Skip to content

Commit

Permalink
feat: Refactor SMTongsuo generation to support certificate validity
Browse files Browse the repository at this point in the history 
- Add ability to convert an X509 certificate to an openssl configuration file.
- Refactor certificate generation in SMTongsuo to use time package for expiration.
- Add ability to set certificate policies in SMTongsuo.
- Update SMTongsuo tests to use testify/require instead of testify/assert.
  • Loading branch information
@Laisky
Laisky committed Dec 19, 2023
1 parent 83df41c commit 038816c
Show file tree
Hide file tree
Showing 4 changed files with 66 additions and 55 deletions.
5 changes: 4 additions & 1 deletion crypto/converter.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -389,6 +389,7 @@ func VerifyCertByPrikey(certPem []byte, prikeyPem []byte) error {
return err
}

// X509Cert2OpensslConf marshal x509
func X509Cert2OpensslConf(cert *x509.Certificate) (opensslConf []byte) {
// set req & req_distinguished_name
cnt := fmt.Sprintf(`[ req ]
Expand Down Expand Up @@ -416,7 +417,9 @@ commonName = %s
"organizationName",
"organizationalUnitName",
} {
cnt += fmt.Sprintf("%s = %s\n", name, strings.Join(subjectMaps[name], ","))
if len(subjectMaps[name]) != 0 {
cnt += fmt.Sprintf("%s = %s\n", name, strings.Join(subjectMaps[name], ","))
}
}
cnt += "\n"

Expand Down
2 changes: 0 additions & 2 deletions crypto/converter_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -524,7 +524,6 @@ func TestX509Cert2OpensslConf(t *testing.T) {
cert := &x509.Certificate{
Subject: pkix.Name{
CommonName: "example.com",
Country: []string{"US"},
Province: []string{"California"},
Locality: []string{"San Francisco"},
Organization: []string{"Acme Corp"},
Expand All @@ -542,7 +541,6 @@ x509_extensions = v3_ca
[ req_distinguished_name ]
commonName = example.com
countryName = US
stateOrProvinceName = California
localityName = San Francisco
organizationName = Acme Corp
Expand Down
36 changes: 2 additions & 34 deletions crypto/smtongsuo.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,39 +13,6 @@ import (
"github.com/Laisky/errors/v2"
)

const (
configTemplate = `[ req ]
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = v3_ca
[ req_distinguished_name ]
countryName = {{.CountryName}}
stateOrProvinceName = {{.StateOrProvinceName}}
localityName = {{.LocalityName}}
organizationName = {{.OrganizationName}}
organizationalUnitName = {{.OrganizationalUnitName}}
commonName = {{.CommonName}}
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = cRLSign, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
certificatePolicies = {{.Policies}}`
)

type configTemplateArgs struct {
CountryName string
StateOrProvinceName string
LocalityName string
OrganizationName string
OrganizationalUnitName string
CommonName string
Policies string
}

// Tongsuo is a wrapper of tongsuo executable binary
//
// https://github.com/Tongsuo-Project/Tongsuo
Expand Down Expand Up @@ -118,7 +85,7 @@ func (t *Tongsuo) NewPrikeyAndCert(ctx context.Context, opts ...X509CertOption)
return nil, nil, errors.Wrap(err, "new private key")
}

_, tpl, err := X509CertOption2Template(opts...)
opt, tpl, err := X509CertOption2Template(opts...)
if err != nil {
return nil, nil, errors.Wrap(err, "X509CertOption2Template")
}
Expand All @@ -140,6 +107,7 @@ func (t *Tongsuo) NewPrikeyAndCert(ctx context.Context, opts ...X509CertOption)
certPem, err := t.runCMD(ctx, []string{
"req", "-outform", "PEM", "-key", "/dev/stdin",
"-set_serial", strconv.Itoa(int(t.serialGenerator.SerialNum())),
"-days", strconv.Itoa(int(time.Until(opt.notAfter) / time.Hour / 24)),
"-x509", "-new", "-nodes", "-utf8", "-batch",
"-sm3", "-sigopt", "sm2-za:no",
"-copy_extensions", "copyall",
Expand Down
78 changes: 60 additions & 18 deletions crypto/smtongsuo_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,10 @@ package crypto

import (
"context"
"crypto/x509"
"encoding/asn1"
"os/exec"
"testing"
"time"

"github.com/stretchr/testify/require"
)
Expand All @@ -20,29 +21,70 @@ func testSkipSmTongsuo(t *testing.T) (skipped bool) {
}

func TestTongsuo_NewPrikeyAndCert(t *testing.T) {
t.Parallel()

ctx := context.Background()

if testSkipSmTongsuo(t) {
return
}

t.Parallel()
ins, err := NewTongsuo("/usr/local/bin/tongsuo")
require.NoError(t, err)

tongsuo := &Tongsuo{} // Create an instance of Tongsuo
t.Run("ca", func(t *testing.T) {
t.Parallel()
opts := []X509CertOption{
WithX509CertIsCA(),
WithX509CertCommonName("test-common-name"),
WithX509CertOrganization("test org"),
WithX509CertPolicies(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 59936, 1, 1, 3}),
}

// Define the X509CertOption options for the test
opts := []X509CertOption{
WithX509CertCommonName("test"),
WithX509CertOrganization("test org"),
}
prikeyPem, certDer, err := ins.NewPrikeyAndCert(context.Background(), opts...)
require.NoError(t, err)
require.NotNil(t, prikeyPem)
require.NotNil(t, certDer)

prikeyPem, certDer, err := tongsuo.NewPrikeyAndCert(context.Background(), opts...)
require.NoError(t, err)
require.NotNil(t, prikeyPem)
require.NotNil(t, certDer)
// Verify that the generated certificate is valid
certinfo, err := ins.ShowCertInfo(ctx, certDer)
// t.Log(string(certinfo))
require.NoError(t, err)
require.Contains(t, string(certinfo), "test-common-name")
require.Contains(t, string(certinfo), "test org")
require.Contains(t, string(certinfo), "CA:TRUE")
require.Contains(t, string(certinfo), "1.3.6.1.4.1.59936.1.1.3")
})

t.Run("not ca", func(t *testing.T) {
t.Parallel()
notafter := time.Now().Add(time.Hour * 24 * 365 * 10)

opts := []X509CertOption{
WithX509CertCommonName("test-common-name"),
WithX509CertOrganization("test org"),
WithX509CertNotAfter(notafter),
WithX509CertPolicies(
asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 59936, 1, 1, 3},
asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 59936, 1, 1, 4},
),
}

prikeyPem, certDer, err := ins.NewPrikeyAndCert(context.Background(), opts...)
require.NoError(t, err)
require.NotNil(t, prikeyPem)
require.NotNil(t, certDer)

// Verify that the generated certificate is valid
certinfo, err := ins.ShowCertInfo(ctx, certDer)
// t.Log(string(certinfo))
require.NoError(t, err)
require.Contains(t, string(certinfo), "test-common-name")
require.Contains(t, string(certinfo), "test org")
require.Contains(t, string(certinfo), "CA:FALSE")
require.Contains(t, string(certinfo), "1.3.6.1.4.1.59936.1.1.3")
require.Contains(t, string(certinfo), "1.3.6.1.4.1.59936.1.1.4")
require.Contains(t, string(certinfo), notafter.UTC().Format("2006 GMT"))
})

// Verify that the generated certificate is valid
cert, err := x509.ParseCertificate(certDer)
require.NoError(t, err)
require.NotNil(t, cert)
require.Equal(t, "test", cert.Subject.CommonName)
require.Equal(t, "test org", cert.Subject.Organization[0])
}

0 comments on commit 038816c

Please sign in to comment.