afan
/
gitea
Tarkkaile 1
Äänestä 0
Fork 0
Koodi Ongelmat 0 Pull-pyynnöt 0 Julkaisut 0 Wiki Activity
gitea源码
1 Commit
2 Branchit
Puu: 61128e8e94
Branchit Tagit
${ item.name }
Create branch ${ searchTerm }
from '61128e8e94'
${ noResults }
gitea/cmd/cert.go

cert.go 5.4KB
Historia Raaka

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207 
  1. // Copyright 2009 The Go Authors. All rights reserved.

  2. // Copyright 2014 The Gogs Authors. All rights reserved.

  3. // Copyright 2016 The Gitea Authors. All rights reserved.

  4. // SPDX-License-Identifier: MIT

  5. 

  6. package cmd

  7. 

  8. import (

  9. 	"context"

  10. 	"crypto/ecdsa"

  11. 	"crypto/elliptic"

  12. 	"crypto/rand"

  13. 	"crypto/rsa"

  14. 	"crypto/x509"

  15. 	"crypto/x509/pkix"

  16. 	"encoding/pem"

  17. 	"fmt"

  18. 	"log"

  19. 	"math/big"

  20. 	"net"

  21. 	"os"

  22. 	"strings"

  23. 	"time"

  24. 

  25. 	"github.com/urfave/cli/v3"

  26. )

  27. 

  28. // cmdCert represents the available cert sub-command.

  29. func cmdCert() *cli.Command {

  30. 	return &cli.Command{

  31. 		Name:  "cert",

  32. 		Usage: "Generate self-signed certificate",

  33. 		Description: `Generate a self-signed X.509 certificate for a TLS server.

  34. Outputs to 'cert.pem' and 'key.pem' and will overwrite existing files.`,

  35. 		Action: runCert,

  36. 		Flags: []cli.Flag{

  37. 			&cli.StringFlag{

  38. 				Name:     "host",

  39. 				Usage:    "Comma-separated hostnames and IPs to generate a certificate for",

  40. 				Required: true,

  41. 			},

  42. 			&cli.StringFlag{

  43. 				Name:  "ecdsa-curve",

  44. 				Value: "",

  45. 				Usage: "ECDSA curve to use to generate a key. Valid values are P224, P256, P384, P521",

  46. 			},

  47. 			&cli.IntFlag{

  48. 				Name:  "rsa-bits",

  49. 				Value: 3072,

  50. 				Usage: "Size of RSA key to generate. Ignored if --ecdsa-curve is set",

  51. 			},

  52. 			&cli.StringFlag{

  53. 				Name:  "start-date",

  54. 				Value: "",

  55. 				Usage: "Creation date formatted as Jan 1 15:04:05 2011",

  56. 			},

  57. 			&cli.DurationFlag{

  58. 				Name:  "duration",

  59. 				Value: 365 * 24 * time.Hour,

  60. 				Usage: "Duration that certificate is valid for",

  61. 			},

  62. 			&cli.BoolFlag{

  63. 				Name:  "ca",

  64. 				Usage: "whether this cert should be its own Certificate Authority",

  65. 			},

  66. 			&cli.StringFlag{

  67. 				Name:  "out",

  68. 				Value: "cert.pem",

  69. 				Usage: "Path to the file where there certificate will be saved",

  70. 			},

  71. 			&cli.StringFlag{

  72. 				Name:  "keyout",

  73. 				Value: "key.pem",

  74. 				Usage: "Path to the file where there certificate key will be saved",

  75. 			},

  76. 		},

  77. 	}

  78. }

  79. 

  80. func publicKey(priv any) any {

  81. 	switch k := priv.(type) {

  82. 	case *rsa.PrivateKey:

  83. 		return &k.PublicKey

  84. 	case *ecdsa.PrivateKey:

  85. 		return &k.PublicKey

  86. 	default:

  87. 		return nil

  88. 	}

  89. }

  90. 

  91. func pemBlockForKey(priv any) *pem.Block {

  92. 	switch k := priv.(type) {

  93. 	case *rsa.PrivateKey:

  94. 		return &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)}

  95. 	case *ecdsa.PrivateKey:

  96. 		b, err := x509.MarshalECPrivateKey(k)

  97. 		if err != nil {

  98. 			log.Fatalf("Unable to marshal ECDSA private key: %v", err)

  99. 		}

  100. 		return &pem.Block{Type: "EC PRIVATE KEY", Bytes: b}

  101. 	default:

  102. 		return nil

  103. 	}

  104. }

  105. 

  106. func runCert(_ context.Context, c *cli.Command) error {

  107. 	var priv any

  108. 	var err error

  109. 	switch c.String("ecdsa-curve") {

  110. 	case "":

  111. 		priv, err = rsa.GenerateKey(rand.Reader, c.Int("rsa-bits"))

  112. 	case "P224":

  113. 		priv, err = ecdsa.GenerateKey(elliptic.P224(), rand.Reader)

  114. 	case "P256":

  115. 		priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

  116. 	case "P384":

  117. 		priv, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)

  118. 	case "P521":

  119. 		priv, err = ecdsa.GenerateKey(elliptic.P521(), rand.Reader)

  120. 	default:

  121. 		err = fmt.Errorf("unrecognized elliptic curve: %q", c.String("ecdsa-curve"))

  122. 	}

  123. 	if err != nil {

  124. 		return fmt.Errorf("failed to generate private key: %w", err)

  125. 	}

  126. 

  127. 	var notBefore time.Time

  128. 	if startDate := c.String("start-date"); startDate != "" {

  129. 		notBefore, err = time.Parse("Jan 2 15:04:05 2006", startDate)

  130. 		if err != nil {

  131. 			return fmt.Errorf("failed to parse creation date %w", err)

  132. 		}

  133. 	} else {

  134. 		notBefore = time.Now()

  135. 	}

  136. 

  137. 	notAfter := notBefore.Add(c.Duration("duration"))

  138. 

  139. 	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)

  140. 	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)

  141. 	if err != nil {

  142. 		return fmt.Errorf("failed to generate serial number: %w", err)

  143. 	}

  144. 

  145. 	template := x509.Certificate{

  146. 		SerialNumber: serialNumber,

  147. 		Subject: pkix.Name{

  148. 			Organization: []string{"Acme Co"},

  149. 			CommonName:   "Gitea",

  150. 		},

  151. 		NotBefore: notBefore,

  152. 		NotAfter:  notAfter,

  153. 

  154. 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,

  155. 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},

  156. 		BasicConstraintsValid: true,

  157. 	}

  158. 

  159. 	hosts := strings.SplitSeq(c.String("host"), ",")

  160. 	for h := range hosts {

  161. 		if ip := net.ParseIP(h); ip != nil {

  162. 			template.IPAddresses = append(template.IPAddresses, ip)

  163. 		} else {

  164. 			template.DNSNames = append(template.DNSNames, h)

  165. 		}

  166. 	}

  167. 

  168. 	if c.Bool("ca") {

  169. 		template.IsCA = true

  170. 		template.KeyUsage |= x509.KeyUsageCertSign

  171. 	}

  172. 

  173. 	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, publicKey(priv), priv)

  174. 	if err != nil {

  175. 		return fmt.Errorf("failed to create certificate: %w", err)

  176. 	}

  177. 

  178. 	certOut, err := os.Create(c.String("out"))

  179. 	if err != nil {

  180. 		return fmt.Errorf("failed to open %s for writing: %w", c.String("keyout"), err)

  181. 	}

  182. 	err = pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})

  183. 	if err != nil {

  184. 		return fmt.Errorf("failed to encode certificate: %w", err)

  185. 	}

  186. 	err = certOut.Close()

  187. 	if err != nil {

  188. 		return fmt.Errorf("failed to write cert: %w", err)

  189. 	}

  190. 	fmt.Fprintf(c.Writer, "Written cert to %s\n", c.String("out"))

  191. 

  192. 	keyOut, err := os.OpenFile(c.String("keyout"), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)

  193. 	if err != nil {

  194. 		return fmt.Errorf("failed to open %s for writing: %w", c.String("keyout"), err)

  195. 	}

  196. 	err = pem.Encode(keyOut, pemBlockForKey(priv))

  197. 	if err != nil {

  198. 		return fmt.Errorf("failed to encode key: %w", err)

  199. 	}

  200. 	err = keyOut.Close()

  201. 	if err != nil {

  202. 		return fmt.Errorf("failed to write key: %w", err)

  203. 	}

  204. 	fmt.Fprintf(c.Writer, "Written key to %s\n", c.String("keyout"))

  205. 	return nil

  206. }