Add ability to generate a certificate from an existing key. #1416
Conversation
Thanks for the contribution! Before we can merge this, we need @SohamG to sign the Salesforce Inc. Contributor License Agreement.
I also added the corresponding feature to
Thanks for the contribution! I really want us to have this feature! (writing out the pubkey PEM from a certificate is also a thing I'd like to add btw).
We just need a little bit more polish to get this mergeable (P256 support, passwords, maybe a to-public-key subcommand?)
    pub, rawPriv, err = ed25519.GenerateKey(rand.Reader)
    if err != nil {
        return fmt.Errorf("error while generating ed25519 keys: %s", err)
    if *cf.inKeyPath == "" {
I'd really like to have this feature, but I think if we're going to add it, we need to support P256 as well.
On it. My particular use case was Curve25519 but I don't see too much trouble adding this for P256 too.
    func x25519KeyFromPriv(priv []byte) ([]byte, []byte) {
        pubkey, err := curve25519.X25519(priv, curve25519.Basepoint)
        if err != nil {
            panic(err)
In most cases, I prefer to bubble the error back up and let the caller decide to panic
Well, the original function I modeled this one on (similar name in the same file) didn't bubble err, so I didn't do it either. That being said, it's a relatively minor fix, which I will implement.
    case "25519", "X25519", "Curve25519", "CURVE25519":
        pub, rawPriv = x25519Keypair()
        curve = cert.Curve_CURVE25519
    if *cf.inKeyPath == "" {
Do you think this ought to be its own "command"? Making this a bonus feature of keygen is potentially confusing.
Also, many users encrypt their private keys, we may need to support that. I think there's a helper function for this.... somewhere?
Yes, I did spot the helper, I threw this together as a Proof-Of-Concept and without knowing if this feature was desired. I'll add encrypted keys and a new subcommand.
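The three review points above (support P256 as well as Curve25519, return errors instead of panicking, and accept a private key the user already has) come together in the one routine such a subcommand needs: deriving the public key from an existing raw private key. The following is an added example written for this page, not code from the PR or from Nebula; the function name `publicKeyFromPrivate`, the "P256" and "Ed25519" curve names, and the use of the standard-library `crypto/ecdh` package (Go 1.20 or later) are assumptions. It deliberately bubbles every error up, as the reviewer asks for `x25519KeyFromPriv`, and the inputs in `main` are constructed test vectors from RFC 7748.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"encoding/hex"
	"fmt"
)

// publicKeyFromPrivate derives the public key that belongs to an existing raw
// private key, which is what a "certificate from existing key" command needs
// before it can build and sign a new cert. The Curve25519 spellings mirror the
// ones keygen accepts in the review snippet; the "P256" and "Ed25519" names
// are assumptions for this example. Every failure is returned to the caller
// instead of panicking, so the subcommand can print a usable message.
func publicKeyFromPrivate(curve string, rawPriv []byte) ([]byte, error) {
	switch curve {
	case "25519", "X25519", "Curve25519", "CURVE25519":
		// crypto/ecdh checks the 32-byte length and clamps the scalar.
		priv, err := ecdh.X25519().NewPrivateKey(rawPriv)
		if err != nil {
			return nil, fmt.Errorf("invalid X25519 private key: %w", err)
		}
		return priv.PublicKey().Bytes(), nil
	case "P256", "p256":
		// crypto/ecdh rejects scalars that are zero or not below the group order.
		priv, err := ecdh.P256().NewPrivateKey(rawPriv)
		if err != nil {
			return nil, fmt.Errorf("invalid P256 private key: %w", err)
		}
		// 65-byte uncompressed SEC 1 point: 0x04 || X || Y.
		return priv.PublicKey().Bytes(), nil
	case "Ed25519", "ed25519":
		switch len(rawPriv) {
		case ed25519.SeedSize:
			return ed25519.NewKeyFromSeed(rawPriv).Public().(ed25519.PublicKey), nil
		case ed25519.PrivateKeySize:
			// 64-byte form (seed || public key): re-derive from the seed so a
			// mismatched trailing half can never be copied into the cert.
			return ed25519.NewKeyFromSeed(rawPriv[:ed25519.SeedSize]).Public().(ed25519.PublicKey), nil
		default:
			return nil, fmt.Errorf("invalid Ed25519 private key length %d", len(rawPriv))
		}
	default:
		return nil, fmt.Errorf("unsupported curve %q", curve)
	}
}

func main() {
	// Constructed input: Alice's X25519 private key from RFC 7748 section 6.1.
	priv, _ := hex.DecodeString("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
	pub, err := publicKeyFromPrivate("X25519", priv)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("X25519 public key:", hex.EncodeToString(pub))

	// A truncated key file is reported, not panicked on.
	if _, err := publicKeyFromPrivate("X25519", priv[:16]); err != nil {
		fmt.Println("rejected short key:", err)
	}
}
```

The derived key is only half the story: once the cert is signed, a keygen-style command should also compare the fingerprint of the new cert against any existing one and warn, since the PR description notes the fingerprint changes between v1 and v2 even when the keypair is unchanged.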
Hey! Thanks for the reply. As I said, I will look into adding P256 now that I know there is interest in the PR. I'll add a new subcommand to
Hello,
I made this quick patch to add the ability to make a CA certificate from an already existing private key. This could be useful for when you accidentally delete your ca.crt file.
Note that my original intention was to be able to have a v1 CA and a v2 CA signed by the same key and hence trusted/verifiable. My use case is that I have a v2 network for all of my Linux hosts, but the iPhone app only supports v1 CA crts and I could not find a way to reconcile this. This problem is still unsolved, as I realized in testing this patch that the fingerprint of the certs changes between v1 and v2 even if all other parameters, including the private/public key, remain constant. Nebula seems to be using the fingerprint to find the CA before it does any asymmetric key verification.
(I could hack it further to make identical-fingerprint v1 and v2 certs, but that's too dirty...)
Please let me know if I need to make any formatting/code style changes. Licensed same as project, will sign CLA.