The signature obviously changed. I filed a bug and the resolution was that the contents had to be asn1 encoded. While Firefox and openssl displayed the correct content of this line the certificate was invalid.
Idk if the bug is still hosted on google code or if the previous bugs were exported to github On Sunday, July 17, 2016 at 6:14:13 AM UTC+2, sunil....@gmail.com wrote: > > Hello, this is 2016 and I am walking on this path now.. > > In the rootCA function and elsewhere, you have this line: > > derBytes, err := x509.CreateCertificate(rand.Reader, &rcat, &rcat, > &rpriv.PublicKey, rpriv) > > However, the last two parameters to this function, according to the golang > refs (https://golang.org/pkg/crypto/x509/#CreateCertificate) are: > > "The parameter *pub* is the public key of the signee" > > and > > "*priv* is the private key of the signer" > > (For quick reference, here is the function signature from the same page: > ...) > > func CreateCertificate(rand io <https://golang.org/pkg/io/>.Reader > <https://golang.org/pkg/io/#Reader>, template, parent *Certificate > <https://golang.org/pkg/crypto/x509/#Certificate>, pub, priv interface{}) > (cert []byte <https://golang.org/pkg/builtin/#byte>, err error > <https://golang.org/pkg/builtin/#error>) > > > This does not seem to tally with your usage. > > BTW, I much appreciate your work here. I hope perhaps it could be led to > correctness slowly and form a great reference? > > > > > > On Sunday, October 19, 2014 at 9:43:48 AM UTC-7, Darko Luketic wrote: >> >> This is how the certs are generated >> >> package main >> >> import ( >> "crypto/rand" >> "crypto/rsa" >> "crypto/sha512" >> "crypto/x509" >> "crypto/x509/pkix" >> "encoding/asn1" >> "encoding/pem" >> "fmt" >> "math/big" >> "net" >> "os" >> "time" >> //"strconv" >> ) >> >> var ( >> organization = []string{"domain.tld", "My Name"} >> streetaddress = []string{"Street. 123"} >> postalcode = []string{"12345"} >> province = []string{"Province"} >> locality = []string{"City"} >> country = []string{"DE"} >> ) >> >> var ( >> rcat = rootCATemplate() >> icat = intermediateCATemplate() >> rpriv *rsa.PrivateKey >> ipriv *rsa.PrivateKey >> ) >> >> func main() { >> rootCA() >> intermediateCA() >> serverCert("server1.name", "1.2.3.4", "2a01::2") >> serverCert("server2.name", "2.3.4.5", "2a02::2") >> } >> >> func rootCATemplate() x509.Certificate { >> template := x509.Certificate{} >> template.Subject = pkix.Name{ >> Organization: organization, >> StreetAddress: streetaddress, >> PostalCode: postalcode, >> Province: province, >> Locality: locality, >> Country: country, >> CommonName: "icod.de CA", >> } >> >> template.NotBefore = time.Now() >> template.NotAfter = template.NotBefore.Add(172800 * time.Hour) >> template.KeyUsage = x509.KeyUsageCertSign | >> x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | >> x509.KeyUsageCRLSign >> template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, >> x509.ExtKeyUsageServerAuth} >> template.IsCA = true >> template.BasicConstraintsValid = true >> extSubjectAltName := pkix.Extension{} >> extSubjectAltName.Id = asn1.ObjectIdentifier{2, 5, 29, 17} >> extSubjectAltName.Critical = false >> extSubjectAltName.Value = []byte(`email...@dom1.de, URI: >> http://ca.dom1.de/` <http://ca.dom1.de/>) >> template.ExtraExtensions = []pkix.Extension{extSubjectAltName} >> return template >> } >> >> func intermediateCATemplate() x509.Certificate { >> template := x509.Certificate{} >> template.Subject = pkix.Name{ >> Organization: organization, >> StreetAddress: streetaddress, >> PostalCode: postalcode, >> Province: province, >> Locality: locality, >> Country: country, >> CommonName: "SelfTLS CA", >> } >> >> template.NotBefore = time.Now() >> template.NotAfter = template.NotBefore.Add(172800 * time.Hour) >> template.KeyUsage = x509.KeyUsageCertSign | >> x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | >> x509.KeyUsageCRLSign >> template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, >> x509.ExtKeyUsageServerAuth} >> template.IsCA = true >> template.BasicConstraintsValid = true >> extSubjectAltName := pkix.Extension{} >> extSubjectAltName.Id = asn1.ObjectIdentifier{2, 5, 29, 17} >> extSubjectAltName.Critical = false >> extSubjectAltName.Value = []byte(`emai...@dom2.com, URI: >> http://ca.dom2.com/` <http://ca.dom2.com/>) >> template.ExtraExtensions = []pkix.Extension{extSubjectAltName} >> return template >> } >> >> // hosts: []string{"hostname","ipv4addr","ipv6addr"} >> func serverTemplate(hosts []string) x509.Certificate { >> template := x509.Certificate{} >> template.Subject = pkix.Name{ >> Organization: organization, >> StreetAddress: streetaddress, >> PostalCode: postalcode, >> Province: province, >> Locality: locality, >> Country: country, >> } >> >> template.NotBefore = time.Now() >> template.NotAfter = template.NotBefore.Add(86400 * time.Hour) >> template.KeyUsage = x509.KeyUsageKeyEncipherment | >> x509.KeyUsageDigitalSignature >> template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, >> x509.ExtKeyUsageServerAuth} >> template.BasicConstraintsValid = true >> >> for _, h := range hosts { >> if ip := net.ParseIP(h); ip != nil { >> template.IPAddresses = append(template.IPAddresses, ip) >> } else { >> template.DNSNames = append(template.DNSNames, h) >> template.Subject.CommonName = h >> } >> } >> return template >> } >> >> func serverCert(host, ipv4, ipv6 string) { >> tpl := serverTemplate([]string{host, ipv4, ipv6}) >> priv, err := rsa.GenerateKey(rand.Reader, 4096) >> if err != nil { >> fmt.Println("Failed to generate private key:", err) >> os.Exit(1) >> } >> serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) >> tpl.SerialNumber, err = rand.Int(rand.Reader, serialNumberLimit) >> if err != nil { >> fmt.Println("Failed to generate serial number:", err) >> os.Exit(1) >> } >> h := sha512.New() >> pb, e := x509.MarshalPKIXPublicKey(&priv.PublicKey) >> if e != nil { >> fmt.Println(e.Error()) >> return >> } >> h.Write(pb) >> tpl.SubjectKeyId = h.Sum(nil) >> derBytes, err := x509.CreateCertificate(rand.Reader, &tpl, &icat, >> &priv.PublicKey, ipriv) >> if err != nil { >> fmt.Println("Failed to create certificate:", err) >> os.Exit(1) >> } >> certOut, err := os.Create(host + ".crt") >> if err != nil { >> fmt.Println("Failed to open "+host+".crt for writing:", err) >> os.Exit(1) >> } >> pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}) >> certOut.Close() >> keyOut, err := os.OpenFile(host+".key", >> os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600) >> if err != nil { >> fmt.Println("failed to open "+host+".key for writing:", err) >> os.Exit(1) >> } >> pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: >> x509.MarshalPKCS1PrivateKey(priv)}) >> keyOut.Close() >> } >> >> func intermediateCA() { >> var err error >> ipriv, err = rsa.GenerateKey(rand.Reader, 4096) >> if err != nil { >> fmt.Println("Failed to generate private key:", err) >> os.Exit(1) >> } >> serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) >> icat.SerialNumber, err = rand.Int(rand.Reader, serialNumberLimit) >> if err != nil { >> fmt.Println("Failed to generate serial number:", err) >> os.Exit(1) >> } >> h := sha512.New() >> pb, e := x509.MarshalPKIXPublicKey(&ipriv.PublicKey) >> if e != nil { >> fmt.Println(e.Error()) >> return >> } >> h.Write(pb) >> icat.SubjectKeyId = h.Sum(nil) >> >> derBytes, err := x509.CreateCertificate(rand.Reader, &icat, &rcat, >> &ipriv.PublicKey, rpriv) >> if err != nil { >> fmt.Println("Failed to create certificate:", err) >> os.Exit(1) >> } >> certOut, err := os.Create("intermediate.crt") >> if err != nil { >> fmt.Println("Failed to open ca.pem for writing:", err) >> os.Exit(1) >> } >> pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}) >> certOut.Close() >> keyOut, err := os.OpenFile("intermediate.key", >> os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600) >> if err != nil { >> fmt.Println("failed to open ca.key for writing:", err) >> os.Exit(1) >> } >> pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: >> x509.MarshalPKCS1PrivateKey(ipriv)}) >> keyOut.Close() >> } >> >> func rootCA() { >> var err error >> rpriv, err = rsa.GenerateKey(rand.Reader, 4096) >> if err != nil { >> fmt.Println("Failed to generate private key:", err) >> os.Exit(1) >> } >> serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) >> rcat.SerialNumber, err = rand.Int(rand.Reader, serialNumberLimit) >> if err != nil { >> fmt.Println("Failed to generate serial number:", err) >> os.Exit(1) >> } >> h := sha512.New() >> pb, e := x509.MarshalPKIXPublicKey(&rpriv.PublicKey) >> if e != nil { >> fmt.Println(e.Error()) >> return >> } >> h.Write(pb) >> rcat.SubjectKeyId = h.Sum(nil) >> >> derBytes, err := x509.CreateCertificate(rand.Reader, &rcat, &rcat, >> &rpriv.PublicKey, rpriv) >> if err != nil { >> fmt.Println("Failed to create certificate:", err) >> os.Exit(1) >> } >> certOut, err := os.Create("rootca.crt") >> if err != nil { >> fmt.Println("Failed to open ca.pem for writing:", err) >> os.Exit(1) >> } >> pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}) >> certOut.Close() >> keyOut, err := os.OpenFile("rootca.key", >> os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600) >> if err != nil { >> fmt.Println("failed to open ca.key for writing:", err) >> os.Exit(1) >> } >> pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: >> x509.MarshalPKCS1PrivateKey(rpriv)}) >> keyOut.Close() >> } >> >> -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
