Support creating intermediate CA

Pascal van Buijtene · Pascal van Buijtene · commit 90bb67329b14 · 2021-11-08T12:52:22.000+01:00
diff --git a/certificates/create_ca.go b/certificates/create_ca.go
@@ -16,7 +16,7 @@ import (
 	"strings"
 	"time"
 
-	multierror "github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/go-multierror"
 	"github.com/mitchellh/cli"
 )
 
@@ -25,8 +25,10 @@ type CreateCA struct {
 }
 
 type CreateCAArguments struct {
-	Days      int
-	OutputDir string
+	Days              int
+	OutputDir         string
+	CACertificatePath string
+	CAKeyPath         string
 }
 
 func (c *CreateCA) Run(args []string) int {
@@ -36,6 +38,8 @@ func (c *CreateCA) Run(args []string) int {
 	flags.Usage = func() { c.Ui.Info(c.Help()) }
 	flags.IntVar(&config.Days, "days", 0, "the validity period of the certificate in days")
 	flags.StringVar(&config.OutputDir, "out", "./ca", "The output directory")
+	flags.StringVar(&config.CACertificatePath, "ca-certificate", "", "the path to a CA certificate file")
+	flags.StringVar(&config.CAKeyPath, "ca-key", "", "the path to a CA key file")
 
 	if err := flags.Parse(args); err != nil {
 		return 1
@@ -46,6 +50,12 @@ func (c *CreateCA) Run(args []string) int {
 		multierror.Append(validationErrors, errors.New("days must be positive"))
 	}
 
+	caCertPathLen := len(config.CACertificatePath)
+	caKeyPathLen := len(config.CAKeyPath)
+	if (caCertPathLen > 0 && caKeyPathLen == 0) || (caKeyPathLen > 0 && caCertPathLen == 0){
+		multierror.Append(validationErrors, errors.New("both -ca-certificate and -ca-key options are required"))
+	}
+
 	if validationErrors.ErrorOrNil() != nil {
 		c.Ui.Error(validationErrors.Error())
 		return 1
@@ -59,9 +69,27 @@ func (c *CreateCA) Run(args []string) int {
 		days = config.Days
 		years = 0
 	}
+	
+	var caCert *x509.Certificate
+	var caKey *rsa.PrivateKey
+	var err error
+	if caCertPathLen > 0 {
+		caCert, err = readCertificateFromFile(config.CACertificatePath)
+		if err != nil {
+			c.Ui.Error(err.Error())
+			return 1
+		}
+
+		caKey, err = readRSAKeyFromFile(config.CAKeyPath)
+		if err != nil {
+			err := fmt.Errorf("error: %s. please note that only RSA keys are currently supported", err.Error())
+			c.Ui.Error(err.Error())
+			return 1
+		}
+	}
 
 	outputDir := config.OutputDir
-	err := generateCACertificate(defaultKeySize, years, days, outputDir)
+	err = generateCACertificate(years, days, outputDir, caCert, caKey)
 	if err != nil {
 		c.Ui.Error(err.Error())
 	} else {
@@ -70,7 +98,7 @@ func (c *CreateCA) Run(args []string) int {
 	return 0
 }
 
-func generateCACertificate(keysize int, years int, days int, outputDir string) error {
+func generateCACertificate(years int, days int, outputDir string, caCert *x509.Certificate, caPrivateKey *rsa.PrivateKey) error {
 	serialNumber, err := generateSerialNumber(128)
 	if err != nil {
 		return fmt.Errorf("could not generate 128-bit serial number: %s", err.Error())
@@ -81,9 +109,16 @@ func generateCACertificate(keysize int, years int, days int, outputDir string) e
 		return fmt.Errorf("could not generate RSA private key: %s", err.Error())
 	}
 
-	keyID := generateKeyIDFromRSAPublicKey(privateKey.N, privateKey.E)
-
 	cn := fmt.Sprintf("EventStoreDB CA %s", serialNumber.Text(16))
+	subjectKeyID := generateKeyIDFromRSAPublicKey(privateKey.N, privateKey.E)
+	authorityKeyID := subjectKeyID
+	maxPathLen := 2
+
+	if caCert != nil && caPrivateKey != nil {
+		maxPathLen = -1
+		cn = fmt.Sprintf("EventStoreDB Intermediate CA %s", serialNumber.Text(16))
+		authorityKeyID = generateKeyIDFromRSAPublicKey(caPrivateKey.N, caPrivateKey.E)
+	}
 
 	cert := &x509.Certificate{
 		SerialNumber: serialNumber,
@@ -92,14 +127,22 @@ func generateCACertificate(keysize int, years int, days int, outputDir string) e
 			Organization: []string{"Event Store Ltd"},
 			Country:      []string{"UK"},
 		},
+		IsCA:                  true,
+		BasicConstraintsValid: true,
+		MaxPathLen:            maxPathLen,
 		NotBefore:             time.Now(),
 		NotAfter:              time.Now().AddDate(years, 0, days),
-		IsCA:                  true,
-		MaxPathLen:            1,
 		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
-		BasicConstraintsValid: true,
-		SubjectKeyId:          keyID,
-		AuthorityKeyId:        keyID,
+		SubjectKeyId:          subjectKeyID,
+		AuthorityKeyId:        authorityKeyID,
+	}
+
+	parentCert := cert
+	certPrivateKey := privateKey
+
+	if caCert != nil && caPrivateKey != nil {
+		parentCert = caCert
+		certPrivateKey = caPrivateKey
 	}
 
 	privateKeyPem := new(bytes.Buffer)
@@ -111,7 +154,7 @@ func generateCACertificate(keysize int, years int, days int, outputDir string) e
 		return fmt.Errorf("could not encode private key to PEM format: %s", err.Error())
 	}
 
-	certBytes, err := x509.CreateCertificate(rand.Reader, cert, cert, &privateKey.PublicKey, privateKey)
+	certBytes, err := x509.CreateCertificate(rand.Reader, cert, parentCert, &privateKey.PublicKey, certPrivateKey)
 	if err != nil {
 		return fmt.Errorf("could not generate certificate: %s", err.Error())
 	}
@@ -153,14 +196,16 @@ func generateCACertificate(keysize int, years int, days int, outputDir string) e
 func (c *CreateCA) Help() string {
 	helpText := `
 Usage: create_ca [options]
-  Generate a root/CA TLS certificate to be used with EventStoreDB
+  Generate a root/intermediate CA TLS certificate to be used with EventStoreDB
 Options:
   -days                       The validity period of the certificate in days (default: 5 years)
   -out                        The output directory (default: ./ca)
+  -ca-certificate             The path to a CA certificate file for creating an intermediate CA certificate
+  -ca-key                     The path to a CA key file for creating an intermediate CA certificate
 `
 	return strings.TrimSpace(helpText)
 }
 
 func (c *CreateCA) Synopsis() string {
-	return "Generate a root/CA TLS certificate to be used with EventStoreDB"
+	return "Generate a root/intermediate CA TLS certificate to be used with EventStoreDB"
 }
diff --git a/certificates/create_node.go b/certificates/create_node.go
@@ -190,7 +190,7 @@ func (c *CreateNode) Run(args []string) int {
 		years = 0
 	}
 
-	err = generateNodeCertificate(caCert, caKey, ips, dnsNames, defaultKeySize, years, days, outputDir, outputBaseFileName)
+	err = generateNodeCertificate(caCert, caKey, ips, dnsNames, years, days, outputDir, outputBaseFileName)
 	if err != nil {
 		c.Ui.Error(err.Error())
 		return 1
@@ -200,7 +200,7 @@ func (c *CreateNode) Run(args []string) int {
 	return 0
 }
 
-func generateNodeCertificate(caCert *x509.Certificate, caPrivateKey *rsa.PrivateKey, ips []net.IP, dnsNames []string, keysize int, years int, days int, outputDir string, outputBaseFileName string) error {
+func generateNodeCertificate(caCert *x509.Certificate, caPrivateKey *rsa.PrivateKey, ips []net.IP, dnsNames []string, years int, days int, outputDir string, outputBaseFileName string) error {
 	serialNumber, err := generateSerialNumber(128)
 	if err != nil {
 		return fmt.Errorf("could not generate 128-bit serial number: %s", err.Error())
diff --git a/go.mod b/go.mod
@@ -4,6 +4,5 @@ go 1.14
 
 require (
 	github.com/hashicorp/go-multierror v1.0.0
-	github.com/hashicorp/hcl v1.0.0
 	github.com/mitchellh/cli v1.1.1
 )
diff --git a/go.sum b/go.sum
@@ -2,18 +2,12 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310 h1:BUAU3CGlLvorLI26
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/bgentry/speakeasy v0.1.0 h1:ByYyxL9InA1OWqxJqqp2A5pYHUrCiAL6K3J+LKSsQkY=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/eventstore/es-gencert-cli v0.0.0-20200810090631-41ce27532e69 h1:e919SNsU6EnmpOsYBwvH9rn7kohweA5FUfFOvVQPEXc=
-github.com/eventstore/es-gencert-cli v0.0.0-20200810090631-41ce27532e69/go.mod h1:0ypTrkuHDS23qDZ5I4P84q4CvOYB8IABnCt1rH7e3/U=
 github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-multierror v1.0.0 h1:iVjPR7a6H0tWELX5NxNe7bYopibicUzc7uPribsnS6o=
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
-github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
-github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/mattn/go-colorable v0.0.9 h1:UVL0vNpWh04HeJXV0KLcaT7r06gOH2l4OW6ddYRUIY4=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-isatty v0.0.3 h1:ns/ykhmWi7G9O+8a448SecJU3nSMBXJfqQkl0upE1jI=

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,5 @@ go 1.14`
`4`	`4`
`5`	`5`	`require (`
`6`	`6`	`github.com/hashicorp/go-multierror v1.0.0`
`7`		`- github.com/hashicorp/hcl v1.0.0`
`8`	`7`	`github.com/mitchellh/cli v1.1.1`
`9`	`8`	`)`