WIP: initial mtls package #133

Merged
vtolstov merged 4 commits from mtls into v3 2022-06-27 00:22:10 +03:00
2 changed files with 41 additions and 3 deletions
Showing only changes of commit eb8c1332f0 - Show all commits

View File

@ -94,7 +94,7 @@ func NewIntermediate(cacrt *x509.Certificate, cakey crypto.PrivateKey, opts ...C
github-code-scanning[bot] commented 2022-06-05 06:03:30 +03:00 (Migrated from github.com)
Review

Disabled TLS certificate check

InsecureSkipVerify should not be used in production code.

Show more details

## Disabled TLS certificate check InsecureSkipVerify should not be used in production code. [Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
github-code-scanning[bot] commented 2022-06-05 06:03:30 +03:00 (Migrated from github.com)
Review

Disabled TLS certificate check

InsecureSkipVerify should not be used in production code.

Show more details

## Disabled TLS certificate check InsecureSkipVerify should not be used in production code. [Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
// SignCSR sign certificate request and return signed pubkey // SignCSR sign certificate request and return signed pubkey
func SignCSR(rawcsr []byte, cacrt *x509.Certificate, cakey crypto.PrivateKey, opts ...CertificateOption) ([]byte, error) { func SignCSR(rawcsr []byte, cacrt *x509.Certificate, cakey crypto.PrivateKey, opts ...CertificateOption) ([]byte, error) {
if cacrt == nil { if cacrt == nil {
opts = append(opts, CertificateIsCA(false)) opts = append(opts, CertificateIsCA(true))
github-code-scanning[bot] commented 2022-06-05 06:03:30 +03:00 (Migrated from github.com)
Review

Disabled TLS certificate check

InsecureSkipVerify should not be used in production code.

Show more details

## Disabled TLS certificate check InsecureSkipVerify should not be used in production code. [Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
github-code-scanning[bot] commented 2022-06-05 06:03:30 +03:00 (Migrated from github.com)
Review

Disabled TLS certificate check

InsecureSkipVerify should not be used in production code.

Show more details

## Disabled TLS certificate check InsecureSkipVerify should not be used in production code. [Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
} }
options := NewCertificateOptions(opts...) options := NewCertificateOptions(opts...)
@ -124,7 +124,7 @@ func SignCSR(rawcsr []byte, cacrt *x509.Certificate, cakey crypto.PrivateKey, op
github-code-scanning[bot] commented 2022-06-05 06:03:30 +03:00 (Migrated from github.com)
Review

Disabled TLS certificate check

InsecureSkipVerify should not be used in production code.

Show more details

## Disabled TLS certificate check InsecureSkipVerify should not be used in production code. [Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
github-code-scanning[bot] commented 2022-06-05 06:03:30 +03:00 (Migrated from github.com)
Review

Disabled TLS certificate check

InsecureSkipVerify should not be used in production code.

Show more details

## Disabled TLS certificate check InsecureSkipVerify should not be used in production code. [Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
IsCA: options.IsCA, IsCA: options.IsCA,
} }
if !options.IsCA { if options.IsCA {
github-code-scanning[bot] commented 2022-06-05 06:03:30 +03:00 (Migrated from github.com)
Review

Disabled TLS certificate check

InsecureSkipVerify should not be used in production code.

Show more details

## Disabled TLS certificate check InsecureSkipVerify should not be used in production code. [Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
github-code-scanning[bot] commented 2022-06-05 06:03:30 +03:00 (Migrated from github.com)
Review

Disabled TLS certificate check

InsecureSkipVerify should not be used in production code.

Show more details

## Disabled TLS certificate check InsecureSkipVerify should not be used in production code. [Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
cacrt = tpl cacrt = tpl
} else { } else {
tpl.Issuer = cacrt.Subject tpl.Issuer = cacrt.Subject

github-code-scanning[bot] commented 2022-06-05 06:03:30 +03:00 (Migrated from github.com)
Review

Disabled TLS certificate check

InsecureSkipVerify should not be used in production code.

Show more details

## Disabled TLS certificate check InsecureSkipVerify should not be used in production code. [Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)
github-code-scanning[bot] commented 2022-06-05 06:03:30 +03:00 (Migrated from github.com)
Review

Disabled TLS certificate check

InsecureSkipVerify should not be used in production code.

Show more details

## Disabled TLS certificate check InsecureSkipVerify should not be used in production code. [Show more details](https://github.com/unistack-org/micro/security/code-scanning/2)

View File

@ -10,6 +10,7 @@ func TestNewCa(t *testing.T) {
bcrt, key, err := NewCA( bcrt, key, err := NewCA(
CertificateOrganization("test_org"), CertificateOrganization("test_org"),
CertificateOrganizationalUnit("test_unit"), CertificateOrganizationalUnit("test_unit"),
CertificateIsCA(true),
) )
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
@ -23,7 +24,7 @@ func TestNewCa(t *testing.T) {
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
if crt.IsCA { if !crt.IsCA {
t.Fatalf("crt IsCA invalid %v", crt) t.Fatalf("crt IsCA invalid %v", crt)
} }
if crt.Subject.Organization[0] != "test_org" { if crt.Subject.Organization[0] != "test_org" {
@ -33,3 +34,40 @@ func TestNewCa(t *testing.T) {
t.Fatalf("crt subject invalid %v", crt.Subject) t.Fatalf("crt subject invalid %v", crt.Subject)
} }
} }
func TestNewIntermediate(t *testing.T) {
bcrt, cakey, err := NewCA(
CertificateOrganization("test_org"),
CertificateOrganizationalUnit("test_unit"),
)
if err != nil {
t.Fatal(err)
}
cacrt, err := x509.ParseCertificate(bcrt)
if err != nil {
t.Fatal(err)
}
bcrt, ikey, err := NewIntermediate(cacrt, cakey,
CertificateOrganization("test_org"),
CertificateOrganizationalUnit("test_unit"),
)
if err != nil {
t.Fatal(err)
}
_ = ikey
icrt, err := x509.ParseCertificate(bcrt)
if err != nil {
t.Fatal(err)
}
if icrt.IsCA {
t.Fatalf("crt IsCA invalid %v", icrt)
}
if icrt.Subject.Organization[0] != "test_org" {
t.Fatalf("crt subject invalid %v", icrt.Subject)
}
if icrt.Subject.OrganizationalUnit[0] != "test_unit" {
t.Fatalf("crt subject invalid %v", icrt.Subject)
}
}