Merge pull request #85 from mutablelogic/v5

V5

Author: djthorpe

go.mod

@@ -3,7 +3,7 @@ module github.com/mutablelogic/go-server
 go 1.23.5
 
 require (
-	github.com/djthorpe/go-pg v1.0.2
+	github.com/djthorpe/go-pg v1.0.3
 	github.com/stretchr/testify v1.10.0
 )
 

go.sum

@@ -24,8 +24,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/djthorpe/go-pg v1.0.2 h1:hbuyyRWt26k9jwoyt2WdYJdMICMtRozXj6lBgcIvwT0=
-github.com/djthorpe/go-pg v1.0.2/go.mod h1:XHl/w8+66Hs746nOYd+gdjqPImNuLVZ5UsXLI47rb4c=
+github.com/djthorpe/go-pg v1.0.3 h1:mD0fXftDlEaqxuCH+XAhHGmY/l93uBuPIgEy6iCSqRI=
+github.com/djthorpe/go-pg v1.0.3/go.mod h1:XHl/w8+66Hs746nOYd+gdjqPImNuLVZ5UsXLI47rb4c=
 github.com/docker/docker v27.1.1+incompatible h1:hO/M4MtV36kzKldqnA37IWhebRA+LnqqcqDja6kVaKY=
 github.com/docker/docker v27.1.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=

pkg/cert/cert.go

@@ -0,0 +1,285 @@
+package cert
+
+import (
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+	"io"
+	"time"
+
+	// Packages
+	schema "github.com/mutablelogic/go-server/pkg/cert/schema"
+	types "github.com/mutablelogic/go-server/pkg/types"
+)
+
+////////////////////////////////////////////////////////////////////////////////
+// TYPES
+
+// Certificate
+type Cert struct {
+	Name    string     `json:"name"`                // Common Name
+	Subject *uint64    `json:"subject,omitempty"`   // Subject
+	Signer  *Cert      `json:"signer,omitempty"`    // Signer
+	Ts      *time.Time `json:"timestamp,omitempty"` // Timestamp
+
+	// The private key and certificate
+	priv any
+	x509 x509.Certificate
+}
+
+////////////////////////////////////////////////////////////////////////////////
+// GLOBALS
+
+const (
+	// Supported key types
+	keyTypeRSA   = "RSA"
+	keyTypeECDSA = "ECDSA"
+
+	// DefaultBits is the default number of bits for a RSA private key
+	defaultBits = 2048
+)
+
+const (
+	PemTypePrivateKey  = "PRIVATE KEY"
+	PemTypeCertificate = "CERTIFICATE"
+)
+
+////////////////////////////////////////////////////////////////////////////////
+// LIFECYCLE
+
+// Create a new certificate
+func New(opts ...Opt) (*Cert, error) {
+	cert, err := apply(opts...)
+	if err != nil {
+		return nil, err
+	}
+
+	// Check for key
+	if cert.priv == nil || cert.PublicKey() == nil {
+		return nil, fmt.Errorf("missing private or public key")
+	}
+
+	// Set the NotBefore and NotAfter dates based on signer
+	if cert.Signer != nil {
+		if !cert.Signer.x509.NotBefore.IsZero() && cert.Signer.x509.NotBefore.After(cert.x509.NotBefore) {
+			cert.x509.NotBefore = cert.Signer.x509.NotBefore
+		}
+		if !cert.Signer.x509.NotAfter.IsZero() && cert.Signer.x509.NotAfter.Before(cert.x509.NotAfter) {
+			cert.x509.NotAfter = cert.Signer.x509.NotAfter
+		}
+	}
+
+	// Check for expiry
+	if cert.x509.NotAfter.IsZero() {
+		return nil, fmt.Errorf("missing expiry date")
+	}
+
+	// Set random serial number if not set
+	if cert.x509.SerialNumber == nil {
+		if err := WithRandomSerial()(cert); err != nil {
+			return nil, err
+		}
+	}
+
+	// Set the name from the common name
+	cert.Name = cert.x509.Subject.CommonName
+	if cert.Name == "" {
+		cert.Name = fmt.Sprintf("%x", cert.x509.SerialNumber)
+	}
+
+	// Create the certificate
+	signer := cert.Signer
+	if signer == nil {
+		signer = cert
+	} else {
+		cert.x509.Issuer = signer.x509.Subject
+	}
+	if data, err := x509.CreateCertificate(rand.Reader, &cert.x509, &signer.x509, cert.PublicKey(), signer.priv); err != nil {
+		return nil, err
+	} else {
+		cert.x509.Raw = data
+	}
+
+	// Return the certificate
+	return cert, nil
+}
+
+// Read a certificate
+func Read(r io.Reader) (*Cert, error) {
+	cert := new(Cert)
+	data, err := io.ReadAll(r)
+	if err != nil {
+		return nil, err
+	}
+
+	// Read until EOF
+	for len(data) > 0 {
+		// Decode the PEM block
+		block, rest := pem.Decode(data)
+		if block == nil {
+			return nil, fmt.Errorf("invalid PEM block")
+		}
+
+		// Parse the block
+		switch block.Type {
+		case PemTypeCertificate:
+			c, err := x509.ParseCertificate(block.Bytes)
+			if err != nil {
+				return nil, err
+			} else {
+				cert.x509 = *c
+			}
+		case PemTypePrivateKey:
+			key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+			if err != nil {
+				return nil, err
+			} else {
+				cert.priv = key
+			}
+		default:
+			return nil, fmt.Errorf("invalid PEM block type: %q", block.Type)
+		}
+
+		// Move to next block
+		data = rest
+	}
+
+	// Set name from serial number if not set
+	if cert.Name == "" {
+		cert.Name = fmt.Sprintf("%x", cert.x509.SerialNumber)
+	}
+
+	// Return success
+	return cert, nil
+}
+
+///////////////////////////////////////////////////////////////////////////////
+// STRINGIFY
+
+func (c Cert) MarshalJSON() ([]byte, error) {
+	return json.Marshal(c.Meta())
+}
+
+func (c Cert) String() string {
+	data, err := json.MarshalIndent(c, "", "  ")
+	if err != nil {
+		return err.Error()
+	}
+	return string(data)
+}
+
+///////////////////////////////////////////////////////////////////////////////
+// PUBLIC METHODS
+
+// Return metadata from a cert
+func (c Cert) Meta() schema.CertMeta {
+	signerNamePtr := func() *string {
+		if c.Signer != nil {
+			return types.StringPtr(c.Signer.Name)
+		} else {
+			return nil
+		}
+	}
+	return schema.CertMeta{
+		Name:         c.Name,
+		Signer:       signerNamePtr(),
+		SerialNumber: fmt.Sprintf("%x", c.x509.SerialNumber),
+		Subject:      c.x509.Subject.String(),
+		NotBefore:    c.x509.NotBefore,
+		NotAfter:     c.x509.NotAfter,
+		IPs:          c.x509.IPAddresses,
+		Hosts:        c.x509.DNSNames,
+		IsCA:         c.IsCA(),
+		KeyType:      c.keyType(),
+		KeyBits:      c.keySubtype(),
+	}
+}
+
+// Return metadata from a cert
+func (c Cert) SubjectMeta() schema.NameMeta {
+	fieldPtr := func(field []string) *string {
+		if len(field) > 0 {
+			return types.StringPtr(field[0])
+		} else {
+			return nil
+		}
+	}
+	return schema.NameMeta{
+		CommonName:    c.x509.Subject.CommonName,
+		Org:           fieldPtr(c.x509.Subject.Organization),
+		Unit:          fieldPtr(c.x509.Subject.OrganizationalUnit),
+		Country:       fieldPtr(c.x509.Subject.Country),
+		City:          fieldPtr(c.x509.Subject.Locality),
+		State:         fieldPtr(c.x509.Subject.Province),
+		StreetAddress: fieldPtr(c.x509.Subject.StreetAddress),
+		PostalCode:    fieldPtr(c.x509.Subject.PostalCode),
+	}
+}
+
+// Return true if the certificate is a certificate authority
+func (c *Cert) IsCA() bool {
+	return c.x509.IsCA
+}
+
+// Return the private key, or nil
+func (c *Cert) PrivateKey() any {
+	return c.priv
+}
+
+// Return the public key, or nil
+func (c *Cert) PublicKey() any {
+	switch k := c.priv.(type) {
+	case *rsa.PrivateKey:
+		return &k.PublicKey
+	case *ecdsa.PrivateKey:
+		return &k.PublicKey
+	case ed25519.PrivateKey:
+		return k.Public().(ed25519.PublicKey)
+	default:
+		return nil
+	}
+}
+
+// Output certificate as PEM format
+func (c *Cert) Write(w io.Writer) error {
+	return pem.Encode(w, &pem.Block{Type: PemTypeCertificate, Bytes: c.x509.Raw})
+}
+
+// Write the private key as PEM format
+func (c *Cert) WritePrivateKey(w io.Writer) error {
+	data, err := x509.MarshalPKCS8PrivateKey(c.priv)
+	if err != nil {
+		return err
+	}
+	return pem.Encode(w, &pem.Block{Type: PemTypePrivateKey, Bytes: data})
+}
+
+///////////////////////////////////////////////////////////////////////////////
+// PRIVATE METHODS
+
+func (c *Cert) keyType() string {
+	switch c.priv.(type) {
+	case *rsa.PrivateKey:
+		return keyTypeRSA
+	case *ecdsa.PrivateKey:
+		return keyTypeECDSA
+	default:
+		return ""
+	}
+}
+
+func (c *Cert) keySubtype() string {
+	switch k := c.priv.(type) {
+	case *rsa.PrivateKey:
+		return fmt.Sprintf("%d", k.N.BitLen())
+	case *ecdsa.PrivateKey:
+		return k.Params().Name
+	default:
+		return ""
+	}
+}