40 lines
1.2 KiB
Go
40 lines
1.2 KiB
Go
|
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
||
|
// SPDX-License-Identifier: Apache-2.0
|
||
|
|
||
|
// Package dynamiccertauthority implements a x509 certificate authority capable of issuing
|
||
|
// certificates from a dynamically updating CA keypair.
|
||
|
package dynamiccertauthority
|
||
|
|
||
|
import (
|
||
|
"crypto/x509/pkix"
|
||
|
"time"
|
||
|
|
||
|
"go.pinniped.dev/internal/certauthority"
|
||
|
"go.pinniped.dev/internal/dynamiccert"
|
||
|
)
|
||
|
|
||
|
// CA is a type capable of issuing certificates.
|
||
|
type CA struct {
|
||
|
provider dynamiccert.Provider
|
||
|
}
|
||
|
|
||
|
// New creates a new CA, ready to issue certs whenever the provided provider has a keypair to
|
||
|
// provide.
|
||
|
func New(provider dynamiccert.Provider) *CA {
|
||
|
return &CA{
|
||
|
provider: provider,
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// IssuePEM issues a new server certificate for the given identity and duration, returning it as a
|
||
|
// pair of PEM-formatted byte slices for the certificate and private key.
|
||
|
func (c *CA) IssuePEM(subject pkix.Name, dnsNames []string, ttl time.Duration) ([]byte, []byte, error) {
|
||
|
caCrtPEM, caKeyPEM := c.provider.CurrentCertKeyContent()
|
||
|
ca, err := certauthority.Load(string(caCrtPEM), string(caKeyPEM))
|
||
|
if err != nil {
|
||
|
return nil, nil, err
|
||
|
}
|
||
|
|
||
|
return ca.IssuePEM(subject, dnsNames, ttl)
|
||
|
}
|