From 08a23f637943d92c6898cd196f170456cecd6b60 Mon Sep 17 00:00:00 2001
From: Chris Marslender
Date: Thu, 12 Sep 2024 12:07:48 -0500
Subject: [PATCH 1/3] Make GenerateNewCA not write a file. call WriteCertAndKey after if it needs to be written
---
 pkg/tls/tls.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/pkg/tls/tls.go b/pkg/tls/tls.go
index 030635c..722f0ea 100644
--- a/pkg/tls/tls.go
+++ b/pkg/tls/tls.go
@@ -77,10 +77,14 @@ func GenerateAllCerts(outDir string, privateCACert *x509.Certificate, privateCAK if privateCACert == nil && privateCAKey == nil { // If privateCACert and privateCAKey are both nil, we will generate a new one - privateCACertBytes, privateCAKeyBytes, err := GenerateNewCA(path.Join(outDir, "ca", "private_ca")) + privateCACertDER, privateCAKey, err := GenerateNewCA() if err != nil { return fmt.Errorf("error creating private ca pair: %w", err) } + privateCACertBytes, privateCAKeyBytes, err := WriteCertAndKey(privateCACertDER, privateCAKey, path.Join(outDir, "ca", "private_ca")) + if err != nil { + return fmt.Errorf("error writing private ca: %w", err) + } privateCACert, err = ParsePemCertificate(privateCACertBytes) if err != nil { return fmt.Errorf("error parsing generated private_ca.crt: %w", err)
@@ -222,7 +226,7 @@ func WriteCertAndKey(certDER []byte, certKey *rsa.PrivateKey, certKeyBase string } // GenerateNewCA generates a new CA -func GenerateNewCA(certKeyBase string) ([]byte, []byte, error) { +func GenerateNewCA() ([]byte, *rsa.PrivateKey, error) { // Generate a new RSA private key privateKey, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil {
@@ -256,7 +260,7 @@ func GenerateNewCA(certKeyBase string) ([]byte, []byte, error) { return nil, nil, err } - return WriteCertAndKey(certDER, privateKey, certKeyBase) + return certDER, privateKey, nil } // GenerateCASignedCert generates a new key/cert signed by the given CA
From 078603b4b5c1e80cc850bd9d01b290d252f1d174 Mon Sep 17 00:00:00 2001 
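Review bot: The new `WriteCertAndKey` call exists only to persist the pair, yet the block still depends on its first result to rebuild the certificate through `ParsePemCertificate`; with the DER bytes now in scope, `privateCACert, err = x509.ParseCertificate(privateCACertDER)` would drop that round trip through the PEM written to disk and let both `WriteCertAndKey` results be discarded (the same applies to the reworked call in patch 2 and the `var privateCACertDER` block in patch 3). Note also that the `GenerateNewCA()` result is bound with `:=` inside the `if` block, so the `privateCAKey` written here is a new block-local that shadows the function parameter — patch 3 of this series deals with that. The CA private key now reaches disk solely through `WriteCertAndKey`, whose body lies outside this hunk; it is worth confirming that it creates the key file with owner-only permissions, since this is the only place that decides them. `GenerateAllCerts` starts before and continues past the hunk.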
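Review bot: The doc comment `// GenerateNewCA generates a new CA` no longer describes the function after this signature change: it should state what the two results are and that nothing is persisted any more, e.g. `// GenerateNewCA generates a 2048-bit RSA key and a CA certificate, returning the DER-encoded certificate and the private key. Nothing is written to disk; use WriteCertAndKey to persist the pair.` The body of `GenerateNewCA` continues past this hunk.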
From: Chris Marslender
Date: Thu, 12 Sep 2024 12:11:16 -0500
Subject: [PATCH 2/3] Remove unused pem parsing, since we get private key back initially now
---
 pkg/tls/tls.go | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/pkg/tls/tls.go b/pkg/tls/tls.go
index 722f0ea..e1965a1 100644
--- a/pkg/tls/tls.go
+++ b/pkg/tls/tls.go
@@ -81,7 +81,7 @@ func GenerateAllCerts(outDir string, privateCACert *x509.Certificate, privateCAK if err != nil { return fmt.Errorf("error creating private ca pair: %w", err) } - privateCACertBytes, privateCAKeyBytes, err := WriteCertAndKey(privateCACertDER, privateCAKey, path.Join(outDir, "ca", "private_ca")) + privateCACertBytes, _, err := WriteCertAndKey(privateCACertDER, privateCAKey, path.Join(outDir, "ca", "private_ca")) if err != nil { return fmt.Errorf("error writing private ca: %w", err) }
@@ -89,10 +89,6 @@ func GenerateAllCerts(outDir string, privateCACert *x509.Certificate, privateCAK if err != nil { return fmt.Errorf("error parsing generated private_ca.crt: %w", err) } - privateCAKey, err = ParsePemKey(privateCAKeyBytes) - if err != nil { - return fmt.Errorf("error parsing generated private_ca.key: %w", err) - } } else if privateCACert == nil || privateCAKey == nil { // If only one of them is nil, we can't continue return errors.New("you must provide the CA cert and key if providing a CA, or set both to nil and a new CA will be generated")
From 7dfad16d6e733985ee264c8e190cc8c1b7560141 Mon Sep 17 00:00:00 2001
From: Chris Marslender
Date: Thu, 12 Sep 2024 12:17:02 -0500
Subject: [PATCH 3/3] Ensure we assign the privateCAKey outside the if block
---
 pkg/tls/tls.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/tls/tls.go b/pkg/tls/tls.go
index e1965a1..e03d4c1 100644
--- a/pkg/tls/tls.go
+++ b/pkg/tls/tls.go
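Review bot: The blank identifier on `privateCACertBytes, _, err := WriteCertAndKey(...)` deserves a one-line justification, because a reader of the old code expects the key PEM to be parsed back: `// key PEM discarded: the *rsa.PrivateKey returned by GenerateNewCA is used directly`. Once the `ParsePemKey` assignment disappears in the next hunk, this block no longer writes to the `privateCAKey` parameter at all — the `:=` introduced by the previous commit bound a block-local of that name — so any later signing with the caller-visible key would see nil; patch 3 of this series addresses that. `GenerateAllCerts` starts before and continues past the hunk.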
@@ -77,7 +77,8 @@ func GenerateAllCerts(outDir string, privateCACert *x509.Certificate, privateCAK if privateCACert == nil && privateCAKey == nil { // If privateCACert and privateCAKey are both nil, we will generate a new one - privateCACertDER, privateCAKey, err := GenerateNewCA() + var privateCACertDER []byte + privateCACertDER, privateCAKey, err = GenerateNewCA() if err != nil { return fmt.Errorf("error creating private ca pair: %w", err) }
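Review bot: The switch to `var privateCACertDER []byte` followed by a plain `=` assignment is the right fix but reads as accidental without a comment; suggest `// assign with =, not :=: privateCAKey is the function parameter and must still hold the key after this block` above the `var` line. The `=` form also requires `err` to be declared in an enclosing scope that the hunk does not show — presumably it is, given the commit builds — while the `privateCACertBytes, _, err := WriteCertAndKey(...)` that follows in the same block (outside this hunk) will then bind a second, block-local `err`, which is the kind of mixed use that tends to reintroduce exactly this shadowing later. `GenerateAllCerts` starts before and continues past the hunk.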