consul/agent/connect/generate.go

package connect

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"strings"
	"time"
)

const (
	DefaultPrivateKeyType      = "ec"
	DefaultPrivateKeyBits      = 256
	DefaultIntermediateCertTTL = 24 * 365 * time.Hour
)

func pemEncodeKey(key []byte, blockType string) (string, error) {
	var buf bytes.Buffer

	if err := pem.Encode(&buf, &pem.Block{Type: blockType, Bytes: key}); err != nil {
		return "", fmt.Errorf("error encoding private key: %s", err)
	}
	return buf.String(), nil
}

func generateRSAKey(keyBits int) (crypto.Signer, string, error) {
	var pk *rsa.PrivateKey

	pk, err := rsa.GenerateKey(rand.Reader, keyBits)
	if err != nil {
		return nil, "", fmt.Errorf("error generating RSA private key: %s", err)
	}

	bs := x509.MarshalPKCS1PrivateKey(pk)
	pemBlock, err := pemEncodeKey(bs, "RSA PRIVATE KEY")
	if err != nil {
		return nil, "", err
	}

	return pk, pemBlock, nil
}

func generateECDSAKey(keyBits int) (crypto.Signer, string, error) {
	var pk *ecdsa.PrivateKey
	var curve elliptic.Curve

	switch keyBits {
	case 224:
		curve = elliptic.P224()
	case 256:
		curve = elliptic.P256()
	case 384:
		curve = elliptic.P384()
	case 521:
		curve = elliptic.P521()
	default:
		return nil, "", fmt.Errorf("error generating ECDSA private key: unknown curve length %d", keyBits)
	}

	pk, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, "", fmt.Errorf("error generating ECDSA private key: %s", err)
	}

	bs, err := x509.MarshalECPrivateKey(pk)
	if err != nil {
		return nil, "", fmt.Errorf("error marshaling ECDSA private key: %s", err)
	}

	pemBlock, err := pemEncodeKey(bs, "EC PRIVATE KEY")
	if err != nil {
		return nil, "", err
	}

	return pk, pemBlock, nil
}

// GeneratePrivateKey generates a new Private key
func GeneratePrivateKeyWithConfig(keyType string, keyBits int) (crypto.Signer, string, error) {
	switch strings.ToLower(keyType) {
	case "rsa":
		return generateRSAKey(keyBits)
	case "ec":
		return generateECDSAKey(keyBits)
	default:
		return nil, "", fmt.Errorf("unknown private key type requested: %s", keyType)
	}
}

func GeneratePrivateKey() (crypto.Signer, string, error) {
	// TODO: find any calls to this func, replace with calls to GeneratePrivateKeyWithConfig()
	// using prefs `private_key_type` and `private_key_bits`
	return GeneratePrivateKeyWithConfig(DefaultPrivateKeyType, DefaultPrivateKeyBits)
}
Rename some of the CA structs/files 7 years ago			`package connect`

			`import (`
			`"bytes"`
Fix logical conflicts with CA refactor 7 years ago			`"crypto"`
Rename some of the CA structs/files 7 years ago			`"crypto/ecdsa"`
			`"crypto/elliptic"`
			`"crypto/rand"`
connect: Support RSA keys in addition to ECDSA (#6055) Support RSA keys in addition to ECDSA 5 years ago			`"crypto/rsa"`
Rename some of the CA structs/files 7 years ago			`"crypto/x509"`
			`"encoding/pem"`
			`"fmt"`
connect: Support RSA keys in addition to ECDSA (#6055) Support RSA keys in addition to ECDSA 5 years ago			`"strings"`
connect: add validations around intermediate cert ttl (#7213) 5 years ago			`"time"`
Rename some of the CA structs/files 7 years ago			`)`

connect: Support RSA keys in addition to ECDSA (#6055) Support RSA keys in addition to ECDSA 5 years ago			`const (`
connect: add validations around intermediate cert ttl (#7213) 5 years ago			`DefaultPrivateKeyType = "ec"`
			`DefaultPrivateKeyBits = 256`
			`DefaultIntermediateCertTTL = 24 * 365 * time.Hour`
connect: Support RSA keys in addition to ECDSA (#6055) Support RSA keys in addition to ECDSA 5 years ago			`)`

			`func pemEncodeKey(key []byte, blockType string) (string, error) {`
			`var buf bytes.Buffer`

			`if err := pem.Encode(&buf, &pem.Block{Type: blockType, Bytes: key}); err != nil {`
			`return "", fmt.Errorf("error encoding private key: %s", err)`
			`}`
			`return buf.String(), nil`
			`}`

			`func generateRSAKey(keyBits int) (crypto.Signer, string, error) {`
			`var pk *rsa.PrivateKey`

			`pk, err := rsa.GenerateKey(rand.Reader, keyBits)`
			`if err != nil {`
			`return nil, "", fmt.Errorf("error generating RSA private key: %s", err)`
			`}`

			`bs := x509.MarshalPKCS1PrivateKey(pk)`
			`pemBlock, err := pemEncodeKey(bs, "RSA PRIVATE KEY")`
			`if err != nil {`
			`return nil, "", err`
			`}`

			`return pk, pemBlock, nil`
			`}`

			`func generateECDSAKey(keyBits int) (crypto.Signer, string, error) {`
Rename some of the CA structs/files 7 years ago			`var pk *ecdsa.PrivateKey`
connect: Support RSA keys in addition to ECDSA (#6055) Support RSA keys in addition to ECDSA 5 years ago			`var curve elliptic.Curve`
Rename some of the CA structs/files 7 years ago
connect: Support RSA keys in addition to ECDSA (#6055) Support RSA keys in addition to ECDSA 5 years ago			`switch keyBits {`
			`case 224:`
			`curve = elliptic.P224()`
			`case 256:`
			`curve = elliptic.P256()`
			`case 384:`
			`curve = elliptic.P384()`
			`case 521:`
			`curve = elliptic.P521()`
			`default:`
			`return nil, "", fmt.Errorf("error generating ECDSA private key: unknown curve length %d", keyBits)`
			`}`

			`pk, err := ecdsa.GenerateKey(curve, rand.Reader)`
Rename some of the CA structs/files 7 years ago			`if err != nil {`
connect: Support RSA keys in addition to ECDSA (#6055) Support RSA keys in addition to ECDSA 5 years ago			`return nil, "", fmt.Errorf("error generating ECDSA private key: %s", err)`
Rename some of the CA structs/files 7 years ago			`}`

			`bs, err := x509.MarshalECPrivateKey(pk)`
			`if err != nil {`
connect: Support RSA keys in addition to ECDSA (#6055) Support RSA keys in addition to ECDSA 5 years ago			`return nil, "", fmt.Errorf("error marshaling ECDSA private key: %s", err)`
Rename some of the CA structs/files 7 years ago			`}`

connect: Support RSA keys in addition to ECDSA (#6055) Support RSA keys in addition to ECDSA 5 years ago			`pemBlock, err := pemEncodeKey(bs, "EC PRIVATE KEY")`
Rename some of the CA structs/files 7 years ago			`if err != nil {`
connect: Support RSA keys in addition to ECDSA (#6055) Support RSA keys in addition to ECDSA 5 years ago			`return nil, "", err`
Rename some of the CA structs/files 7 years ago			`}`

connect: Support RSA keys in addition to ECDSA (#6055) Support RSA keys in addition to ECDSA 5 years ago			`return pk, pemBlock, nil`
			`}`

			`// GeneratePrivateKey generates a new Private key`
			`func GeneratePrivateKeyWithConfig(keyType string, keyBits int) (crypto.Signer, string, error) {`
			`switch strings.ToLower(keyType) {`
			`case "rsa":`
			`return generateRSAKey(keyBits)`
			`case "ec":`
			`return generateECDSAKey(keyBits)`
			`default:`
			`return nil, "", fmt.Errorf("unknown private key type requested: %s", keyType)`
			`}`
			`}`

			`func GeneratePrivateKey() (crypto.Signer, string, error) {`
			`// TODO: find any calls to this func, replace with calls to GeneratePrivateKeyWithConfig()`
			// using prefs `private_key_type` and `private_key_bits`
			`return GeneratePrivateKeyWithConfig(DefaultPrivateKeyType, DefaultPrivateKeyBits)`
Rename some of the CA structs/files 7 years ago			`}`