mirror of https://github.com/slackhq/nebula.git
119 lines
2.6 KiB
Go
119 lines
2.6 KiB
Go
|
package e2e
|
||
|
|
||
|
import (
|
||
|
"crypto/rand"
|
||
|
"io"
|
||
|
"net"
|
||
|
"time"
|
||
|
|
||
|
"github.com/slackhq/nebula/cert"
|
||
|
"golang.org/x/crypto/curve25519"
|
||
|
"golang.org/x/crypto/ed25519"
|
||
|
)
|
||
|
|
||
|
// NewTestCaCert will generate a CA cert
|
||
|
func NewTestCaCert(before, after time.Time, ips, subnets []*net.IPNet, groups []string) (*cert.NebulaCertificate, []byte, []byte, []byte) {
|
||
|
pub, priv, err := ed25519.GenerateKey(rand.Reader)
|
||
|
if before.IsZero() {
|
||
|
before = time.Now().Add(time.Second * -60).Round(time.Second)
|
||
|
}
|
||
|
if after.IsZero() {
|
||
|
after = time.Now().Add(time.Second * 60).Round(time.Second)
|
||
|
}
|
||
|
|
||
|
nc := &cert.NebulaCertificate{
|
||
|
Details: cert.NebulaCertificateDetails{
|
||
|
Name: "test ca",
|
||
|
NotBefore: time.Unix(before.Unix(), 0),
|
||
|
NotAfter: time.Unix(after.Unix(), 0),
|
||
|
PublicKey: pub,
|
||
|
IsCA: true,
|
||
|
InvertedGroups: make(map[string]struct{}),
|
||
|
},
|
||
|
}
|
||
|
|
||
|
if len(ips) > 0 {
|
||
|
nc.Details.Ips = ips
|
||
|
}
|
||
|
|
||
|
if len(subnets) > 0 {
|
||
|
nc.Details.Subnets = subnets
|
||
|
}
|
||
|
|
||
|
if len(groups) > 0 {
|
||
|
nc.Details.Groups = groups
|
||
|
}
|
||
|
|
||
|
err = nc.Sign(cert.Curve_CURVE25519, priv)
|
||
|
if err != nil {
|
||
|
panic(err)
|
||
|
}
|
||
|
|
||
|
pem, err := nc.MarshalToPEM()
|
||
|
if err != nil {
|
||
|
panic(err)
|
||
|
}
|
||
|
|
||
|
return nc, pub, priv, pem
|
||
|
}
|
||
|
|
||
|
// NewTestCert will generate a signed certificate with the provided details.
|
||
|
// Expiry times are defaulted if you do not pass them in
|
||
|
func NewTestCert(ca *cert.NebulaCertificate, key []byte, name string, before, after time.Time, ip *net.IPNet, subnets []*net.IPNet, groups []string) (*cert.NebulaCertificate, []byte, []byte, []byte) {
|
||
|
issuer, err := ca.Sha256Sum()
|
||
|
if err != nil {
|
||
|
panic(err)
|
||
|
}
|
||
|
|
||
|
if before.IsZero() {
|
||
|
before = time.Now().Add(time.Second * -60).Round(time.Second)
|
||
|
}
|
||
|
|
||
|
if after.IsZero() {
|
||
|
after = time.Now().Add(time.Second * 60).Round(time.Second)
|
||
|
}
|
||
|
|
||
|
pub, rawPriv := x25519Keypair()
|
||
|
|
||
|
nc := &cert.NebulaCertificate{
|
||
|
Details: cert.NebulaCertificateDetails{
|
||
|
Name: name,
|
||
|
Ips: []*net.IPNet{ip},
|
||
|
Subnets: subnets,
|
||
|
Groups: groups,
|
||
|
NotBefore: time.Unix(before.Unix(), 0),
|
||
|
NotAfter: time.Unix(after.Unix(), 0),
|
||
|
PublicKey: pub,
|
||
|
IsCA: false,
|
||
|
Issuer: issuer,
|
||
|
InvertedGroups: make(map[string]struct{}),
|
||
|
},
|
||
|
}
|
||
|
|
||
|
err = nc.Sign(ca.Details.Curve, key)
|
||
|
if err != nil {
|
||
|
panic(err)
|
||
|
}
|
||
|
|
||
|
pem, err := nc.MarshalToPEM()
|
||
|
if err != nil {
|
||
|
panic(err)
|
||
|
}
|
||
|
|
||
|
return nc, pub, cert.MarshalX25519PrivateKey(rawPriv), pem
|
||
|
}
|
||
|
|
||
|
func x25519Keypair() ([]byte, []byte) {
|
||
|
privkey := make([]byte, 32)
|
||
|
if _, err := io.ReadFull(rand.Reader, privkey); err != nil {
|
||
|
panic(err)
|
||
|
}
|
||
|
|
||
|
pubkey, err := curve25519.X25519(privkey, curve25519.Basepoint)
|
||
|
if err != nil {
|
||
|
panic(err)
|
||
|
}
|
||
|
|
||
|
return pubkey, privkey
|
||
|
}
|