ACMEv2 client library for Go.

load.go 3.0KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146
  1. // Package acmeutils provides miscellaneous ACME-related utility functions.
  2. package acmeutils
  3. import (
  4. "crypto"
  5. "crypto/ecdsa"
  6. "crypto/rsa"
  7. "crypto/x509"
  8. "encoding/pem"
  9. "fmt"
  10. "io"
  11. "strings"
  12. )
  13. // Load one or more certificates from a sequence of PEM-encoded certificates.
  14. func LoadCertificates(pemBlock []byte) ([][]byte, error) {
  15. var derBlock *pem.Block
  16. var certs [][]byte
  17. for {
  18. derBlock, pemBlock = pem.Decode(pemBlock)
  19. if derBlock == nil {
  20. break
  21. }
  22. if derBlock.Type != "CERTIFICATE" {
  23. return nil, fmt.Errorf("is not a certificate")
  24. }
  25. certs = append(certs, derBlock.Bytes)
  26. }
  27. if len(certs) == 0 {
  28. return nil, fmt.Errorf("no certificates found")
  29. }
  30. return certs, nil
  31. }
  32. // Writes one or more DER-formatted certificates in PEM format.
  33. func SaveCertificates(w io.Writer, certificates ...[]byte) error {
  34. for _, c := range certificates {
  35. err := pem.Encode(w, &pem.Block{
  36. Type: "CERTIFICATE",
  37. Bytes: c,
  38. })
  39. if err != nil {
  40. return err
  41. }
  42. }
  43. return nil
  44. }
  45. // Load a PEM private key from a stream.
  46. func LoadPrivateKey(keyPEMBlock []byte) (crypto.PrivateKey, error) {
  47. var keyDERBlock *pem.Block
  48. for {
  49. keyDERBlock, keyPEMBlock = pem.Decode(keyPEMBlock)
  50. if keyDERBlock == nil {
  51. return nil, fmt.Errorf("failed to parse key PEM data")
  52. }
  53. if keyDERBlock.Type == "PRIVATE KEY" || strings.HasSuffix(keyDERBlock.Type, " PRIVATE KEY") {
  54. break
  55. }
  56. }
  57. pk, err := LoadPrivateKeyDER(keyDERBlock.Bytes)
  58. if err != nil {
  59. return nil, err
  60. }
  61. return pk, nil
  62. }
  63. // Parse a DER private key. The key can be RSA or ECDSA. PKCS8 containers are
  64. // supported.
  65. func LoadPrivateKeyDER(der []byte) (crypto.PrivateKey, error) {
  66. pk, err := x509.ParsePKCS1PrivateKey(der)
  67. if err == nil {
  68. return pk, nil
  69. }
  70. pk2, err := x509.ParsePKCS8PrivateKey(der)
  71. if err == nil {
  72. switch pk2 := pk2.(type) {
  73. case *rsa.PrivateKey, *ecdsa.PrivateKey:
  74. return pk2, nil
  75. default:
  76. return nil, fmt.Errorf("unknown private key type")
  77. }
  78. }
  79. epk, err := x509.ParseECPrivateKey(der)
  80. if err == nil {
  81. return epk, nil
  82. }
  83. return nil, fmt.Errorf("failed to parse private key")
  84. }
  85. // Write a private key in PEM form.
  86. func SavePrivateKey(w io.Writer, pk crypto.PrivateKey) error {
  87. var kb []byte
  88. var hdr string
  89. var err error
  90. switch v := pk.(type) {
  91. case *rsa.PrivateKey:
  92. kb = x509.MarshalPKCS1PrivateKey(v)
  93. hdr = "RSA PRIVATE KEY"
  94. case *ecdsa.PrivateKey:
  95. kb, err = x509.MarshalECPrivateKey(v)
  96. hdr = "EC PRIVATE KEY"
  97. default:
  98. return fmt.Errorf("unsupported private key type: %T", pk)
  99. }
  100. if err != nil {
  101. return err
  102. }
  103. err = pem.Encode(w, &pem.Block{
  104. Type: hdr,
  105. Bytes: kb,
  106. })
  107. if err != nil {
  108. return err
  109. }
  110. return nil
  111. }
  112. // Load a PEM CSR from a stream and return it in DER form.
  113. func LoadCSR(pemBlock []byte) ([]byte, error) {
  114. var derBlock *pem.Block
  115. for {
  116. derBlock, pemBlock = pem.Decode(pemBlock)
  117. if derBlock == nil {
  118. return nil, fmt.Errorf("failed to parse CSR PEM data")
  119. }
  120. if derBlock.Type == "CERTIFICATE REQUEST" {
  121. break
  122. }
  123. }
  124. return derBlock.Bytes, nil
  125. }