Merge pull request #58 from alan4chen/validity

make CA cert validity period configurable

cmd/gen-cacert/main.go

@@ -88,6 +88,7 @@ func main() {
 		Organization:           cc.Organization,
 		OrganizationalUnit:     cc.OrganizationalUnit,
 		CommonName:             cc.CommonName,
+		ValidityPeriod:         cc.ValidityPeriod,
 	}}, requireX509CACert, hostname, ips)
 	if err != nil {
 		log.Fatalf("unable to initialize cert signer: %v", err)

config/config.go

@@ -86,6 +86,8 @@ type KeyConfig struct {
 	X509CACertLocation string
 	// Fields of the CA cert in subject line.
 	Country, State, Locality, Organization, OrganizationalUnit, CommonName string
+	// The validity time period of the CA cert, which is specified in seconds.
+	ValidityPeriod uint64
 }
 
 // Config defines struct to store configuration fields for crypki.

config/config_test.go

@@ -19,9 +19,9 @@ func TestParse(t *testing.T) {
 		TLSPort:           "4443",
 		SignersPerPool:    2,
 		Keys: []KeyConfig{
-			{"key1", 1, "/path/1", "foo", 2, 1, true, "/path/foo", "", "", "", "", "", "My CA"},
-			{"key2", 2, "/path/2", "bar", 2, 1, false, "", "", "", "", "", "", ""},
-			{"key3", 3, "/path/3", "baz", 2, 1, false, "/path/baz", "", "", "", "", "", ""},
+			{"key1", 1, "/path/1", "foo", 2, 1, true, "/path/foo", "", "", "", "", "", "My CA", 0},
+			{"key2", 2, "/path/2", "bar", 2, 1, false, "", "", "", "", "", "", "", 0},
+			{"key3", 3, "/path/3", "baz", 2, 1, false, "/path/baz", "", "", "", "", "", "", 0},
 		},
 		KeyUsages: []KeyUsage{
 			{"/sig/x509-cert", []string{"key1", "key3"}, 3600},

crypki.go

@@ -30,6 +30,16 @@ const (
 	UnknownPublicKeyAlgorithm PublicKeyAlgorithm = iota
 	RSA
 	ECDSA
+
+	// Default values for CAconfig.
+	defaultCounty = "ZZ" // Unknown or unspecified country
+	defaultState = "StateName"
+	defaultCity = "CityName"
+	defaultCompany = "CompanyName"
+	defaultOrganization = "OrganizationUnitName"
+	defaultCommonName = "www.example.com"
+	defaultValidityPeriod = uint64(730 * 24 * 3600) // 2 years
+
 )
 
 // CertSign interface contains methods related to signing certificates.
@@ -58,10 +68,38 @@ type CAConfig struct {
 	OrganizationalUnit string `json:"OrganizationalUnit"`
 	CommonName         string `json:"CommonName"`
 
+	// The validity time period of the CA cert, which is specified in seconds.
+	ValidityPeriod uint64 `json:"ValidityPeriod"`
+
 	// PKCS#11 device fields.
 	Identifier       string `json:"Identifier"`
 	KeyLabel         string `json:"KeyLabel"`
 	SlotNumber       int    `json:"SlotNumber"`
 	UserPinPath      string `json:"UserPinPath"`
 	PKCS11ModulePath string `json:"PKCS11ModulePath"`
 }
+
+// LoadDefaults assigns default values to missing required configuration fields.
+func (c *CAConfig) LoadDefaults() {
+	if c.Country == "" {
+		c.Country = defaultCounty
+	}
+	if c.State == "" {
+		c.State = defaultState
+	}
+	if c.Locality == "" {
+		c.Locality = defaultCity
+	}
+	if c.Organization == "" {
+		c.Organization = defaultCompany
+	}
+	if c.OrganizationalUnit == "" {
+		c.OrganizationalUnit = defaultOrganization
+	}
+	if c.CommonName == "" {
+		c.CommonName = defaultCommonName
+	}
+	if c.ValidityPeriod <= 0 {
+		c.ValidityPeriod = defaultValidityPeriod
+	}
+}

pkcs11/signer.go

@@ -237,14 +237,18 @@ func getX509CACert(key config.KeyConfig, pool sPool, hostname string, ips []net.
 	signer := pool.get()
 	defer pool.put(signer)
 
-	out, err := x509cert.GenCACert(&crypki.CAConfig{
+	caConfig := &crypki.CAConfig{
 		Country:            key.Country,
 		State:              key.State,
 		Locality:           key.Locality,
 		Organization:       key.Organization,
 		OrganizationalUnit: key.OrganizationalUnit,
 		CommonName:         key.CommonName,
-	}, signer, hostname, ips, signer.signAlgorithm())
+		ValidityPeriod:     key.ValidityPeriod,
+	}
+	caConfig.LoadDefaults()
+
+	out, err := x509cert.GenCACert(caConfig, signer, hostname, ips, signer.signAlgorithm())
 	if err != nil {
 		return nil, fmt.Errorf("unable to generate x509 CA certificate: %v", err)
 	}

x509cert/x509.go

@@ -19,11 +19,9 @@ import (
 
 // GenCACert creates the CA certificate given signer.
 func GenCACert(config *crypki.CAConfig, signer crypto.Signer, hostname string, ips []net.IP, pka crypki.PublicKeyAlgorithm) ([]byte, error) {
-	const validityPeriod = uint64(730 * 24 * 3600) // 2 years
-
 	// Backdate start time by one hour as the current system clock may be ahead of other running systems.
 	start := uint64(time.Now().Unix())
-	end := start + validityPeriod
+	end := start + config.ValidityPeriod
 	start -= 3600
 
 	subj := pkix.Name{