feature: support load x-ca/ca

Signed-off-by: xiexianbin <me@xiexianbin.cn>

Author: xiexianbin

.gitignore

@@ -17,5 +17,4 @@
 bin/
 .history/
 .idea/
-certs/
 x-ca

README.md

@@ -1,32 +1,35 @@
 # go-ca
 
-golang x-ca client， which can simple Sign Self Root/Second-Level CA, and sign for Domains and IPs.
+golang x-ca client, which can simple Sign Self Root/Second-Level CA, and sign for Domains and IPs.
 
 shell implement at [x-ca/x-ca](https://github.com/x-ca/x-ca)
 
 ## install
 
 ```
 curl -Lfs -o xca https://github.com/x-ca/go-ca/releases/latest/download/xca-{linux|darwin|windows}
-chmox +x xca
+chmod +x xca
+mv xca /usr/local/bin/
 ```
 
 ## Help
 
 ```
-$ bin/xca --help
+$ xca --help
 Create Root CA and TLS CA:
-goca -create-ca true \
+xca -create-ca true \
   -root-cert x-ca/ca/root-ca.crt \
   -root-key x-ca/ca/root-ca/private/root-ca.key \
   -tls-cert x-ca/ca/tls-ca.crt \
-  -tls-key x-ca/ca/tls-ca/private/tls-ca.key
+  -tls-key x-ca/ca/tls-ca/private/tls-ca.key \
+  -tls-chain x-ca/ca/tls-ca-chain.pem
 
 Sign Domains or Ips:
 xca -cn xxxx \
   --domains "xxx,xxx" --ips "xxx,xxx" \
   -tls-cert x-ca/ca/tls-ca.crt \
-  -tls-key x-ca/ca/tls-ca/private/tls-ca.key
+  -tls-key x-ca/ca/tls-ca/private/tls-ca.key \
+  -tls-chain x-ca/ca/tls-ca-chain.pem
 
 Usage:
   -cn string
@@ -42,19 +45,26 @@ Usage:
   -root-cert string
     	Root certificate file path, PEM format. (default "x-ca/ca/root-ca.crt")
   -root-key string
-    	Root private key file path, PEM/? format. (default "x-ca/ca/root-ca/private/root-ca.key")
+    	Root private key file path, PEM format. (default "x-ca/ca/root-ca/private/root-ca.key")
   -tls-cert string
     	Second-Level certificate file path, PEM format. (default "x-ca/ca/tls-ca.crt")
+  -tls-chain string
+    	Root/Second-Level CA Chain file path, PEM format. (default "x-ca/ca/tls-ca-chain.pem")
   -tls-key string
-    	Second-Level private key file path, PEM/? format. (default "x-ca/ca/tls-ca/private/tls-ca.key")
+    	Second-Level private key file path, PEM format. (default "x-ca/ca/tls-ca/private/tls-ca.key")
+  -tls-key-password string
+    	tls key password, only work for load github.com/x-ca/x-ca.
+
+Source Code:
+  https://github.com/x-ca/go-ca
 ```
 
 ## Usage Demo
 
 - create ca
 
 ```
-bin/xca -create-ca true \
+xca -create-ca true \
   -root-cert x-ca/ca/root-ca.crt \
   -root-key x-ca/ca/root-ca/private/root-ca.key \
   -tls-cert x-ca/ca/tls-ca.crt \
@@ -73,11 +83,11 @@ git clone git@github.com:x-ca/ca.git x-ca
 - sign domain
 
 ```
-bin/xca -cn xiexianbin.cn \
+xca -cn xiexianbin.cn \
   --domains "*.xiexianbin.cn,*.80.xyz" \
   --ips 100.80.0.128 \
   -tls-cert x-ca/ca/tls-ca.crt \
-  -tls-key x-ca/ca/tls-ca/private/tls-ca.key
+  -tls-key x-ca/ca/tls-ca/private/[tls-ca.key | tls-ca-des3.key]
 ```
 
 - test cert
@@ -86,13 +96,18 @@ bin/xca -cn xiexianbin.cn \
 docker run -it -d \
   -p 8443:443 \
   -v $(pwd)/examples/default.conf:/etc/nginx/conf.d/default.conf \
-  -v $(pwd)/certs/xiexianbin.cn/xiexianbin.cn.bundle.crt:/etc/pki/nginx/server.crt \
-  -v $(pwd)/certs/xiexianbin.cn/xiexianbin.cn.key:/etc/pki/nginx/private/server.key \
+  -v $(pwd)/x-ca/certs/xiexianbin.cn/xiexianbin.cn.bundle.crt:/etc/pki/nginx/server.crt \
+  -v $(pwd)/x-ca/certs/xiexianbin.cn/xiexianbin.cn.key:/etc/pki/nginx/private/server.key \
   nginx
 ```
 
 visit https://dev.xiexianbin.cn:8443/
 
+## FaQ
+
+if CA Cert begin with `BEGIN ENCRYPTED PRIVATE KEY`(raise `Error: fromPEMBytes: x509: no DEK-Info header in block`), 
+Use `openssl rsa -in root-ca.key -des3` change cipher
+
 ## Ref
 
 - [基于OpenSSL签署根CA、二级CA](https://www.xiexianbin.cn/s/ca/)

ca/root.go

@@ -37,6 +37,7 @@ const (
 )
 
 var (
+	// sort.StringsAreSorted(supportPemType) == true
 	supportPemType = []string{"ECDSA PRIVATE KEY", "RSA PRIVATE KEY"}
 )
 
@@ -64,7 +65,7 @@ func NewRootCA(keyBits int) (*RootCA, error) {
 }
 
 // LoadRootCA create new tls CA
-func LoadRootCA(keyPath, certPath string) (*RootCA, error) {
+func LoadRootCA(keyPath, certPath, password string) (*RootCA, error) {
 	keyBytes, kErr := ioutil.ReadFile(keyPath)
 	certBytes, cErr := ioutil.ReadFile(certPath)
 	if kErr != nil {
@@ -77,10 +78,39 @@ func LoadRootCA(keyPath, certPath string) (*RootCA, error) {
 	keyBlock, _ := pem.Decode(keyBytes)
 	if keyBlock == nil {
 		return nil, fmt.Errorf("decode key is nil")
-	} else if sort.SearchStrings(supportPemType, keyBlock.Type) < 0 {
+	} else if supportPemType[sort.SearchStrings(supportPemType, keyBlock.Type)] != keyBlock.Type {
 		return nil, fmt.Errorf("unsupport PEM type %s", keyBlock.Type)
 	}
-	key, err := x509.ParsePKCS1PrivateKey(keyBlock.Bytes)
+
+	/* Fix x-ca/ca root/tls key Problem
+	 * https://github.com/x-ca/ca/blob/f82f6cc529662d5a751b79d87698a13c65f342ec/etc/root-ca.conf#L15
+	 * https://security.stackexchange.com/questions/93417/what-encryption-is-applied-on-a-key-generated-by-openssl-req
+	 * https://rfc-editor.org/rfc/rfc1423.html
+	 * openssl asn1parse -in root-ca.key -i | cut -c-90
+	 * - golang code
+	 *
+	 * if x509.IsEncryptedPEMBlock(keyBlock) == true {
+	 *    der, err := x509.DecryptPEMBlock(keyBlock, []byte("pwd"))
+	 *    key, _ = x509.ParsePKCS1PrivateKey(der)
+	 * } else {
+	 *    key, err = x509.ParsePKCS1PrivateKey(keyBlock.Bytes)
+	 * }
+	 *
+	 * Raise error: `Error: fromPEMBytes: x509: no DEK-Info header in block`
+	 *
+	 * - fix run: `openssl rsa -in root-ca.key -des3`
+	 */
+	var key *rsa.PrivateKey
+	var err error
+	if x509.IsEncryptedPEMBlock(keyBlock) == true {
+		der, err := x509.DecryptPEMBlock(keyBlock, []byte(password))
+		if err != nil {
+			return nil, err
+		}
+		key, _ = x509.ParsePKCS1PrivateKey(der)
+	} else {
+		key, err = x509.ParsePKCS1PrivateKey(keyBlock.Bytes)
+	}
 	if err != nil {
 		return nil, fmt.Errorf("load private key %s, error %s", keyPath, err)
 	}

ca/tls.go

@@ -72,7 +72,7 @@ func NewTLSCA(keyBits int, rootCert *x509.Certificate, rootKey *rsa.PrivateKey)
 }
 
 // LoadTLSCA create new tls CA
-func LoadTLSCA(keyPath, certPath string) (*TLSCA, error) {
+func LoadTLSCA(keyPath, certPath, password string) (*TLSCA, error) {
 	keyBytes, kErr := ioutil.ReadFile(keyPath)
 	certBytes, cErr := ioutil.ReadFile(certPath)
 	if kErr != nil {
@@ -85,10 +85,39 @@ func LoadTLSCA(keyPath, certPath string) (*TLSCA, error) {
 	keyBlock, _ := pem.Decode(keyBytes)
 	if keyBlock == nil {
 		return nil, fmt.Errorf("decode key is nil")
-	} else if sort.SearchStrings(supportPemType, keyBlock.Type) < 0 {
+	} else if supportPemType[sort.SearchStrings(supportPemType, keyBlock.Type)] != keyBlock.Type {
 		return nil, fmt.Errorf("unsupport PEM type %s", keyBlock.Type)
 	}
-	key, err := x509.ParsePKCS1PrivateKey(keyBlock.Bytes)
+
+	/* Fix x-ca/ca root/tls key Problem
+	 * https://github.com/x-ca/ca/blob/f82f6cc529662d5a751b79d87698a13c65f342ec/etc/root-ca.conf#L15
+	 * https://security.stackexchange.com/questions/93417/what-encryption-is-applied-on-a-key-generated-by-openssl-req
+	 * https://rfc-editor.org/rfc/rfc1423.html
+	 * openssl asn1parse -in root-ca.key -i | cut -c-90
+	 * - golang code
+	 *
+	 * if x509.IsEncryptedPEMBlock(keyBlock) == true {
+	 *    der, err := x509.DecryptPEMBlock(keyBlock, []byte("pwd"))
+	 *    key, _ = x509.ParsePKCS1PrivateKey(der)
+	 * } else {
+	 *    key, err = x509.ParsePKCS1PrivateKey(keyBlock.Bytes)
+	 * }
+	 *
+	 * Raise error: `Error: fromPEMBytes: x509: no DEK-Info header in block`
+	 *
+	 * - fix run: `openssl rsa -in root-ca.key -des3`
+	 */
+	var key *rsa.PrivateKey
+	var err error
+	if x509.IsEncryptedPEMBlock(keyBlock) == true {
+		der, err := x509.DecryptPEMBlock(keyBlock, []byte(password))
+		if err != nil {
+			return nil, err
+		}
+		key, _ = x509.ParsePKCS1PrivateKey(der)
+	} else {
+		key, err = x509.ParsePKCS1PrivateKey(keyBlock.Bytes)
+	}
 	if err != nil {
 		return nil, fmt.Errorf("load private key %s, error %s", keyPath, err)
 	}
@@ -294,13 +323,13 @@ func (c *TLSCA) Sign(commonName string, domains []string, ips []net.IP, days, ke
 func (c *TLSCA) WriteCert(commonName string, key *rsa.PrivateKey, cert *x509.Certificate, tlsChainPath string) error {
 	// mkdir
 	var dir = strings.Replace(commonName, "*.", "", -1)
-	err := os.MkdirAll(fmt.Sprintf("certs/%s", dir), 0700)
+	err := os.MkdirAll(fmt.Sprintf("x-ca/certs/%s", dir), 0700)
 	if err != nil && !os.IsExist(err) {
 		return err
 	}
 
 	// write key
-	keyPath := fmt.Sprintf("certs/%s/%s.key", dir, commonName)
+	keyPath := fmt.Sprintf("x-ca/certs/%s/%s.key", dir, commonName)
 	keyFile, err := os.OpenFile(keyPath, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0600)
 	if err != nil {
 		return err
@@ -316,7 +345,7 @@ func (c *TLSCA) WriteCert(commonName string, key *rsa.PrivateKey, cert *x509.Cer
 	}
 
 	// write cert
-	certPath := fmt.Sprintf("certs/%s/%s.crt", dir, commonName)
+	certPath := fmt.Sprintf("x-ca/certs/%s/%s.crt", dir, commonName)
 	certFile, err := os.OpenFile(certPath, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0600)
 	if err != nil {
 		return err
@@ -332,7 +361,7 @@ func (c *TLSCA) WriteCert(commonName string, key *rsa.PrivateKey, cert *x509.Cer
 	}
 
 	// write cert chain
-	certChainPath := fmt.Sprintf("certs/%s/%s.bundle.crt", dir, commonName)
+	certChainPath := fmt.Sprintf("x-ca/certs/%s/%s.bundle.crt", dir, commonName)
 	certChainFile, err := os.OpenFile(certChainPath, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0600)
 	if err != nil {
 		return err
@@ -355,7 +384,7 @@ func (c *TLSCA) WriteCert(commonName string, key *rsa.PrivateKey, cert *x509.Cer
 	}
 
 	// print
-	fmt.Println("write cert to", fmt.Sprintf("./certs/%s/{%s.key,%s.crt,%s.bundle.crt}", commonName, commonName, commonName, commonName))
+	fmt.Println("write cert to", fmt.Sprintf("./x-ca/certs/%s/{%s.key,%s.crt,%s.bundle.crt}", commonName, commonName, commonName, commonName))
 
 	return nil
 }

main.go

@@ -25,29 +25,31 @@ import (
 )
 
 var (
-	createCa     bool
-	rootKeyPath  string
-	rootCertPath string
-	tlsKeyPath   string
-	tlsCertPath  string
-	tlsChainPath string
-	domainStr    string
-	commonName   string
-	domains      []string
-	ipStr        string
-	ips          []net.IP
-	help         bool
+	createCa       bool
+	rootKeyPath    string
+	rootCertPath   string
+	tlsKeyPath     string
+	tlsCertPath    string
+	tlsChainPath   string
+	tlsKeyPassword string
+	domainStr      string
+	commonName     string
+	domains        []string
+	ipStr          string
+	ips            []net.IP
+	help           bool
 )
 
 func init() {
 	flag.BoolVar(&createCa, "create-ca", false, "Create Root CA.")
-	flag.StringVar(&rootKeyPath, "root-key", "x-ca/ca/root-ca/private/root-ca.key", "Root private key file path, PEM/? format.")
+	flag.StringVar(&rootKeyPath, "root-key", "x-ca/ca/root-ca/private/root-ca.key", "Root private key file path, PEM format.")
 	flag.StringVar(&rootCertPath, "root-cert", "x-ca/ca/root-ca.crt", "Root certificate file path, PEM format.")
-	flag.StringVar(&tlsKeyPath, "tls-key", "x-ca/ca/tls-ca/private/tls-ca.key", "Second-Level private key file path, PEM/? format.")
+	flag.StringVar(&tlsKeyPath, "tls-key", "x-ca/ca/tls-ca/private/tls-ca.key", "Second-Level private key file path, PEM format.")
 	flag.StringVar(&tlsCertPath, "tls-cert", "x-ca/ca/tls-ca.crt", "Second-Level certificate file path, PEM format.")
 	flag.StringVar(&tlsChainPath, "tls-chain", "x-ca/ca/tls-ca-chain.pem", "Root/Second-Level CA Chain file path, PEM format.")
-	flag.StringVar(&commonName, "cn", "", "sign cert common name.")
+	flag.StringVar(&tlsKeyPassword, "tls-key-password", "", "tls key password, only work for load github.com/x-ca/x-ca.")
 	flag.StringVar(&domainStr, "domains", "", "Comma-Separated domain names.")
+	flag.StringVar(&commonName, "cn", "", "sign cert common name.")
 	flag.StringVar(&ipStr, "ips", "", "Comma-Separated IP addresses.")
 	flag.BoolVar(&help, "help", false, "show help message")
 
@@ -72,6 +74,9 @@ xca -cn xxxx \
 		fmt.Println()
 		fmt.Println("Usage:")
 		flag.PrintDefaults()
+		fmt.Println()
+		fmt.Println(`Source Code:
+  https://github.com/x-ca/go-ca`)
 	}
 }
 
@@ -143,7 +148,7 @@ func doCreateCa() error {
 func doSign() error {
 	var err error
 
-	tlsCA, err := ca.LoadTLSCA(tlsKeyPath, tlsCertPath)
+	tlsCA, err := ca.LoadTLSCA(tlsKeyPath, tlsCertPath, tlsKeyPassword)
 	if err != nil {
 		return err
 	}