[csr] add certificate generation

Author: capcom6

.env.example

@@ -3,3 +3,6 @@ HTTP__PROXY_HEADER=X-Forwarded-For # HTTP proxy header
 HTTP__PROXIES=127.0.0.1 # HTTP trusted proxies
 
 STORAGE__URL=redis://localhost:6379/0 # Redis URL
+
+CSR__CA_CERT_PATH=./ca/ca.crt   # CA certificate
+CSR__CA_KEY_PATH=./ca/ca.key    # CA private key

.gitignore

@@ -126,6 +126,8 @@ $RECYCLE.BIN/
 # Custom rules (everything added below won't be overriden by 'Generate .gitignore File' if you use 'Update' option)
 
 tmp/
+ca/
+
 coverage.html
 
 go.work.sum

internal/config/config.go

@@ -21,7 +21,9 @@ type StorageConfig struct {
 }
 
 type CSR struct {
-	TTL time.Duration `envconfig:"CSR__TTL"`
+	TTL        time.Duration `envconfig:"CSR__TTL"`
+	CACertPath string        `envconfig:"CSR__CA_CERT_PATH" required:"true"`
+	CAKeyPath  string        `envconfig:"CSR__CA_KEY_PATH" required:"true"`
 }
 
 type Config struct {

internal/config/module.go

@@ -1,6 +1,8 @@
 package config
 
 import (
+	"os"
+
 	"github.com/android-sms-gateway/ca/internal/api"
 	"github.com/android-sms-gateway/ca/internal/csr"
 	"github.com/android-sms-gateway/ca/pkg/core/http"
@@ -29,8 +31,20 @@ var Module = fx.Module(
 		}
 	}),
 	fx.Provide(func(c Config) csr.Config {
+		caCert, err := os.ReadFile(c.CSR.CACertPath)
+		if err != nil {
+			panic(err)
+		}
+
+		caKey, err := os.ReadFile(c.CSR.CAKeyPath)
+		if err != nil {
+			panic(err)
+		}
+
 		return csr.Config{
-			TTL: c.CSR.TTL,
+			CACert: caCert,
+			CAKey:  caKey,
+			TTL:    c.CSR.TTL,
 		}
 	}),
 )

internal/csr/ca.go

@@ -0,0 +1,31 @@
+package csr
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+)
+
+func LoadCA(certPEM, keyPEM []byte) (*x509.Certificate, any, error) {
+	// Load CA certificate
+	block, _ := pem.Decode(certPEM)
+	if block == nil || block.Type != "CERTIFICATE" {
+		return nil, nil, fmt.Errorf("invalid CA certificate")
+	}
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to parse CA certificate: %w", err)
+	}
+
+	// Load CA private key
+	block, _ = pem.Decode(keyPEM)
+	if block == nil || (block.Type != "RSA PRIVATE KEY" && block.Type != "EC PRIVATE KEY" && block.Type != "PRIVATE KEY") {
+		return nil, nil, fmt.Errorf("invalid CA private key")
+	}
+	priv, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to parse CA private key: %w", err)
+	}
+
+	return cert, priv, nil
+}

internal/csr/config.go

@@ -3,5 +3,7 @@ package csr
 import "time"
 
 type Config struct {
-	TTL time.Duration
+	CACert []byte
+	CAKey  []byte
+	TTL    time.Duration
 }

internal/csr/domain.go

@@ -40,14 +40,19 @@ func (c CSR) toMap() map[string]string {
 }
 
 type CSRStatus struct {
+	CSR
 	id          string
 	status      client.CSRStatus
 	certificate string
 	reason      string
 }
 
-func NewCSRStatus(id string, status client.CSRStatus, certificate string, reason string) CSRStatus {
+func NewCSRStatus(id string, content string, metadata map[string]string, status client.CSRStatus, certificate string, reason string) CSRStatus {
 	return CSRStatus{
+		CSR: CSR{
+			content:  content,
+			metadata: metadata,
+		},
 		id:          id,
 		status:      status,
 		certificate: certificate,

internal/csr/module.go

@@ -14,7 +14,14 @@ var Module = fx.Module(
 	fx.Provide(func(config Config, redis *redis.Client) *repository {
 		return newRepository(redis, config.TTL)
 	}, fx.Private),
-	fx.Provide(NewService),
+	fx.Provide(func(config Config, csrs *repository, log *zap.Logger) (*Service, error) {
+		caCert, caKey, err := LoadCA(config.CACert, config.CAKey)
+		if err != nil {
+			return nil, err
+		}
+
+		return NewService(csrs, caCert, caKey, log), nil
+	}),
 	fx.Invoke(func(lc fx.Lifecycle, s *Service) {
 		lc.Append(fx.Hook{
 			OnStop: s.Stop,

internal/csr/repository.go

@@ -2,6 +2,7 @@ package csr
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"time"
@@ -66,7 +67,13 @@ func (r *repository) Get(ctx context.Context, requestId string) (CSRStatus, erro
 		return CSRStatus{}, ErrCSRNotFound
 	}
 
-	return NewCSRStatus(requestId, client.CSRStatus(status), res["certificate"], res["reason"]), nil
+	metadata := map[string]string{}
+
+	if err := json.Unmarshal([]byte(res["metadata"]), &metadata); err != nil {
+		return CSRStatus{}, fmt.Errorf("failed to get csr: %w", err)
+	}
+
+	return NewCSRStatus(requestId, res["content"], metadata, client.CSRStatus(status), res["certificate"], res["reason"]), nil
 }
 
 func newRepository(redis *redis.Client, ttl time.Duration) *repository {

internal/csr/service.go

@@ -2,12 +2,14 @@ package csr
 
 import (
 	"context"
+	"crypto/rand"
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
 	"fmt"
 	"math/big"
 	"runtime"
+	"strings"
 	"time"
 
 	"github.com/android-sms-gateway/ca/pkg/client"
@@ -20,6 +22,9 @@ import (
 type Service struct {
 	csrs *repository
 
+	caCert *x509.Certificate
+	caKey  any
+
 	queue *queue.Queue
 	newid func() string
 	log   *zap.Logger
@@ -57,7 +62,7 @@ func (s *Service) Create(ctx context.Context, csr CSR) (CSRStatus, error) {
 		s.log.Error("failed to queue csr", zap.Error(err))
 	}
 
-	return NewCSRStatus(id, client.CSRStatusPending, "", ""), nil
+	return NewCSRStatus(id, csr.content, csr.metadata, client.CSRStatusPending, "", ""), nil
 }
 
 func (s *Service) Get(ctx context.Context, id string) (CSRStatus, error) {
@@ -82,13 +87,13 @@ func (s *Service) process(ctx context.Context, m core.TaskMessage) error {
 		return nil
 	}
 
-	csr, err := s.parseCsr(res.Certificate())
+	csr, err := s.parseCsr(res.Content())
 	if err != nil {
 		return err
 	}
 
 	// Create a signed certificate
-	_ = &x509.Certificate{
+	template := &x509.Certificate{
 		SerialNumber:          big.NewInt(1),
 		Subject:               csr.Subject,
 		NotBefore:             time.Now(),
@@ -102,20 +107,22 @@ func (s *Service) process(ctx context.Context, m core.TaskMessage) error {
 		IPAddresses:           csr.IPAddresses,
 	}
 
-	// certBytes, err := x509.CreateCertificate(rand.Reader, template, caKey, csr.PublicKey, caPriv)
-	// if err != nil {
-	// 	return "", fmt.Errorf("failed to sign certificate: %w", err)
-	// }
+	certBytes, err := x509.CreateCertificate(rand.Reader, template, s.caCert, csr.PublicKey, s.caKey)
+	if err != nil {
+		return fmt.Errorf("failed to sign certificate: %w", err)
+	}
+
+	// Encode the signed certificate to PEM format
+	var certPEM strings.Builder
+	if err := pem.Encode(&certPEM, &pem.Block{Type: "CERTIFICATE", Bytes: certBytes}); err != nil {
+		return fmt.Errorf("failed to encode certificate: %w", err)
+	}
 
-	time.Sleep(time.Second * 10)
+	s.log.Info("signed certificate", zap.String("id", id), zap.String("csr", res.Certificate()), zap.String("cert", certPEM.String()))
 
 	return nil
 }
 
-// func LoadCA(certPath, keyPath string) (*x509.Certificate, *rsa.PrivateKey, error) {
-
-// }
-
 func (s *Service) parseCsr(content string) (*x509.CertificateRequest, error) {
 	block, _ := pem.Decode([]byte(content))
 	if block == nil || block.Type != "CERTIFICATE REQUEST" {
@@ -125,11 +132,19 @@ func (s *Service) parseCsr(content string) (*x509.CertificateRequest, error) {
 	return x509.ParseCertificateRequest(block.Bytes)
 }
 
-func NewService(csrs *repository, log *zap.Logger) *Service {
+func NewService(csrs *repository, caCert *x509.Certificate, caKey any, log *zap.Logger) *Service {
 	if csrs == nil {
 		panic("csrs is required")
 	}
 
+	if caCert == nil {
+		panic("caCert is required")
+	}
+
+	if caKey == nil {
+		panic("caKey is required")
+	}
+
 	if log == nil {
 		panic("log is required")
 	}
@@ -139,6 +154,9 @@ func NewService(csrs *repository, log *zap.Logger) *Service {
 	s := &Service{
 		csrs: csrs,
 
+		caCert: caCert,
+		caKey:  caKey,
+
 		newid: newid,
 		log:   log,
 	}