Merge pull request #111 from rekby/devel

Add ecdsa certificates support

internal/cert_manager/cert_description_test.go

@@ -0,0 +1,45 @@
+package cert_manager
+
+import (
+	"testing"
+
+	"go.uber.org/zap"
+
+	"github.com/maxatome/go-testdeep"
+)
+
+func TestCertDescription_CertStoreName(t *testing.T) {
+	td := testdeep.NewT(t)
+	td.Cmp(CertDescription{MainDomain: "asd.ru", KeyType: KeyRSA}.CertStoreName(), "asd.ru.rsa.cer")
+}
+
+func TestCertDescription_DomainNames(t *testing.T) {
+	td := testdeep.NewT(t)
+	td.Cmp(CertDescription{MainDomain: "asd.ru", KeyType: KeyRSA}.DomainNames(), []DomainName{"asd.ru", "www.asd.ru"})
+}
+
+func TestCertDescription_KeyStoreName(t *testing.T) {
+	td := testdeep.NewT(t)
+	td.Cmp(CertDescription{MainDomain: "asd.ru", KeyType: KeyRSA}.KeyStoreName(), "asd.ru.rsa.key")
+}
+
+func TestCertDescription_LockName(t *testing.T) {
+	td := testdeep.NewT(t)
+	td.Cmp(CertDescription{MainDomain: "asd.ru", KeyType: KeyRSA}.LockName(), "asd.ru.lock")
+}
+
+func TestCertDescription_MetaStoreName(t *testing.T) {
+	td := testdeep.NewT(t)
+	td.Cmp(CertDescription{MainDomain: "asd.ru", KeyType: KeyRSA}.MetaStoreName(), "asd.ru.rsa.json")
+}
+
+func TestCertDescription_String(t *testing.T) {
+	td := testdeep.NewT(t)
+	td.Cmp(CertDescription{MainDomain: "asd.ru", KeyType: KeyRSA}.String(), "asd.ru.rsa")
+}
+
+func TestCertDescription_ZapField(t *testing.T) {
+	td := testdeep.NewT(t)
+	cd := CertDescription{MainDomain: "asd.ru", KeyType: KeyRSA}
+	td.Cmp(cd.ZapField(), zap.Stringer("cert_name", cd))
+}

internal/cert_manager/cert_desctiption.go

@@ -0,0 +1,48 @@
+//nolint:golint
+package cert_manager
+
+import (
+	"strings"
+
+	"go.uber.org/zap"
+)
+
+type CertDescription struct {
+	MainDomain string
+	KeyType    KeyType
+}
+
+func (n CertDescription) CertStoreName() string {
+	return n.MainDomain + "." + n.KeyType.String() + ".cer"
+}
+
+func (n CertDescription) DomainNames() []DomainName {
+	return []DomainName{DomainName(n.MainDomain), DomainName("www." + n.MainDomain)}
+}
+
+func (n CertDescription) KeyStoreName() string {
+	return n.MainDomain + "." + n.KeyType.String() + ".key"
+}
+
+func (n CertDescription) LockName() string {
+	return n.MainDomain + ".lock"
+}
+
+func (n CertDescription) MetaStoreName() string {
+	return n.MainDomain + "." + n.KeyType.String() + ".json"
+}
+
+func (n CertDescription) String() string {
+	return n.MainDomain + "." + n.KeyType.String()
+}
+
+func (n CertDescription) ZapField() zap.Field {
+	return zap.Stringer("cert_name", n)
+}
+
+func CertDescriptionFromDomain(domain DomainName, keyType KeyType) CertDescription {
+	return CertDescription{
+		MainDomain: strings.TrimPrefix(domain.String(), "www."),
+		KeyType:    keyType,
+	}
+}

internal/cert_manager/helpers.go

@@ -3,6 +3,7 @@ package cert_manager
 
 import (
 	"crypto"
+	"crypto/ecdsa"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/tls"
@@ -99,10 +100,19 @@ func validCertTLS(cert *tls.Certificate, domains []DomainName, useAsIs bool, now
 	case *rsa.PublicKey:
 		prv, ok := cert.PrivateKey.(*rsa.PrivateKey)
 		if !ok {
-			return nil, errors.New("private key type does not match public key type")
+			return nil, errors.New("rsa private key type does not match public key type")
 		}
 		if pub.N.Cmp(prv.N) != 0 {
-			return nil, errors.New("private key does not match public key")
+			return nil, errors.New("rsa private key does not match public key")
+		}
+	case *ecdsa.PublicKey:
+		prv, ok := cert.PrivateKey.(*ecdsa.PrivateKey)
+		if !ok {
+			return nil, errors.New("ecdsa private key type does not match public key type")
+		}
+		pubFromPriv := prv.Public().(*ecdsa.PublicKey)
+		if pub.X.Cmp(pubFromPriv.X) != 0 || pub.Y.Cmp(pubFromPriv.Y) != 0 {
+			return nil, errors.New("ecdsa private key does not match public key")
 		}
 	default:
 		return nil, errors.New("unknown public key algorithm")