package derivecert
import (
"bytes"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/sha256"
"io"
"golang.org/x/crypto/hkdf"
"github.com/pomerium/pomerium/internal/deterministicecdsa"
)
// readerType labels the kind of material an HKDF stream is derived for. Its
// numeric value is the first byte of the HKDF input keying material built by
// newReader, so it acts as a domain separator: streams for different purposes
// never coincide even when the same psk and domains are used.
//
// The values are spelled out explicitly because they are part of the
// derivation input: renumbering, reordering or inserting a constant changes
// every key and certificate derived from an existing psk.
type readerType byte

const (
	readerTypeCAPrivateKey      readerType = 0
	readerTypeCACertificate     readerType = 1
	readerTypeServerPrivateKey  readerType = 2
	readerTypeServerCertificate readerType = 3
	readerTypeSerialNumber      readerType = 4
)
// newReader returns a deterministic, psk-keyed byte stream from which the
// material identified by readerType and domains is derived. The stream is an
// HKDF-SHA256 expansion (nil salt, nil info) of the input keying material
//
//	byte(readerType) || psk || 0x00 || domain1 || 0x00 || … || domainN || 0x00
//
// readerType comes first so that streams for different purposes differ even
// for identical psk and domains. This layout is part of the derivation
// contract: changing the encoding changes every key and certificate derived
// from an existing psk, so it must not be altered.
//
// Fields are NUL-delimited rather than length-prefixed, so a domain string
// containing a 0x00 byte could alias a different domain list; callers are
// presumably passing hostnames, which never contain NUL — confirm at call
// sites if that assumption changes.
func newReader(readerType readerType, psk []byte, domains ...string) io.Reader {
	ikm := []byte{byte(readerType)}
	ikm = append(ikm, psk...)
	ikm = append(ikm, 0)
	for _, d := range domains {
		ikm = append(ikm, d...)
		ikm = append(ikm, 0)
	}
	// hkdf.New runs Extract immediately, so ikm is not retained past this call.
	return hkdf.New(sha256.New, ikm, nil, nil)
}
// deriveKey reads a P-256 ECDSA private key from r. The bytes consumed from r
// fully determine the resulting key, so two readers yielding the same stream
// (see newReader) produce the same key. The project's deterministicecdsa
// package is used instead of crypto/ecdsa.GenerateKey, presumably because the
// standard library does not promise a stable reader-to-key mapping across Go
// versions; any error from the generator is returned unchanged.
func deriveKey(r io.Reader) (*ecdsa.PrivateKey, error) {
	curve := elliptic.P256()
	return deterministicecdsa.GenerateKey(curve, r)
}