()
| 272 | } |
| 273 | |
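// loadOrGenRoot returns the CA's root certificate and its signing key.
//
// Resolution order:
//  1. If an explicit root key pair is configured (ca.Root), it is loaded and
//     the first certificate of its chain is used; storage is not touched.
//  2. Otherwise the root certificate PEM is read from storage. If it is
//     absent (fs.ErrNotExist) a fresh root is produced by ca.genRoot(); any
//     other storage error is returned.
//  3. Whatever step 2 did not produce is then materialized from storage: the
//     certificate PEM is parsed and the key PEM is loaded and decoded.
//
// Before returning, the key is checked against the certificate's public key
// so that a certificate/key pair that drifted apart in storage is reported
// here instead of surfacing later as issued certificates that do not chain.
//
// Storage and decoding errors are wrapped with %w, so callers can still use
// errors.Is/errors.As on the underlying cause.
func (ca CA) loadOrGenRoot() (rootCert *x509.Certificate, rootKey crypto.Signer, err error) {
	if ca.Root != nil {
		rootChain, rootSigner, err := ca.Root.Load()
		if err != nil {
			return nil, nil, err
		}
		// Guard the index: an empty chain with a nil error would otherwise panic.
		if len(rootChain) == 0 {
			return nil, nil, fmt.Errorf("loading configured root: certificate chain is empty")
		}
		return rootChain[0], rootSigner, nil
	}

	rootCertPEM, err := ca.storage.Load(ca.ctx, ca.storageKeyRootCert())
	if err != nil {
		if !errors.Is(err, fs.ErrNotExist) {
			return nil, nil, fmt.Errorf("loading root cert: %w", err)
		}

		// TODO: should we require that all or none of the assets are required before overwriting anything?
		// Only the certificate's absence triggers generation; on this path a
		// root key that may still exist in storage is never read, because
		// rootKey is already set by genRoot below.
		rootCert, rootKey, err = ca.genRoot()
		if err != nil {
			return nil, nil, fmt.Errorf("generating root: %w", err)
		}
	}

	// When nothing was generated, rootCert and rootKey are still nil and must
	// be built from the stored PEM assets.
	if rootCert == nil {
		rootCert, err = pemDecodeCertificate(rootCertPEM)
		if err != nil {
			return nil, nil, fmt.Errorf("parsing root certificate PEM: %w", err)
		}
	}
	if rootKey == nil {
		rootKeyPEM, err := ca.storage.Load(ca.ctx, ca.storageKeyRootKey())
		if err != nil {
			return nil, nil, fmt.Errorf("loading root key: %w", err)
		}
		rootKey, err = certmagic.PEMDecodePrivateKey(rootKeyPEM)
		if err != nil {
			return nil, nil, fmt.Errorf("decoding root key: %w", err)
		}
	}

	// The certificate and key live under separate storage keys and can be
	// replaced independently; fail early if they do not belong together.
	// The check runs only when the certificate's public key type implements
	// Equal (all standard library key types do) and a key is present.
	if pub, ok := rootCert.PublicKey.(interface{ Equal(crypto.PublicKey) bool }); ok && rootKey != nil && !pub.Equal(rootKey.Public()) {
		return nil, nil, fmt.Errorf("root key does not match root certificate's public key")
	}

	return rootCert, rootKey, nil
}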
| 314 | |
| 315 | func (ca CA) genRoot() (rootCert *x509.Certificate, rootKey crypto.Signer, err error) { |
| 316 | repl := ca.newReplacer() |