WiP: feat(self-signed): genSignedCert

@xen-orchestra/self-signed/index.js

@@ -1,4 +1,7 @@
 const { execFile } = require('child_process')
+const { promisify } = require('util')
+
+const randomBytes = promisify(require('crypto').randomBytes)
 
 const openssl = (cmd, args, { input, ...opts } = {}) =>
   new Promise((resolve, reject) => {
@@ -10,12 +13,35 @@ const openssl = (cmd, args, { input, ...opts } = {}) =>
     }
   })
 
-exports.genSelfSignedCert = async ({ days = 360 } = {}) => {
+const req = (key, selfSigned, { days = 360 } = {}) => {
+  const args = ['-batch', '-new', '-key', '-', '-nodes']
+  if (selfSigned) {
+    args.push('-x509', '-days', String(days))
+  }
+  return openssl('req', args, { input: key })
+}
+
+exports.genSelfSignedCert = async opts => {
   const key = await openssl('genrsa', ['2048'])
   return {
-    cert: await openssl('req', ['-batch', '-new', '-key', '-', '-x509', '-days', String(days), '-nodes'], {
+    cert: await req(key, true, opts),
-      input: key,
+    key,
-    }),
+  }
+}
+
+exports.genSignedCert = async (ca, { days = 360 } = {}) => {
+  const key = await openssl('genrsa', ['2048'])
+  const csr = await req(key, false)
+  const serial = '0x' + (await randomBytes(40)).toString('hex')
+  const input = [csr, ca.cert, ca.key].join('\n')
+  return {
+    cert: await openssl(
+      'x509',
+      ['-req', '-in', '-', '-CA', '-', '-CAkey', '-', '-days', String(days), '-set_serial', serial],
+      {
+        input,
+      }
+    ),
     key,
   }
 }