Add PKCS12 archive bundle to self-signed certificate resource

go.mod

@@ -5,4 +5,5 @@ go 1.14
 require (
 	github.com/hashicorp/terraform-plugin-sdk v1.14.0
 	golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586
+	software.sslmate.com/src/go-pkcs12 v0.0.0-20200619203921-c9ed90bd32dc
 )

go.sum

@@ -318,3 +318,5 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
+software.sslmate.com/src/go-pkcs12 v0.0.0-20200619203921-c9ed90bd32dc h1:EsxyX6d5CU9zIK74f0y5OeDRFoQalEMHz1Jdvo4K16g=
+software.sslmate.com/src/go-pkcs12 v0.0.0-20200619203921-c9ed90bd32dc/go.mod h1:/xvNRWUqm0+/ZMiF4EX00vrSCMsE4/NHb+Pt3freEeQ=

tls/resource_certificate.go

@@ -137,11 +137,25 @@ func resourceCertificateCommonSchema() map[string]*schema.Schema {
 			Description: "If true, the generated certificate will include a subject key identifier.",
 			ForceNew:    true,
 		},
+
+		"certificate_p12": {
+			Type:      schema.TypeString,
+			Computed:  true,
+			Sensitive: true,
+		},
+
+		"certificate_p12_password": {
+			Type:      schema.TypeString,
+			Optional:  true,
+			Default:   "",
+			Sensitive: true,
+		},
 	}
 }
 
 func createCertificate(d *schema.ResourceData, template, parent *x509.Certificate, pub crypto.PublicKey, priv interface{}) error {
 	var err error
+	var caCerts []*x509.Certificate
 
 	template.NotBefore = now()
 	template.NotAfter = template.NotBefore.Add(time.Duration(d.Get("validity_period_hours").(int)) * time.Hour)
@@ -185,6 +199,27 @@ func createCertificate(d *schema.ResourceData, template, parent *x509.Certificat
 	}
 	certPem := string(pem.EncodeToMemory(&pem.Block{Type: pemCertType, Bytes: certBytes}))
 
+	private_key, err := parsePrivateKey(d, "private_key_pem", "key_algorithm")
+	// Set PKCS12 data. This is only set if there is a private key present.
+	if err != nil {
+		d.Set("certificate_p12", "")
+	} else {
+		cert, err := x509.ParseCertificate(certBytes)
+		if err != nil {
+			return fmt.Errorf("certificate parse error: %s", err)
+		}
+
+		// caCerts = append(caCerts, parent)
+
+		password := d.Get("certificate_p12_password").(string)
+		pkcs12B64, err := toPkcs12(private_key, cert, caCerts, password)
+		if err != nil {
+			return fmt.Errorf("to pfx error: %s", err)
+		}
+
+		d.Set("certificate_p12", string(pkcs12B64))
+	}
+
 	validFromBytes, err := template.NotBefore.MarshalText()
 	if err != nil {
 		return fmt.Errorf("error serializing validity_start_time: %s", err)

tls/util.go

@@ -1,12 +1,15 @@
 package tls
 
 import (
+	"crypto/rand"
 	"crypto/x509"
+	"encoding/base64"
 	"encoding/pem"
 	"fmt"
 
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 	"golang.org/x/crypto/ssh"
+	"software.sslmate.com/src/go-pkcs12"
 )
 
 func decodePEM(d *schema.ResourceData, pemKey, pemType string) (*pem.Block, error) {
@@ -103,3 +106,15 @@ func readPublicKey(d *schema.ResourceData, rsaKey interface{}) error {
 	}
 	return nil
 }
+
+func toPkcs12(privateKey interface{}, cert *x509.Certificate, caCerts []*x509.Certificate, password string) ([]byte, error) {
+
+	pkcs12Data, err := pkcs12.Encode(rand.Reader, privateKey, cert, caCerts, password)
+	if err != nil {
+		return nil, err
+	}
+
+	buf := make([]byte, base64.StdEncoding.EncodedLen(len(pkcs12Data)))
+	base64.StdEncoding.Encode(buf, pkcs12Data)
+	return buf, nil
+}

vendor/modules.txt

@@ -361,3 +361,7 @@ google.golang.org/grpc/stats
 google.golang.org/grpc/status
 google.golang.org/grpc/tap
 google.golang.org/grpc/test/bufconn
+# software.sslmate.com/src/go-pkcs12 v0.0.0-20200619203921-c9ed90bd32dc
+## explicit
+software.sslmate.com/src/go-pkcs12
+software.sslmate.com/src/go-pkcs12/internal/rc2

website/docs/r/locally_signed_cert.html.md

@@ -107,6 +107,10 @@ The following attributes are exported:
   [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.
 * `validity_end_time` - The time until which the certificate is invalid, as an
   [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.
+* `certificate_p12` -The certificate, intermediate, and the private key archived as a p12 file.
+  The data is base64 encoded (including padding), and its password is configurable via the
+  certificate_p12_password argument.
+  This field is empty if creating a locally signed certificate from a CSR.
 
 ## Automatic Renewal
 

website/docs/r/self_signed_cert.html.md

@@ -94,6 +94,9 @@ The following arguments are supported:
   the subject key identifier. Defaults to `false`, in which case the subject
   key identifier is not set at all.
 
+* `certificate_p12_password` - (Optional) Password to be used when generating the P12 file
+  stored in certificate_p12. Defaults to an empty string.
+
 The `allowed_uses` list accepts the following keywords, combining the set of flags defined by
 both [Key Usage](https://tools.ietf.org/html/rfc5280#section-4.2.1.3) and
 [Extended Key Usage](https://tools.ietf.org/html/rfc5280#section-4.2.1.12) in
@@ -130,6 +133,10 @@ The following attributes are exported:
   [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.
 * `validity_end_time` - The time until which the certificate is invalid, as an
   [RFC3339](https://tools.ietf.org/html/rfc3339) timestamp.
+* `certificate_p12` -The certificate, intermediate, and the private key archived as a p12 file.
+  The data is base64 encoded (including padding),
+  and its password is configurable via the certificate_p12_password argument.
+  This field is empty if creating a locally signed certificate from a CSR.
 
 ## Automatic Renewal