wire up the CA implementation
With this version, the certificates are now using the supplied CA mechanism.
This commit is contained in:
parent
70515f6fa6
commit
1cdac69f4b
|
@ -61,7 +61,7 @@ func parseCertificateArgs(fs *flag.FlagSet, args []string, cert *pkiadm.Certific
|
|||
|
||||
cert.PrivateKey = pkiadm.ResourceName{*pk, pkiadm.RTPrivateKey}
|
||||
cert.CSR = pkiadm.ResourceName{*csr, pkiadm.RTCSR}
|
||||
cert.CA = pkiadm.ResourceName{*ca, pkiadm.RTCertificate}
|
||||
cert.CA = pkiadm.ResourceName{*ca, pkiadm.RTCA}
|
||||
cert.Serial = pkiadm.ResourceName{*serial, pkiadm.RTSerial}
|
||||
}
|
||||
|
||||
|
|
|
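Review bot: The new `cert.CA = pkiadm.ResourceName{*ca, pkiadm.RTCA}` is an unkeyed composite literal of a struct from an imported package, which `go vet`'s composites check flags and which silently breaks if pkiadm ever reorders or adds a field; keyed fields keep the assignment robust. The same pattern is introduced in the new `Name` method of the CA hunk, `return pkiadm.ResourceName{ca.ID, pkiadm.RTCA}`. The field names of ResourceName are not visible on this page, so the keyed form is not quoted here. parseCertificateArgs starts and ends outside the hunk.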
@ -1,9 +1,17 @@
|
|||
package main
|
||||
|
||||
import (
|
||||
"github.com/gibheer/pki"
|
||||
"github.com/gibheer/pkiadm"
|
||||
)
|
||||
|
||||
var (
|
||||
CASelfSign = &CA{
|
||||
ID: "self-sign",
|
||||
Type: pkiadm.CALocal,
|
||||
}
|
||||
)
|
||||
|
||||
type (
|
||||
// CA is an instance that can sign certificates. When a certificate needs an
|
||||
// update, the given CSR is signed by the CA.
|
||||
|
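Review bot: `CASelfSign` is declared with only `ID` and `Type`, so its `Certificate` field is the zero ResourceName, yet the new `Refresh` defaults to `ca := CASelfSign` for every resource with `IsCA` set and then calls `ca.Sign(lookup, csr, opts)`, whose first step is `lookup.GetCertificate(ca.Certificate)`. Unless Storage special-cases the empty name, self-signed CA certificates now fail at that lookup, and even if it did, `Sign` has no access to the subject's own key (`c.PrivateKey`), which is what the removed `csr.ToCertificate(pk, opts, ca)` call used for the self-signed case. Either `Sign` needs a branch for `pkiadm.CALocal` that receives the subject's key, or `Refresh` should handle self-signing before reaching `ca.Sign`; on the signing path visible here `Type: pkiadm.CALocal` is set but never read. The CA type declaration continues outside the hunk.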
@ -24,6 +32,28 @@ func NewCA(id string, caType pkiadm.CAType, cert pkiadm.ResourceName) (*CA, erro
|
|||
return ca, nil
|
||||
}
|
||||
|
||||
// Sign the certificate sign request with this CA
|
||||
func (ca *CA) Sign(lookup *Storage, csr *pki.CertificateRequest, opts pki.CertificateOptions) (*pki.Certificate, error) {
|
||||
caCertDef, err := lookup.GetCertificate(ca.Certificate)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
caCert, err := caCertDef.GetCertificate()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
pkDef, err := lookup.GetPrivateKey(caCertDef.PrivateKey)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
pk, err := pkDef.GetKey()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return csr.ToCertificate(pk, opts, caCert)
|
||||
}
|
||||
|
||||
// Return the unique ResourceName
|
||||
func (ca *CA) Name() pkiadm.ResourceName {
|
||||
return pkiadm.ResourceName{ca.ID, pkiadm.RTCA}
|
||||
|
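Review bot: Nothing in `Sign` checks that the certificate loaded via `lookup.GetCertificate(ca.Certificate)` is actually a CA certificate before its private key is used to sign the CSR; if `csr.ToCertificate` does not enforce basic constraints itself, any certificate resource can be configured as a signer, so a guard that rejects a loaded certificate not marked as a CA (the exact field on the pki wrapper is not visible here — verify) would surface misconfiguration early instead of issuing an unverifiable chain. The two doc comments also do not follow the Go convention of starting with the identifier; prefer `// Sign signs the certificate signing request csr with this CA's private key and returns the issued certificate.` and `// Name returns the unique ResourceName of this CA.`. The `Name` method is cut off at the end of the hunk.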
@ -46,10 +76,6 @@ func (ca *CA) DependsOn() []pkiadm.ResourceName {
|
|||
}
|
||||
}
|
||||
|
||||
func (ca *CA) Sign(csr *CSR) (*Certificate, error) {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
func (s *Server) CreateCA(inCA pkiadm.CA, res *pkiadm.Result) error {
|
||||
s.lock()
|
||||
defer s.unlock()
|
||||
|
|
|
@ -49,13 +49,10 @@ func (c *Certificate) Name() pkiadm.ResourceName {
|
|||
// AddDependency registers a depending resource to be retuened by Dependencies()
|
||||
// Refresh must trigger a rebuild of the resource.
|
||||
func (c *Certificate) Refresh(lookup *Storage) error {
|
||||
var ca *pki.Certificate
|
||||
var err error
|
||||
ca := CASelfSign
|
||||
if !c.IsCA {
|
||||
cert, err := lookup.GetCertificate(c.CA)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
ca, err = cert.GetCertificate()
|
||||
ca, err = lookup.GetCA(c.CA)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
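Review bot: With `ca := CASelfSign` as the default, a resource with `IsCA` set ignores its configured `c.CA` entirely, so an intermediate CA issued by a parent CA cannot be expressed through this path; the `!c.IsCA` split existed before, but the new code now binds it to a concrete CA object. If that is intended, a comment above the assignment such as `// CA resources are always self-signed; c.CA is only consulted for leaf certificates.` would make the rule explicit; otherwise selecting `CASelfSign` only when `c.CA` is the zero ResourceName would allow both cases. Refresh continues past the end of the hunk.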
@ -68,14 +65,6 @@ func (c *Certificate) Refresh(lookup *Storage) error {
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
pkRes, err := lookup.GetPrivateKey(c.PrivateKey)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
pk, err := pkRes.GetKey()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
serRes, err := lookup.GetSerial(c.Serial)
|
||||
if err != nil {
|
||||
return err
|
||||
|
@ -94,7 +83,8 @@ func (c *Certificate) Refresh(lookup *Storage) error {
|
|||
IsCA: c.IsCA,
|
||||
CALength: 0, // TODO make this an option
|
||||
}
|
||||
cert, err := csr.ToCertificate(pk, opts, ca)
|
||||
//cert, err := csr.ToCertificate(pk, opts, ca)
|
||||
cert, err := ca.Sign(lookup, csr, opts)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
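Review bot: The commented-out line `//cert, err := csr.ToCertificate(pk, opts, ca)` left beside the new `cert, err := ca.Sign(lookup, csr, opts)` is dead code that version control already preserves; delete it rather than carry it forward. Refresh starts and ends outside the hunk.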