From 1cdac69f4b20b7af18ebd7d7581c41e95922a188 Mon Sep 17 00:00:00 2001
From: Gibheer
Date: Sat, 15 Jul 2017 00:57:03 +0200
Subject: [PATCH] wire up the CA implementation

With this version, the certificates are now using the supplied CA mechanism.
---
 cmd/pkiadm/certificate.go | 2 +-
 cmd/pkiadmd/ca.go | 34 ++++++++++++++++++++++++++++++----
 cmd/pkiadmd/certificate.go | 20 +++++--------------
 3 files changed, 36 insertions(+), 20 deletions(-)

diff --git a/cmd/pkiadm/certificate.go b/cmd/pkiadm/certificate.go
index dbebc4c..0624684 100644
--- a/cmd/pkiadm/certificate.go
+++ b/cmd/pkiadm/certificate.go
@@ -61,7 +61,7 @@ func parseCertificateArgs(fs *flag.FlagSet, args []string, cert *pkiadm.Certific
 cert.PrivateKey = pkiadm.ResourceName{*pk, pkiadm.RTPrivateKey}
 cert.CSR = pkiadm.ResourceName{*csr, pkiadm.RTCSR}
- cert.CA = pkiadm.ResourceName{*ca, pkiadm.RTCertificate}
+ cert.CA = pkiadm.ResourceName{*ca, pkiadm.RTCA}
 cert.Serial = pkiadm.ResourceName{*serial, pkiadm.RTSerial}
 }
diff --git a/cmd/pkiadmd/ca.go b/cmd/pkiadmd/ca.go
index 0f043ac..fa39946 100644
--- a/cmd/pkiadmd/ca.go
+++ b/cmd/pkiadmd/ca.go
@@ -1,9 +1,17 @@
 package main
 import (
+ "github.com/gibheer/pki"
 "github.com/gibheer/pkiadm"
 )
+var (
+ CASelfSign = &CA{
+ ID: "self-sign",
+ Type: pkiadm.CALocal,
+ }
+)
+
 type (
 // CA is an instance that can sign certificates. When a certificate needs an
 // update, the given CSR is signed by the CA.
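Review bot: `CASelfSign` is built with only `ID` and `Type`, so its `Certificate` field is the zero `ResourceName`, yet the new `Sign` (hunk @@ -24,6 in this file) resolves `ca.Certificate` unconditionally; the `c.IsCA` path in `Refresh` (cmd/pkiadmd/certificate.go, hunks @@ -49,13 and @@ -94,7) now routes through that lookup and can no longer produce a self-signed certificate the way the removed `csr.ToCertificate(pk, opts, ca)` call with a nil `ca` did. The subject's own key, previously fetched via `lookup.GetPrivateKey(c.PrivateKey)`, was dropped in hunk @@ -68,14, so `Sign` has no way to obtain it either. One way out is to pass that private key into `Sign` and, when `ca == CASelfSign`, call `csr.ToCertificate` with it and a nil issuer as the old code did, instead of resolving a CA certificate. The variable also deserves a doc comment, e.g. `// CASelfSign is the placeholder CA that Refresh uses for certificates with IsCA set.`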
@@ -24,6 +32,28 @@ func NewCA(id string, caType pkiadm.CAType, cert pkiadm.ResourceName) (*CA, erro
 return ca, nil
 }
+// Sign the certificate sign request with this CA
+func (ca *CA) Sign(lookup *Storage, csr *pki.CertificateRequest, opts pki.CertificateOptions) (*pki.Certificate, error) {
+ caCertDef, err := lookup.GetCertificate(ca.Certificate)
+ if err != nil {
+ return nil, err
+ }
+ caCert, err := caCertDef.GetCertificate()
+ if err != nil {
+ return nil, err
+ }
+ pkDef, err := lookup.GetPrivateKey(caCertDef.PrivateKey)
+ if err != nil {
+ return nil, err
+ }
+ pk, err := pkDef.GetKey()
+ if err != nil {
+ return nil, err
+ }
+
+ return csr.ToCertificate(pk, opts, caCert)
+}
+
 // Return the unique ResourceName
 func (ca *CA) Name() pkiadm.ResourceName {
 return pkiadm.ResourceName{ca.ID, pkiadm.RTCA}
@@ -46,10 +76,6 @@ func (ca *CA) DependsOn() []pkiadm.ResourceName {
 }
 }
-func (ca *CA) Sign(csr *CSR) (*Certificate, error) {
- return nil, nil
-}
-
 func (s *Server) CreateCA(inCA pkiadm.CA, res *pkiadm.Result) error {
 s.lock()
 defer s.unlock()
diff --git a/cmd/pkiadmd/certificate.go b/cmd/pkiadmd/certificate.go
index 3e04a29..aeba917 100644
--- a/cmd/pkiadmd/certificate.go
+++ b/cmd/pkiadmd/certificate.go
@@ -49,13 +49,10 @@ func (c *Certificate) Name() pkiadm.ResourceName {
 // AddDependency registers a depending resource to be retuened by Dependencies()
 // Refresh must trigger a rebuild of the resource.
 func (c *Certificate) Refresh(lookup *Storage) error {
- var ca *pki.Certificate
+ var err error
+ ca := CASelfSign
 if !c.IsCA {
- cert, err := lookup.GetCertificate(c.CA)
- if err != nil {
- return err
- }
- ca, err = cert.GetCertificate()
+ ca, err = lookup.GetCA(c.CA)
 if err != nil {
 return err
 }
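Review bot: `Sign` issues a certificate with whatever key `lookup.GetPrivateKey(caCertDef.PrivateKey)` returns, without checking that the resolved `caCert` is itself marked as a CA or is still valid; unless `csr.ToCertificate` enforces that (not visible here), any stored certificate that has a private key can be referenced as a CA and sign, which deserves either an explicit check on `caCert` before the final call or a comment stating where that check lives. The four error returns also pass the storage error through untouched, so a caller cannot tell whether the CA's certificate, its parsed form or its key was the missing piece — for example `return nil, fmt.Errorf("loading certificate of CA %q: %v", ca.ID, err)` (which needs `fmt` added to this file's import block). The doc comment should state the contract, e.g. `// Sign issues a certificate for csr using the certificate and private key referenced by ca.Certificate.`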
@@ -68,14 +65,6 @@ func (c *Certificate) Refresh(lookup *Storage) error {
 if err != nil {
 return err
 }
- pkRes, err := lookup.GetPrivateKey(c.PrivateKey)
- if err != nil {
- return err
- }
- pk, err := pkRes.GetKey()
- if err != nil {
- return err
- }
 serRes, err := lookup.GetSerial(c.Serial)
 if err != nil {
 return err
@@ -94,7 +83,8 @@ func (c *Certificate) Refresh(lookup *Storage) error {
 IsCA: c.IsCA,
 CALength: 0, // TODO make this an option
 }
- cert, err := csr.ToCertificate(pk, opts, ca)
+ //cert, err := csr.ToCertificate(pk, opts, ca)
+ cert, err := ca.Sign(lookup, csr, opts)
 if err != nil {
 return err
 }
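Review bot: The commented-out `//cert, err := csr.ToCertificate(pk, opts, ca)` line should be deleted rather than kept beside its replacement; `pk` no longer exists in `Refresh` after hunk @@ -68,14 removed its lookup, so uncommenting it would not compile, and the history already preserves the old call. `Refresh` begins and ends outside this hunk.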