wire up the CA implementation
With this change, certificates now use the supplied CA mechanism.
parent
70515f6fa6
commit
1cdac69f4b
|
@ -61,7 +61,7 @@ func parseCertificateArgs(fs *flag.FlagSet, args []string, cert *pkiadm.Certific
|
||||||
|
|
||||||
cert.PrivateKey = pkiadm.ResourceName{*pk, pkiadm.RTPrivateKey}
|
cert.PrivateKey = pkiadm.ResourceName{*pk, pkiadm.RTPrivateKey}
|
||||||
cert.CSR = pkiadm.ResourceName{*csr, pkiadm.RTCSR}
|
cert.CSR = pkiadm.ResourceName{*csr, pkiadm.RTCSR}
|
||||||
cert.CA = pkiadm.ResourceName{*ca, pkiadm.RTCertificate}
|
cert.CA = pkiadm.ResourceName{*ca, pkiadm.RTCA}
|
||||||
cert.Serial = pkiadm.ResourceName{*serial, pkiadm.RTSerial}
|
cert.Serial = pkiadm.ResourceName{*serial, pkiadm.RTSerial}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1,9 +1,17 @@
|
||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"github.com/gibheer/pki"
|
||||||
"github.com/gibheer/pkiadm"
|
"github.com/gibheer/pkiadm"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
CASelfSign = &CA{
|
||||||
|
ID: "self-sign",
|
||||||
|
Type: pkiadm.CALocal,
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
type (
|
type (
|
||||||
// CA is an instance that can sign certificates. When a certificate needs an
|
// CA is an instance that can sign certificates. When a certificate needs an
|
||||||
// update, the given CSR is signed by the CA.
|
// update, the given CSR is signed by the CA.
|
||||||
|
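Review bot: `CASelfSign` is built with only `ID` and `Type`, leaving its `Certificate` field as the zero `ResourceName`, yet the new `CA.Sign` (hunk `@ -24,6 +32,28`) unconditionally calls `lookup.GetCertificate(ca.Certificate)` and `Certificate.Refresh` (hunks `@ -49,13 +49,10` and `@ -94,7 +83,8`) now routes the `IsCA` case through this value, so building a self-signed CA presumably fails at that lookup unless `GetCertificate` treats the zero name specially — worth confirming. Before this commit that path called `csr.ToCertificate` with a nil issuer and the certificate's own key, and `Sign` no longer receives that key, so the self-sign case likely needs its own branch (in `Sign`, keyed on `ca.Type` if `pkiadm.CALocal` denotes self-signing, or in `Refresh`) rather than a storage lookup. Separately, an exported package-level `*CA` is mutable shared state: any code can reassign `CASelfSign.Certificate` at runtime and silently turn "self-sign" into signing with some other stored CA, so a value (`var CASelfSign = CA{...}`) or an accessor that returns a copy would be safer.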
@ -24,6 +32,28 @@ func NewCA(id string, caType pkiadm.CAType, cert pkiadm.ResourceName) (*CA, erro
|
||||||
return ca, nil
|
return ca, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Sign the certificate sign request with this CA
|
||||||
|
func (ca *CA) Sign(lookup *Storage, csr *pki.CertificateRequest, opts pki.CertificateOptions) (*pki.Certificate, error) {
|
||||||
|
caCertDef, err := lookup.GetCertificate(ca.Certificate)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
caCert, err := caCertDef.GetCertificate()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
pkDef, err := lookup.GetPrivateKey(caCertDef.PrivateKey)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
pk, err := pkDef.GetKey()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return csr.ToCertificate(pk, opts, caCert)
|
||||||
|
}
|
||||||
|
|
||||||
// Return the unique ResourceName
|
// Return the unique ResourceName
|
||||||
func (ca *CA) Name() pkiadm.ResourceName {
|
func (ca *CA) Name() pkiadm.ResourceName {
|
||||||
return pkiadm.ResourceName{ca.ID, pkiadm.RTCA}
|
return pkiadm.ResourceName{ca.ID, pkiadm.RTCA}
|
||||||
|
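Review bot: `Sign` returns every lookup error bare, so a failure surfaces without saying which CA certificate or key was being resolved; wrapping each one, e.g. `return nil, fmt.Errorf("loading CA certificate %v: %w", ca.Certificate, err)` (with `fmt` added to the import block), keeps `errors.Is`/`errors.As` working and makes a misconfigured CA reference diagnosable. `Sign` also trusts that whatever `ca.Certificate` names is actually a CA: nothing checks the loaded `caCert` is CA-capable (basic constraints / key usage) before its private key is used to issue, so a `CA` resource pointing at a leaf certificate would mint certificates that fail chain validation later — if `pki.Certificate` exposes the parsed X.509 certificate, a check before the key lookup would fail fast. The doc comment should start with the method name per Go convention, e.g. `// Sign signs the certificate signing request with this CA's private key and returns the issued certificate.`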
@ -46,10 +76,6 @@ func (ca *CA) DependsOn() []pkiadm.ResourceName {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ca *CA) Sign(csr *CSR) (*Certificate, error) {
|
|
||||||
return nil, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Server) CreateCA(inCA pkiadm.CA, res *pkiadm.Result) error {
|
func (s *Server) CreateCA(inCA pkiadm.CA, res *pkiadm.Result) error {
|
||||||
s.lock()
|
s.lock()
|
||||||
defer s.unlock()
|
defer s.unlock()
|
||||||
|
|
|
@ -49,13 +49,10 @@ func (c *Certificate) Name() pkiadm.ResourceName {
|
||||||
// AddDependency registers a depending resource to be retuened by Dependencies()
|
// AddDependency registers a depending resource to be retuened by Dependencies()
|
||||||
// Refresh must trigger a rebuild of the resource.
|
// Refresh must trigger a rebuild of the resource.
|
||||||
func (c *Certificate) Refresh(lookup *Storage) error {
|
func (c *Certificate) Refresh(lookup *Storage) error {
|
||||||
var ca *pki.Certificate
|
var err error
|
||||||
|
ca := CASelfSign
|
||||||
if !c.IsCA {
|
if !c.IsCA {
|
||||||
cert, err := lookup.GetCertificate(c.CA)
|
ca, err = lookup.GetCA(c.CA)
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
ca, err = cert.GetCertificate()
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
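Review bot: With `ca := CASelfSign` followed by `if !c.IsCA { ca, err = lookup.GetCA(c.CA) }`, every certificate flagged `IsCA` is self-signed and its `c.CA` reference is silently ignored, so an intermediate CA signed by a parent CA cannot be expressed; this mirrors the old `var ca *pki.Certificate` logic, but now that a real CA type exists it would be natural to key the choice on whether `c.CA` is set rather than on `c.IsCA`, with `IsCA` only driving the options. If ignoring `c.CA` for CA certificates is intended, a comment such as `// CA certificates are always self-signed; c.CA is not consulted.` on the `ca := CASelfSign` line would document it. `Refresh` continues past the end of this hunk.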
@ -68,14 +65,6 @@ func (c *Certificate) Refresh(lookup *Storage) error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
pkRes, err := lookup.GetPrivateKey(c.PrivateKey)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
pk, err := pkRes.GetKey()
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
serRes, err := lookup.GetSerial(c.Serial)
|
serRes, err := lookup.GetSerial(c.Serial)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
@ -94,7 +83,8 @@ func (c *Certificate) Refresh(lookup *Storage) error {
|
||||||
IsCA: c.IsCA,
|
IsCA: c.IsCA,
|
||||||
CALength: 0, // TODO make this an option
|
CALength: 0, // TODO make this an option
|
||||||
}
|
}
|
||||||
cert, err := csr.ToCertificate(pk, opts, ca)
|
//cert, err := csr.ToCertificate(pk, opts, ca)
|
||||||
|
cert, err := ca.Sign(lookup, csr, opts)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
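Review bot: The commented-out `//cert, err := csr.ToCertificate(pk, opts, ca)` is dead code left beside its replacement; delete it so the signing step reads as just `cert, err := ca.Sign(lookup, csr, opts)` — version control keeps the old form. `opts.IsCA` and `opts.CALength` are still populated from the requesting certificate a few lines up and passed straight into `Sign`, which does not check whether the issuing CA is permitted to issue a sub-CA; if that constraint matters here, it belongs in `Sign`. `Refresh` starts and ends outside this hunk.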