overall cleanup and bugfixing
This commit fixes some minor issues with self-signed certificates. On the way to that fix, some other issues were fixed, which I can't remember. This also adds a couple of log outputs to make it easier to understand what actually happens in the daemon.
This commit is contained in:
parent
1cdac69f4b
commit
bc410d2d10
@ -10,6 +10,7 @@ type (
IsCA bool
|
IsCA bool
|
||||||
Duration time.Duration
|
Duration time.Duration
|
||||||
|
Created time.Time
|
||||||
|
|
||||||
PrivateKey ResourceName
|
PrivateKey ResourceName
|
||||||
Serial ResourceName
|
Serial ResourceName
|
||||||
|
|
|
@ -32,16 +32,25 @@ func createCA(args []string, client *pkiadm.Client) error {
|
||||||
func setCA(args []string, client *pkiadm.Client) error {
|
func setCA(args []string, client *pkiadm.Client) error {
|
||||||
fs := flag.NewFlagSet("pkiadm set-public", flag.ExitOnError)
|
fs := flag.NewFlagSet("pkiadm set-public", flag.ExitOnError)
|
||||||
id := fs.String("id", "", "the id of the CA to change")
|
id := fs.String("id", "", "the id of the CA to change")
|
||||||
pk := fs.String("private-key", "", "the id of the new private key to use for CA generation")
|
ct := fs.String("type", "local", "the type of CA to create (local, LetsEncrypt)")
|
||||||
|
cert := fs.String("certificate", "", "the id of the certificate to use for signing")
|
||||||
fs.Parse(args)
|
fs.Parse(args)
|
||||||
|
|
||||||
if !fs.Lookup("private-key").Changed {
|
fieldList := []string{}
|
||||||
return nil
|
for _, field := range []string{"certificate", "type"} {
|
||||||
|
flag := fs.Lookup(field)
|
||||||
|
if flag.Changed {
|
||||||
|
fieldList = append(fieldList, field)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
caName := pkiadm.ResourceName{ID: *pk, Type: pkiadm.RTPrivateKey}
|
caType := pkiadm.StringToCAType(*ct)
|
||||||
|
if caType == pkiadm.CAUnknown {
|
||||||
|
return errors.New("unknown ca type")
|
||||||
|
}
|
||||||
|
caName := pkiadm.ResourceName{ID: *cert, Type: pkiadm.RTCertificate}
|
||||||
if err := client.SetCA(
|
if err := client.SetCA(
|
||||||
pkiadm.CA{ID: *id, Certificate: caName},
|
pkiadm.CA{ID: *id, Certificate: caName},
|
||||||
[]string{"private-key"},
|
fieldList,
|
||||||
); err != nil {
|
); err != nil {
|
||||||
return errors.Wrap(err, "Could not change CA")
|
return errors.Wrap(err, "Could not change CA")
|
||||||
}
|
}
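Review bot: The `-type` value is validated but never sent: `caType` is only compared against `pkiadm.CAUnknown` and then dropped, while `"type"` can still end up in `fieldList`, so the server is told the type changed but receives `pkiadm.CA{ID: *id, Certificate: caName}` without it. Assuming pkiadm.CA carries a type field matching NewCA's caType parameter, the literal should become `pkiadm.CA{ID: *id, Type: caType, Certificate: caName}`. Two smaller points in the same hunk: the FlagSet is still named `"pkiadm set-public"` (copy-paste; it shows up in usage output and should be `"pkiadm set-ca"`), and `flag := fs.Lookup(field)` shadows the `flag` package inside the loop — `f := fs.Lookup(field)` avoids the confusion.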
|
||||||
|
|
|
@ -88,9 +88,9 @@ func listCertificate(args []string, client *pkiadm.Client) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
out := tabwriter.NewWriter(os.Stdout, 2, 2, 1, ' ', tabwriter.AlignRight)
|
out := tabwriter.NewWriter(os.Stdout, 2, 2, 1, ' ', tabwriter.AlignRight)
|
||||||
fmt.Fprintf(out, "%s\t%s\t%s\t%s\t%s\t%s\t%s\t\n", "id", "private", "csr", "ca", "serial", "duration", "self-signed")
|
fmt.Fprintf(out, "%s\t%s\t%s\t%s\t%s\t%s\t%s\t\n", "id", "private", "csr", "ca", "serial", "created", "duration", "self-signed")
|
||||||
for _, cert := range certs {
|
for _, cert := range certs {
|
||||||
fmt.Fprintf(out, "%s\t%s\t%s\t%s\t%s\t%s\t%t\t\n", cert.ID, cert.PrivateKey.ID, cert.CSR.ID, cert.CA.ID, cert.Serial.ID, cert.Duration, cert.IsCA)
|
fmt.Fprintf(out, "%s\t%s\t%s\t%s\t%s\t%s\t%t\t\n", cert.ID, cert.PrivateKey.ID, cert.CSR.ID, cert.CA.ID, cert.Serial.ID, cert.Created, cert.Duration, cert.IsCA)
|
||||||
}
|
}
|
||||||
out.Flush()
|
out.Flush()
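Review bot: Both Fprintf calls now pass eight arguments to a format string with seven verbs, so the header row prints `%!(EXTRA string=self-signed)` and the data row binds `%t` to `cert.Duration` (printing `%!t(time.Duration=…)`) while `cert.IsCA` is reported as extra; `go vet` flags this. The formats need one more column: `"%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t\n"` for the header and `"%s\t%s\t%s\t%s\t%s\t%s\t%s\t%t\t\n"` for the row.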
|
||||||
|
|
||||||
|
@ -111,6 +111,7 @@ func showCertificate(args []string, client *pkiadm.Client) error {
|
||||||
fmt.Fprintf(out, "csr:\t%s\n", cert.CSR.ID)
|
fmt.Fprintf(out, "csr:\t%s\n", cert.CSR.ID)
|
||||||
fmt.Fprintf(out, "ca:\t%s\n", cert.CA.ID)
|
fmt.Fprintf(out, "ca:\t%s\n", cert.CA.ID)
|
||||||
fmt.Fprintf(out, "serial:\t%s\n", cert.Serial.ID)
|
fmt.Fprintf(out, "serial:\t%s\n", cert.Serial.ID)
|
||||||
|
fmt.Fprintf(out, "created:\t%s\n", cert.Created)
|
||||||
fmt.Fprintf(out, "duration:\t%s\n", cert.Duration)
|
fmt.Fprintf(out, "duration:\t%s\n", cert.Duration)
|
||||||
fmt.Fprintf(out, "self-signed:\t%t\n", cert.IsCA)
|
fmt.Fprintf(out, "self-signed:\t%t\n", cert.IsCA)
|
||||||
fmt.Fprintf(out, "checksum:\t%s\n", base64.StdEncoding.EncodeToString(cert.Checksum))
|
fmt.Fprintf(out, "checksum:\t%s\n", base64.StdEncoding.EncodeToString(cert.Checksum))
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"log"
|
||||||
|
|
||||||
"github.com/gibheer/pki"
|
"github.com/gibheer/pki"
|
||||||
"github.com/gibheer/pkiadm"
|
"github.com/gibheer/pkiadm"
|
||||||
)
|
)
|
||||||
|
@ -33,25 +35,51 @@ func NewCA(id string, caType pkiadm.CAType, cert pkiadm.ResourceName) (*CA, erro
|
||||||
}
|
}
|
||||||
|
|
||||||
// Sign the certificate sign request with this CA
|
// Sign the certificate sign request with this CA
|
||||||
func (ca *CA) Sign(lookup *Storage, csr *pki.CertificateRequest, opts pki.CertificateOptions) (*pki.Certificate, error) {
|
func (ca *CA) Sign(lookup *Storage, csr pkiadm.ResourceName, opts pki.CertificateOptions) (*pki.Certificate, error) {
|
||||||
caCertDef, err := lookup.GetCertificate(ca.Certificate)
|
var caCert *pki.Certificate
|
||||||
|
var pk pki.PrivateKey
|
||||||
|
var caCertDef *Certificate
|
||||||
|
|
||||||
|
csrRes, err := lookup.GetCSR(csr)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
caCert, err := caCertDef.GetCertificate()
|
csrIns, err := csrRes.GetCSR()
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
pkDef, err := lookup.GetPrivateKey(caCertDef.PrivateKey)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
pk, err := pkDef.GetKey()
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
return csr.ToCertificate(pk, opts, caCert)
|
if ca == CASelfSign {
|
||||||
|
pkDef, err := lookup.GetPrivateKey(csrRes.PrivateKey)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
pk, err = pkDef.GetKey()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
caCertDef = &Certificate{ID: "self-signed"}
|
||||||
|
} else {
|
||||||
|
caCertDef, err = lookup.GetCertificate(ca.Certificate)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
caCert, err = caCertDef.GetCertificate()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
pkDef, err := lookup.GetPrivateKey(caCertDef.PrivateKey)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
pk, err = pkDef.GetKey()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
log.Printf("ca '%s' signing csr '%s' using cert '%s'", ca.ID, csr.ID, caCertDef.ID)
|
||||||
|
return csrIns.ToCertificate(pk, opts, caCert)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Return the unique ResourceName
|
// Return the unique ResourceName
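Review bot: Both branches of the new `if ca == CASelfSign` repeat the same GetPrivateKey/GetKey sequence, each with a `pkDef, err :=` that shadows the outer `err`, and the self-signed branch constructs a throwaway `&Certificate{ID: "self-signed"}` solely so the log line has something to print. Deciding only the key name, the optional CA certificate and a signer label inside the branch, then doing the key lookup once, removes the duplication and the fake resource; the comparison `ca == CASelfSign` presumably relies on CASelfSign being a package-level *CA sentinel, which I cannot see here. It is also worth a comment that in the self-signed path the CSR's own private key is the signing key and `caCert` stays nil, since ToCertificate's handling of a nil CA is not visible in this file.
```go
func (ca *CA) Sign(lookup *Storage, csr pkiadm.ResourceName, opts pki.CertificateOptions) (*pki.Certificate, error) {
	// … unchanged: csrRes / csrIns lookup and error checks …
	var caCert *pki.Certificate
	keyName := csrRes.PrivateKey // self-signed: the CSR's own key signs, caCert stays nil
	signer := "self-signed"
	if ca != CASelfSign {
		caCertDef, err := lookup.GetCertificate(ca.Certificate)
		if err != nil {
			return nil, err
		}
		if caCert, err = caCertDef.GetCertificate(); err != nil {
			return nil, err
		}
		keyName = caCertDef.PrivateKey
		signer = caCertDef.ID
	}
	pkDef, err := lookup.GetPrivateKey(keyName)
	if err != nil {
		return nil, err
	}
	pk, err := pkDef.GetKey()
	if err != nil {
		return nil, err
	}
	log.Printf("ca '%s' signing csr '%s' using cert '%s'", ca.ID, csr.ID, signer)
	return csrIns.ToCertificate(pk, opts, caCert)
}
```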
|
||||||
|
@ -135,7 +163,7 @@ func (s *Server) ShowCA(inCA pkiadm.CA, res *pkiadm.ResultCA) error {
|
||||||
|
|
||||||
ca, err := s.storage.GetCA(pkiadm.ResourceName{ID: inCA.ID, Type: pkiadm.RTCA})
|
ca, err := s.storage.GetCA(pkiadm.ResourceName{ID: inCA.ID, Type: pkiadm.RTCA})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
res.Result.SetError(err, "Could not find private key '%s'", inCA.ID)
|
res.Result.SetError(err, "Could not find CA '%s'", inCA.ID)
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
res.CAs = []pkiadm.CA{pkiadm.CA{
|
res.CAs = []pkiadm.CA{pkiadm.CA{
|
||||||
|
|
|
@ -19,6 +19,7 @@ type (
|
||||||
|
|
||||||
IsCA bool
|
IsCA bool
|
||||||
Duration time.Duration
|
Duration time.Duration
|
||||||
|
Created time.Time
|
||||||
|
|
||||||
PrivateKey pkiadm.ResourceName
|
PrivateKey pkiadm.ResourceName
|
||||||
Serial pkiadm.ResourceName
|
Serial pkiadm.ResourceName
|
||||||
|
@ -57,14 +58,6 @@ func (c *Certificate) Refresh(lookup *Storage) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
csrRes, err := lookup.GetCSR(c.CSR)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
csr, err := csrRes.GetCSR()
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
serRes, err := lookup.GetSerial(c.Serial)
|
serRes, err := lookup.GetSerial(c.Serial)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
@ -84,7 +77,7 @@ func (c *Certificate) Refresh(lookup *Storage) error {
|
||||||
CALength: 0, // TODO make this an option
|
CALength: 0, // TODO make this an option
|
||||||
}
|
}
|
||||||
//cert, err := csr.ToCertificate(pk, opts, ca)
|
//cert, err := csr.ToCertificate(pk, opts, ca)
|
||||||
cert, err := ca.Sign(lookup, csr, opts)
|
cert, err := ca.Sign(lookup, c.CSR, opts)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
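Review bot: The commented-out line `//cert, err := csr.ToCertificate(pk, opts, ca)` is carried over unchanged, but now that the CSR lookup has moved into CA.Sign (the earlier hunk in this file removes the local `csr` entirely) it no longer describes anything this function could do; it should be deleted rather than kept as dead history. Refresh starts and ends outside this hunk.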
|
||||||
|
@ -92,8 +85,8 @@ func (c *Certificate) Refresh(lookup *Storage) error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
block.Headers = map[string]string{"ID": c.ID}
|
|
||||||
c.Data = pem.EncodeToMemory(&block)
|
c.Data = pem.EncodeToMemory(&block)
|
||||||
|
c.Created = time.Now()
|
||||||
return nil
|
return nil
|
||||||
}
|
}
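Review bot: `c.Created = time.Now()` records the daemon's wall-clock time at the moment of refresh, which is not necessarily the certificate's own NotBefore and will move every time the resource is regenerated; since the CLI labels this column "created" next to "duration", a reader will likely assume it is the issue time. Either derive it from the signed certificate, or add `// Created is the time of the last refresh, not the certificate's NotBefore.` on the field so the distinction is explicit. Refresh's body starts outside this hunk.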
|
||||||
|
|
||||||
|
@ -213,6 +206,7 @@ func (s *Server) ShowCertificate(inCert pkiadm.ResourceName, res *pkiadm.ResultC
|
||||||
res.Certificates = []pkiadm.Certificate{pkiadm.Certificate{
|
res.Certificates = []pkiadm.Certificate{pkiadm.Certificate{
|
||||||
ID: cert.ID,
|
ID: cert.ID,
|
||||||
Duration: cert.Duration,
|
Duration: cert.Duration,
|
||||||
|
Created: cert.Created,
|
||||||
PrivateKey: cert.PrivateKey,
|
PrivateKey: cert.PrivateKey,
|
||||||
Serial: cert.Serial,
|
Serial: cert.Serial,
|
||||||
CA: cert.CA,
|
CA: cert.CA,
|
||||||
|
@ -229,6 +223,7 @@ func (s *Server) ListCertificate(filter pkiadm.Filter, res *pkiadm.ResultCertifi
|
||||||
res.Certificates = append(res.Certificates, pkiadm.Certificate{
|
res.Certificates = append(res.Certificates, pkiadm.Certificate{
|
||||||
ID: cert.ID,
|
ID: cert.ID,
|
||||||
Duration: cert.Duration,
|
Duration: cert.Duration,
|
||||||
|
Created: cert.Created,
|
||||||
PrivateKey: cert.PrivateKey,
|
PrivateKey: cert.PrivateKey,
|
||||||
Serial: cert.Serial,
|
Serial: cert.Serial,
|
||||||
CA: cert.CA,
|
CA: cert.CA,
|
||||||
|
|
|
@ -77,7 +77,6 @@ func (c *CSR) Refresh(lookup *Storage) error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
block.Headers = map[string]string{"ID": c.ID}
|
|
||||||
c.Data = pem.EncodeToMemory(&block)
|
c.Data = pem.EncodeToMemory(&block)
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -3,6 +3,7 @@ package main
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
|
"log"
|
||||||
"os"
|
"os"
|
||||||
"os/exec"
|
"os/exec"
|
||||||
|
|
||||||
|
@ -59,15 +60,19 @@ func (l *Location) Refresh(lookup *Storage) error {
|
||||||
raw = append(raw, output...)
|
raw = append(raw, output...)
|
||||||
}
|
}
|
||||||
if l.PreCommand != "" {
|
if l.PreCommand != "" {
|
||||||
|
log.Printf("location '%s' is updating '%s' - pre '%s'", l.ID, l.Path, l.PreCommand)
|
||||||
cmd := exec.Command(l.PreCommand, l.Path)
|
cmd := exec.Command(l.PreCommand, l.Path)
|
||||||
if err := cmd.Run(); err != nil {
|
if err := cmd.Run(); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
log.Printf("location '%s' is updating '%s'", l.ID, l.Path)
|
||||||
if err := ioutil.WriteFile(l.Path, raw, 0600); err != nil {
|
if err := ioutil.WriteFile(l.Path, raw, 0600); err != nil {
|
||||||
|
log.Printf("could not write location '%s': %s", l.ID, err)
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if l.PostCommand != "" {
|
if l.PostCommand != "" {
|
||||||
|
log.Printf("location '%s' is updating '%s' - post '%s'", l.ID, l.Path, l.PostCommand)
|
||||||
cmd := exec.Command(l.PostCommand, l.Path)
|
cmd := exec.Command(l.PostCommand, l.Path)
|
||||||
if err := cmd.Run(); err != nil {
|
if err := cmd.Run(); err != nil {
|
||||||
return err
|
return err
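Review bot: The new `log.Printf("could not write location '%s': %s", l.ID, err)` followed by `return err` logs and returns the same error, and the SetLocation hunk further down does it again (`log.Printf("could not update location …")` immediately before `res.SetError(…)`), so one failed write produces three reports of one event; pick one layer to log at. Meanwhile the paths that would benefit from context stay silent: a failing pre or post command returns a bare `err` from cmd.Run() with no hint which hook or location failed, e.g. `return fmt.Errorf("location '%s' pre command '%s': %w", l.ID, l.PreCommand, err)` (fmt is already imported in this file). Refresh continues past the end of this hunk.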
|
||||||
|
@ -132,6 +137,7 @@ func (s *Server) SetLocation(changeset pkiadm.LocationChange, res *pkiadm.Result
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if err := s.storage.Update(locName); err != nil {
|
if err := s.storage.Update(locName); err != nil {
|
||||||
|
log.Printf("could not update location '%s': %s", loc.ID, err)
|
||||||
res.SetError(err, "Could not update location '%s'", loc.ID)
|
res.SetError(err, "Could not update location '%s'", loc.ID)
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -87,7 +87,6 @@ func (p *PrivateKey) Refresh(_ *Storage) error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
block.Headers = map[string]string{"ID": p.ID}
|
|
||||||
p.Key = pem.EncodeToMemory(&block)
|
p.Key = pem.EncodeToMemory(&block)
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -44,7 +44,6 @@ func (p *PublicKey) Refresh(lookup *Storage) error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
block.Headers = map[string]string{"ID": p.ID, "TYPE": p.Type.String()}
|
|
||||||
p.Key = pem.EncodeToMemory(&block)
|
p.Key = pem.EncodeToMemory(&block)
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -359,6 +359,7 @@ func (s *Storage) Update(rn pkiadm.ResourceName) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, dep := range updateOrder {
|
for _, dep := range updateOrder {
|
||||||
|
log.Printf("refreshing resource '%s' because of '%s'", dep.Name(), rn.String())
|
||||||
if err := dep.Refresh(s); err != nil {
|
if err := dep.Refresh(s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
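Review bot: The new log line says which dependency is about to be refreshed, but a failure still surfaces as a bare `return err` with no indication of which resource in updateOrder failed, so the caller (and the CLI error the user sees) cannot tell. Wrapping it, `return fmt.Errorf("refreshing '%s' for '%s': %w", dep.Name(), rn.String(), err)`, keeps that context on the error itself rather than only in the daemon log; whether fmt is already imported in this file is not visible here. Update's body starts before this hunk.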
|
||||||
|
|
|
@ -20,6 +20,8 @@ func (i ResourceType) String() string {
|
||||||
return "serial"
|
return "serial"
|
||||||
case RTLocation:
|
case RTLocation:
|
||||||
return "location"
|
return "location"
|
||||||
|
case RTCA:
|
||||||
|
return "CA"
|
||||||
case RTUnknown:
|
case RTUnknown:
|
||||||
return "unknown"
|
return "unknown"
|
||||||
default:
|
default:
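Review bot: `case RTCA: return "CA"` breaks the round trip with StringToResourceType in the next hunk, which only accepts `"ca"`; every other type in this switch returns its lowercase name (`"serial"`, `"location"`) and parses back by the same string. Returning `"ca"` here keeps String() and StringToResourceType symmetric, which matters because ResourceType strings are what the client passes to the daemon.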
|
||||||
|
@ -43,6 +45,8 @@ func StringToResourceType(in string) (ResourceType, error) {
|
||||||
return RTSubject, nil
|
return RTSubject, nil
|
||||||
case "serial":
|
case "serial":
|
||||||
return RTSerial, nil
|
return RTSerial, nil
|
||||||
|
case "ca":
|
||||||
|
return RTCA, nil
|
||||||
default:
|
default:
|
||||||
return RTUnknown, fmt.Errorf("unknown resource type")
|
return RTUnknown, fmt.Errorf("unknown resource type")
|
||||||
}
|
}
|
||||||