Fork 0

redesign cli

This is a major rebuilding of the CLI. The library part is split out
into pkilib and the cli handles only the communication with the user,
I/O and the library.
The API will still look the same, but the code should be much better to
grasp. Instead of repeating everything, more will be grouped together
and reused.
This commit is contained in:
Gibheer 2015-02-15 01:34:25 +01:00
parent 2f9126dc6a
commit 16eb14db9f
10 changed files with 282 additions and 700 deletions

View File

@ -1,118 +0,0 @@
package main
// create a sign request needed for the final certificate
import (
type (
SignFlags struct {
PrivateKeyPath string // path to the private key
Output string // path where to store the CSR
BaseAttributes pkix.Name
DNSNames []string // alternative names to the BaseAttributes.CommonName
IPAddresses []net.IP // alternative IP addresses
private_key crypto.Signer
output_stream io.Writer // the output stream for the CSR
var (
COMMA_SPLIT = regexp.MustCompile(`,[[:space:]]?`)
// create a sign request with a private key
func create_sign_request() {
flags := parse_sign_flags()
flags.private_key = load_private_key(flags.PrivateKeyPath)
stream, err := open_output_stream(flags.Output)
if err != nil {
crash_with_help(2, fmt.Sprintf("Error when creating file %s: %s", flags.Output, err))
defer stream.Close()
flags.output_stream = stream
if err = create_csr(flags); err != nil {
fmt.Fprintln(os.Stderr, "Error when generating CSR: ", err)
// parse the flags to create a certificate sign request
func parse_sign_flags() SignFlags {
dns_names := "" // string to hold the alternative names
ips := "" // string to hold the alternative ips
var container struct {
Country, Organization, OrganizationalUnit, Locality, Province,
StreetAddress, PostalCode string
flags := SignFlags{}
fs := flag.NewFlagSet("create-cert-sign", flag.ExitOnError)
fs.StringVar(&flags.PrivateKeyPath, "private-key", "", "path to the private key file")
fs.StringVar(&flags.Output, "output", "STDOUT", "path where the generated csr should be stored")
flags.BaseAttributes = pkix.Name{}
fs.StringVar(&flags.BaseAttributes.CommonName, "common-name", "", "the name of the resource")
fs.StringVar(&flags.BaseAttributes.SerialNumber, "serial", "1", "serial number for the request")
fs.StringVar(&dns_names, "names", "", "alternative names (comma separated)")
fs.StringVar(&ips, "ips", "", "alternative IPs (comma separated)")
fs.StringVar(&container.Country, "country", "", "country of the organization")
fs.StringVar(&container.Organization, "organization", "", "the name of the organization")
fs.StringVar(&container.OrganizationalUnit, "org-unit", "", "the organizational unit")
fs.StringVar(&container.Locality, "city", "", "the city or locality")
fs.StringVar(&container.Province, "province", "", "the province")
fs.StringVar(&container.StreetAddress, "street", "", "the street address for the cert")
fs.StringVar(&container.PostalCode, "postal-code", "", "the postal code of the city")
// convert array flags to config structs
if dns_names != "" {
flags.DNSNames = COMMA_SPLIT.Split(dns_names, -1)
if ips != "" {
tmp_ips := COMMA_SPLIT.Split(ips, -1)
for _, sip := range tmp_ips {
flags.IPAddresses = append(flags.IPAddresses, net.ParseIP(sip))
container_type := reflect.ValueOf(container)
config_type := reflect.ValueOf(&flags.BaseAttributes).Elem()
for i := 0; i < container_type.NumField(); i++ {
field := container_type.Field(i)
new_field := config_type.FieldByName(container_type.Type().Field(i).Name)
new_field.Set(reflect.ValueOf(COMMA_SPLIT.Split(field.String(), -1)))
return flags
// generate the csr and print into flags.output_stream
func create_csr(flags SignFlags) (error) {
csr_template := &x509.CertificateRequest{
Subject: flags.BaseAttributes,
DNSNames: flags.DNSNames,
IPAddresses: flags.IPAddresses,
csr_raw, err := x509.CreateCertificateRequest(rand.Reader, csr_template, flags.private_key)
if err != nil { return err }
block := &pem.Block{Type: TypeLabelCSR, Bytes: csr_raw}
pem.Encode(flags.output_stream, block)
return nil

View File

@ -1,84 +0,0 @@
package main
import (
type CSRTest struct {
ShouldBe []string
Set func(*SignFlags)
Fetch func(*x509.CertificateRequest) []string
const (
func SetupTest() (*SignFlags, *bytes.Buffer) {
p, _ := pem.Decode([]byte(RAW_PRIVATE_KEY))
buf := bytes.NewBuffer(make([]byte, 0))
flags := &SignFlags{
private_key: load_private_key_ecdsa(p),
output_stream: buf,
return flags, buf
func TestCSRGeneration(t *testing.T) {
tests := []CSRTest {
func(f *SignFlags) { f.BaseAttributes.CommonName = "foo" },
func(c *x509.CertificateRequest) []string { return []string{c.Subject.CommonName} },
}, {
[]string{"foo.com", "bar.com", "baz.com"},
func(f *SignFlags) { f.DNSNames = []string{ "foo.com", "bar.com", "baz.com" }},
func(c *x509.CertificateRequest) []string { return c.DNSNames },
[]string{"", ""},
func(f *SignFlags) { f.IPAddresses = []net.IP{net.ParseIP(""), net.ParseIP("") }},
func(c *x509.CertificateRequest) []string {
res := make([]string, 0)
for _, ip := range c.IPAddresses {
res = append(res, ip.String())
return res
for _, test := range tests {
flags, io := SetupTest()
res, _ := ioutil.ReadAll(io)
raw, _ := pem.Decode(res)
csr, _ := x509.ParseCertificateRequest(raw.Bytes)
if !diff(test.ShouldBe, test.Fetch(csr)) {
t.Logf("Expected: %v\nbut got: %v", test.ShouldBe, test.Fetch(csr))
func diff(a, b []string) bool {
if len(a) != len(b) { return false }
for i, e := range a {
if e != b[i] { return false }
return true

flags.go Normal file
View File

@ -0,0 +1,168 @@
package main
// This file handles the complete parameter assignment, as some parameters are
// often used by multiple functions.
import (
const (
RsaLowerLength = 2048
RsaUpperLength = 16384
var (
EcdsaCurves = []int{224, 256, 384, 521}
type (
// holds all certificate related flags, which need parsing afterwards
certFlagsContainer struct {
serialNumber int // the serial number for the cert
commonName string // the common name used in the cert
dnsNames string // all alternative names in the certificate (comma separated list)
ipAddresses string // all IP addresses in the certificate (comma separated list)
country string // the country names which should end up in the cert (comma separated list)
organization string // the organization names (comma separated list)
organizationalUnit string // the organizational units (comma separated list)
locality string // the city or locality (comma separated list)
province string // the province name (comma separated list)
streetAddress string // the street addresses of the organization (comma separated list)
postalCode string // the postal codes of the locality
// a container go gather all incoming flags for further processing
paramContainer struct {
outputPath string // path to output whatever is generated
cryptType string // type of something (private key)
length int // the length of something (private key)
privateKeyPath string // path to the private key
publicKeyPath string // path to the public key
signRequestPath string // path to the certificate sign request
certificateFlags *certFlagsContainer // container for certificate related flags
// a container for the refined flags
flagSet struct {
PrivateKey pkilib.PrivateKey
Output io.WriteCloser
// private key specific stuff
PrivateKeyGenerationFlags privateKeyGenerationFlags
privateKeyGenerationFlags struct {
Type string // type of the private key (rsa, ecdsa)
Curve elliptic.Curve // curve for ecdsa
Size int // bitsize for rsa
Flags struct {
flagset *flag.FlagSet // the flagset reference for printing the help
flag_container *paramContainer
Flags *flagSet // the end result of the flag setting
check_list []flagCheck // list of all checks
flagCheck func()(error)
// create a new flag handler with the name of the subfunction
func NewFlags(method_name string) *Flags {
return &Flags{
Flags: &flagSet{},
flagset: flag.NewFlagSet(method_name, flag.ExitOnError),
check_list: make([]flagCheck, 0),
flag_container: &paramContainer{},
// check all parameters for validity
func (f *Flags) Parse(options []string) error {
for _, check := range f.check_list {
// TODO handle error in a betetr way (output specific help, not command help)
if err := check(); err != nil { return err }
return nil
// add the private key option to the requested flags
func (f *Flags) AddPrivateKey() {
f.check_list = append(f.check_list, f.parsePrivateKey)
f.flagset.StringVar(&f.flag_container.privateKeyPath, "private-key", "", "path to the private key")
// check the private key flag and load the private key
func (f *Flags) parsePrivateKey() error {
// check permissions of private key file
info, err := os.Stat(f.flag_container.privateKeyPath)
if err != nil { return fmt.Errorf("Error reading private key: %s", err) }
if info.Mode().Perm().String()[4:] != "------" {
return fmt.Errorf("private key file modifyable by others!")
pk, err := ReadPrivateKeyFile(f.flag_container.privateKeyPath)
if err != nil { return fmt.Errorf("Error reading private key: %s", err) }
f.Flags.PrivateKey = pk
return nil
// add the output parameter to the checklist
func (f *Flags) AddOutput() {
f.check_list = append(f.check_list, f.parseOutput)
f.flagset.StringVar(&f.flag_container.outputPath, "output", "STDOUT", "path to the output or STDOUT")
// parse the output parameter and open the file handle
func (f *Flags) parseOutput() error {
if f.flag_container.outputPath == "STDOUT" {
f.Flags.Output = os.Stdout
return nil
var err error
f.Flags.Output, err = os.OpenFile(
os.O_WRONLY | os.O_APPEND | os.O_CREATE, // do not kill users files!
if err != nil { return err }
return nil
// This function adds the private key generation flags.
func (f *Flags) AddPrivateKeyGenerationFlags() {
f.check_list = append(f.check_list, f.parsePrivateKeyGenerationFlags)
f.flagset.StringVar(&f.flag_container.cryptType, "type", "ecdsa", "the type of the private key (ecdsa, rsa)")
"length", 521,
fmt.Sprintf("%d - %d for rsa; %v for ecdsa", RsaLowerLength, RsaUpperLength, EcdsaCurves),
func (f *Flags) parsePrivateKeyGenerationFlags() error {
pk_type := f.flag_container.cryptType
f.Flags.PrivateKeyGenerationFlags.Type = pk_type
switch pk_type {
case "ecdsa":
switch f.flag_container.length {
case 224: f.Flags.PrivateKeyGenerationFlags.Curve = elliptic.P224()
case 256: f.Flags.PrivateKeyGenerationFlags.Curve = elliptic.P256()
case 384: f.Flags.PrivateKeyGenerationFlags.Curve = elliptic.P384()
case 521: f.Flags.PrivateKeyGenerationFlags.Curve = elliptic.P521()
default: return fmt.Errorf("Curve %d unknown!", f.flag_container.length)
case "rsa": f.Flags.PrivateKeyGenerationFlags.Size = f.flag_container.length
default: return fmt.Errorf("Type %s is unknown!", pk_type)
return nil

io.go Normal file
View File

@ -0,0 +1,41 @@
package main
// handle all io and de/encoding of data
import (
var (
ErrBlockNotFound = errors.New("block not found")
// load a pem section from a file
func readSectionFromFile(path, btype string) ([]byte, error) {
raw, err := readFile(path)
if err != nil { return raw, err }
return decodeSection(raw, btype)
// read a file completely and report possible errors
func readFile(path string) ([]byte, error) {
raw, err := ioutil.ReadFile(path)
if err != nil { return EmptyByteArray, err }
return raw, nil
// decode a pem encoded file and search for the specified section
func decodeSection(data []byte, btype string) ([]byte, error) {
rest := data
for len(rest) > 0 {
var block *pem.Block
block, rest = pem.Decode(rest)
if block.Type == btype {
return block.Bytes, nil
return EmptyByteArray, ErrBlockNotFound

View File

@ -2,69 +2,74 @@ package main
import ( import (
"fmt" "fmt"
"os" "os"
"path/filepath" "path/filepath"
const ( "github.com/gibheer/pkilib"
RsaLowerLength = 2048
RsaUpperLength = 4096
TypeLabelPubKey = "PUBLIC KEY"
) )
var ( var (
EcdsaLength = []int{224, 256, 384, 521} EmptyByteArray = make([]byte, 0)
) )
//const (
// RsaLowerLength = 2048
// RsaUpperLength = 4096
// TypeLabelPubKey = "PUBLIC KEY"
//var (
// EcdsaLength = []int{224, 256, 384, 521}
func main() { func main() {
if len(os.Args) == 1 { if len(os.Args) == 1 {
crash_with_help(1, "No module selected!") crash_with_help(1, "No module selected!")
} }
switch os.Args[1] { switch os.Args[1] {
case "create-private": create_private_key() case "create-private": create_private_key()
case "create-cert-sign": create_sign_request()
case "create-public": create_public_key() case "create-public": create_public_key()
case "help": print_modules() // case "create-cert-sign": create_sign_request()
case "info": info_on_file() // case "help": print_modules()
case "sign-request": sign_request() // case "info": info_on_file()
case "sign-input": sign_input() // case "sign-request": sign_request()
case "verify-signature": verify_signature() // case "sign-input": sign_input()
// case "verify-signature": verify_signature()
default: crash_with_help(1, "Command not supported!") default: crash_with_help(1, "Command not supported!")
} }
} }
// get information on file (private key, sign request, certificate, ...) // create a private key
func info_on_file() {} func create_private_key() {
// sign a certificate request to create a new certificate fs := NewFlags("create-private")
func sign_request() {} fs.AddOutput()
err := fs.Parse(program_args())
if err != nil { crash_with_help(1, fmt.Sprintf("%s", err)) }
// open stream for given path var pk pkilib.Pemmer
func open_output_stream(path string) (io.WriteCloser, error) { switch fs.Flags.PrivateKeyGenerationFlags.Type {
switch path { case "ecdsa": pk, err = pkilib.NewPrivateKeyEcdsa(fs.Flags.PrivateKeyGenerationFlags.Curve)
case "STDOUT": return os.Stdout, nil case "rsa": pk, err = pkilib.NewPrivateKeyRsa(fs.Flags.PrivateKeyGenerationFlags.Size)
case "STDERR": return os.Stderr, nil
default: return open_stream(path, os.O_WRONLY | os.O_CREATE | os.O_TRUNC)
} }
if err != nil { crash_with_help(2, fmt.Sprintf("%s", err)) }
marsh_pem, err := pk.MarshalPem()
if err != nil { crash_with_help(2, fmt.Sprintf("%s", err)) }
_, err = marsh_pem.WriteTo(fs.Flags.Output)
if err != nil { crash_with_help(2, fmt.Sprintf("%s", err)) }
} }
func open_input_stream(path string) (io.ReadCloser, error) { // create a public key derived from a private key
switch path { func create_public_key() {
case "STDIN": return os.Stdin, nil fs := NewFlags("create-public")
default: return open_stream(path, os.O_RDONLY) fs.AddPrivateKey()
} err := fs.Parse(program_args())
} if err != nil { crash_with_help(1, fmt.Sprintf("%s", err)) }
func open_stream(path string, flags int) (io.ReadWriteCloser, error) { fmt.Println(fs.Flags.PrivateKey.Public())
var err error
output_stream, err := os.OpenFile(path, flags, 0600)
if err != nil {
return nil, err
return output_stream, nil
} }
// print the module help // print the module help
@ -76,15 +81,21 @@ where 'command' is one of:
create-cert-sign create a new certificate sign request create-cert-sign create a new certificate sign request
help show this help help show this help
info get info on a file info get info on a file
sign sign a certificate request sign-request sign a certificate request
sign-input sign a message with a private key sign-input sign a message with a private key
verify-signature verify a signature verify-signature verify a signature
`, filepath.Base(os.Args[0])) `, filepath.Base(os.Args[0]))
fmt.Println() fmt.Println()
} }
// crash and provide a helpful message
func crash_with_help(code int, message string) { func crash_with_help(code int, message string) {
fmt.Fprintln(os.Stderr, message) fmt.Fprintln(os.Stderr, message)
print_modules() print_modules()
os.Exit(code) os.Exit(code)
} }
// return the arguments to the program
func program_args() []string {
return os.Args[2:]

View File

@ -1,145 +1,33 @@
package main package main
// generate an ecdsa or rsa private key
import ( import (
"crypto" "errors"
"crypto/elliptic" "github.com/gibheer/pkilib"
) )
type ( const (
CreateFlags struct { TypeLabelRSA = "RSA PRIVATE KEY"
CryptType string // rsa or ecdsa TypeLabelECDSA = "EC PRIVATE KEY"
CryptLength int // the bit length
Output string // a path or stream to output the private key to
output_stream io.WriteCloser // the actual stream to the output
) )
// create a new private key var (
func create_private_key() { ErrNoPKFound = errors.New("no private key found")
flags := parse_create_flags() )
var err error // Read the private key from the path and try to figure out which type of key it
flags.output_stream, err = open_output_stream(flags.Output) // might be.
if err != nil { func ReadPrivateKeyFile(path string) (pkilib.PrivateKey, error) {
crash_with_help(2, fmt.Sprintf("Error when creating file %s: %s", flags.Output, err)) raw_pk, err := readSectionFromFile(path, TypeLabelECDSA)
if err == nil {
pk, err := pkilib.LoadPrivateKeyEcdsa(raw_pk)
if err != nil { return nil, err }
return pk, nil
} }
defer flags.output_stream.Close() raw_pk, err = readSectionFromFile(path, TypeLabelRSA)
if err == nil {
switch flags.CryptType { pk, err := pkilib.LoadPrivateKeyRsa(raw_pk)
case "rsa": create_private_key_rsa(flags) if err != nil { return nil, err }
case "ecdsa": create_private_key_ecdsa(flags) return pk, nil
default: crash_with_help(2, fmt.Sprintf("%s not supported!", flags.CryptType))
} }
} return nil, ErrNoPKFound
// generate a rsa private key
func create_private_key_rsa(flags CreateFlags) {
if flags.CryptLength < 2048 {
crash_with_help(2, "Length is smaller than 2048!")
priv, err := rsa.GenerateKey( rand.Reader, flags.CryptLength)
if err != nil {
fmt.Fprintln(os.Stderr, "Error: ", err)
marshal := x509.MarshalPKCS1PrivateKey(priv)
block := &pem.Block{Type: TypeLabelRSA, Bytes: marshal}
pem.Encode(flags.output_stream, block)
// generate a ecdsa private key
func create_private_key_ecdsa(flags CreateFlags) {
var curve elliptic.Curve
switch flags.CryptLength {
case 224: curve = elliptic.P224()
case 256: curve = elliptic.P256()
case 384: curve = elliptic.P384()
case 521: curve = elliptic.P521()
default: crash_with_help(2, "Unsupported crypt length!")
priv, err := ecdsa.GenerateKey(curve, rand.Reader)
if err != nil {
fmt.Fprintln(os.Stderr, "Error: ", err)
marshal, err := x509.MarshalECPrivateKey(priv)
if err != nil {
crash_with_help(2, fmt.Sprintf("Problems marshalling the private key: %s", err))
block := &pem.Block{Type: TypeLabelECDSA, Bytes: marshal}
pem.Encode(flags.output_stream, block)
// parse the flags to create a private key
func parse_create_flags() CreateFlags {
flags := CreateFlags{}
fs := flag.NewFlagSet("create-private", flag.ExitOnError)
fs.StringVar(&flags.CryptType, "type", "ecdsa", "which type to use to encrypt key (rsa, ecdsa)")
fs.IntVar(&flags.CryptLength, "length", 521, fmt.Sprintf(
"%i - %i for rsa; %v for ecdsa", RsaLowerLength, RsaUpperLength, EcdsaLength,))
fs.StringVar(&flags.Output, "output", "STDOUT", "filename to store the private key")
return flags
// load the private key stored at `path`
func load_private_key(path string) crypto.Signer {
if path == "" {
crash_with_help(2, "No path to private key supplied!")
file, err := os.Open(path)
if err != nil {
crash_with_help(3, fmt.Sprintf("Error when opening private key: %s", err))
defer file.Close()
data, err := ioutil.ReadAll(file)
if err != nil {
crash_with_help(3, fmt.Sprintf("Error when reading private key: %s", err))
block, _ := pem.Decode(data)
if block.Type == TypeLabelRSA {
return load_private_key_rsa(block)
} else if block.Type == TypeLabelECDSA {
return load_private_key_ecdsa(block)
} else {
crash_with_help(2, "No valid private key file! Only RSA and ECDSA keys are allowed!")
return nil
// parse rsa private key
func load_private_key_rsa(block *pem.Block) crypto.Signer {
key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
if err != nil {
crash_with_help(3, fmt.Sprintf("Error parsing private key: %s", err))
return key
// parse ecdsa private key
func load_private_key_ecdsa(block *pem.Block) crypto.Signer {
key, err := x509.ParseECPrivateKey(block.Bytes)
if err != nil {
crash_with_help(3, fmt.Sprintf("Error parsing private key: %s", err))
return key
} }

View File

@ -1,50 +0,0 @@
package main
// create a public key from a private key
import (
type (
PublicKeyFlags struct {
PrivateKeyPath string
Output string
output_stream io.WriteCloser // the actual stream to the output
func create_public_key() {
var err error
flags := parse_public_key_flags()
flags.output_stream, err = open_output_stream(flags.Output)
if err != nil {
crash_with_help(2, fmt.Sprintf("Error when creating file %s: %s", flags.Output, err))
defer flags.output_stream.Close()
priv_key := load_private_key(flags.PrivateKeyPath)
marshal, err := x509.MarshalPKIXPublicKey(priv_key.Public())
if err != nil {
crash_with_help(2, fmt.Sprintf("Problems marshalling the public key: %s", err))
block := &pem.Block{Type: TypeLabelPubKey, Bytes: marshal}
pem.Encode(flags.output_stream, block)
func parse_public_key_flags() PublicKeyFlags {
flags := PublicKeyFlags{}
fs := flag.NewFlagSet("create-public", flag.ExitOnError)
fs.StringVar(&flags.PrivateKeyPath, "private-key", "", "path to the private key file")
fs.StringVar(&flags.Output, "output", "STDOUT", "path where the generated public key should be stored")
return flags

View File

@ -1,103 +0,0 @@
package main
import (
// "crypto/ecdsa"
// "crypto/rsa"
type (
SignInputFlags struct {
Message string // the message to sign
MessageStream string // the message stream to sign
PrivateKeyPath string // path to the private key
Output string // a path or stream to output the private key to
Format string // the format of the output
private_key crypto.Signer
output_stream io.Writer // the output stream for the CSR
input_stream io.Reader // the input stream to read the message from
func sign_input() {
flags := parse_sign_input_flags()
if flags.Message != "" && flags.MessageStream != "" {
crash_with_help(2, "Only message or message file can be signed!")
flags.private_key = load_private_key(flags.PrivateKeyPath)
output_stream, err := open_output_stream(flags.Output)
if err != nil {
crash_with_help(2, fmt.Sprintf("Error when creating file %s: %s", flags.Output, err))
flags.output_stream = output_stream
defer output_stream.Close()
if flags.MessageStream != "" {
input_stream, err := open_input_stream(flags.MessageStream)
if err != nil {
crash_with_help(2, fmt.Sprintf("Error when opening stream %s: %s", flags.MessageStream, err))
flags.input_stream = input_stream
defer input_stream.Close()
if err := create_signature(flags); err != nil {
fmt.Fprintln(os.Stderr, "Error when creating signature", err)
func parse_sign_input_flags() SignInputFlags {
flags := SignInputFlags{}
fs := flag.NewFlagSet("sign-input", flag.ExitOnError)
fs.StringVar(&flags.PrivateKeyPath, "private-key", "", "path to the private key file")
fs.StringVar(&flags.Output, "output", "STDOUT", "path where the generated signature should be stored (STDOUT, STDERR, file)")
fs.StringVar(&flags.Message, "message", "", "the message to sign")
fs.StringVar(&flags.MessageStream, "message-stream", "STDIN", "the path to the stream to sign (file, STDIN)")
fs.StringVar(&flags.Format, "format", "base64", "the output format (binary, base64)")
return flags
func create_signature(flags SignInputFlags) error {
var message []byte
var err error
if flags.MessageStream != "" {
message, err = ioutil.ReadAll(flags.input_stream)
if err != nil { return err }
} else {
message = []byte(flags.Message)
// compute sha256 of the message
hash := sha256.New()
length, _ := hash.Write(message)
if length != len(message) { return errors.New("Error when creating hash over message!") }
// create signature of the hash using the private key
signature, err := flags.private_key.Sign(
if err != nil { return err }
if flags.Format == "base64" {
} else {
return nil

View File

@ -1,10 +0,0 @@
package main
import (
// sign a certificate request to create a new certificate
func sign_request() {

View File

@ -1,161 +0,0 @@
package main
// verify a signature generated with a private key
import (
type (
VerifySignatureFlags struct {
Message string // the message to sign
MessageStream string // the path to the input stream
PublicKeyPath string // path to the private key
Signature string // a path or stream to output the private key to
SignatureStream string // read signature from an input stream
Format string // the format of the signature
message_stream io.Reader // the message stream
signature_stream io.Reader // the signature stream
// struct to load the signature into (which is basically two bigint in byte form)
Signature struct {
R, S *big.Int
func verify_signature() {
flags := parse_verify_signature_flags()
if flags.SignatureStream == flags.MessageStream &&
( flags.Message == "" && flags.Signature == "") {
crash_with_help(2, "Signature and Message stream can't be the same source!")
// open streams
if flags.Message == "" && flags.MessageStream != "" {
message_stream, err := open_input_stream(flags.MessageStream)
if err != nil {
crash_with_help(2, fmt.Sprintf("Error when opening stream %s: %s", flags.MessageStream, err))
defer message_stream.Close()
flags.message_stream = message_stream
if flags.Signature == "" && flags.SignatureStream != "" {
signature_stream, err := open_input_stream(flags.SignatureStream)
if err != nil {
crash_with_help(2, fmt.Sprintf("Error when opening stream %s: %s", flags.SignatureStream, err))
defer signature_stream.Close()
flags.signature_stream = signature_stream
public_key, err := load_public_key_ecdsa(flags.PublicKeyPath)
if err != nil {
crash_with_help(2, fmt.Sprintf("Error when loading public key: %s", err))
signature, err := load_signature(flags)
if err != nil {
crash_with_help(2, fmt.Sprintf("Error when loading the signature: %s", err))
message, err := load_message(flags)
hash := sha256.New()
success := ecdsa.Verify(public_key, hash.Sum(nil), signature.R, signature.S)
// parse the parameters
func parse_verify_signature_flags() VerifySignatureFlags {
flags := VerifySignatureFlags{}
fs := flag.NewFlagSet("verify-signature", flag.ExitOnError)
fs.StringVar(&flags.PublicKeyPath, "public-key", "", "path to the public key file")
fs.StringVar(&flags.Signature, "signature", "", "path where the signature file can be found")
fs.StringVar(&flags.SignatureStream, "signature-stream", "", "the path to the stream of the signature (file, STDIN)")
fs.StringVar(&flags.Format, "format", "auto", "the input format of the signature (auto, binary, base64)")
fs.StringVar(&flags.Message, "message", "", "the message to validate")
fs.StringVar(&flags.MessageStream, "message-stream", "STDIN", "the path to the stream to validate (file, STDIN)")
return flags
// load the private key from pem file
func load_public_key_ecdsa(path string) (*ecdsa.PublicKey, error) {
public_key_file, err := os.Open(path)
if err != nil { return nil, err }
public_key_pem, err := ioutil.ReadAll(public_key_file)
if err != nil { return nil, err }
block, _ := pem.Decode(public_key_pem)
if block.Type != TypeLabelPubKey {
return nil, errors.New(fmt.Sprintf("No public key found in %s", path))
public_key, err := x509.ParsePKIXPublicKey(block.Bytes)
if err != nil { return nil, err }
return public_key.(*ecdsa.PublicKey), nil
// parse the signature from asn1 file
func load_signature(flags VerifySignatureFlags) (*Signature, error) {
var signature_raw []byte
var err error
if flags.Message != "" {
signature_raw = []byte(flags.Message)
} else {
signature_raw, err = ioutil.ReadAll(flags.signature_stream)
if err != nil { return nil, err }
switch strings.ToLower(flags.Format) {
case "auto":
sig, err := load_signature_base64(signature_raw)
if err != nil {
sig, err = load_signature_binary(signature_raw)
if err != nil { return nil, err }
return sig, nil
return sig, nil
case "base64": return load_signature_base64(signature_raw)
case "binary": return load_signature_binary(signature_raw)
default: return nil, errors.New("Unknown format!")
// convert the signature from base64 into a signature
func load_signature_base64(signature_raw []byte) (*Signature, error) {
asn1_sig, err := base64.StdEncoding.DecodeString(string(signature_raw))
if err != nil { return nil, err }
return load_signature_binary(asn1_sig)
// convert the signature from asn1 into a signature
func load_signature_binary(signature_raw []byte) (*Signature, error) {
var signature Signature
_, err := asn1.Unmarshal(signature_raw, &signature)
if err != nil { return nil, err }
return &signature, nil
// load the message from a stream or the parameter
func load_message(flags VerifySignatureFlags) (string, error) {
if flags.Message != "" { return flags.Message, nil }
message, err := ioutil.ReadAll(flags.message_stream)
if err != nil { return "", err }
return string(message), nil