certificate generation is in

The hole certificate sign request and certificate creation process was pulled into pki, which made pkictl a bit smaller in code. There are still some things missing, but the initial support for certificates is done!
2015-03-16 17:15:29 +01:00 · 2015-03-16 17:15:29 +01:00 · 31bf8bc739
parent 52102b0f24
commit 31bf8bc739
3 changed files with 73 additions and 45 deletions
--- a/certificate_data.go
+++ b/certificate_data.go
@ -1,28 +0,0 @@
-package main
-
-import (
-  "crypto/x509"
-  "crypto/x509/pkix"
-  "net"
-)
-
-type (
-  certificateData struct {
-    Subject  pkix.Name
-
-    DnsNames       []string
-    EmailAddresses []string
-    IpAddresses    []net.IP
-  }
-)
-
-func (c *certificateData) GenerateCSR() *x509.CertificateRequest {
-  csr := &x509.CertificateRequest{}
-
-  csr.Subject        = c.Subject
-  csr.DNSNames       = c.DnsNames
-  csr.IPAddresses    = c.IpAddresses
-  csr.EmailAddresses = c.EmailAddresses
-
-  return csr
-}
--- a/flags.go
+++ b/flags.go
@ -5,11 +5,12 @@ package main

 import (
  "crypto/elliptic"
-  "crypto/x509/pkix"
  "encoding/base64"
+  "encoding/pem"
  "flag"
  "fmt"
  "io"
+  "io/ioutil"
  "net"
  "os"
  "reflect"
@ -76,7 +77,9 @@ type (
    // private key specific stuff
    PrivateKeyGenerationFlags privateKeyGenerationFlags
    // a certificate filled with the parameters
-    CertificateData certificateData
+    CertificateData *pki.CertificateData
+    // the certificate sign request
+    CertificateSignRequest *pki.CertificateRequest
  }

  privateKeyGenerationFlags struct {
@ -175,6 +178,39 @@ func (f *Flags) parsePublicKey() error {
  return nil
 }

+// add flag to load certificate sign request
+func (f *Flags) AddCSR() {
+  f.check_list = append(f.check_list, f.parseCSR)
+  f.flagset.StringVar(&f.flag_container.signRequestPath, "csr-path", "", "path to the certificate sign request")
+}
+
+// parse the certificate sign request
+func (f *Flags) parseCSR() error {
+  rest, err := ioutil.ReadFile(f.flag_container.signRequestPath)
+  if err != nil { return fmt.Errorf("Error reading certificate sign request: %s", err) }
+
+  var csr_asn1 []byte
+  var block *pem.Block
+  for len(rest) > 0 {
+    block, rest = pem.Decode(rest)
+    if block.Type == "CERTIFICATE REQUEST" {
+      csr_asn1 = block.Bytes
+      break
+    }
+  }
+  if len(csr_asn1) == 0 {
+    return fmt.Errorf(
+      "No certificate sign request found in %s",
+      f.flag_container.signRequestPath,
+    )
+  }
+
+  csr, err := pki.LoadCertificateSignRequest(csr_asn1)
+  if err != nil { return fmt.Errorf("Invalid certificate sign request: %s", err) }
+  f.Flags.CertificateSignRequest = csr
+  return nil
+}
+
 // add the output parameter to the checklist
 func (f *Flags) AddOutput() {
  f.check_list = append(f.check_list, f.parseOutput)
@ -307,7 +343,7 @@ func (f *Flags) AddCertificateFields() {

 // parse the certificate fields into a raw certificate
 func (f *Flags) parseCertificateFields() error {
-  f.Flags.CertificateData = certificateData{Subject: pkix.Name{}}
+  f.Flags.CertificateData = pki.NewCertificateData()
  // convert the automatic flags
  container_type := reflect.ValueOf(&f.flag_container.certificateFlags.automatic).Elem()
  cert_data_type := reflect.ValueOf(&f.Flags.CertificateData.Subject).Elem()
@ -321,12 +357,12 @@ func (f *Flags) parseCertificateFields() error {
  }

  // convert the manual flags
-  data     := &f.Flags.CertificateData
+  data     := f.Flags.CertificateData
  raw_data := f.flag_container.certificateFlags.manual
  data.Subject.SerialNumber = raw_data.serialNumber
  data.Subject.CommonName   = raw_data.commonName
  if raw_data.dnsNames != "" {
-    data.DnsNames             = strings.Split(raw_data.dnsNames, ",")
+    data.DNSNames             = strings.Split(raw_data.dnsNames, ",")
  }
  if raw_data.emailAddresses != "" {
    data.EmailAddresses       = strings.Split(raw_data.emailAddresses, ",")
@ -334,10 +370,10 @@ func (f *Flags) parseCertificateFields() error {

  if raw_data.ipAddresses == "" { return nil }
  raw_ips := strings.Split(raw_data.ipAddresses, ",")
-  data.IpAddresses = make([]net.IP, len(raw_ips))
+  data.IPAddresses = make([]net.IP, len(raw_ips))
  for i, ip := range raw_ips {
-    data.IpAddresses[i] = net.ParseIP(ip)
-    if data.IpAddresses[i] == nil {
+    data.IPAddresses[i] = net.ParseIP(ip)
+    if data.IPAddresses[i] == nil {
      return fmt.Errorf("'%s' is not a valid IP", ip)
    }
  }
--- a/main.go
+++ b/main.go
@ -2,13 +2,11 @@ package main

 import (
  "crypto"
-  "crypto/rand"
-  "crypto/x509"
  "encoding/base64"
-  "encoding/pem"
  "fmt"
  "io"
  "io/ioutil"
+  "math/big"
  "os"
  "path/filepath"

@ -29,7 +27,7 @@ func main() {
  case "sign-input":       sign_input()
  case "verify-signature": verify_input()
  case "create-cert-sign": create_sign_request()
-//  case "sign-request":     sign_request()
+  case "create-cert":      create_cert()
  case "help":             print_modules()
 //  case "info":             info_on_file()
  default: crash_with_help(1, "Command not supported!")
@ -126,14 +124,36 @@ func create_sign_request() {
  fs.AddCertificateFields()
  fs.Parse(program_args())

-  csrt := fs.Flags.CertificateData.GenerateCSR()
-  csr, err := x509.CreateCertificateRequest(rand.Reader, csrt, fs.Flags.PrivateKey.PrivateKey())
+  csr, err := fs.Flags.CertificateData.ToCertificateRequest(fs.Flags.PrivateKey)
  if err != nil { crash_with_help(2, "Could not create certificate sign request: %s", err) }
-  pem_block := &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csr}
-  err = pem.Encode(fs.Flags.Output, pem_block)
+  pem_block, err := csr.MarshalPem()
+  if err != nil { crash_with_help(2, "Could not covnert to pem: %s", err) }
+  _, err = pem_block.WriteTo(fs.Flags.Output)
  if err != nil { crash_with_help(2, "Encoding didn't work: %s", err) }
 }

+func create_cert() {
+  fs := NewFlags("create-cert")
+  fs.AddPrivateKey()
+  fs.AddCSR()
+  fs.AddOutput()
+  fs.Parse(program_args())
+
+  // TODO implement flags for all certificate options
+  cert_opts := pki.CertificateOptions{}
+  cert_opts.SerialNumber = big.NewInt(1)
+  cert, err := fs.Flags.CertificateSignRequest.ToCertificate(
+    fs.Flags.PrivateKey,
+    cert_opts,
+    nil,
+  )
+  if err != nil { crash_with_help(2, "Error generating certificate: %s", err) }
+  pem_block, err := cert.MarshalPem()
+  if err != nil { crash_with_help(2, "Error converting to pem: %s", err) }
+  _, err = pem_block.WriteTo(fs.Flags.Output)
+  if err != nil { crash_with_help(2, "Output didn't work: %s", err) }
+}
+
 // print the module help
 func print_modules() {
  fmt.Printf(`Usage: %s command args
@ -143,7 +163,7 @@ where 'command' is one of:
    sign-input        sign a message with a private key
    verify-signature  verify a signature
    create-cert-sign  create a new certificate sign request
-    sign-request      sign a certificate request
+    create-cert       sign a certificate request
    help              show this help
    info              get info on a file
 `, filepath.Base(os.Args[0]))