add basic key usage flag to certificates
This commit is contained in:
parent
ba5a59931e
commit
855fde6d68
41
flags.go
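--- a/flags.go
+++ b/flags.go
@@ -5,6 +5,7 @@ package main
 
 import (
 "crypto/elliptic"
+"crypto/x509"
 "encoding/base64"
 "encoding/pem"
 "fmt"
@@ -26,7 +27,18 @@ const (
 )
 
 var (
 EcdsaCurves = []int{224, 256, 384, 521}
+ValidKeyUsages = map[string]x509.KeyUsage{
+"digitalsignature": x509.KeyUsageDigitalSignature,
+"contentcommitment": x509.KeyUsageContentCommitment,
+"keyencipherment": x509.KeyUsageKeyEncipherment,
+"dataencipherment": x509.KeyUsageDataEncipherment,
+"keyagreement": x509.KeyUsageKeyAgreement,
+"certsign": x509.KeyUsageCertSign,
+"crlsign": x509.KeyUsageCRLSign,
+"encipheronly": x509.KeyUsageEncipherOnly,
+"decipheronly": x509.KeyUsageDecipherOnly,
+}
 )
 
 type (
@@ -61,7 +73,8 @@ type (
 signRequestPath string // path to the certificate sign request
 certificateFlags certiticateRequestRawFlags // container for certificate related flags
 signature string // a base64 encoded signature
-certGeneration certGenerationRaw
+certGeneration certGenerationRaw // all certificate generation flags
+certificatePath string // path to a certificate
 }
 
 privateKeyGenerationFlags struct {
@@ -76,6 +89,8 @@ type (
 notAfter string
 isCA bool
 length int
+caPath string // path to the ca file if isCA is false
+keyUsage string // comma separated list of key usages
 }
 
 flagCheck func() error
@@ -275,12 +290,17 @@ func InitFlagCert(cmd *Command) {
 "time before the certificate is not valid in RFC3339 format (default now)",
 )
 cmd.Flags().StringVar(
-&flagContainer.certGeneration.
-notAfter,
+&flagContainer.certGeneration.notAfter,
 "not-after",
 time.Now().Add(time.Duration(180*24*time.Hour)).Format(time.RFC3339),
 "time after which the certificate is not valid in RFC3339 format (default now + 180 days)",
 )
+cmd.Flags().StringVar(
+&flagContainer.certGeneration.keyUsage,
+"key-usage",
+"",
+"comma separated list of key usages",
+)
 }
 
 // parse the certificate data
@@ -302,6 +322,19 @@ func checkCertFlags() error {
 return err
 }
 }
+// parse the key usage string
+if keyUstr := flagContainer.certGeneration.keyUsage; keyUstr != "" {
+keyUarr := strings.Split(keyUstr, ",")
+var keyUresult x509.KeyUsage
+for _, usage := range keyUarr {
+if value, ok := ValidKeyUsages[strings.ToLower(usage)]; ok {
+keyUresult = keyUresult | value
+} else {
+return fmt.Errorf("unsupported key usage '%s'", usage)
+}
+}
+FlagCertificateGeneration.KeyUsage = keyUresult
+}
 return nil
 }
 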
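Review bot: The key-usage block added to checkCertFlags validates each name but never cross-checks the result against isCA, so a CA template can be produced whose usage omits certsign while a leaf template can carry certsign or crlsign; after the loop, `if flagContainer.certGeneration.isCA && keyUresult&x509.KeyUsageCertSign == 0 { return fmt.Errorf("key usage for a CA certificate must include certsign") }` would reject the first case at flag-check time, and the mirror check for a non-CA would cover the second. Entries are also not trimmed, so `digitalsignature, keyencipherment` fails on the second item; `strings.ToLower(strings.TrimSpace(usage))` in the lookup would tolerate the usual spacing, and `%q` instead of `'%s'` in the error makes an empty entry from a trailing comma visible. The help text in InitFlagCert could list the accepted names, e.g. `"comma separated list of key usages (digitalsignature, contentcommitment, keyencipherment, dataencipherment, keyagreement, certsign, crlsign, encipheronly, decipheronly)"`. checkCertFlags begins before this hunk; when the flag is empty KeyUsage is left untouched here, so whatever value it then carries is decided outside the hunk.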