From 855fde6d680e4e84c1a4d6b9d67dae40208bdc5c Mon Sep 17 00:00:00 2001 From: Gibheer Date: Mon, 30 Mar 2015 20:20:58 +0200 Subject: add basic key usage flag to certificates --- flags.go | 41 +++++++++++++++++++++++++++++++++++++---- 1 file changed, 37 insertions(+), 4 deletions(-) (limited to 'flags.go') diff --git a/flags.go b/flags.go index ab449bd..600fa02 100644 --- a/flags.go +++ b/flags.go @@ -5,6 +5,7 @@ package main import ( "crypto/elliptic" + "crypto/x509" "encoding/base64" "encoding/pem" "fmt" @@ -26,7 +27,18 @@ const ( ) var ( - EcdsaCurves = []int{224, 256, 384, 521} + EcdsaCurves = []int{224, 256, 384, 521} + ValidKeyUsages = map[string]x509.KeyUsage{ + "digitalsignature": x509.KeyUsageDigitalSignature, + "contentcommitment": x509.KeyUsageContentCommitment, + "keyencipherment": x509.KeyUsageKeyEncipherment, + "dataencipherment": x509.KeyUsageDataEncipherment, + "keyagreement": x509.KeyUsageKeyAgreement, + "certsign": x509.KeyUsageCertSign, + "crlsign": x509.KeyUsageCRLSign, + "encipheronly": x509.KeyUsageEncipherOnly, + "decipheronly": x509.KeyUsageDecipherOnly, + } ) type ( @@ -61,7 +73,8 @@ type ( signRequestPath string // path to the certificate sign request certificateFlags certiticateRequestRawFlags // container for certificate related flags signature string // a base64 encoded signature - certGeneration certGenerationRaw + certGeneration certGenerationRaw // all certificate generation flags + certificatePath string // path to a certificate } privateKeyGenerationFlags struct { @@ -76,6 +89,8 @@ type ( notAfter string isCA bool length int + caPath string // path to the ca file if isCA is false + keyUsage string // comma separated list of key usages } flagCheck func() error @@ -275,12 +290,17 @@ func InitFlagCert(cmd *Command) { "time before the certificate is not valid in RFC3339 format (default now)", ) cmd.Flags().StringVar( - &flagContainer.certGeneration. - notAfter, + &flagContainer.certGeneration.notAfter, "not-after", time.Now().Add(time.Duration(180*24*time.Hour)).Format(time.RFC3339), "time after which the certificate is not valid in RFC3339 format (default now + 180 days)", ) + cmd.Flags().StringVar( + &flagContainer.certGeneration.keyUsage, + "key-usage", + "", + "comma separated list of key usages", + ) } // parse the certificate data @@ -302,6 +322,19 @@ func checkCertFlags() error { return err } } + // parse the key usage string + if keyUstr := flagContainer.certGeneration.keyUsage; keyUstr != "" { + keyUarr := strings.Split(keyUstr, ",") + var keyUresult x509.KeyUsage + for _, usage := range keyUarr { + if value, ok := ValidKeyUsages[strings.ToLower(usage)]; ok { + keyUresult = keyUresult | value + } else { + return fmt.Errorf("unsupported key usage '%s'", usage) + } + } + FlagCertificateGeneration.KeyUsage = keyUresult + } return nil } -- cgit v1.2.3-70-g09d2