flags.go


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431

package main

// This file handles the complete parameter assignment, as some parameters are
// often used by multiple functions.

import (
  "crypto/elliptic"
  "encoding/base64"
  "encoding/pem"
  "fmt"
  "io"
  "io/ioutil"
  "net"
  "os"
  "reflect"
  "strings"

  "github.com/gibheer/pki"
)

const (
  RsaLowerLength = 2048
  RsaUpperLength = 16384
)

var (
  EcdsaCurves    = []int{224, 256, 384, 521}
)

type (
  // holds all certificate related flags, which need parsing afterwards
  certFlagsContainer struct {
    manual struct {
      serialNumber   string // the serial number for the cert
      commonName     string // the common name used in the cert
      dnsNames       string // all alternative names in the certificate (comma separated list)
      ipAddresses    string // all IP addresses in the certificate (comma separated list)
      emailAddresses string // alternative email addresses
    }
    automatic struct {
      Country       string // the country names which should end up in the cert (comma separated list)
      Organization  string // the organization names (comma separated list)
      OrganizationalUnit string // the organizational units (comma separated list)
      Locality      string // the city or locality (comma separated list)
      Province      string // the province name (comma separated list)
      StreetAddress string // the street addresses of the organization (comma separated list)
      PostalCode    string // the postal codes of the locality
    }
  }

  // a container go gather all incoming flags for further processing
  paramContainer struct {
    outputPath       string // path to output whatever is generated
    inputPath        string // path to an input resource
    cryptType        string // type of something (private key)
    length           int    // the length of something (private key)
    privateKeyPath   string // path to the private key
    publicKeyPath    string // path to the public key
    signRequestPath  string // path to the certificate sign request
    certificateFlags certFlagsContainer // container for certificate related flags
    signature        string // a base64 encoded signature
  }

  privateKeyGenerationFlags struct {
    Type string // type of the private key (rsa, ecdsa)
    Curve elliptic.Curve // curve for ecdsa
    Size  int            // bitsize for rsa
  }

  flagCheck func()(error)
)

var (
  CmdRoot = &Command {
    Short: "A tool to manage keys and certificates.",
    Long: `This tool provides a way to manage private and public keys, create
certificate requests and certificates and sign/verify messages.`,
  }

  CmdCreatePrivateKey = &Command {
    Use: "create-private",
    Short: "create a private key",
    Long: "Create an ecdsa or rsa key with this command",
    Example: "create-private -type=ecdsa -length=521",
    Run: create_private_key,
  }

  CmdCreatePublicKey = &Command {
    Use: "create-public",
    Short: "create a public key from a private key",
    Long: "Create a public key derived from a private key.",
    Example: "create-public -private-key=foo.ecdsa",
    Run: create_public_key,
  }

  CmdSignInput = &Command {
    Use: "sign-input",
    Short: "sign a text using a private key",
    Long: "Create a signature using a private key",
    Example: "sign-input -private-key=foo.ecdsa -input=textfile",
    Run: sign_input,
  }

  CmdVerifyInput = &Command {
    Use: "verify-input",
    Short: "verify a text using a signature",
    Long: "Verify a text using a signature and a public key.",
    Example: "verify-input -public-key=foo.ecdsa.pub -input=textfile -signature=abc456",
    Run: verify_input,
  }

  CmdCreateSignRequest = &Command {
    Use: "create-sign-request",
    Short: "create a certificate sign request",
    Long: "Create a certificate sign request.",
    Example: "create-sign-request -private-key=foo.ecdsa -common-name=foo -serial=1",
    Run: create_sign_request,
  }

  CmdCreateCert = &Command {
    Use: "create-cert",
    Short: "create a certificate from a sign request",
    Long: "Create a certificate based on a certificate sign request.",
    Example: "create-cert -private-key=foo.ecdsa -csr-path=foo.csr",
    Run: create_cert,
  }

  // variable to hold the raw arguments before checking
  flagContainer *paramContainer

  // loaded private key
  FlagPrivateKey pki.PrivateKey
  // loaded public key
  FlagPublicKey  pki.PublicKey
  // the IO handler for input
  FlagInput      io.ReadCloser
  // the IO handler for output
  FlagOutput     io.WriteCloser
  // signature from the args
  FlagSignature  []byte
  // private key specific stuff
  FlagPrivateKeyGeneration privateKeyGenerationFlags
  // a certificate filled with the parameters
  FlagCertificateRequestData *pki.CertificateData
  // the certificate sign request
  FlagCertificateSignRequest *pki.CertificateRequest
)

func InitFlags() {
  flagContainer = &paramContainer{}
  CmdRoot.AddCommand(
    CmdCreatePrivateKey,
    CmdCreatePublicKey,
    CmdSignInput,
    CmdVerifyInput,
    CmdCreateSignRequest,
    CmdCreateCert,
  )

  // private-key
  InitFlagOutput(CmdCreatePrivateKey)
  InitFlagPrivateKeyGeneration(CmdCreatePrivateKey)
  // public-key
  InitFlagOutput(CmdCreatePublicKey)
  InitFlagPrivateKey(CmdCreatePublicKey)
  // sign-input
  InitFlagInput(CmdSignInput)
  InitFlagPrivateKey(CmdSignInput)
  InitFlagOutput(CmdSignInput)
  // verify-input
  InitFlagInput(CmdVerifyInput)
  InitFlagPrivateKey(CmdVerifyInput)
  InitFlagOutput(CmdVerifyInput)
  InitFlagSignature(CmdVerifyInput)
  // create-sign-request
  InitFlagPrivateKey(CmdCreateSignRequest)
  InitFlagOutput(CmdCreateSignRequest)
  InitFlagCertificateFields(CmdCreateSignRequest)
  // create-certificate
  InitFlagPrivateKey(CmdCreateCert)
  InitFlagOutput(CmdCreateCert)
  InitFlagCSR(CmdCreateCert)
}

func checkFlags(checks... flagCheck) error {
  for _, check := range checks {
    if err := check(); err != nil {
      return err
    }
  }
  return nil
}

//// print a message with the usage part
//func (f *Flags) Usagef(message string, args ...interface{}) {
//  fmt.Fprintf(os.Stderr, "error: " + message + "\n", args...)
//  f.flagset.Flags().Usage()
//}

// add the private key option to the requested flags
func InitFlagPrivateKey(cmd *Command) {
  cmd.Flags().StringVar(&flagContainer.privateKeyPath, "private-key", "", "path to the private key (required)")
}

// check the private key flag and load the private key
func checkPrivateKey() error {
  if flagContainer.privateKeyPath == "" { return fmt.Errorf("No private key given!") }
  // check permissions of private key file
  info, err := os.Stat(flagContainer.privateKeyPath)
  if err != nil { return fmt.Errorf("Error reading private key: %s", err) }
  if info.Mode().Perm().String()[4:] != "------" {
    return fmt.Errorf("private key file modifyable by others!")
  }

  pk, err := ReadPrivateKeyFile(flagContainer.privateKeyPath)
  if err != nil { return fmt.Errorf("Error reading private key: %s", err) }
  FlagPrivateKey = pk
  return nil
}

// add the public key flag
func InitFlagPublicKey(cmd *Command) {
  cmd.Flags().StringVar(&flagContainer.publicKeyPath, "public-key", "", "path to the public key (required)")
}

// parse public key flag
func checkPublicKey() error {
  if flagContainer.publicKeyPath == "" { return fmt.Errorf("No public key given!") }

  pu, err := ReadPublicKeyFile(flagContainer.publicKeyPath)
  if err != nil { return fmt.Errorf("Error reading public key: %s", err) }
  FlagPublicKey = pu
  return nil
}

// add flag to load certificate sign request
func InitFlagCSR(cmd *Command) {
  cmd.Flags().StringVar(&flagContainer.signRequestPath, "csr-path", "", "path to the certificate sign request")
}

// parse the certificate sign request
func checkCSR() error {
  rest, err := ioutil.ReadFile(flagContainer.signRequestPath)
  if err != nil { return fmt.Errorf("Error reading certificate sign request: %s", err) }

  var csr_asn1 []byte
  var block *pem.Block
  for len(rest) > 0 {
    block, rest = pem.Decode(rest)
    if block.Type == "CERTIFICATE REQUEST" {
      csr_asn1 = block.Bytes
      break
    }
  }
  if len(csr_asn1) == 0 {
    return fmt.Errorf(
      "No certificate sign request found in %s",
      flagContainer.signRequestPath,
    )
  }

  csr, err := pki.LoadCertificateSignRequest(csr_asn1)
  if err != nil { return fmt.Errorf("Invalid certificate sign request: %s", err) }
  FlagCertificateSignRequest = csr
  return nil
}

func InitFlagOutput(cmd *Command) {
  cmd.Flags().StringVar(&flagContainer.outputPath, "output", "STDOUT", "path to the output or STDOUT")
}

// parse the output parameter and open the file handle
func checkOutput() error {
  if flagContainer.outputPath == "STDOUT" {
    FlagOutput = os.Stdout
    return nil
  }
  var err error
  FlagOutput, err = os.OpenFile(
    flagContainer.outputPath,
    os.O_WRONLY | os.O_APPEND | os.O_CREATE, // do not kill users files!
    0600,
  )
  if err != nil { return err }
  return nil
}

// add the input parameter to load resources from
func InitFlagInput(cmd *Command) {
  cmd.Flags().StringVar(&flagContainer.inputPath, "input", "STDIN", "path to the input or STDIN")
}

// parse the input parameter and open the file handle
func checkInput() error {
  if flagContainer.inputPath == "STDIN" {
    FlagInput = os.Stdin
    return nil
  }
  var err error
  FlagInput, err = os.Open(flagContainer.inputPath)
  if err != nil { return err }
  return nil
}

// This function adds the private key generation flags.
func InitFlagPrivateKeyGeneration(cmd *Command) {
  cmd.Flags().StringVar(&flagContainer.cryptType, "type", "ecdsa", "the type of the private key (ecdsa, rsa)")
  cmd.Flags().IntVar(
    &flagContainer.length,
    "length", 521,
    fmt.Sprintf("%d - %d for rsa; one of %v for ecdsa", RsaLowerLength, RsaUpperLength, EcdsaCurves),
  )
}

// check the private key generation variables and move them to the work space
func checkPrivateKeyGeneration() error {
  pk_type := flagContainer.cryptType
  FlagPrivateKeyGeneration.Type = pk_type
  switch pk_type {
  case "ecdsa":
    switch flagContainer.length {
    case 224: FlagPrivateKeyGeneration.Curve = elliptic.P224()
    case 256: FlagPrivateKeyGeneration.Curve = elliptic.P256()
    case 384: FlagPrivateKeyGeneration.Curve = elliptic.P384()
    case 521: FlagPrivateKeyGeneration.Curve = elliptic.P521()
    default: return fmt.Errorf("Curve %d unknown!", flagContainer.length)
    }
  case "rsa":
    size := flagContainer.length
    if RsaLowerLength <= size && size <= RsaUpperLength {
      FlagPrivateKeyGeneration.Size = size
    } else {
      return fmt.Errorf("Length of %d is not allowed for rsa!", size)
    }
  default: return fmt.Errorf("Type %s is unknown!", pk_type)
  }
  return nil
}

// add the signature flag to load a signature from a signing process
func InitFlagSignature(cmd *Command) {
  cmd.Flags().StringVar(&flagContainer.signature, "signature", "", "the base64 encoded signature to use for verification")
}

// parse the signature flag
func checkSignature() error {
  var err error
  FlagSignature, err = base64.StdEncoding.DecodeString(flagContainer.signature)
  if err != nil { return err }
  return nil
}

// add the certificate fields to the flags
func InitFlagCertificateFields(cmd *Command) {
  cmd.Flags().StringVar(
    &flagContainer.certificateFlags.manual.serialNumber,
    "serial", "1", "unique serial number of the CA");
  cmd.Flags().StringVar(
    &flagContainer.certificateFlags.manual.commonName,
    "common-name", "", "common name of the entity to certify");
  cmd.Flags().StringVar(
    &flagContainer.certificateFlags.manual.dnsNames,
    "dns-names", "", "comma separated list of alternative fqdn entries for the entity");
  cmd.Flags().StringVar(
    &flagContainer.certificateFlags.manual.emailAddresses,
    "email-address", "", "comma separated list of alternative email entries for the entity");
  cmd.Flags().StringVar(
    &flagContainer.certificateFlags.manual.ipAddresses,
    "ip-address", "", "comma separated list of alternative ip entries for the entity");
  cmd.Flags().StringVar(
    &flagContainer.certificateFlags.automatic.Country,
    "country", "", "comma separated list of countries the entitiy resides in");
  cmd.Flags().StringVar(
    &flagContainer.certificateFlags.automatic.Organization,
    "organization", "", "comma separated list of organizations the entity belongs to");
  cmd.Flags().StringVar(
    &flagContainer.certificateFlags.automatic.OrganizationalUnit,
    "organization-unit", "", "comma separated list of organization units or departments the entity belongs to");
  cmd.Flags().StringVar(
    &flagContainer.certificateFlags.automatic.Locality,
    "locality", "", "comma separated list of localities or cities the entity resides in");
  cmd.Flags().StringVar(
    &flagContainer.certificateFlags.automatic.Province,
    "province", "", "comma separated list of provinces the entity resides in");
  cmd.Flags().StringVar(
    &flagContainer.certificateFlags.automatic.StreetAddress,
    "street-address", "", "comma separated list of street addresses the entity resides in");
  cmd.Flags().StringVar(
    &flagContainer.certificateFlags.automatic.PostalCode,
    "postal-code", "", "comma separated list of postal codes of the localities");
}

// parse the certificate fields into a raw certificate
func checkCertificateFields() error {
  FlagCertificateRequestData = pki.NewCertificateData()
  // convert the automatic flags
  container_type := reflect.ValueOf(&flagContainer.certificateFlags.automatic).Elem()
  cert_data_type := reflect.ValueOf(&FlagCertificateRequestData.Subject).Elem()

  for _, field := range []string{"Country", "Organization", "OrganizationalUnit",
                                 "Locality", "Province", "StreetAddress", "PostalCode"} {
    field_value := container_type.FieldByName(field).String()
    if field_value == "" { continue }
    target := cert_data_type.FieldByName(field)
    target.Set(reflect.ValueOf(strings.Split(field_value, ",")))
  }

  // convert the manual flags
  data     := FlagCertificateRequestData
  raw_data := flagContainer.certificateFlags.manual
  data.Subject.SerialNumber = raw_data.serialNumber
  data.Subject.CommonName   = raw_data.commonName
  if raw_data.dnsNames != "" {
    data.DNSNames             = strings.Split(raw_data.dnsNames, ",")
  }
  if raw_data.emailAddresses != "" {
    data.EmailAddresses       = strings.Split(raw_data.emailAddresses, ",")
  }

  if raw_data.ipAddresses == "" { return nil }
  raw_ips := strings.Split(raw_data.ipAddresses, ",")
  data.IPAddresses = make([]net.IP, len(raw_ips))
  for i, ip := range raw_ips {
    data.IPAddresses[i] = net.ParseIP(ip)
    if data.IPAddresses[i] == nil {
      return fmt.Errorf("'%s' is not a valid IP", ip)
    }
  }

  return nil
}