// Copyright 2015 The Cockroach Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
// implied. See the License for the specific language governing
// permissions and limitations under the License.
//
// Author: Marc Berhault (marc@cockroachlabs.com)
package cli
import (
"fmt"
"github.com/cockroachdb/cockroach/security"
"github.com/spf13/cobra"
)
const (
	// defaultKeySize is the key size, in bits, used when none is requested.
	// It is not referenced in this file; presumably it is the default of a
	// key-size flag defined elsewhere in the package — confirm there.
	defaultKeySize = 2048
)

var (
	// keySize is the key size (bits) handed to the security.RunCreate*
	// helpers below. It is assigned outside this file (presumably bound to
	// a flag) and is not validated in this file.
	keySize int
)
// createCACertCmd is the "create-ca" subcommand of certCmd. It generates a
// CA key pair and certificate and writes them to the --ca-cert and --ca-key
// paths; the work is done by runCreateCACert.
var createCACertCmd = &cobra.Command{
	Use:   "create-ca --ca-cert=<path-to-ca-cert> --ca-key=<path-to-ca-key>",
	Short: "create CA cert and key",
	RunE:  runCreateCACert,
	// Usage is not re-printed on error; runCreateCACert calls mustUsage
	// itself when a required parameter is missing.
	SilenceUsage: true,
	Long: `
Generates CA certificate and key, writing them to --ca-cert and --ca-key.
`,
}
// runCreateCACert implements createCACertCmd: it checks that the CA cert and
// CA key paths are set, then delegates to security.RunCreateCACert to
// generate the key pair and CA certificate and write them to those paths.
//
// Positional args are ignored. keySize is passed through without any check
// in this file; NOTE(review): confirm security.RunCreateCACert enforces a
// minimum key size.
func runCreateCACert(cmd *cobra.Command, args []string) error {
	caCert, caKey := baseCtx.SSLCA, baseCtx.SSLCAKey
	// Both paths are mandatory: show usage and report the missing parameter.
	if len(caCert) == 0 || len(caKey) == 0 {
		mustUsage(cmd)
		return errMissingParams
	}
	err := security.RunCreateCACert(caCert, caKey, keySize)
	if err != nil {
		return fmt.Errorf("failed to generate CA certificate: %s", err)
	}
	return nil
}
// createNodeCertCmd is the "create-node" subcommand of certCmd. It generates
// a node key pair and certificate for the hosts given as positional
// arguments and writes them to --cert and --key, signing with the CA cert
// and key passed via --ca-cert/--ca-key; the work is done by
// runCreateNodeCert.
var createNodeCertCmd = &cobra.Command{
	Use:   "create-node --ca-cert=<ca-cert> --ca-key=<ca-key> --cert=<node-cert> --key=<node-key> <host 1> <host 2> ... <host N>",
	Short: "create node cert and key",
	RunE:  runCreateNodeCert,
	// Usage is not re-printed on error; runCreateNodeCert calls mustUsage
	// itself when a required parameter is missing.
	SilenceUsage: true,
	Long: `
Generates node certificate and keys for a given node, writing them to
--cert and --key. CA certificate and key must be passed in.
At least one host should be passed in (either IP address or dns name).
`,
}
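// runCreateNodeCert implements createNodeCertCmd: it checks that the CA
// cert/key and node cert/key paths are set and that at least one host was
// given, then delegates to security.RunCreateNodeCert to generate the node
// key pair and certificate and write them to --cert and --key.
//
// args are the hosts (IP addresses or DNS names) the certificate is issued
// for. keySize is passed through without any check in this file;
// NOTE(review): confirm security.RunCreateNodeCert enforces a minimum key
// size.
func runCreateNodeCert(cmd *cobra.Command, args []string) error {
	if len(baseCtx.SSLCA) == 0 || len(baseCtx.SSLCAKey) == 0 ||
		len(baseCtx.SSLCert) == 0 || len(baseCtx.SSLCertKey) == 0 {
		mustUsage(cmd)
		return errMissingParams
	}
	// The usage text requires at least one host; reject an empty host list
	// here, mirroring runCreateClientCert's positional-argument check,
	// instead of leaving it to security.RunCreateNodeCert.
	if len(args) == 0 {
		mustUsage(cmd)
		return errMissingParams
	}
	if err := security.RunCreateNodeCert(baseCtx.SSLCA, baseCtx.SSLCAKey,
		baseCtx.SSLCert, baseCtx.SSLCertKey, keySize, args); err != nil {
		return fmt.Errorf("failed to generate node certificate: %s", err)
	}
	return nil
}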
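// createClientCertCmd is the "create-client" subcommand of certCmd. It
// generates a client key pair and certificate for the username given as the
// positional argument and writes them to --cert and --key, signing with the
// CA cert and key passed via --ca-cert/--ca-key; the work is done by
// runCreateClientCert.
//
// The help text previously repeated "--cert and --key." across two lines and
// labelled the client's own files <node-cert>/<node-key>; both are fixed.
var createClientCertCmd = &cobra.Command{
	Use:   "create-client --ca-cert=<ca-cert> --ca-key=<ca-key> --cert=<client-cert> --key=<client-key> username",
	Short: "create client cert and key",
	Long: `
Generates a client certificate and key, writing them to --cert and --key.
CA certificate and key must be passed in.
The certs directory should contain a CA cert and key.
`,
	// Usage is not re-printed on error; runCreateClientCert calls mustUsage
	// itself when a required parameter is missing.
	SilenceUsage: true,
	RunE:         runCreateClientCert,
}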
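// runCreateClientCert implements createClientCertCmd: it checks that exactly
// one username was given and that the CA cert/key and client cert/key paths
// are set, then delegates to security.RunCreateClientCert to generate the
// client key pair and certificate and write them to --cert and --key.
//
// args[0] is the username the certificate is issued for; it is not checked
// for emptiness here. keySize is passed through without any check in this
// file; NOTE(review): confirm security.RunCreateClientCert enforces a
// minimum key size.
func runCreateClientCert(cmd *cobra.Command, args []string) error {
	// Exactly one positional argument (the username) is accepted.
	if len(args) != 1 {
		mustUsage(cmd)
		return errMissingParams
	}
	if len(baseCtx.SSLCA) == 0 || len(baseCtx.SSLCAKey) == 0 ||
		len(baseCtx.SSLCert) == 0 || len(baseCtx.SSLCertKey) == 0 {
		mustUsage(cmd)
		return errMissingParams
	}
	if err := security.RunCreateClientCert(baseCtx.SSLCA, baseCtx.SSLCAKey,
		baseCtx.SSLCert, baseCtx.SSLCertKey, keySize, args[0]); err != nil {
		// Message previously read "clent certificate".
		return fmt.Errorf("failed to generate client certificate: %s", err)
	}
	return nil
}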
// certCmds lists the subcommands that init registers under certCmd.
var certCmds = []*cobra.Command{createCACertCmd, createNodeCertCmd, createClientCertCmd}
// certCmd is the parent "cert" command. Running it without a subcommand only
// calls mustUsage; the actual work lives in the subcommands listed in
// certCmds.
var certCmd = &cobra.Command{
	Use:   "cert",
	Short: "create ca, node, and client certs",
	Run: func(cmd *cobra.Command, _ []string) {
		mustUsage(cmd)
	},
}
// init attaches each create-* subcommand in certCmds to the parent certCmd.
func init() {
	for _, sub := range certCmds {
		certCmd.AddCommand(sub)
	}
}