Add import subcommand to import certificates.

This also supports inserting a bundle of certificates as a given
release.

.travis.yml

@@ -6,11 +6,8 @@ go:
   - 1.6
 before_script:
   - go get -u github.com/golang/lint/golint
-script: 
-  - go get github.com/cloudflare/cfssl_trust/...
-  - go test -cover github.com/cloudflare/cfssl_trust/...
-  - go vet github.com/cloudflare/cfssl_trust/...
-  - golint github.com/cloudflare/cfssl_trust/...
+script:
+  - ./test.sh
 notifications:
   email:
     recipients:

cli/import.go

@@ -0,0 +1,102 @@
+package cli
+
+import (
+	"crypto/x509"
+	"database/sql"
+	"fmt"
+	"io/ioutil"
+	"os"
+
+	"github.com/cloudflare/cfssl/helpers"
+	"github.com/cloudflare/cfssl_trust/model/certdb"
+	_ "github.com/mattn/go-sqlite3"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+var importCmd = &cobra.Command{
+	Use:   "import",
+	Short: "Import certificates into the database.",
+	Long:  "Import certificates into the database, marking them under a release as needed.",
+	Run:   importer,
+}
+
+func init() {
+	RootCmd.AddCommand(importCmd)
+}
+
+func importCertificate(db *sql.DB, cert *x509.Certificate, rel *certdb.Release) error {
+	fmt.Printf("- importing serial %s AKI %x\n", cert.SerialNumber, cert.AuthorityKeyId)
+	c := certdb.NewCertificate(cert)
+	err := certdb.Ensure(c, db)
+	if err != nil {
+		return err
+	}
+
+	aia := certdb.NewAIA(c)
+	if aia != nil {
+		err = certdb.Ensure(aia, db)
+		if err != nil {
+			return err
+		}
+	}
+
+	// The rest of the function deals with inserting the
+	// certificate into the relevant release table. The assumption
+	// here is that the release exists in the DB.
+	if rel == nil {
+		return nil
+	}
+
+	cr := certdb.NewCertificateRelease(c, rel)
+	return certdb.Ensure(cr, db)
+
+}
+
+func importer(cmd *cobra.Command, args []string) {
+	dbPath := viper.GetString("database.path")
+	db, err := sql.Open("sqlite3", dbPath)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "[!] %s\n", err)
+		os.Exit(1)
+	}
+
+	var rel *certdb.Release
+	if bundleRelease != "" {
+		rel, err = certdb.NewRelease(bundle, bundleRelease)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "[!] %s\n", err)
+			os.Exit(1)
+		}
+
+		err = certdb.Ensure(rel, db)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "[!] %s\n", err)
+			os.Exit(1)
+		}
+	}
+
+	for _, path := range args {
+		fileContents, err := ioutil.ReadFile(path)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "[!] %s\n", err)
+			os.Exit(1)
+		}
+
+		certs, err := helpers.ParseCertificatesPEM(fileContents)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "[!] %s\n", err)
+			os.Exit(1)
+		}
+
+		for _, x509Cert := range certs {
+			err := importCertificate(db, x509Cert, rel)
+			if err != nil {
+				fmt.Fprintf(os.Stderr, "[!] %s\n", err)
+				os.Exit(1)
+			}
+		}
+	}
+
+	db.Close()
+}

cli/root.go

@@ -7,13 +7,16 @@ import (
 
 	"github.com/cloudflare/cfssl/log"
 	"github.com/cloudflare/cfssl_trust/config"
+	"github.com/cloudflare/cfssl_trust/release"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 
 var (
-	cfgFile string
-	dbFile  string
+	cfgFile       string
+	dbFile        string
+	bundle        string
+	bundleRelease string
 )
 
 func root(cmd *cobra.Command, args []string) {
@@ -42,8 +45,10 @@ func Execute() {
 func init() {
 	cobra.OnInitialize(initConfig)
 
+	RootCmd.PersistentFlags().StringVarP(&bundle, "bundle", "b", "int", "select a bundle (ca or int)")
 	RootCmd.PersistentFlags().StringVarP(&cfgFile, "config", "f", "", "config file (default is /etc/cfssl/cfssl.yaml)")
 	RootCmd.PersistentFlags().StringVarP(&dbFile, "db", "d", "", "path to trust database")
+	RootCmd.PersistentFlags().StringVarP(&bundleRelease, "release", "r", "", "select a release")
 
 	viper.BindPFlag("database.path", RootCmd.PersistentFlags().Lookup("db"))
 }
@@ -68,4 +73,14 @@ func initConfig() {
 	if err == nil {
 		log.Info("cfssl-trust: loading from config file ", viper.ConfigFileUsed())
 	}
+
+	if bundleRelease != "" {
+		rel, err := release.Parse(bundleRelease)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "[!] Invalid release '%s'.\n", bundleRelease)
+			fmt.Fprintf(os.Stderr, "\tReason: %s\n", err)
+			os.Exit(1)
+		}
+		fmt.Println("selected release", rel)
+	}
 }

debian/rules

@@ -1,7 +1,10 @@
 #!/usr/bin/make -f
 
+export DH_OPTIONS
 export DH_GOPKG := github.com/cloudflare/cfssl_trust/cmd/cfssl-trust
 
 %:
+	# go get github.com/Masterminds/glide
+	# glide i
 	dh $@ --buildsystem=golang --with=golang
 

glide.yaml

@@ -10,3 +10,9 @@ import:
   subpackages:
   - migrate
   - driver/sqlite3
+- package: golang.org/x/net
+  subpackages:
+  - context
+- package: golang.org/x/tools
+  subpackages:
+  - go/buildutil

model/1485991500_revision_1.up.sql

@@ -29,7 +29,7 @@ INSERT INTO schema_version (revision, created_at)
 CREATE TABLE IF NOT EXISTS certificates (
 	ski		TEXT NOT NULL,
 	aki		TEXT NOT NULL,
-	serial		INTEGER NOT NULL,
+	serial		BLOB NOT NULL,
 	not_before	INTEGER NOT NULL,
 	not_after	INTEGER NOT NULL,
 	raw		BLOB NOT NULL,
@@ -67,7 +67,7 @@ CREATE TABLE IF NOT EXISTS revocations (
 -- The roots table is a list of root certificates.
 CREATE TABLE IF NOT EXISTS roots (
 	ski		TEXT NOT NULL,
-	serial		INTEGER NOT NULL,
+	serial		BLOB NOT NULL,
 	release		TEXT NOT NULL,
 	UNIQUE (ski, serial, release)
 	FOREIGN KEY (ski) REFERENCES certificates(ski),
@@ -78,14 +78,14 @@ CREATE TABLE IF NOT EXISTS roots (
 -- The root_releases contains metadata about a given root bundle
 -- release, facilitating deterministic bundle rebuilds.
 CREATE TABLE IF NOT EXISTS root_releases (
-	version		TEXT NOT NULL,
-	released_at	INTEGER NOT NULL
+	version		TEXT PRIMARY KEY,
+	released_at	INTEGER UNIQUE NOT NULL
 );
 
 -- The intermediates table is a list of root intermediates.
 CREATE TABLE IF NOT EXISTS intermediates (
 	ski		TEXT NOT NULL,
-	serial		INTEGER NOT NULL,
+	serial		BLOB NOT NULL,
 	release		TEXT NOT NULL,
 	UNIQUE (ski, serial, release)
 	FOREIGN KEY (ski) REFERENCES certificates(ski),
@@ -96,6 +96,6 @@ CREATE TABLE IF NOT EXISTS intermediates (
 -- intermediate bundle release, facilitating deterministic bundle
 -- rebuilds.
 CREATE TABLE IF NOT EXISTS intermediate_releases (
-	version		TEXT NOT NULL,
-	released_at	INTEGER NOT NULL
+	version		TEXT PRIMARY KEY,
+	released_at	INTEGER UNIQUE NOT NULL
 );