package main
import (
"encoding/json"
"fmt"
"github.com/cloudflare/cfssl/api/client"
"github.com/cloudflare/cfssl/config"
"github.com/cloudflare/cfssl/csr"
"github.com/cloudflare/cfssl/initca"
"github.com/cloudflare/cfssl/log"
"github.com/cloudflare/cfssl/signer"
)
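// gencertUsageText is the help text for `cfssl gencert`. It ends at "Flags:"
// so that the per-flag usage can be printed after it (that printing is not
// done in this file).
var gencertUsageText = `cfssl gencert -- generate a new key and signed certificate

Usage of gencert:
        cfssl gencert [-initca] CSRJSON
        cfssl gencert [-remote remote_server] HOSTNAME CSRJSON
        cfssl gencert [-ca cert] [-ca-key key] HOSTNAME CSRJSON

Arguments:
        HOSTNAME:   Hostname for the cert
        CSRJSON:    JSON file containing the request

HOSTNAME should not be included when initialising a new CA.

Flags:
`

// gencertFlags lists the flag names this command accepts. The flags themselves
// (types, defaults, help strings) are defined elsewhere, not in this file.
var gencertFlags = []string{"initca", "remote", "ca", "ca-key", "f"}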
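// gencertMain implements `cfssl gencert`. It reads a certificate request
// description (JSON, decoded into a csr.CertificateRequest) from the CSRJSON
// argument and then does one of three things, selected by the global Config:
//
//   - -initca: build a self-signed CA certificate and key (initca.New);
//   - -remote: generate a key and CSR here and have the remote server sign it;
//   - otherwise: generate a key and CSR and sign it with -ca / -ca-key.
//
// Unless -initca is set, the first positional argument is the hostname for the
// certificate (skipped when Config.hostname was already set by a flag). The
// result, including the private key, is printed to stdout by printCert, so the
// command's output must be handled as secret material.
//
// Every failure is returned to the caller; the missing -ca/-ca-key cases also
// log a hint about which flag to provide.
func gencertMain(args []string) (err error) {
	if Config.hostname == "" && !Config.isCA {
		Config.hostname, args, err = popFirstArgument(args)
		if err != nil {
			return err
		}
	}

	// Positional arguments after the request file are ignored, as before.
	csrFile, _, err := popFirstArgument(args)
	if err != nil {
		return err
	}

	req, err := loadCertificateRequest(csrFile)
	if err != nil {
		return err
	}

	switch {
	case Config.isCA:
		return gencertInitCA(&req)
	case Config.remote != "":
		return gencertRemotely(req)
	default:
		return gencertLocally(req)
	}
}

// loadCertificateRequest reads the request description at path through
// readStdin and decodes it as JSON into a csr.CertificateRequest.
func loadCertificateRequest(path string) (csr.CertificateRequest, error) {
	var req csr.CertificateRequest
	data, err := readStdin(path)
	if err != nil {
		return req, err
	}
	err = json.Unmarshal(data, &req)
	if err != nil {
		return req, err
	}
	return req, nil
}

// gencertInitCA creates a self-signed CA certificate and key for req and
// prints them. No CSR is printed: initca.New produces none.
func gencertInitCA(req *csr.CertificateRequest) error {
	cert, key, err := initca.New(req)
	if err != nil {
		return err
	}
	printCert(key, nil, cert)
	return nil
}

// gencertLocally generates a key and CSR for req and signs the CSR with the CA
// certificate and key named by -ca and -ca-key. The signing policy comes from
// the loaded config when there is one; otherwise policy stays nil and
// signer.NewSigner falls back to its default configuration.
//
// A missing -ca or -ca-key is an error: previously these paths logged a hint
// and returned nil, so the process reported success without producing a
// certificate. The log line is kept as the user-facing hint.
func gencertLocally(req csr.CertificateRequest) error {
	if Config.caFile == "" {
		log.Error("cannot sign certificate without a CA certificate (provide one with -ca)")
		return fmt.Errorf("missing CA certificate (-ca)")
	}
	if Config.caKeyFile == "" {
		log.Error("cannot sign certificate without a CA key (provide one with -ca-key)")
		return fmt.Errorf("missing CA key (-ca-key)")
	}

	var policy *config.Signing
	if Config.cfg != nil {
		policy = Config.cfg.Signing
	}

	g := &csr.Generator{Validator: validator}
	csrPEM, key, err := g.ProcessRequest(&req)
	if err != nil {
		return err
	}

	sign, err := signer.NewSigner(Config.caFile, Config.caKeyFile, policy)
	if err != nil {
		return err
	}
	cert, err := sign.Sign(Config.hostname, csrPEM, Config.profile)
	if err != nil {
		return err
	}

	printCert(key, csrPEM, cert)
	return nil
}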
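// printCert writes the generated material to stdout as one JSON object with
// the keys "cert" and "key", plus "csr" when csrPEM is non-nil. Each value is
// the PEM text as a string.
//
// The private key is part of this output in the clear, so stdout should be
// treated as sensitive (redirected to a file with restricted permissions, not
// captured in logs or shell history).
//
// The json.Marshal error is returned instead of being dropped; nothing is
// written in that case. Existing callers may keep ignoring the result, so the
// change is compatible with the previous signature.
func printCert(key, csrPEM, cert []byte) error {
	out := map[string]string{
		"cert": string(cert),
		"key":  string(key),
	}
	if csrPEM != nil {
		out["csr"] = string(csrPEM)
	}

	jsonOut, err := json.Marshal(out)
	if err != nil {
		return err
	}
	fmt.Printf("%s\n", jsonOut)
	return nil
}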
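// gencertRemotely generates a key and CSR for req in this process and asks the
// CFSSL server named by -remote to sign the CSR for Config.hostname with
// Config.profile. Only the CSR, hostname and profile are sent; the private key
// stays local and is printed together with the CSR and the returned
// certificate. Whether the connection to the remote is authenticated or
// encrypted is decided by client.NewServer and is not visible here.
func gencertRemotely(req csr.CertificateRequest) error {
	srv := client.NewServer(Config.remote)

	g := &csr.Generator{Validator: validator}
	csrPEM, key, err := g.ProcessRequest(&req)
	if err != nil {
		return err
	}

	cert, err := srv.Sign(Config.hostname, csrPEM, Config.profile)
	if err != nil {
		return err
	}

	printCert(key, csrPEM, cert)
	return nil
}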
// CLIGenCert is the `gencert` subcommand: its usage text, the flag names it
// accepts and its entry point gencertMain.
var CLIGenCert = &Command{gencertUsageText, gencertFlags, gencertMain}