-
Notifications
You must be signed in to change notification settings - Fork 124
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add CA Database, switch serial file to text, add CA-Private Key parameter #8
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I mentioned a few nits that I'd like addressed,but overall I'm happy to accept this PR.
Thanks for all the work!
Would you be interested in adding a test to ensure that the format of the index.txt
file is not mistakenly changed at some point in the future?
@@ -46,6 +46,7 @@ func main() { | |||
flVersion = flag.Bool("version", false, "prints version information") | |||
flPort = flag.String("port", envString("SCEP_HTTP_LISTEN_PORT", "8080"), "port to listen on") | |||
flDepotPath = flag.String("depot", envString("SCEP_FILE_DEPOT", "depot"), "path to ca folder") | |||
flCAPass = flag.String("capass", envString("SCEP_CA_PASS", ""), "passwd for the ca.key") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm fine with this, but have you considered the case where the key is not a string?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No :-| Lets move this into a TODO. Currently i don't see how to hand this over via command line (unless you use SCEP_CA_PASS? not sure here though)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, we can add a flag if it becomes a necessity :)
r := bufio.NewReader(file) | ||
// is there a better way?? | ||
data, err := r.ReadString('\r') | ||
data = strings.TrimSuffix(data ,"\r") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The bytes package provides equivalent methods for working with bytes.
https://golang.org/pkg/bytes/
See this excellent blog post about using either package https://medium.com/@benbjohnson/go-walkthrough-bytes-strings-packages-499be9f4b5bd#.mpo4ze804
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i was just wondering if ReadString('\n') or an equivalent function could not directly remove newlines as supposed but did not find a solution. i guess this is a slightly clumsy but working version we could live with
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 removing comment
data, err := r.ReadString('\r') | ||
data = strings.TrimSuffix(data ,"\r") | ||
data = strings.TrimSuffix(data ,"\n") | ||
if err != nil && err != io.EOF { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you move the error checking right under the data, err :=
line?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
return nil, err | ||
} | ||
serial, success := s.SetString(data,16) | ||
if success != true { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if !success {
is clearer
You can also shorten things here with
serial, ok := s.SetString...
if !ok {
// handle false
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
} | ||
serial, success := s.SetString(data,16) | ||
if success != true { | ||
return nil, errors.New("Could not convert "+string(data)+" to serial number") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
error strings should not be capitalized
https://github.com/golang/go/wiki/CodeReviewComments#error-strings
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
|
||
file, err := os.OpenFile(name, os.O_CREATE | os.O_RDWR | os.O_APPEND, dbPerm) | ||
if err != nil { | ||
fmt.Printf("Could not append to "+name+" : %q\n", err.Error()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you'd like to annotate the error, consider using fmt.Errorf
instead.
https://golang.org/pkg/fmt/#Errorf
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
dbEntry.WriteString("\n") | ||
|
||
if _, err := file.Write(dbEntry.Bytes()); err != nil { | ||
file.Close() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
by adding defer file.Close()
above you're already ensuring that the file will be closed.
I see that I made the same mistake below :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 was a nasty copy from writeSerial()
writing a test for now exceeds my 2 days old GoLang knowledge (and also my currently available time). please accept the PR without this but all issues above fixed. Meanwhile i added another small feature we need, the validity of a client certificate can now be set via -crtvalid flag in the scep-server. please review and merge if you like it... |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for addressing the changes.
Please set a default duration for validity and I will merge.
@@ -146,7 +145,7 @@ func (d fileDepot) writeDB(cn string, serial *big.Int, filename string, cert *x5 | |||
|
|||
file, err := os.OpenFile(name, os.O_CREATE | os.O_RDWR | os.O_APPEND, dbPerm) | |||
if err != nil { | |||
fmt.Printf("Could not append to "+name+" : %q\n", err.Error()) | |||
fmt.Errorf("could not append to "+name+" : %q\n", err.Error()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
notice fmt.Errorf
returns an error. so here just change it to
return fmt.Errorf("could not append to "+name+" : %q\n", err.Error())
@@ -46,6 +46,7 @@ func main() { | |||
flVersion = flag.Bool("version", false, "prints version information") | |||
flPort = flag.String("port", envString("SCEP_HTTP_LISTEN_PORT", "8080"), "port to listen on") | |||
flDepotPath = flag.String("depot", envString("SCEP_FILE_DEPOT", "depot"), "path to ca folder") | |||
flCAPass = flag.String("capass", envString("SCEP_CA_PASS", ""), "passwd for the ca.key") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, we can add a flag if it becomes a necessity :)
@@ -162,6 +163,14 @@ func CAKeyPassword(pw []byte) ServiceOption { | |||
} | |||
} | |||
|
|||
// optional argument to set the validity of signed client certs in days |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The comment should start with // ClientValidity sets the ....
The name of the function should come first as per the linter.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the capass flag was necessary because without any password on the ca.key file the enroll process fails... do you know what is the default value in the sign function? maybe "" or sth. strange? or do you know what is the default ca.key password when using scepserver ca -init?
// optional argument to set the validity of signed client certs in days | ||
func ClientValidity(duration int) ServiceOption { | ||
return func(s *service) error { | ||
s.clientValidity = duration |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is an optional argument, but it defaults to 0
if not set. That does not seem like a good default.
Please change the opts inside NewService
so that a default time other than 0
is used. I'll leave it up to you to decide what a good option should be.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
isnt
flClDuration = flag.String("crtvalid", envString("SCEP_CERT_VALID", "365"), "validity for new client certificates in days")
setting the default?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see, you're using 365
as a default for the flag. That works
Update README.md and setup CI
The patch allows us to :