add CA Database, switch serial file to text, add CA-Private Key parameter #8
Conversation
| @@ -46,6 +46,7 @@ func main() { | |||
| flVersion = flag.Bool("version", false, "prints version information") | |||
| flPort = flag.String("port", envString("SCEP_HTTP_LISTEN_PORT", "8080"), "port to listen on") | |||
| flDepotPath = flag.String("depot", envString("SCEP_FILE_DEPOT", "depot"), "path to ca folder") | |||
| flCAPass = flag.String("capass", envString("SCEP_CA_PASS", ""), "passwd for the ca.key") | |||
There was a problem hiding this comment.
I'm fine with this, but have you considered the case where the key is not a string?
There was a problem hiding this comment.
No :-| Lets move this into a TODO. Currently i don't see how to hand this over via command line (unless you use SCEP_CA_PASS? not sure here though)
There was a problem hiding this comment.
yeah, we can add a flag if it becomes a necessity :)
| r := bufio.NewReader(file) | ||
| // is there a better way?? | ||
| data, err := r.ReadString('\r') | ||
| data = strings.TrimSuffix(data ,"\r") |
There was a problem hiding this comment.
The bytes package provides equivalent methods for working with bytes.
https://golang.org/pkg/bytes/
See this excellent blog post about using either package https://medium.com/@benbjohnson/go-walkthrough-bytes-strings-packages-499be9f4b5bd#.mpo4ze804
There was a problem hiding this comment.
i was just wondering if ReadString('\n') or an equivalent function could not directly remove newlines as supposed but did not find a solution. i guess this is a slightly clumsy but working version we could live with
There was a problem hiding this comment.
👍 removing comment
| data, err := r.ReadString('\r') | ||
| data = strings.TrimSuffix(data ,"\r") | ||
| data = strings.TrimSuffix(data ,"\n") | ||
| if err != nil && err != io.EOF { |
There was a problem hiding this comment.
Can you move the error checking right under the data, err := line?
| return nil, err | ||
| } | ||
| serial, success := s.SetString(data,16) | ||
| if success != true { |
There was a problem hiding this comment.
if !success { is clearer
You can also shorten things here with
serial, ok := s.SetString...
if !ok {
// handle false
}
| } | ||
| serial, success := s.SetString(data,16) | ||
| if success != true { | ||
| return nil, errors.New("Could not convert "+string(data)+" to serial number") |
There was a problem hiding this comment.
error strings should not be capitalized
https://github.com/golang/go/wiki/CodeReviewComments#error-strings
|
|
||
| file, err := os.OpenFile(name, os.O_CREATE | os.O_RDWR | os.O_APPEND, dbPerm) | ||
| if err != nil { | ||
| fmt.Printf("Could not append to "+name+" : %q\n", err.Error()) |
There was a problem hiding this comment.
If you'd like to annotate the error, consider using fmt.Errorf instead.
https://golang.org/pkg/fmt/#Errorf
| dbEntry.WriteString("\n") | ||
|
|
||
| if _, err := file.Write(dbEntry.Bytes()); err != nil { | ||
| file.Close() |
There was a problem hiding this comment.
by adding defer file.Close() above you're already ensuring that the file will be closed.
I see that I made the same mistake below :)
There was a problem hiding this comment.
👍 was a nasty copy from writeSerial()
|
writing a test for now exceeds my 2 days old GoLang knowledge (and also my currently available time). please accept the PR without this but all issues above fixed. Meanwhile i added another small feature we need, the validity of a client certificate can now be set via -crtvalid flag in the scep-server. please review and merge if you like it... |
| @@ -146,7 +145,7 @@ func (d fileDepot) writeDB(cn string, serial *big.Int, filename string, cert *x5 | |||
|
|
|||
| file, err := os.OpenFile(name, os.O_CREATE | os.O_RDWR | os.O_APPEND, dbPerm) | |||
| if err != nil { | |||
| fmt.Printf("Could not append to "+name+" : %q\n", err.Error()) | |||
| fmt.Errorf("could not append to "+name+" : %q\n", err.Error()) | |||
There was a problem hiding this comment.
notice fmt.Errorf returns an error. so here just change it to
return fmt.Errorf("could not append to "+name+" : %q\n", err.Error())
| @@ -46,6 +46,7 @@ func main() { | |||
| flVersion = flag.Bool("version", false, "prints version information") | |||
| flPort = flag.String("port", envString("SCEP_HTTP_LISTEN_PORT", "8080"), "port to listen on") | |||
| flDepotPath = flag.String("depot", envString("SCEP_FILE_DEPOT", "depot"), "path to ca folder") | |||
| flCAPass = flag.String("capass", envString("SCEP_CA_PASS", ""), "passwd for the ca.key") | |||
There was a problem hiding this comment.
yeah, we can add a flag if it becomes a necessity :)
| @@ -162,6 +163,14 @@ func CAKeyPassword(pw []byte) ServiceOption { | |||
| } | |||
| } | |||
|
|
|||
| // optional argument to set the validity of signed client certs in days | |||
There was a problem hiding this comment.
The comment should start with // ClientValidity sets the .... The name of the function should come first as per the linter.
There was a problem hiding this comment.
the capass flag was necessary because without any password on the ca.key file the enroll process fails... do you know what is the default value in the sign function? maybe "" or sth. strange? or do you know what is the default ca.key password when using scepserver ca -init?
| // optional argument to set the validity of signed client certs in days | ||
| func ClientValidity(duration int) ServiceOption { | ||
| return func(s *service) error { | ||
| s.clientValidity = duration |
There was a problem hiding this comment.
This is an optional argument, but it defaults to 0 if not set. That does not seem like a good default.
Please change the opts inside NewService so that a default time other than 0 is used. I'll leave it up to you to decide what a good option should be.
There was a problem hiding this comment.
isnt
flClDuration = flag.String("crtvalid", envString("SCEP_CERT_VALID", "365"), "validity for new client certificates in days") setting the default?
There was a problem hiding this comment.
I see, you're using 365 as a default for the flag. That works
Update README.md and setup CI
The patch allows us to :