Beispiel #1
0
func caImport(argv map[string]interface{}) (err error) {
	name := ArgString(argv["<name>"], nil)
	inTags := ArgString(argv["--tags"], nil)

	certFile := ArgString(argv["<cert>"], nil)
	keyFile := ArgString(argv["<privateKey>"], "")

	certExpiry := ArgInt(argv["--cert-expiry"], 90)

	dnLocality := ArgString(argv["--dn-l"], "")
	dnState := ArgString(argv["--dn-st"], "")
	dnOrg := ArgString(argv["--dn-o"], "")
	dnOrgUnit := ArgString(argv["--dn-ou"], "")
	dnCountry := ArgString(argv["--dn-c"], "")
	dnStreet := ArgString(argv["--dn-street"], "")
	dnPostal := ArgString(argv["--dn-postal"], "")

	logger.Infof("Importing %s as %s", certFile, name)
	app := NewAdminApp()
	app.Load()

	ca, _ := x509.NewCA(nil)
	ca.Data.Body.Name = name

	if dnLocality != "" {
		ca.Data.Body.DNScope.Locality = dnLocality
	}
	if dnState != "" {
		ca.Data.Body.DNScope.Province = dnState
	}
	if dnOrg != "" {
		ca.Data.Body.DNScope.Organization = dnOrg
	}
	if dnOrgUnit != "" {
		ca.Data.Body.DNScope.OrganizationalUnit = dnOrgUnit
	}
	if dnCountry != "" {
		ca.Data.Body.DNScope.Country = dnCountry
	}
	if dnStreet != "" {
		ca.Data.Body.DNScope.StreetAddress = dnStreet
	}
	if dnPostal != "" {
		ca.Data.Body.DNScope.PostalCode = dnPostal
	}

	ok, err := fs.Exists(certFile)
	checkAppFatal("Could not check file existence for %s: %s", certFile, err)
	if !ok {
		checkUserFatal("File does not exist: %s", certFile)
	}
	certPem, err := fs.ReadFile(certFile)

	cert, err := x509.PemDecodeX509Certificate([]byte(certPem))
	checkUserFatal("Not a valid certificate PEM for %s: %s", certFile, err)
	// TODO - consider converting cert back to pem to use for consistency

	// We generate a random ID instead of using the serial number because we
	// don't control the serial
	ca.Data.Body.Id = NewID()
	ca.Data.Body.Certificate = certPem
	ca.Data.Body.CertExpiry = certExpiry
	caExpiry := int(cert.NotAfter.Sub(cert.NotBefore) / (time.Hour * 24))
	ca.Data.Body.CAExpiry = caExpiry

	if keyFile != "" {
		ok, err = fs.Exists(keyFile)
		checkAppFatal("Could not check file existence for %s: %s", keyFile, err)
		if !ok {
			checkUserFatal("File does not exist: %s", keyFile)
		}
		keyPem, err := fs.ReadFile(keyFile)

		key, err := crypto.PemDecodePrivate([]byte(keyPem))
		checkUserFatal("Not a valid private key PEM for %s: %s", keyFile, err)
		// TODO - consider converting key back to pem to use for consistency

		keyType, err := crypto.GetKeyType(key)
		checkUserFatal("Unknow private key file for %s: %s", keyFile, err)

		ca.Data.Body.KeyType = string(keyType)
		ca.Data.Body.PrivateKey = keyPem
	}

	logger.Info("Saving CA")
	caContainer, err := app.entities.org.EncryptThenSignString(ca.Dump(), nil)
	checkAppFatal("Could not encrypt CA: %s", err)

	err = app.fs.api.Authenticate(app.entities.org.Data.Body.Id, "")
	checkAppFatal("Could not authenticate to API as Org: %s", err)

	err = app.fs.api.StorePrivate(ca.Data.Body.Id, caContainer.Dump())
	checkAppFatal("Could not save CA: %s", err)

	logger.Info("Updating index")
	app.LoadOrgIndex()
	app.index.org.AddCA(ca.Data.Body.Name, ca.Data.Body.Id)
	app.index.org.AddCATags(ca.Data.Body.Id, ParseTags(inTags))
	app.SaveOrgIndex()

	return nil
}
Beispiel #2
0
func (cont *CertificateController) Update(params *CertificateParams) error {
	logger.Debug("updating certificate")
	logger.Tracef("received params: %s", params)

	if err := params.ValidateName(true); err != nil {
		return err
	}

	if err := cont.env.LoadAdminEnv(); err != nil {
		return err
	}

	index, err := cont.env.controllers.org.GetIndex()
	if err != nil {
		return err
	}

	certId, err := index.GetCert(*params.Name)
	if err != nil {
		return err
	}

	cert, err := cont.GetCert(certId)
	if err != nil {
		return err
	}

	if *params.CertFile != "" {
		ok, err := fs.Exists(*params.CertFile)
		if err != nil {
			return err
		}
		if !ok {
			logger.Warnf("certificate file '%s' does not exist", *params.CertFile)
			return nil
		}

		logger.Debugf("reading certificate file '%s'", *params.CertFile)

		certPem, err := fs.ReadFile(*params.CertFile)
		if err != nil {
			return err
		}

		// TODO - better validation of pem
		logger.Debug("decoding certificate file PEM")
		_, err = x509.PemDecodeX509Certificate([]byte(certPem))
		if err != nil {
			return err
		}

		cert.Data.Body.Certificate = certPem
	}

	if *params.KeyFile != "" {
		ok, err := fs.Exists(*params.KeyFile)
		if err != nil {
			return err
		}
		if !ok {
			logger.Warnf("key file '%s' does not exist", *params.KeyFile)
			return nil
		}

		logger.Debugf("reading key file '%s'", *params.KeyFile)

		keyPem, err := fs.ReadFile(*params.KeyFile)
		if err != nil {
			return err
		}

		logger.Debug("decoding key file PEM")
		key, err := crypto.PemDecodePrivate([]byte(keyPem))
		if err != nil {
			return err
		}

		logger.Debug("getting key type")
		keyType, err := crypto.GetKeyType(key)
		if err != nil {
			return err
		}

		cert.Data.Body.KeyType = string(keyType)
		cert.Data.Body.PrivateKey = keyPem
	}

	if *params.Tags != "" {
		cont.ResetCertTags(certId, *params.Tags)
	}

	err = cont.SaveCert(cert)
	if err != nil {
		return err
	}

	logger.Trace("returning nil error")
	return nil
}
Beispiel #3
0
func (cont *CAController) Update(params *CAParams) error {
	logger.Debug("updating CA")
	logger.Trace("received params [NOT LOGGED]")

	if err := params.ValidateName(true); err != nil {
		return err
	}

	if err := cont.env.LoadAdminEnv(); err != nil {
		return err
	}

	index, err := cont.env.controllers.org.GetIndex()
	if err != nil {
		return err
	}

	caId, err := index.GetCA(*params.Name)
	if err != nil {
		return err
	}

	ca, err := cont.GetCA(caId)
	if err != nil {
		return err
	}

	if *params.CertFile != "" {
		ok, err := fs.Exists(*params.CertFile)
		if err != nil {
			return err
		}
		if !ok {
			logger.Warnf("certificate file '%s' does not exist", *params.CertFile)
			return nil
		}

		logger.Debugf("reading certificate file '%s'", *params.CertFile)
		certPem, err := fs.ReadFile(*params.CertFile)
		if err != nil {
			return err
		}

		// TODO - better validation of pem
		logger.Debug("decoding certificate file PEM")
		_, err = x509.PemDecodeX509Certificate([]byte(certPem))
		if err != nil {
			return err
		}

		logger.Trace("setting certificate")
		ca.Data.Body.Certificate = certPem
	}

	if *params.KeyFile != "" {
		ok, err := fs.Exists(*params.KeyFile)
		if err != nil {
			return err
		}
		if !ok {
			logger.Warnf("key file '%s' does not exist", *params.KeyFile)
			return nil
		}

		logger.Debugf("seading key file '%s'", *params.KeyFile)
		keyPem, err := fs.ReadFile(*params.KeyFile)
		if err != nil {
			return err
		}

		// TODO - better validation of pem
		logger.Debug("decoding key file PEM")
		key, err := crypto.PemDecodePrivate([]byte(keyPem))
		if err != nil {
			return err
		}

		logger.Debug("getting key type")
		keyType, err := crypto.GetKeyType(key)
		if err != nil {
			return err
		}

		ca.Data.Body.KeyType = string(keyType)
		ca.Data.Body.PrivateKey = keyPem
	}

	if *params.Tags != "" {
		cont.ResetCATags(caId, *params.Tags)
	}

	if *params.CaExpiry != 0 {
		logger.Tracef("setting CA expiry to %d", *params.CaExpiry)
		ca.Data.Body.CAExpiry = *params.CaExpiry
	}

	if *params.CertExpiry != 0 {
		logger.Tracef("setting certificate expiry to %d", *params.CertExpiry)
		ca.Data.Body.CertExpiry = *params.CertExpiry
	}

	if *params.DnLocality != "" {
		logger.Tracef("setting DN locality to %s", *params.DnLocality)
		ca.Data.Body.DNScope.Locality = *params.DnLocality
	}

	if *params.DnState != "" {
		logger.Tracef("setting DN state to %s", *params.DnState)
		ca.Data.Body.DNScope.Province = *params.DnState
	}

	if *params.DnOrg != "" {
		logger.Tracef("setting DN organisation to %s", *params.DnOrg)
		ca.Data.Body.DNScope.Organization = *params.DnOrg
	}

	if *params.DnOrgUnit != "" {
		logger.Tracef("setting DN organisational unit to %s", *params.DnOrgUnit)
		ca.Data.Body.DNScope.OrganizationalUnit = *params.DnOrgUnit
	}

	if *params.DnCountry != "" {
		logger.Tracef("setting DN country to %s", *params.DnCountry)
		ca.Data.Body.DNScope.Country = *params.DnCountry
	}

	if *params.DnStreet != "" {
		logger.Tracef("setting DN street address to %s", *params.DnStreet)
		ca.Data.Body.DNScope.StreetAddress = *params.DnStreet
	}

	if *params.DnPostal != "" {
		logger.Tracef("setting DN postal code to %s", *params.DnPostal)
		ca.Data.Body.DNScope.PostalCode = *params.DnPostal
	}

	err = cont.SaveCA(ca)
	if err != nil {
		return err
	}

	logger.Trace("returning nil error")
	return nil
}
Beispiel #4
0
func (cont *CertificateController) New(params *CertificateParams) (*x509.Certificate, *x509.CA, error) {
	logger.Debug("creating new certificate")
	logger.Tracef("received params: %s", params)

	if err := params.ValidateName(true); err != nil {
		return nil, nil, err
	}

	if err := cont.env.LoadAdminEnv(); err != nil {
		return nil, nil, err
	}

	// TODO - This should really be in a certificate function
	subject := pkix.Name{CommonName: *params.Name}

	if *params.DnLocality != "" {
		subject.Locality = []string{*params.DnLocality}
	}
	if *params.DnState != "" {
		subject.Province = []string{*params.DnState}
	}
	if *params.DnOrg != "" {
		subject.Organization = []string{*params.DnOrg}
	}
	if *params.DnOrgUnit != "" {
		subject.OrganizationalUnit = []string{*params.DnOrgUnit}
	}
	if *params.DnCountry != "" {
		subject.Country = []string{*params.DnCountry}
	}
	if *params.DnStreet != "" {
		subject.StreetAddress = []string{*params.DnStreet}
	}
	if *params.DnPostal != "" {
		subject.PostalCode = []string{*params.DnPostal}
	}

	logger.Debug("creating certificate struct")
	cert, err := x509.NewCertificate(nil)
	if err != nil {
		return nil, nil, err
	}

	cert.Data.Body.Name = *params.Name
	cert.Data.Body.Expiry = *params.Expiry

	var ca *x509.CA

	if *params.CertFile == "" && *params.KeyFile == "" {
		cert.Data.Body.KeyType = *params.KeyType
		logger.Debug("generating certificate and key")
		if *params.Ca == "" {
			if err := cert.Generate(nil, &subject); err != nil {
				return nil, nil, err
			}
		} else {
			index, err := cont.env.controllers.org.GetIndex()
			if err != nil {
				return nil, nil, err
			}

			caId, err := index.GetCA(*params.Ca)
			if err != nil {
				return nil, nil, err
			}

			ca, err = cont.GetCA(caId)
			if err != nil {
				return nil, nil, err
			}

			logger.Debugf("generating certificate and signing with CA '%s'", caId)
			if err := cert.Generate(ca, &subject); err != nil {
				return nil, nil, err
			}
		}
	} else {
		if *params.CertFile == "" {
			return nil, nil, fmt.Errorf("certificate PEM file must be provided if importing")
		}

		logger.Debugf("importing certificate from '%s'", *params.CertFile)
		ok, err := fs.Exists(*params.CertFile)
		if err != nil {
			return nil, nil, err
		}

		if !ok {
			logger.Warnf("certificate file '%s' does not exist", *params.CertFile)
			return nil, nil, nil
		}

		logger.Debug("reading certificate from file")
		certPem, err := fs.ReadFile(*params.CertFile)
		if err != nil {
			return nil, nil, err
		}

		logger.Debug("decoding certificate PEM")
		importCert, err := x509.PemDecodeX509Certificate([]byte(certPem))
		if err != nil {
			return nil, nil, err
		}

		cert.Data.Body.Id = x509.NewID()
		cert.Data.Body.Certificate = certPem
		certExpiry := int(importCert.NotAfter.Sub(importCert.NotBefore) / (time.Hour * 24))
		cert.Data.Body.Expiry = certExpiry

		if *params.KeyFile != "" {
			logger.Debugf("importing certificate privte key from '%s'", *params.KeyFile)
			ok, err := fs.Exists(*params.KeyFile)
			if err != nil {
				return nil, nil, err
			}

			if !ok {
				logger.Warnf("key file '%s' does not exist", *params.KeyFile)
				return nil, nil, nil
			}

			logger.Debug("reading private key file")
			keyPem, err := fs.ReadFile(*params.KeyFile)
			if err != nil {
				return nil, nil, err
			}

			logger.Debug("decoding private key PEM")
			key, err := crypto.PemDecodePrivate([]byte(keyPem))
			if err != nil {
				return nil, nil, err
			}

			logger.Debug("getting key type")
			keyType, err := crypto.GetKeyType(key)
			if err != nil {
				return nil, nil, err
			}

			cert.Data.Body.KeyType = string(keyType)
			cert.Data.Body.PrivateKey = keyPem
		}
	}

	if *params.StandaloneFile == "" {
		err = cont.SaveCert(cert)
		if err != nil {
			return nil, nil, err
		}

		var tags string
		if *params.Tags == "NAME" {
			tags = *params.Name
		} else {
			tags = *params.Tags
		}

		err = cont.AddCertToOrgIndex(cert, tags)
		if err != nil {
			return nil, nil, err
		}
	}

	logger.Trace("returning certificate")
	return cert, ca, nil
}
Beispiel #5
0
func (cont *CAController) New(params *CAParams) (*x509.CA, error) {
	logger.Debug("creating new CA")
	logger.Trace("received params [NOT LOGGED]")

	if err := params.ValidateName(true); err != nil {
		return nil, err
	}

	if err := params.ValidateCAExpiry(true); err != nil {
		return nil, err
	}

	if err := params.ValidateCertExpiry(true); err != nil {
		return nil, err
	}

	if err := params.ValidateKeyType(true); err != nil {
		return nil, err
	}

	if err := cont.env.LoadAdminEnv(); err != nil {
		return nil, err
	}

	logger.Debug("creating CA struct")
	ca, err := x509.NewCA(nil)
	if err != nil {
		return nil, err
	}

	ca.Data.Body.Name = *params.Name
	ca.Data.Body.CAExpiry = *params.CaExpiry
	ca.Data.Body.CertExpiry = *params.CertExpiry
	ca.Data.Body.KeyType = *params.KeyType
	ca.Data.Body.DNScope.Locality = *params.DnLocality
	ca.Data.Body.DNScope.Province = *params.DnState
	ca.Data.Body.DNScope.Organization = *params.DnOrg
	ca.Data.Body.DNScope.OrganizationalUnit = *params.DnOrgUnit
	ca.Data.Body.DNScope.Country = *params.DnCountry
	ca.Data.Body.DNScope.StreetAddress = *params.DnStreet
	ca.Data.Body.DNScope.PostalCode = *params.DnPostal

	if *params.CertFile == "" && *params.KeyFile == "" {
		logger.Debug("generating keys")
		ca.GenerateRoot()
	} else {
		if *params.CertFile == "" {
			return nil, fmt.Errorf("certificate PEM file must be provided if importing")
		}

		ok, err := fs.Exists(*params.CertFile)
		if err != nil {
			return nil, err
		}

		if !ok {
			logger.Warnf("certificate file '%s' does not exist", *params.CertFile)
			return nil, nil
		}

		logger.Debugf("reading certificate PEM file '%s", *params.CertFile)
		certPem, err := fs.ReadFile(*params.CertFile)
		if err != nil {
			return nil, err
		}

		logger.Debug("decoding certificate PEM")
		cert, err := x509.PemDecodeX509Certificate([]byte(certPem))
		if err != nil {
			return nil, err
		}

		ca.Data.Body.Id = x509.NewID()
		ca.Data.Body.Certificate = certPem
		ca.Data.Body.CertExpiry = *params.CertExpiry
		caExpiry := int(cert.NotAfter.Sub(cert.NotBefore) / (time.Hour * 24))
		ca.Data.Body.CAExpiry = caExpiry

		if *params.KeyFile != "" {
			ok, err = fs.Exists(*params.KeyFile)
			if err != nil {
				return nil, err
			}

			if !ok {
				logger.Warnf("key file '%s' does not exist", *params.KeyFile)
				return nil, nil
			}

			logger.Debugf("reading private key PEM file '%s'", *params.KeyFile)
			keyPem, err := fs.ReadFile(*params.KeyFile)
			if err != nil {
				return nil, err
			}

			logger.Debug("decoding private key")
			key, err := crypto.PemDecodePrivate([]byte(keyPem))
			if err != nil {
				return nil, err
			}

			logger.Debug("getting key type")
			keyType, err := crypto.GetKeyType(key)
			if err != nil {
				return nil, err
			}

			ca.Data.Body.KeyType = string(keyType)
			ca.Data.Body.PrivateKey = keyPem
		}
	}

	err = cont.SaveCA(ca)
	if err != nil {
		return nil, err
	}

	err = cont.AddCAToOrgIndex(ca, *params.Tags)
	if err != nil {
		return nil, err
	}

	logger.Trace("returning CA")
	return ca, nil
}