// NewSignHandler generates a new SignHandler using the certificate
// authority private key and certificate to sign certificates. The
// returned handler only accepts POST requests.
func NewSignHandler(caFile, cakeyFile string) (http.Handler, error) {
	// TODO(kyle): add profile loading to API server
	sgn, err := signer.NewSigner(caFile, cakeyFile, nil)
	if err != nil {
		log.Errorf("setting up signer failed: %v", err)
		return nil, err
	}
	handler := &SignHandler{signer: sgn}
	return HttpHandler{handler, "POST"}, nil
}
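// NewCertGeneratorHandler builds a new CertGeneratorHandler that wires the
// provided validator into a csr.Generator and pairs it with a signer backed
// by the CA certificate and private key in caFile and caKeyFile. The
// returned handler only accepts POST requests.
func NewCertGeneratorHandler(validator Validator, caFile, caKeyFile string) (http.Handler, error) {
	log.Info("setting up new generator / signer")
	sgn, err := signer.NewSigner(caFile, caKeyFile, nil)
	if err != nil {
		return nil, err
	}
	cg := &CertGeneratorHandler{
		signer: sgn,
		// Keyed field so go vet does not flag the composite literal of an
		// imported struct type.
		generator: &csr.Generator{Validator: validator},
	}
	return HttpHandler{cg, "POST"}, nil
}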
// createInterCert signs the CSR stored in csrFile with the test CA under the
// given signing policy and profile and returns the resulting intermediate
// certificate as PEM. Any failure aborts the calling test.
func createInterCert(t *testing.T, csrFile string, policy *config.Signing, profileName string) (certPEM []byte) {
	s, err := signer.NewSigner(testCAFile, testCAKeyFile, policy)
	if err != nil {
		t.Fatal(err)
	}
	csrPEM, err := ioutil.ReadFile(csrFile)
	if err != nil {
		t.Fatal(err)
	}
	certPEM, err = s.Sign("cloudflare-inter.com", csrPEM, profileName)
	if err != nil {
		t.Fatal(err)
	}
	return certPEM
}
// signerMain is the main CLI of signer functionality. It signs the
// certificate request read from Config.certFile for Config.hostname with
// the CA in Config.caFile and Config.caKeyFile and prints the resulting
// certificate to stdout. Positional arguments supply hostname and certFile
// only when the corresponding flags were left empty.
// [TODO: zi] Decide whether to drop the argument list and only use flags to specify all the inputs.
func signerMain(args []string) (err error) {
	// Positional arguments are consumed only for values the flags did not set.
	if Config.hostname == "" {
		if Config.hostname, args, err = popFirstArgument(args); err != nil {
			return err
		}
	}
	if Config.certFile == "" {
		if Config.certFile, args, err = popFirstArgument(args); err != nil {
			return err
		}
	}

	log.Debug("Loading Client certificate: ", Config.certFile)
	clientCert, err := ioutil.ReadFile(Config.certFile)
	if err != nil {
		return err
	}

	// A loaded config supplies the signing policy; a nil policy makes
	// NewSigner fall back to DefaultConfig().
	var policy *config.Signing
	if Config.cfg != nil {
		policy = Config.cfg.Signing
	}

	s, err := signer.NewSigner(Config.caFile, Config.caKeyFile, policy)
	if err != nil {
		return err
	}

	cert, err := s.Sign(Config.hostname, clientCert, Config.profile)
	if err != nil {
		return err
	}
	fmt.Printf("%s", cert)
	return nil
}
// gencertMain is the CLI entry point for certificate generation. It decodes
// a JSON csr.CertificateRequest from the CSR file named by the arguments and
// then either creates a new CA (Config.isCA), hands the request to a remote
// signer (Config.remote), or generates a key and CSR locally and signs it
// with the CA in Config.caFile / Config.caKeyFile. Results are emitted via
// printCert. A missing CA certificate or CA key for local signing is only
// logged; the function then returns nil without producing a certificate.
func gencertMain(args []string) (err error) {
	// The hostname comes from the first positional argument unless the flag
	// set it; a CA request does not need one.
	if Config.hostname == "" && !Config.isCA {
		if Config.hostname, args, err = popFirstArgument(args); err != nil {
			return err
		}
	}

	csrFile, args, err := popFirstArgument(args)
	if err != nil {
		return err
	}
	csrFileBytes, err := readStdin(csrFile)
	if err != nil {
		return err
	}

	var req csr.CertificateRequest
	if err = json.Unmarshal(csrFileBytes, &req); err != nil {
		return err
	}

	if Config.isCA {
		var key, cert []byte
		cert, key, err = initca.New(&req)
		if err != nil {
			return err
		}
		printCert(key, nil, cert)
		return nil
	}

	if Config.remote != "" {
		return gencertRemotely(req)
	}
	if Config.caFile == "" {
		log.Error("cannot sign certificate without a CA certificate (provide one with -ca)")
		return nil
	}
	if Config.caKeyFile == "" {
		log.Error("cannot sign certificate without a CA key (provide one with -ca-key)")
		return nil
	}

	// A loaded config supplies the signing policy; a nil policy makes
	// NewSigner fall back to DefaultConfig().
	var policy *config.Signing
	if Config.cfg != nil {
		policy = Config.cfg.Signing
	}

	gen := &csr.Generator{validator}
	csrPEM, key, err := gen.ProcessRequest(&req)
	if err != nil {
		return err
	}
	sign, err := signer.NewSigner(Config.caFile, Config.caKeyFile, policy)
	if err != nil {
		return err
	}
	cert, err := sign.Sign(Config.hostname, csrPEM, Config.profile)
	if err != nil {
		return err
	}
	printCert(key, csrPEM, cert)
	return nil
}