func (cont *CSRController) Update(params *CSRParams) error {
logger.Debug("updating CSR")
logger.Tracef("received params: %s", params)
if err := params.ValidateName(true); err != nil {
return err
}
if err := cont.env.LoadAdminEnv(); err != nil {
return err
}
index, err := cont.env.controllers.org.GetIndex()
if err != nil {
return err
}
csrId, err := index.GetCSR(*params.Name)
if err != nil {
return err
}
csr, err := cont.GetCSR(csrId)
if err != nil {
return err
}
if *params.CsrFile != "" {
ok, err := fs.Exists(*params.CsrFile)
if err != nil {
return err
}
if !ok {
logger.Warnf("CSR file '%s' does not exist", *params.CsrFile)
return nil
}
logger.Debugf("reading CSR file '%s'", *params.CsrFile)
csrPem, err := fs.ReadFile(*params.CsrFile)
if err != nil {
return err
}
// TODO - better validation of pem
logger.Debug("decoding CSR file PEM")
_, err = x509.PemDecodeX509CSR([]byte(csrPem))
if err != nil {
return err
}
csr.Data.Body.CSR = csrPem
}
if *params.KeyFile != "" {
ok, err := fs.Exists(*params.KeyFile)
if err != nil {
return err
}
if !ok {
logger.Warnf("key file '%s' does not exist", *params.KeyFile)
return nil
}
logger.Debugf("reading key file '%s'", *params.KeyFile)
keyPem, err := fs.ReadFile(*params.KeyFile)
if err != nil {
return err
}
logger.Debug("decoding key file PEM")
key, err := crypto.PemDecodePrivate([]byte(keyPem))
if err != nil {
return err
}
keyType, err := crypto.GetKeyType(key)
if err != nil {
return err
}
csr.Data.Body.KeyType = string(keyType)
csr.Data.Body.PrivateKey = keyPem
}
if *params.Tags != "" {
cont.ResetCSRTags(csrId, *params.Tags)
}
err = cont.SaveCSR(csr)
if err != nil {
return err
}
logger.Trace("returning nil error")
return nil
}
func (cont *CSRController) New(params *CSRParams) (*x509.CSR, error) {
logger.Debug("creating new CSR")
logger.Tracef("received params: %s", params)
if err := params.ValidateName(true); err != nil {
return nil, err
}
if err := cont.env.LoadAdminEnv(); err != nil {
return nil, err
}
// TODO - This should really be in a CSR function
subject := pkix.Name{CommonName: *params.Name}
if *params.DnLocality != "" {
subject.Locality = []string{*params.DnLocality}
}
if *params.DnState != "" {
subject.Province = []string{*params.DnState}
}
if *params.DnOrg != "" {
subject.Organization = []string{*params.DnOrg}
}
if *params.DnOrgUnit != "" {
subject.OrganizationalUnit = []string{*params.DnOrgUnit}
}
if *params.DnCountry != "" {
subject.Country = []string{*params.DnCountry}
}
if *params.DnStreet != "" {
subject.StreetAddress = []string{*params.DnStreet}
}
if *params.DnPostal != "" {
subject.PostalCode = []string{*params.DnPostal}
}
logger.Debug("creating CSR struct")
csr, err := x509.NewCSR(nil)
if err != nil {
return nil, err
}
csr.Data.Body.Id = x509.NewID()
csr.Data.Body.Name = *params.Name
if *params.CsrFile == "" && *params.KeyFile == "" {
csr.Data.Body.KeyType = *params.KeyType
logger.Debug("generating CSR and key")
csr.Generate(&subject)
} else {
if *params.CsrFile == "" {
return nil, fmt.Errorf("CSR PEM file must be provided if importing")
}
logger.Debugf("importing CSR from '%s'", *params.CsrFile)
ok, err := fs.Exists(*params.CsrFile)
if err != nil {
return nil, err
}
if !ok {
logger.Warnf("CSR file '%s' does not exist", *params.CsrFile)
logger.Tracef("returning nil error")
return nil, nil
}
logger.Debug("reading file")
csrPem, err := fs.ReadFile(*params.CsrFile)
if err != nil {
return nil, err
}
logger.Debug("decoding CSR PEM")
_, err = x509.PemDecodeX509CSR([]byte(csrPem))
if err != nil {
return nil, err
}
csr.Data.Body.CSR = csrPem
if *params.KeyFile != "" {
logger.Debugf("importing private key file from '%s'", *params.KeyFile)
ok, err := fs.Exists(*params.KeyFile)
if err != nil {
return nil, err
}
if !ok {
logger.Warnf("key file '%s' does not exist", *params.KeyFile)
logger.Trace("returning nil error")
return nil, nil
}
logger.Debugf("reading key file")
keyPem, err := fs.ReadFile(*params.KeyFile)
if err != nil {
return nil, err
}
logger.Debug("decoding private key PEM")
key, err := crypto.PemDecodePrivate([]byte(keyPem))
if err != nil {
return nil, err
}
keyType, err := crypto.GetKeyType(key)
if err != nil {
return nil, err
}
csr.Data.Body.KeyType = string(keyType)
csr.Data.Body.PrivateKey = keyPem
}
}
if *params.StandaloneFile == "" {
err = cont.SaveCSR(csr)
if err != nil {
return nil, err
}
var tags string
if *params.Tags == "NAME" {
tags = *params.Name
} else {
tags = *params.Tags
}
err = cont.AddCSRToOrgIndex(csr, tags)
if err != nil {
return nil, err
}
}
return csr, nil
}
func caImport(argv map[string]interface{}) (err error) {
name := ArgString(argv["<name>"], nil)
inTags := ArgString(argv["--tags"], nil)
certFile := ArgString(argv["<cert>"], nil)
keyFile := ArgString(argv["<privateKey>"], "")
certExpiry := ArgInt(argv["--cert-expiry"], 90)
dnLocality := ArgString(argv["--dn-l"], "")
dnState := ArgString(argv["--dn-st"], "")
dnOrg := ArgString(argv["--dn-o"], "")
dnOrgUnit := ArgString(argv["--dn-ou"], "")
dnCountry := ArgString(argv["--dn-c"], "")
dnStreet := ArgString(argv["--dn-street"], "")
dnPostal := ArgString(argv["--dn-postal"], "")
logger.Infof("Importing %s as %s", certFile, name)
app := NewAdminApp()
app.Load()
ca, _ := x509.NewCA(nil)
ca.Data.Body.Name = name
if dnLocality != "" {
ca.Data.Body.DNScope.Locality = dnLocality
}
if dnState != "" {
ca.Data.Body.DNScope.Province = dnState
}
if dnOrg != "" {
ca.Data.Body.DNScope.Organization = dnOrg
}
if dnOrgUnit != "" {
ca.Data.Body.DNScope.OrganizationalUnit = dnOrgUnit
}
if dnCountry != "" {
ca.Data.Body.DNScope.Country = dnCountry
}
if dnStreet != "" {
ca.Data.Body.DNScope.StreetAddress = dnStreet
}
if dnPostal != "" {
ca.Data.Body.DNScope.PostalCode = dnPostal
}
ok, err := fs.Exists(certFile)
checkAppFatal("Could not check file existence for %s: %s", certFile, err)
if !ok {
checkUserFatal("File does not exist: %s", certFile)
}
certPem, err := fs.ReadFile(certFile)
cert, err := x509.PemDecodeX509Certificate([]byte(certPem))
checkUserFatal("Not a valid certificate PEM for %s: %s", certFile, err)
// TODO - consider converting cert back to pem to use for consistency
// We generate a random ID instead of using the serial number because we
// don't control the serial
ca.Data.Body.Id = NewID()
ca.Data.Body.Certificate = certPem
ca.Data.Body.CertExpiry = certExpiry
caExpiry := int(cert.NotAfter.Sub(cert.NotBefore) / (time.Hour * 24))
ca.Data.Body.CAExpiry = caExpiry
if keyFile != "" {
ok, err = fs.Exists(keyFile)
checkAppFatal("Could not check file existence for %s: %s", keyFile, err)
if !ok {
checkUserFatal("File does not exist: %s", keyFile)
}
keyPem, err := fs.ReadFile(keyFile)
key, err := crypto.PemDecodePrivate([]byte(keyPem))
checkUserFatal("Not a valid private key PEM for %s: %s", keyFile, err)
// TODO - consider converting key back to pem to use for consistency
keyType, err := crypto.GetKeyType(key)
checkUserFatal("Unknow private key file for %s: %s", keyFile, err)
ca.Data.Body.KeyType = string(keyType)
ca.Data.Body.PrivateKey = keyPem
}
logger.Info("Saving CA")
caContainer, err := app.entities.org.EncryptThenSignString(ca.Dump(), nil)
checkAppFatal("Could not encrypt CA: %s", err)
err = app.fs.api.Authenticate(app.entities.org.Data.Body.Id, "")
checkAppFatal("Could not authenticate to API as Org: %s", err)
err = app.fs.api.StorePrivate(ca.Data.Body.Id, caContainer.Dump())
checkAppFatal("Could not save CA: %s", err)
logger.Info("Updating index")
app.LoadOrgIndex()
app.index.org.AddCA(ca.Data.Body.Name, ca.Data.Body.Id)
app.index.org.AddCATags(ca.Data.Body.Id, ParseTags(inTags))
app.SaveOrgIndex()
return nil
}
func (cont *CertificateController) New(params *CertificateParams) (*x509.Certificate, *x509.CA, error) {
logger.Debug("creating new certificate")
logger.Tracef("received params: %s", params)
if err := params.ValidateName(true); err != nil {
return nil, nil, err
}
if err := cont.env.LoadAdminEnv(); err != nil {
return nil, nil, err
}
// TODO - This should really be in a certificate function
subject := pkix.Name{CommonName: *params.Name}
if *params.DnLocality != "" {
subject.Locality = []string{*params.DnLocality}
}
if *params.DnState != "" {
subject.Province = []string{*params.DnState}
}
if *params.DnOrg != "" {
subject.Organization = []string{*params.DnOrg}
}
if *params.DnOrgUnit != "" {
subject.OrganizationalUnit = []string{*params.DnOrgUnit}
}
if *params.DnCountry != "" {
subject.Country = []string{*params.DnCountry}
}
if *params.DnStreet != "" {
subject.StreetAddress = []string{*params.DnStreet}
}
if *params.DnPostal != "" {
subject.PostalCode = []string{*params.DnPostal}
}
logger.Debug("creating certificate struct")
cert, err := x509.NewCertificate(nil)
if err != nil {
return nil, nil, err
}
cert.Data.Body.Name = *params.Name
cert.Data.Body.Expiry = *params.Expiry
var ca *x509.CA
if *params.CertFile == "" && *params.KeyFile == "" {
cert.Data.Body.KeyType = *params.KeyType
logger.Debug("generating certificate and key")
if *params.Ca == "" {
if err := cert.Generate(nil, &subject); err != nil {
return nil, nil, err
}
} else {
index, err := cont.env.controllers.org.GetIndex()
if err != nil {
return nil, nil, err
}
caId, err := index.GetCA(*params.Ca)
if err != nil {
return nil, nil, err
}
ca, err = cont.GetCA(caId)
if err != nil {
return nil, nil, err
}
logger.Debugf("generating certificate and signing with CA '%s'", caId)
if err := cert.Generate(ca, &subject); err != nil {
return nil, nil, err
}
}
} else {
if *params.CertFile == "" {
return nil, nil, fmt.Errorf("certificate PEM file must be provided if importing")
}
logger.Debugf("importing certificate from '%s'", *params.CertFile)
ok, err := fs.Exists(*params.CertFile)
if err != nil {
return nil, nil, err
}
if !ok {
logger.Warnf("certificate file '%s' does not exist", *params.CertFile)
return nil, nil, nil
}
logger.Debug("reading certificate from file")
certPem, err := fs.ReadFile(*params.CertFile)
if err != nil {
return nil, nil, err
}
logger.Debug("decoding certificate PEM")
importCert, err := x509.PemDecodeX509Certificate([]byte(certPem))
if err != nil {
return nil, nil, err
}
cert.Data.Body.Id = x509.NewID()
cert.Data.Body.Certificate = certPem
certExpiry := int(importCert.NotAfter.Sub(importCert.NotBefore) / (time.Hour * 24))
cert.Data.Body.Expiry = certExpiry
if *params.KeyFile != "" {
logger.Debugf("importing certificate privte key from '%s'", *params.KeyFile)
ok, err := fs.Exists(*params.KeyFile)
if err != nil {
return nil, nil, err
}
if !ok {
logger.Warnf("key file '%s' does not exist", *params.KeyFile)
return nil, nil, nil
}
logger.Debug("reading private key file")
keyPem, err := fs.ReadFile(*params.KeyFile)
if err != nil {
return nil, nil, err
}
logger.Debug("decoding private key PEM")
key, err := crypto.PemDecodePrivate([]byte(keyPem))
if err != nil {
return nil, nil, err
}
logger.Debug("getting key type")
keyType, err := crypto.GetKeyType(key)
if err != nil {
return nil, nil, err
}
cert.Data.Body.KeyType = string(keyType)
cert.Data.Body.PrivateKey = keyPem
}
}
if *params.StandaloneFile == "" {
err = cont.SaveCert(cert)
if err != nil {
return nil, nil, err
}
var tags string
if *params.Tags == "NAME" {
tags = *params.Name
} else {
tags = *params.Tags
}
err = cont.AddCertToOrgIndex(cert, tags)
if err != nil {
return nil, nil, err
}
}
logger.Trace("returning certificate")
return cert, ca, nil
}
func (cont *CAController) Update(params *CAParams) error {
logger.Debug("updating CA")
logger.Trace("received params [NOT LOGGED]")
if err := params.ValidateName(true); err != nil {
return err
}
if err := cont.env.LoadAdminEnv(); err != nil {
return err
}
index, err := cont.env.controllers.org.GetIndex()
if err != nil {
return err
}
caId, err := index.GetCA(*params.Name)
if err != nil {
return err
}
ca, err := cont.GetCA(caId)
if err != nil {
return err
}
if *params.CertFile != "" {
ok, err := fs.Exists(*params.CertFile)
if err != nil {
return err
}
if !ok {
logger.Warnf("certificate file '%s' does not exist", *params.CertFile)
return nil
}
logger.Debugf("reading certificate file '%s'", *params.CertFile)
certPem, err := fs.ReadFile(*params.CertFile)
if err != nil {
return err
}
// TODO - better validation of pem
logger.Debug("decoding certificate file PEM")
_, err = x509.PemDecodeX509Certificate([]byte(certPem))
if err != nil {
return err
}
logger.Trace("setting certificate")
ca.Data.Body.Certificate = certPem
}
if *params.KeyFile != "" {
ok, err := fs.Exists(*params.KeyFile)
if err != nil {
return err
}
if !ok {
logger.Warnf("key file '%s' does not exist", *params.KeyFile)
return nil
}
logger.Debugf("seading key file '%s'", *params.KeyFile)
keyPem, err := fs.ReadFile(*params.KeyFile)
if err != nil {
return err
}
// TODO - better validation of pem
logger.Debug("decoding key file PEM")
key, err := crypto.PemDecodePrivate([]byte(keyPem))
if err != nil {
return err
}
logger.Debug("getting key type")
keyType, err := crypto.GetKeyType(key)
if err != nil {
return err
}
ca.Data.Body.KeyType = string(keyType)
ca.Data.Body.PrivateKey = keyPem
}
if *params.Tags != "" {
cont.ResetCATags(caId, *params.Tags)
}
if *params.CaExpiry != 0 {
logger.Tracef("setting CA expiry to %d", *params.CaExpiry)
ca.Data.Body.CAExpiry = *params.CaExpiry
}
if *params.CertExpiry != 0 {
logger.Tracef("setting certificate expiry to %d", *params.CertExpiry)
ca.Data.Body.CertExpiry = *params.CertExpiry
}
if *params.DnLocality != "" {
logger.Tracef("setting DN locality to %s", *params.DnLocality)
ca.Data.Body.DNScope.Locality = *params.DnLocality
}
if *params.DnState != "" {
logger.Tracef("setting DN state to %s", *params.DnState)
ca.Data.Body.DNScope.Province = *params.DnState
}
if *params.DnOrg != "" {
logger.Tracef("setting DN organisation to %s", *params.DnOrg)
ca.Data.Body.DNScope.Organization = *params.DnOrg
}
if *params.DnOrgUnit != "" {
logger.Tracef("setting DN organisational unit to %s", *params.DnOrgUnit)
ca.Data.Body.DNScope.OrganizationalUnit = *params.DnOrgUnit
}
if *params.DnCountry != "" {
logger.Tracef("setting DN country to %s", *params.DnCountry)
ca.Data.Body.DNScope.Country = *params.DnCountry
}
if *params.DnStreet != "" {
logger.Tracef("setting DN street address to %s", *params.DnStreet)
ca.Data.Body.DNScope.StreetAddress = *params.DnStreet
}
if *params.DnPostal != "" {
logger.Tracef("setting DN postal code to %s", *params.DnPostal)
ca.Data.Body.DNScope.PostalCode = *params.DnPostal
}
err = cont.SaveCA(ca)
if err != nil {
return err
}
logger.Trace("returning nil error")
return nil
}
func (cont *CAController) New(params *CAParams) (*x509.CA, error) {
logger.Debug("creating new CA")
logger.Trace("received params [NOT LOGGED]")
if err := params.ValidateName(true); err != nil {
return nil, err
}
if err := params.ValidateCAExpiry(true); err != nil {
return nil, err
}
if err := params.ValidateCertExpiry(true); err != nil {
return nil, err
}
if err := params.ValidateKeyType(true); err != nil {
return nil, err
}
if err := cont.env.LoadAdminEnv(); err != nil {
return nil, err
}
logger.Debug("creating CA struct")
ca, err := x509.NewCA(nil)
if err != nil {
return nil, err
}
ca.Data.Body.Name = *params.Name
ca.Data.Body.CAExpiry = *params.CaExpiry
ca.Data.Body.CertExpiry = *params.CertExpiry
ca.Data.Body.KeyType = *params.KeyType
ca.Data.Body.DNScope.Locality = *params.DnLocality
ca.Data.Body.DNScope.Province = *params.DnState
ca.Data.Body.DNScope.Organization = *params.DnOrg
ca.Data.Body.DNScope.OrganizationalUnit = *params.DnOrgUnit
ca.Data.Body.DNScope.Country = *params.DnCountry
ca.Data.Body.DNScope.StreetAddress = *params.DnStreet
ca.Data.Body.DNScope.PostalCode = *params.DnPostal
if *params.CertFile == "" && *params.KeyFile == "" {
logger.Debug("generating keys")
ca.GenerateRoot()
} else {
if *params.CertFile == "" {
return nil, fmt.Errorf("certificate PEM file must be provided if importing")
}
ok, err := fs.Exists(*params.CertFile)
if err != nil {
return nil, err
}
if !ok {
logger.Warnf("certificate file '%s' does not exist", *params.CertFile)
return nil, nil
}
logger.Debugf("reading certificate PEM file '%s", *params.CertFile)
certPem, err := fs.ReadFile(*params.CertFile)
if err != nil {
return nil, err
}
logger.Debug("decoding certificate PEM")
cert, err := x509.PemDecodeX509Certificate([]byte(certPem))
if err != nil {
return nil, err
}
ca.Data.Body.Id = x509.NewID()
ca.Data.Body.Certificate = certPem
ca.Data.Body.CertExpiry = *params.CertExpiry
caExpiry := int(cert.NotAfter.Sub(cert.NotBefore) / (time.Hour * 24))
ca.Data.Body.CAExpiry = caExpiry
if *params.KeyFile != "" {
ok, err = fs.Exists(*params.KeyFile)
if err != nil {
return nil, err
}
if !ok {
logger.Warnf("key file '%s' does not exist", *params.KeyFile)
return nil, nil
}
logger.Debugf("reading private key PEM file '%s'", *params.KeyFile)
keyPem, err := fs.ReadFile(*params.KeyFile)
if err != nil {
return nil, err
}
logger.Debug("decoding private key")
key, err := crypto.PemDecodePrivate([]byte(keyPem))
if err != nil {
return nil, err
}
logger.Debug("getting key type")
keyType, err := crypto.GetKeyType(key)
if err != nil {
return nil, err
}
ca.Data.Body.KeyType = string(keyType)
ca.Data.Body.PrivateKey = keyPem
}
}
err = cont.SaveCA(ca)
if err != nil {
return nil, err
}
err = cont.AddCAToOrgIndex(ca, *params.Tags)
if err != nil {
return nil, err
}
logger.Trace("returning CA")
return ca, nil
}