// newChainAction prints the CA certificate in PEM form and, when a host
// name is given as the first argument, the host's certificate right after
// it so that the two form a chain. Before the host certificate is printed
// it is verified against the CA for that name (VerifyHost); a chain that
// does not verify is never emitted. Every failure is reported on stderr and
// ends the process with exit status 1.
func newChainAction(c *cli.Context) {
	ca, err := depot.GetCertificateAuthority(d)
	if err != nil {
		fmt.Fprintln(os.Stderr, "Get CA certificate error:", err)
		os.Exit(1)
	}
	// A certificate that was just loaded from the depot is not expected to
	// fail to export, so the error is deliberately dropped here.
	caBytes, _ := ca.Export()

	args := c.Args()
	if len(args) == 0 {
		fmt.Printf("%s", caBytes)
		return
	}

	host := args[0]
	hostCrt, err := depot.GetCertificateHost(d, host)
	if err != nil {
		fmt.Fprintln(os.Stderr, "Get certificate error:", err)
		os.Exit(1)
	}
	hostBytes, _ := hostCrt.Export()

	// Only print the chain once the host certificate is known to chain to
	// this CA for the requested name.
	if err = ca.VerifyHost(hostCrt, host); err != nil {
		fmt.Fprintln(os.Stderr, "Verify certificate chain error:", err)
		os.Exit(1)
	}
	fmt.Printf("%s%s", caBytes, hostBytes)
}
// getHostFiles builds the tar entries exported for host name: its
// certificate (stored under name+crtSuffix) followed by its private key
// (name+keySuffix), both read from the depot. When the "insecure" flag is
// set the key entry is passed through decryptEncryptedKeyTarFile with the
// passphrase from getPassPhrase, so the archive then carries the host key
// without its passphrase protection.
//
// Every failure is returned as an error whose message is prefixed with the
// step that failed.
func getHostFiles(c *cli.Context, name string) ([]*TarFile, error) {
	crtFile, err := d.GetFile(depot.HostCrtTag(name))
	if err != nil {
		return nil, errors.New("Get host certificate error: " + err.Error())
	}
	crtEntry, err := generateTarFile(crtFile, name+crtSuffix)
	if err != nil {
		return nil, errors.New("Generate certificate tar file error: " + err.Error())
	}

	keyFile, err := d.GetFile(depot.HostPrivKeyTag(name))
	if err != nil {
		return nil, errors.New("Get host key error: " + err.Error())
	}
	keyEntry, err := generateTarFile(keyFile, name+keySuffix)
	if err != nil {
		return nil, errors.New("Generate key tar file error: " + err.Error())
	}
	if c.Bool("insecure") {
		// Replace the encrypted key entry by its decrypted form; the caller
		// explicitly opted into exporting unprotected key material.
		keyEntry, err = decryptEncryptedKeyTarFile(keyEntry, getPassPhrase(c, name+" key"))
		if err != nil {
			return nil, errors.New("Get decrypted host key error: " + err.Error())
		}
	}

	return []*TarFile{crtEntry, keyEntry}, nil
}
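// getPassPhrase returns the passphrase protecting the secret described by
// name (for example "CA key"). The "passphrase" flag takes precedence when
// it is set; otherwise the user is prompted through askPassPhrase.
//
// A passphrase passed as a command-line flag is exposed to other local
// users via the process list and usually ends up in shell history, so the
// interactive prompt is the safer path; the flag exists for unattended use.
func getPassPhrase(c *cli.Context, name string) []byte {
	if c.IsSet("passphrase") {
		return []byte(c.String("passphrase"))
	}
	return askPassPhrase(name)
}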
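// newSignAction signs the stored certificate signing request of the host
// named by the single positional argument with the CA key, stores the
// resulting host certificate in the depot and writes the CA info back.
//
// Every failure is reported on stderr and terminates the process with exit
// status 1. That includes the two persistence steps at the end: a
// certificate that could not be saved, or CA info that could not be
// updated, must not be reported to the caller with a success status and a
// "Created" line, so the confirmation is only printed once both writes
// succeeded.
func newSignAction(c *cli.Context) {
	if len(c.Args()) != 1 {
		fmt.Fprintln(os.Stderr, "One host name must be provided.")
		os.Exit(1)
	}
	name := c.Args()[0]
	// Never overwrite a certificate that has already been issued.
	if depot.CheckCertificateHost(d, name) {
		fmt.Fprintln(os.Stderr, "Certificate has existed!")
		os.Exit(1)
	}

	csr, err := depot.GetCertificateSigningRequest(d, name)
	if err != nil {
		fmt.Fprintln(os.Stderr, "Get certificate request error:", err)
		os.Exit(1)
	}
	crt, err := depot.GetCertificateAuthority(d)
	if err != nil {
		fmt.Fprintln(os.Stderr, "Get CA certificate error:", err)
		os.Exit(1)
	}
	info, err := depot.GetCertificateAuthorityInfo(d)
	if err != nil {
		fmt.Fprintln(os.Stderr, "Get CA certificate info error:", err)
		os.Exit(1)
	}
	key, err := depot.GetEncryptedPrivateKeyAuthority(d, getPassPhrase(c, "CA key"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "Get CA key error:", err)
		os.Exit(1)
	}

	crtHost, err := pkix.CreateCertificateHost(crt, info, key, csr)
	if err != nil {
		fmt.Fprintln(os.Stderr, "Create certificate error:", err)
		os.Exit(1)
	}
	if err = depot.PutCertificateHost(d, name, crtHost); err != nil {
		fmt.Fprintln(os.Stderr, "Save certificate error:", err)
		os.Exit(1)
	}
	// info was handed to CreateCertificateHost above and is written back
	// here; if that write fails the stored CA info is stale relative to
	// the certificate just issued (presumably its issuance counter —
	// confirm against the depot implementation), which must not pass
	// silently with a zero exit status.
	if err = depot.UpdateCertificateAuthorityInfo(d, info); err != nil {
		fmt.Fprintln(os.Stderr, "Update CA info error:", err)
		os.Exit(1)
	}
	fmt.Printf("Created %s/crt from %s/csr signed by ca/key\n", name, name)
}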
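// newExportAction writes a tar archive to stdout containing either the CA
// files (no argument; see getAuthFiles) or the certificate and key of the
// single host named (see getHostFiles). Errors are reported on stderr and
// end the process with exit status 1.
//
// The tar writer is closed explicitly and the error from Close is checked:
// Close is what writes the archive trailer, so a failure there means the
// archive on stdout is truncated, and that must not be reported as success.
// (A deferred Close would also never run on the os.Exit paths.)
func newExportAction(c *cli.Context) {
	if len(c.Args()) > 1 {
		fmt.Fprintln(os.Stderr, "At most one host name could be provided.")
		os.Exit(1)
	}

	var (
		files []*TarFile
		err   error
	)
	if len(c.Args()) == 0 {
		files, err = getAuthFiles(c)
	} else {
		files, err = getHostFiles(c, c.Args()[0])
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}

	w := tar.NewWriter(os.Stdout)
	if err = outputTarFiles(w, files); err != nil {
		fmt.Fprintln(os.Stderr, "Save tar error:", err)
		os.Exit(1)
	}
	// Close flushes the tar footer; without it the archive is incomplete.
	if err = w.Close(); err != nil {
		fmt.Fprintln(os.Stderr, "Save tar error:", err)
		os.Exit(1)
	}
}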
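// initAction creates a new certificate authority in the depot: an RSA key
// of c.Int("key-bits") bits, the CA certificate and its info record. The
// key is stored encrypted under a passphrase, taken from the "passphrase"
// flag when set (a flag value is visible in the process list, so prefer the
// prompt for interactive use) and otherwise obtained from createPassPhrase.
//
// Refuses to run if any of the three CA artifacts already exists. Every
// failure, including a failure to persist one of the artifacts, is reported
// on stderr and exits with status 1, so a partially written CA is never
// reported as success. Should a later Put fail after an earlier one
// succeeded, the depot holds a partial CA that the existence check above
// will refuse to overwrite; it presumably has to be removed by hand before
// retrying (confirm against the depot implementation).
func initAction(c *cli.Context) {
	if depot.CheckCertificateAuthority(d) || depot.CheckCertificateAuthorityInfo(d) || depot.CheckPrivateKeyAuthority(d) {
		fmt.Fprintln(os.Stderr, "CA has existed!")
		os.Exit(1)
	}

	var (
		passphrase []byte
		err        error
	)
	if c.IsSet("passphrase") {
		passphrase = []byte(c.String("passphrase"))
	} else if passphrase, err = createPassPhrase(); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}

	key, err := pkix.CreateRSAKey(c.Int("key-bits"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "Create RSA Key error:", err)
		os.Exit(1)
	}
	fmt.Println("Created ca/key")

	crt, info, err := pkix.CreateCertificateAuthority(key)
	if err != nil {
		fmt.Fprintln(os.Stderr, "Create certificate error:", err)
		os.Exit(1)
	}
	fmt.Println("Created ca/crt")

	// Persist all three artifacts; any write failure is fatal because the
	// CA is unusable (and blocked from re-initialisation) when incomplete.
	if err = depot.PutCertificateAuthority(d, crt); err != nil {
		fmt.Fprintln(os.Stderr, "Save certificate error:", err)
		os.Exit(1)
	}
	if err = depot.PutCertificateAuthorityInfo(d, info); err != nil {
		fmt.Fprintln(os.Stderr, "Save certificate info error:", err)
		os.Exit(1)
	}
	if err = depot.PutEncryptedPrivateKeyAuthority(d, key, passphrase); err != nil {
		fmt.Fprintln(os.Stderr, "Save key error:", err)
		os.Exit(1)
	}
}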
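// newCertAction creates a private key and a certificate signing request for
// the host named by the single positional argument and stores both in the
// depot. The key has c.Int("key-bits") bits and is stored encrypted under a
// passphrase taken from the "passphrase" flag when set (flag values are
// visible in the process list) or otherwise from createPassPhrase; the
// request is built from the key, the host name and the "ip" flag.
//
// Refuses to run if a request or key for that host already exists. Every
// failure, including a failure to persist the request or the key, is
// reported on stderr and exits with status 1 so that a half-written host
// entry is never reported as success. The confirmation for the request
// names name/csr — it is a signing request, not a certificate; the
// certificate only exists once the sign action has run.
func newCertAction(c *cli.Context) {
	if len(c.Args()) != 1 {
		fmt.Fprintln(os.Stderr, "One host name must be provided.")
		os.Exit(1)
	}
	name := c.Args()[0]
	if depot.CheckCertificateSigningRequest(d, name) || depot.CheckPrivateKeyHost(d, name) {
		fmt.Fprintln(os.Stderr, "Certificate request has existed!")
		os.Exit(1)
	}

	var (
		passphrase []byte
		err        error
	)
	if c.IsSet("passphrase") {
		passphrase = []byte(c.String("passphrase"))
	} else if passphrase, err = createPassPhrase(); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}

	key, err := pkix.CreateRSAKey(c.Int("key-bits"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "Create RSA Key error:", err)
		os.Exit(1)
	}
	fmt.Printf("Created %s/key\n", name)

	csr, err := pkix.CreateCertificateSigningRequest(key, name, c.String("ip"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "Create certificate request error:", err)
		os.Exit(1)
	}
	fmt.Printf("Created %s/csr\n", name)

	// Both artifacts must land in the depot; a failed write is fatal since
	// the existence check above would otherwise block a retry of a half
	// created host entry without telling the caller anything went wrong.
	if err = depot.PutCertificateSigningRequest(d, name, csr); err != nil {
		fmt.Fprintln(os.Stderr, "Save certificate request error:", err)
		os.Exit(1)
	}
	if err = depot.PutEncryptedPrivateKeyHost(d, name, key, passphrase); err != nil {
		fmt.Fprintln(os.Stderr, "Save key error:", err)
		os.Exit(1)
	}
}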