func newSignAction(c *cli.Context) {
if len(c.Args()) != 1 {
fmt.Fprintln(os.Stderr, "One host name must be provided.")
os.Exit(1)
}
formattedReqName := strings.Replace(c.Args()[0], " ", "_", -1)
formattedCAName := strings.Replace(c.String("CA"), " ", "_", -1)
if depot.CheckCertificate(d, formattedReqName) {
fmt.Fprintln(os.Stderr, "Certificate has existed!")
os.Exit(1)
}
csr, err := depot.GetCertificateSigningRequest(d, formattedReqName)
if err != nil {
fmt.Fprintln(os.Stderr, "Get certificate request error:", err)
os.Exit(1)
}
crt, err := depot.GetCertificate(d, formattedCAName)
if err != nil {
fmt.Fprintln(os.Stderr, "Get CA certificate error:", err)
os.Exit(1)
}
key, err := depot.GetPrivateKey(d, formattedCAName)
if err != nil {
key, err = depot.GetEncryptedPrivateKey(d, formattedCAName, getPassPhrase(c, "CA key"))
if err != nil {
fmt.Fprintln(os.Stderr, "Get CA key error:", err)
os.Exit(1)
}
}
crtHost, err := pkix.CreateCertificateHost(crt, key, csr, c.Int("years"))
if err != nil {
fmt.Fprintln(os.Stderr, "Create certificate error:", err)
os.Exit(1)
} else {
fmt.Printf("Created %s/%s.crt from %s/%s.csr signed by %s/%s.key\n", depotDir, formattedReqName, depotDir, formattedReqName, depotDir, formattedCAName)
}
if c.Bool("stdout") {
crtBytes, err := crtHost.Export()
if err != nil {
fmt.Fprintln(os.Stderr, "Print certificate error:", err)
os.Exit(1)
} else {
fmt.Printf(string(crtBytes[:]))
}
}
if err = depot.PutCertificate(d, formattedReqName, crtHost); err != nil {
fmt.Fprintln(os.Stderr, "Save certificate error:", err)
}
}
func newCertAction(c *cli.Context) {
var name = ""
ips := pkix.ParseAndValidateIPs(c.String("ip"))
domains := strings.Split(c.String("domain"), ",")
if c.String("domain") == "" {
domains = nil
}
switch {
case len(c.String("common-name")) != 0:
name = c.String("common-name")
case len(domains) != 0:
name = domains[0]
case len(ips) != 0:
name = ips[0].String()
default:
fmt.Fprintln(os.Stderr, "Must provide Common Name or SAN")
os.Exit(1)
}
formattedName := strings.Replace(name, " ", "_", -1)
if depot.CheckCertificateSigningRequest(d, formattedName) || depot.CheckPrivateKey(d, formattedName) {
fmt.Fprintln(os.Stderr, "Certificate request has existed!")
os.Exit(1)
}
var passphrase []byte
var err error
if c.IsSet("passphrase") {
passphrase = []byte(c.String("passphrase"))
} else {
passphrase, err = createPassPhrase()
if err != nil {
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
}
var key *pkix.Key
if c.IsSet("key") {
keyBytes, err := ioutil.ReadFile(c.String("key"))
key, err = pkix.NewKeyFromPrivateKeyPEM(keyBytes)
if err != nil {
fmt.Fprintln(os.Stderr, "Read Key error:", err)
os.Exit(1)
}
fmt.Printf("Read %s.key\n", name)
} else {
key, err = pkix.CreateRSAKey(c.Int("key-bits"))
if err != nil {
fmt.Fprintln(os.Stderr, "Create RSA Key error:", err)
os.Exit(1)
}
if len(passphrase) > 0 {
fmt.Printf("Created %s/%s.key (encrypted by passphrase)\n", depotDir, formattedName)
} else {
fmt.Printf("Created %s/%s.key\n", depotDir, formattedName)
}
}
csr, err := pkix.CreateCertificateSigningRequest(key, c.String("organizational-unit"), ips, domains, c.String("organization"), c.String("country"), c.String("province"), c.String("locality"), name)
if err != nil {
fmt.Fprintln(os.Stderr, "Create certificate request error:", err)
os.Exit(1)
} else {
fmt.Printf("Created %s/%s.csr\n", depotDir, formattedName)
}
if c.Bool("stdout") {
csrBytes, err := csr.Export()
if err != nil {
fmt.Fprintln(os.Stderr, "Print certificate request error:", err)
os.Exit(1)
} else {
fmt.Printf(string(csrBytes[:]))
}
}
if err = depot.PutCertificateSigningRequest(d, formattedName, csr); err != nil {
fmt.Fprintln(os.Stderr, "Save certificate request error:", err)
}
if len(passphrase) > 0 {
if err = depot.PutEncryptedPrivateKey(d, formattedName, key, passphrase); err != nil {
fmt.Fprintln(os.Stderr, "Save encrypted private key error:", err)
}
} else {
if err = depot.PutPrivateKey(d, formattedName, key); err != nil {
fmt.Fprintln(os.Stderr, "Save private key error:", err)
}
}
}
func initAction(c *cli.Context) {
if !c.IsSet("common-name") {
fmt.Println("Must supply Common Name for CA")
os.Exit(1)
}
formattedName := strings.Replace(c.String("common-name"), " ", "_", -1)
if depot.CheckCertificate(d, formattedName) || depot.CheckPrivateKey(d, formattedName) {
fmt.Fprintln(os.Stderr, "CA with specified name already exists!")
os.Exit(1)
}
var passphrase []byte
var err error
if c.IsSet("passphrase") {
passphrase = []byte(c.String("passphrase"))
} else {
passphrase, err = createPassPhrase()
if err != nil {
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
}
var key *pkix.Key
if c.IsSet("key") {
keyBytes, err := ioutil.ReadFile(c.String("key"))
key, err = pkix.NewKeyFromPrivateKeyPEM(keyBytes)
if err != nil {
fmt.Fprintln(os.Stderr, "Read Key error:", err)
os.Exit(1)
}
fmt.Printf("Read %s\n", c.String("key"))
} else {
key, err = pkix.CreateRSAKey(c.Int("key-bits"))
if err != nil {
fmt.Fprintln(os.Stderr, "Create RSA Key error:", err)
os.Exit(1)
}
if len(passphrase) > 0 {
fmt.Printf("Created %s/%s.key (encrypted by passphrase)\n", depotDir, formattedName)
} else {
fmt.Printf("Created %s/%s.key\n", depotDir, formattedName)
}
}
crt, err := pkix.CreateCertificateAuthority(key, c.String("organizational-unit"), c.Int("years"), c.String("organization"), c.String("country"), c.String("province"), c.String("locality"), c.String("common-name"))
if err != nil {
fmt.Fprintln(os.Stderr, "Create certificate error:", err)
os.Exit(1)
} else {
fmt.Printf("Created %s/%s.crt\n", depotDir, formattedName)
}
if c.Bool("stdout") {
crtBytes, err := crt.Export()
if err != nil {
fmt.Fprintln(os.Stderr, "Print CA certificate error:", err)
os.Exit(1)
} else {
fmt.Printf(string(crtBytes[:]))
}
}
if err = depot.PutCertificate(d, formattedName, crt); err != nil {
fmt.Fprintln(os.Stderr, "Save certificate error:", err)
}
if len(passphrase) > 0 {
if err = depot.PutEncryptedPrivateKey(d, formattedName, key, passphrase); err != nil {
fmt.Fprintln(os.Stderr, "Save encrypted private key error:", err)
}
} else {
if err = depot.PutPrivateKey(d, formattedName, key); err != nil {
fmt.Fprintln(os.Stderr, "Save private key error:", err)
}
}
}
func getPassPhrase(c *cli.Context, name string) []byte {
if c.IsSet("passphrase") {
return []byte(c.String("passphrase"))
}
return askPassPhrase(name)
}