Remove deprecated methods and write all pki files at once.

pki/pki.go

@@ -156,10 +156,8 @@ func GetProvisionerKey(caURL, rootFile, kid string) (string, error) {
 }
 
 type options struct {
-	// address        string
-	// caURL          string
-	// dnsNames       []string
 	provisioner    string
+	pkiOnly        bool
 	enableACME     bool
 	enableSSH      bool
 	enableAdmin    bool
@@ -199,6 +197,13 @@ func WithProvisioner(s string) PKIOption {
 	}
 }
 
+// WithPKIOnly will only generate the PKI without the step-ca config files.
+func WithPKIOnly() PKIOption {
+	return func(p *PKI) {
+		p.options.pkiOnly = true
+	}
+}
+
 // WithACME enables acme provisioner in step-ca.
 func WithACME() PKIOption {
 	return func(p *PKI) {
@@ -248,13 +253,8 @@ type PKI struct {
 	casOptions    apiv1.Options
 	caService     apiv1.CertificateAuthorityService
 	caCreator     apiv1.CertificateAuthorityCreator
-	// root, rootKey, rootFingerprint string
-	// intermediate, intermediateKey  string
-	// sshHostPubKey, sshHostKey      string
-	// sshUserPubKey, sshUserKey      string
 	config        string
 	defaults      string
-	// rootFingerprint     string
 	ottPublicKey  *jose.JSONWebKey
 	ottPrivateKey *jose.JSONWebEncryption
 	options       *options
@@ -386,34 +386,6 @@ func (p *PKI) GetRootFingerprint() string {
 	return p.Defaults.Fingerprint
 }
 
-// SetProvisioner sets the provisioner name of the OTT keys.
-//
-// Deprecated: this method is deprecated in favor of WithProvisioner.
-func (p *PKI) SetProvisioner(s string) {
-	p.options.provisioner = s
-}
-
-// SetAddress sets the listening address of the CA.
-//
-// Deprecated: this method is deprecated in favor of WithAddress.
-func (p *PKI) SetAddress(s string) {
-	p.Address = s
-}
-
-// SetDNSNames sets the dns names of the CA.
-//
-// Deprecated: this method is deprecated in favor of WithDNSNames.
-func (p *PKI) SetDNSNames(s []string) {
-	p.DnsNames = s
-}
-
-// SetCAURL sets the ca-url to use in the defaults.json.
-//
-// Deprecated: this method is deprecated in favor of WithCaUrl.
-func (p *PKI) SetCAURL(s string) {
-	p.Defaults.CaUrl = s
-}
-
 // GenerateKeyPairs generates the key pairs used by the certificate authority.
 func (p *PKI) GenerateKeyPairs(pass []byte) error {
 	var err error
@@ -450,22 +422,29 @@ func (p *PKI) GenerateRootCertificate(name, org, resource string, pass []byte) (
 		return nil, err
 	}
 
-	sum := sha256.Sum256(resp.Certificate.Raw)
+	// PrivateKey will only be set if we have access to it (SoftCAS).
-	p.Defaults.Fingerprint = strings.ToLower(hex.EncodeToString(sum[:]))
+	if err := p.WriteRootCertificate(resp.Certificate, resp.PrivateKey, pass); err != nil {
-	p.Files[p.Root[0]] = encodeCertificate(resp.Certificate)
-	p.Files[p.RootKey[0]], err = encodePrivateKey(resp.PrivateKey, pass)
-	if err != nil {
 		return nil, err
 	}
 
-	// PrivateKey will only be set if we have access to it (SoftCAS).
-	// if err := p.WriteRootCertificate(resp.Certificate, resp.PrivateKey, pass); err != nil {
-	// 	return nil, err
-	// }
-
 	return resp, nil
 }
 
+// WriteRootCertificate writes to the buffer the given certificate and key if given.
+func (p *PKI) WriteRootCertificate(rootCrt *x509.Certificate, rootKey interface{}, pass []byte) error {
+	p.Files[p.Root[0]] = encodeCertificate(rootCrt)
+	if rootKey != nil {
+		var err error
+		p.Files[p.RootKey[0]], err = encodePrivateKey(rootKey, pass)
+		if err != nil {
+			return err
+		}
+	}
+	sum := sha256.Sum256(rootCrt.Raw)
+	p.Defaults.Fingerprint = strings.ToLower(hex.EncodeToString(sum[:]))
+	return nil
+}
+
 // GenerateIntermediateCertificate generates an intermediate certificate with
 // the given name and using the default key type.
 func (p *PKI) GenerateIntermediateCertificate(name, org, resource string, parent *apiv1.CreateCertificateAuthorityResponse, pass []byte) error {
@@ -494,62 +473,9 @@ func (p *PKI) GenerateIntermediateCertificate(name, org, resource string, parent
 	p.casOptions.CertificateAuthority = resp.Name
 	p.Files[p.Intermediate] = encodeCertificate(resp.Certificate)
 	p.Files[p.IntermediateKey], err = encodePrivateKey(resp.PrivateKey, pass)
-	if err != nil {
 	return err
 }
 
-	return nil
-	// return p.WriteIntermediateCertificate(resp.Certificate, resp.PrivateKey, pass)
-}
-
-// WriteRootCertificate writes to disk the given certificate and key.
-func (p *PKI) WriteRootCertificate(rootCrt *x509.Certificate, rootKey interface{}, pass []byte) error {
-	fmt.Println(p.options.isHelm)
-	if p.options.isHelm {
-		return nil
-	}
-
-	if err := fileutil.WriteFile(p.Root[0], pem.EncodeToMemory(&pem.Block{
-		Type:  "CERTIFICATE",
-		Bytes: rootCrt.Raw,
-	}), 0600); err != nil {
-		return err
-	}
-
-	if rootKey != nil {
-		_, err := pemutil.Serialize(rootKey, pemutil.WithPassword(pass), pemutil.ToFile(p.RootKey[0], 0600))
-		if err != nil {
-			return err
-		}
-	}
-
-	sum := sha256.Sum256(rootCrt.Raw)
-	p.Defaults.Fingerprint = strings.ToLower(hex.EncodeToString(sum[:]))
-
-	return nil
-}
-
-// WriteIntermediateCertificate writes to disk the given certificate and key.
-func (p *PKI) WriteIntermediateCertificate(crt *x509.Certificate, key interface{}, pass []byte) error {
-	if p.options.isHelm {
-		return nil
-	}
-
-	if err := fileutil.WriteFile(p.Intermediate, pem.EncodeToMemory(&pem.Block{
-		Type:  "CERTIFICATE",
-		Bytes: crt.Raw,
-	}), 0600); err != nil {
-		return err
-	}
-	if key != nil {
-		_, err := pemutil.Serialize(key, pemutil.WithPassword(pass), pemutil.ToFile(p.IntermediateKey, 0600))
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
 // CreateCertificateAuthorityResponse returns a
 // CreateCertificateAuthorityResponse that can be used as a parent of a
 // CreateCertificateAuthority request.
@@ -610,19 +536,21 @@ func (p *PKI) GenerateSSHSigningKeys(password []byte) error {
 		if err != nil {
 			return err
 		}
-
-		// _, err = pemutil.Serialize(priv, pemutil.WithFilename(privNames[i]), pemutil.WithPassword(password))
-		// if err != nil {
-		// 	return err
-		// }
-		// if err = fileutil.WriteFile(pubNames[i], ssh.MarshalAuthorizedKey(sshKey), 0600); err != nil {
-		// 	return err
-		// }
 	}
 	p.options.enableSSH = true
 	return nil
 }
 
+// WriteFiles writes on disk the previously generated files.
+func (p *PKI) WriteFiles() error {
+	for fn, b := range p.Files {
+		if err := fileutil.WriteFile(fn, b, 0600); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 func (p *PKI) askFeedback() {
 	ui.Println()
 	ui.Printf("\033[1mFEEDBACK\033[0m %s %s\n",
@@ -636,14 +564,6 @@ func (p *PKI) askFeedback() {
 	ui.Println("      \033[1mhttps://bit.ly/step-discord\033[0m.")
 }
 
-// TellPKI outputs the locations of public and private keys generated
-// generated for a new PKI. Generally this will consist of a root certificate
-// and key and an intermediate certificate and key.
-func (p *PKI) TellPKI() {
-	p.tellPKI()
-	p.askFeedback()
-}
-
 func (p *PKI) tellPKI() {
 	ui.Println()
 	if p.casOptions.Is(apiv1.SoftCAS) {
@@ -832,16 +752,16 @@ func (p *PKI) GenerateConfig(opt ...Option) (*authconfig.Config, error) {
 // Save stores the pki on a json file that will be used as the certificate
 // authority configuration.
 func (p *PKI) Save(opt ...Option) error {
-	// Write pre-generated files.
+	// Write generated files
-	for fn, b := range p.Files {
+	if err := p.WriteFiles(); err != nil {
-		if err := fileutil.WriteFile(fn, b, 0600); err != nil {
 		return err
 	}
-	}
 
+	// Display only the
 	p.tellPKI()
 
 	// Generate and write ca.json
+	if !p.options.pkiOnly {
 		config, err := p.GenerateConfig(opt...)
 		if err != nil {
 			return err
@@ -890,9 +810,9 @@ func (p *PKI) Save(opt ...Option) error {
 		} else {
 			ui.Println("Your registration authority is ready to go. To generate certificates for individual services see 'step help ca'.")
 		}
+	}
 
 	p.askFeedback()
-
 	return nil
 }