Only rewrite keys with --force.
parent
63e36ecd7a
commit
22b86c3fcc
1 changed files with 31 additions and 2 deletions
@ -17,7 +17,6 @@ import (
"time"
"time"
"github.com/pkg/errors"
"github.com/pkg/errors"
"github.com/smallstep/certificates/kms/apiv1"
"github.com/smallstep/certificates/kms/apiv1"
"github.com/smallstep/certificates/kms/yubikey"
"github.com/smallstep/certificates/kms/yubikey"
"github.com/smallstep/cli/crypto/pemutil"
"github.com/smallstep/cli/crypto/pemutil"
@ -32,6 +31,7 @@ type Config struct {
RootFile string
RootFile string
KeyFile string
KeyFile string
Pin string
Pin string
Force bool
}
}
func (c *Config) Validate() error {
func (c *Config) Validate() error {
@ -43,8 +43,16 @@ func (c *Config) Validate() error {
case c.RootOnly && c.RootFile != "":
case c.RootOnly && c.RootFile != "":
return errors.New("flag `--root-only` is incompatible with flag `--root`")
return errors.New("flag `--root-only` is incompatible with flag `--root`")
case c.RootSlot == c.CrtSlot:
case c.RootSlot == c.CrtSlot:
return errors.New("flat `--root-slot` and flag `--crt-slot` cannot be the same")
return errors.New("flag `--root-slot` and flag `--crt-slot` cannot be the same")
case c.RootFile == "" && c.RootSlot == "":
return errors.New("one of flag `--root` or `--root-slot` is required")
default:
default:
if c.RootFile != "" {
c.RootSlot = ""
}
if c.RootOnly {
c.CrtSlot = ""
}
return nil
return nil
}
}
}
}
@ -56,6 +64,7 @@ func main() {
flag.StringVar(&c.CrtSlot, "crt-slot", "9c", "Slot to store the intermediate certificate.")
flag.StringVar(&c.CrtSlot, "crt-slot", "9c", "Slot to store the intermediate certificate.")
flag.StringVar(&c.RootFile, "root", "", "Path to the root certificate to use.")
flag.StringVar(&c.RootFile, "root", "", "Path to the root certificate to use.")
flag.StringVar(&c.KeyFile, "key", "", "Path to the root key to use.")
flag.StringVar(&c.KeyFile, "key", "", "Path to the root key to use.")
flag.BoolVar(&c.Force, "force", false, "Force the delete of previous keys.")
flag.Usage = usage
flag.Usage = usage
flag.Parse()
flag.Parse()
@ -77,6 +86,16 @@ func main() {
fatal(err)
fatal(err)
}
}
// Check if the slots are empty, fail if they are not
if !c.Force {
switch {
case c.RootSlot != "":
checkSlot(k, c.RootSlot)
case c.CrtSlot != "":
checkSlot(k, c.CrtSlot)
}
}
if err := createPKI(k, c); err != nil {
if err := createPKI(k, c); err != nil {
fatal(err)
fatal(err)
}
}
@ -109,6 +128,16 @@ COPYRIGHT
os.Exit(1)
os.Exit(1)
}
}
func checkSlot(k *yubikey.YubiKey, slot string) {
if _, err := k.GetPublicKey(&apiv1.GetPublicKeyRequest{
Name: slot,
}); err == nil {
fmt.Fprintf(os.Stderr, "⚠️ Your YubiKey already has a key in the slot %s.\n", slot)
fmt.Fprintln(os.Stderr, " If you want to delete it and start fresh, use `--force`.")
os.Exit(1)
}
}
func createPKI(k *yubikey.YubiKey, c Config) error {
func createPKI(k *yubikey.YubiKey, c Config) error {
var err error
var err error
ui.Println("Creating PKI ...")
ui.Println("Creating PKI ...")
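Review bot: The `switch` added in main under `if !c.Force` guards only the first non-empty slot: once `c.RootSlot != ""` matches, the `c.CrtSlot` case is never evaluated, so an existing key in the `--crt-slot` is overwritten without `--force` whenever both slots are populated (the normal case per `Validate`, which only clears `RootSlot` when `--root` is given and `CrtSlot` when `--root-only` is set), which defeats the protection this commit introduces. The two checks are independent and belong in separate `if` statements. Separately, `checkSlot` treats any non-nil error from `GetPublicKey` as "slot is empty", so a failure unrelated to emptiness would presumably let the key write proceed; worth confirming what the yubikey implementation returns for an occupied versus unreadable slot, or documenting the assumption with `// assumes GetPublicKey fails only when the slot is empty`. main's body starts and ends outside the hunk.
```go
	if !c.Force {
		if c.RootSlot != "" {
			checkSlot(k, c.RootSlot)
		}
		if c.CrtSlot != "" {
			checkSlot(k, c.CrtSlot)
		}
	}
```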