Add support for the flag --issuer-password-file

The new flag allows to pass a file with the password used to decrypt
the key used in RA mode.
This commit is contained in:
Mariano Cano 2021-03-24 14:53:19 -07:00
parent 71f59de396
commit bdeb0ccd7c
3 changed files with 42 additions and 8 deletions

View file

@ -25,6 +25,7 @@ import (
type options struct {
configFile string
password []byte
issuerPassword []byte
database db.AuthDB
}
@ -53,6 +54,14 @@ func WithPassword(password []byte) Option {
}
}
// WithIssuer sets the given password as the configured certificate issuer
// password in the CA options.
func WithIssuerPassword(password []byte) Option {
return func(o *options) {
o.issuerPassword = password
}
}
// WithDatabase sets the given authority database to the CA options.
func WithDatabase(db db.AuthDB) Option {
return func(o *options) {
@ -82,10 +91,18 @@ func New(config *authority.Config, opts ...Option) (*CA, error) {
// Init initializes the CA with the given configuration.
func (ca *CA) Init(config *authority.Config) (*CA, error) {
if l := len(ca.opts.password); l > 0 {
// Intermediate Password.
if len(ca.opts.password) > 0 {
ca.config.Password = string(ca.opts.password)
}
// Certificate issuer password for RA mode.
if len(ca.opts.issuerPassword) > 0 {
if ca.config.AuthorityConfig != nil && ca.config.AuthorityConfig.CertificateIssuer != nil {
ca.config.AuthorityConfig.CertificateIssuer.Password = string(ca.opts.issuerPassword)
}
}
var opts []authority.Option
if ca.opts.database != nil {
opts = append(opts, authority.WithDatabase(ca.opts.database))
@ -213,6 +230,7 @@ func (ca *CA) Reload() error {
newCA, err := New(config,
WithPassword(ca.opts.password),
WithIssuerPassword(ca.opts.issuerPassword),
WithConfigFile(ca.opts.configFile),
WithDatabase(ca.auth.GetDatabase()),
)

View file

@ -106,7 +106,7 @@ func main() {
app.HelpName = "step-ca"
app.Version = config.Version()
app.Usage = "an online certificate authority for secure automated certificate management"
app.UsageText = `**step-ca** <config> [**--password-file**=<file>] [**--resolver**=<addr>] [**--help**] [**--version**]`
app.UsageText = `**step-ca** <config> [**--password-file**=<file>] [**--issuer-password-file**=<file>] [**--resolver**=<addr>] [**--help**] [**--version**]`
app.Description = `**step-ca** runs the Step Online Certificate Authority
(Step CA) using the given configuration.
See the README.md for more detailed configuration documentation.

View file

@ -22,13 +22,17 @@ var AppCommand = cli.Command{
Name: "start",
Action: appAction,
UsageText: `**step-ca** <config>
[**--password-file**=<file>]
[**--resolver**=<addr>]`,
[**--password-file**=<file>] [**--issuer-password-file**=<file>] [**--resolver**=<addr>]`,
Flags: []cli.Flag{
cli.StringFlag{
Name: "password-file",
Usage: `path to the <file> containing the password to decrypt the
intermediate private key.`,
},
cli.StringFlag{
Name: "issuer-password-file",
Usage: `path to the <file> containing the password to decrypt the
certificate issuer private key used in the RA mode.`,
},
cli.StringFlag{
Name: "resolver",
@ -40,6 +44,7 @@ intermediate private key.`,
// AppAction is the action used when the top command runs.
func appAction(ctx *cli.Context) error {
passFile := ctx.String("password-file")
issuerPassFile := ctx.String("issuer-password-file")
resolver := ctx.String("resolver")
// If zero cmd line args show help, if >1 cmd line args show error.
@ -64,6 +69,14 @@ func appAction(ctx *cli.Context) error {
password = bytes.TrimRightFunc(password, unicode.IsSpace)
}
var issuerPassword []byte
if issuerPassFile != "" {
if issuerPassword, err = ioutil.ReadFile(issuerPassFile); err != nil {
fatal(errors.Wrapf(err, "error reading %s", issuerPassFile))
}
issuerPassword = bytes.TrimRightFunc(issuerPassword, unicode.IsSpace)
}
// replace resolver if requested
if resolver != "" {
net.DefaultResolver.PreferGo = true
@ -72,7 +85,10 @@ func appAction(ctx *cli.Context) error {
}
}
srv, err := ca.New(config, ca.WithConfigFile(configFile), ca.WithPassword(password))
srv, err := ca.New(config,
ca.WithConfigFile(configFile),
ca.WithPassword(password),
ca.WithIssuerPassword(issuerPassword))
if err != nil {
fatal(err)
}