forked from TrueCloudLab/certificates
Add Identity helpers.
This commit is contained in:
Mariano Cano
parent
c2a3bcfab5
commit
87ce2c9b4b
2 changed files with 54 additions and 0 deletions
39
ca/client.go
39
ca/client.go
|
|
@ -26,6 +26,7 @@ import (
|
|||
"github.com/smallstep/certificates/authority"
|
||||
"github.com/smallstep/certificates/authority/provisioner"
|
||||
"github.com/smallstep/cli/config"
|
||||
"github.com/smallstep/cli/crypto/keys"
|
||||
"github.com/smallstep/cli/crypto/x509util"
|
||||
"golang.org/x/net/http2"
|
||||
"gopkg.in/square/go-jose.v2/jwt"
|
||||
|
|
@ -1033,6 +1034,44 @@ func CreateSignRequest(ott string) (*api.SignRequest, crypto.PrivateKey, error)
|
|||
}, pk, nil
|
||||
}
|
||||
|
||||
// CreateCertificateRequest creates a new CSR with the given common name and
|
||||
// SANs. If no san is provided the commonName will set also a SAN.
|
||||
func CreateCertificateRequest(commonName string, sans ...string) (*api.CertificateRequest, crypto.PrivateKey, error) {
|
||||
key, err := keys.GenerateDefaultKey()
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
return createCertificateRequest(commonName, sans, key)
|
||||
}
|
||||
|
||||
func createCertificateRequest(commonName string, sans []string, key crypto.PrivateKey) (*api.CertificateRequest, crypto.PrivateKey, error) {
|
||||
if len(sans) == 0 {
|
||||
sans = []string{commonName}
|
||||
}
|
||||
dnsNames, ips, emails := x509util.SplitSANs(sans)
|
||||
template := &x509.CertificateRequest{
|
||||
Subject: pkix.Name{
|
||||
CommonName: commonName,
|
||||
},
|
||||
DNSNames: dnsNames,
|
||||
IPAddresses: ips,
|
||||
EmailAddresses: emails,
|
||||
}
|
||||
csr, err := x509.CreateCertificateRequest(rand.Reader, template, key)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
cr, err := x509.ParseCertificateRequest(csr)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
if err := cr.CheckSignature(); err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
|
||||
return &api.CertificateRequest{CertificateRequest: cr}, key, nil
|
||||
}
|
||||
|
||||
func getInsecureClient() *http.Client {
|
||||
return &http.Client{
|
||||
Transport: &http.Transport{
|
||||
|
|
|
|||
|
|
@ -40,6 +40,21 @@ type Identity struct {
|
|||
Key string `json:"key"`
|
||||
}
|
||||
|
||||
// NewIdentityRequest returns a new CSR to create the identity. If an identity
|
||||
// was already present it reuses the private key.
|
||||
func NewIdentityRequest(commonName string, sans ...string) (*api.CertificateRequest, crypto.PrivateKey, error) {
|
||||
var identityKey crypto.PrivateKey
|
||||
if i, err := LoadDefaultIdentity(); err == nil && i.Key != "" {
|
||||
if k, err := pemutil.Read(i.Key); err == nil {
|
||||
identityKey = k
|
||||
}
|
||||
}
|
||||
if identityKey == nil {
|
||||
return CreateCertificateRequest(commonName, sans...)
|
||||
}
|
||||
return createCertificateRequest(commonName, sans, identityKey)
|
||||
}
|
||||
|
||||
// LoadDefaultIdentity loads the default identity.
|
||||
func LoadDefaultIdentity() (*Identity, error) {
|
||||
b, err := ioutil.ReadFile(IdentityFile)
|
||||
|
|
|
|||
Loading…
Reference in a new issue