Add Identity helpers.

This commit is contained in:
Mariano Cano 2019-11-20 19:11:54 -08:00
parent c2a3bcfab5
commit 87ce2c9b4b
2 changed files with 54 additions and 0 deletions

View file

@ -26,6 +26,7 @@ import (
"github.com/smallstep/certificates/authority" "github.com/smallstep/certificates/authority"
"github.com/smallstep/certificates/authority/provisioner" "github.com/smallstep/certificates/authority/provisioner"
"github.com/smallstep/cli/config" "github.com/smallstep/cli/config"
"github.com/smallstep/cli/crypto/keys"
"github.com/smallstep/cli/crypto/x509util" "github.com/smallstep/cli/crypto/x509util"
"golang.org/x/net/http2" "golang.org/x/net/http2"
"gopkg.in/square/go-jose.v2/jwt" "gopkg.in/square/go-jose.v2/jwt"
@ -1033,6 +1034,44 @@ func CreateSignRequest(ott string) (*api.SignRequest, crypto.PrivateKey, error)
}, pk, nil }, pk, nil
} }
// CreateCertificateRequest creates a new CSR with the given common name and
// SANs. If no san is provided the commonName will set also a SAN.
func CreateCertificateRequest(commonName string, sans ...string) (*api.CertificateRequest, crypto.PrivateKey, error) {
key, err := keys.GenerateDefaultKey()
if err != nil {
return nil, nil, err
}
return createCertificateRequest(commonName, sans, key)
}
func createCertificateRequest(commonName string, sans []string, key crypto.PrivateKey) (*api.CertificateRequest, crypto.PrivateKey, error) {
if len(sans) == 0 {
sans = []string{commonName}
}
dnsNames, ips, emails := x509util.SplitSANs(sans)
template := &x509.CertificateRequest{
Subject: pkix.Name{
CommonName: commonName,
},
DNSNames: dnsNames,
IPAddresses: ips,
EmailAddresses: emails,
}
csr, err := x509.CreateCertificateRequest(rand.Reader, template, key)
if err != nil {
return nil, nil, err
}
cr, err := x509.ParseCertificateRequest(csr)
if err != nil {
return nil, nil, err
}
if err := cr.CheckSignature(); err != nil {
return nil, nil, err
}
return &api.CertificateRequest{CertificateRequest: cr}, key, nil
}
func getInsecureClient() *http.Client { func getInsecureClient() *http.Client {
return &http.Client{ return &http.Client{
Transport: &http.Transport{ Transport: &http.Transport{

View file

@ -40,6 +40,21 @@ type Identity struct {
Key string `json:"key"` Key string `json:"key"`
} }
// NewIdentityRequest returns a new CSR to create the identity. If an identity
// was already present it reuses the private key.
func NewIdentityRequest(commonName string, sans ...string) (*api.CertificateRequest, crypto.PrivateKey, error) {
var identityKey crypto.PrivateKey
if i, err := LoadDefaultIdentity(); err == nil && i.Key != "" {
if k, err := pemutil.Read(i.Key); err == nil {
identityKey = k
}
}
if identityKey == nil {
return CreateCertificateRequest(commonName, sans...)
}
return createCertificateRequest(commonName, sans, identityKey)
}
// LoadDefaultIdentity loads the default identity. // LoadDefaultIdentity loads the default identity.
func LoadDefaultIdentity() (*Identity, error) { func LoadDefaultIdentity() (*Identity, error) {
b, err := ioutil.ReadFile(IdentityFile) b, err := ioutil.ReadFile(IdentityFile)