rsa/cmd/ca/init.go

package ca

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net"
	"os"
	"time"

	"github.com/spf13/cobra"
	"src.lwithers.me.uk/go/rsa/pkg/ca"
)

// Init a new certificate authority from scratch.
func Init(cmd *cobra.Command, args []string) {
	desc := args[0]

	template := createCATemplate(desc)
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		fmt.Fprintf(os.Stderr, "Failed to generate new key (%d bits): %v\n", bits, err)
		os.Exit(1)
	}

	_, err = ca.Create(dir, template, key)
	if err != nil {
		fmt.Fprintf(os.Stderr, "Failed to initialise new certificate authority: %v\n", err)
		os.Exit(1)
	}
}

func createCATemplate(desc string) *x509.Certificate {
	from, until := signingDates(30 * 365 * 24 * time.Hour)

	hasTargetRules := len(permittedDomains) > 0 || len(excludedDomains) > 0
	var permittedIP, excludedIP []*net.IPNet
	if len(permittedIPs) > 0 {
		hasTargetRules = true
		for _, ipr := range permittedIPs {
			permittedIP = append(permittedIP, parseCIDR(ipr))
		}
	}
	if len(excludedIPs) > 0 {
		hasTargetRules = true
		for _, ipr := range permittedIPs {
			excludedIP = append(excludedIP, parseCIDR(ipr))
		}
	}

	return &x509.Certificate{
		Subject: pkix.Name{
			CommonName: desc,
		},
		NotBefore: from,
		NotAfter:  until,

		BasicConstraintsValid: true,
		IsCA:                  true,
		MaxPathLen:            maxPathLen,
		MaxPathLenZero:        (maxPathLen == 0),

		PermittedDNSDomains:         permittedDomains,
		ExcludedDNSDomains:          excludedDomains,
		PermittedIPRanges:           permittedIP,
		ExcludedIPRanges:            excludedIP,
		PermittedDNSDomainsCritical: hasTargetRules,
	}
}

func parseCIDR(s string) *net.IPNet {
	ip, ipnet, err := net.ParseCIDR(s)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}

	if !ip.Equal(ipnet.IP) {
		fmt.Fprintf(os.Stderr, "%s: invalid IP range (did you mean %s?)\n", s, ipnet.String())
		os.Exit(1)
	}

	return ipnet
}
Initial commit of RSA CLI tool, still very much WIP 2023-03-01 21:30:16 +00:00			`package ca`

			`import (`
			`"crypto/rand"`
			`"crypto/rsa"`
			`"crypto/x509"`
			`"crypto/x509/pkix"`
			`"fmt"`
			`"net"`
			`"os"`
			`"time"`

			`"github.com/spf13/cobra"`
			`"src.lwithers.me.uk/go/rsa/pkg/ca"`
			`)`

			`// Init a new certificate authority from scratch.`
			`func Init(cmd *cobra.Command, args []string) {`
			`desc := args[0]`

			`template := createCATemplate(desc)`
			`key, err := rsa.GenerateKey(rand.Reader, bits)`
			`if err != nil {`
			`fmt.Fprintf(os.Stderr, "Failed to generate new key (%d bits): %v\n", bits, err)`
			`os.Exit(1)`
			`}`

			`_, err = ca.Create(dir, template, key)`
			`if err != nil {`
			`fmt.Fprintf(os.Stderr, "Failed to initialise new certificate authority: %v\n", err)`
			`os.Exit(1)`
			`}`
			`}`

			`func createCATemplate(desc string) *x509.Certificate {`
			`from, until := signingDates(30 * 365 * 24 * time.Hour)`

			`hasTargetRules := len(permittedDomains) > 0 \|\| len(excludedDomains) > 0`
			`var permittedIP, excludedIP []*net.IPNet`
			`if len(permittedIPs) > 0 {`
			`hasTargetRules = true`
			`for _, ipr := range permittedIPs {`
			`permittedIP = append(permittedIP, parseCIDR(ipr))`
			`}`
			`}`
			`if len(excludedIPs) > 0 {`
			`hasTargetRules = true`
			`for _, ipr := range permittedIPs {`
			`excludedIP = append(excludedIP, parseCIDR(ipr))`
			`}`
			`}`

			`return &x509.Certificate{`
			`Subject: pkix.Name{`
			`CommonName: desc,`
			`},`
			`NotBefore: from,`
			`NotAfter: until,`

			`BasicConstraintsValid: true,`
			`IsCA: true,`
			`MaxPathLen: maxPathLen,`
			`MaxPathLenZero: (maxPathLen == 0),`

			`PermittedDNSDomains: permittedDomains,`
			`ExcludedDNSDomains: excludedDomains,`
			`PermittedIPRanges: permittedIP,`
			`ExcludedIPRanges: excludedIP,`
			`PermittedDNSDomainsCritical: hasTargetRules,`
			`}`
			`}`

			`func parseCIDR(s string) *net.IPNet {`
			`ip, ipnet, err := net.ParseCIDR(s)`
			`if err != nil {`
			`fmt.Fprintln(os.Stderr, err)`
			`os.Exit(1)`
			`}`

			`if !ip.Equal(ipnet.IP) {`
			`fmt.Fprintf(os.Stderr, "%s: invalid IP range (did you mean %s?)\n", s, ipnet.String())`
			`os.Exit(1)`
			`}`

			`return ipnet`
			`}`