rsa/cmd/ca/sign.go

package ca

import (
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"os"
	"time"

	"github.com/spf13/cobra"
	"src.lwithers.me.uk/go/rsa/pkg/ca"
	"src.lwithers.me.uk/go/rsa/pkg/pemfile"
)

// Sign one or more CSRs.
func Sign(cmd *cobra.Command, args []string) {
	csrFilename := args[0]
	from, until := signingDates(365 * 24 * time.Hour)

	// open the CA
	ca, err := ca.Open(dir)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}

	// parse the CSR
	csr, err := pemfile.ReadCSR(csrFilename)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	pubKey, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok {
		fmt.Fprintf(os.Stderr, "%s: public key is not RSA\n", csrFilename)
		os.Exit(1)
	}

	// build the certificate template
	var (
		keyUsage    x509.KeyUsage
		extKeyUsage []x509.ExtKeyUsage
	)
	switch {
	// TODO: CLI flags
	case len(csr.DNSNames) == 0 && len(csr.IPAddresses) == 0:
		extKeyUsage = append(extKeyUsage, x509.ExtKeyUsageClientAuth)
	default:
		extKeyUsage = append(extKeyUsage, x509.ExtKeyUsageServerAuth)
	}

	template := &x509.Certificate{
		KeyUsage:    keyUsage,
		ExtKeyUsage: extKeyUsage,
		Subject:     csr.Subject,
		NotBefore:   from,
		NotAfter:    until,
		DNSNames:    csr.DNSNames,
		IPAddresses: csr.IPAddresses,
	}

	// sign the certificate
	cert, auditDir, err := ca.Sign(template, pubKey)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	raw := pem.EncodeToMemory(&pem.Block{
		Type:  pemfile.TypeX509Certificate,
		Bytes: cert.Raw,
	})

	// TODO: copy CSR to audit dir
	_ = auditDir

	// write CSR to output file
	switch outputFilename {
	case "", "-":
		os.Stdout.Write(raw)
	default:
		if err := os.WriteFile(outputFilename, raw, 0600); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
}
Initial commit of RSA CLI tool, still very much WIP 2023-03-01 21:30:16 +00:00			`package ca`

			`import (`
			`"crypto/rsa"`
			`"crypto/x509"`
			`"encoding/pem"`
			`"fmt"`
			`"os"`
			`"time"`

			`"github.com/spf13/cobra"`
			`"src.lwithers.me.uk/go/rsa/pkg/ca"`
			`"src.lwithers.me.uk/go/rsa/pkg/pemfile"`
			`)`

			`// Sign one or more CSRs.`
			`func Sign(cmd *cobra.Command, args []string) {`
			`csrFilename := args[0]`
			`from, until := signingDates(365 * 24 * time.Hour)`

			`// open the CA`
			`ca, err := ca.Open(dir)`
			`if err != nil {`
			`fmt.Fprintln(os.Stderr, err)`
			`os.Exit(1)`
			`}`

			`// parse the CSR`
			`csr, err := pemfile.ReadCSR(csrFilename)`
			`if err != nil {`
			`fmt.Fprintln(os.Stderr, err)`
			`os.Exit(1)`
			`}`
			`pubKey, ok := csr.PublicKey.(*rsa.PublicKey)`
			`if !ok {`
			`fmt.Fprintf(os.Stderr, "%s: public key is not RSA\n", csrFilename)`
			`os.Exit(1)`
			`}`

			`// build the certificate template`
			`var (`
			`keyUsage x509.KeyUsage`
			`extKeyUsage []x509.ExtKeyUsage`
			`)`
			`switch {`
			`// TODO: CLI flags`
			`case len(csr.DNSNames) == 0 && len(csr.IPAddresses) == 0:`
			`extKeyUsage = append(extKeyUsage, x509.ExtKeyUsageClientAuth)`
			`default:`
			`extKeyUsage = append(extKeyUsage, x509.ExtKeyUsageServerAuth)`
			`}`

			`template := &x509.Certificate{`
			`KeyUsage: keyUsage,`
			`ExtKeyUsage: extKeyUsage,`
			`Subject: csr.Subject,`
			`NotBefore: from,`
			`NotAfter: until,`
			`DNSNames: csr.DNSNames,`
			`IPAddresses: csr.IPAddresses,`
			`}`

			`// sign the certificate`
			`cert, auditDir, err := ca.Sign(template, pubKey)`
			`if err != nil {`
			`fmt.Fprintln(os.Stderr, err)`
			`os.Exit(1)`
			`}`
			`raw := pem.EncodeToMemory(&pem.Block{`
			`Type: pemfile.TypeX509Certificate,`
			`Bytes: cert.Raw,`
			`})`

			`// TODO: copy CSR to audit dir`
			`_ = auditDir`

			`// write CSR to output file`
			`switch outputFilename {`
			`case "", "-":`
			`os.Stdout.Write(raw)`
			`default:`
			`if err := os.WriteFile(outputFilename, raw, 0600); err != nil {`
			`fmt.Fprintln(os.Stderr, err)`
			`os.Exit(1)`
			`}`
			`}`
			`}`