package ca import ( "crypto/rsa" "crypto/x509" "encoding/pem" "fmt" "os" "time" "github.com/spf13/cobra" "src.lwithers.me.uk/go/rsa/pkg/ca" "src.lwithers.me.uk/go/rsa/pkg/pemfile" ) // Sign one or more CSRs. func Sign(cmd *cobra.Command, args []string) { csrFilename := args[0] from, until := signingDates(365 * 24 * time.Hour) // open the CA ca, err := ca.Open(dir) if err != nil { fmt.Fprintln(os.Stderr, err) os.Exit(1) } // parse the CSR csr, err := pemfile.ReadCSR(csrFilename) if err != nil { fmt.Fprintln(os.Stderr, err) os.Exit(1) } pubKey, ok := csr.PublicKey.(*rsa.PublicKey) if !ok { fmt.Fprintf(os.Stderr, "%s: public key is not RSA\n", csrFilename) os.Exit(1) } // build the certificate template var ( keyUsage x509.KeyUsage extKeyUsage []x509.ExtKeyUsage ) switch { // TODO: CLI flags case len(csr.DNSNames) == 0 && len(csr.IPAddresses) == 0: extKeyUsage = append(extKeyUsage, x509.ExtKeyUsageClientAuth) default: extKeyUsage = append(extKeyUsage, x509.ExtKeyUsageServerAuth) } template := &x509.Certificate{ KeyUsage: keyUsage, ExtKeyUsage: extKeyUsage, Subject: csr.Subject, NotBefore: from, NotAfter: until, DNSNames: csr.DNSNames, IPAddresses: csr.IPAddresses, } // sign the certificate cert, auditDir, err := ca.Sign(template, pubKey) if err != nil { fmt.Fprintln(os.Stderr, err) os.Exit(1) } raw := pem.EncodeToMemory(&pem.Block{ Type: pemfile.TypeX509Certificate, Bytes: cert.Raw, }) // TODO: copy CSR to audit dir _ = auditDir // write CSR to output file switch outputFilename { case "", "-": os.Stdout.Write(raw) default: if err := os.WriteFile(outputFilename, raw, 0600); err != nil { fmt.Fprintln(os.Stderr, err) os.Exit(1) } } }