Home Explore Help
Sign In
cloudflare
/
cfssl
mirror of https://github.com/cloudflare/cfssl
Watch 1
Star 0
Fork 0
Files Issues
Branch: nicky/golang-cross-latest
Branches Tags
cfssl
/
cli
/
gencert
/
gencert.go

gencert.go 4.2 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166 
  1. // Package gencert implements the gencert command.
    2. 

  2. package gencert
    3. 

  3. 

  4. import (
    5. 

  5. 	"encoding/json"
    6. 

  6. 	"errors"
    7. 

  7. 

  8. 	"github.com/cloudflare/cfssl/api/generator"
    9. 

  9. 	"github.com/cloudflare/cfssl/cli"
    10. 

  10. 	"github.com/cloudflare/cfssl/cli/genkey"
    11. 

  11. 	"github.com/cloudflare/cfssl/cli/sign"
    12. 

  12. 	"github.com/cloudflare/cfssl/csr"
    13. 

  13. 	"github.com/cloudflare/cfssl/initca"
    14. 

  14. 	"github.com/cloudflare/cfssl/log"
    15. 

  15. 	"github.com/cloudflare/cfssl/signer"
    16. 

  16. )
    17. 

  17. 

  18. var gencertUsageText = `cfssl gencert -- generate a new key and signed certificate
    19. 

  19. 

  20. Usage of gencert:
    21. 

  21.     Generate a new key and cert from CSR:
    22. 

  22.         cfssl gencert -initca CSRJSON
    23. 

  23.         cfssl gencert -ca cert -ca-key key [-config config] [-profile profile] [-hostname hostname] CSRJSON
    24. 

  24.         cfssl gencert -remote remote_host [-config config] [-profile profile] [-label label] [-hostname hostname] CSRJSON
    25. 

  25. 

  26.     Re-generate a CA cert with the CA key and CSR:
    27. 

  27.         cfssl gencert -initca -ca-key key CSRJSON
    28. 

  28. 

  29.     Re-generate a CA cert with the CA key and certificate:
    30. 

  30.         cfssl gencert -renewca -ca cert -ca-key key
    31. 

  31. 

  32. Arguments:
    33. 

  33.         CSRJSON:    JSON file containing the request, use '-' for reading JSON from stdin
    34. 

  34. 

  35. Flags:
    36. 

  36. `
    37. 

  37. 

  38. var gencertFlags = []string{"initca", "remote", "ca", "ca-key", "config", "cn", "hostname", "profile", "label"}
    39. 

  39. 

  40. func gencertMain(args []string, c cli.Config) error {
    41. 

  41. 	if c.RenewCA {
    42. 

  42. 		log.Infof("re-generate a CA certificate from CA cert and key")
    43. 

  43. 		cert, err := initca.RenewFromPEM(c.CAFile, c.CAKeyFile)
    44. 

  44. 		if err != nil {
    45. 

  45. 			log.Errorf("%v\n", err)
    46. 

  46. 			return err
    47. 

  47. 		}
    48. 

  48. 		cli.PrintCert(nil, nil, cert)
    49. 

  49. 		return nil
    50. 

  50. 	}
    51. 

  51. 

  52. 	csrJSONFile, args, err := cli.PopFirstArgument(args)
    53. 

  53. 	if err != nil {
    54. 

  54. 		return err
    55. 

  55. 	}
    56. 

  56. 

  57. 	if len(args) > 0 {
    58. 

  58. 		return errors.New("only one argument is accepted, please check with usage")
    59. 

  59. 	}
    60. 

  60. 

  61. 	csrJSONFileBytes, err := cli.ReadStdin(csrJSONFile)
    62. 

  62. 	if err != nil {
    63. 

  63. 		return err
    64. 

  64. 	}
    65. 

  65. 

  66. 	req := csr.CertificateRequest{
    67. 

  67. 		KeyRequest: csr.NewKeyRequest(),
    68. 

  68. 	}
    69. 

  69. 	err = json.Unmarshal(csrJSONFileBytes, &req)
    70. 

  70. 	if err != nil {
    71. 

  71. 		return err
    72. 

  72. 	}
    73. 

  73. 	if c.CNOverride != "" {
    74. 

  74. 		req.CN = c.CNOverride
    75. 

  75. 	}
    76. 

  76. 	switch {
    77. 

  77. 	case c.IsCA:
    78. 

  78. 		var key, csrPEM, cert []byte
    79. 

  79. 		if c.CAKeyFile != "" {
    80. 

  80. 			log.Infof("re-generate a CA certificate from CSR and CA key")
    81. 

  81. 			cert, csrPEM, err = initca.NewFromPEM(&req, c.CAKeyFile)
    82. 

  82. 			if err != nil {
    83. 

  83. 				log.Errorf("%v\n", err)
    84. 

  84. 				return err
    85. 

  85. 			}
    86. 

  86. 		} else {
    87. 

  87. 			log.Infof("generating a new CA key and certificate from CSR")
    88. 

  88. 			cert, csrPEM, key, err = initca.New(&req)
    89. 

  89. 			if err != nil {
    90. 

  90. 				return err
    91. 

  91. 			}
    92. 

  92. 

  93. 		}
    94. 

  94. 		cli.PrintCert(key, csrPEM, cert)
    95. 

  95. 

  96. 	default:
    97. 

  97. 		if req.CA != nil {
    98. 

  98. 			err = errors.New("ca section only permitted in initca")
    99. 

  99. 			return err
    100. 

  100. 		}
    101. 

  101. 

  102. 		if c.Hostname != "" {
    103. 

  103. 			req.Hosts = signer.SplitHosts(c.Hostname)
    104. 

  104. 		}
    105. 

  105. 		// Remote can be forced on the command line or in the config
    106. 

  106. 		if c.Remote == "" && c.CFG == nil {
    107. 

  107. 			if c.CAFile == "" {
    108. 

  108. 				log.Error("need a CA certificate (provide one with -ca)")
    109. 

  109. 				return nil
    110. 

  110. 			}
    111. 

  111. 

  112. 			if c.CAKeyFile == "" {
    113. 

  113. 				log.Error("need a CA key (provide one with -ca-key)")
    114. 

  114. 				return nil
    115. 

  115. 			}
    116. 

  116. 		}
    117. 

  117. 

  118. 		var key, csrBytes []byte
    119. 

  119. 		g := &csr.Generator{Validator: genkey.Validator}
    120. 

  120. 		csrBytes, key, err = g.ProcessRequest(&req)
    121. 

  121. 		if err != nil {
    122. 

  122. 			key = nil
    123. 

  123. 			return err
    124. 

  124. 		}
    125. 

  125. 

  126. 		s, err := sign.SignerFromConfig(c)
    127. 

  127. 		if err != nil {
    128. 

  128. 			return err
    129. 

  129. 		}
    130. 

  130. 

  131. 		var cert []byte
    132. 

  132. 		signReq := signer.SignRequest{
    133. 

  133. 			Request: string(csrBytes),
    134. 

  134. 			Hosts:   signer.SplitHosts(c.Hostname),
    135. 

  135. 			Profile: c.Profile,
    136. 

  136. 			Label:   c.Label,
    137. 

  137. 		}
    138. 

  138. 

  139. 		if c.CRL != "" {
    140. 

  140. 			signReq.CRLOverride = c.CRL
    141. 

  141. 		}
    142. 

  142. 		cert, err = s.Sign(signReq)
    143. 

  143. 		if err != nil {
    144. 

  144. 			return err
    145. 

  145. 		}
    146. 

  146. 

  147. 		// This follows the Baseline Requirements for the Issuance and
    148. 

  148. 		// Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser
    149. 

  149. 		// Forum (https://cabforum.org). Specifically, section 10.2.3 ("Information
    150. 

  150. 		// Requirements"), states:
    151. 

  151. 		//
    152. 

  152. 		// "Applicant information MUST include, but not be limited to, at least one
    153. 

  153. 		// Fully-Qualified Domain Name or IP address to be included in the Certificate’s
    154. 

  154. 		// SubjectAltName extension."
    155. 

  155. 		if len(signReq.Hosts) == 0 && len(req.Hosts) == 0 {
    156. 

  156. 			log.Warning(generator.CSRNoHostMessage)
    157. 

  157. 		}
    158. 

  158. 

  159. 		cli.PrintCert(key, csrBytes, cert)
    160. 

  160. 	}
    161. 

  161. 	return nil
    162. 

  162. }
    163. 

  163. 

  164. // Command assembles the definition of Command 'gencert'
    165. 

  165. var Command = &cli.Command{UsageText: gencertUsageText, Flags: gencertFlags, Main: gencertMain}
    166. 

  166.