-
Notifications
You must be signed in to change notification settings - Fork 7
/
main.go
346 lines (297 loc) · 10.7 KB
/
main.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
// Copyright 2019 Aporeto Inc.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package main
import (
"fmt"
"log"
"os"
"strings"
"time"
"github.com/spf13/cobra"
"github.com/spf13/viper"
"go.aporeto.io/tg/tgnoob"
"golang.org/x/term"
)
func addOutputFlags(cmd *cobra.Command) {
cmd.Flags().String("out", "./", "Path to the directtory where the certificate files will be written.")
cmd.Flags().Bool("force", false, "Overwrite the certificate if it already exists.")
cmd.Flags().String("name", "", "Base name of the certificate.")
cmd.Flags().String("algo", "ecdsa", "Signature algorithm to use. Can be rsa or ecdsa.")
}
func addUsageFlags(cmd *cobra.Command) {
cmd.Flags().Bool("auth-server", false, "If set, the issued certificate can be used for server authentication.")
cmd.Flags().Bool("auth-client", false, "If set, the issued certificate can be used for client authentication.")
cmd.Flags().Bool("auth-email", false, "If set, the issued certificate can be used for email signature/encryption.")
}
func addPKIXFlags(cmd *cobra.Command) {
cmd.Flags().StringSlice("org", nil, "List of organizations that will be written in the certificate subject.")
cmd.Flags().StringSlice("org-unit", nil, "List of organizational units that will be written in the certificate subject.")
cmd.Flags().String("common-name", "", "Common name that will be written in the certificate subject.")
cmd.Flags().StringSlice("country", nil, "Country that will be written the the subject.")
cmd.Flags().StringSlice("state", nil, "State that will be written the the subject.")
cmd.Flags().StringSlice("city", nil, "City that will be written the the subject.")
cmd.Flags().StringSlice("zip-code", nil, "City that will be written the the subject.")
cmd.Flags().StringSlice("address", nil, "Address that will be written the the subject.")
cmd.Flags().StringSlice("dns", nil, "List of alternate DNS names.")
cmd.Flags().StringSlice("ip", nil, "List of alternate ips.")
}
func addSigningFlags(cmd *cobra.Command) {
cmd.Flags().String("signing-cert", "", "Path to the signing certificate.")
cmd.Flags().String("signing-cert-key", "", "Path to the signing certificate key.")
cmd.Flags().String("signing-cert-key-pass", "", "PathPassword to decrypt the signing certificate key.")
cmd.Flags().StringSlice("policy", nil, "Additional policy extensions in the form --policy <OID>. Note that 1.3.6.1.4.1 is automatically added. Just start with your PEN number.")
cmd.Flags().Duration("validity", 0, "Duration of the validity of the certificate. 0 means default: 1y for certificates, 10y for CAs")
}
func main() {
cobra.OnInitialize(func() {
viper.SetEnvPrefix("tlsgen")
viper.AutomaticEnv()
viper.SetEnvKeyReplacer(strings.NewReplacer("-", "_"))
})
var rootCmd = &cobra.Command{
Use: "tg",
}
var cmdGen = &cobra.Command{
Use: "cert",
Short: "Generate certificates",
PreRunE: func(cmd *cobra.Command, args []string) error {
return viper.BindPFlags(cmd.Flags())
},
Run: func(cmd *cobra.Command, args []string) {
generateCertificate()
},
}
cmdGen.Flags().Bool("p12", false, "If set, a p12 will also be generated. This needs openssl binary to be installed on your machine.")
cmdGen.Flags().String("p12-pass", "", "Set the p12 passphrase. Only works when --p12 is set.")
cmdGen.Flags().Bool("is-ca", false, "If set the issued certificate could be used as a certificate authority.")
cmdGen.Flags().String("pass", "", "Passphrase to use for the private key. If not given it will not be encryped.")
addPKIXFlags(cmdGen)
addSigningFlags(cmdGen)
addUsageFlags(cmdGen)
addOutputFlags(cmdGen)
var csrGen = &cobra.Command{
Use: "csr",
Short: "Generate certificate signing request",
PreRunE: func(cmd *cobra.Command, args []string) error {
return viper.BindPFlags(cmd.Flags())
},
Run: func(cmd *cobra.Command, args []string) {
generateCSR()
},
}
csrGen.Flags().String("cert", "", "Create a new CSR from the given existing certificate. All other options will be ignored.")
csrGen.Flags().String("cert-key", "", "Path to the key associated to the cert.")
csrGen.Flags().String("cert-key-pass", "", "Password to the key associated to the cert.")
addPKIXFlags(csrGen)
addOutputFlags(csrGen)
var csrSign = &cobra.Command{
Use: "sign",
Short: "Sign the given certificate signing request",
PreRunE: func(cmd *cobra.Command, args []string) error {
return viper.BindPFlags(cmd.Flags())
},
Run: func(cmd *cobra.Command, args []string) {
signCSR()
},
}
csrSign.Flags().StringSlice("csr", nil, "Path to csrs to sign.")
csrSign.Flags().Bool("is-ca", false, "If set the issued certificate could be used as a certificate authority.")
addSigningFlags(csrSign)
addUsageFlags(csrSign)
addOutputFlags(csrSign)
var verifyCmd = &cobra.Command{
Use: "verify",
Short: "Verify if the given cert has been signed by another one",
PreRunE: func(cmd *cobra.Command, args []string) error {
return viper.BindPFlags(cmd.Flags())
},
Run: func(cmd *cobra.Command, args []string) {
verifyCert()
},
}
verifyCmd.Flags().String("cert", "", "Path to certificate to verify.")
verifyCmd.Flags().String("signer", "", "Path to signing certificate.")
addUsageFlags(verifyCmd)
var decryptCmd = &cobra.Command{
Use: "decrypt",
Short: "Decrypt of the given private key",
PreRunE: func(cmd *cobra.Command, args []string) error {
return viper.BindPFlags(cmd.Flags())
},
Run: func(cmd *cobra.Command, args []string) {
decryptPrivateKey()
},
}
decryptCmd.Flags().String("key", "", "path to the key.")
decryptCmd.Flags().String("pass", "", "password to decrypt the key.")
var encryptCmd = &cobra.Command{
Use: "encrypt",
Short: "Encrypt of the given private key",
PreRunE: func(cmd *cobra.Command, args []string) error {
return viper.BindPFlags(cmd.Flags())
},
Run: func(cmd *cobra.Command, args []string) {
encryptPrivateKey()
},
}
encryptCmd.Flags().String("key", "", "path to the key.")
encryptCmd.Flags().String("pass", "", "password to encrypt the key.")
rootCmd.AddCommand(
cmdGen,
csrGen,
csrSign,
verifyCmd,
decryptCmd,
encryptCmd,
)
_ = rootCmd.Execute() // nolint: errcheck
}
func generateCertificate() {
if err := tgnoob.GenerateCertificate(
viper.GetString("name"),
viper.GetString("common-name"),
getPass("Enter passphrase for the private key: ", "pass"),
viper.GetBool("is-ca"),
viper.GetBool("auth-server"),
viper.GetBool("auth-client"),
viper.GetBool("auth-email"),
viper.GetBool("p12"),
getPass("Enter p12 passphrase: ", "p12-pass"),
viper.GetString("out"),
viper.GetBool("force"),
viper.GetString("algo"),
viper.GetString("signing-cert"),
viper.GetString("signing-cert-key"),
getPass("Enter passphrase of the signing key: ", "signing-cert-key-pass"),
viper.GetStringSlice("country"),
viper.GetStringSlice("state"),
viper.GetStringSlice("city"),
viper.GetStringSlice("address"),
viper.GetStringSlice("zip-code"),
viper.GetStringSlice("org"),
viper.GetStringSlice("org-unit"),
viper.GetStringSlice("dns"),
viper.GetStringSlice("ip"),
getValidity(viper.GetDuration("validity"), viper.GetBool("is-ca")),
viper.GetStringSlice("policy"),
); err != nil {
log.Fatalf("could not generate certificate: %s", err)
}
log.Printf("certificate key pair created: cert: %s-cert.pem, key: %s-key.pem", viper.GetString("name"), viper.GetString("name"))
}
func generateCSR() {
if err := tgnoob.GenerateCSR(
viper.GetString("name"),
viper.GetString("common-name"),
viper.GetString("cert"),
viper.GetString("cert-key"),
getPass("Enter passphrase for the signing key: ", "cert-key-pass"),
viper.GetString("out"),
viper.GetBool("force"),
viper.GetString("algo"),
viper.GetStringSlice("country"),
viper.GetStringSlice("state"),
viper.GetStringSlice("city"),
viper.GetStringSlice("address"),
viper.GetStringSlice("zip-code"),
viper.GetStringSlice("org"),
viper.GetStringSlice("org-unit"),
viper.GetStringSlice("dns"),
viper.GetStringSlice("ip"),
viper.GetStringSlice("policy"),
); err != nil {
log.Fatalf("could not generate csr: %s", err)
}
log.Printf("certificate request and private key created: cert: %s-csr.pem, key: %s-key.pem", viper.GetString("name"), viper.GetString("name"))
}
func signCSR() {
if err := tgnoob.SignCSR(
viper.GetString("name"),
viper.GetBool("is-ca"),
viper.GetBool("auth-server"),
viper.GetBool("auth-client"),
viper.GetBool("auth-email"),
viper.GetString("out"),
viper.GetBool("force"),
viper.GetString("algo"),
viper.GetString("signing-cert"),
viper.GetString("signing-cert-key"),
getPass("Enter passphrase of the signing key: ", "signing-cert-key-pass"),
viper.GetStringSlice("csr"),
getValidity(viper.GetDuration("validity"), false),
viper.GetStringSlice("policy"),
); err != nil {
log.Fatalf("could not sign csr: %s", err)
}
log.Printf("certificate issued: cert: %s-cert.pem", viper.GetString("name"))
}
func verifyCert() {
if err := tgnoob.VerifyCert(
viper.GetString("cert"),
viper.GetString("signer"),
viper.GetBool("auth-server"),
viper.GetBool("auth-client"),
viper.GetBool("auth-email"),
); err != nil {
log.Fatalf("could not verify the certificate: %s", err)
}
log.Print("certificate verified")
}
func decryptPrivateKey() {
var (
err error
encodedPem []byte
)
if encodedPem, err = tgnoob.DecryptPrivateKey(
viper.GetString("key"),
getPass("Passphrase: ", "pass"),
); err != nil {
log.Fatalf("unable to decrypt private key: %s", err)
}
fmt.Printf("%s", encodedPem)
}
func encryptPrivateKey() {
var (
err error
encodedPem []byte
)
if encodedPem, err = tgnoob.EncryptPrivateKey(
viper.GetString("key"),
getPass("Passphrase: ", "pass"),
); err != nil {
log.Fatalf("unable to encrypt private key: %s", err)
}
fmt.Printf("%s", encodedPem)
}
func getPass(title, key string) string {
pass := viper.GetString(key)
if pass != "-" {
return pass
}
if title != "" {
fmt.Fprint(os.Stderr, title) // nolint: errcheck
}
password, err := term.ReadPassword(int(os.Stdin.Fd()))
fmt.Fprint(os.Stderr, "\n") // nolint: errcheck
if err != nil {
panic("unable to read your information: %s")
}
return string(password)
}
func getValidity(duration time.Duration, isCA bool) time.Duration {
if duration != 0 {
return duration
}
if isCA {
return 86400 * time.Hour
}
return 8640 * time.Hour
}