Skip to content
This repository has been archived by the owner on Aug 31, 2021. It is now read-only.

Commit

Permalink
Group example binary to not mess with go get.
Browse files Browse the repository at this point in the history
  • Loading branch information
jeremy-clerc committed Feb 15, 2017
1 parent 51e2e81 commit 48788f8
Show file tree
Hide file tree
Showing 4 changed files with 162 additions and 172 deletions.
10 changes: 5 additions & 5 deletions example/client-auth/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,14 +7,14 @@ having a trusted certificate.
Build the PKI from the yaml definition:

```
go run build-pki.go -config_path pki.yaml -db_path pki.boltdb
go run client-auth.go -config_path pki.yaml -db_path pki.boltdb
```

Fetch the certificates needed for nginx:

```
go run get.go -db_path pki.boltdb -ca_name "Admins Intermediate CA" -bundle_name "localhost"
go run get.go -db_path pki.boltdb -bundle_name "Admins Intermediate CA"
go run client-auth.go -db_path pki.boltdb -ca_name "Admins Intermediate CA" -bundle_name "localhost"
go run client-auth.go -db_path pki.boltdb -bundle_name "Admins Intermediate CA"
```

Create the nginx config structure:
Expand All @@ -32,7 +32,7 @@ golang.org/x/crypto/pkcs12 only provides decoding, so we use openssl.
Fetch the client certificate and create a pkcs12 formatted file:

```
go run get.go -db_path pki.boltdb -ca_name "Admins Intermediate CA" -bundle_name [email protected] -full_chain=false
go run client-auth.go -db_path pki.boltdb -ca_name "Admins Intermediate CA" -bundle_name [email protected] -full_chain=false
cat [email protected].{key,crt} | openssl pkcs12 -export -out [email protected]+pkcs12.crt
```

Expand All @@ -41,7 +41,7 @@ Import [email protected]+pkcs12.crt in your favorite browser.
Fetch the root CA to import in the browser:

```
go run get.go -db_path pki.boltdb -bundle_name "CA"
go run client-auth.go -db_path pki.boltdb -bundle_name "CA"
```

Import CA+chain.crt in your favorite browser.
Expand Down
82 changes: 0 additions & 82 deletions example/client-auth/build-pki.go

This file was deleted.

157 changes: 157 additions & 0 deletions example/client-auth/client-auth.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,157 @@
package main

import (
"encoding/pem"
"flag"
"io/ioutil"
"log"
"time"

"os"

"crypto/x509"
"crypto/x509/pkix"

"github.com/boltdb/bolt"
"github.com/go-yaml/yaml"
"github.com/google/easypki/pkg/certificate"
"github.com/google/easypki/pkg/easypki"
"github.com/google/easypki/pkg/store"
)

func main() {
var (
caName = flag.String("ca_name", "", "Name of the CA which signed the bundle.")
bundleName = flag.String("bundle_name", "", "Name of the bundle to retrieve.")
fullChain = flag.Bool("full_chain", true, "Include chain of trust in certificate output.")
dbPath = flag.String("db_path", "", "Bolt database path.")
configPath = flag.String("config_path", "", "Configuration path to generate PKI.")
)
flag.Parse()
if *dbPath == "" {
log.Fatal("Arg db_path must be set.")
}
if *bundleName == "" && *configPath == "" {
log.Fatal("One of bundle_name or config_path must be set.")
}
db, err := bolt.Open(*dbPath, 0600, nil)
if err != nil {
log.Fatalf("Failed opening bolt database %v: %v", *dbPath, err)
}
defer db.Close()
pki := &easypki.EasyPKI{Store: &store.Bolt{DB: db}}
if *bundleName != "" {
get(pki, *caName, *bundleName, *fullChain)
return
}
build(pki, *configPath)
}

// build create a full PKI based on a yaml configuration.
func build(pki *easypki.EasyPKI, configPath string) {
type configCerts struct {
Name string `yaml:"name"`
CommonName string `yaml:"commonName"`
DNSNames []string `yaml:"dnsNames"`
EmailAddresses []string `yaml:"emailAddresses"`
IsCA bool `yaml:"isCA"`
IsClient bool `yaml:"isClient"`
Signer string `yaml:"signer"`
Expire time.Duration `yaml:"expire"`
}

type config struct {
Subject pkix.Name `yaml:"subject"`
Certs []configCerts `yaml:"certs"`
}

b, err := ioutil.ReadFile(configPath)
if err != nil {
log.Fatalf("Failed reading configuration file %v: %v", configPath, err)
}
conf := &config{}
if err := yaml.Unmarshal(b, conf); err != nil {
log.Fatalf("Failed umarshaling yaml config (%v) %v: %v", configPath, string(b), err)
}
for _, cert := range conf.Certs {
req := &easypki.Request{
Name: cert.Name,
Template: &x509.Certificate{
Subject: conf.Subject,
NotAfter: time.Now().Add(cert.Expire),
IsCA: cert.IsCA,
DNSNames: cert.DNSNames,
EmailAddresses: cert.EmailAddresses,
},
IsClientCertificate: cert.IsClient,
}
if cert.IsCA {
req.Template.MaxPathLen = -1
}
req.Template.Subject.CommonName = cert.CommonName
var signer *certificate.Bundle
if cert.Signer != "" {
signer, err = pki.GetCA(cert.Signer)
if err != nil {
log.Fatalf("Cannot sign %v because cannot get CA %v: %v", cert.Name, cert.Signer, err)
}
}
if err := pki.Sign(signer, req); err != nil {
log.Fatalf("Cannot create bundle for %v: %v", cert.Name, err)
}
}
}

// get retrieves a bundle from the bolt database. If fullChain is true, the
// certificate will be the chain of trust from the primary tup to root CA.
func get(pki *easypki.EasyPKI, caName, bundleName string, fullChain bool) {
var bundle *certificate.Bundle
if caName == "" {
caName = bundleName
}
bundle, err := pki.GetBundle(caName, bundleName)
if err != nil {
log.Fatalf("Failed getting bundle %v within CA %v: %v", bundleName, caName, err)
}
leaf := bundle
chain := []*certificate.Bundle{bundle}
if fullChain {
for {
if leaf.Cert.Issuer.CommonName == leaf.Cert.Subject.CommonName {
break
}
ca, err := pki.GetCA(leaf.Cert.Issuer.CommonName)
if err != nil {
log.Fatalf("Failed getting signing CA %v: %v", leaf.Cert.Issuer.CommonName, err)
}
chain = append(chain, ca)
leaf = ca
}
}
key, err := os.Create(bundleName + ".key")
if err != nil {
log.Fatalf("Failed creating key output file: %v", err)
}
if err := pem.Encode(key, &pem.Block{
Bytes: x509.MarshalPKCS1PrivateKey(bundle.Key),
Type: "RSA PRIVATE KEY",
}); err != nil {
log.Fatalf("Failed ecoding private key: %v", err)
}
crtName := bundleName + ".crt"
if fullChain {
crtName = bundleName + "+chain.crt"
}
cert, err := os.Create(crtName)
if err != nil {
log.Fatalf("Failed creating chain output file: %v", err)
}
for _, c := range chain {
if err := pem.Encode(cert, &pem.Block{
Bytes: c.Cert.Raw,
Type: "CERTIFICATE",
}); err != nil {
log.Fatalf("Failed ecoding %v certificate: %v", c.Name, err)
}
}
}
85 changes: 0 additions & 85 deletions example/client-auth/get.go

This file was deleted.

0 comments on commit 48788f8

Please sign in to comment.