feat: CA certificate generation

Create CA ids, namespaces and certificates using bf itself. See bf new --help for more information.
RealImage · Feb 28, 2024 · a652644 · a652644
1 parent 134670e
commit a652644
Show file tree

Hide file tree

Showing 5 changed files with 119 additions and 23 deletions.
diff --git a/cmd/bf/ca.go b/cmd/bf/ca.go
@@ -23,7 +23,7 @@ var (
 		Aliases: []string{"ca"},
 		Flags: []cli.Flag{
 			caCertFlag,
-			caKeyFlag,
+			caPrivKeyFlag,
 			&cli.StringFlag{
 				Name:        "host",
 				Usage:       "listen on `HOST`",

diff --git a/cmd/bf/flags.go b/cmd/bf/flags.go
@@ -1,6 +1,10 @@
 package main
 
 import (
+	"io"
+	"os"
+
+	"github.com/google/uuid"
 	"github.com/urfave/cli/v2"
 )
 
@@ -10,23 +14,55 @@ func envvarNames(s string) []string {
 
 // Flags
 var (
+	namespace uuid.UUID
+	nsFlag    = &cli.StringFlag{
+		Name:     "namespace",
+		Usage:    "namespace `UUID`",
+		Required: true,
+		Aliases:  []string{"ns"},
+		EnvVars:  envvarNames("NS"),
+		Action: func(_ *cli.Context, ns string) (err error) {
+			namespace, err = uuid.Parse(ns)
+			return err
+		},
+	}
+
 	caCertUri  string
 	caCertFlag = &cli.StringFlag{
 		Name:        "ca-certificate",
 		Usage:       "read CA certificate from `FILE`",
 		Aliases:     []string{"ca-cert"},
-		EnvVars:     envvarNames("CA_CERTIFICATE"),
+		EnvVars:     envvarNames("CA_CERT"),
+		TakesFile:   true,
 		Value:       "cert.pem",
 		Destination: &caCertUri,
 	}
 
-	caPrivKeyUri string
-	caKeyFlag    = &cli.StringFlag{
+	caPrivKeyUri  string
+	caPrivKeyFlag = &cli.StringFlag{
 		Name:        "ca-private-key",
 		Usage:       "read CA private key from `FILE`",
 		Aliases:     []string{"ca-key"},
-		EnvVars:     envvarNames("CA_PRIVATE_KEY"),
+		EnvVars:     envvarNames("CA_PRIVKEY"),
+		TakesFile:   true,
 		Value:       "key.pem",
 		Destination: &caPrivKeyUri,
 	}
+
+	outputFile string
+	outputFlag = &cli.StringFlag{
+		Name:        "output",
+		Usage:       "write output to `FILE`",
+		Aliases:     []string{"o"},
+		TakesFile:   true,
+		Value:       "-",
+		Destination: &outputFile,
+	}
 )
+
+func getOutputWriter() (io.Writer, error) {
+	if outputFile == "-" {
+		return os.Stdout, nil
+	}
+	return os.Create(outputFile)
+}
diff --git a/cmd/bf/issue.go b/cmd/bf/issue.go
@@ -17,7 +17,7 @@ var (
 		Name: "issue",
 		Flags: []cli.Flag{
 			caCertFlag,
-			caKeyFlag,
+			caPrivKeyFlag,
 			&cli.TimestampFlag{
 				Name:        "not-before",
 				Usage:       "issue certificates valid from `TIMESTAMP`",

diff --git a/cmd/bf/new.go b/cmd/bf/new.go
@@ -1,10 +1,16 @@
 package main
 
 import (
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
 	"encoding/pem"
 	"fmt"
+	"math/big"
+	"time"
 
 	"github.com/RealImage/bifrost"
+	"github.com/RealImage/bifrost/cafiles"
 	"github.com/google/uuid"
 	"github.com/urfave/cli/v2"
 )
@@ -18,15 +24,26 @@ var newCmd = &cli.Command{
 			Name:    "namespace",
 			Aliases: []string{"ns"},
 			Usage:   "Create a new namespace",
+			Flags: []cli.Flag{
+				outputFlag,
+			},
 			Action: func(c *cli.Context) error {
-				fmt.Println(uuid.New().String())
+				out, err := getOutputWriter()
+				if err != nil {
+					return err
+				}
+
+				fmt.Fprintln(out, uuid.New())
 				return nil
 			},
 		},
 		{
 			Name:    "identity",
 			Aliases: []string{"id"},
 			Usage:   "Create a new identity",
+			Flags: []cli.Flag{
+				outputFlag,
+			},
 			Action: func(c *cli.Context) error {
 				key, err := bifrost.NewPrivateKey()
 				if err != nil {
@@ -40,31 +57,74 @@ var newCmd = &cli.Command{
 					Type:  "EC PRIVATE KEY",
 					Bytes: asn1Der,
 				}
-				fmt.Print(string(pem.EncodeToMemory(block)))
+
+				out, err := getOutputWriter()
+				if err != nil {
+					return err
+				}
+				fmt.Fprint(out, string(pem.EncodeToMemory(block)))
 				return nil
 			},
 		},
 		{
 			Name:    "ca-certificate",
 			Aliases: []string{"ca-cert", "ca"},
 			Flags: []cli.Flag{
-				caCertFlag,
-				caKeyFlag,
+				nsFlag,
+				caPrivKeyFlag,
+				outputFlag,
+				&cli.DurationFlag{
+					Name:  "validity",
+					Usage: "certificate `VALIDITY`",
+					Value: time.Hour * 24 * 365,
+				},
 			},
 			Usage: "Create a new certificate authority signing certificate",
 			Action: func(c *cli.Context) error {
-				return nil
-			},
-		},
-		{
-			Name:    "tls-certificate",
-			Aliases: []string{"tls-cert", "tls"},
-			Flags: []cli.Flag{
-				caCertFlag,
-				caKeyFlag,
-			},
-			Usage: "Create a new TLS server certificate",
-			Action: func(c *cli.Context) error {
+				key, err := cafiles.GetPrivateKey(c.Context, caPrivKeyUri)
+				if err != nil {
+					return err
+				}
+
+				notBefore := time.Now()
+				notAfter := notBefore.Add(c.Duration("validity"))
+
+				// Create root certificate.
+				template := x509.Certificate{
+					SerialNumber: big.NewInt(2),
+					Subject: pkix.Name{
+						CommonName:   key.UUID(namespace).String(),
+						Organization: []string{namespace.String()},
+					},
+					NotBefore:             notBefore,
+					NotAfter:              notAfter,
+					KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+					ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+					BasicConstraintsValid: true,
+				}
+
+				certDer, err := x509.CreateCertificate(
+					rand.Reader,
+					&template,
+					&template,
+					key.PublicKey().PublicKey,
+					key,
+				)
+				if err != nil {
+					return err
+				}
+
+				out, err := getOutputWriter()
+				if err != nil {
+					return err
+				}
+
+				block := &pem.Block{
+					Type:  "CERTIFICATE",
+					Bytes: certDer,
+				}
+				fmt.Fprint(out, string(pem.EncodeToMemory(block)))
+
 				return nil
 			},
 		},

diff --git a/cmd/bf/proxy.go b/cmd/bf/proxy.go
@@ -34,7 +34,7 @@ var (
 		Aliases: []string{"proxy", "id-proxy"},
 		Flags: []cli.Flag{
 			caCertFlag,
-			caKeyFlag,
+			caPrivKeyFlag,
 			&cli.StringFlag{
 				Name:        "backend-url",
 				Usage:       "Proxy requests to `URL`",