(ctx *cli.Context)
| 148 | } |
| 149 | |
| 150 | func signCertificateAction(ctx *cli.Context) error { |
| 151 | if err := errs.NumberOfArguments(ctx, 2); err != nil { |
| 152 | return err |
| 153 | } |
| 154 | |
| 155 | args := ctx.Args() |
| 156 | csrFile := args.Get(0) |
| 157 | crtFile := args.Get(1) |
| 158 | tok := ctx.String("token") |
| 159 | offline := ctx.Bool("offline") |
| 160 | |
| 161 | csrInt, err := pemutil.Read(csrFile) |
| 162 | if err != nil { |
| 163 | return err |
| 164 | } |
| 165 | csr, ok := csrInt.(*x509.CertificateRequest) |
| 166 | if !ok { |
| 167 | return errors.Errorf("error parsing %s: file is not a certificate request", csrFile) |
| 168 | } |
| 169 | if err = csr.CheckSignature(); err != nil { |
| 170 | return errors.Wrapf(err, "csr has invalid signature") |
| 171 | } |
| 172 | |
| 173 | // offline and token are incompatible because the token is generated before |
| 174 | // the start of the offline CA. |
| 175 | if offline && tok != "" { |
| 176 | return errs.IncompatibleFlagWithFlag(ctx, "offline", "token") |
| 177 | } |
| 178 | |
| 179 | // certificate flow unifies online and offline flows on a single api |
| 180 | flow, err := cautils.NewCertificateFlow(ctx, cautils.WithCertificateRequest(csr)) |
| 181 | if err != nil { |
| 182 | return err |
| 183 | } |
| 184 | |
| 185 | if tok == "" { |
| 186 | // Use the ACME protocol with a different certificate authority. |
| 187 | if ctx.IsSet("acme") { |
| 188 | return cautils.ACMESignCSRFlow(ctx, csr, crtFile, "") |
| 189 | } |
| 190 | sans := ctx.StringSlice("san") |
| 191 | sans = mergeSans(sans, csr) |
| 192 | if tok, err = flow.GenerateToken(ctx, csr.Subject.CommonName, sans); err != nil { |
| 193 | var acmeTokenErr *cautils.ACMETokenError |
| 194 | if errors.As(err, &acmeTokenErr) { |
| 195 | return cautils.ACMESignCSRFlow(ctx, csr, crtFile, acmeTokenErr.Name) |
| 196 | } |
| 197 | return err |
| 198 | } |
| 199 | } |
| 200 | |
| 201 | // Validate common name |
| 202 | jwt, err := token.ParseInsecure(tok) |
| 203 | if err != nil { |
| 204 | return errors.Wrap(err, "error parsing flag '--token'") |
| 205 | } |
| 206 | switch jwt.Payload.Type() { |
| 207 | case token.OIDC, token.AWS, token.GCP, token.Azure, token.K8sSA: |