
Function signCertificateAction

command/ca/sign.go:150–223
(ctx *cli.Context)


148}
149
150func signCertificateAction(ctx *cli.Context) error {
151 if err := errs.NumberOfArguments(ctx, 2); err != nil {
152 return err
153 }
154
155 args := ctx.Args()
156 csrFile := args.Get(0)
157 crtFile := args.Get(1)
158 tok := ctx.String("token")
159 offline := ctx.Bool("offline")
160
161 csrInt, err := pemutil.Read(csrFile)
162 if err != nil {
163 return err
164 }
165 csr, ok := csrInt.(*x509.CertificateRequest)
166 if !ok {
167 return errors.Errorf("error parsing %s: file is not a certificate request", csrFile)
168 }
169 if err = csr.CheckSignature(); err != nil {
170 return errors.Wrapf(err, "csr has invalid signature")
171 }
172
173 // offline and token are incompatible because the token is generated before
174 // the start of the offline CA.
175 if offline && tok != "" {
176 return errs.IncompatibleFlagWithFlag(ctx, "offline", "token")
177 }
178
179 // certificate flow unifies online and offline flows on a single api
180 flow, err := cautils.NewCertificateFlow(ctx, cautils.WithCertificateRequest(csr))
181 if err != nil {
182 return err
183 }
184
185 if tok == "" {
186 // Use the ACME protocol with a different certificate authority.
187 if ctx.IsSet("acme") {
188 return cautils.ACMESignCSRFlow(ctx, csr, crtFile, "")
189 }
190 sans := ctx.StringSlice("san")
191 sans = mergeSans(sans, csr)
192 if tok, err = flow.GenerateToken(ctx, csr.Subject.CommonName, sans); err != nil {
193 var acmeTokenErr *cautils.ACMETokenError
194 if errors.As(err, &acmeTokenErr) {
195 return cautils.ACMESignCSRFlow(ctx, csr, crtFile, acmeTokenErr.Name)
196 }
197 return err
198 }
199 }
200
201 // Validate common name
202 jwt, err := token.ParseInsecure(tok)
203 if err != nil {
204 return errors.Wrap(err, "error parsing flag '--token'")
205 }
206 switch jwt.Payload.Type() {
207 case token.OIDC, token.AWS, token.GCP, token.Azure, token.K8sSA:
