(ctx *cli.Context)
| 771 | } |
| 772 | |
| 773 | func parseOrCreateKey(ctx *cli.Context) (crypto.PublicKey, crypto.Signer, error) { |
| 774 | var ( |
| 775 | kms = ctx.String("kms") |
| 776 | keyFile = ctx.String("key") |
| 777 | ) |
| 778 | |
| 779 | // Validate key parameters and generate key pair |
| 780 | if keyFile == "" { |
| 781 | insecureMode := ctx.Bool("insecure") |
| 782 | kty, crv, size, err := utils.GetKeyDetailsFromCLI(ctx, insecureMode, "kty", "curve", "size") |
| 783 | if err != nil { |
| 784 | return nil, nil, err |
| 785 | } |
| 786 | if insecureMode { // put keyutil in insecure mode, allowing RSA keys shorter than 2048 bits |
| 787 | undoInsecure := keyutil.Insecure() |
| 788 | defer undoInsecure() |
| 789 | } |
| 790 | pub, priv, err := keyutil.GenerateKeyPair(kty, crv, size) |
| 791 | if err != nil { |
| 792 | return nil, nil, err |
| 793 | } |
| 794 | signer, ok := priv.(crypto.Signer) |
| 795 | if !ok { |
| 796 | return nil, nil, errors.Errorf("private key of type %T is not a crypto.Signer", priv) |
| 797 | } |
| 798 | return pub, signer, nil |
| 799 | } |
| 800 | |
| 801 | // Validate incompatible flags and read a key file |
| 802 | switch { |
| 803 | case ctx.IsSet("kty"): |
| 804 | return nil, nil, errs.IncompatibleFlag(ctx, "key", "kty") |
| 805 | case ctx.IsSet("crv"): |
| 806 | return nil, nil, errs.IncompatibleFlag(ctx, "key", "crv") |
| 807 | case ctx.IsSet("size"): |
| 808 | return nil, nil, errs.IncompatibleFlag(ctx, "key", "size") |
| 809 | } |
| 810 | |
| 811 | opts := []pemutil.Options{} |
| 812 | passFile := ctx.String("password-file") |
| 813 | if passFile != "" { |
| 814 | opts = append(opts, pemutil.WithPasswordFile(passFile)) |
| 815 | } |
| 816 | |
| 817 | var pub crypto.PublicKey |
| 818 | var signer crypto.Signer |
| 819 | |
| 820 | signer, err := cryptoutil.CreateSigner(kms, keyFile, opts...) |
| 821 | if err != nil { |
| 822 | // TODO: check sentinel error; if it's not a signer, it could be a public key instead |
| 823 | pub, err = cryptoutil.PublicKey(kms, keyFile, opts...) |
| 824 | if err != nil { |
| 825 | return nil, nil, err |
| 826 | } |
| 827 | } else { |
| 828 | pub = signer.Public() |
| 829 | // Make sure we can sign X509 certificates with it. |
| 830 | if !cryptoutil.IsX509Signer(signer) { |