parseSigner returns the parent certificate and key for leaf and intermediate certificates. When a template is used, it will return the key only if the flags --ca and --ca-key are passed.
(ctx *cli.Context, defaultSigner crypto.Signer)
| 839 | // certificates. When a template is used, it will return the key only if the |
| 840 | // flags --ca and --ca-key are passed. |
| 841 | func parseSigner(ctx *cli.Context, defaultSigner crypto.Signer) (*x509.Certificate, crypto.Signer, error) { |
| 842 | var ( |
| 843 | caCert = ctx.String("ca") |
| 844 | caKey = ctx.String("ca-key") |
| 845 | caKMS = ctx.String("ca-kms") |
| 846 | profile = ctx.String("profile") |
| 847 | template = ctx.String("template") |
| 848 | ) |
| 849 | |
| 850 | // Check required flags when profile is used. |
| 851 | if template == "" { |
| 852 | switch profile { |
| 853 | case profileLeaf, profileIntermediateCA: |
| 854 | if caCert == "" { |
| 855 | return nil, nil, errs.RequiredWithFlagValue(ctx, "profile", profile, "ca") |
| 856 | } |
| 857 | if caKey == "" { |
| 858 | return nil, nil, errs.RequiredWithFlagValue(ctx, "profile", profile, "ca-key") |
| 859 | } |
| 860 | case profileRootCA, profileSelfSigned: |
| 861 | if caCert != "" { |
| 862 | return nil, nil, errs.IncompatibleFlagValue(ctx, "ca", "profile", profile) |
| 863 | } |
| 864 | if caKey != "" { |
| 865 | return nil, nil, errs.IncompatibleFlagValue(ctx, "ca-key", "profile", profile) |
| 866 | } |
| 867 | default: |
| 868 | return nil, nil, errs.InvalidFlagValue(ctx, "profile", profile, "leaf, intermediate-ca, root-ca, self-signed") |
| 869 | } |
| 870 | } |
| 871 | |
| 872 | // Root, self-signed, or template with no parent. |
| 873 | if caCert == "" && caKey == "" { |
| 874 | return nil, defaultSigner, nil |
| 875 | } |
| 876 | |
| 877 | // Leaf, intermediate or template with |
| 878 | switch { |
| 879 | case caCert != "" && caKey == "": |
| 880 | return nil, nil, errs.RequiredWithFlag(ctx, "ca", "ca-key") |
| 881 | case caCert == "" && caKey != "": |
| 882 | return nil, nil, errs.RequiredWithFlag(ctx, "ca-key", "ca") |
| 883 | } |
| 884 | |
| 885 | // Parse --ca as a certificate. |
| 886 | cert, err := pemutil.ReadCertificate(caCert) |
| 887 | if err != nil { |
| 888 | return nil, nil, err |
| 889 | } |
| 890 | |
| 891 | // Parse --ca-key as a crypto.Signer. |
| 892 | passFile := ctx.String("ca-password-file") |
| 893 | opts := []pemutil.Options{} |
| 894 | if passFile != "" { |
| 895 | opts = append(opts, pemutil.WithPasswordFile(passFile)) |
| 896 | } |
| 897 | |
| 898 | signer, err := cryptoutil.CreateSigner(caKMS, caKey, opts...) |