OfflineTokenFlow generates a provisioning token using one of two sources: (1) the static configuration in ca.json (created with `step ca init`), or (2) values passed on the command line. The two are mutually exclusive and ca.json takes priority: when the file named by `--ca-config` exists, the offline CA generates the token and the flag-based path is not consulted. When ca.json is absent, the flag path requires a provisioner name (`--provisioner`/`--issuer`) and `--key`; `--kid` is optional and, if omitted, is derived from the key's JWK thumbprint.
(ctx *cli.Context, typ int, subject string, sans []string, notBefore, notAfter time.Time, certNotBefore, certNotAfter provisioner.TimeDuration)
| 210 | // |
| 211 | // These two options are mutually exclusive and priority is given to ca.json. |
| 212 | func OfflineTokenFlow(ctx *cli.Context, typ int, subject string, sans []string, notBefore, notAfter time.Time, certNotBefore, certNotAfter provisioner.TimeDuration) (string, error) { |
| 213 | caConfig := ctx.String("ca-config") |
| 214 | if caConfig == "" { |
| 215 | return "", errs.InvalidFlagValue(ctx, "ca-config", "", "") |
| 216 | } |
| 217 | |
| 218 | // Using the offline CA |
| 219 | if utils.FileExists(caConfig) { |
| 220 | offlineCA, err := NewOfflineCA(ctx, caConfig) |
| 221 | if err != nil { |
| 222 | return "", err |
| 223 | } |
| 224 | return offlineCA.GenerateToken(ctx, typ, subject, sans, notBefore, notAfter, certNotBefore, certNotAfter) |
| 225 | } |
| 226 | |
| 227 | kid := ctx.String("kid") |
| 228 | provisionerName, flag := flags.FirstStringOf(ctx, "provisioner", "issuer") |
| 229 | |
| 230 | // Require provisionerName and keyFile if ca.json does not exists. |
| 231 | // kid can be passed or created using jwk.Thumbprint. |
| 232 | switch { |
| 233 | case provisionerName == "": |
| 234 | return "", errs.RequiredWithFlag(ctx, "offline", flag) |
| 235 | case ctx.String("key") == "": |
| 236 | return "", errs.RequiredWithFlag(ctx, "offline", "key") |
| 237 | } |
| 238 | |
| 239 | // Get audience from ca-url |
| 240 | audience, err := parseAudience(ctx, typ) |
| 241 | if err != nil { |
| 242 | return "", err |
| 243 | } |
| 244 | |
| 245 | // Get root from argument or default location |
| 246 | root := ctx.String("root") |
| 247 | if root == "" { |
| 248 | root = pki.GetRootCAPath() |
| 249 | if utils.FileExists(root) { |
| 250 | return "", errs.RequiredFlag(ctx, "root") |
| 251 | } |
| 252 | } |
| 253 | |
| 254 | tokAttrs := tokenAttrs{ |
| 255 | subject: subject, |
| 256 | root: root, |
| 257 | audience: audience, |
| 258 | provisionerName: provisionerName, |
| 259 | kid: kid, |
| 260 | sans: sans, |
| 261 | notBefore: notBefore, |
| 262 | notAfter: notAfter, |
| 263 | certNotBefore: certNotBefore, |
| 264 | certNotAfter: certNotAfter, |
| 265 | } |
| 266 | |
| 267 | switch { |
| 268 | case ctx.IsSet("x5c-cert") || ctx.IsSet("x5c-key"): |
| 269 | return generateX5CToken(ctx, nil, typ, tokAttrs) |