CreateSignRequest is a helper function that, given an x509 one-time token (OTT), returns a simple but secure sign request as well as the private key used. Note that the token is parsed with token.ParseInsecure, i.e. its signature is not checked here: the claims are used only to derive default SANs and the subject, and the token itself is presumably verified by the CA when the sign request is submitted — confirm against the signing endpoint before relying on any of these defaults.
(ctx *cli.Context, tok, subject string, sans []string)
| 295 | // CreateSignRequest is a helper function that given an x509 OTT returns a |
| 296 | // simple but secure sign request as well as the private key used. |
| 297 | func (f *CertificateFlow) CreateSignRequest(ctx *cli.Context, tok, subject string, sans []string) (*api.SignRequest, crypto.PrivateKey, error) { |
| 298 | jwt, err := token.ParseInsecure(tok) |
| 299 | if err != nil { |
| 300 | return nil, nil, err |
| 301 | } |
| 302 | |
| 303 | kty, crv, size, err := utils.GetKeyDetailsFromCLI(ctx, false, "kty", "curve", "size") |
| 304 | if err != nil { |
| 305 | return nil, nil, err |
| 306 | } |
| 307 | pk, err := keyutil.GenerateKey(kty, crv, size) |
| 308 | if err != nil { |
| 309 | return nil, nil, err |
| 310 | } |
| 311 | |
| 312 | dnsNames, ips, emails, uris := splitSANs(sans, jwt.Payload.SANs) |
| 313 | switch jwt.Payload.Type() { |
| 314 | case token.AWS: |
| 315 | doc := jwt.Payload.Amazon.InstanceIdentityDocument |
| 316 | if len(ips) == 0 && len(dnsNames) == 0 { |
| 317 | defaultSANs := []string{ |
| 318 | doc.PrivateIP, |
| 319 | fmt.Sprintf("ip-%s.%s.compute.internal", strings.ReplaceAll(doc.PrivateIP, ".", "-"), doc.Region), |
| 320 | } |
| 321 | if !sharedContext.DisableCustomSANs { |
| 322 | defaultSANs = append(defaultSANs, subject) |
| 323 | } |
| 324 | dnsNames, ips, emails, uris = splitSANs(defaultSANs) |
| 325 | } |
| 326 | case token.GCP: |
| 327 | ce := jwt.Payload.Google.ComputeEngine |
| 328 | if len(ips) == 0 && len(dnsNames) == 0 { |
| 329 | defaultSANs := []string{ |
| 330 | fmt.Sprintf("%s.c.%s.internal", ce.InstanceName, ce.ProjectID), |
| 331 | fmt.Sprintf("%s.%s.c.%s.internal", ce.InstanceName, ce.Zone, ce.ProjectID), |
| 332 | } |
| 333 | if !sharedContext.DisableCustomSANs { |
| 334 | defaultSANs = append(defaultSANs, subject) |
| 335 | } |
| 336 | dnsNames, ips, emails, uris = splitSANs(defaultSANs) |
| 337 | } |
| 338 | case token.Azure: |
| 339 | if len(ips) == 0 && len(dnsNames) == 0 { |
| 340 | defaultSANs := []string{ |
| 341 | jwt.Payload.Azure.ResourceName, |
| 342 | } |
| 343 | if !sharedContext.DisableCustomSANs { |
| 344 | defaultSANs = append(defaultSANs, subject) |
| 345 | } |
| 346 | dnsNames, ips, emails, uris = splitSANs(defaultSANs) |
| 347 | } |
| 348 | case token.OIDC: |
| 349 | // If no sans are given using the --san flag, and the subject argument |
| 350 | // matches the email then CN=token.sub SANs=email, token.iss#token.sub |
| 351 | // |
| 352 | // If no sans are given and the subject argument does not match the |
| 353 | // email then CN=subject SANs=splitSANs(subject) |
| 354 | // |