
Method CreateSignRequest

utils/cautils/certificate_flow.go:297–405  ·  view source on GitHub ↗

CreateSignRequest is a helper that, given an x509 one-time token (OTT), builds a simple but secure certificate sign request and returns it together with the freshly generated private key. Note that the token is parsed with token.ParseInsecure, so its signature is not verified in this function; the claims read from it (provisioner type, cloud instance identity document, token SANs) are only used to pick default SANs for the request, and verification of the token itself is expected to be performed by the CA when the request is submitted — not here. The listing below is truncated before the OIDC case and the final return.

(ctx *cli.Context, tok, subject string, sans []string)


295// CreateSignRequest is a helper function that given an x509 OTT returns a
296// simple but secure sign request as well as the private key used.
297func (f *CertificateFlow) CreateSignRequest(ctx *cli.Context, tok, subject string, sans []string) (*api.SignRequest, crypto.PrivateKey, error) {
298 jwt, err := token.ParseInsecure(tok)
299 if err != nil {
300 return nil, nil, err
301 }
302
303 kty, crv, size, err := utils.GetKeyDetailsFromCLI(ctx, false, "kty", "curve", "size")
304 if err != nil {
305 return nil, nil, err
306 }
307 pk, err := keyutil.GenerateKey(kty, crv, size)
308 if err != nil {
309 return nil, nil, err
310 }
311
312 dnsNames, ips, emails, uris := splitSANs(sans, jwt.Payload.SANs)
313 switch jwt.Payload.Type() {
314 case token.AWS:
315 doc := jwt.Payload.Amazon.InstanceIdentityDocument
316 if len(ips) == 0 && len(dnsNames) == 0 {
317 defaultSANs := []string{
318 doc.PrivateIP,
319 fmt.Sprintf("ip-%s.%s.compute.internal", strings.ReplaceAll(doc.PrivateIP, ".", "-"), doc.Region),
320 }
321 if !sharedContext.DisableCustomSANs {
322 defaultSANs = append(defaultSANs, subject)
323 }
324 dnsNames, ips, emails, uris = splitSANs(defaultSANs)
325 }
326 case token.GCP:
327 ce := jwt.Payload.Google.ComputeEngine
328 if len(ips) == 0 && len(dnsNames) == 0 {
329 defaultSANs := []string{
330 fmt.Sprintf("%s.c.%s.internal", ce.InstanceName, ce.ProjectID),
331 fmt.Sprintf("%s.%s.c.%s.internal", ce.InstanceName, ce.Zone, ce.ProjectID),
332 }
333 if !sharedContext.DisableCustomSANs {
334 defaultSANs = append(defaultSANs, subject)
335 }
336 dnsNames, ips, emails, uris = splitSANs(defaultSANs)
337 }
338 case token.Azure:
339 if len(ips) == 0 && len(dnsNames) == 0 {
340 defaultSANs := []string{
341 jwt.Payload.Azure.ResourceName,
342 }
343 if !sharedContext.DisableCustomSANs {
344 defaultSANs = append(defaultSANs, subject)
345 }
346 dnsNames, ips, emails, uris = splitSANs(defaultSANs)
347 }
348 case token.OIDC:
349 // If no sans are given using the --san flag, and the subject argument
350 // matches the email then CN=token.sub SANs=email, token.iss#token.sub
351 //
352 // If no sans are given and the subject argument does not match the
353 // email then CN=subject SANs=splitSANs(subject)
354 //
