NOISSUE - Refactor CSR generation #55
Conversation
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
| @@ -314,71 +314,38 @@ func createCSREndpoint(svc certs.Service) endpoint.Endpoint { | |||
| return func(ctx context.Context, request interface{}) (response interface{}, err error) { | |||
| req := request.(createCSRReq) | |||
| if err := req.validate(); err != nil { | |||
| return createCSRRes{created: false}, err | |||
There was a problem hiding this comment.
what is the purpose of create csr endpoint, users can create csrs using openssl
There was a problem hiding this comment.
Its an alternative if the user doesn't want to use openssl. The idea is to make certs more generic.
There was a problem hiding this comment.
move to cli tool, no need to call an online api to create a CSR
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
api/http/endpoint.go
Outdated
| } | ||
|
|
||
| csr, err := svc.CreateCSR(ctx, req.Metadata, req.Metadata.EntityID, req.privKey) | ||
| cert, err := svc.IssueFromCSR(ctx, req.entityID, req.ttl, certs.CSR{CSR: []byte(req.CSR), PrivateKey: []byte(req.PrivateKey)}) |
There was a problem hiding this comment.
you don't need the private key when signing the certificate, you only need the public key. the point of this endpoint is for users who want to keep their private keys secure
There was a problem hiding this comment.
Let me make that change
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
cli/certs.go
Outdated
| case *rsa.PrivateKey: | ||
| signer = key | ||
| case *ecdsa.PrivateKey: | ||
| signer = key | ||
| case ed25519.PrivateKey: | ||
| signer = key |
There was a problem hiding this comment.
Group cases:
case *rsa.PrivateKey, *ecdsa.PrivateKey, *ed25519.PrivateKey:
cli/certs.go
Outdated
| } | ||
| return CreateCSR(metadata, parsedKey) | ||
| default: | ||
| return certs.CSR{}, errors.NewSDKError(errors.Wrap(ErrCreateEntity, errors.New("unsupported private key type"))) |
There was a problem hiding this comment.
Extract errors.New("unsupported...") to a variable.
cli/certs.go
Outdated
| privateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes) | ||
| case certs.ECPrivateKey: | ||
| privateKey, err = x509.ParseECPrivateKey(block.Bytes) | ||
| case certs.PrivateKey, "PKCS8 PRIVATE KEY": |
There was a problem hiding this comment.
Extract string literal to constant. Please double-check to see if there is no such constant somewhere in imported packages.
cli/certs.go
Outdated
| privateKey, err = x509.ParseECPrivateKey(block.Bytes) | ||
| case certs.PrivateKey, "PKCS8 PRIVATE KEY": | ||
| privateKey, err = x509.ParsePKCS8PrivateKey(block.Bytes) | ||
| case "ED25519 PRIVATE KEY": |
cli/certs.go
Outdated
| case "ED25519 PRIVATE KEY": | ||
| privateKey, err = x509.ParsePKCS8PrivateKey(block.Bytes) | ||
| default: | ||
| err = errors.New("unsupported private key type") |
cli/certs.go
Outdated
| err = errors.New("unsupported private key type") | ||
| } | ||
| if err != nil { | ||
| return nil, errors.New("failed to parse key") |
Signed-off-by: nyagamunene <[email protected]>
service.go
Outdated
| // The certificate is then stored in the repository using the CreateCert method. | ||
| // If the root CA is not found, it returns an error. | ||
| func (s *service) IssueCert(ctx context.Context, entityID, ttl string, ipAddrs []string, options SubjectOptions, key ...any) (Certificate, error) { | ||
| var privKey any |
There was a problem hiding this comment.
Use var privKey crypto.PrivateKey instead.
certs.go
Outdated
| @@ -217,7 +158,7 @@ type Service interface { | |||
| RetrieveCAToken(ctx context.Context) (string, error) | |||
|
|
|||
| // IssueCert issues a certificate from the database. | |||
| IssueCert(ctx context.Context, entityID, ttl string, ipAddrs []string, option SubjectOptions, privKey ...*rsa.PrivateKey) (Certificate, error) | |||
| IssueCert(ctx context.Context, entityID, ttl string, ipAddrs []string, option SubjectOptions, privKey ...any) (Certificate, error) | |||
There was a problem hiding this comment.
Use privKey crypto.PrivateKey instead.
Signed-off-by: nyagamunene <[email protected]>
certs.go
Outdated
| @@ -217,7 +159,7 @@ type Service interface { | |||
| RetrieveCAToken(ctx context.Context) (string, error) | |||
|
|
|||
| // IssueCert issues a certificate from the database. | |||
| IssueCert(ctx context.Context, entityID, ttl string, ipAddrs []string, option SubjectOptions, privKey ...*rsa.PrivateKey) (Certificate, error) | |||
| IssueCert(ctx context.Context, entityID, ttl string, ipAddrs []string, option SubjectOptions, privKey ...crypto.PrivateKey) (Certificate, error) | |||
There was a problem hiding this comment.
Is there a reason for this to be a variadic function? Can we just use have
IssueCert(ctx context.Context, entityID, ttl string, ipAddrs []string, option SubjectOptions, privKey crypto.PrivateKey) (Certificate, error)There was a problem hiding this comment.
Yes there is a reason. It because its also been used by the issueCSR method to issue certificates since they user needs to provide their own private key
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
service.go
Outdated
| // issueCert generates and issues a certificate for a given backendID. | ||
| // It uses the RSA algorithm to generate a private key, and then creates a certificate | ||
| // using the provided template and the generated private key. | ||
| // The certificate is then stored in the repository using the CreateCert method. | ||
| // If the root CA is not found, it returns an error. |
There was a problem hiding this comment.
Remove duplicate comments.
service.go
Outdated
| // using the provided template and the generated private key. | ||
| // The certificate is then stored in the repository using the CreateCert method. | ||
| // If the root CA is not found, it returns an error. | ||
| func (s *service) IssueCert(ctx context.Context, entityID, ttl string, ipAddrs []string, options SubjectOptions, key crypto.PrivateKey) (Certificate, error) { |
There was a problem hiding this comment.
Let's extract issuing certs to unexported method:
(s *service) issue(ctx context.Context, entityID, ttl string, ipAddrs []string, options SubjectOptions, pubKey crypto.PublicKey, privKey crypto.PrivateKey) (Certificate, error)you can call from both IssuseCert and IssueFromCSR so that you can make the interface cleaner:
IssueCert(ctx context.Context, entityID, ttl string, ipAddrs []string, option SubjectOptions) (Certificate, error)So we do not have any key params when issuing certs (so you don't have to use nil as the indicator you want to create a key pair).
Signed-off-by: nyagamunene <[email protected]>
service.go
Outdated
| serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) | ||
| if err != nil { | ||
| return Certificate{}, err | ||
| } | ||
|
|
||
| if s.intermediateCA.Certificate == nil || s.intermediateCA.PrivateKey == nil { | ||
| return Certificate{}, ErrIntermediateCANotFound | ||
| subject := s.getSubject(options) |
There was a problem hiding this comment.
Rename to subjectFromOpts. Also, no need to make it a service method, it's just an unexported function: func subjectFromOpts(opts SubjectOptions) pkix.Name.
Signed-off-by: nyagamunene <[email protected]>
What type of PR is this?
This is a refactor because it changes the following functionality: it removes CSR repository.
What does this do?
It removes CSR repository.
Which issue(s) does this PR fix/relate to?
N/A
Have you included tests for your changes?
Yes
Did you document any new/modified features?
No
Notes