File: install.go

package info (click to toggle)
golang-github-smallstep-cli 0.15.16%2Bds-3
  • links: PTS, VCS
  • area: main
  • in suites: bookworm
  • size: 4,404 kB
  • sloc: sh: 512; makefile: 99
file content (255 lines) | stat: -rw-r--r-- 6,449 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
 
package certificate

import (
	"fmt"
	"strings"

	"github.com/pkg/errors"
	"github.com/smallstep/certinfo"
	"github.com/smallstep/cli/command"
	"github.com/smallstep/cli/crypto/pemutil"
	"github.com/smallstep/cli/errs"
	"github.com/smallstep/truststore"
	"github.com/urfave/cli"
)

func installCommand() cli.Command {
	return cli.Command{
		Name:   "install",
		Action: command.ActionFunc(installAction),
		Usage:  "install a root certificate in the system truststore",
		UsageText: `**step certificate install** <crt-file>
[**--prefix**=<name>] [**--all**]
[**--java**] [**--firefox**] [**--no-system**]`,
		Description: `**step certificate install** installs a root certificate in the system
truststore.

Java and Firefox truststores are also supported via the respective flags.

## POSITIONAL ARGUMENTS

<crt-file>
:  Certificate to install in the system truststore

## EXAMPLES

Install a certificate in the system truststore:
'''
$ step certificate install root-ca.pem
'''

Install a certificate in all the supported truststores:
'''
$ step certificate install --all root-ca.pem
'''

Install a certificate in Firefox and the system trustore:
'''
$ step certificate install --firefox root--ca.pem
'''

Install a certificate in Java and the system trustore:
'''
$ step certificate install --java root-ca.pem
'''

Install a certificate in Firefox, Java, but not in the system trustore:
'''
$ step certificate install --firefox --java --no-system root-ca.pem
'''`,
		Flags: []cli.Flag{
			cli.StringFlag{
				Name: "prefix",
				Usage: `The prefix used to <name> the CA in the truststore. Defaults to the
certificate common name.`,
			},
			cli.BoolFlag{
				Name:  "java",
				Usage: "install on the Java key store",
			},
			cli.BoolFlag{
				Name:  "firefox",
				Usage: "install on the Firefox NSS security database",
			},
			cli.BoolFlag{
				Name:  "no-system",
				Usage: "disables the install on the system truststore",
			},
			cli.BoolFlag{
				Name:  "all",
				Usage: "install on the system, Firefox and Java truststores",
			},
		},
	}
}

func uninstallCommand() cli.Command {
	return cli.Command{
		Name:   "uninstall",
		Action: command.ActionFunc(uninstallAction),
		Usage:  "uninstall a root certificate from the system truststore",
		UsageText: `**step certificate uninstall** <crt-file>
[**--prefix**=<name>] [**--all**]
[**--java**] [**--firefox**] [**--no-system**]`,
		Description: `**step certificate install** uninstalls a root certificate from the system
truststore.

Java and Firefox truststores are also supported via the respective flags.

## POSITIONAL ARGUMENTS

<crt-file>
:  Certificate to uninstall from the system truststore

## EXAMPLES

Uninstall from only the system truststore:
'''
$ step certificate uninstall root-ca.pem
'''

Uninstall a certificate from all the supported truststores:
'''
$ step certificate uninstall --all root-ca.pem
'''

Uninstall a certificate from Firefox and the system trustore:
'''
$ step certificate uninstall --firefox root--ca.pem
'''

Uninstall a certificate infrom Java and the system trustore:
'''
$ step certificate uninstall --java root-ca.pem
'''

Uninstall a certificate from Firefox, Java, but not from the system:
'''
$ step certificate uninstall --firefox --java --no-system root-ca.pem
'''`,
		Flags: []cli.Flag{
			cli.StringFlag{
				Name: "prefix",
				Usage: `The prefix used to <name> the CA in the truststore. Defaults to the
certificate common name.`,
			},
			cli.BoolFlag{
				Name:  "java",
				Usage: "uninstall from the Java key store",
			},
			cli.BoolFlag{
				Name:  "firefox",
				Usage: "uninstall from the Firefox NSS security database",
			},
			cli.BoolFlag{
				Name:  "no-system",
				Usage: "disables the uninstall from the system truststore",
			},
			cli.BoolFlag{
				Name:  "all",
				Usage: "uninstall from the system, Firefox and Java truststores",
			},
		},
	}
}

func installAction(ctx *cli.Context) error {
	if err := errs.NumberOfArguments(ctx, 1); err != nil {
		return err
	}

	filename := ctx.Args().Get(0)
	opts, err := getTruststoreOptions(ctx)
	if err != nil {
		return err
	}

	if err := truststore.InstallFile(filename, opts...); err != nil {
		switch err := err.(type) {
		case *truststore.CmdError:
			return errors.Errorf("failed to execute \"%s\" failed with: %s", strings.Join(err.Cmd().Args, " "), err.Err())
		default:
			return errors.Wrapf(err, "failed to install %s", filename)
		}
	}

	fmt.Printf("Certificate %s has been installed.\n", filename)
	// Print certificate info (ignore errors)
	if cert, err := pemutil.ReadCertificate(filename); err == nil {
		if s, err := certinfo.CertificateShortText(cert); err == nil {
			fmt.Print(s)
		}
	}

	return nil
}

func uninstallAction(ctx *cli.Context) error {
	if err := errs.NumberOfArguments(ctx, 1); err != nil {
		return err
	}

	filename := ctx.Args().Get(0)
	opts, err := getTruststoreOptions(ctx)
	if err != nil {
		return err
	}

	if err := truststore.UninstallFile(filename, opts...); err != nil {
		switch err := err.(type) {
		case *truststore.CmdError:
			return errors.Errorf("failed to execute \"%s\" failed with: %s", strings.Join(err.Cmd().Args, " "), err.Err())
		default:
			return errors.Wrapf(err, "failed to uninstall %s", filename)
		}
	}

	fmt.Printf("Certificate %s has been removed.\n", filename)
	// Print certificate info (ignore errors)
	if cert, err := pemutil.ReadCertificate(filename); err == nil {
		if s, err := certinfo.CertificateShortText(cert); err == nil {
			fmt.Print(s)
		}
	}

	return nil
}

func getTruststoreOptions(ctx *cli.Context) ([]truststore.Option, error) {
	cert, err := pemutil.ReadCertificate(ctx.Args().Get(0))
	if err != nil {
		return nil, err
	}

	if !cert.IsCA || cert.CheckSignatureFrom(cert) != nil {
		return nil, errors.Errorf("certificate %s is not a root CA", ctx.Args().Get(0))
	}

	prefix := ctx.String("prefix")
	if prefix == "" {
		if len(cert.Subject.CommonName) > 0 {
			prefix = cert.Subject.CommonName + " "
		} else {
			prefix = "Smallstep Development CA "
		}
	}

	opts := []truststore.Option{
		truststore.WithPrefix(prefix),
	}

	if ctx.Bool("all") {
		opts = append(opts, truststore.WithJava(), truststore.WithFirefox())
	} else {
		if ctx.Bool("java") {
			opts = append(opts, truststore.WithJava())
		}
		if ctx.Bool("firefox") {
			opts = append(opts, truststore.WithFirefox())
		}
	}
	if ctx.Bool("no-system") {
		opts = append(opts, truststore.WithNoSystem())
	}
	return opts, nil
}