Added certificates generate command #68
sajayantony wants to merge 3 commits into notaryproject:prototype-2 from
Conversation
The command will generate a 2084-bit RSA-based crt and key file. The files will be placed in $HOME/.notary/keys
Signed-off-by: Sajay Antony <sajaya@microsoft.com>
- Default to 3047 for RSA Bits
- Added --not-after flag for supporting expiry
- Remove organization defaults
- Remove TLS capabilities
Signed-off-by: Sajay Antony <sajaya@microsoft.com>
| } | ||
| } | ||
|
|
||
| return keysDir, nil |
We need to ensure that keysDir is really a directory. It could be a regular file or symbolic link.
Updated to use IsDir. Is that good enough, or do we need to ensure more checks? I believe you handled this in ORAS as well.
cmd/nv2/gencert.go
Outdated
| fmt.Printf("Generating certificates expiring on %s\n", notAfter.Format(time.RFC3339)) | ||
| fmt.Printf("Writing public key file: %s\n", crtFilePath) |
Should be Generated and Wrote.
BTW, it is not just a public key, but a self-signed cert.
Signed-off-by: Sajay Antony <sajaya@microsoft.com>
|
|
||
| // Set certificate validity | ||
| notBefore := time.Now() | ||
| notAfter := notBefore.Add(time.Duration(365 * 24 * time.Hour)) |
| hosts := strings.Split(host, ",") | ||
| for _, h := range hosts { | ||
| if ip := net.ParseIP(h); ip != nil { | ||
| template.IPAddresses = append(template.IPAddresses, ip) | ||
| } else { | ||
| template.DNSNames = append(template.DNSNames, h) | ||
| } | ||
| } |
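Review bot: `strings.Split(host, ",")` neither trims whitespace nor skips empty elements, so `a, b` yields the DNS name ` b` and an empty host string yields `[""]`, which the `else` branch appends as an empty `DNSNames` entry; trim each element and skip blanks before the `net.ParseIP` branch. Separately, `time.Duration(365 * 24 * time.Hour)` is a no-op conversion (the product is already a `time.Duration`), and once the `--not-after` flag exists its parsed value should replace this hard-coded one-year `notAfter` rather than sit beside it.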
As this is a code-signing certificate, not an SSL certificate, we don't need to support DNSName or ip-address.
We still need them, as the x509 package checks SAN instead of CN starting from Go 1.15. See https://golang.org/doc/go1.15#commonname
| Organization: []string{hosts[0]}, | ||
| CommonName: hosts[0], |
Can we take the Organization Name from the user instead of host? host is confusing, as the certificate is not used for TLS.
Organization is removed in the Notation CLI Alpha PR.
| keysDir, err := ensureKeysDir() | ||
| if err != nil { | ||
| return fmt.Errorf("Could not access keys directory: %v", err) | ||
| } |
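Review bot: the error string `"Could not access keys directory: %v"` should follow Go convention (lower-case, no trailing punctuation) since it will be wrapped by callers, and `%w` rather than `%v` keeps the underlying os error reachable through `errors.Is`/`errors.As`, e.g. `fmt.Errorf("could not access keys directory: %w", err)`.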
Should be done as first thing after validating arguments.
| func ensureKeysDir() (string, error) { | ||
|
|
||
| // Expected to ensure ~/.notation/keys | ||
| dirname, err := os.UserHomeDir() |
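Review bot: the comment says the directory is `~/.notation/keys`, while the PR description and first commit message say the files go in `$HOME/.notary/keys`; pick one name and keep the comment, the description and the path built from `dirname` consistent. `os.UserHomeDir()` also returns an error when the home variable is unset, so that error needs to surface with a clear message rather than be folded into a generic "could not access keys directory".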
As discussed in #76, we should support XDG_Base_Directory.
Notation CLI Alpha honors XDG directories.
|
|
||
| certOut, err := os.OpenFile(crtFileName, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600) | ||
| if err != nil { | ||
| return fmt.Errorf("Failed to open %s for writing: %v", crtFilePath, err) |
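Review bot: the file is opened as `crtFileName` but the error message reports `crtFilePath`; if those are different variables the message names the wrong file, so use the same one in both places. `O_EXCL` is the right choice here, since it refuses to silently overwrite an existing certificate or key; mode 0600 is appropriate for the private key file, while the certificate is public and can be 0644 if other tools need to read it.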
| Value: 3072, | ||
| }, | ||
| &cli.StringFlag{ | ||
| Name: "not-after", |
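Review bot: `--not-after` is a plain `StringFlag`, so the accepted layout (RFC3339, matching the `notAfter.Format(time.RFC3339)` output printed elsewhere in this PR) should be stated in the flag's Usage text, and the parsed value should be rejected when it is not after `notBefore`, otherwise the command will happily emit an already-expired certificate. The `Value: 3072` default also disagrees with the commit message's `3047` and the description's `2084`; update those to the real default.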
Will it be a better customer experience to take a validity period validForDays instead of an actual date?
Pros:
- easy to associate default value of 1 year
- No need to worry about not-after being in past.
certificates generate --not-after 2006-01-02T15:04:05-07:00
certificates generate --valid-for-days 365
validForDays might not be a good one. For testing purposes, people may want short-lived certs like several hours or minutes.
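As an added example (not code from this PR or from the notation project), illustrating the two points raised in this review, that Go 1.15+ matches names only against SANs and that a short validity window must be checked at verification time: it builds a self-signed code-signing certificate with or without a SAN and verifies it with crypto/x509 at a chosen time. The name `signer.example` and the helper names are assumptions; RSA 2048 is used only to keep the run quick.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSigned builds a self-signed code-signing certificate for name; withSAN=false
// sets only the Subject CommonName (the layout the review warns about).
func selfSigned(name string, withSAN bool, validFor time.Duration) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // 2048 keeps the example quick; the CLI defaults to 3072
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute), // tolerate small clock skew
		NotAfter:     time.Now().Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if withSAN {
		tmpl.DNSNames = []string{name}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyName checks, as of time at, that cert is a valid code-signing
// certificate for name. Since Go 1.15 names match only against SANs, so a
// CN-only certificate fails with a HostnameError; past NotAfter it is expired.
func verifyName(cert *x509.Certificate, name string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert) // self-signed: the trust anchor is the certificate itself
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     name,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}
```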
@priteshbandi #83 PR adds all this capability into notation alpha. @shizhMSFT - can you see if there are inputs here you might not have already considered in your PR?
The command will generate a 2084-bit RSA-based crt and key file.
The files will be placed in $HOME/.notary/keys
Signed-off-by: Sajay Antony <sajaya@microsoft.com>
Fixes #66