author | Lars Wirzenius <liw@liw.fi> | 2023-07-30 18:59:05 +0300 |
---|---|---|
committer | Lars Wirzenius <liw@liw.fi> | 2023-07-30 18:59:05 +0300 |
commit | 2ca635fe9587ecf7140500d4949800edda84c385 (patch) | |
tree | c590479981d7c92070da84e83beb16115d6b761e | |
parent | 2ce2d075d648fd7a4cbbde224c8d7be8ef254397 (diff) | |
feat! require --ca option for the CA name in host and user certification
Sponsored-by: author
-rw-r--r-- | src/cmd/host.rs | 9 | ||||
-rw-r--r-- | src/cmd/user.rs | 10 | ||||
-rw-r--r-- | sshca.md | 16 |
3 files changed, 19 insertions, 16 deletions
diff --git a/src/cmd/host.rs b/src/cmd/host.rs
index 2896fe3..d3a85b4 100644
--- a/src/cmd/host.rs
+++ b/src/cmd/host.rs
@@ -154,7 +154,8 @@ pub struct Certify {
 expires_in: String,
 /// Name of CA.
- ca_name: String,
+ #[clap(long)]
+ ca: String,
 /// Name of host.
 hostname: String,
@@ -162,10 +163,10 @@ pub struct Certify {
 impl Runnable for Certify {
 fn run(&mut self, _config: &Config, store: &mut KeyStore) -> Result<(), CAError> {
- let ca = if let Some(ca) = store.get_host_ca(&self.ca_name) {
+ let ca = if let Some(ca) = store.get_host_ca(&self.ca) {
 ca
 } else {
- return Err(CAError::NoSuchHostCA(self.ca_name.clone()));
+ return Err(CAError::NoSuchHostCA(self.ca.clone()));
 };
 let host = if let Some(host) = store.get_host(&self.hostname) {
 host
@@ -173,7 +174,7 @@ impl Runnable for Certify {
 return Err(CAError::NoSuchHost(self.hostname.clone()));
 };
- let ca = HostCa::new(self.ca_name.clone(), ca.keypair().clone());
+ let ca = HostCa::new(self.ca.clone(), ca.keypair().clone());
 let valid_for = parse_validity(&self.expires_in)?;
 let cert = ca.certify(host.public(), &valid_for, host.principals())?;
 if let Some(output) = &self.output {
diff --git a/src/cmd/user.rs b/src/cmd/user.rs
index ea4feb1..3bd0050 100644
--- a/src/cmd/user.rs
+++ b/src/cmd/user.rs
@@ -142,16 +142,18 @@ pub struct Certify {
 #[clap(long, default_value = DEFAULT_VALIDITY)]
 expires_in: String,
- ca_name: String,
+ #[clap(long)]
+ ca: String,
+
 username: String,
 }
 impl Runnable for Certify {
 fn run(&mut self, _config: &Config, store: &mut KeyStore) -> Result<(), CAError> {
- let ca = if let Some(pair) = store.get_user_ca(&self.ca_name) {
+ let ca = if let Some(pair) = store.get_user_ca(&self.ca) {
 pair
 } else {
- return Err(CAError::NoSuchUserCA(self.ca_name.clone()));
+ return Err(CAError::NoSuchUserCA(self.ca.clone()));
 };
 let user = if let Some(user) = store.get_user(&self.username) {
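Review bot: The help text of the new required `--ca` flag is the inherited doc comment `/// Name of CA.`, which does not tell the operator that only a host CA is accepted here: `run` resolves it with `store.get_host_ca` and answers anything else with `NoSuchHostCA`, and the scenarios in sshca.md create it with `sshca ca new host`. Since the commit is a breaking change (`feat!`) and this flag is now mandatory, the help should be self-explanatory: `/// Name of the host CA that signs the certificate (created with `sshca ca new host`).` in place of `/// Name of CA.`. The `Certify` struct starts before this hunk.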
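Review bot: The CA lookup at the top of `run` is an `if let`/`else` whose only job is to unwrap or return, and after the rename the inner binding `ca` reads the same as the field `self.ca` it is looked up by, which makes the shadowing easy to misread; the `hostname` lookup a few lines down follows the same pattern. A combinator keeps each name in one place and drops four lines per lookup: `let ca = store.get_host_ca(&self.ca).ok_or_else(|| CAError::NoSuchHostCA(self.ca.clone()))?;` and `let host = store.get_host(&self.hostname).ok_or_else(|| CAError::NoSuchHost(self.hostname.clone()))?;`. `run` continues past the end of this hunk.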
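Review bot: The new `ca` field in user.rs carries no doc comment, so `sshca user certify --help` will list `--ca` with no description, while the same required flag in host.rs has `/// Name of CA.`; the `username` positional next to it is undocumented as well. Add `/// Name of the user CA that signs the certificate (created with `sshca ca new user`).` above `#[clap(long)]` and `/// Name of the user to certify.` above `username: String,` so both subcommands document the flag the same way. The `Certify` struct starts before this hunk.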
@@ -161,7 +163,7 @@ impl Runnable for Certify {
 };
 let key = user.public();
- let ca = UserCa::new(self.ca_name.clone(), ca.keypair().clone());
+ let ca = UserCa::new(self.ca.clone(), ca.keypair().clone());
 let valid_for = parse_validity(&self.expires_in)?;
 let cert = ca.certify(key, &valid_for, user.principals())?;
@@ -670,10 +670,10 @@ given file .config/sshca/config.yaml from config.yaml
 when I run sshca ca new host CAv1
 when I run sshca host generate myhost -p myhost -p othername
-when I run sshca host certify CAv1 myhost
+when I run sshca host certify --ca CAv1 myhost
 then stdout matches regex ^ssh-ed25519-cert-v01@openssh.com
-when I run sshca host certify --output my.cert CAv1 myhost
+when I run sshca host certify --output my.cert --ca CAv1 myhost
 then file my.cert matches regex /^ssh-ed25519-cert-v01@openssh.com/
 when I run ssh-keygen -L -f my.cert
@@ -698,7 +698,7 @@ given an installed sshca
 given file .config/sshca/config.yaml from config.yaml
 when I run sshca ca new host CAv1
 when I run sshca host generate myhost.example.com
-when I run sshca host certify --output my.cert CAv1 myhost.example.com
+when I run sshca host certify --output my.cert --ca CAv1 myhost.example.com
 when I run ssh-keygen -L -f my.cert
 then stdout matches regex Valid: from \d+-\d+-\d+T\d+:\d+:\d+ to \d+-\d+-\d+T\d+:\d+:\d+
 ~~~
@@ -725,7 +725,7 @@ given file .config/sshca/config.yaml from config.yaml
 when I run sshca ca new host CAv1
 when I run sshca host generate myhost.example.com
-when I run sshca host certify --output my.cert CAv1 myhost.example.com --expires-in 1d
+when I run sshca host certify --output my.cert --ca CAv1 myhost.example.com --expires-in 1d
 when I run ssh-keygen -L -f my.cert
 then stdout matches regex Valid: from \d+-\d+-\d+T\d+:\d+:\d+ to \d+-\d+-\d+T\d+:\d+:\d+
 ~~~
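Review bot: The rewritten line `let ca = UserCa::new(self.ca.clone(), ca.keypair().clone());` builds a second `UserCa` out of the store entry found earlier in `run`, which duplicates its keypair for the rest of the function; since `ca.certify` signs with it, that keypair presumably includes the CA's private key. This predates the commit, but the line is being touched anyway, so it is worth checking whether `UserCa::new` can take the keypair by reference or the store entry can be used directly, so signing-key material is not copied once more than needed (whether the key type zeroizes on drop is not visible here). `run` starts before and ends after this hunk.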
@@ -922,10 +922,10 @@ when I run sshca ca new user CAv1
 when I run ssh-keygen -t ed25519 -N '' -f myself
 when I run sshca user new myname myself.pub --principal tomjon -p king
-when I run sshca user certify CAv1 myname
+when I run sshca user certify --ca CAv1 myname
 then stdout matches regex ^ssh-ed25519-cert-v01@openssh.com
-when I run sshca user certify --output my.cert CAv1 myname
+when I run sshca user certify --output my.cert --ca CAv1 myname
 then file my.cert matches regex /^ssh-ed25519-cert-v01@openssh.com/
 when I run ssh-keygen -Lf my.cert
@@ -953,7 +953,7 @@ given file .config/sshca/config.yaml from config.yaml
 when I run sshca ca new user CAv1
 when I run ssh-keygen -t ed25519 -N '' -f myself
 when I run sshca user new myname myself.pub
-when I run sshca user certify --output my.cert CAv1 myname
+when I run sshca user certify --output my.cert --ca CAv1 myname
 when I run ssh-keygen -L -f my.cert
 then stdout matches regex Valid: from \d+-\d+-\d+T\d+:\d+:\d+ to \d+-\d+-\d+T\d+:\d+:\d+
 ~~~
@@ -977,7 +977,7 @@ given file .config/sshca/config.yaml from config.yaml
 when I run sshca ca new user CAv1
 when I run ssh-keygen -t ed25519 -N '' -f myself
 when I run sshca user new myname myself.pub
-when I run sshca user certify --output my.cert CAv1 myname --expires-in 1d
+when I run sshca user certify --output my.cert --ca CAv1 myname --expires-in 1d
 when I run ssh-keygen -L -f my.cert
 then stdout matches regex Valid: from \d+-\d+-\d+T\d+:\d+:\d+ to \d+-\d+-\d+T\d+:\d+:\d+
 ~~~ |