0
0
mirror of https://github.com/slackhq/nebula.git synced 2024-12-22 12:18:30 +00:00
slackhq_nebula/cmd/nebula-cert/main.go
John Maguire a56a97e5c3
Add ability to encrypt CA private key at rest (#386)
Fixes #8.

`nebula-cert ca` now supports encrypting the CA's private key with a
passphrase. Pass `-encrypt` in order to be prompted for a passphrase.
Encryption is performed using AES-256-GCM and Argon2id for KDF. KDF
parameters default to RFC recommendations, but can be overridden via CLI
flags `-argon-memory`, `-argon-parallelism`, and `-argon-iterations`.
2023-04-03 13:59:38 -04:00

140 lines
2.7 KiB
Go

package main
import (
"flag"
"fmt"
"io"
"os"
)
var Build string
type helpError struct {
s string
}
func (he *helpError) Error() string {
return he.s
}
func newHelpErrorf(s string, v ...interface{}) error {
return &helpError{s: fmt.Sprintf(s, v...)}
}
func main() {
flag.Usage = func() {
help("", os.Stderr)
os.Exit(1)
}
printVersion := flag.Bool("version", false, "Print version")
flagHelp := flag.Bool("help", false, "Print command line usage")
flagH := flag.Bool("h", false, "Print command line usage")
printUsage := false
flag.Parse()
if *flagH || *flagHelp {
printUsage = true
}
args := flag.Args()
if *printVersion {
fmt.Printf("Version: %v\n", Build)
os.Exit(0)
}
if len(args) < 1 {
if printUsage {
help("", os.Stderr)
os.Exit(0)
}
help("No mode was provided", os.Stderr)
os.Exit(1)
} else if printUsage {
handleError(args[0], &helpError{}, os.Stderr)
os.Exit(0)
}
var err error
switch args[0] {
case "ca":
err = ca(args[1:], os.Stdout, os.Stderr, StdinPasswordReader{})
case "keygen":
err = keygen(args[1:], os.Stdout, os.Stderr)
case "sign":
err = signCert(args[1:], os.Stdout, os.Stderr, StdinPasswordReader{})
case "print":
err = printCert(args[1:], os.Stdout, os.Stderr)
case "verify":
err = verify(args[1:], os.Stdout, os.Stderr)
default:
err = fmt.Errorf("unknown mode: %s", args[0])
}
if err != nil {
os.Exit(handleError(args[0], err, os.Stderr))
}
}
func handleError(mode string, e error, out io.Writer) int {
code := 1
// Handle -help, -h flags properly
if e == flag.ErrHelp {
code = 0
e = &helpError{}
} else if e != nil && e.Error() != "" {
fmt.Fprintln(out, "Error:", e)
}
switch e.(type) {
case *helpError:
switch mode {
case "ca":
caHelp(out)
case "keygen":
keygenHelp(out)
case "sign":
signHelp(out)
case "print":
printHelp(out)
case "verify":
verifyHelp(out)
}
}
return code
}
func help(err string, out io.Writer) {
if err != "" {
fmt.Fprintln(out, "Error:", err)
fmt.Fprintln(out, "")
}
fmt.Fprintf(out, "Usage of %s <global flags> <mode>:\n", os.Args[0])
fmt.Fprintln(out, " Global flags:")
fmt.Fprintln(out, " -version: Prints the version")
fmt.Fprintln(out, " -h, -help: Prints this help message")
fmt.Fprintln(out, "")
fmt.Fprintln(out, " Modes:")
fmt.Fprintln(out, " "+caSummary())
fmt.Fprintln(out, " "+keygenSummary())
fmt.Fprintln(out, " "+signSummary())
fmt.Fprintln(out, " "+printSummary())
fmt.Fprintln(out, " "+verifySummary())
fmt.Fprintln(out, "")
fmt.Fprintf(out, " To see usage for a given mode, use %s <mode> -h\n", os.Args[0])
}
func mustFlagString(name string, val *string) error {
if *val == "" {
return newHelpErrorf("-%s is required", name)
}
return nil
}