Merge pull request #4 from soramitsukhmer/feature/add-path-length-to-…

…sign Add 'path-length' flag to 'sign' command
soramitsukhmer · Jan 13, 2022 · 6b13803 · 6b13803
2 parents c497876 + dd31e8e
commit 6b13803
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/cmd/sign.go b/cmd/sign.go
@@ -67,6 +67,11 @@ func NewSignCommand() cli.Command {
 				Name:  "intermediate",
 				Usage: "Whether generated certificate should be a intermediate",
 			},
+			cli.IntFlag{
+				Name:  "path-length",
+				Value: 0,
+				Usage: "Maximum number of non-self-issued intermediate certificates that may follow this CA certificate in a valid certification path",
+			},
 		},
 		Action: newSignAction,
 	}
@@ -140,8 +145,13 @@ func newSignAction(c *cli.Context) {
 	var crtOut *pkix.Certificate
 	if c.Bool("intermediate") {
 		fmt.Fprintln(os.Stderr, "Building intermediate")
-		crtOut, err = pkix.CreateIntermediateCertificateAuthority(crt, key, csr, expiresTime)
+		crtOut, err = pkix.CreateIntermediateCertificateAuthority(crt, key, csr, expiresTime, c.Int("path-length"))
 	} else {
+		if c.IsSet("path-length") {
+			fmt.Fprintln(os.Stderr, "The 'path-length' can only be used with 'intermediate' flag.")
+			os.Exit(1)
+		}
+
 		crtOut, err = pkix.CreateCertificateHost(crt, key, csr, expiresTime)
 	}
 

diff --git a/pkix/cert_auth.go b/pkix/cert_auth.go
@@ -78,7 +78,7 @@ func CreateCertificateAuthority(key *Key, organizationalUnit string, expiry time
 
 // CreateIntermediateCertificateAuthority creates an intermediate
 // CA certificate signed by the given authority.
-func CreateIntermediateCertificateAuthority(crtAuth *Certificate, keyAuth *Key, csr *CertificateSigningRequest, proposedExpiry time.Time) (*Certificate, error) {
+func CreateIntermediateCertificateAuthority(crtAuth *Certificate, keyAuth *Key, csr *CertificateSigningRequest, proposedExpiry time.Time, pathlen int) (*Certificate, error) {
 	authTemplate := newAuthTemplate()
 
 	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
@@ -87,7 +87,11 @@ func CreateIntermediateCertificateAuthority(crtAuth *Certificate, keyAuth *Key,
 		return nil, err
 	}
 	authTemplate.SerialNumber.Set(serialNumber)
-	authTemplate.MaxPathLenZero = false
+
+	if pathlen > 0 {
+		authTemplate.MaxPathLen = pathlen
+		authTemplate.MaxPathLenZero = false
+	}
 
 	rawCsr, err := csr.GetRawCertificateSigningRequest()
 	if err != nil {