feat: generate CSR from transit key (#1)

cmd/transit_gencsr.go

@@ -0,0 +1,91 @@
+package cmd
+
+import (
+	"os"
+
+	"github.com/spf13/cobra"
+	"github.com/vdbulcke/hc-vault-util/hc-vault-util/logger"
+	"github.com/vdbulcke/hc-vault-util/hc-vault-util/transit"
+)
+
+var cfsslCSRFile string
+var keyVersion int
+
+func init() {
+	// bind to root command
+	transitCmd.AddCommand(genCSRCmd)
+	// add flags to sub command
+	genCSRCmd.Flags().StringVarP(&cfsslCSRFile, "csr-json", "c", "", "The path to a cfssl csr file")
+	genCSRCmd.Flags().StringVarP(&transitKey, "transit-key", "t", "", "The name of the transit key to import")
+	genCSRCmd.Flags().StringVarP(&transitMount, "mount", "", "transit", "Mount path of transit backend")
+	genCSRCmd.Flags().IntVarP(&keyVersion, "version", "", 0, "Version of the transit key, or 0 for latest (default 0)")
+
+	// required flags
+	//nolint
+	genCSRCmd.MarkFlagRequired("transit-key")
+	//nolint
+	genCSRCmd.MarkFlagRequired("csr-json")
+
+}
+
+var genCSRCmd = &cobra.Command{
+	Use:   "gencsr",
+	Short: "Generate a CSR from private key in transit backend",
+	Long:  "Generate a CSR from private key in transit backend",
+	Run:   genCSRRun,
+
+	Example: `
+   hc-vault-util transit gencsr --csr-json example/csr.json --transit-key "rsa" 
+
+Mandatory Environment Variables:
+- VAULT_ADDR: Address of the vault server 
+- VAULT_TOKEN: Vault authentication token. With permission to read transit/wrapping_key and write transit/keys/[KEY-NAME]/import.
+
+Optional Environment Variables:
+- VAULT_CACERT: Path to a PEM encoded CA file to verify TLS on the VAULT_ADDR.
+- VAULT_CAPATH: Path to a directory of PEM encoded CA files to verify TLS on the VAULT_ADDR.
+- VAULT_SKIP_VERIFY: To disable TLS verification completely.
+
+
+CSR JSON format: 
+{
+    "hosts": [
+        "cloudflare.com",
+        "www.cloudflare.com"
+    ],
+    "names": [
+        {
+            "C": "US",
+            "L": "San Francisco",
+            "O": "CloudFlare",
+            "OU": "Systems Engineering",
+            "ST": "California"
+        }
+    ]
+}
+ 
+
+`,
+}
+
+// importRun cobra server handler
+func genCSRRun(cmd *cobra.Command, args []string) {
+
+	logger := logger.GenLogger(Debug, noColor)
+
+	transitClient, err := transit.NewTransitClient(logger)
+	if err != nil {
+		logger.Error("Error creating transit client", "error", err)
+		os.Exit(1)
+	}
+
+	// set key properties
+	transitClient.SetKeyProperties(transitMount, transitKey)
+
+	err = transitClient.GenCSR(cfsslCSRFile, keyVersion)
+	if err != nil {
+		logger.Error("Error generating CSR", "error", err)
+		os.Exit(1)
+	}
+
+}

cmd/transit_import.go

@@ -64,7 +64,10 @@ func importRun(cmd *cobra.Command, args []string) {
 		os.Exit(1)
 	}
 
-	err = transitClient.ImportPrivateKey(transitMount, transitKey, privKey)
+	// set key properties
+	transitClient.SetKeyProperties(transitMount, transitKey)
+
+	err = transitClient.ImportPrivateKey(privKey)
 	if err != nil {
 		logger.Error("Error importing key", "error", err)
 		os.Exit(1)

example/csr.json

@@ -0,0 +1,16 @@
+{
+    "CN": "Foo", 
+    "hosts": [
+        "cloudflare.com",
+        "www.cloudflare.com"
+    ],
+    "names": [
+        {
+            "C": "US",
+            "L": "San Francisco",
+            "O": "CloudFlare",
+            "OU": "Systems Engineering",
+            "ST": "California"
+        }
+    ]
+}

go.mod

@@ -3,10 +3,13 @@ module github.com/vdbulcke/hc-vault-util
 go 1.19
 
 require (
+	github.com/cloudflare/cfssl v1.6.3
 	github.com/google/tink/go v1.7.0
 	github.com/hashicorp/go-hclog v1.3.1
 	github.com/hashicorp/vault/api v1.8.1
+	github.com/savaki/jq v0.0.0-20161209013833-0e6baecebbf8
 	github.com/spf13/cobra v1.6.1
+	go.uber.org/zap v1.23.0
 )
 
 require (
@@ -17,6 +20,7 @@ require (
 	github.com/fatih/color v1.13.0 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
+	github.com/google/certificate-transparency-go v1.1.4 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
@@ -35,27 +39,29 @@ require (
 	github.com/hashicorp/vault/sdk v0.6.0 // indirect
 	github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb // indirect
 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/jhump/protoreflect v1.14.0 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
 	github.com/mitchellh/copystructure v1.0.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.0.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/mitchellh/reflectwalk v1.0.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.1 // indirect
 	github.com/oklog/run v1.0.0 // indirect
 	github.com/pierrec/lz4 v2.5.2+incompatible // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	go.uber.org/atomic v1.9.0 // indirect
-	golang.org/x/crypto v0.0.0-20220214200702-86341886e292 // indirect
-	golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect
-	golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
+	go.uber.org/atomic v1.10.0 // indirect
+	go.uber.org/multierr v1.8.0 // indirect
+	golang.org/x/crypto v0.1.0 // indirect
+	golang.org/x/net v0.1.0 // indirect
+	golang.org/x/sys v0.1.0 // indirect
 	golang.org/x/text v0.4.0 // indirect
-	golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 // indirect
-	google.golang.org/genproto v0.0.0-20220218161850-94dd64e39d7c // indirect
-	google.golang.org/grpc v1.44.0 // indirect
-	google.golang.org/protobuf v1.27.1 // indirect
+	golang.org/x/time v0.1.0 // indirect
+	google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c // indirect
+	google.golang.org/grpc v1.50.1 // indirect
+	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )