Implement the 'ca list' and 'ca sign' CLI commands

refs #5450

lib/base/tlsutility.cpp

@@ -575,6 +575,11 @@ boost::shared_ptr<X509> CreateCertIcingaCA(EVP_PKEY *pubkey, X509_NAME *subject)
 	return CreateCert(pubkey, subject, X509_get_subject_name(cacert.get()), privkey, false);
 }
 
+boost::shared_ptr<X509> CreateCertIcingaCA(const boost::shared_ptr<X509>& cert)
+{
+	return CreateCertIcingaCA(X509_get_pubkey(cert.get()), X509_get_subject_name(cert.get()));
+}
+
 String CertificateToString(const boost::shared_ptr<X509>& cert)
 {
 	BIO *mem = BIO_new(BIO_s_mem());

lib/base/tlsutility.hpp

@@ -50,6 +50,7 @@ String I2_BASE_API GetIcingaCADir(void);
 String I2_BASE_API CertificateToString(const boost::shared_ptr<X509>& cert);
 boost::shared_ptr<X509> I2_BASE_API StringToCertificate(const String& cert);
 boost::shared_ptr<X509> I2_BASE_API CreateCertIcingaCA(EVP_PKEY *pubkey, X509_NAME *subject);
+boost::shared_ptr<X509> I2_BASE_API CreateCertIcingaCA(const boost::shared_ptr<X509>& cert);
 String I2_BASE_API PBKDF2_SHA1(const String& password, const String& salt, int iterations);
 String I2_BASE_API SHA1(const String& s, bool binary = false);
 String I2_BASE_API SHA256(const String& s);

lib/cli/CMakeLists.txt

@@ -17,6 +17,7 @@
 
 set(cli_SOURCES
   apisetupcommand.cpp apisetuputility.cpp
+  calistcommand.cpp casigncommand.cpp
   nodeaddcommand.cpp nodeblackandwhitelistcommand.cpp nodelistcommand.cpp noderemovecommand.cpp
   nodesetcommand.cpp nodesetupcommand.cpp nodeupdateconfigcommand.cpp nodewizardcommand.cpp nodeutility.cpp
   clicommand.cpp

lib/cli/calistcommand.cpp

@@ -0,0 +1,79 @@
+/******************************************************************************
+ * Icinga 2                                                                   *
+ * Copyright (C) 2012-2017 Icinga Development Team (https://www.icinga.com/)  *
+ *                                                                            *
+ * This program is free software; you can redistribute it and/or              *
+ * modify it under the terms of the GNU General Public License                *
+ * as published by the Free Software Foundation; either version 2             *
+ * of the License, or (at your option) any later version.                     *
+ *                                                                            *
+ * This program is distributed in the hope that it will be useful,            *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of             *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the              *
+ * GNU General Public License for more details.                               *
+ *                                                                            *
+ * You should have received a copy of the GNU General Public License          *
+ * along with this program; if not, write to the Free Software Foundation     *
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.             *
+ ******************************************************************************/
+
+#include "cli/calistcommand.hpp"
+#include "base/logger.hpp"
+#include "base/application.hpp"
+#include "base/tlsutility.hpp"
+
+using namespace icinga;
+
+REGISTER_CLICOMMAND("ca/list", CAListCommand);
+
+String CAListCommand::GetDescription(void) const
+{
+	return "Lists all certificate signing requests.";
+}
+
+String CAListCommand::GetShortDescription(void) const
+{
+	return "lists all certificate signing requests";
+}
+
+void CAListCommand::PrintRequest(const String& requestFile)
+{
+	Dictionary::Ptr request = Utility::LoadJsonFile(requestFile);
+
+	if (!request)
+		return;
+
+	String fingerprint = Utility::BaseName(requestFile);
+	fingerprint = fingerprint.SubStr(0, fingerprint.GetLength() - 5);
+
+	std::cout << "***\n";
+	std::cout << "Fingerprint: " << fingerprint << "\n";
+
+	String certRequestText = request->Get("cert_request");
+
+	boost::shared_ptr<X509> certRequest = StringToCertificate(certRequestText);
+
+	String cn = GetCertificateCN(certRequest);
+
+	String certResponseText = request->Get("cert_response");
+
+	if (!certResponseText.IsEmpty()) {
+		boost::shared_ptr<X509> certResponse = StringToCertificate(certResponseText);
+	}
+
+	std::cout << "CN: " << cn << "\n";
+	std::cout << "Certificate (request): " << certRequestText << "\n";
+	std::cout << "Certificate (response): " << certResponseText << "\n";
+}
+
+/**
+ * The entry point for the "ca list" CLI command.
+ *
+ * @returns An exit status.
+ */
+int CAListCommand::Run(const boost::program_options::variables_map& vm, const std::vector<std::string>& ap) const
+{
+	Utility::Glob(Application::GetLocalStateDir() + "/lib/icinga2/pki-requests/*.json", &CAListCommand::PrintRequest, GlobFile);
+
+	return 0;
+}

lib/cli/calistcommand.hpp

@@ -0,0 +1,48 @@
+/******************************************************************************
+ * Icinga 2                                                                   *
+ * Copyright (C) 2012-2017 Icinga Development Team (https://www.icinga.com/)  *
+ *                                                                            *
+ * This program is free software; you can redistribute it and/or              *
+ * modify it under the terms of the GNU General Public License                *
+ * as published by the Free Software Foundation; either version 2             *
+ * of the License, or (at your option) any later version.                     *
+ *                                                                            *
+ * This program is distributed in the hope that it will be useful,            *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of             *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the              *
+ * GNU General Public License for more details.                               *
+ *                                                                            *
+ * You should have received a copy of the GNU General Public License          *
+ * along with this program; if not, write to the Free Software Foundation     *
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.             *
+ ******************************************************************************/
+
+#ifndef CALISTCOMMAND_H
+#define CALISTCOMMAND_H
+
+#include "cli/clicommand.hpp"
+
+namespace icinga
+{
+
+/**
+ * The "ca list" command.
+ *
+ * @ingroup cli
+ */
+class CAListCommand : public CLICommand
+{
+public:
+	DECLARE_PTR_TYPEDEFS(CAListCommand);
+
+	virtual String GetDescription(void) const override;
+	virtual String GetShortDescription(void) const override;
+	virtual int Run(const boost::program_options::variables_map& vm, const std::vector<std::string>& ap) const override;
+
+private:
+	static void PrintRequest(const String& requestFile);
+};
+
+}
+
+#endif /* CALISTCOMMAND_H */

lib/cli/casigncommand.cpp

@@ -0,0 +1,74 @@
+/******************************************************************************
+ * Icinga 2                                                                   *
+ * Copyright (C) 2012-2017 Icinga Development Team (https://www.icinga.com/)  *
+ *                                                                            *
+ * This program is free software; you can redistribute it and/or              *
+ * modify it under the terms of the GNU General Public License                *
+ * as published by the Free Software Foundation; either version 2             *
+ * of the License, or (at your option) any later version.                     *
+ *                                                                            *
+ * This program is distributed in the hope that it will be useful,            *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of             *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the              *
+ * GNU General Public License for more details.                               *
+ *                                                                            *
+ * You should have received a copy of the GNU General Public License          *
+ * along with this program; if not, write to the Free Software Foundation     *
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.             *
+ ******************************************************************************/
+
+#include "cli/casigncommand.hpp"
+#include "base/logger.hpp"
+#include "base/application.hpp"
+#include "base/tlsutility.hpp"
+
+using namespace icinga;
+
+REGISTER_CLICOMMAND("ca/sign", CASignCommand);
+
+String CASignCommand::GetDescription(void) const
+{
+	return "Signs an outstanding certificate request.";
+}
+
+String CASignCommand::GetShortDescription(void) const
+{
+	return "signs an outstanding certificate request";
+}
+
+int CASignCommand::GetMinArguments(void) const
+{
+	return 1;
+}
+
+ImpersonationLevel CASignCommand::GetImpersonationLevel(void) const
+{
+        return ImpersonateIcinga;
+}
+
+/**
+ * The entry point for the "ca sign" CLI command.
+ *
+ * @returns An exit status.
+ */
+int CASignCommand::Run(const boost::program_options::variables_map& vm, const std::vector<std::string>& ap) const
+{
+	String requestFile = Application::GetLocalStateDir() + "/lib/icinga2/pki-requests/" + ap[0] + ".json";
+
+	Dictionary::Ptr request = Utility::LoadJsonFile(requestFile);
+
+	if (!request)
+		return 1;
+
+	String certRequestText = request->Get("cert_request");
+
+	boost::shared_ptr<X509> certRequest = StringToCertificate(certRequestText);
+
+	boost::shared_ptr<X509> certResponse = CreateCertIcingaCA(certRequest);
+
+	request->Set("cert_response", CertificateToString(certResponse));
+
+	Utility::SaveJsonFile(requestFile, 0600, request);
+
+	return 0;
+}

lib/cli/casigncommand.hpp

@@ -0,0 +1,47 @@
+/******************************************************************************
+ * Icinga 2                                                                   *
+ * Copyright (C) 2012-2017 Icinga Development Team (https://www.icinga.com/)  *
+ *                                                                            *
+ * This program is free software; you can redistribute it and/or              *
+ * modify it under the terms of the GNU General Public License                *
+ * as published by the Free Software Foundation; either version 2             *
+ * of the License, or (at your option) any later version.                     *
+ *                                                                            *
+ * This program is distributed in the hope that it will be useful,            *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of             *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the              *
+ * GNU General Public License for more details.                               *
+ *                                                                            *
+ * You should have received a copy of the GNU General Public License          *
+ * along with this program; if not, write to the Free Software Foundation     *
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.             *
+ ******************************************************************************/
+
+#ifndef CASIGNCOMMAND_H
+#define CASIGNCOMMAND_H
+
+#include "cli/clicommand.hpp"
+
+namespace icinga
+{
+
+/**
+ * The "ca sign" command.
+ *
+ * @ingroup cli
+ */
+class CASignCommand : public CLICommand
+{
+public:
+	DECLARE_PTR_TYPEDEFS(CASignCommand);
+
+	virtual String GetDescription(void) const override;
+	virtual String GetShortDescription(void) const override;
+	virtual int GetMinArguments(void) const override;
+	virtual ImpersonationLevel GetImpersonationLevel(void) const override;
+	virtual int Run(const boost::program_options::variables_map& vm, const std::vector<std::string>& ap) const override;
+};
+
+}
+
+#endif /* CASIGNCOMMAND_H */