/****************************************************************************** * Icinga 2 * * Copyright (C) 2012-2017 Icinga Development Team (https://www.icinga.com/) * * * * This program is free software; you can redistribute it and/or * * modify it under the terms of the GNU General Public License * * as published by the Free Software Foundation; either version 2 * * of the License, or (at your option) any later version. * * * * This program is distributed in the hope that it will be useful, * * but WITHOUT ANY WARRANTY; without even the implied warranty of * * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * * GNU General Public License for more details. * * * * You should have received a copy of the GNU General Public License * * along with this program; if not, write to the Free Software Foundation * * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. * ******************************************************************************/ #include "cli/casigncommand.hpp" #include "remote/apilistener.hpp" #include "base/logger.hpp" #include "base/application.hpp" #include "base/tlsutility.hpp" using namespace icinga; REGISTER_CLICOMMAND("ca/sign", CASignCommand); String CASignCommand::GetDescription(void) const { return "Signs an outstanding certificate request."; } String CASignCommand::GetShortDescription(void) const { return "signs an outstanding certificate request"; } int CASignCommand::GetMinArguments(void) const { return 1; } ImpersonationLevel CASignCommand::GetImpersonationLevel(void) const { return ImpersonateIcinga; } /** * The entry point for the "ca sign" CLI command. * * @returns An exit status. */ int CASignCommand::Run(const boost::program_options::variables_map& vm, const std::vector& ap) const { String requestFile = ApiListener::GetCertificateRequestsDir() + "/" + ap[0] + ".json"; if (!Utility::PathExists(requestFile)) { Log(LogCritical, "cli") << "No request exists for fingerprint '" << ap[0] << "'."; return 1; } Dictionary::Ptr request = Utility::LoadJsonFile(requestFile); if (!request) return 1; String certRequestText = request->Get("cert_request"); std::shared_ptr certRequest = StringToCertificate(certRequestText); if (!certRequest) { Log(LogCritical, "cli", "Certificate request is invalid. Could not parse X.509 certificate for the 'cert_request' attribute."); return 1; } std::shared_ptr certResponse = CreateCertIcingaCA(certRequest); BIO *out = BIO_new(BIO_s_mem()); X509_NAME_print_ex(out, X509_get_subject_name(certRequest.get()), 0, XN_FLAG_ONELINE & ~ASN1_STRFLGS_ESC_MSB); char *data; long length; length = BIO_get_mem_data(out, &data); String subject = String(data, data + length); BIO_free(out); if (!certResponse) { Log(LogCritical, "cli") << "Could not sign certificate for '" << subject << "'."; return 1; } request->Set("cert_response", CertificateToString(certResponse)); Utility::SaveJsonFile(requestFile, 0600, request); Log(LogInformation, "cli") << "Signed certificate for '" << subject << "'."; return 0; }