Merge pull request #72 from smallstep/truststore

maraino · web-flow · commit 28e3ac9dc5ec · 2019-02-06T18:53:47.000-08:00
Support for step certificate install.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/Gopkg.toml b/Gopkg.toml
@@ -66,3 +66,7 @@ required = [
 [[constraint]]
   branch = "master"
   name = "github.com/smallstep/certificates"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/smallstep/truststore"
diff --git a/command/ca/bootstrap.go b/command/ca/bootstrap.go
@@ -15,6 +15,7 @@ import (
 	"github.com/smallstep/cli/flags"
 	"github.com/smallstep/cli/ui"
 	"github.com/smallstep/cli/utils"
+	"github.com/smallstep/truststore"
 	"github.com/urfave/cli"
 )
 
@@ -23,7 +24,7 @@ func bootstrapCommand() cli.Command {
 		Name:      "bootstrap",
 		Action:    command.ActionFunc(bootstrapAction),
 		Usage:     "initialize the environment to use the CA commands",
-		UsageText: "**step ca bootstrap** [**--ca-url**=<uri>] [**--fingerprint**=<fingerprint>]",
+		UsageText: `**step ca bootstrap** [**--ca-url**=<uri>] [**--fingerprint**=<fingerprint>] [**--install**]`,
 		Description: `**step ca bootstrap** downloads the root certificate from the certificate
 authority and sets up the current environment to use it.
 
@@ -33,7 +34,14 @@ url, the root certificate location and its fingerprint.
 
 After the bootstrap, ca commands do not need to specify the flags 
 --ca-url, --root or --fingerprint if we want to use the same environment.`,
-		Flags: []cli.Flag{caURLFlag, fingerprintFlag, flags.Force},
+		Flags: []cli.Flag{
+			caURLFlag,
+			fingerprintFlag,
+			cli.BoolFlag{
+				Name:  "install",
+				Usage: "Install the root certificate into the system truststore.",
+			},
+			flags.Force},
 	}
 }
 
@@ -104,5 +112,15 @@ func bootstrapAction(ctx *cli.Context) error {
 	}
 
 	ui.Printf("Your configuration has been saved in %s.\n", configFile)
+
+	if ctx.Bool("install") {
+		ui.Printf("Installing the root certificate in the system truststore... ")
+		if err := truststore.InstallFile(rootFile); err != nil {
+			ui.Println()
+			return err
+		}
+		ui.Println("done.")
+	}
+
 	return nil
 }
diff --git a/command/certificate/certificate.go b/command/certificate/certificate.go
@@ -20,7 +20,7 @@ of private keys.
 
 ## EXAMPLES
 
-Create a root certifciate and private key using the default parameters (EC P-256 curve):
+Create a root certificate and private key using the default parameters (EC P-256 curve):
 '''
 $ step certificate create foo foo.crt foo.key --profile root-ca
 '''
@@ -69,7 +69,16 @@ Extract the public key from a PEM encoded certificate:
 '''
 $ step certificate key foo.crt
 '''
-`,
+
+Install a root certificate in the system truststore:
+'''
+$ step certificate install root-ca.crt
+'''
+
+Uninstall a root certificate from the system truststore:
+'''
+$ step certificate uninstall root-ca.crt
+'''`,
 
 		Subcommands: cli.Commands{
 			bundleCommand(),
@@ -81,6 +90,8 @@ $ step certificate key foo.crt
 			signCommand(),
 			verifyCommand(),
 			keyCommand(),
+			installCommand(),
+			uninstallCommand(),
 		},
 	}
 
diff --git a/command/certificate/install.go b/command/certificate/install.go
@@ -0,0 +1,240 @@
+package certificate
+
+import (
+	"strings"
+
+	"github.com/pkg/errors"
+	"github.com/smallstep/cli/command"
+	"github.com/smallstep/cli/crypto/pemutil"
+	"github.com/smallstep/cli/errs"
+	"github.com/smallstep/cli/ui"
+	"github.com/smallstep/truststore"
+	"github.com/urfave/cli"
+)
+
+func installCommand() cli.Command {
+	return cli.Command{
+		Name:   "install",
+		Action: command.ActionFunc(installAction),
+		Usage:  "install a root certificate in the system truststore",
+		UsageText: `**step certificate install** <crt-file>
+		[**--prefix**=<name>] [**--all**]
+		[**--java**] [**--firefox**] [**--no-system**]`,
+		Description: `**step certificate install** installs a root certificate in the system
+truststore.
+
+Java and Firefox truststores are also supported via the respective flags.
+
+## POSITIONAL ARGUMENTS
+
+<crt-file>
+:  Certificate to install in the system truststore
+
+## EXAMPLES
+
+Install a certificate in the system truststore:
+'''
+$ step certificate install root-ca.pem
+'''
+
+Install a certificate in all the supported truststores:
+'''
+$ step certificate install --all root-ca.pem
+'''
+
+Install a certificate in Firefox and the system trustore:
+'''
+$ step certificate install --firefox root--ca.pem
+'''
+
+Install a certificate in Java and the system trustore:
+'''
+$ step certificate install --java root-ca.pem
+'''
+
+Install a certificate in Firefox, Java, but not in the system trustore:
+'''
+$ step certificate install --firefox --java --no-system root-ca.pem
+'''`,
+		Flags: []cli.Flag{
+			cli.StringFlag{
+				Name: "prefix",
+				Usage: `The prefix used to <name> the CA in the truststore. Defaults to the
+certificate common name.`,
+			},
+			cli.BoolFlag{
+				Name:  "java",
+				Usage: "install on the Java key store",
+			},
+			cli.BoolFlag{
+				Name:  "firefox",
+				Usage: "install on the Firefox NSS security database",
+			},
+			cli.BoolFlag{
+				Name:  "no-system",
+				Usage: "disables the install on the system truststore",
+			},
+			cli.BoolFlag{
+				Name:  "all",
+				Usage: "install on the system, Firefox and Java truststores",
+			},
+		},
+	}
+}
+
+func uninstallCommand() cli.Command {
+	return cli.Command{
+		Name:   "uninstall",
+		Action: command.ActionFunc(uninstallAction),
+		Usage:  "uninstall a root certificate from the system truststore",
+		UsageText: `**step certificate uninstall** <crt-file>
+		[**--prefix**=<name>] [**--all**]
+		[**--java**] [**--firefox**] [**--no-system**]`,
+		Description: `**step certificate install** uninstalls a root certificate from the system
+truststore.
+
+Java and Firefox truststores are also supported via the respective flags.
+
+## POSITIONAL ARGUMENTS
+
+<crt-file>
+:  Certificate to uninstall from the system truststore
+
+## EXAMPLES
+
+Uninstall from only the system truststore:
+'''
+$ step certificate uninstall root-ca.pem
+'''
+
+Uninstall a certificate from all the supported truststores:
+'''
+$ step certificate uninstall =-all root-ca.pem
+'''
+
+Uninstall a certificate from Firefox and the system trustore:
+'''
+$ step certificate uninstall --firefox root--ca.pem
+'''
+
+Uninstall a certificate infrom Java and the system trustore:
+'''
+$ step certificate uninstall --java root-ca.pem
+'''
+
+Uninstall a certificate from Firefox, Java, but not from the system:
+'''
+$ step certificate uninstall --firefox --java --no-system root-ca.pem
+'''`,
+		Flags: []cli.Flag{
+			cli.StringFlag{
+				Name: "prefix",
+				Usage: `The prefix used to <name> the CA in the truststore. Defaults to the
+certificate common name.`,
+			},
+			cli.BoolFlag{
+				Name:  "java",
+				Usage: "uninstall from the Java key store",
+			},
+			cli.BoolFlag{
+				Name:  "firefox",
+				Usage: "uninstall from the Firefox NSS security database",
+			},
+			cli.BoolFlag{
+				Name:  "no-system",
+				Usage: "disables the uninstall from the system truststore",
+			},
+			cli.BoolFlag{
+				Name:  "all",
+				Usage: "uninstall from the system, Firefox and Java truststores",
+			},
+		},
+	}
+}
+
+func installAction(ctx *cli.Context) error {
+	if err := errs.NumberOfArguments(ctx, 1); err != nil {
+		return err
+	}
+
+	filename := ctx.Args().Get(0)
+	opts, err := getTruststoreOptions(ctx)
+	if err != nil {
+		return err
+	}
+
+	if err := truststore.InstallFile(filename, opts...); err != nil {
+		switch err := err.(type) {
+		case *truststore.CmdError:
+			return errors.Errorf("failed to execute \"%s\" failed with: %s", strings.Join(err.Cmd().Args, " "), err.Err())
+		default:
+			return errors.Wrapf(err, "failed to install %s", filename)
+		}
+	}
+
+	ui.Printf("Certificate %s has been installed.", filename)
+	return nil
+}
+
+func uninstallAction(ctx *cli.Context) error {
+	if err := errs.NumberOfArguments(ctx, 1); err != nil {
+		return err
+	}
+
+	filename := ctx.Args().Get(0)
+	opts, err := getTruststoreOptions(ctx)
+	if err != nil {
+		return err
+	}
+
+	if err := truststore.UninstallFile(filename, opts...); err != nil {
+		switch err := err.(type) {
+		case *truststore.CmdError:
+			return errors.Errorf("failed to execute \"%s\" failed with: %s", strings.Join(err.Cmd().Args, " "), err.Err())
+		default:
+			return errors.Wrapf(err, "failed to uninstall %s", filename)
+		}
+	}
+
+	ui.Printf("Certificate %s has been removed.", filename)
+	return nil
+}
+
+func getTruststoreOptions(ctx *cli.Context) ([]truststore.Option, error) {
+	cert, err := pemutil.ReadCertificate(ctx.Args().Get(0))
+	if err != nil {
+		return nil, err
+	}
+
+	if !cert.IsCA || cert.CheckSignatureFrom(cert) != nil {
+		return nil, errors.Errorf("certificate %s is not a root CA", ctx.Args().Get(0))
+	}
+
+	prefix := ctx.String("prefix")
+	if prefix == "" {
+		if len(cert.Subject.CommonName) > 0 {
+			prefix = cert.Subject.CommonName + " "
+		} else {
+			prefix = "Smallstep Development CA "
+		}
+	}
+
+	opts := []truststore.Option{
+		truststore.WithPrefix(prefix),
+	}
+
+	if ctx.Bool("all") {
+		opts = append(opts, truststore.WithJava(), truststore.WithFirefox())
+	} else {
+		if ctx.Bool("java") {
+			opts = append(opts, truststore.WithJava())
+		}
+		if ctx.Bool("firefox") {
+			opts = append(opts, truststore.WithFirefox())
+		}
+	}
+	if ctx.Bool("no-system") {
+		opts = append(opts, truststore.WithNoSystem())
+	}
+	return opts, nil
+}
