feat: v0.2.0, support client ca from piv card

2023-10-31 00:14:49 +08:00
parent 723601f19b
commit a9f9c2266c
3 changed files with 34 additions and 10 deletions


@@ -58,3 +58,13 @@ $ java -jar yubikey-ca-java.jar --issue-client-code-ca \
--pin ****** \ --pin ****** \
[--add-to-remote] [--add-to-remote]
``` ```
or
```shell
$ java -jar yubikey-ca-java.jar --issue-client-code-ca \
--sign-slot 89 --cert-slot 90 --subject 'CN=Hatter Signing CA' --valid-years 10 \
--intermediate-ca-id 44 \
--pin ****** \
[--add-to-remote]
```


@@ -2,5 +2,5 @@ package me.hatter.tools.yubikeyca;
public interface YubikeyCaConstant { public interface YubikeyCaConstant {
String NAME = "yubikey-ca"; String NAME = "yubikey-ca";
String VERSION = "0.1.1"; String VERSION = "0.2.0";
} }


@@ -15,6 +15,8 @@ import me.hatter.tools.yubikeyca.cardcli.PivMeta;
import me.hatter.tools.yubikeyca.hatterink.CertificateUtil; import me.hatter.tools.yubikeyca.hatterink.CertificateUtil;
import java.security.KeyPair; import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import java.util.Arrays; import java.util.Arrays;
@@ -49,8 +51,8 @@ public class YubikeyCaMain {
log.error("Intermediate CA id is required."); log.error("Intermediate CA id is required.");
return; return;
} }
if (StringUtil.isEmpty(args.keypairType)) { if (StringUtil.isEmpty(args.keypairType) && StringUtil.isEmpty(args.certSlot)) {
log.error("Keypair type is required."); log.error("Keypair type or cert slot is required.");
return; return;
} }
if (args.issueServerCa && (args.dnsNames == null || args.dnsNames.length == 0)) { if (args.issueServerCa && (args.dnsNames == null || args.dnsNames.length == 0)) {
@@ -58,20 +60,28 @@ public class YubikeyCaMain {
return; return;
} }
final PKType pkType = getPkTypeFromArgs(args);
if (pkType == null) return;
final X509Certificate interCertificate = CertificateUtil.getCertificate(args.pin, args.intermediateCaId); final X509Certificate interCertificate = CertificateUtil.getCertificate(args.pin, args.intermediateCaId);
final PivMeta signPivMeta = CardCliUtil.getPivPublicKey(args.signSlot); final PivMeta signPivMeta = CardCliUtil.getPivPublicKey(args.signSlot);
final KeyPair keyPair = KeyPairTool.instance(pkType).generateKeyPair().getKeyPair(); final PublicKey publicKey;
PrivateKey privateKey = null;
if (StringUtil.isEmpty(args.certSlot)) {
final PKType pkType = getPkTypeFromArgs(args);
if (pkType == null) return;
final KeyPair keyPair = KeyPairTool.instance(pkType).generateKeyPair().getKeyPair();
publicKey = keyPair.getPublic();
privateKey = keyPair.getPrivate();
} else {
final PivMeta certPivMeta = CardCliUtil.getPivPublicKey(args.certSlot);
publicKey = certPivMeta.getPublicKey();
}
final String cardCliCmd = CardCliUtil.getCardCliCmd(); final String cardCliCmd = CardCliUtil.getCardCliCmd();
final CertificateAuthority ca = CertificateAuthority.instance() final CertificateAuthority ca = CertificateAuthority.instance()
.subject(args.subject) .subject(args.subject)
.signCert(interCertificate) .signCert(interCertificate)
.certPubKey(keyPair.getPublic()) .certPubKey(publicKey)
.validYears(validYears(args, 2)) .validYears(validYears(args, 2))
.customerSigner(new CardCliPivCustomerSigner( .customerSigner(new CardCliPivCustomerSigner(
args.pin, args.signSlot, signPivMeta.getAlgorithm(), cardCliCmd)); args.pin, args.signSlot, signPivMeta.getAlgorithm(), cardCliCmd));
@@ -85,7 +95,10 @@ public class YubikeyCaMain {
cert = ca.createClientCert(); cert = ca.createClientCert();
} }
final String certPem = X509CertUtil.serializeX509CertificateToPEM(cert); final String certPem = X509CertUtil.serializeX509CertificateToPEM(cert);
final String privateKeyPem = KeyUtil.serializePrivateKeyToPEM(keyPair.getPrivate()); String privateKeyPem = null;
if (privateKey != null) {
privateKeyPem = KeyUtil.serializePrivateKeyToPEM(privateKey);
}
log.info("Issued CA: \n" + certPem); log.info("Issued CA: \n" + certPem);
if (args.addToRemote) { if (args.addToRemote) {
@@ -108,6 +121,7 @@ public class YubikeyCaMain {
final X509Certificate rootCertificate = CertificateUtil.getCertificate(args.pin, args.rootCaId); final X509Certificate rootCertificate = CertificateUtil.getCertificate(args.pin, args.rootCaId);
final PivMeta signPivMeta = CardCliUtil.getPivPublicKey(args.signSlot);
final PivMeta certPivMeta = CardCliUtil.getPivPublicKey(args.certSlot); final PivMeta certPivMeta = CardCliUtil.getPivPublicKey(args.certSlot);
final String cardCliCmd = CardCliUtil.getCardCliCmd(); final String cardCliCmd = CardCliUtil.getCardCliCmd();
@@ -117,7 +131,7 @@ public class YubikeyCaMain {
.certPubKey(certPivMeta.getPublicKey()) .certPubKey(certPivMeta.getPublicKey())
.validYears(validYears(args, 10)) .validYears(validYears(args, 10))
.customerSigner(new CardCliPivCustomerSigner( .customerSigner(new CardCliPivCustomerSigner(
args.pin, args.signSlot, certPivMeta.getAlgorithm(), cardCliCmd)) args.pin, args.signSlot, signPivMeta.getAlgorithm(), cardCliCmd))
.createIntermediateCert(); .createIntermediateCert();
final String intermediateCaPem = X509CertUtil.serializeX509CertificateToPEM(intermediateCa); final String intermediateCaPem = X509CertUtil.serializeX509CertificateToPEM(intermediateCa);