Implemented basic functionality.
This commit is contained in:
429
ca.go
429
ca.go
@@ -1,6 +1,7 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/rand"
|
||||
"crypto/rsa"
|
||||
"crypto/x509"
|
||||
@@ -8,8 +9,11 @@ import (
|
||||
"encoding/pem"
|
||||
"fmt"
|
||||
"math/big"
|
||||
"net"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"text/template"
|
||||
"time"
|
||||
|
||||
gohcl "github.com/hashicorp/hcl/v2/gohcl"
|
||||
@@ -22,20 +26,44 @@ type Paths struct {
|
||||
}
|
||||
|
||||
type CA struct {
|
||||
Label string `hcl:",label"`
|
||||
Name string `hcl:"name"`
|
||||
Country string `hcl:"country"`
|
||||
Organization string `hcl:"organization"`
|
||||
SerialType string `hcl:"serial_type"`
|
||||
KeySize int `hcl:"key_size,optional"`
|
||||
Validity string `hcl:"validity,optional"`
|
||||
Paths Paths `hcl:"paths,block"`
|
||||
Label string `hcl:",label"`
|
||||
Name string `hcl:"name"`
|
||||
Country string `hcl:"country"`
|
||||
Organization string `hcl:"organization"`
|
||||
OrganizationalUnit string `hcl:"organizational_unit,optional"`
|
||||
Locality string `hcl:"locality,optional"`
|
||||
Province string `hcl:"province,optional"`
|
||||
Email string `hcl:"email,optional"`
|
||||
SerialType string `hcl:"serial_type,optional"`
|
||||
KeySize int `hcl:"key_size,optional"`
|
||||
Validity string `hcl:"validity,optional"`
|
||||
Paths Paths `hcl:"paths,block"`
|
||||
}
|
||||
|
||||
type Configuration struct {
|
||||
CA CA `hcl:"ca,block"`
|
||||
}
|
||||
|
||||
type CertificateDef struct {
|
||||
Name string `hcl:",label"`
|
||||
Subject string `hcl:"subject,optional"`
|
||||
Type string `hcl:"type,optional"`
|
||||
Validity string `hcl:"validity,optional"`
|
||||
SAN []string `hcl:"san,optional"`
|
||||
}
|
||||
|
||||
type CertificateDefaults struct {
|
||||
Subject string `hcl:"subject,optional"`
|
||||
Type string `hcl:"type,optional"`
|
||||
Validity string `hcl:"validity,optional"`
|
||||
SAN []string `hcl:"san,optional"`
|
||||
}
|
||||
|
||||
type Certificates struct {
|
||||
Defaults *CertificateDefaults `hcl:"defaults,block"`
|
||||
Certificates []CertificateDef `hcl:"certificate,block"`
|
||||
}
|
||||
|
||||
func LoadCA(path string) (*CA, error) {
|
||||
parser := hclparse.NewParser()
|
||||
file, diags := parser.ParseHCLFile(path)
|
||||
@@ -56,6 +84,21 @@ func LoadCA(path string) (*CA, error) {
|
||||
return &config.CA, nil
|
||||
}
|
||||
|
||||
// Parse certificates.hcl file with defaults support
|
||||
func LoadCertificatesFile(path string) ([]CertificateDef, *CertificateDefaults, error) {
|
||||
parser := hclparse.NewParser()
|
||||
file, diags := parser.ParseHCLFile(path)
|
||||
if diags.HasErrors() {
|
||||
return nil, nil, fmt.Errorf("failed to parse HCL: %s", diags.Error())
|
||||
}
|
||||
var certsFile Certificates
|
||||
diags = gohcl.DecodeBody(file.Body, nil, &certsFile)
|
||||
if diags.HasErrors() {
|
||||
return nil, nil, fmt.Errorf("failed to decode HCL: %s", diags.Error())
|
||||
}
|
||||
return certsFile.Certificates, certsFile.Defaults, nil
|
||||
}
|
||||
|
||||
func parseValidity(validity string) (time.Duration, error) {
|
||||
if validity == "" {
|
||||
return time.Hour * 24 * 365 * 5, nil // default 5 years
|
||||
@@ -105,9 +148,12 @@ func GenerateCA(ca *CA) ([]byte, []byte, error) {
|
||||
tmpl := x509.Certificate{
|
||||
SerialNumber: serialNumber,
|
||||
Subject: pkix.Name{
|
||||
Country: []string{ca.Country},
|
||||
Organization: []string{ca.Organization},
|
||||
CommonName: ca.Name,
|
||||
Country: []string{ca.Country},
|
||||
Organization: []string{ca.Organization},
|
||||
OrganizationalUnit: optionalSlice(ca.OrganizationalUnit),
|
||||
Locality: optionalSlice(ca.Locality),
|
||||
Province: optionalSlice(ca.Province),
|
||||
CommonName: ca.Name,
|
||||
},
|
||||
NotBefore: now,
|
||||
NotAfter: now.Add(validity),
|
||||
@@ -115,6 +161,13 @@ func GenerateCA(ca *CA) ([]byte, []byte, error) {
|
||||
BasicConstraintsValid: true,
|
||||
IsCA: true,
|
||||
}
|
||||
// Add email if present
|
||||
if ca.Email != "" {
|
||||
tmpl.Subject.ExtraNames = append(tmpl.Subject.ExtraNames, pkix.AttributeTypeAndValue{
|
||||
Type: []int{1, 2, 840, 113549, 1, 9, 1}, // emailAddress OID
|
||||
Value: ca.Email,
|
||||
})
|
||||
}
|
||||
certDER, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &priv.PublicKey, priv)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
@@ -160,6 +213,7 @@ func (c *CA) Validate() error {
|
||||
if c.Organization == "" {
|
||||
return fmt.Errorf("CA 'organization' is required")
|
||||
}
|
||||
// SerialType is now optional; default to 'random' if empty
|
||||
if c.SerialType == "" {
|
||||
c.SerialType = "random"
|
||||
}
|
||||
@@ -209,7 +263,12 @@ func InitCA(configPath string, overwrite bool) {
|
||||
fmt.Println("CA certificate and key generated.")
|
||||
}
|
||||
|
||||
func IssueCertificate(configPath, subject string, overwrite bool) {
|
||||
func IssueCertificate(configPath, name string, subject, certType, validityFlag string, san []string, overwrite bool) {
|
||||
// Add default dns SAN for server/server-only if none specified
|
||||
if (certType == "server" || certType == "server-only") && len(san) == 0 {
|
||||
san = append(san, "dns:"+subject)
|
||||
}
|
||||
|
||||
ca, err := LoadCA(configPath)
|
||||
if err != nil {
|
||||
fmt.Println("Error loading config:", err)
|
||||
@@ -262,16 +321,66 @@ func IssueCertificate(configPath, subject string, overwrite bool) {
|
||||
fmt.Println("Failed to generate serial number:", err)
|
||||
return
|
||||
}
|
||||
|
||||
var validity time.Duration
|
||||
if validityFlag != "" {
|
||||
validity, err = parseValidity(validityFlag)
|
||||
if err != nil {
|
||||
fmt.Println("Invalid validity value:", err)
|
||||
return
|
||||
}
|
||||
} else {
|
||||
validity = 365 * 24 * time.Hour // default 1 year
|
||||
}
|
||||
|
||||
// Parse subject as DN if it looks like a DN, otherwise use as CommonName only
|
||||
var subjectPKIX pkix.Name
|
||||
if isDNFormat(subject) {
|
||||
subjectPKIX = parseDistinguishedName(subject)
|
||||
} else {
|
||||
subjectPKIX = pkix.Name{CommonName: subject}
|
||||
}
|
||||
|
||||
certTmpl := x509.Certificate{
|
||||
SerialNumber: serialNumber,
|
||||
Subject: pkix.Name{
|
||||
CommonName: subject,
|
||||
},
|
||||
NotBefore: time.Now(),
|
||||
NotAfter: time.Now().AddDate(1, 0, 0), // 1 year
|
||||
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
|
||||
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
|
||||
Subject: subjectPKIX,
|
||||
NotBefore: time.Now(),
|
||||
NotAfter: time.Now().Add(validity),
|
||||
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
|
||||
}
|
||||
|
||||
// Handle SANs
|
||||
for _, s := range san {
|
||||
sLower := strings.ToLower(s)
|
||||
var val string
|
||||
if n, _ := fmt.Sscanf(sLower, "dns:%s", &val); n == 1 {
|
||||
certTmpl.DNSNames = append(certTmpl.DNSNames, val)
|
||||
} else if n, _ := fmt.Sscanf(sLower, "ip:%s", &val); n == 1 {
|
||||
certTmpl.IPAddresses = append(certTmpl.IPAddresses, net.ParseIP(val))
|
||||
} else if n, _ := fmt.Sscanf(sLower, "email:%s", &val); n == 1 {
|
||||
certTmpl.EmailAddresses = append(certTmpl.EmailAddresses, val)
|
||||
} else {
|
||||
fmt.Printf("Invalid SAN format: %s\n", s)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
switch certType {
|
||||
case "client":
|
||||
certTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
|
||||
case "server":
|
||||
certTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
|
||||
case "server-only":
|
||||
certTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
|
||||
case "code-signing":
|
||||
certTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
|
||||
case "email":
|
||||
certTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
|
||||
default:
|
||||
fmt.Println("Unknown certificate type. Use one of: client, server, server-only, code-signing, email.")
|
||||
return
|
||||
}
|
||||
|
||||
certDER, err := x509.CreateCertificate(rand.Reader, &certTmpl, caCert, &priv.PublicKey, caKey)
|
||||
if err != nil {
|
||||
fmt.Println("Failed to create certificate:", err)
|
||||
@@ -280,8 +389,12 @@ func IssueCertificate(configPath, subject string, overwrite bool) {
|
||||
certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
|
||||
keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
|
||||
|
||||
certFile := filepath.Join(ca.Paths.Certificates, subject+".crt.pem")
|
||||
keyFile := filepath.Join(ca.Paths.PrivateKeys, subject+".key.pem")
|
||||
basename := name
|
||||
if basename == "" {
|
||||
basename = subject
|
||||
}
|
||||
certFile := filepath.Join(ca.Paths.Certificates, basename+"."+certType+".crt.pem")
|
||||
keyFile := filepath.Join(ca.Paths.PrivateKeys, basename+"."+certType+".key.pem")
|
||||
if err := SavePEM(certFile, certPEM, false, overwrite); err != nil {
|
||||
fmt.Println("Error saving certificate:", err)
|
||||
return
|
||||
@@ -290,5 +403,277 @@ func IssueCertificate(configPath, subject string, overwrite bool) {
|
||||
fmt.Println("Error saving key:", err)
|
||||
return
|
||||
}
|
||||
fmt.Printf("Certificate and key for '%s' generated.\n", subject)
|
||||
fmt.Printf("%s certificate and key for '%s' generated.\n", certType, subject)
|
||||
}
|
||||
|
||||
// Extract defaults from certificates.hcl (now using new LoadCertificatesFile signature)
|
||||
func GetCertificateDefaults(path string) CertificateDef {
|
||||
_, defaults, err := LoadCertificatesFile(path)
|
||||
if err != nil || defaults == nil {
|
||||
return CertificateDef{}
|
||||
}
|
||||
return CertificateDef{
|
||||
Type: defaults.Type,
|
||||
Validity: defaults.Validity,
|
||||
SAN: defaults.SAN,
|
||||
}
|
||||
}
|
||||
|
||||
// Issue certificate with custom basename and dry-run support
|
||||
func IssueCertificateWithBasename(configPath, basename, subject, certType, validityFlag string, san []string, overwrite, dryRun bool) error {
|
||||
if dryRun {
|
||||
fmt.Printf("Would issue certificate: name=%s, subject=%s, type=%s, validity=%s, SAN=%v\n", basename, subject, certType, validityFlag, san)
|
||||
return nil
|
||||
}
|
||||
// Call IssueCertificate but override basename logic
|
||||
return issueCertificateInternal(configPath, basename, subject, certType, validityFlag, san, overwrite)
|
||||
}
|
||||
|
||||
// Internal: like IssueCertificate but with explicit basename
|
||||
func issueCertificateInternal(configPath, basename, subject, certType, validityFlag string, san []string, overwrite bool) error {
|
||||
// Add default dns SAN for server/server-only if none specified
|
||||
if (certType == "server" || certType == "server-only") && len(san) == 0 {
|
||||
san = append(san, "dns:"+subject)
|
||||
}
|
||||
|
||||
ca, err := LoadCA(configPath)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Error loading config: %v", err)
|
||||
}
|
||||
|
||||
caCertPath := filepath.Join(ca.Paths.Certificates, "ca_cert.pem")
|
||||
caKeyPath := filepath.Join(ca.Paths.PrivateKeys, "ca_key.pem")
|
||||
|
||||
caCertPEM, err := os.ReadFile(caCertPath)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Error reading CA certificate file: %v", err)
|
||||
}
|
||||
caKeyPEM, err := os.ReadFile(caKeyPath)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Error reading CA key file: %v", err)
|
||||
}
|
||||
|
||||
caCertBlock, _ := pem.Decode(caCertPEM)
|
||||
if caCertBlock == nil {
|
||||
return fmt.Errorf("Failed to parse CA certificate PEM")
|
||||
}
|
||||
caCert, err := x509.ParseCertificate(caCertBlock.Bytes)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Failed to parse CA certificate: %v", err)
|
||||
}
|
||||
caKeyBlock, _ := pem.Decode(caKeyPEM)
|
||||
if caKeyBlock == nil {
|
||||
return fmt.Errorf("Failed to parse CA key PEM")
|
||||
}
|
||||
caKey, err := x509.ParsePKCS1PrivateKey(caKeyBlock.Bytes)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Failed to parse CA private key: %v", err)
|
||||
}
|
||||
|
||||
priv, err := rsa.GenerateKey(rand.Reader, 4096)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Failed to generate private key: %v", err)
|
||||
}
|
||||
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
|
||||
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Failed to generate serial number: %v", err)
|
||||
}
|
||||
|
||||
var validity time.Duration
|
||||
if validityFlag != "" {
|
||||
validity, err = parseValidity(validityFlag)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Invalid validity value: %v", err)
|
||||
}
|
||||
} else {
|
||||
validity = 365 * 24 * time.Hour // default 1 year
|
||||
}
|
||||
|
||||
// Parse subject as DN if it looks like a DN, otherwise use as CommonName only
|
||||
var subjectPKIX pkix.Name
|
||||
if isDNFormat(subject) {
|
||||
subjectPKIX = parseDistinguishedName(subject)
|
||||
} else {
|
||||
subjectPKIX = pkix.Name{CommonName: subject}
|
||||
}
|
||||
|
||||
certTmpl := x509.Certificate{
|
||||
SerialNumber: serialNumber,
|
||||
Subject: subjectPKIX,
|
||||
NotBefore: time.Now(),
|
||||
NotAfter: time.Now().Add(validity),
|
||||
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
|
||||
}
|
||||
|
||||
// Handle SANs
|
||||
for _, s := range san {
|
||||
sLower := strings.ToLower(s)
|
||||
var val string
|
||||
if n, _ := fmt.Sscanf(sLower, "dns:%s", &val); n == 1 {
|
||||
certTmpl.DNSNames = append(certTmpl.DNSNames, val)
|
||||
} else if n, _ := fmt.Sscanf(sLower, "ip:%s", &val); n == 1 {
|
||||
certTmpl.IPAddresses = append(certTmpl.IPAddresses, net.ParseIP(val))
|
||||
} else if n, _ := fmt.Sscanf(sLower, "email:%s", &val); n == 1 {
|
||||
certTmpl.EmailAddresses = append(certTmpl.EmailAddresses, val)
|
||||
} else {
|
||||
return fmt.Errorf("Invalid SAN format: %s", s)
|
||||
}
|
||||
}
|
||||
|
||||
switch certType {
|
||||
case "client":
|
||||
certTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
|
||||
case "server":
|
||||
certTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
|
||||
case "server-only":
|
||||
certTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
|
||||
case "code-signing":
|
||||
certTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
|
||||
case "email":
|
||||
certTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
|
||||
default:
|
||||
return fmt.Errorf("Unknown certificate type. Use one of: client, server, server-only, code-signing, email.")
|
||||
}
|
||||
|
||||
certDER, err := x509.CreateCertificate(rand.Reader, &certTmpl, caCert, &priv.PublicKey, caKey)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Failed to create certificate: %v", err)
|
||||
}
|
||||
certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
|
||||
keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
|
||||
|
||||
certFile := filepath.Join(ca.Paths.Certificates, basename+".crt.pem")
|
||||
keyFile := filepath.Join(ca.Paths.PrivateKeys, basename+".key.pem")
|
||||
if err := SavePEM(certFile, certPEM, false, overwrite); err != nil {
|
||||
return fmt.Errorf("Error saving certificate: %v", err)
|
||||
}
|
||||
if err := SavePEM(keyFile, keyPEM, true, overwrite); err != nil {
|
||||
return fmt.Errorf("Error saving key: %v", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// Helper: check if string looks like a DN (contains at least CN=...)
|
||||
func isDNFormat(s string) bool {
|
||||
return len(s) > 0 && strings.Contains(s, "CN=")
|
||||
}
|
||||
|
||||
// Helper: parse DN string into pkix.Name (supports CN, C, O, OU, L, ST, emailAddress)
|
||||
func parseDistinguishedName(dn string) pkix.Name {
|
||||
var name pkix.Name
|
||||
parts := strings.Split(dn, ",")
|
||||
for _, part := range parts {
|
||||
kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
|
||||
if len(kv) != 2 {
|
||||
continue
|
||||
}
|
||||
key, val := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
|
||||
switch key {
|
||||
case "CN":
|
||||
name.CommonName = val
|
||||
case "C":
|
||||
name.Country = append(name.Country, val)
|
||||
case "O":
|
||||
name.Organization = append(name.Organization, val)
|
||||
case "OU":
|
||||
name.OrganizationalUnit = append(name.OrganizationalUnit, val)
|
||||
case "L":
|
||||
name.Locality = append(name.Locality, val)
|
||||
case "ST":
|
||||
name.Province = append(name.Province, val)
|
||||
case "emailAddress":
|
||||
name.ExtraNames = append(name.ExtraNames, pkix.AttributeTypeAndValue{
|
||||
Type: []int{1, 2, 840, 113549, 1, 9, 1}, // emailAddress OID
|
||||
Value: val,
|
||||
})
|
||||
}
|
||||
}
|
||||
return name
|
||||
}
|
||||
|
||||
// Helper: apply Go template to a string using CertificateDef and CertificateDefaults as data
|
||||
func applyTemplate(s string, def CertificateDef, defaults *CertificateDefaults) (string, error) {
|
||||
data := struct {
|
||||
CertificateDef
|
||||
Defaults *CertificateDefaults
|
||||
}{
|
||||
CertificateDef: def,
|
||||
Defaults: defaults,
|
||||
}
|
||||
tmpl, err := template.New("").Parse(s)
|
||||
if err != nil {
|
||||
return s, err
|
||||
}
|
||||
var buf bytes.Buffer
|
||||
if err := tmpl.Execute(&buf, data); err != nil {
|
||||
return s, err
|
||||
}
|
||||
return buf.String(), nil
|
||||
}
|
||||
|
||||
// Render all string fields in CertificateDef using Go templates and return a new CertificateDef
|
||||
func renderCertificateDefTemplates(def CertificateDef, defaults *CertificateDefaults) CertificateDef {
|
||||
newDef := def
|
||||
// Subject: use def.Subject if set, else defaults.Subject (rendered)
|
||||
if def.Subject != "" {
|
||||
if rendered, err := applyTemplate(def.Subject, def, defaults); err == nil {
|
||||
newDef.Subject = rendered
|
||||
}
|
||||
} else if defaults != nil && defaults.Subject != "" {
|
||||
if rendered, err := applyTemplate(defaults.Subject, def, defaults); err == nil {
|
||||
newDef.Subject = rendered
|
||||
}
|
||||
}
|
||||
// Type: use def.Type if set, else defaults.Type (rendered)
|
||||
if def.Type != "" {
|
||||
if rendered, err := applyTemplate(def.Type, def, defaults); err == nil {
|
||||
newDef.Type = rendered
|
||||
}
|
||||
} else if defaults != nil && defaults.Type != "" {
|
||||
if rendered, err := applyTemplate(defaults.Type, def, defaults); err == nil {
|
||||
newDef.Type = rendered
|
||||
}
|
||||
}
|
||||
// Validity: use def.Validity if set, else defaults.Validity (rendered)
|
||||
if def.Validity != "" {
|
||||
if rendered, err := applyTemplate(def.Validity, def, defaults); err == nil {
|
||||
newDef.Validity = rendered
|
||||
}
|
||||
} else if defaults != nil && defaults.Validity != "" {
|
||||
if rendered, err := applyTemplate(defaults.Validity, def, defaults); err == nil {
|
||||
newDef.Validity = rendered
|
||||
}
|
||||
}
|
||||
// SAN: use def.SAN if set, else defaults.SAN (rendered)
|
||||
if len(def.SAN) > 0 {
|
||||
newSAN := make([]string, len(def.SAN))
|
||||
for i, s := range def.SAN {
|
||||
if rendered, err := applyTemplate(s, def, defaults); err == nil {
|
||||
newSAN[i] = rendered
|
||||
} else {
|
||||
newSAN[i] = s
|
||||
}
|
||||
}
|
||||
newDef.SAN = newSAN
|
||||
} else if defaults != nil && len(defaults.SAN) > 0 {
|
||||
newSAN := make([]string, len(defaults.SAN))
|
||||
for i, s := range defaults.SAN {
|
||||
if rendered, err := applyTemplate(s, def, defaults); err == nil {
|
||||
newSAN[i] = rendered
|
||||
} else {
|
||||
newSAN[i] = s
|
||||
}
|
||||
}
|
||||
newDef.SAN = newSAN
|
||||
}
|
||||
return newDef
|
||||
}
|
||||
|
||||
// Helper: convert optional string to []string or nil
|
||||
func optionalSlice(s string) []string {
|
||||
if s == "" {
|
||||
return nil
|
||||
}
|
||||
return []string{s}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user