Add new command to generate a new signing certificate for the controller

Signed-off-by: Paul Gaiduk <[email protected]>

cmd/certs.go

@@ -7,6 +7,7 @@ import (
 	"github.com/lf-edge/eden/pkg/defaults"
 	"github.com/lf-edge/eden/pkg/eden"
 	"github.com/lf-edge/eden/pkg/openevec"
+	"github.com/lf-edge/eden/pkg/utils"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 )
@@ -47,3 +48,29 @@ func newCertsCmd(cfg *openevec.EdenSetupArgs) *cobra.Command {
 
 	return certsCmd
 }
+
+func newGenSigningCertCmd() *cobra.Command {
+	var certPath string
+
+	var certsCmd = &cobra.Command{
+		Use:   "gen-signing-cert",
+		Short: "generate new signing certificate for controller",
+		Long:  `Generate a new signing certificate for the controller using the same signing key`,
+		Run: func(cmd *cobra.Command, args []string) {
+			if err := utils.GenServerCertFromPrevCertAndKey(certPath); err != nil {
+				log.Errorf("cannot generate signing cert: %s", err)
+			} else {
+				log.Info("GenServerCertEllipticFromPrevCertAndKey done")
+			}
+		},
+	}
+
+	edenHome, err := utils.DefaultEdenDir()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	certsCmd.Flags().StringVarP(&certPath, "out", "o", filepath.Join(edenHome, defaults.DefaultCertsDist, "signing-new.pem"), "certificate output path")
+
+	return certsCmd
+}

cmd/edenUtils.go

@@ -30,6 +30,7 @@ func newUtilsCmd(configName, verbosity *string) *cobra.Command {
 				newDownloaderCmd(cfg),
 				newOciImageCmd(),
 				newCertsCmd(cfg),
+				newGenSigningCertCmd(),
 				newGcpCmd(cfg),
 				newSdInfoEveCmd(),
 				newDebugCmd(cfg),

pkg/utils/x509.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"net"
 	"os"
+	"path/filepath"
 	"time"
 
 	"crypto/ecdsa"
@@ -106,6 +107,68 @@ func GenServerCertElliptic(cert *x509.Certificate, key *rsa.PrivateKey, serial *
 
 }
 
+// GenServerCertFromPrevCertAndKey generate new signing certificate for the controller using the same signing key and saves it to give path
+func GenServerCertFromPrevCertAndKey(writePath string) error {
+	edenHome, err := DefaultEdenDir()
+	if err != nil {
+		return err
+	}
+
+	// Read root cert
+	rootCert, err := ParseCertificate(filepath.Join(edenHome, defaults.DefaultCertsDist, "root-certificate.pem"))
+	if err != nil {
+		return err
+	}
+
+	// Read root key
+	rootKey, err := ParsePrivateKey(filepath.Join(edenHome, defaults.DefaultCertsDist, "root-certificate-key.pem"))
+	if err != nil {
+		return err
+	}
+
+	// Read server cert
+	oldServerCert, err := ParseCertificate(filepath.Join(edenHome, defaults.DefaultCertsDist, "signing.pem"))
+	if err != nil {
+		return err
+	}
+
+	// Read ecdsa server key
+	serverKeyBytes, err := os.ReadFile(filepath.Join(edenHome, defaults.DefaultCertsDist, "signing-key.pem"))
+	if err != nil {
+		return err
+	}
+	var serverKey *ecdsa.PrivateKey
+	for block, rest := pem.Decode(serverKeyBytes); block != nil; block, rest = pem.Decode(rest) {
+		if block.Type == "EC PRIVATE KEY" {
+			serverKey, err = x509.ParseECPrivateKey(block.Bytes)
+			if err != nil {
+				return err
+			}
+			break
+		}
+	}
+
+	// keep all the same except for dates
+	serverTemplate := *oldServerCert
+	serverTemplate.NotBefore = time.Now().Add(-10 * time.Second)
+	serverTemplate.NotAfter = time.Now().AddDate(10, 0, 0)
+
+	// create new certificate and write it to file
+	serverCert := genCertECDSA(&serverTemplate, rootCert, &serverKey.PublicKey, rootKey)
+	certOut, err := os.Create(writePath)
+	if err != nil {
+		return err
+	}
+	if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: serverCert.Raw}); err != nil {
+		return err
+	}
+	if err := certOut.Close(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
 // WriteToFiles write cert and key
 func WriteToFiles(crt *x509.Certificate, key interface{}, certFile string, keyFile string) (err error) {
 	certOut, err := os.Create(certFile)