
hvclient's Introduction

hvclient


Package hvclient provides an interface to the GlobalSign Atlas Certificate Management API.

Installation

go get github.com/globalsign/hvclient

The cmd/hvclient directory contains a command line interface utility.

Quickstart Guide

Basic usage is straightforward:

  1. Create a Client object

  2. Use it to make HVCA API calls.

Creating a Client object requires:

  1. An API key and API secret provided by GlobalSign during account set-up; and

  2. A private key and a certificate to use for mutual TLS authentication with the HVCA server. The private key should be the one associated with the public key that was provided to GlobalSign during account set-up, and the certificate should be the one provided by GlobalSign along with the API key and API secret.

The Client object may be created with either:

  1. A configuration file, useful when the account credentials are located in files; or with

  2. A Config object, useful when the account credentials are obtained programmatically from a secrets vault, from environment variables, or in some other manner.

Configuration file

An example configuration file:

{
    "url": "https://emea.api.hvca.globalsign.com:8443/v2",
    "api_key": "<your_api_key>",
    "api_secret": "<your_api_secret>",
    "cert_file": "testdata/mtls_cert.pem",
    "key_file": "testdata/mtls_private_key.pem",
    "key_passphrase": "strongpassword",
    "insecure_skip_verify": false,
    "extra_headers": {
        "Header-Name-One": "value",
        "Header-Name-Two": "value"
    },
    "timeout": 60
}
  • key_passphrase must be provided if the mTLS private key is an encrypted PEM block as specified in RFC 1423. That format is legacy (its key derivation is weak), and the passphrase then sits in the configuration file in clear text, so the file must be protected as carefully as the key itself; where the credentials live in a secrets vault, build a Config object instead of writing them to disk.
  • insecure_skip_verify controls whether the client verifies the server's certificate chain and host name. If true, any certificate presented by the server and any host name in that certificate is accepted. In this mode, TLS is susceptible to machine-in-the-middle attacks unless custom verification is used. This should be used only for testing.
  • extra_headers are optional additional HTTP headers to include in the requests to the server.
  • timeout specifies a request timeout in seconds.


hvclient's People

Contributors

kingcdavid, mara-soldan, paulgriffiths, robplee, sid-th, toddgaunt, toddgaunt-gs


hvclient's Issues

Set Signature Hash Algo with CLI

There is currently no option to set the signature hash algo from the CLI, i.e.

First generate a private key:
openssl genrsa -out ./private.key 2048

Then use hvclient to create a CSR:

./hvclient -privatekey ./private.key --commonname example.com -csrout csr.pem > csr.pem

We can then try to issue a cert

./hvclient --commonname example.com -dnsnames example.com -csr csr.pem

hvclient: couldn't obtain certificate: 422: signature.hash_algorithm: is required

The account is configured to require signature.hash_algorithm, but that isn't an option that can be set in the CLI.

Either it should allow the client to set it, or have a sensible default.

Unable to get the cert

First generate a private key:
openssl genrsa -out ./private.key 2048

Then use hvclient to create a CSR:
./hvclient -privatekey ./private.key --commonname example.com -csrout csr.pem > csr.pem

Then we can look at the CSR, (this is optional)
openssl req -in csr.pem -text

We can then issue a cert
hvclient -commonname Demo_cert -csr csr.pem | openssl x509 -req -extfile <(printf "subjectAltName=DNS:pki.atlasqa.co.uk") -text -signkey test.key -out certificate.crt

Got the error below:
hvclient: couldn't obtain certificate: 422: san.dns_names: has to have between 1 and 2 items
139781497472320:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: CERTIFICATE REQUEST

Update ValidationPolicy to contain missing fields

It was brought to my attention that the ValidationPolicy structure is missing the subject:serialNumber field. This should be supported in hvclient. Also the hvclient struct should be compared to the HVCA/Atlas API for any other missing fields and accordingly be updated.

Change name?

e.g. to AtlasClient or similar, since HVCA is no longer the official name.

Update integration tests

The current integration tests (which use a live HVCA account) need revision. Currently:

  • They are tied specifically to my personal HVCA demo account. Really we should create one or more HVCA demo accounts specifically for use with testing this client
  • Some of them rely on specific text in HVCA error messages, which is not documented, and has caused test failures when that error text changes. It is probably not necessary to validate the error message text, and the tests ought to be revised to not do that
  • Some of the tests are probably not necessary. For example, the tests for the /stats endpoints validates that we do indeed get some kind of "page size too large" error when we supply a large page size. This was useful during development to confirm everything was working as it should and to confirm my understanding of what HVCA was doing, but realistically this is testing HVCA operation more than it's testing the operation of the client, so it's probably not necessary here.

If we want to be able to run these integration tests from the Github build, we'll need to add the relevant credentials as secrets for this repository.
