add challenge password support for csr

Author: sni

Changes

@@ -6,6 +6,7 @@ next:
          - improve logging of invalid http requests
          - check_logfile: improve detection of required macros
          - add list-combine option
+         - add challenge password support for csr
 
 0.37     Sun Sep  7 11:41:00 CEST 2025
          - update windows exporter to 0.31.3

go.mod

@@ -26,6 +26,7 @@ require (
 	github.com/spf13/cobra v1.10.1
 	github.com/spf13/pflag v1.0.10
 	github.com/stretchr/testify v1.11.1
+	github.com/subuk/csrtool v0.0.0-20250413213651-887255723652
 	github.com/yusufpapurcu/wmi v1.2.4
 	golang.org/x/sys v0.36.0
 	golang.org/x/term v0.35.0

go.sum

@@ -107,6 +107,8 @@ github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/subuk/csrtool v0.0.0-20250413213651-887255723652 h1:ugfwv+gtOibCeWz4jbabkh64vpzfEHeITEG/iFXRn0M=
+github.com/subuk/csrtool v0.0.0-20250413213651-887255723652/go.mod h1:5D8NXQKYH/KRR4+k014+K1J6nxpTxqZAG5ULc2kOiuI=
 github.com/tklauser/go-sysconf v0.3.15 h1:VE89k0criAymJ/Os65CSn1IXaol+1wrsFHEB8Ol49K4=
 github.com/tklauser/go-sysconf v0.3.15/go.mod h1:Dmjwr6tYFIseJw7a3dRLJfsHAMXZ3nEnL/aZY+0IuI4=
 github.com/tklauser/numcpus v0.10.0 h1:18njr6LDBk1zuna922MgdjQuJFjrdppsZG60sHGfjso=

pkg/snclient/listen_web_admin.go

@@ -14,6 +14,7 @@ import (
 	"syscall"
 
 	"github.com/goccy/go-json"
+	"github.com/subuk/csrtool/pkg/csrtool"
 )
 
 func init() {
@@ -54,6 +55,7 @@ type csrRequestJSON struct {
 	Organization       string `json:"Organization"`
 	OrganizationalUnit string `json:"OrganizationalUnit"`
 	KeyLength          int    `json:"KeyLength"`
+	ChallengePassword  string `json:"ChallengePassword"`
 }
 
 type replaceCertData struct {
@@ -226,7 +228,7 @@ func (l *HandlerWebAdmin) serveCertsCSR(res http.ResponseWriter, req *http.Reque
 
 	res.Header().Set("Content-Type", "application/json")
 	res.WriteHeader(http.StatusOK)
-	err = pem.Encode(res, csrPEM)
+	_, err = res.Write(csrPEM)
 	if err != nil {
 		LogError(json.NewEncoder(res).Encode(map[string]interface{}{
 			"success": false,
@@ -237,25 +239,19 @@ func (l *HandlerWebAdmin) serveCertsCSR(res http.ResponseWriter, req *http.Reque
 	}
 }
 
-func (l *HandlerWebAdmin) createCSR(data *csrRequestJSON, privateKey *rsa.PrivateKey) (*pem.Block, error) {
-	csrTemplate := x509.CertificateRequest{
-		Subject: pkix.Name{
-			Country:            []string{data.Country},
-			Province:           []string{data.State},
-			Locality:           []string{data.Locality},
-			Organization:       []string{data.Organization},
-			OrganizationalUnit: []string{data.OrganizationalUnit},
-			CommonName:         data.HostName,
-		},
+func (l *HandlerWebAdmin) createCSR(data *csrRequestJSON, privateKey *rsa.PrivateKey) ([]byte, error) {
+	subject := pkix.Name{
+		Country:            []string{data.Country},
+		Province:           []string{data.State},
+		Locality:           []string{data.Locality},
+		Organization:       []string{data.Organization},
+		OrganizationalUnit: []string{data.OrganizationalUnit},
+		CommonName:         data.HostName,
 	}
-
-	// create certificate signing request
-	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, privateKey)
+	csrPEM, err := csrtool.GenerateCSR(privateKey, subject, []string{}, data.ChallengePassword)
 	if err != nil {
-		return nil, fmt.Errorf("could not create x509 certificate error was: %s", err.Error())
+		return nil, fmt.Errorf("generate csr: %s", err.Error())
 	}
-	// Marshall to pem format
-	csrPEM := &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrDER}
 
 	return csrPEM, nil
 }

t/02_daemon_linux_test.go

@@ -40,7 +40,7 @@ func TestErrorBetweenSavingAndSigning(t *testing.T) {
 	defer os.Remove("test.key")
 	defer os.Remove("test.csr")
 
-	postData, err := json.Marshal(map[string]any{
+	rawPostData := map[string]any{
 		"Country":            "DE",
 		"State":              "Bavaria",
 		"Locality":           "Earth",
@@ -49,7 +49,9 @@ func TestErrorBetweenSavingAndSigning(t *testing.T) {
 		"HostName":           "Root CA SNClient",
 		"NewKey":             true,
 		"KeyLength":          1024,
-	})
+	}
+
+	postData, err := json.Marshal(rawPostData)
 	require.NoErrorf(t, err, "post data json encoded")
 
 	// Create  Temp Server Certs
@@ -115,6 +117,28 @@ func TestErrorBetweenSavingAndSigning(t *testing.T) {
 
 	_, err = os.ReadFile("test.key.tmp")
 	if err == nil {
-		t.Fatalf("tempory key file was not removed")
+		t.Fatalf("temporary key file was not removed")
+	}
+
+	// request csr with challenge password
+	rawPostData["ChallengePassword"] = "test123"
+	postData, err = json.Marshal(rawPostData)
+	require.NoErrorf(t, err, "post data json encoded")
+	commandResult = runCmd(t, &cmd{
+		Cmd:  "curl",
+		Args: []string{"-s", "-u", "user:" + localDaemonAdminPassword, "-k", "-s", "-d", string(postData), baseURL + "/api/v1/admin/csr"},
+		Dir:  ".",
+		Like: []string{"CERTIFICATE REQUEST"},
+	})
+
+	err = os.WriteFile("test.csr", []byte(commandResult.Stdout), 0o600)
+	if err != nil {
+		t.Fatalf("could not save certificate signing requests")
 	}
+
+	runCmd(t, &cmd{
+		Cmd:  "openssl",
+		Args: []string{"req", "-in", "test.csr", "-noout", "-text"},
+		Like: []string{"challengePassword", "test123", "sha256WithRSAEncryption"},
+	})
 }