authorMatt Holt <mholt@users.noreply.github.com>2020-03-13 11:06:08 -0600
committerGitHub <noreply@github.com>2020-03-13 11:06:08 -0600
commit5a19db5dc2db7c02d0f99630a07a64cacb7f7b44 (patch)
treed820ee2920d97d7cf2faf0fd9541156e20c88d60 /modules/caddypki/command.go
parentcfe85a9fe625fea55dc4f809fd91b5c061064508 (diff)
v2: Implement 'pki' app powered by Smallstep for localhost certificates (#3125)
* pki: Initial commit of PKI app (WIP) (see #2502 and #3021) * pki: Ability to use root/intermediates, and sign with root * pki: Fix benign misnamings left over from copy+paste * pki: Only install root if not already trusted * Make HTTPS port the default; all names use auto-HTTPS; bug fixes * Fix build - what happened to our CI tests?? * Fix go.mod
Diffstat (limited to 'modules/caddypki/command.go')
-rw-r--r--modules/caddypki/command.go89
1 files changed, 89 insertions, 0 deletions
diff --git a/modules/caddypki/command.go b/modules/caddypki/command.go
new file mode 100644
index 0000000..9276fcb
--- /dev/null
+++ b/modules/caddypki/command.go
@@ -0,0 +1,89 @@
+// Copyright 2015 Matthew Holt and The Caddy Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package caddypki
+
+import (
+ "flag"
+ "fmt"
+ "os"
+ "path/filepath"
+
+ "github.com/caddyserver/caddy/v2"
+ caddycmd "github.com/caddyserver/caddy/v2/cmd"
+ "github.com/smallstep/truststore"
+)
+
+func init() {
+ caddycmd.RegisterCommand(caddycmd.Command{
+ Name: "untrust",
+ Func: cmdUntrust,
+ Usage: "[--ca <id> | --cert <path>]",
+ Short: "Untrusts a locally-trusted CA certificate",
+ Long: `
+Untrusts a root certificate from the local trust store(s). Intended
+for development environments only.
+
+This command uninstalls trust; it does not necessarily delete the
+root certificate from trust stores entirely. Thus, repeatedly
+trusting and untrusting new certificates can fill up trust databases.
+
+This command does not delete or modify certificate files.
+
+Specify which certificate to untrust either by the ID of its CA with
+the --ca flag, or the direct path to the certificate file with the
+--cert flag. If the --ca flag is used, only the default storage paths
+are assumed (i.e. using --ca flag with custom storage backends or file
+paths will not work).
+
+If no flags are specified, --ca=local is assumed.`,
+ Flags: func() *flag.FlagSet {
+ fs := flag.NewFlagSet("untrust", flag.ExitOnError)
+ fs.String("ca", "", "The ID of the CA to untrust")
+ fs.String("cert", "", "The path to the CA certificate to untrust")
+ return fs
+ }(),
+ })
+}
+
+func cmdUntrust(fs caddycmd.Flags) (int, error) {
+ ca := fs.String("ca")
+ cert := fs.String("cert")
+
+ if ca != "" && cert != "" {
+ return caddy.ExitCodeFailedStartup, fmt.Errorf("conflicting command line arguments")
+ }
+ if ca == "" && cert == "" {
+ ca = defaultCAID
+ }
+ if ca != "" {
+ cert = filepath.Join(caddy.AppDataDir(), "pki", "authorities", ca, "root.crt")
+ }
+
+ // sanity check, make sure cert file exists first
+ _, err := os.Stat(cert)
+ if err != nil {
+ return caddy.ExitCodeFailedStartup, fmt.Errorf("accessing certificate file: %v", err)
+ }
+
+ err = truststore.UninstallFile(cert,
+ truststore.WithDebug(),
+ truststore.WithFirefox(),
+ truststore.WithJava())
+ if err != nil {
+ return caddy.ExitCodeFailedStartup, err
+ }
+
+ return caddy.ExitCodeSuccess, nil
+}
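Review bot: The `os.Stat` failure in cmdUntrust is wrapped with `%v`, which discards the underlying error from `errors.Is`/`errors.As` checks by the caller; use `fmt.Errorf("accessing certificate file: %w", err)` instead. The conflicting-flags error a few lines above is an `fmt.Errorf` with no format verbs and does not say which flags conflict; `errors.New("--ca and --cert are mutually exclusive")` would read better on the command line. The `--ca` value is joined straight into the authorities path, and `filepath.Join` cleans the result, so an ID containing a separator or `..` resolves to a root.crt outside `pki/authorities`; since the command goes on to uninstall whatever file sits at that path, it would be safer to reject anything that is not a single path component, e.g. `if ca != filepath.Base(ca) || ca == "." || ca == ".." { return caddy.ExitCodeFailedStartup, fmt.Errorf("invalid CA ID: %q", ca) }`. `defaultCAID` appears to be defined elsewhere in the package, so its value cannot be checked here.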