Feature Request: nebula-cert via script #939

Open
TheBinaryLoop opened this issue Jul 31, 2023 · 4 comments
Labels
NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made.

Comments

@TheBinaryLoop

TheBinaryLoop commented Jul 31, 2023

Hi all, is it possible to change the nebula-cert binary to be completely scriptable without the need for a filesystem? So print the CA to stdout (for example JSON formatted) after creation, and so on?

@johnmaguire
Collaborator

johnmaguire commented Jul 31, 2023

Hi @TheBinaryLoop -

Sometimes /dev/stdin or /dev/stdout can be abused for this purpose. It seems to work for printing certs from stdin, but there are some issues with generating certs, seen below.

❯ nebula-cert print -json -path /dev/stdin
-----BEGIN NEBULA CERTIFICATE-----
CnUKCWpvaG5zLW1icBIKgsihhQyA/v//DyIEaG9tZSIGbGFwdG9wKM7up5kGMJCo
iqYGOiDUf9sISzc1jt0T4M/UT+fAYBhXB6vTzt/ZK/3n8WxTTUogDh9fQpIMTiTB
JJbE0PGZ7L4P/5K9pO2sNS69bC63zoQSQCLzed4Ozt7y2rDR4ZXtC0hl3ao5MNF3
RKUTDs/2n7qLoXEbqo6MrXnI2aslGbtG6F3ORIOLUjKtP7DDo3Ey1w4=
-----END NEBULA CERTIFICATE-----^D
{"details":{"groups":["home","laptop"],"ips":["192.168.100.2/24"],"isCa":false,"issuer":"0e1f5f42920c4e24c12496c4d0f199ecbe0fff92bda4edac352ebd6c2eb7ce84","name":"johns-mbp","notAfter":"2023-07-27T11:58:08-04:00","notBefore":"2022-09-20T13:24:30-04:00","publicKey":"d47fdb084b37358edd13e0cfd44fe7c060185707abd3cedfd92bfde7f16c534d","subnets":[]},"fingerprint":"f54add6f257fc014f064dac2835381b9343e0cecb054b6a64e18ffb432451a69","signature":"22f379de0ecedef2dab0d1e195ed0b4865ddaa3930d17744a5130ecff69fba8ba1711baa8e8cad79c8d9ab2519bb46e85dce44838b5232ad3fb0c3a37132d70e"}
❯ sudo nebula-cert sign -name "foo" -ip "192.168.100.3/24" -out-crt /dev/stdout -out-key /dev/stdout
Error: refusing to overwrite existing cert: /dev/stdout

Could you share a bit more about your use case? As far as programmatic access goes, today we typically recommend importing nebula directly as a Go dependency.

@johnmaguire johnmaguire added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Jul 31, 2023
@TheBinaryLoop
Author

For my specific use case, I need to compile and run the nebula-cert binary in an encapsulated wasm environment where no fs is available. I need to go through the complete setup process (generating CA, signing certs) without ever touching the file system (security related). I know this sounds special, but I think it would be a good addition to be able to use nebula-cert only via the console.

@johnmaguire
Collaborator

@TheBinaryLoop This does sound like a rather specialized use case. It's a bit awkward for a few reasons, including the fact that some of these commands accept multiple file inputs, as well as text on stdin (i.e. encryption passphrase for the CA), output multiple files, and there are some security implications raised by inputting private keys on the command line.

Since you need to compile nebula-cert for this environment anyway, have you considered writing a wrapper Golang program around the nebula library that does what you need?

@johnmaguire johnmaguire changed the title FATURE: nebula-cert via script Feature Request: nebula-cert via script Aug 1, 2023
@johnmaguire johnmaguire added NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. and removed WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. labels Sep 6, 2023
@bbg-code

I had a similar use case where I wanted to work fully in memory with certificates.
My solution was to roll my own cert library:
https://github.com/bbg-code/NebulaNetworkAutomation
