feature: support ec/refactor cmd

Signed-off-by: xiexianbin <me@xiexianbin.cn>

Author: xiexianbin

.gitignore

@@ -14,8 +14,9 @@
 # Dependency directories (remove the comment below to include it)
 # vendor/
 .DS_Store
-bin/
 .history/
 .idea/
 .lh/
+bin/
+vendor
 x-ca

Makefile

@@ -69,40 +69,40 @@ clean: ## Run clean bin files
 
 .PHONY: build
 build:  ## Build for current os
-	${SUB_BUILD_CMD} -o bin/$(BINARY_NAME)
+	${SUB_BUILD_CMD} -o bin/$(BINARY_NAME) ./cmd/...
 
 .PHONY: linux-amd64
 linux-amd64:  ## Build linux amd64
-	CGO_ENABLED=0 ${GOARGS} ${SUB_BUILD_CMD} -o bin/${BINARY_NAME}-$@
+	CGO_ENABLED=0 ${GOARGS} ${SUB_BUILD_CMD} -o bin/${BINARY_NAME}-$@ ./cmd/...
 
 .PHONY: linux-arm64
 linux-arm64:  ## Build linux arm64
-	CGO_ENABLED=0 ${GOARGS} ${SUB_BUILD_CMD} -o bin/${BINARY_NAME}-$@
+	CGO_ENABLED=0 ${GOARGS} ${SUB_BUILD_CMD} -o bin/${BINARY_NAME}-$@ ./cmd/...
 
 .PHONY: linux-ppc64le
 linux-ppc64le:  ## Build linux ppc64le
-	CGO_ENABLED=0 ${GOARGS} ${SUB_BUILD_CMD} -o bin/${BINARY_NAME}-$@
+	CGO_ENABLED=0 ${GOARGS} ${SUB_BUILD_CMD} -o bin/${BINARY_NAME}-$@ ./cmd/...
 
 .PHONY: linux-s390x
 linux-s390x:  ## Build linux s390x
-	CGO_ENABLED=0 ${GOARGS} ${SUB_BUILD_CMD} -o bin/${BINARY_NAME}-$@
+	CGO_ENABLED=0 ${GOARGS} ${SUB_BUILD_CMD} -o bin/${BINARY_NAME}-$@ ./cmd/...
 
 .PHONY: darwin-amd64
 darwin-amd64:  ## Build darwin amd64
-	CGO_ENABLED=0 ${GOARGS} ${SUB_BUILD_CMD} -o bin/${BINARY_NAME}-$@
+	CGO_ENABLED=0 ${GOARGS} ${SUB_BUILD_CMD} -o bin/${BINARY_NAME}-$@ ./cmd/...
 
 .PHONY: darwin-arm64
 darwin-arm64:  ## Build darwin arm64
-	CGO_ENABLED=0 ${GOARGS} ${SUB_BUILD_CMD} -o bin/${BINARY_NAME}-$@
+	CGO_ENABLED=0 ${GOARGS} ${SUB_BUILD_CMD} -o bin/${BINARY_NAME}-$@ ./cmd/...
 
 .PHONY: windows-amd64
 windows-amd64:  ## Build windows amd64
-	CGO_ENABLED=0 ${GOARGS} ${SUB_BUILD_CMD} -o bin/${BINARY_NAME}-$@.exe
+	CGO_ENABLED=0 ${GOARGS} ${SUB_BUILD_CMD} -o bin/${BINARY_NAME}-$@.exe ./cmd/...
 
-.PHONY: docker-build
-docker-build: test  ## Build docker image
-	docker build -t ${IMG} .
+# .PHONY: docker-build
+# docker-build: test  ## Build docker image
+# 	docker build -t ${IMG} .
 
-.PHONY: docker-push
-docker-push:  ## Push docker image
-	docker push ${IMG}
+# .PHONY: docker-push
+# docker-push:  ## Push docker image
+# 	docker push ${IMG}

README.md

@@ -21,7 +21,7 @@ mv xca /usr/local/bin/
 ```
 $ xca --help
 Create Root CA and TLS CA:
-xca -create-ca true \
+xca -create-ca \
   -root-cert x-ca/ca/root-ca.crt \
   -root-key x-ca/ca/root-ca/private/root-ca.key \
   -tls-cert x-ca/ca/tls-ca.crt \
@@ -67,10 +67,37 @@ Source Code:
 
 ## Usage Demo
 
-- create ca
+### create EC CA
+
+You can specify the key type (`-key-type`) and curve (`-curve`) to create an EC root CA and TLS CA:
+
+```
+./xca -create-ca \
+  -root-cert x-ca/ca/root-ca.crt \
+  -root-key x-ca/ca/root-ca/private/root-ca.key \
+  -tls-cert x-ca/ca/tls-ca.crt \
+  -tls-key x-ca/ca/tls-ca/private/tls-ca.key \
+  -tls-chain x-ca/ca/tls-ca-chain.pem \
+  -key-type ec \
+  -curve P256
+```
+
+To sign a certificate with an EC key:
+
+```
+./xca -cn example.com \
+  --domains "example.com" \
+  -tls-cert x-ca/ca/tls-ca.crt \
+  -tls-key x-ca/ca/tls-ca/private/tls-ca.key \
+  -tls-chain x-ca/ca/tls-ca-chain.pem \
+  -key-type ec \
+  -curve P256
+```
+
+### create RSA CA
 
 ```
-xca -create-ca true \
+xca -create-ca \
   -root-cert x-ca/ca/root-ca.crt \
   -root-key x-ca/ca/root-ca/private/root-ca.key \
   -tls-cert x-ca/ca/tls-ca.crt \
@@ -117,3 +144,35 @@ Use `openssl rsa -in root-ca.key -des3` change cipher
 ## Ref
 
 - [基于OpenSSL签署根CA、二级CA](https://www.xiexianbin.cn/s/ca/)
+
+```
+go.mod - Added cobra dependency
+ca/baseca.go - Common CA functionality
+ca/common.go - Shared utilities
+cmd/create.go - create-ca command
+cmd/sign.go - sign command
+cmd/root.go - root cobra command
+cmd/xca.go - main entry point (refactored)
+```
+
+## Usage Examples
+
+```
+
+go build -o bin/xca ./cmd/...
+
+# Create CA certificates
+xca create-ca --key-type ec --curve P256
+
+# Sign domain certificate
+xca sign example.com --domains "example.com,www.example.com"
+
+# Sign IP certificate
+xca sign 192.168.1.1 --ips "192.168.1.1"
+
+# Get help
+xca --help
+xca create-ca --help
+xca sign --help
+
+```

ca/base.go

@@ -13,9 +13,180 @@ limitations under the License.
 
 package ca
 
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"os"
+	"path"
+	"strings"
+)
+
 type CA interface {
-	CreateKey() error
+	GenerateKey() error
 	CreateCert() error
 	Write(keyPath, certPath, chainPath string) error
-	//Load(keyPath, certPath string) (interface{}, error)
+	//Load(keyPath, certPath string) (any, error)
+}
+
+// BaseCA represents common functionality for all CA types
+type BaseCA struct {
+	Key     any // *rsa.PrivateKey or *ecdsa.PrivateKey
+	Cert    *x509.Certificate
+	KeyBits int
+	Curve   string
+}
+
+// GenerateKey generates a new private key based on key type
+func (b *BaseCA) GenerateKey(keyType string) error {
+	switch strings.ToLower(keyType) {
+	case "ec", "ecdsa":
+		var curve elliptic.Curve
+		switch b.Curve {
+		case "P224":
+			curve = elliptic.P224()
+		case "P256":
+			curve = elliptic.P256()
+		case "P384":
+			curve = elliptic.P384()
+		case "P521":
+			curve = elliptic.P521()
+		default:
+			return fmt.Errorf("unsupported curve %s", b.Curve)
+		}
+		key, err := ecdsa.GenerateKey(curve, rand.Reader)
+		if err != nil {
+			return err
+		}
+		b.Key = key
+	case "rsa":
+		key, err := rsa.GenerateKey(rand.Reader, b.KeyBits)
+		if err != nil {
+			return err
+		}
+		b.Key = key
+	default:
+		return fmt.Errorf("unsupported key type %s", keyType)
+	}
+	return nil
+}
+
+// GetPublicKey extracts the public key from the private key
+func (b *BaseCA) GetPublicKey() (any, error) {
+	switch k := b.Key.(type) {
+	case *rsa.PrivateKey:
+		return k.Public(), nil
+	case *ecdsa.PrivateKey:
+		return k.Public(), nil
+	default:
+		return nil, fmt.Errorf("unsupported key type")
+	}
+}
+
+// WriteKey writes the private key to a PEM file
+func (b *BaseCA) WriteKey(keyPath string) error {
+	// Create directory if it doesn't exist
+	err := os.MkdirAll(path.Dir(keyPath), 0700)
+	if err != nil && !os.IsExist(err) {
+		return err
+	}
+
+	keyFile, err := os.OpenFile(keyPath, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0600)
+	if err != nil {
+		return err
+	}
+	defer keyFile.Close()
+
+	var keyType string
+	var keyBytes []byte
+	switch k := b.Key.(type) {
+	case *rsa.PrivateKey:
+		keyType = "RSA PRIVATE KEY"
+		keyBytes = x509.MarshalPKCS1PrivateKey(k)
+	case *ecdsa.PrivateKey:
+		keyType = "EC PRIVATE KEY"
+		var err error
+		keyBytes, err = x509.MarshalECPrivateKey(k)
+		if err != nil {
+			return err
+		}
+	default:
+		return fmt.Errorf("unsupported key type")
+	}
+
+	return pem.Encode(keyFile, &pem.Block{
+		Type:  keyType,
+		Bytes: keyBytes,
+	})
+}
+
+// WriteCert writes the certificate to a PEM file
+func (b *BaseCA) WriteCert(certPath string) error {
+	// Create directory if it doesn't exist
+	err := os.MkdirAll(path.Dir(certPath), 0700)
+	if err != nil && !os.IsExist(err) {
+		return err
+	}
+
+	certFile, err := os.OpenFile(certPath, os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0600)
+	if err != nil {
+		return err
+	}
+	defer certFile.Close()
+
+	return pem.Encode(certFile, &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: b.Cert.Raw,
+	})
+}
+
+// LoadKey loads a private key from a PEM file
+func (b *BaseCA) LoadKey(keyPath string) error {
+	keyBytes, err := os.ReadFile(keyPath)
+	if err != nil {
+		return err
+	}
+
+	keyBlock, _ := pem.Decode(keyBytes)
+	if keyBlock == nil {
+		return fmt.Errorf("decode key is nil")
+	}
+
+	// Check if encrypted
+	isEncrypted := len(keyBlock.Headers) > 0 && keyBlock.Headers["Proc-Type"] == "4,ENCRYPTED"
+	if isEncrypted {
+		return fmt.Errorf("encrypted PEM blocks are not supported - please decrypt your key first, using: openssl rsa -in encrypted.key -out decrypted.key")
+	}
+
+	switch keyBlock.Type {
+	case "RSA PRIVATE KEY":
+		b.Key, err = x509.ParsePKCS1PrivateKey(keyBlock.Bytes)
+	case "EC PRIVATE KEY":
+		b.Key, err = x509.ParseECPrivateKey(keyBlock.Bytes)
+	default:
+		return fmt.Errorf("unsupported PEM type %s", keyBlock.Type)
+	}
+	return err
+}
+
+// LoadCert loads a certificate from a PEM file
+func (b *BaseCA) LoadCert(certPath string) error {
+	certBytes, err := os.ReadFile(certPath)
+	if err != nil {
+		return err
+	}
+
+	certBlock, _ := pem.Decode(certBytes)
+	if certBlock == nil {
+		return fmt.Errorf("decode cert is nil")
+	} else if certBlock.Type != "CERTIFICATE" {
+		return fmt.Errorf("unsupported PEM type %s", certBlock.Type)
+	}
+
+	b.Cert, err = x509.ParseCertificate(certBlock.Bytes)
+	return err
 }