Refactor certificate usage for the binaries.

[samribeiro]

• CA.crt -> Certificate Authority certificate (usually a self-signed certificate that signs all the others).
• CA.key -> CA Private key (usually should be kept very secret).
• client.crt/target.crt -> A client or target certificate that was signed by the CA.
• client.key/target.key -> The private key corresponding to the client or target.

Short (oversimplified) summary for how certificates are used to authenticate the client and the target in gRPC

Before Authentication

• The client has: client.crt, client.key, CA.crt
• The target has: target.crt, target.key, CA.crt

During Authentication

• The client sends the client certificate to the target.
• The target sends the target certificate to the client.
• The client uses the CA certificate to validate that the received target certificate is valid.
• The target uses the CA certificate to validate that the received client certificate is valid.
• The client verifyes that the name in the target certificate matches with the expected one.

After Authentication

• The private keys are used for establishing the secure channels.

Current certificate usage for the binaries

The following binaries receive ca.crt, client.crt/target.crt, client.key/target.key: gnmi_get gnmi_set gnmi_target gnoi_reset

However, gnoi_cert, receives ca.crt and ca.key. This is usefull because this client needs to sign and install certificates in the target. In addition, gnoi_cert uses this ca.crt and key to dynamically create a client.crt to connect to the target.

Proposed certificate usage for all binaries

Have all binaries accept one of the two options: 1) ca.crt, client.crt/target.crt, client.key/target.key; or 2) ca.key, ca.crt;

Package these two options in a library under utils where it can be used by all other binaries.

[ericm]

Do we want a flag to represent switching between the 2 options or just use the first one if the cert flag is set

[samribeiro]

if ca.crt, client.crt/target.crt, client.key/target.key are provided, use option 1. if only ca.key and ca.crt are provided, use option 2 (what gnoi cert does). print usage message otherwise.