author | Valentin Rothberg <rothberg@redhat.com> | 2019-01-08 14:52:57 +0100 |
---|---|---|
committer | Valentin Rothberg <rothberg@redhat.com> | 2019-01-11 13:38:11 +0100 |
commit | bd40dcfc2bc7c9014ea1f33482fb63aacbcdfe87 (patch) | |
tree | 5f06e4e289f16d9164d692590a3fe6541b5384cf /vendor/k8s.io/client-go/util/cert | |
parent | 545f24421247c9f6251a634764db3f8f8070a812 (diff) | |
download | podman-bd40dcfc2bc7c9014ea1f33482fb63aacbcdfe87.tar.gz podman-bd40dcfc2bc7c9014ea1f33482fb63aacbcdfe87.tar.bz2 podman-bd40dcfc2bc7c9014ea1f33482fb63aacbcdfe87.zip |
vendor: update everything
* If possible, update each dependency to the latest available version.
* Use releases over commit IDs and avoid vendoring branches.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Diffstat (limited to 'vendor/k8s.io/client-go/util/cert')
-rw-r--r-- | vendor/k8s.io/client-go/util/cert/cert.go | 40 |
1 files changed, 35 insertions, 5 deletions
diff --git a/vendor/k8s.io/client-go/util/cert/cert.go b/vendor/k8s.io/client-go/util/cert/cert.go
index 2c95754c1..fb7f5facc 100644
--- a/vendor/k8s.io/client-go/util/cert/cert.go
+++ b/vendor/k8s.io/client-go/util/cert/cert.go
@@ -138,23 +138,50 @@ func MakeEllipticPrivateKeyPEM() ([]byte, error) {
 // Host may be an IP or a DNS name
 // You may also specify additional subject alt names (either ip or dns names) for the certificate
 func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS []string) ([]byte, []byte, error) {
+ caKey, err := rsa.GenerateKey(cryptorand.Reader, 2048)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ caTemplate := x509.Certificate{
+ SerialNumber: big.NewInt(1),
+ Subject: pkix.Name{
+ CommonName: fmt.Sprintf("%s-ca@%d", host, time.Now().Unix()),
+ },
+ NotBefore: time.Now(),
+ NotAfter: time.Now().Add(time.Hour * 24 * 365),
+
+ KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+ BasicConstraintsValid: true,
+ IsCA: true,
+ }
+
+ caDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &caTemplate, &caTemplate, &caKey.PublicKey, caKey)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ caCertificate, err := x509.ParseCertificate(caDERBytes)
+ if err != nil {
+ return nil, nil, err
+ }
+
 priv, err := rsa.GenerateKey(cryptorand.Reader, 2048)
 if err != nil {
 return nil, nil, err
 }
 
 template := x509.Certificate{
- SerialNumber: big.NewInt(1),
+ SerialNumber: big.NewInt(2),
 Subject: pkix.Name{
 CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()),
 },
 NotBefore: time.Now(),
 NotAfter: time.Now().Add(time.Hour * 24 * 365),
 
- KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+ KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 BasicConstraintsValid: true,
- IsCA: true,
 }
 
 if ip := net.ParseIP(host); ip != nil {
@@ -166,16 +193,19 @@ func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS
 template.IPAddresses = append(template.IPAddresses, alternateIPs...)
 template.DNSNames = append(template.DNSNames, alternateDNS...)
 
- derBytes, err := x509.CreateCertificate(cryptorand.Reader, &template, &template, &priv.PublicKey, priv)
+ derBytes, err := x509.CreateCertificate(cryptorand.Reader, &template, caCertificate, &priv.PublicKey, caKey)
 if err != nil {
 return nil, nil, err
 }
 
- // Generate cert
+ // Generate cert, followed by ca
 certBuffer := bytes.Buffer{}
 if err := pem.Encode(&certBuffer, &pem.Block{Type: CertificateBlockType, Bytes: derBytes}); err != nil {
 return nil, nil, err
 }
+ if err := pem.Encode(&certBuffer, &pem.Block{Type: CertificateBlockType, Bytes: caDERBytes}); err != nil {
+ return nil, nil, err
+ }
 
 // Generate key
 keyBuffer := bytes.Buffer{}