summaryrefslogtreecommitdiff
path: root/vendor/k8s.io/client-go/util/cert/cert.go
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/k8s.io/client-go/util/cert/cert.go')
-rw-r--r--vendor/k8s.io/client-go/util/cert/cert.go157
1 files changed, 59 insertions, 98 deletions
diff --git a/vendor/k8s.io/client-go/util/cert/cert.go b/vendor/k8s.io/client-go/util/cert/cert.go
index fb7f5facc..9fd097af5 100644
--- a/vendor/k8s.io/client-go/util/cert/cert.go
+++ b/vendor/k8s.io/client-go/util/cert/cert.go
@@ -18,26 +18,25 @@ package cert
import (
"bytes"
- "crypto/ecdsa"
- "crypto/elliptic"
+ "crypto"
cryptorand "crypto/rand"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
- "errors"
"fmt"
- "math"
+ "io/ioutil"
"math/big"
"net"
+ "path"
+ "strings"
"time"
-)
-const (
- rsaKeySize = 2048
- duration365d = time.Hour * 24 * 365
+ "k8s.io/client-go/util/keyutil"
)
+const duration365d = time.Hour * 24 * 365
+
// Config contains the basic fields required for creating a certificate
type Config struct {
CommonName string
@@ -54,13 +53,8 @@ type AltNames struct {
IPs []net.IP
}
-// NewPrivateKey creates an RSA private key
-func NewPrivateKey() (*rsa.PrivateKey, error) {
- return rsa.GenerateKey(cryptorand.Reader, rsaKeySize)
-}
-
// NewSelfSignedCACert creates a CA certificate
-func NewSelfSignedCACert(cfg Config, key *rsa.PrivateKey) (*x509.Certificate, error) {
+func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
now := time.Now()
tmpl := x509.Certificate{
SerialNumber: new(big.Int).SetInt64(0),
@@ -72,7 +66,7 @@ func NewSelfSignedCACert(cfg Config, key *rsa.PrivateKey) (*x509.Certificate, er
NotAfter: now.Add(duration365d * 10).UTC(),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
- IsCA: true,
+ IsCA: true,
}
certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
@@ -82,62 +76,40 @@ func NewSelfSignedCACert(cfg Config, key *rsa.PrivateKey) (*x509.Certificate, er
return x509.ParseCertificate(certDERBytes)
}
-// NewSignedCert creates a signed certificate using the given CA certificate and key
-func NewSignedCert(cfg Config, key *rsa.PrivateKey, caCert *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, error) {
- serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
- if err != nil {
- return nil, err
- }
- if len(cfg.CommonName) == 0 {
- return nil, errors.New("must specify a CommonName")
- }
- if len(cfg.Usages) == 0 {
- return nil, errors.New("must specify at least one ExtKeyUsage")
- }
-
- certTmpl := x509.Certificate{
- Subject: pkix.Name{
- CommonName: cfg.CommonName,
- Organization: cfg.Organization,
- },
- DNSNames: cfg.AltNames.DNSNames,
- IPAddresses: cfg.AltNames.IPs,
- SerialNumber: serial,
- NotBefore: caCert.NotBefore,
- NotAfter: time.Now().Add(duration365d).UTC(),
- KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
- ExtKeyUsage: cfg.Usages,
- }
- certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
- if err != nil {
- return nil, err
- }
- return x509.ParseCertificate(certDERBytes)
+// GenerateSelfSignedCertKey creates a self-signed certificate and key for the given host.
+// Host may be an IP or a DNS name
+// You may also specify additional subject alt names (either ip or dns names) for the certificate.
+func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS []string) ([]byte, []byte, error) {
+ return GenerateSelfSignedCertKeyWithFixtures(host, alternateIPs, alternateDNS, "")
}
-// MakeEllipticPrivateKeyPEM creates an ECDSA private key
-func MakeEllipticPrivateKeyPEM() ([]byte, error) {
- privateKey, err := ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader)
- if err != nil {
- return nil, err
- }
-
- derBytes, err := x509.MarshalECPrivateKey(privateKey)
- if err != nil {
- return nil, err
+// GenerateSelfSignedCertKeyWithFixtures creates a self-signed certificate and key for the given host.
+// Host may be an IP or a DNS name. You may also specify additional subject alt names (either ip or dns names)
+// for the certificate.
+//
+// If fixtureDirectory is non-empty, it is a directory path which can contain pre-generated certs. The format is:
+// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.crt
+// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.key
+// Certs/keys not existing in that directory are created.
+func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, alternateDNS []string, fixtureDirectory string) ([]byte, []byte, error) {
+ validFrom := time.Now().Add(-time.Hour) // valid an hour earlier to avoid flakes due to clock skew
+ maxAge := time.Hour * 24 * 365 // one year self-signed certs
+
+ baseName := fmt.Sprintf("%s_%s_%s", host, strings.Join(ipsToStrings(alternateIPs), "-"), strings.Join(alternateDNS, "-"))
+ certFixturePath := path.Join(fixtureDirectory, baseName+".crt")
+ keyFixturePath := path.Join(fixtureDirectory, baseName+".key")
+ if len(fixtureDirectory) > 0 {
+ cert, err := ioutil.ReadFile(certFixturePath)
+ if err == nil {
+ key, err := ioutil.ReadFile(keyFixturePath)
+ if err == nil {
+ return cert, key, nil
+ }
+ return nil, nil, fmt.Errorf("cert %s can be read, but key %s cannot: %v", certFixturePath, keyFixturePath, err)
+ }
+ maxAge = 100 * time.Hour * 24 * 365 // 100 years fixtures
}
- privateKeyPemBlock := &pem.Block{
- Type: ECPrivateKeyBlockType,
- Bytes: derBytes,
- }
- return pem.EncodeToMemory(privateKeyPemBlock), nil
-}
-
-// GenerateSelfSignedCertKey creates a self-signed certificate and key for the given host.
-// Host may be an IP or a DNS name
-// You may also specify additional subject alt names (either ip or dns names) for the certificate
-func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS []string) ([]byte, []byte, error) {
caKey, err := rsa.GenerateKey(cryptorand.Reader, 2048)
if err != nil {
return nil, nil, err
@@ -148,12 +120,12 @@ func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS
Subject: pkix.Name{
CommonName: fmt.Sprintf("%s-ca@%d", host, time.Now().Unix()),
},
- NotBefore: time.Now(),
- NotAfter: time.Now().Add(time.Hour * 24 * 365),
+ NotBefore: validFrom,
+ NotAfter: validFrom.Add(maxAge),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
- IsCA: true,
+ IsCA: true,
}
caDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &caTemplate, &caTemplate, &caKey.PublicKey, caKey)
@@ -176,8 +148,8 @@ func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS
Subject: pkix.Name{
CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()),
},
- NotBefore: time.Now(),
- NotAfter: time.Now().Add(time.Hour * 24 * 365),
+ NotBefore: validFrom,
+ NotAfter: validFrom.Add(maxAge),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
@@ -209,37 +181,26 @@ func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS
// Generate key
keyBuffer := bytes.Buffer{}
- if err := pem.Encode(&keyBuffer, &pem.Block{Type: RSAPrivateKeyBlockType, Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil {
+ if err := pem.Encode(&keyBuffer, &pem.Block{Type: keyutil.RSAPrivateKeyBlockType, Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil {
return nil, nil, err
}
+ if len(fixtureDirectory) > 0 {
+ if err := ioutil.WriteFile(certFixturePath, certBuffer.Bytes(), 0644); err != nil {
+ return nil, nil, fmt.Errorf("failed to write cert fixture to %s: %v", certFixturePath, err)
+ }
+ if err := ioutil.WriteFile(keyFixturePath, keyBuffer.Bytes(), 0644); err != nil {
+ return nil, nil, fmt.Errorf("failed to write key fixture to %s: %v", certFixturePath, err)
+ }
+ }
+
return certBuffer.Bytes(), keyBuffer.Bytes(), nil
}
-// FormatBytesCert receives byte array certificate and formats in human-readable format
-func FormatBytesCert(cert []byte) (string, error) {
- block, _ := pem.Decode(cert)
- c, err := x509.ParseCertificate(block.Bytes)
- if err != nil {
- return "", fmt.Errorf("failed to parse certificate [%v]", err)
+func ipsToStrings(ips []net.IP) []string {
+ ss := make([]string, 0, len(ips))
+ for _, ip := range ips {
+ ss = append(ss, ip.String())
}
- return FormatCert(c), nil
-}
-
-// FormatCert receives certificate and formats in human-readable format
-func FormatCert(c *x509.Certificate) string {
- var ips []string
- for _, ip := range c.IPAddresses {
- ips = append(ips, ip.String())
- }
- altNames := append(ips, c.DNSNames...)
- res := fmt.Sprintf(
- "Issuer: CN=%s | Subject: CN=%s | CA: %t\n",
- c.Issuer.CommonName, c.Subject.CommonName, c.IsCA,
- )
- res += fmt.Sprintf("Not before: %s Not After: %s", c.NotBefore, c.NotAfter)
- if len(altNames) > 0 {
- res += fmt.Sprintf("\nAlternate Names: %v", altNames)
- }
- return res
+ return ss
}