Diffstat (limited to 'vendor/k8s.io/client-go/util/cert')
-rw-r--r-- | vendor/k8s.io/client-go/util/cert/OWNERS | 9 | ||||
-rw-r--r-- | vendor/k8s.io/client-go/util/cert/cert.go | 206 | ||||
-rw-r--r-- | vendor/k8s.io/client-go/util/cert/csr.go | 75 | ||||
-rw-r--r-- | vendor/k8s.io/client-go/util/cert/io.go | 98 | ||||
-rw-r--r-- | vendor/k8s.io/client-go/util/cert/pem.go | 61 |
5 files changed, 0 insertions, 449 deletions
diff --git a/vendor/k8s.io/client-go/util/cert/OWNERS b/vendor/k8s.io/client-go/util/cert/OWNERS
deleted file mode 100644
index 3cf036438..000000000
--- a/vendor/k8s.io/client-go/util/cert/OWNERS
+++ /dev/null
@@ -1,9 +0,0 @@
-# See the OWNERS docs at https://go.k8s.io/owners
-
-approvers:
-- sig-auth-certificates-approvers
-reviewers:
-- sig-auth-certificates-reviewers
-labels:
-- sig/auth
-
diff --git a/vendor/k8s.io/client-go/util/cert/cert.go b/vendor/k8s.io/client-go/util/cert/cert.go
deleted file mode 100644
index 9fd097af5..000000000
--- a/vendor/k8s.io/client-go/util/cert/cert.go
+++ /dev/null
@@ -1,206 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package cert
-
-import (
- "bytes"
- "crypto"
- cryptorand "crypto/rand"
- "crypto/rsa"
- "crypto/x509"
- "crypto/x509/pkix"
- "encoding/pem"
- "fmt"
- "io/ioutil"
- "math/big"
- "net"
- "path"
- "strings"
- "time"
-
- "k8s.io/client-go/util/keyutil"
-)
-
-const duration365d = time.Hour * 24 * 365
-
-// Config contains the basic fields required for creating a certificate
-type Config struct {
- CommonName string
- Organization []string
- AltNames AltNames
- Usages []x509.ExtKeyUsage
-}
-
-// AltNames contains the domain names and IP addresses that will be added
-// to the API Server's x509 certificate SubAltNames field. The values will
-// be passed directly to the x509.Certificate object.
-type AltNames struct {
- DNSNames []string
- IPs []net.IP
-}
-
-// NewSelfSignedCACert creates a CA certificate
-func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
- now := time.Now()
- tmpl := x509.Certificate{
- SerialNumber: new(big.Int).SetInt64(0),
- Subject: pkix.Name{
- CommonName: cfg.CommonName,
- Organization: cfg.Organization,
- },
- NotBefore: now.UTC(),
- NotAfter: now.Add(duration365d * 10).UTC(),
- KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
- BasicConstraintsValid: true,
- IsCA: true,
- }
-
- certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
- if err != nil {
- return nil, err
- }
- return x509.ParseCertificate(certDERBytes)
-}
-
-// GenerateSelfSignedCertKey creates a self-signed certificate and key for the given host.
-// Host may be an IP or a DNS name
-// You may also specify additional subject alt names (either ip or dns names) for the certificate.
-func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS []string) ([]byte, []byte, error) {
- return GenerateSelfSignedCertKeyWithFixtures(host, alternateIPs, alternateDNS, "")
-}
-
-// GenerateSelfSignedCertKeyWithFixtures creates a self-signed certificate and key for the given host.
-// Host may be an IP or a DNS name. You may also specify additional subject alt names (either ip or dns names)
-// for the certificate.
-//
-// If fixtureDirectory is non-empty, it is a directory path which can contain pre-generated certs. The format is:
-// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.crt
-// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.key
-// Certs/keys not existing in that directory are created.
-func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, alternateDNS []string, fixtureDirectory string) ([]byte, []byte, error) {
- validFrom := time.Now().Add(-time.Hour) // valid an hour earlier to avoid flakes due to clock skew
- maxAge := time.Hour * 24 * 365 // one year self-signed certs
-
- baseName := fmt.Sprintf("%s_%s_%s", host, strings.Join(ipsToStrings(alternateIPs), "-"), strings.Join(alternateDNS, "-"))
- certFixturePath := path.Join(fixtureDirectory, baseName+".crt")
- keyFixturePath := path.Join(fixtureDirectory, baseName+".key")
- if len(fixtureDirectory) > 0 {
- cert, err := ioutil.ReadFile(certFixturePath)
- if err == nil {
- key, err := ioutil.ReadFile(keyFixturePath)
- if err == nil {
- return cert, key, nil
- }
- return nil, nil, fmt.Errorf("cert %s can be read, but key %s cannot: %v", certFixturePath, keyFixturePath, err)
- }
- maxAge = 100 * time.Hour * 24 * 365 // 100 years fixtures
- }
-
- caKey, err := rsa.GenerateKey(cryptorand.Reader, 2048)
- if err != nil {
- return nil, nil, err
- }
-
- caTemplate := x509.Certificate{
- SerialNumber: big.NewInt(1),
- Subject: pkix.Name{
- CommonName: fmt.Sprintf("%s-ca@%d", host, time.Now().Unix()),
- },
- NotBefore: validFrom,
- NotAfter: validFrom.Add(maxAge),
-
- KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
- BasicConstraintsValid: true,
- IsCA: true,
- }
-
- caDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &caTemplate, &caTemplate, &caKey.PublicKey, caKey)
- if err != nil {
- return nil, nil, err
- }
-
- caCertificate, err := x509.ParseCertificate(caDERBytes)
- if err != nil {
- return nil, nil, err
- }
-
- priv, err := rsa.GenerateKey(cryptorand.Reader, 2048)
- if err != nil {
- return nil, nil, err
- }
-
- template := x509.Certificate{
- SerialNumber: big.NewInt(2),
- Subject: pkix.Name{
- CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()),
- },
- NotBefore: validFrom,
- NotAfter: validFrom.Add(maxAge),
-
- KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
- ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
- BasicConstraintsValid: true,
- }
-
- if ip := net.ParseIP(host); ip != nil {
- template.IPAddresses = append(template.IPAddresses, ip)
- } else {
- template.DNSNames = append(template.DNSNames, host)
- }
-
- template.IPAddresses = append(template.IPAddresses, alternateIPs...)
- template.DNSNames = append(template.DNSNames, alternateDNS...)
-
- derBytes, err := x509.CreateCertificate(cryptorand.Reader, &template, caCertificate, &priv.PublicKey, caKey)
- if err != nil {
- return nil, nil, err
- }
-
- // Generate cert, followed by ca
- certBuffer := bytes.Buffer{}
- if err := pem.Encode(&certBuffer, &pem.Block{Type: CertificateBlockType, Bytes: derBytes}); err != nil {
- return nil, nil, err
- }
- if err := pem.Encode(&certBuffer, &pem.Block{Type: CertificateBlockType, Bytes: caDERBytes}); err != nil {
- return nil, nil, err
- }
-
- // Generate key
- keyBuffer := bytes.Buffer{}
- if err := pem.Encode(&keyBuffer, &pem.Block{Type: keyutil.RSAPrivateKeyBlockType, Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil {
- return nil, nil, err
- }
-
- if len(fixtureDirectory) > 0 {
- if err := ioutil.WriteFile(certFixturePath, certBuffer.Bytes(), 0644); err != nil {
- return nil, nil, fmt.Errorf("failed to write cert fixture to %s: %v", certFixturePath, err)
- }
- if err := ioutil.WriteFile(keyFixturePath, keyBuffer.Bytes(), 0644); err != nil {
- return nil, nil, fmt.Errorf("failed to write key fixture to %s: %v", certFixturePath, err)
- }
- }
-
- return certBuffer.Bytes(), keyBuffer.Bytes(), nil
-}
-
-func ipsToStrings(ips []net.IP) []string {
- ss := make([]string, 0, len(ips))
- for _, ip := range ips {
- ss = append(ss, ip.String())
- }
- return ss
-}
diff --git a/vendor/k8s.io/client-go/util/cert/csr.go b/vendor/k8s.io/client-go/util/cert/csr.go
deleted file mode 100644
index 39a6751f7..000000000
--- a/vendor/k8s.io/client-go/util/cert/csr.go
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package cert
-
-import (
- cryptorand "crypto/rand"
- "crypto/rsa"
- "crypto/x509"
- "crypto/x509/pkix"
- "encoding/pem"
- "net"
-)
-
-// MakeCSR generates a PEM-encoded CSR using the supplied private key, subject, and SANs.
-// All key types that are implemented via crypto.Signer are supported (This includes *rsa.PrivateKey and *ecdsa.PrivateKey.)
-func MakeCSR(privateKey interface{}, subject *pkix.Name, dnsSANs []string, ipSANs []net.IP) (csr []byte, err error) {
- template := &x509.CertificateRequest{
- Subject: *subject,
- DNSNames: dnsSANs,
- IPAddresses: ipSANs,
- }
-
- return MakeCSRFromTemplate(privateKey, template)
-}
-
-// MakeCSRFromTemplate generates a PEM-encoded CSR using the supplied private
-// key and certificate request as a template. All key types that are
-// implemented via crypto.Signer are supported (This includes *rsa.PrivateKey
-// and *ecdsa.PrivateKey.)
-func MakeCSRFromTemplate(privateKey interface{}, template *x509.CertificateRequest) ([]byte, error) {
- t := *template
- t.SignatureAlgorithm = sigType(privateKey)
-
- csrDER, err := x509.CreateCertificateRequest(cryptorand.Reader, &t, privateKey)
- if err != nil {
- return nil, err
- }
-
- csrPemBlock := &pem.Block{
- Type: CertificateRequestBlockType,
- Bytes: csrDER,
- }
-
- return pem.EncodeToMemory(csrPemBlock), nil
-}
-
-func sigType(privateKey interface{}) x509.SignatureAlgorithm {
- // Customize the signature for RSA keys, depending on the key size
- if privateKey, ok := privateKey.(*rsa.PrivateKey); ok {
- keySize := privateKey.N.BitLen()
- switch {
- case keySize >= 4096:
- return x509.SHA512WithRSA
- case keySize >= 3072:
- return x509.SHA384WithRSA
- default:
- return x509.SHA256WithRSA
- }
- }
- return x509.UnknownSignatureAlgorithm
-}
diff --git a/vendor/k8s.io/client-go/util/cert/io.go b/vendor/k8s.io/client-go/util/cert/io.go
deleted file mode 100644
index 5efb24894..000000000
--- a/vendor/k8s.io/client-go/util/cert/io.go
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package cert
-
-import (
- "crypto/x509"
- "fmt"
- "io/ioutil"
- "os"
- "path/filepath"
-)
-
-// CanReadCertAndKey returns true if the certificate and key files already exists,
-// otherwise returns false. If lost one of cert and key, returns error.
-func CanReadCertAndKey(certPath, keyPath string) (bool, error) {
- certReadable := canReadFile(certPath)
- keyReadable := canReadFile(keyPath)
-
- if certReadable == false && keyReadable == false {
- return false, nil
- }
-
- if certReadable == false {
- return false, fmt.Errorf("error reading %s, certificate and key must be supplied as a pair", certPath)
- }
-
- if keyReadable == false {
- return false, fmt.Errorf("error reading %s, certificate and key must be supplied as a pair", keyPath)
- }
-
- return true, nil
-}
-
-// If the file represented by path exists and
-// readable, returns true otherwise returns false.
-func canReadFile(path string) bool {
- f, err := os.Open(path)
- if err != nil {
- return false
- }
-
- defer f.Close()
-
- return true
-}
-
-// WriteCert writes the pem-encoded certificate data to certPath.
-// The certificate file will be created with file mode 0644.
-// If the certificate file already exists, it will be overwritten.
-// The parent directory of the certPath will be created as needed with file mode 0755.
-func WriteCert(certPath string, data []byte) error {
- if err := os.MkdirAll(filepath.Dir(certPath), os.FileMode(0755)); err != nil {
- return err
- }
- return ioutil.WriteFile(certPath, data, os.FileMode(0644))
-}
-
-// NewPool returns an x509.CertPool containing the certificates in the given PEM-encoded file.
-// Returns an error if the file could not be read, a certificate could not be parsed, or if the file does not contain any certificates
-func NewPool(filename string) (*x509.CertPool, error) {
- certs, err := CertsFromFile(filename)
- if err != nil {
- return nil, err
- }
- pool := x509.NewCertPool()
- for _, cert := range certs {
- pool.AddCert(cert)
- }
- return pool, nil
-}
-
-// CertsFromFile returns the x509.Certificates contained in the given PEM-encoded file.
-// Returns an error if the file could not be read, a certificate could not be parsed, or if the file does not contain any certificates
-func CertsFromFile(file string) ([]*x509.Certificate, error) {
- pemBlock, err := ioutil.ReadFile(file)
- if err != nil {
- return nil, err
- }
- certs, err := ParseCertsPEM(pemBlock)
- if err != nil {
- return nil, fmt.Errorf("error reading %s: %s", file, err)
- }
- return certs, nil
-}
diff --git a/vendor/k8s.io/client-go/util/cert/pem.go b/vendor/k8s.io/client-go/util/cert/pem.go
deleted file mode 100644
index 9185e2e22..000000000
--- a/vendor/k8s.io/client-go/util/cert/pem.go
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package cert
-
-import (
- "crypto/x509"
- "encoding/pem"
- "errors"
-)
-
-const (
- // CertificateBlockType is a possible value for pem.Block.Type.
- CertificateBlockType = "CERTIFICATE"
- // CertificateRequestBlockType is a possible value for pem.Block.Type.
- CertificateRequestBlockType = "CERTIFICATE REQUEST"
-)
-
-// ParseCertsPEM returns the x509.Certificates contained in the given PEM-encoded byte array
-// Returns an error if a certificate could not be parsed, or if the data does not contain any certificates
-func ParseCertsPEM(pemCerts []byte) ([]*x509.Certificate, error) {
- ok := false
- certs := []*x509.Certificate{}
- for len(pemCerts) > 0 {
- var block *pem.Block
- block, pemCerts = pem.Decode(pemCerts)
- if block == nil {
- break
- }
- // Only use PEM "CERTIFICATE" blocks without extra headers
- if block.Type != CertificateBlockType || len(block.Headers) != 0 {
- continue
- }
-
- cert, err := x509.ParseCertificate(block.Bytes)
- if err != nil {
- return certs, err
- }
-
- certs = append(certs, cert)
- ok = true
- }
-
- if !ok {
- return certs, errors.New("data does not contain any valid RSA or ECDSA certificates")
- }
- return certs, nil
-} |