You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
245 lines
7.2 KiB
245 lines
7.2 KiB
/* |
|
Copyright 2014 The Kubernetes Authors. |
|
|
|
Licensed under the Apache License, Version 2.0 (the "License"); |
|
you may not use this file except in compliance with the License. |
|
You may obtain a copy of the License at |
|
|
|
http://www.apache.org/licenses/LICENSE-2.0 |
|
|
|
Unless required by applicable law or agreed to in writing, software |
|
distributed under the License is distributed on an "AS IS" BASIS, |
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|
See the License for the specific language governing permissions and |
|
limitations under the License. |
|
*/ |
|
|
|
package cert |
|
|
|
import ( |
|
"bytes" |
|
"crypto/ecdsa" |
|
"crypto/elliptic" |
|
cryptorand "crypto/rand" |
|
"crypto/rsa" |
|
"crypto/x509" |
|
"crypto/x509/pkix" |
|
"encoding/pem" |
|
"errors" |
|
"fmt" |
|
"math" |
|
"math/big" |
|
"net" |
|
"time" |
|
) |
|
|
|
const ( |
|
rsaKeySize = 2048 |
|
duration365d = time.Hour * 24 * 365 |
|
) |
|
|
|
// Config contains the basic fields required for creating a certificate |
|
type Config struct { |
|
CommonName string |
|
Organization []string |
|
AltNames AltNames |
|
Usages []x509.ExtKeyUsage |
|
} |
|
|
|
// AltNames contains the domain names and IP addresses that will be added |
|
// to the API Server's x509 certificate SubAltNames field. The values will |
|
// be passed directly to the x509.Certificate object. |
|
type AltNames struct { |
|
DNSNames []string |
|
IPs []net.IP |
|
} |
|
|
|
// NewPrivateKey creates an RSA private key |
|
func NewPrivateKey() (*rsa.PrivateKey, error) { |
|
return rsa.GenerateKey(cryptorand.Reader, rsaKeySize) |
|
} |
|
|
|
// NewSelfSignedCACert creates a CA certificate |
|
func NewSelfSignedCACert(cfg Config, key *rsa.PrivateKey) (*x509.Certificate, error) { |
|
now := time.Now() |
|
tmpl := x509.Certificate{ |
|
SerialNumber: new(big.Int).SetInt64(0), |
|
Subject: pkix.Name{ |
|
CommonName: cfg.CommonName, |
|
Organization: cfg.Organization, |
|
}, |
|
NotBefore: now.UTC(), |
|
NotAfter: now.Add(duration365d * 10).UTC(), |
|
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, |
|
BasicConstraintsValid: true, |
|
IsCA: true, |
|
} |
|
|
|
certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key) |
|
if err != nil { |
|
return nil, err |
|
} |
|
return x509.ParseCertificate(certDERBytes) |
|
} |
|
|
|
// NewSignedCert creates a signed certificate using the given CA certificate and key |
|
func NewSignedCert(cfg Config, key *rsa.PrivateKey, caCert *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, error) { |
|
serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64)) |
|
if err != nil { |
|
return nil, err |
|
} |
|
if len(cfg.CommonName) == 0 { |
|
return nil, errors.New("must specify a CommonName") |
|
} |
|
if len(cfg.Usages) == 0 { |
|
return nil, errors.New("must specify at least one ExtKeyUsage") |
|
} |
|
|
|
certTmpl := x509.Certificate{ |
|
Subject: pkix.Name{ |
|
CommonName: cfg.CommonName, |
|
Organization: cfg.Organization, |
|
}, |
|
DNSNames: cfg.AltNames.DNSNames, |
|
IPAddresses: cfg.AltNames.IPs, |
|
SerialNumber: serial, |
|
NotBefore: caCert.NotBefore, |
|
NotAfter: time.Now().Add(duration365d).UTC(), |
|
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, |
|
ExtKeyUsage: cfg.Usages, |
|
} |
|
certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey) |
|
if err != nil { |
|
return nil, err |
|
} |
|
return x509.ParseCertificate(certDERBytes) |
|
} |
|
|
|
// MakeEllipticPrivateKeyPEM creates an ECDSA private key |
|
func MakeEllipticPrivateKeyPEM() ([]byte, error) { |
|
privateKey, err := ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader) |
|
if err != nil { |
|
return nil, err |
|
} |
|
|
|
derBytes, err := x509.MarshalECPrivateKey(privateKey) |
|
if err != nil { |
|
return nil, err |
|
} |
|
|
|
privateKeyPemBlock := &pem.Block{ |
|
Type: ECPrivateKeyBlockType, |
|
Bytes: derBytes, |
|
} |
|
return pem.EncodeToMemory(privateKeyPemBlock), nil |
|
} |
|
|
|
// GenerateSelfSignedCertKey creates a self-signed certificate and key for the given host. |
|
// Host may be an IP or a DNS name |
|
// You may also specify additional subject alt names (either ip or dns names) for the certificate |
|
func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS []string) ([]byte, []byte, error) { |
|
caKey, err := rsa.GenerateKey(cryptorand.Reader, 2048) |
|
if err != nil { |
|
return nil, nil, err |
|
} |
|
|
|
caTemplate := x509.Certificate{ |
|
SerialNumber: big.NewInt(1), |
|
Subject: pkix.Name{ |
|
CommonName: fmt.Sprintf("%s-ca@%d", host, time.Now().Unix()), |
|
}, |
|
NotBefore: time.Now(), |
|
NotAfter: time.Now().Add(time.Hour * 24 * 365), |
|
|
|
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, |
|
BasicConstraintsValid: true, |
|
IsCA: true, |
|
} |
|
|
|
caDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &caTemplate, &caTemplate, &caKey.PublicKey, caKey) |
|
if err != nil { |
|
return nil, nil, err |
|
} |
|
|
|
caCertificate, err := x509.ParseCertificate(caDERBytes) |
|
if err != nil { |
|
return nil, nil, err |
|
} |
|
|
|
priv, err := rsa.GenerateKey(cryptorand.Reader, 2048) |
|
if err != nil { |
|
return nil, nil, err |
|
} |
|
|
|
template := x509.Certificate{ |
|
SerialNumber: big.NewInt(2), |
|
Subject: pkix.Name{ |
|
CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()), |
|
}, |
|
NotBefore: time.Now(), |
|
NotAfter: time.Now().Add(time.Hour * 24 * 365), |
|
|
|
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, |
|
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, |
|
BasicConstraintsValid: true, |
|
} |
|
|
|
if ip := net.ParseIP(host); ip != nil { |
|
template.IPAddresses = append(template.IPAddresses, ip) |
|
} else { |
|
template.DNSNames = append(template.DNSNames, host) |
|
} |
|
|
|
template.IPAddresses = append(template.IPAddresses, alternateIPs...) |
|
template.DNSNames = append(template.DNSNames, alternateDNS...) |
|
|
|
derBytes, err := x509.CreateCertificate(cryptorand.Reader, &template, caCertificate, &priv.PublicKey, caKey) |
|
if err != nil { |
|
return nil, nil, err |
|
} |
|
|
|
// Generate cert, followed by ca |
|
certBuffer := bytes.Buffer{} |
|
if err := pem.Encode(&certBuffer, &pem.Block{Type: CertificateBlockType, Bytes: derBytes}); err != nil { |
|
return nil, nil, err |
|
} |
|
if err := pem.Encode(&certBuffer, &pem.Block{Type: CertificateBlockType, Bytes: caDERBytes}); err != nil { |
|
return nil, nil, err |
|
} |
|
|
|
// Generate key |
|
keyBuffer := bytes.Buffer{} |
|
if err := pem.Encode(&keyBuffer, &pem.Block{Type: RSAPrivateKeyBlockType, Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil { |
|
return nil, nil, err |
|
} |
|
|
|
return certBuffer.Bytes(), keyBuffer.Bytes(), nil |
|
} |
|
|
|
// FormatBytesCert receives byte array certificate and formats in human-readable format |
|
func FormatBytesCert(cert []byte) (string, error) { |
|
block, _ := pem.Decode(cert) |
|
c, err := x509.ParseCertificate(block.Bytes) |
|
if err != nil { |
|
return "", fmt.Errorf("failed to parse certificate [%v]", err) |
|
} |
|
return FormatCert(c), nil |
|
} |
|
|
|
// FormatCert receives certificate and formats in human-readable format |
|
func FormatCert(c *x509.Certificate) string { |
|
var ips []string |
|
for _, ip := range c.IPAddresses { |
|
ips = append(ips, ip.String()) |
|
} |
|
altNames := append(ips, c.DNSNames...) |
|
res := fmt.Sprintf( |
|
"Issuer: CN=%s | Subject: CN=%s | CA: %t\n", |
|
c.Issuer.CommonName, c.Subject.CommonName, c.IsCA, |
|
) |
|
res += fmt.Sprintf("Not before: %s Not After: %s", c.NotBefore, c.NotAfter) |
|
if len(altNames) > 0 { |
|
res += fmt.Sprintf("\nAlternate Names: %v", altNames) |
|
} |
|
return res |
|
}
|
|
|