| /* |
| Copyright 2014 The Kubernetes Authors. |
| |
| Licensed under the Apache License, Version 2.0 (the "License"); |
| you may not use this file except in compliance with the License. |
| You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| */ |
| |
| package cert |
| |
| import ( |
| "bytes" |
| "crypto/ecdsa" |
| "crypto/elliptic" |
| cryptorand "crypto/rand" |
| "crypto/rsa" |
| "crypto/x509" |
| "crypto/x509/pkix" |
| "encoding/pem" |
| "errors" |
| "fmt" |
| "math" |
| "math/big" |
| "net" |
| "time" |
| ) |
| |
| const ( |
| rsaKeySize = 2048 |
| duration365d = time.Hour * 24 * 365 |
| ) |
| |
| // Config contains the basic fields required for creating a certificate |
| type Config struct { |
| CommonName string |
| Organization []string |
| AltNames AltNames |
| Usages []x509.ExtKeyUsage |
| } |
| |
| // AltNames contains the domain names and IP addresses that will be added |
| // to the API Server's x509 certificate SubAltNames field. The values will |
| // be passed directly to the x509.Certificate object. |
| type AltNames struct { |
| DNSNames []string |
| IPs []net.IP |
| } |
| |
| // NewPrivateKey creates an RSA private key |
| func NewPrivateKey() (*rsa.PrivateKey, error) { |
| return rsa.GenerateKey(cryptorand.Reader, rsaKeySize) |
| } |
| |
| // NewSelfSignedCACert creates a CA certificate |
| func NewSelfSignedCACert(cfg Config, key *rsa.PrivateKey) (*x509.Certificate, error) { |
| now := time.Now() |
| tmpl := x509.Certificate{ |
| SerialNumber: new(big.Int).SetInt64(0), |
| Subject: pkix.Name{ |
| CommonName: cfg.CommonName, |
| Organization: cfg.Organization, |
| }, |
| NotBefore: now.UTC(), |
| NotAfter: now.Add(duration365d * 10).UTC(), |
| KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, |
| BasicConstraintsValid: true, |
| IsCA: true, |
| } |
| |
| certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key) |
| if err != nil { |
| return nil, err |
| } |
| return x509.ParseCertificate(certDERBytes) |
| } |
| |
| // NewSignedCert creates a signed certificate using the given CA certificate and key |
| func NewSignedCert(cfg Config, key *rsa.PrivateKey, caCert *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, error) { |
| serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64)) |
| if err != nil { |
| return nil, err |
| } |
| if len(cfg.CommonName) == 0 { |
| return nil, errors.New("must specify a CommonName") |
| } |
| if len(cfg.Usages) == 0 { |
| return nil, errors.New("must specify at least one ExtKeyUsage") |
| } |
| |
| certTmpl := x509.Certificate{ |
| Subject: pkix.Name{ |
| CommonName: cfg.CommonName, |
| Organization: cfg.Organization, |
| }, |
| DNSNames: cfg.AltNames.DNSNames, |
| IPAddresses: cfg.AltNames.IPs, |
| SerialNumber: serial, |
| NotBefore: caCert.NotBefore, |
| NotAfter: time.Now().Add(duration365d).UTC(), |
| KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, |
| ExtKeyUsage: cfg.Usages, |
| } |
| certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey) |
| if err != nil { |
| return nil, err |
| } |
| return x509.ParseCertificate(certDERBytes) |
| } |
| |
| // MakeEllipticPrivateKeyPEM creates an ECDSA private key |
| func MakeEllipticPrivateKeyPEM() ([]byte, error) { |
| privateKey, err := ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader) |
| if err != nil { |
| return nil, err |
| } |
| |
| derBytes, err := x509.MarshalECPrivateKey(privateKey) |
| if err != nil { |
| return nil, err |
| } |
| |
| privateKeyPemBlock := &pem.Block{ |
| Type: ECPrivateKeyBlockType, |
| Bytes: derBytes, |
| } |
| return pem.EncodeToMemory(privateKeyPemBlock), nil |
| } |
| |
| // GenerateSelfSignedCertKey creates a self-signed certificate and key for the given host. |
| // Host may be an IP or a DNS name |
| // You may also specify additional subject alt names (either ip or dns names) for the certificate |
| func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS []string) ([]byte, []byte, error) { |
| caKey, err := rsa.GenerateKey(cryptorand.Reader, 2048) |
| if err != nil { |
| return nil, nil, err |
| } |
| |
| caTemplate := x509.Certificate{ |
| SerialNumber: big.NewInt(1), |
| Subject: pkix.Name{ |
| CommonName: fmt.Sprintf("%s-ca@%d", host, time.Now().Unix()), |
| }, |
| NotBefore: time.Now(), |
| NotAfter: time.Now().Add(time.Hour * 24 * 365), |
| |
| KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, |
| BasicConstraintsValid: true, |
| IsCA: true, |
| } |
| |
| caDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &caTemplate, &caTemplate, &caKey.PublicKey, caKey) |
| if err != nil { |
| return nil, nil, err |
| } |
| |
| caCertificate, err := x509.ParseCertificate(caDERBytes) |
| if err != nil { |
| return nil, nil, err |
| } |
| |
| priv, err := rsa.GenerateKey(cryptorand.Reader, 2048) |
| if err != nil { |
| return nil, nil, err |
| } |
| |
| template := x509.Certificate{ |
| SerialNumber: big.NewInt(2), |
| Subject: pkix.Name{ |
| CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()), |
| }, |
| NotBefore: time.Now(), |
| NotAfter: time.Now().Add(time.Hour * 24 * 365), |
| |
| KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, |
| ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, |
| BasicConstraintsValid: true, |
| } |
| |
| if ip := net.ParseIP(host); ip != nil { |
| template.IPAddresses = append(template.IPAddresses, ip) |
| } else { |
| template.DNSNames = append(template.DNSNames, host) |
| } |
| |
| template.IPAddresses = append(template.IPAddresses, alternateIPs...) |
| template.DNSNames = append(template.DNSNames, alternateDNS...) |
| |
| derBytes, err := x509.CreateCertificate(cryptorand.Reader, &template, caCertificate, &priv.PublicKey, caKey) |
| if err != nil { |
| return nil, nil, err |
| } |
| |
| // Generate cert, followed by ca |
| certBuffer := bytes.Buffer{} |
| if err := pem.Encode(&certBuffer, &pem.Block{Type: CertificateBlockType, Bytes: derBytes}); err != nil { |
| return nil, nil, err |
| } |
| if err := pem.Encode(&certBuffer, &pem.Block{Type: CertificateBlockType, Bytes: caDERBytes}); err != nil { |
| return nil, nil, err |
| } |
| |
| // Generate key |
| keyBuffer := bytes.Buffer{} |
| if err := pem.Encode(&keyBuffer, &pem.Block{Type: RSAPrivateKeyBlockType, Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil { |
| return nil, nil, err |
| } |
| |
| return certBuffer.Bytes(), keyBuffer.Bytes(), nil |
| } |
| |
| // FormatBytesCert receives byte array certificate and formats in human-readable format |
| func FormatBytesCert(cert []byte) (string, error) { |
| block, _ := pem.Decode(cert) |
| c, err := x509.ParseCertificate(block.Bytes) |
| if err != nil { |
| return "", fmt.Errorf("failed to parse certificate [%v]", err) |
| } |
| return FormatCert(c), nil |
| } |
| |
| // FormatCert receives certificate and formats in human-readable format |
| func FormatCert(c *x509.Certificate) string { |
| var ips []string |
| for _, ip := range c.IPAddresses { |
| ips = append(ips, ip.String()) |
| } |
| altNames := append(ips, c.DNSNames...) |
| res := fmt.Sprintf( |
| "Issuer: CN=%s | Subject: CN=%s | CA: %t\n", |
| c.Issuer.CommonName, c.Subject.CommonName, c.IsCA, |
| ) |
| res += fmt.Sprintf("Not before: %s Not After: %s", c.NotBefore, c.NotAfter) |
| if len(altNames) > 0 { |
| res += fmt.Sprintf("\nAlternate Names: %v", altNames) |
| } |
| return res |
| } |