From 4bda71482ccb7efe8f51e58632a85b9122b2eb3b Mon Sep 17 00:00:00 2001 From: David Eads Date: Tue, 12 Nov 2019 10:10:26 -0500 Subject: [PATCH] create utilities inspecting server TLS certs Kubernetes-commit: e44352f31a8d506d77d2757dbb354fd539826c92 --- util/cert/server_inspection.go | 97 ++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 util/cert/server_inspection.go diff --git a/util/cert/server_inspection.go b/util/cert/server_inspection.go new file mode 100644 index 00000000..6d228916 --- /dev/null +++ b/util/cert/server_inspection.go @@ -0,0 +1,97 @@ +/* +Copyright 2019 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package cert + +import ( + "crypto/tls" + "crypto/x509" + "net/url" + "strings" +) + +// GetClientCANames gets the CA names for client certs that a server accepts. This is useful when inspecting the +// state of particular servers. apiHost is "host:port" +func GetClientCANames(apiHost string) ([]string, error) { + // when we run this the second time, we know which one we are expecting + acceptableCAs := []string{} + tlsConfig := &tls.Config{ + InsecureSkipVerify: true, // this is insecure to always get to the GetClientCertificate + GetClientCertificate: func(hello *tls.CertificateRequestInfo) (*tls.Certificate, error) { + acceptableCAs = []string{} + for _, curr := range hello.AcceptableCAs { + acceptableCAs = append(acceptableCAs, string(curr)) + } + return &tls.Certificate{}, nil + }, + } + + conn, err := tls.Dial("tcp", apiHost, tlsConfig) + if err != nil { + return nil, err + } + defer conn.Close() + + return acceptableCAs, nil +} + +// GetClientCANamesForURL is GetClientCANames against a URL string like we use in kubeconfigs +func GetClientCANamesForURL(kubeConfigURL string) ([]string, error) { + apiserverURL, err := url.Parse(kubeConfigURL) + if err != nil { + return nil, err + } + return GetClientCANames(apiserverURL.Host) +} + +// GetServingCertificates returns the x509 certs used by a server. The serverName is optional for specifying a different +// name to get SNI certificates. apiHost is "host:port" +func GetServingCertificates(apiHost, serverName string) ([]*x509.Certificate, [][]byte, error) { + tlsConfig := &tls.Config{ + InsecureSkipVerify: true, // this is insecure so that we always get connected + } + // if a name is specified for SNI, set it. + if len(serverName) > 0 { + tlsConfig.ServerName = serverName + } + + conn, err := tls.Dial("tcp", apiHost, tlsConfig) + if err != nil { + return nil, nil, err + } + conn.Close() + + peerCerts := conn.ConnectionState().PeerCertificates + peerCertBytes := [][]byte{} + for _, a := range peerCerts { + actualCert, err := EncodeCertificates(a) + if err != nil { + return nil, nil, err + } + peerCertBytes = append(peerCertBytes, []byte(strings.TrimSpace(string(actualCert)))) + } + + return peerCerts, peerCertBytes, err +} + +// GetServingCertificatesForURL is GetServingCertificates against a URL string like we use in kubeconfigs +func GetServingCertificatesForURL(kubeConfigURL, serverName string) ([]*x509.Certificate, [][]byte, error) { + apiserverURL, err := url.Parse(kubeConfigURL) + if err != nil { + return nil, nil, err + } + return GetServingCertificates(apiserverURL.Host, serverName) +}