From ab6fed13f4fc103568db66e619a6479748380b8b Mon Sep 17 00:00:00 2001
From: Andrew Lytvynov
Date: Wed, 13 Jun 2018 11:27:25 -0700
Subject: [PATCH] Re-use private key after failed CSR

If we create a new key on each CSR, if CSR fails the next attempt will create a new one instead of reusing previous CSR. If approver/signer don't handle CSRs as quickly as new nodes come up, they can pile up and approver would keep handling old abandoned CSRs and Nodes would keep timing out on startup.

Kubernetes-commit: 2c0f043957d25da162fe4e1026c50e2587529ff9
---
 util/cert/io.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/util/cert/io.go b/util/cert/io.go
index 374e8cae6..a57bf09d5 100644
--- a/util/cert/io.go
+++ b/util/cert/io.go
@@ -88,7 +88,8 @@ func WriteKey(keyPath string, data []byte) error {
 // can't find one, it will generate a new key and store it there.
 func LoadOrGenerateKeyFile(keyPath string) (data []byte, wasGenerated bool, err error) {
 	loadedData, err := ioutil.ReadFile(keyPath)
-	if err == nil {
+	// Call verifyKeyData to ensure the file wasn't empty/corrupt.
+	if err == nil && verifyKeyData(loadedData) {
 		return loadedData, false, err
 	}
 	if !os.IsNotExist(err) {
@@ -181,3 +182,12 @@ func PublicKeysFromFile(file string) ([]interface{}, error) {
 	}
 	return keys, nil
 }
+
+// verifyKeyData returns true if the provided data appears to be a valid private key.
+func verifyKeyData(data []byte) bool {
+	if len(data) == 0 {
+		return false
+	}
+	_, err := ParsePrivateKeyPEM(data)
+	return err == nil
+}
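Review bot: In the first hunk, a key file that is readable but fails verifyKeyData now falls through with `err == nil`, and the very next visible check `if !os.IsNotExist(err)` is true for a nil error, so the function neither returns the key nor regenerates it; if the lines after the hunk (outside this view, as is the rest of LoadOrGenerateKeyFile) wrap `err` into an error as the pattern suggests, the caller gets a message whose cause is "<nil>" and no indication that the file's contents were rejected. The two outcomes the comment "ensure the file wasn't empty/corrupt" could mean, regenerate or refuse, should be made explicit; refusing is the safer default, since silently overwriting an existing key file destroys material whose only problem may be a format ParsePrivateKeyPEM does not accept, and the returned error should say so. The second hunk is fine as written; the `len(data) == 0` guard is redundant with the parse failure but harmless.
```go
	loadedData, err := ioutil.ReadFile(keyPath)
	if err == nil {
		// Ensure the file wasn't empty/corrupt before trusting it.
		if verifyKeyData(loadedData) {
			return loadedData, false, nil
		}
		// Do not overwrite an existing file: its contents may be key material
		// in a format we do not parse. Let the operator decide.
		return nil, false, fmt.Errorf("key file %s exists but does not contain a parsable private key", keyPath)
	}
	if !os.IsNotExist(err) {
	// … unchanged: read-error return and key generation …
```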