From db078d2f1bfd49c88d950fe9ef0000554374932c Mon Sep 17 00:00:00 2001
From: Yusuke Tsutsumi
Date: Mon, 3 May 2021 06:48:02 -0700
Subject: [PATCH] client-go: NewSelfSignedCACert makes Go 1.15+ compatible cert (#100324)

* NewSelfSignedCACert makes Go 1.15+ compatible cert

As of Go 1.15, X.509 certificates without a SAN no longer fall back to the CommonName of the certificate.

https://golang.org/doc/go1.15#commonname

Updating NewSelfSignedCACert to produce certificates that work with this change.

* add missing license

Kubernetes-commit: a41a3ed4ae77a7902577bdb50b35fc5f42ed7c60
---
 Godeps/Godeps.json | 4 ++--
 go.mod | 8 ++++----
 go.sum | 8 ++++----
 util/cert/cert.go | 1 +
 util/cert/cert_test.go | 46 ++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 57 insertions(+), 10 deletions(-)
 create mode 100644 util/cert/cert_test.go

diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
index 0441fbaa..66da3896 100644
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@@ -476,11 +476,11 @@
 },
 {
 "ImportPath": "k8s.io/api",
- "Rev": "010282aa9cba"
+ "Rev": "73cb810742ad"
 },
 {
 "ImportPath": "k8s.io/apimachinery",
- "Rev": "05188bab0ab7"
+ "Rev": "83e6b5ff9c68"
 },
 {
 "ImportPath": "k8s.io/gengo",
diff --git a/go.mod b/go.mod
index 0a5f0a5b..d8056af5 100644
--- a/go.mod
+++ b/go.mod
@@ -28,8 +28,8 @@ require (
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d
 golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba
 google.golang.org/protobuf v1.25.0
- k8s.io/api v0.0.0-20210518101600-010282aa9cba
- k8s.io/apimachinery v0.0.0-20210518100453-05188bab0ab7
+ k8s.io/api v0.0.0-20210518101604-73cb810742ad
+ k8s.io/apimachinery v0.0.0-20210518100455-83e6b5ff9c68
 k8s.io/klog/v2 v2.8.0
 k8s.io/utils v0.0.0-20201110183641-67b214c5f920
 sigs.k8s.io/structured-merge-diff/v4 v4.1.1
@@ -37,6 +37,6 @@ require (
 )
 
 replace (
- k8s.io/api => k8s.io/api v0.0.0-20210518101600-010282aa9cba
- k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20210518100453-05188bab0ab7
+ k8s.io/api => k8s.io/api v0.0.0-20210518101604-73cb810742ad
+ k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20210518100455-83e6b5ff9c68
 )
diff --git a/go.sum b/go.sum
index 04a07aa6..0a251ac3 100644
--- a/go.sum
+++ b/go.sum
@@ -426,10 +426,10 @@ honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.0.0-20210518101600-010282aa9cba h1:Pa+/+oGk2i/TXM4QY9xEqAqG6l+gNtLltIu+YplL+rM=
-k8s.io/api v0.0.0-20210518101600-010282aa9cba/go.mod h1:d6qZeU++Xji60DRinRcYmfSlybOHHk5fvkuWH3PVSUw=
-k8s.io/apimachinery v0.0.0-20210518100453-05188bab0ab7 h1:NRTRRkVKRii4TRjauTt5m/ZL78XXVORn0SdhoPwSAVs=
-k8s.io/apimachinery v0.0.0-20210518100453-05188bab0ab7/go.mod h1:fBRSkoylGO2QUTae8Wb2wac6pZ83/r+tL6HFSXGbzfs=
+k8s.io/api v0.0.0-20210518101604-73cb810742ad h1:Y3Y8dvutfX0ctUvW8lOIRWtGQ78do2iq0kyzOgP7Kzs=
+k8s.io/api v0.0.0-20210518101604-73cb810742ad/go.mod h1:oMHvpJd6cjQV4EGOZctXILY3h91ViVRHybL+6tnKvPA=
+k8s.io/apimachinery v0.0.0-20210518100455-83e6b5ff9c68 h1:TOBIgeJvdBu5pIW9s0eqs8ZlkY0Ld5oP84shav2e7Co=
+k8s.io/apimachinery v0.0.0-20210518100455-83e6b5ff9c68/go.mod h1:fBRSkoylGO2QUTae8Wb2wac6pZ83/r+tL6HFSXGbzfs=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.8.0 h1:Q3gmuM9hKEjefWFFYF0Mat+YyFJvsUyYuwyNNJ5C9Ts=
diff --git a/util/cert/cert.go b/util/cert/cert.go
index 3da14416..bffb1526 100644
--- a/util/cert/cert.go
+++ b/util/cert/cert.go
@@ -62,6 +62,7 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
 CommonName: cfg.CommonName,
 Organization: cfg.Organization,
 },
+ DNSNames: []string{cfg.CommonName},
 NotBefore: now.UTC(),
 NotAfter: now.Add(duration365d * 10).UTC(),
 KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
diff --git a/util/cert/cert_test.go b/util/cert/cert_test.go
new file mode 100644
index 00000000..40acaf3d
--- /dev/null
+++ b/util/cert/cert_test.go
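Review bot: The added `DNSNames: []string{cfg.CommonName}` copies the CommonName into a SAN unconditionally, so an empty CommonName produces a certificate whose only dNSName is the empty string, and a CommonName that is a human-readable CA label rather than a hostname is now asserted as a DNS identity. If I recall correctly, x509.CreateCertificate also rejects dNSName values that are not IA5 strings, so a non-ASCII CommonName that this constructor previously accepted would now make it return an error. Consider setting DNSNames on the template only when `cfg.CommonName != ""` (the template literal starts before this hunk, so the guard would follow it rather than sit inside the literal), and record the intent on the field with `// Go 1.15+ no longer falls back to CommonName for name matching, so also carry it as a SAN.`. The enclosing NewSelfSignedCACert body starts before and ends after this hunk.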
@@ -0,0 +1,46 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cert_test
+
+import (
+ cryptorand "crypto/rand"
+ "crypto/rsa"
+ "testing"
+
+ "k8s.io/client-go/util/cert"
+)
+
+const COMMON_NAME = "foo.example.com"
+
+// TestSelfSignedCertHasSAN verifies the existing of
+// a SAN on the generated self-signed certificate.
+// a SAN ensures that the certificate is considered
+// valid by default in go 1.15 and above, which
+// turns off fallback to Common Name by default.
+func TestSelfSignedCertHasSAN(t *testing.T) {
+ key, err := rsa.GenerateKey(cryptorand.Reader, 2048)
+ if err != nil {
+ t.Fatalf("rsa key failed to generate: %v", err)
+ }
+ selfSignedCert, err := cert.NewSelfSignedCACert(cert.Config{CommonName: COMMON_NAME}, key)
+ if err != nil {
+ t.Fatalf("self signed certificate failed to generate: %v", err)
+ }
+ if len(selfSignedCert.DNSNames) == 0 {
+ t.Fatalf("self signed certificate has zero DNS names.")
+ }
+}
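Review bot: The final assertion in TestSelfSignedCertHasSAN only checks that DNSNames is non-empty, so a regression that put the wrong value or an empty string into the SAN would still pass; pin the value instead, `if len(selfSignedCert.DNSNames) != 1 || selfSignedCert.DNSNames[0] != COMMON_NAME { t.Fatalf("DNSNames = %q, want [%q]", selfSignedCert.DNSNames, COMMON_NAME) }`. The constant name `COMMON_NAME` is not Go style; MixedCaps such as `commonName` is what golint and staticcheck expect. The doc comment reads "verifies the existing of a SAN" and should say "existence of". Generating a 2048-bit RSA key makes this test slower than it needs to be; an ECDSA P-256 key from crypto/ecdsa should also satisfy the crypto.Signer parameter and is generated in microseconds.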