diff --git a/util/certificate/csr/csr.go b/util/certificate/csr/csr.go index 9bcaa1db..6338eef9 100644 --- a/util/certificate/csr/csr.go +++ b/util/certificate/csr/csr.go @@ -18,10 +18,7 @@ package csr import ( "crypto" - "crypto/sha512" "crypto/x509" - "crypto/x509/pkix" - "encoding/base64" "encoding/pem" "fmt" "reflect" @@ -34,7 +31,6 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/fields" "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/wait" "k8s.io/apimachinery/pkg/watch" certificatesclient "k8s.io/client-go/kubernetes/typed/certificates/v1beta1" @@ -43,41 +39,6 @@ import ( certutil "k8s.io/client-go/util/cert" ) -// RequestNodeCertificate will create a certificate signing request for a node -// (Organization and CommonName for the CSR will be set as expected for node -// certificates) and send it to API server, then it will watch the object's -// status, once approved by API server, it will return the API server's issued -// certificate (pem-encoded). If there is any errors, or the watch timeouts, it -// will return an error. This is intended for use on nodes (kubelet and -// kubeadm). -func RequestNodeCertificate(client certificatesclient.CertificateSigningRequestInterface, privateKeyData []byte, nodeName types.NodeName) (certData []byte, err error) { - subject := &pkix.Name{ - Organization: []string{"system:nodes"}, - CommonName: "system:node:" + string(nodeName), - } - - privateKey, err := certutil.ParsePrivateKeyPEM(privateKeyData) - if err != nil { - return nil, fmt.Errorf("invalid private key for certificate request: %v", err) - } - csrData, err := certutil.MakeCSR(privateKey, subject, nil, nil) - if err != nil { - return nil, fmt.Errorf("unable to generate certificate request: %v", err) - } - - usages := []certificates.KeyUsage{ - certificates.UsageDigitalSignature, - certificates.UsageKeyEncipherment, - certificates.UsageClientAuth, - } - name := digestedName(privateKeyData, subject, usages) - req, err := RequestCertificate(client, csrData, name, usages, privateKey) - if err != nil { - return nil, err - } - return WaitForCertificate(client, req, 3600*time.Second) -} - // RequestCertificate will either use an existing (if this process has run // before but not to completion) or create a certificate signing request using the // PEM encoded CSR and send it to API server, then it will watch the object's @@ -168,38 +129,6 @@ func WaitForCertificate(client certificatesclient.CertificateSigningRequestInter return event.Object.(*certificates.CertificateSigningRequest).Status.Certificate, nil } -// This digest should include all the relevant pieces of the CSR we care about. -// We can't direcly hash the serialized CSR because of random padding that we -// regenerate every loop and we include usages which are not contained in the -// CSR. This needs to be kept up to date as we add new fields to the node -// certificates and with ensureCompatible. -func digestedName(privateKeyData []byte, subject *pkix.Name, usages []certificates.KeyUsage) string { - hash := sha512.New512_256() - - // Here we make sure two different inputs can't write the same stream - // to the hash. This delimiter is not in the base64.URLEncoding - // alphabet so there is no way to have spill over collisions. Without - // it 'CN:foo,ORG:bar' hashes to the same value as 'CN:foob,ORG:ar' - const delimiter = '|' - encode := base64.RawURLEncoding.EncodeToString - - write := func(data []byte) { - hash.Write([]byte(encode(data))) - hash.Write([]byte{delimiter}) - } - - write(privateKeyData) - write([]byte(subject.CommonName)) - for _, v := range subject.Organization { - write([]byte(v)) - } - for _, v := range usages { - write([]byte(v)) - } - - return "node-csr-" + encode(hash.Sum(nil)) -} - // ensureCompatible ensures that a CSR object is compatible with an original CSR func ensureCompatible(new, orig *certificates.CertificateSigningRequest, privateKey interface{}) error { newCSR, err := parseCSR(new) diff --git a/util/certificate/csr/csr_test.go b/util/certificate/csr/csr_test.go deleted file mode 100644 index d0182abe..00000000 --- a/util/certificate/csr/csr_test.go +++ /dev/null @@ -1,135 +0,0 @@ -/* -Copyright 2017 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package csr - -import ( - "fmt" - "testing" - - certificates "k8s.io/api/certificates/v1beta1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - watch "k8s.io/apimachinery/pkg/watch" - certificatesclient "k8s.io/client-go/kubernetes/typed/certificates/v1beta1" - certutil "k8s.io/client-go/util/cert" -) - -func TestRequestNodeCertificateNoKeyData(t *testing.T) { - certData, err := RequestNodeCertificate(&fakeClient{}, []byte{}, "fake-node-name") - if err == nil { - t.Errorf("Got no error, wanted error an error because there was an empty private key passed in.") - } - if certData != nil { - t.Errorf("Got cert data, wanted nothing as there should have been an error.") - } -} - -func TestRequestNodeCertificateErrorCreatingCSR(t *testing.T) { - client := &fakeClient{ - failureType: createError, - } - privateKeyData, err := certutil.MakeEllipticPrivateKeyPEM() - if err != nil { - t.Fatalf("Unable to generate a new private key: %v", err) - } - - certData, err := RequestNodeCertificate(client, privateKeyData, "fake-node-name") - if err == nil { - t.Errorf("Got no error, wanted error an error because client.Create failed.") - } - if certData != nil { - t.Errorf("Got cert data, wanted nothing as there should have been an error.") - } -} - -func TestRequestNodeCertificate(t *testing.T) { - privateKeyData, err := certutil.MakeEllipticPrivateKeyPEM() - if err != nil { - t.Fatalf("Unable to generate a new private key: %v", err) - } - - certData, err := RequestNodeCertificate(&fakeClient{}, privateKeyData, "fake-node-name") - if err != nil { - t.Errorf("Got %v, wanted no error.", err) - } - if certData == nil { - t.Errorf("Got nothing, expected a CSR.") - } -} - -type FailureType int - -const ( - noError FailureType = iota - createError - certificateSigningRequestDenied -) - -type fakeClient struct { - certificatesclient.CertificateSigningRequestInterface - watch *watch.FakeWatcher - failureType FailureType -} - -func (c *fakeClient) Create(*certificates.CertificateSigningRequest) (*certificates.CertificateSigningRequest, error) { - if c.failureType == createError { - return nil, fmt.Errorf("fakeClient failed creating request") - } - csr := certificates.CertificateSigningRequest{ - ObjectMeta: metav1.ObjectMeta{ - UID: "fake-uid", - Name: "fake-certificate-signing-request-name", - }, - } - return &csr, nil -} - -func (c *fakeClient) List(opts metav1.ListOptions) (*certificates.CertificateSigningRequestList, error) { - return &certificates.CertificateSigningRequestList{}, nil -} - -func (c *fakeClient) Watch(opts metav1.ListOptions) (watch.Interface, error) { - c.watch = watch.NewFakeWithChanSize(1, false) - c.watch.Add(c.generateCSR()) - c.watch.Stop() - return c.watch, nil -} - -func (c *fakeClient) generateCSR() *certificates.CertificateSigningRequest { - var condition certificates.CertificateSigningRequestCondition - if c.failureType == certificateSigningRequestDenied { - condition = certificates.CertificateSigningRequestCondition{ - Type: certificates.CertificateDenied, - } - } else { - condition = certificates.CertificateSigningRequestCondition{ - Type: certificates.CertificateApproved, - } - } - - csr := certificates.CertificateSigningRequest{ - ObjectMeta: metav1.ObjectMeta{ - UID: "fake-uid", - }, - Status: certificates.CertificateSigningRequestStatus{ - Conditions: []certificates.CertificateSigningRequestCondition{ - condition, - }, - Certificate: []byte{}, - }, - } - return &csr -}