Enable intermediate CA Certificates

Signed-off-by: Jonas Wagner <jwagner@knoppiks.de>
Jonas Wagner
2023-07-10 08:59:37 +02:00
parent 4c1ac9bd4b
commit 02304047cf
5 changed files with 58 additions and 21 deletions


@@ -25,18 +25,25 @@ func GenCA() (*x509.Certificate, crypto.Signer, error) {
return caCert, caKey, nil
}
// Deprecated: Use LoadOrGenCAChain instead as it supports intermediate CAs
func LoadOrGenCA() (*x509.Certificate, crypto.Signer, error) {
cert, key, err := loadCA()
chain, signer, err := LoadOrGenCAChain()
return chain[0], signer, err
}
func LoadOrGenCAChain() ([]*x509.Certificate, crypto.Signer, error) {
certs, key, err := loadCA()
if err == nil {
return cert, key, nil
return certs, key, nil
}
cert, key, err = GenCA()
cert, key, err := GenCA()
if err != nil {
return nil, nil, err
}
certs = []*x509.Certificate{cert}
certBytes, keyBytes, err := Marshal(cert, key)
certBytes, keyBytes, err := MarshalChain(key, certs...)
if err != nil {
return nil, nil, err
}
@@ -53,14 +60,19 @@ func LoadOrGenCA() (*x509.Certificate, crypto.Signer, error) {
return nil, nil, err
}
return cert, key, nil
return certs, key, nil
}
func loadCA() (*x509.Certificate, crypto.Signer, error) {
return LoadCerts("./certs/ca.pem", "./certs/ca.key")
func loadCA() ([]*x509.Certificate, crypto.Signer, error) {
return LoadCertsChain("./certs/ca.pem", "./certs/ca.key")
}
func LoadCA(caPem, caKey []byte) (*x509.Certificate, crypto.Signer, error) {
chain, signer, err := LoadCAChain(caPem, caKey)
return chain[0], signer, err
}
func LoadCAChain(caPem, caKey []byte) ([]*x509.Certificate, crypto.Signer, error) {
key, err := cert.ParsePrivateKeyPEM(caKey)
if err != nil {
return nil, nil, err
@@ -70,15 +82,21 @@ func LoadCA(caPem, caKey []byte) (*x509.Certificate, crypto.Signer, error) {
return nil, nil, fmt.Errorf("key is not a crypto.Signer")
}
cert, err := ParseCertPEM(caPem)
certs, err := cert.ParseCertsPEM(caPem)
if err != nil {
return nil, nil, err
}
return cert, signer, nil
return certs, signer, nil
}
// Deprecated: Use LoadCertsChain instead as it supports intermediate CAs
func LoadCerts(certFile, keyFile string) (*x509.Certificate, crypto.Signer, error) {
chain, signer, err := LoadCertsChain(certFile, keyFile)
return chain[0], signer, err
}
func LoadCertsChain(certFile, keyFile string) ([]*x509.Certificate, crypto.Signer, error) {
caPem, err := ioutil.ReadFile(certFile)
if err != nil {
return nil, nil, err
@@ -88,5 +106,5 @@ func LoadCerts(certFile, keyFile string) (*x509.Certificate, crypto.Signer, erro
return nil, nil, err
}
return LoadCA(caPem, caKey)
return LoadCAChain(caPem, caKey)
}
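Review bot: The deprecated wrappers index the chain before looking at the error: LoadOrGenCA, LoadCA and LoadCerts all end in `return chain[0], signer, err`, while every failure path of the *Chain functions visible here returns `nil, nil, err`, so a read or parse failure now panics with an index-out-of-range instead of reaching the caller as an error. Each wrapper should first do `if err != nil { return nil, nil, err }` and also reject an empty chain with its own error before taking `chain[0]`. It would also help to state in a doc comment on LoadCAChain that element 0 must be the certificate belonging to the private key, since nothing in these hunks checks that the key in ca.key matches the first certificate in ca.pem. The bodies of LoadCAChain and LoadCertsChain are only partly inside the hunks, so checks outside the visible lines cannot be ruled out.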


@@ -33,7 +33,7 @@ var (
)
type TLS struct {
CACert *x509.Certificate
CACert []*x509.Certificate
CAKey crypto.Signer
CN string
Organization []string
@@ -178,7 +178,7 @@ func (t *TLS) generateCert(secret *v1.Secret, cn ...string) (*v1.Secret, bool, e
return nil, false, err
}
keyBytes, certBytes, err := MarshalChain(privateKey, newCert, t.CACert)
keyBytes, certBytes, err := MarshalChain(privateKey, append([]*x509.Certificate{newCert}, t.CACert...)...)
if err != nil {
return nil, false, err
}
@@ -226,14 +226,16 @@ func (t *TLS) Verify(secret *v1.Secret) error {
x509.ExtKeyUsageAny,
},
}
verifyOpts.Roots.AddCert(t.CACert)
for _, c := range t.CACert {
verifyOpts.Roots.AddCert(c)
}
_, err = certificates[0].Verify(verifyOpts)
return err
}
func (t *TLS) newCert(domains []string, ips []net.IP, privateKey crypto.Signer) (*x509.Certificate, error) {
return NewSignedCert(privateKey, t.CACert, t.CAKey, t.CN, t.Organization, domains, ips)
return NewSignedCert(privateKey, t.CACert[0], t.CAKey, t.CN, t.Organization, domains, ips)
}
func populateCN(secret *v1.Secret, cn ...string) *v1.Secret {
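Review bot: In Verify, the new loop calls `verifyOpts.Roots.AddCert(c)` for every element of t.CACert, so each intermediate in the chain becomes a trust anchor in its own right and path building can stop at it without ever reaching the root. If that is the intended trust model, say so in a comment on the loop; otherwise add only the root to `Roots` and put the remaining certificates in `verifyOpts.Intermediates`. Separately, newCert now reads `t.CACert[0]` and CACert is an exported slice field, so a TLS value built with an empty CACert panics there; a length check that returns an error would be safer. Verify begins above this hunk, so how verifyOpts is otherwise populated is not visible here.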