Merge pull request #40152 from liggitt/sign-cert-org

Automatic merge from submit-queue (batch tested with PRs 40187, 40231, 40152) Update client/server cert generation utilities Limit generated cert usage to client or server use.
2025-07-22 03:11:40 +00:00 · 2017-01-20 13:29:48 -08:00 · 2017-01-20 13:29:48 -08:00 · 0efee9a67e
commit 0efee9a67e
parent 5e272d6a0c 11012c19df
4 changed files with 21 additions and 7 deletions
--- a/cmd/kubeadm/app/phases/certs/pki_helpers.go
+++ b/cmd/kubeadm/app/phases/certs/pki_helpers.go
@ -51,6 +51,7 @@ func newServerKeyAndCert(caCert *x509.Certificate, caKey *rsa.PrivateKey, altNam
 	config := certutil.Config{
 		CommonName: "kube-apiserver",
 		AltNames:   altNames,
+		Usages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 	}
 	cert, err := certutil.NewSignedCert(config, key, caCert, caKey)
 	if err != nil {
@ -65,8 +66,10 @@ func NewClientKeyAndCert(config *certutil.Config, caCert *x509.Certificate, caKe
 	if err != nil {
 		return nil, nil, fmt.Errorf("unable to create private key [%v]", err)
 	}
-
-	cert, err := certutil.NewSignedCert(*config, key, caCert, caKey)
+	// force usage to client usage
+	configCopy := *config
+	configCopy.Usages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
+	cert, err := certutil.NewSignedCert(configCopy, key, caCert, caKey)
 	if err != nil {
 		return nil, nil, fmt.Errorf("unable to sign certificate [%v]", err)
 	}
--- a/federation/pkg/kubefed/init/init.go
+++ b/federation/pkg/kubefed/init/init.go
@ -334,11 +334,11 @@ func genCerts(svcNamespace, name, svcName, localDNSZoneName string, ips, hostnam
 	if err != nil {
 		return nil, fmt.Errorf("failed to create federation API server key and certificate: %v", err)
 	}
-	cm, err := triple.NewClientKeyPair(ca, ControllerManagerCN)
+	cm, err := triple.NewClientKeyPair(ca, ControllerManagerCN, nil)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create federation controller manager client key and certificate: %v", err)
 	}
-	admin, err := triple.NewClientKeyPair(ca, AdminCN)
+	admin, err := triple.NewClientKeyPair(ca, AdminCN, nil)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create client key and certificate for an admin: %v", err)
 	}
--- a/staging/src/k8s.io/client-go/pkg/util/cert/cert.go
+++ b/staging/src/k8s.io/client-go/pkg/util/cert/cert.go
@ -25,6 +25,7 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
+	"errors"
 	"fmt"
 	"math"
 	"math/big"
@ -42,6 +43,7 @@ type Config struct {
 	CommonName   string
 	Organization []string
 	AltNames     AltNames
+	Usages       []x509.ExtKeyUsage
 }

 // AltNames contains the domain names and IP addresses that will be added
@ -86,6 +88,12 @@ func NewSignedCert(cfg Config, key *rsa.PrivateKey, caCert *x509.Certificate, ca
 	if err != nil {
 		return nil, err
 	}
+	if len(cfg.CommonName) == 0 {
+		return nil, errors.New("must specify a CommonName")
+	}
+	if len(cfg.Usages) == 0 {
+		return nil, errors.New("must specify at least one ExtKeyUsage")
+	}

 	certTmpl := x509.Certificate{
 		Subject: pkix.Name{
@ -98,7 +106,7 @@ func NewSignedCert(cfg Config, key *rsa.PrivateKey, caCert *x509.Certificate, ca
 		NotBefore:    caCert.NotBefore,
 		NotAfter:     time.Now().Add(duration365d).UTC(),
 		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+		ExtKeyUsage:  cfg.Usages,
 	}
 	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
 	if err != nil {
--- a/staging/src/k8s.io/client-go/pkg/util/cert/triple/triple.go
+++ b/staging/src/k8s.io/client-go/pkg/util/cert/triple/triple.go
@ -80,6 +80,7 @@ func NewServerKeyPair(ca *KeyPair, commonName, svcName, svcNamespace, dnsDomain
 	config := certutil.Config{
 		CommonName: commonName,
 		AltNames:   altNames,
+		Usages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 	}
 	cert, err := certutil.NewSignedCert(config, key, ca.Cert, ca.Key)
 	if err != nil {
@ -92,14 +93,16 @@ func NewServerKeyPair(ca *KeyPair, commonName, svcName, svcNamespace, dnsDomain
 	}, nil
 }

-func NewClientKeyPair(ca *KeyPair, commonName string) (*KeyPair, error) {
+func NewClientKeyPair(ca *KeyPair, commonName string, organizations []string) (*KeyPair, error) {
 	key, err := certutil.NewPrivateKey()
 	if err != nil {
 		return nil, fmt.Errorf("unable to create a client private key: %v", err)
 	}

 	config := certutil.Config{
-		CommonName: commonName,
+		CommonName:   commonName,
+		Organization: organizations,
+		Usages:       []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 	}
 	cert, err := certutil.NewSignedCert(config, key, ca.Cert, ca.Key)
 	if err != nil {