github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 03:41:45 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #40152 from liggitt/sign-cert-org

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 40187, 40231, 40152)

Update client/server cert generation utilities

Limit generated cert usage to client or server use.
This commit is contained in:
Kubernetes Submit Queue 2017-01-20 13:29:48 -08:00 committed by GitHub
commit 0efee9a67e
4 changed files with 21 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
cmd/kubeadm/app/phases/certs/pki_helpers.go
View File

@ -51,6 +51,7 @@ func newServerKeyAndCert(caCert *x509.Certificate, caKey *rsa.PrivateKey, altNam
config := certutil.Config{ config := certutil.Config{
CommonName: "kube-apiserver", CommonName: "kube-apiserver",
AltNames: altNames, AltNames: altNames,
Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
} }
cert, err := certutil.NewSignedCert(config, key, caCert, caKey) cert, err := certutil.NewSignedCert(config, key, caCert, caKey)
if err != nil { if err != nil {
@ -65,8 +66,10 @@ func NewClientKeyAndCert(config *certutil.Config, caCert *x509.Certificate, caKe
if err != nil { if err != nil {
return nil, nil, fmt.Errorf("unable to create private key [%v]", err) return nil, nil, fmt.Errorf("unable to create private key [%v]", err)
} }
// force usage to client usage
cert, err := certutil.NewSignedCert(*config, key, caCert, caKey) configCopy := *config
configCopy.Usages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
cert, err := certutil.NewSignedCert(configCopy, key, caCert, caKey)
if err != nil { if err != nil {
return nil, nil, fmt.Errorf("unable to sign certificate [%v]", err) return nil, nil, fmt.Errorf("unable to sign certificate [%v]", err)
} }

4
federation/pkg/kubefed/init/init.go
View File

@ -334,11 +334,11 @@ func genCerts(svcNamespace, name, svcName, localDNSZoneName string, ips, hostnam
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to create federation API server key and certificate: %v", err) return nil, fmt.Errorf("failed to create federation API server key and certificate: %v", err)
} }
cm, err := triple.NewClientKeyPair(ca, ControllerManagerCN) cm, err := triple.NewClientKeyPair(ca, ControllerManagerCN, nil)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to create federation controller manager client key and certificate: %v", err) return nil, fmt.Errorf("failed to create federation controller manager client key and certificate: %v", err)
} }
admin, err := triple.NewClientKeyPair(ca, AdminCN) admin, err := triple.NewClientKeyPair(ca, AdminCN, nil)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to create client key and certificate for an admin: %v", err) return nil, fmt.Errorf("failed to create client key and certificate for an admin: %v", err)
} }

10
staging/src/k8s.io/client-go/pkg/util/cert/cert.go
View File

@ -25,6 +25,7 @@ import (
"crypto/x509" "crypto/x509"
"crypto/x509/pkix" "crypto/x509/pkix"
"encoding/pem" "encoding/pem"
"errors"
"fmt" "fmt"
"math" "math"
"math/big" "math/big"
@ -42,6 +43,7 @@ type Config struct {
CommonName string CommonName string
Organization []string Organization []string
AltNames AltNames AltNames AltNames
Usages []x509.ExtKeyUsage
} }
// AltNames contains the domain names and IP addresses that will be added // AltNames contains the domain names and IP addresses that will be added
@ -86,6 +88,12 @@ func NewSignedCert(cfg Config, key *rsa.PrivateKey, caCert *x509.Certificate, ca
if err != nil { if err != nil {
return nil, err return nil, err
} }
if len(cfg.CommonName) == 0 {
return nil, errors.New("must specify a CommonName")
}
if len(cfg.Usages) == 0 {
return nil, errors.New("must specify at least one ExtKeyUsage")
}
certTmpl := x509.Certificate{ certTmpl := x509.Certificate{
Subject: pkix.Name{ Subject: pkix.Name{
@ -98,7 +106,7 @@ func NewSignedCert(cfg Config, key *rsa.PrivateKey, caCert *x509.Certificate, ca
NotBefore: caCert.NotBefore, NotBefore: caCert.NotBefore,
NotAfter: time.Now().Add(duration365d).UTC(), NotAfter: time.Now().Add(duration365d).UTC(),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, ExtKeyUsage: cfg.Usages,
} }
certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey) certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
if err != nil { if err != nil {

7
staging/src/k8s.io/client-go/pkg/util/cert/triple/triple.go
View File

@ -80,6 +80,7 @@ func NewServerKeyPair(ca *KeyPair, commonName, svcName, svcNamespace, dnsDomain
config := certutil.Config{ config := certutil.Config{
CommonName: commonName, CommonName: commonName,
AltNames: altNames, AltNames: altNames,
Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
} }
cert, err := certutil.NewSignedCert(config, key, ca.Cert, ca.Key) cert, err := certutil.NewSignedCert(config, key, ca.Cert, ca.Key)
if err != nil { if err != nil {
@ -92,14 +93,16 @@ func NewServerKeyPair(ca *KeyPair, commonName, svcName, svcNamespace, dnsDomain
}, nil }, nil
} }
func NewClientKeyPair(ca *KeyPair, commonName string) (*KeyPair, error) { func NewClientKeyPair(ca *KeyPair, commonName string, organizations []string) (*KeyPair, error) {
key, err := certutil.NewPrivateKey() key, err := certutil.NewPrivateKey()
if err != nil { if err != nil {
return nil, fmt.Errorf("unable to create a client private key: %v", err) return nil, fmt.Errorf("unable to create a client private key: %v", err)
} }
config := certutil.Config{ config := certutil.Config{
CommonName: commonName, CommonName: commonName,
Organization: organizations,
Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
} }
cert, err := certutil.NewSignedCert(config, key, ca.Cert, ca.Key) cert, err := certutil.NewSignedCert(config, key, ca.Cert, ca.Key)
if err != nil { if err != nil {