Merge pull request #32390 from liggitt/ecdhe

Automatic merge from submit-queue

Remove duplicated ECDHE key handling

This PR removes the duplicated ECDHE private key handling. `x509.CreateCertificateRequest` already picks the signature type for ECDHE keys (see https://golang.org/src/crypto/x509/x509.go `signingParamsForPublicKey`). Only the RSA key signature needed customization.

It also defers to `CreateCertificateRequest` to return errors on unknown private key types.
This commit is contained in:
Kubernetes Submit Queue 2016-09-23 01:53:20 -07:00 committed by GitHub
commit 7144f54d78


@ -17,15 +17,12 @@ limitations under the License.
package cert package cert
import ( import (
"crypto/ecdsa"
"crypto/elliptic"
cryptorand "crypto/rand" cryptorand "crypto/rand"
"crypto/rsa" "crypto/rsa"
"crypto/x509" "crypto/x509"
"crypto/x509/pkix" "crypto/x509/pkix"
"encoding/pem" "encoding/pem"
"errors" "errors"
"fmt"
"net" "net"
"k8s.io/kubernetes/pkg/apis/certificates" "k8s.io/kubernetes/pkg/apis/certificates"
@ -47,23 +44,11 @@ func ParseCSR(obj *certificates.CertificateSigningRequest) (*x509.CertificateReq
} }
// MakeCSR generates a PEM-encoded CSR using the supplied private key, subject, and SANs. // MakeCSR generates a PEM-encoded CSR using the supplied private key, subject, and SANs.
// privateKey must be a *ecdsa.PrivateKey or *rsa.PrivateKey. // All key types that are implemented via crypto.Signer are supported (This includes *rsa.PrivateKey and *ecdsa.PrivateKey.)
func MakeCSR(privateKey interface{}, subject *pkix.Name, dnsSANs []string, ipSANs []net.IP) (csr []byte, err error) { func MakeCSR(privateKey interface{}, subject *pkix.Name, dnsSANs []string, ipSANs []net.IP) (csr []byte, err error) {
// Customize the signature for RSA keys, depending on the key size
var sigType x509.SignatureAlgorithm var sigType x509.SignatureAlgorithm
if privateKey, ok := privateKey.(*rsa.PrivateKey); ok {
switch privateKey := privateKey.(type) {
case *ecdsa.PrivateKey:
switch privateKey.Curve {
case elliptic.P224(), elliptic.P256():
sigType = x509.ECDSAWithSHA256
case elliptic.P384():
sigType = x509.ECDSAWithSHA384
case elliptic.P521():
sigType = x509.ECDSAWithSHA512
default:
return nil, fmt.Errorf("unknown elliptic curve: %v", privateKey.Curve)
}
case *rsa.PrivateKey:
keySize := privateKey.N.BitLen() keySize := privateKey.N.BitLen()
switch { switch {
case keySize >= 4096: case keySize >= 4096:
@ -73,9 +58,6 @@ func MakeCSR(privateKey interface{}, subject *pkix.Name, dnsSANs []string, ipSAN
default: default:
sigType = x509.SHA256WithRSA sigType = x509.SHA256WithRSA
} }
default:
return nil, fmt.Errorf("unsupported key type: %T", privateKey)
} }
template := &x509.CertificateRequest{ template := &x509.CertificateRequest{