Vendor cfssl and cfssljson

2025-12-07 09:43:15 +00:00 · 2018-08-06 16:30:17 -07:00
parent 1c5b968152
commit 952fc9f6f8
245 changed files with 251725 additions and 4 deletions
--- a/vendor/github.com/cloudflare/cfssl/signer/remote/BUILD
+++ b/vendor/github.com/cloudflare/cfssl/signer/remote/BUILD
@@ -0,0 +1,32 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["remote.go"],
+    importmap = "k8s.io/kubernetes/vendor/github.com/cloudflare/cfssl/signer/remote",
+    importpath = "github.com/cloudflare/cfssl/signer/remote",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//vendor/github.com/cloudflare/cfssl/api/client:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/certdb:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/config:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/errors:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/helpers:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/info:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/signer:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)
--- a/vendor/github.com/cloudflare/cfssl/signer/remote/remote.go
+++ b/vendor/github.com/cloudflare/cfssl/signer/remote/remote.go
@@ -0,0 +1,133 @@
+package remote
+
+import (
+	"crypto/x509"
+	"encoding/json"
+	"errors"
+	"net/http"
+
+	"github.com/cloudflare/cfssl/api/client"
+	"github.com/cloudflare/cfssl/certdb"
+	"github.com/cloudflare/cfssl/config"
+	cferr "github.com/cloudflare/cfssl/errors"
+	"github.com/cloudflare/cfssl/helpers"
+	"github.com/cloudflare/cfssl/info"
+	"github.com/cloudflare/cfssl/signer"
+)
+
+// A Signer represents a CFSSL instance running as signing server.
+// fulfills the signer.Signer interface
+type Signer struct {
+	policy      *config.Signing
+	reqModifier func(*http.Request, []byte)
+}
+
+// NewSigner creates a new remote Signer directly from a
+// signing policy.
+func NewSigner(policy *config.Signing) (*Signer, error) {
+	if policy != nil {
+		if !policy.Valid() {
+			return nil, cferr.New(cferr.PolicyError,
+				cferr.InvalidPolicy)
+		}
+		return &Signer{policy: policy}, nil
+	}
+
+	return nil, cferr.New(cferr.PolicyError,
+		cferr.InvalidPolicy)
+}
+
+// Sign sends a signature request to the remote CFSSL server,
+// receiving a signed certificate or an error in response. The hostname,
+// csr, and profileName are used as with a local signing operation, and
+// the label is used to select a signing root in a multi-root CA.
+func (s *Signer) Sign(req signer.SignRequest) (cert []byte, err error) {
+	resp, err := s.remoteOp(req, req.Profile, "sign")
+	if err != nil {
+		return
+	}
+	if cert, ok := resp.([]byte); ok {
+		return cert, nil
+	}
+	return
+}
+
+// Info sends an info request to the remote CFSSL server, receiving an
+// Resp struct or an error in response.
+func (s *Signer) Info(req info.Req) (resp *info.Resp, err error) {
+	respInterface, err := s.remoteOp(req, req.Profile, "info")
+	if err != nil {
+		return
+	}
+	if resp, ok := respInterface.(*info.Resp); ok {
+		return resp, nil
+	}
+	return
+}
+
+// Helper function to perform a remote sign or info request.
+func (s *Signer) remoteOp(req interface{}, profile, target string) (resp interface{}, err error) {
+	jsonData, err := json.Marshal(req)
+	if err != nil {
+		return nil, cferr.Wrap(cferr.APIClientError, cferr.JSONError, err)
+	}
+
+	p, err := signer.Profile(s, profile)
+	if err != nil {
+		return
+	}
+
+	server := client.NewServerTLS(p.RemoteServer, helpers.CreateTLSConfig(p.RemoteCAs, p.ClientCert))
+	if server == nil {
+		return nil, cferr.Wrap(cferr.PolicyError, cferr.InvalidRequest,
+			errors.New("failed to connect to remote"))
+	}
+
+	server.SetReqModifier(s.reqModifier)
+
+	// There's no auth provider for the "info" method
+	if target == "info" {
+		resp, err = server.Info(jsonData)
+	} else if p.RemoteProvider != nil {
+		resp, err = server.AuthSign(jsonData, nil, p.RemoteProvider)
+	} else {
+		resp, err = server.Sign(jsonData)
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	return
+}
+
+// SigAlgo returns the RSA signer's signature algorithm.
+func (s *Signer) SigAlgo() x509.SignatureAlgorithm {
+	// TODO: implement this as a remote info call
+	return x509.UnknownSignatureAlgorithm
+}
+
+// SetPolicy sets the signer's signature policy.
+func (s *Signer) SetPolicy(policy *config.Signing) {
+	s.policy = policy
+}
+
+// SetDBAccessor sets the signers' cert db accessor, currently noop.
+func (s *Signer) SetDBAccessor(dba certdb.Accessor) {
+	// noop
+}
+
+// GetDBAccessor returns the signers' cert db accessor, currently noop.
+func (s *Signer) GetDBAccessor() certdb.Accessor {
+	return nil
+}
+
+// SetReqModifier sets the function to call to modify the HTTP request prior to sending it
+func (s *Signer) SetReqModifier(mod func(*http.Request, []byte)) {
+	s.reqModifier = mod
+}
+
+// Policy returns the signer's policy.
+func (s *Signer) Policy() *config.Signing {
+	return s.policy
+}