github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-03 17:30:00 +00:00
Code Issues Projects Releases Wiki Activity

client-go: NewSelfSignedCACert makes Go 1.15+ compatible cert (#100324)

Browse Source 
* NewSelfSignedCACert makes Go 1.15+ compatible cert

As of Go 1.15, X.509 certificates without a SAN no longer
fall back to the CommonName of the certificate.

https://golang.org/doc/go1.15#commonname

Updating NewSelfSignedCACert to produce certificates that
work with this change.

* add missing license
This commit is contained in:
Yusuke Tsutsumi 2021-05-03 06:48:02 -07:00 committed by GitHub
parent dfc91819b7
commit a41a3ed4ae
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 47 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
staging/src/k8s.io/client-go/util/cert/cert.go
View File

@ -62,6 +62,7 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
CommonName: cfg.CommonName, CommonName: cfg.CommonName,
Organization: cfg.Organization, Organization: cfg.Organization,
}, },
DNSNames: []string{cfg.CommonName},
NotBefore: now.UTC(), NotBefore: now.UTC(),
NotAfter: now.Add(duration365d * 10).UTC(), NotAfter: now.Add(duration365d * 10).UTC(),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,

46
staging/src/k8s.io/client-go/util/cert/cert_test.go Normal file
View File

@ -0,0 +1,46 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package cert_test
import (
cryptorand "crypto/rand"
"crypto/rsa"
"testing"
"k8s.io/client-go/util/cert"
)
const COMMON_NAME = "foo.example.com"
// TestSelfSignedCertHasSAN verifies the existing of
// a SAN on the generated self-signed certificate.
// a SAN ensures that the certificate is considered
// valid by default in go 1.15 and above, which
// turns off fallback to Common Name by default.
func TestSelfSignedCertHasSAN(t *testing.T) {
key, err := rsa.GenerateKey(cryptorand.Reader, 2048)
if err != nil {
t.Fatalf("rsa key failed to generate: %v", err)
}
selfSignedCert, err := cert.NewSelfSignedCACert(cert.Config{CommonName: COMMON_NAME}, key)
if err != nil {
t.Fatalf("self signed certificate failed to generate: %v", err)
}
if len(selfSignedCert.DNSNames) == 0 {
t.Fatalf("self signed certificate has zero DNS names.")
}
}