github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-10 12:32:03 +00:00
Code Issues Projects Releases Wiki Activity

update serial number to a valid non-zero number in ca certificate (#117791)

Browse Source 
* update serial number to a valid non-zero number in ca certificate

* fix the existing problem (0 SerialNumber in all certificate) as part of this PR in a separate commit
This commit is contained in:
Min Ni 2023-05-09 06:34:08 -07:00 committed by GitHub
parent 9e9ec8f62c
commit e865b30abd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 34 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
cmd/kubeadm/app/util/pkiutil/pki_helpers.go
View File

@ -631,10 +631,12 @@ func GeneratePrivateKey(keyType x509.PublicKeyAlgorithm) (crypto.Signer, error)
// NewSignedCert creates a signed certificate using the given CA certificate and key // NewSignedCert creates a signed certificate using the given CA certificate and key
func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, isCA bool) (*x509.Certificate, error) { func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, isCA bool) (*x509.Certificate, error) {
serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64)) // returns a uniform random value in [0, max-1), then add 1 to serial to make it a uniform random value in [1, max).
serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
if err != nil { if err != nil {
return nil, err return nil, err
} }
serial = new(big.Int).Add(serial, big.NewInt(1))
if len(cfg.CommonName) == 0 { if len(cfg.CommonName) == 0 {
return nil, errors.New("must specify a CommonName") return nil, errors.New("must specify a CommonName")
} }

27
staging/src/k8s.io/client-go/util/cert/cert.go
View File

@ -25,6 +25,7 @@ import (
"crypto/x509/pkix" "crypto/x509/pkix"
"encoding/pem" "encoding/pem"
"fmt" "fmt"
"math"
"math/big" "math/big"
"net" "net"
"os" "os"
@ -57,8 +58,14 @@ type AltNames struct {
// NewSelfSignedCACert creates a CA certificate // NewSelfSignedCACert creates a CA certificate
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) { func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
now := time.Now() now := time.Now()
// returns a uniform random value in [0, max-1), then add 1 to serial to make it a uniform random value in [1, max).
serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
if err != nil {
return nil, err
}
serial = new(big.Int).Add(serial, big.NewInt(1))
tmpl := x509.Certificate{ tmpl := x509.Certificate{
SerialNumber: new(big.Int).SetInt64(0), SerialNumber: serial,
Subject: pkix.Name{ Subject: pkix.Name{
CommonName: cfg.CommonName, CommonName: cfg.CommonName,
Organization: cfg.Organization, Organization: cfg.Organization,
@ -116,9 +123,14 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
// returns a uniform random value in [0, max-1), then add 1 to serial to make it a uniform random value in [1, max).
serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
if err != nil {
return nil, nil, err
}
serial = new(big.Int).Add(serial, big.NewInt(1))
caTemplate := x509.Certificate{ caTemplate := x509.Certificate{
SerialNumber: big.NewInt(1), SerialNumber: serial,
Subject: pkix.Name{ Subject: pkix.Name{
CommonName: fmt.Sprintf("%s-ca@%d", host, time.Now().Unix()), CommonName: fmt.Sprintf("%s-ca@%d", host, time.Now().Unix()),
}, },
@ -144,9 +156,14 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
// returns a uniform random value in [0, max-1), then add 1 to serial to make it a uniform random value in [1, max).
serial, err = cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
if err != nil {
return nil, nil, err
}
serial = new(big.Int).Add(serial, big.NewInt(1))
template := x509.Certificate{ template := x509.Certificate{
SerialNumber: big.NewInt(2), SerialNumber: serial,
Subject: pkix.Name{ Subject: pkix.Name{
CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()), CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()),
}, },

5
test/integration/apiserver/podlogs/podlogs_test.go
View File

@ -346,11 +346,12 @@ func generateClientCert(t *testing.T) testCerts {
t.Fatal(err) t.Fatal(err)
} }
serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64)) // returns a uniform random value in [0, max-1), then add 1 to serial to make it a uniform random value in [1, max).
serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
serial = new(big.Int).Add(serial, big.NewInt(1))
certTmpl := x509.Certificate{ certTmpl := x509.Certificate{
Subject: pkix.Name{ Subject: pkix.Name{
CommonName: "the-api-server-user", CommonName: "the-api-server-user",

4
test/integration/client/cert_rotation_test.go
View File

@ -183,10 +183,12 @@ func writeCerts(t *testing.T, clientSigningCert *x509.Certificate, clientSigning
t.Fatal(err) t.Fatal(err)
} }
serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64)) // returns a uniform random value in [0, max-1), then add 1 to serial to make it a uniform random value in [1, max).
serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
serial = new(big.Int).Add(serial, big.NewInt(1))
certTmpl := x509.Certificate{ certTmpl := x509.Certificate{
Subject: pkix.Name{ Subject: pkix.Name{

4
test/utils/pki_helpers.go
View File

@ -53,10 +53,12 @@ func EncodeCertPEM(cert *x509.Certificate) []byte {
// NewSignedCert creates a signed certificate using the given CA certificate and key // NewSignedCert creates a signed certificate using the given CA certificate and key
func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) { func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64)) // returns a uniform random value in [0, max-1), then add 1 to serial to make it a uniform random value in [1, max).
serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
if err != nil { if err != nil {
return nil, err return nil, err
} }
serial = new(big.Int).Add(serial, big.NewInt(1))
if len(cfg.CommonName) == 0 { if len(cfg.CommonName) == 0 {
return nil, fmt.Errorf("must specify a CommonName") return nil, fmt.Errorf("must specify a CommonName")
} }