Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
3148eb75
Unverified
Commit
3148eb75
authored
Apr 26, 2019
by
Kubernetes Prow Robot
Committed by
GitHub
Apr 26, 2019
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #76390 from rojkov/ecdsa-v2
kubeadm: add support for ECDSA keys
parents
7a9e1fb7
d125f3bd
Hide whitespace changes
Inline
Side-by-side
Showing
14 changed files
with
148 additions
and
98 deletions
+148
-98
certs_test.go
cmd/kubeadm/app/cmd/alpha/certs_test.go
+6
-4
BUILD
cmd/kubeadm/app/phases/certs/BUILD
+1
-0
certlist.go
cmd/kubeadm/app/phases/certs/certlist.go
+4
-4
certs.go
cmd/kubeadm/app/phases/certs/certs.go
+9
-9
certs_test.go
cmd/kubeadm/app/phases/certs/certs_test.go
+20
-8
certsapi.go
cmd/kubeadm/app/phases/certs/renewal/certsapi.go
+2
-2
filerenewal.go
cmd/kubeadm/app/phases/certs/renewal/filerenewal.go
+4
-4
interface.go
cmd/kubeadm/app/phases/certs/renewal/interface.go
+2
-2
renewal_test.go
cmd/kubeadm/app/phases/certs/renewal/renewal_test.go
+2
-2
kubeconfig.go
cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go
+2
-2
kubeconfig_test.go
cmd/kubeadm/app/phases/kubeconfig/kubeconfig_test.go
+2
-2
util.go
cmd/kubeadm/app/util/certs/util.go
+4
-3
pki_helpers.go
cmd/kubeadm/app/util/pkiutil/pki_helpers.go
+17
-14
pki_helpers_test.go
cmd/kubeadm/app/util/pkiutil/pki_helpers_test.go
+73
-42
No files found.
cmd/kubeadm/app/cmd/alpha/certs_test.go
View file @
3148eb75
...
@@ -209,11 +209,13 @@ func TestRunRenewCommands(t *testing.T) {
...
@@ -209,11 +209,13 @@ func TestRunRenewCommands(t *testing.T) {
t
.
Errorf
(
"couldn't verify renewed cert: %v"
,
err
)
t
.
Errorf
(
"couldn't verify renewed cert: %v"
,
err
)
}
}
pubKey
,
ok
:=
newCert
.
PublicKey
.
(
*
rsa
.
PublicKey
)
switch
pubKey
:=
newCert
.
PublicKey
.
(
type
)
{
if
!
ok
{
case
*
rsa
.
PublicKey
:
if
pubKey
.
N
.
Cmp
(
newKey
.
(
*
rsa
.
PrivateKey
)
.
N
)
!=
0
{
t
.
Error
(
"private key does not match public key"
)
}
default
:
t
.
Errorf
(
"unknown public key type %T"
,
newCert
.
PublicKey
)
t
.
Errorf
(
"unknown public key type %T"
,
newCert
.
PublicKey
)
}
else
if
pubKey
.
N
.
Cmp
(
newKey
.
N
)
!=
0
{
t
.
Error
(
"private key does not match public key"
)
}
}
}
}
...
...
cmd/kubeadm/app/phases/certs/BUILD
View file @
3148eb75
...
@@ -20,6 +20,7 @@ go_test(
...
@@ -20,6 +20,7 @@ go_test(
"//cmd/kubeadm/app/util/pkiutil:go_default_library",
"//cmd/kubeadm/app/util/pkiutil:go_default_library",
"//cmd/kubeadm/test:go_default_library",
"//cmd/kubeadm/test:go_default_library",
"//staging/src/k8s.io/client-go/util/cert:go_default_library",
"//staging/src/k8s.io/client-go/util/cert:go_default_library",
"//staging/src/k8s.io/client-go/util/keyutil:go_default_library",
"//vendor/github.com/pkg/errors:go_default_library",
"//vendor/github.com/pkg/errors:go_default_library",
"//vendor/github.com/stretchr/testify/assert:go_default_library",
"//vendor/github.com/stretchr/testify/assert:go_default_library",
],
],
...
...
cmd/kubeadm/app/phases/certs/certlist.go
View file @
3148eb75
...
@@ -17,7 +17,7 @@ limitations under the License.
...
@@ -17,7 +17,7 @@ limitations under the License.
package
certs
package
certs
import
(
import
(
"crypto
/rsa
"
"crypto"
"crypto/x509"
"crypto/x509"
"github.com/pkg/errors"
"github.com/pkg/errors"
...
@@ -54,7 +54,7 @@ func (k *KubeadmCert) GetConfig(ic *kubeadmapi.InitConfiguration) (*certutil.Con
...
@@ -54,7 +54,7 @@ func (k *KubeadmCert) GetConfig(ic *kubeadmapi.InitConfiguration) (*certutil.Con
}
}
// CreateFromCA makes and writes a certificate using the given CA cert and key.
// CreateFromCA makes and writes a certificate using the given CA cert and key.
func
(
k
*
KubeadmCert
)
CreateFromCA
(
ic
*
kubeadmapi
.
InitConfiguration
,
caCert
*
x509
.
Certificate
,
caKey
*
rsa
.
PrivateKey
)
error
{
func
(
k
*
KubeadmCert
)
CreateFromCA
(
ic
*
kubeadmapi
.
InitConfiguration
,
caCert
*
x509
.
Certificate
,
caKey
crypto
.
Signer
)
error
{
cfg
,
err
:=
k
.
GetConfig
(
ic
)
cfg
,
err
:=
k
.
GetConfig
(
ic
)
if
err
!=
nil
{
if
err
!=
nil
{
return
errors
.
Wrapf
(
err
,
"couldn't create %q certificate"
,
k
.
Name
)
return
errors
.
Wrapf
(
err
,
"couldn't create %q certificate"
,
k
.
Name
)
...
@@ -80,7 +80,7 @@ func (k *KubeadmCert) CreateFromCA(ic *kubeadmapi.InitConfiguration, caCert *x50
...
@@ -80,7 +80,7 @@ func (k *KubeadmCert) CreateFromCA(ic *kubeadmapi.InitConfiguration, caCert *x50
}
}
// CreateAsCA creates a certificate authority, writing the files to disk and also returning the created CA so it can be used to sign child certs.
// CreateAsCA creates a certificate authority, writing the files to disk and also returning the created CA so it can be used to sign child certs.
func
(
k
*
KubeadmCert
)
CreateAsCA
(
ic
*
kubeadmapi
.
InitConfiguration
)
(
*
x509
.
Certificate
,
*
rsa
.
PrivateKey
,
error
)
{
func
(
k
*
KubeadmCert
)
CreateAsCA
(
ic
*
kubeadmapi
.
InitConfiguration
)
(
*
x509
.
Certificate
,
crypto
.
Signer
,
error
)
{
cfg
,
err
:=
k
.
GetConfig
(
ic
)
cfg
,
err
:=
k
.
GetConfig
(
ic
)
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
nil
,
errors
.
Wrapf
(
err
,
"couldn't get configuration for %q CA certificate"
,
k
.
Name
)
return
nil
,
nil
,
errors
.
Wrapf
(
err
,
"couldn't get configuration for %q CA certificate"
,
k
.
Name
)
...
@@ -114,7 +114,7 @@ func (t CertificateTree) CreateTree(ic *kubeadmapi.InitConfiguration) error {
...
@@ -114,7 +114,7 @@ func (t CertificateTree) CreateTree(ic *kubeadmapi.InitConfiguration) error {
return
err
return
err
}
}
var
caKey
*
rsa
.
PrivateKey
var
caKey
crypto
.
Signer
caCert
,
err
:=
pkiutil
.
TryLoadCertFromDisk
(
ic
.
CertificatesDir
,
ca
.
BaseName
)
caCert
,
err
:=
pkiutil
.
TryLoadCertFromDisk
(
ic
.
CertificatesDir
,
ca
.
BaseName
)
if
err
==
nil
{
if
err
==
nil
{
...
...
cmd/kubeadm/app/phases/certs/certs.go
View file @
3148eb75
...
@@ -17,7 +17,7 @@ limitations under the License.
...
@@ -17,7 +17,7 @@ limitations under the License.
package
certs
package
certs
import
(
import
(
"crypto
/rsa
"
"crypto"
"crypto/x509"
"crypto/x509"
"fmt"
"fmt"
"os"
"os"
...
@@ -80,7 +80,7 @@ func CreateServiceAccountKeyAndPublicKeyFiles(certsDir string) error {
...
@@ -80,7 +80,7 @@ func CreateServiceAccountKeyAndPublicKeyFiles(certsDir string) error {
}
}
// NewServiceAccountSigningKey generate public/private key pairs for signing service account tokens.
// NewServiceAccountSigningKey generate public/private key pairs for signing service account tokens.
func
NewServiceAccountSigningKey
()
(
*
rsa
.
PrivateKey
,
error
)
{
func
NewServiceAccountSigningKey
()
(
crypto
.
Signer
,
error
)
{
// The key does NOT exist, let's generate it now
// The key does NOT exist, let's generate it now
saSigningKey
,
err
:=
pkiutil
.
NewPrivateKey
()
saSigningKey
,
err
:=
pkiutil
.
NewPrivateKey
()
if
err
!=
nil
{
if
err
!=
nil
{
...
@@ -117,7 +117,7 @@ func CreateCACertAndKeyFiles(certSpec *KubeadmCert, cfg *kubeadmapi.InitConfigur
...
@@ -117,7 +117,7 @@ func CreateCACertAndKeyFiles(certSpec *KubeadmCert, cfg *kubeadmapi.InitConfigur
}
}
// NewCSR will generate a new CSR and accompanying key
// NewCSR will generate a new CSR and accompanying key
func
NewCSR
(
certSpec
*
KubeadmCert
,
cfg
*
kubeadmapi
.
InitConfiguration
)
(
*
x509
.
CertificateRequest
,
*
rsa
.
PrivateKey
,
error
)
{
func
NewCSR
(
certSpec
*
KubeadmCert
,
cfg
*
kubeadmapi
.
InitConfiguration
)
(
*
x509
.
CertificateRequest
,
crypto
.
Signer
,
error
)
{
certConfig
,
err
:=
certSpec
.
GetConfig
(
cfg
)
certConfig
,
err
:=
certSpec
.
GetConfig
(
cfg
)
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
nil
,
errors
.
Wrap
(
err
,
"failed to retrieve cert configuration"
)
return
nil
,
nil
,
errors
.
Wrap
(
err
,
"failed to retrieve cert configuration"
)
...
@@ -151,7 +151,7 @@ func CreateCertAndKeyFilesWithCA(certSpec *KubeadmCert, caCertSpec *KubeadmCert,
...
@@ -151,7 +151,7 @@ func CreateCertAndKeyFilesWithCA(certSpec *KubeadmCert, caCertSpec *KubeadmCert,
}
}
// LoadCertificateAuthority tries to load a CA in the given directory with the given name.
// LoadCertificateAuthority tries to load a CA in the given directory with the given name.
func
LoadCertificateAuthority
(
pkiDir
string
,
baseName
string
)
(
*
x509
.
Certificate
,
*
rsa
.
PrivateKey
,
error
)
{
func
LoadCertificateAuthority
(
pkiDir
string
,
baseName
string
)
(
*
x509
.
Certificate
,
crypto
.
Signer
,
error
)
{
// Checks if certificate authority exists in the PKI directory
// Checks if certificate authority exists in the PKI directory
if
!
pkiutil
.
CertOrKeyExist
(
pkiDir
,
baseName
)
{
if
!
pkiutil
.
CertOrKeyExist
(
pkiDir
,
baseName
)
{
return
nil
,
nil
,
errors
.
Errorf
(
"couldn't load %s certificate authority from %s"
,
baseName
,
pkiDir
)
return
nil
,
nil
,
errors
.
Errorf
(
"couldn't load %s certificate authority from %s"
,
baseName
,
pkiDir
)
...
@@ -175,7 +175,7 @@ func LoadCertificateAuthority(pkiDir string, baseName string) (*x509.Certificate
...
@@ -175,7 +175,7 @@ func LoadCertificateAuthority(pkiDir string, baseName string) (*x509.Certificate
// If there already is a certificate file at the given path; kubeadm tries to load it and check if the values in the
// If there already is a certificate file at the given path; kubeadm tries to load it and check if the values in the
// existing and the expected certificate equals. If they do; kubeadm will just skip writing the file as it's up-to-date,
// existing and the expected certificate equals. If they do; kubeadm will just skip writing the file as it's up-to-date,
// otherwise this function returns an error.
// otherwise this function returns an error.
func
writeCertificateAuthorithyFilesIfNotExist
(
pkiDir
string
,
baseName
string
,
caCert
*
x509
.
Certificate
,
caKey
*
rsa
.
PrivateKey
)
error
{
func
writeCertificateAuthorithyFilesIfNotExist
(
pkiDir
string
,
baseName
string
,
caCert
*
x509
.
Certificate
,
caKey
crypto
.
Signer
)
error
{
// If cert or key exists, we should try to load them
// If cert or key exists, we should try to load them
if
pkiutil
.
CertOrKeyExist
(
pkiDir
,
baseName
)
{
if
pkiutil
.
CertOrKeyExist
(
pkiDir
,
baseName
)
{
...
@@ -210,7 +210,7 @@ func writeCertificateAuthorithyFilesIfNotExist(pkiDir string, baseName string, c
...
@@ -210,7 +210,7 @@ func writeCertificateAuthorithyFilesIfNotExist(pkiDir string, baseName string, c
// If there already is a certificate file at the given path; kubeadm tries to load it and check if the values in the
// If there already is a certificate file at the given path; kubeadm tries to load it and check if the values in the
// existing and the expected certificate equals. If they do; kubeadm will just skip writing the file as it's up-to-date,
// existing and the expected certificate equals. If they do; kubeadm will just skip writing the file as it's up-to-date,
// otherwise this function returns an error.
// otherwise this function returns an error.
func
writeCertificateFilesIfNotExist
(
pkiDir
string
,
baseName
string
,
signingCert
*
x509
.
Certificate
,
cert
*
x509
.
Certificate
,
key
*
rsa
.
PrivateKey
,
cfg
*
certutil
.
Config
)
error
{
func
writeCertificateFilesIfNotExist
(
pkiDir
string
,
baseName
string
,
signingCert
*
x509
.
Certificate
,
cert
*
x509
.
Certificate
,
key
crypto
.
Signer
,
cfg
*
certutil
.
Config
)
error
{
// Checks if the signed certificate exists in the PKI directory
// Checks if the signed certificate exists in the PKI directory
if
pkiutil
.
CertOrKeyExist
(
pkiDir
,
baseName
)
{
if
pkiutil
.
CertOrKeyExist
(
pkiDir
,
baseName
)
{
...
@@ -250,7 +250,7 @@ func writeCertificateFilesIfNotExist(pkiDir string, baseName string, signingCert
...
@@ -250,7 +250,7 @@ func writeCertificateFilesIfNotExist(pkiDir string, baseName string, signingCert
// If there already is a key file at the given path; kubeadm tries to load it and check if the values in the
// If there already is a key file at the given path; kubeadm tries to load it and check if the values in the
// existing and the expected key equals. If they do; kubeadm will just skip writing the file as it's up-to-date,
// existing and the expected key equals. If they do; kubeadm will just skip writing the file as it's up-to-date,
// otherwise this function returns an error.
// otherwise this function returns an error.
func
writeKeyFilesIfNotExist
(
pkiDir
string
,
baseName
string
,
key
*
rsa
.
PrivateKey
)
error
{
func
writeKeyFilesIfNotExist
(
pkiDir
string
,
baseName
string
,
key
crypto
.
Signer
)
error
{
// Checks if the key exists in the PKI directory
// Checks if the key exists in the PKI directory
if
pkiutil
.
CertOrKeyExist
(
pkiDir
,
baseName
)
{
if
pkiutil
.
CertOrKeyExist
(
pkiDir
,
baseName
)
{
...
@@ -274,7 +274,7 @@ func writeKeyFilesIfNotExist(pkiDir string, baseName string, key *rsa.PrivateKey
...
@@ -274,7 +274,7 @@ func writeKeyFilesIfNotExist(pkiDir string, baseName string, key *rsa.PrivateKey
return
errors
.
Wrapf
(
err
,
"failure while saving %s key"
,
baseName
)
return
errors
.
Wrapf
(
err
,
"failure while saving %s key"
,
baseName
)
}
}
if
err
:=
pkiutil
.
WritePublicKey
(
pkiDir
,
baseName
,
&
key
.
PublicKey
);
err
!=
nil
{
if
err
:=
pkiutil
.
WritePublicKey
(
pkiDir
,
baseName
,
key
.
Public
()
);
err
!=
nil
{
return
errors
.
Wrapf
(
err
,
"failure while saving %s public key"
,
baseName
)
return
errors
.
Wrapf
(
err
,
"failure while saving %s public key"
,
baseName
)
}
}
}
}
...
@@ -285,7 +285,7 @@ func writeKeyFilesIfNotExist(pkiDir string, baseName string, key *rsa.PrivateKey
...
@@ -285,7 +285,7 @@ func writeKeyFilesIfNotExist(pkiDir string, baseName string, key *rsa.PrivateKey
// writeCSRFilesIfNotExist writes a new CSR to the given path.
// writeCSRFilesIfNotExist writes a new CSR to the given path.
// If there already is a CSR file at the given path; kubeadm tries to load it and check if it's a valid certificate.
// If there already is a CSR file at the given path; kubeadm tries to load it and check if it's a valid certificate.
// otherwise this function returns an error.
// otherwise this function returns an error.
func
writeCSRFilesIfNotExist
(
csrDir
string
,
baseName
string
,
csr
*
x509
.
CertificateRequest
,
key
*
rsa
.
PrivateKey
)
error
{
func
writeCSRFilesIfNotExist
(
csrDir
string
,
baseName
string
,
csr
*
x509
.
CertificateRequest
,
key
crypto
.
Signer
)
error
{
if
pkiutil
.
CSROrKeyExist
(
csrDir
,
baseName
)
{
if
pkiutil
.
CSROrKeyExist
(
csrDir
,
baseName
)
{
_
,
_
,
err
:=
pkiutil
.
TryLoadCSRAndKeyFromDisk
(
csrDir
,
baseName
)
_
,
_
,
err
:=
pkiutil
.
TryLoadCSRAndKeyFromDisk
(
csrDir
,
baseName
)
if
err
!=
nil
{
if
err
!=
nil
{
...
...
cmd/kubeadm/app/phases/certs/certs_test.go
View file @
3148eb75
...
@@ -17,7 +17,8 @@ limitations under the License.
...
@@ -17,7 +17,8 @@ limitations under the License.
package
certs
package
certs
import
(
import
(
"crypto/rsa"
"bytes"
"crypto"
"crypto/sha256"
"crypto/sha256"
"crypto/x509"
"crypto/x509"
"io/ioutil"
"io/ioutil"
...
@@ -31,6 +32,7 @@ import (
...
@@ -31,6 +32,7 @@ import (
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/assert"
certutil
"k8s.io/client-go/util/cert"
certutil
"k8s.io/client-go/util/cert"
"k8s.io/client-go/util/keyutil"
kubeadmapi
"k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
kubeadmapi
"k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
kubeadmconstants
"k8s.io/kubernetes/cmd/kubeadm/app/constants"
kubeadmconstants
"k8s.io/kubernetes/cmd/kubeadm/app/constants"
certstestutil
"k8s.io/kubernetes/cmd/kubeadm/app/util/certs"
certstestutil
"k8s.io/kubernetes/cmd/kubeadm/app/util/certs"
...
@@ -38,7 +40,7 @@ import (
...
@@ -38,7 +40,7 @@ import (
testutil
"k8s.io/kubernetes/cmd/kubeadm/test"
testutil
"k8s.io/kubernetes/cmd/kubeadm/test"
)
)
func
createTestCSR
(
t
*
testing
.
T
)
(
*
x509
.
CertificateRequest
,
*
rsa
.
PrivateKey
)
{
func
createTestCSR
(
t
*
testing
.
T
)
(
*
x509
.
CertificateRequest
,
crypto
.
Signer
)
{
csr
,
key
,
err
:=
pkiutil
.
NewCSRAndKey
(
csr
,
key
,
err
:=
pkiutil
.
NewCSRAndKey
(
&
certutil
.
Config
{
&
certutil
.
Config
{
CommonName
:
"testCert"
,
CommonName
:
"testCert"
,
...
@@ -307,7 +309,7 @@ func TestWriteKeyFilesIfNotExist(t *testing.T) {
...
@@ -307,7 +309,7 @@ func TestWriteKeyFilesIfNotExist(t *testing.T) {
var
tests
=
[]
struct
{
var
tests
=
[]
struct
{
setupFunc
func
(
pkiDir
string
)
error
setupFunc
func
(
pkiDir
string
)
error
expectedError
bool
expectedError
bool
expectedKey
*
rsa
.
PrivateKey
expectedKey
crypto
.
Signer
}{
}{
{
// key does not exists > key written
{
// key does not exists > key written
expectedKey
:
key
,
expectedKey
:
key
,
...
@@ -349,7 +351,7 @@ func TestWriteKeyFilesIfNotExist(t *testing.T) {
...
@@ -349,7 +351,7 @@ func TestWriteKeyFilesIfNotExist(t *testing.T) {
}
else
if
test
.
expectedError
&&
err
==
nil
{
}
else
if
test
.
expectedError
&&
err
==
nil
{
t
.
Error
(
"error writeKeyFilesIfNotExist didn't failed when expected"
)
t
.
Error
(
"error writeKeyFilesIfNotExist didn't failed when expected"
)
continue
continue
}
else
if
test
.
expectedError
{
}
else
if
test
.
expectedError
||
test
.
expectedKey
==
nil
{
continue
continue
}
}
...
@@ -363,8 +365,18 @@ func TestWriteKeyFilesIfNotExist(t *testing.T) {
...
@@ -363,8 +365,18 @@ func TestWriteKeyFilesIfNotExist(t *testing.T) {
continue
continue
}
}
//TODO: check if there is a better method to compare keys
resultingKeyPEM
,
err
:=
keyutil
.
MarshalPrivateKeyToPEM
(
resultingKey
)
if
resultingKey
.
D
==
test
.
expectedKey
.
D
{
if
err
!=
nil
{
t
.
Errorf
(
"failure marshaling created key: %v"
,
err
)
continue
}
expectedKeyPEM
,
err
:=
keyutil
.
MarshalPrivateKeyToPEM
(
test
.
expectedKey
)
if
err
!=
nil
{
t
.
Fatalf
(
"Failed to marshal expected private key: %v"
,
err
)
}
if
bytes
.
Compare
(
resultingKeyPEM
,
expectedKeyPEM
)
!=
0
{
t
.
Error
(
"created key does not match expected key"
)
t
.
Error
(
"created key does not match expected key"
)
}
}
}
}
...
@@ -373,7 +385,7 @@ func TestWriteKeyFilesIfNotExist(t *testing.T) {
...
@@ -373,7 +385,7 @@ func TestWriteKeyFilesIfNotExist(t *testing.T) {
func
TestSharedCertificateExists
(
t
*
testing
.
T
)
{
func
TestSharedCertificateExists
(
t
*
testing
.
T
)
{
caCert
,
caKey
:=
certstestutil
.
CreateCACert
(
t
)
caCert
,
caKey
:=
certstestutil
.
CreateCACert
(
t
)
_
,
key
,
_
:=
certstestutil
.
CreateTestCert
(
t
,
caCert
,
caKey
,
certutil
.
AltNames
{})
_
,
key
,
_
:=
certstestutil
.
CreateTestCert
(
t
,
caCert
,
caKey
,
certutil
.
AltNames
{})
publicKey
:=
&
key
.
PublicKey
publicKey
:=
key
.
Public
()
var
tests
=
[]
struct
{
var
tests
=
[]
struct
{
name
string
name
string
...
@@ -664,7 +676,7 @@ func TestValidateMethods(t *testing.T) {
...
@@ -664,7 +676,7 @@ func TestValidateMethods(t *testing.T) {
{
{
name
:
"validatePrivatePublicKey"
,
name
:
"validatePrivatePublicKey"
,
files
:
certstestutil
.
PKIFiles
{
files
:
certstestutil
.
PKIFiles
{
"sa.pub"
:
&
key
.
PublicKey
,
"sa.pub"
:
key
.
Public
()
,
"sa.key"
:
key
,
"sa.key"
:
key
,
},
},
validateFunc
:
validatePrivatePublicKey
,
validateFunc
:
validatePrivatePublicKey
,
...
...
cmd/kubeadm/app/phases/certs/renewal/certsapi.go
View file @
3148eb75
...
@@ -17,7 +17,7 @@ limitations under the License.
...
@@ -17,7 +17,7 @@ limitations under the License.
package
renewal
package
renewal
import
(
import
(
"crypto
/rsa
"
"crypto"
"crypto/x509"
"crypto/x509"
"crypto/x509/pkix"
"crypto/x509/pkix"
"fmt"
"fmt"
...
@@ -51,7 +51,7 @@ func NewCertsAPIRenawal(client kubernetes.Interface) Interface {
...
@@ -51,7 +51,7 @@ func NewCertsAPIRenawal(client kubernetes.Interface) Interface {
}
}
// Renew takes a certificate using the cert and key.
// Renew takes a certificate using the cert and key.
func
(
r
*
CertsAPIRenewal
)
Renew
(
cfg
*
certutil
.
Config
)
(
*
x509
.
Certificate
,
*
rsa
.
PrivateKey
,
error
)
{
func
(
r
*
CertsAPIRenewal
)
Renew
(
cfg
*
certutil
.
Config
)
(
*
x509
.
Certificate
,
crypto
.
Signer
,
error
)
{
reqTmp
:=
&
x509
.
CertificateRequest
{
reqTmp
:=
&
x509
.
CertificateRequest
{
Subject
:
pkix
.
Name
{
Subject
:
pkix
.
Name
{
CommonName
:
cfg
.
CommonName
,
CommonName
:
cfg
.
CommonName
,
...
...
cmd/kubeadm/app/phases/certs/renewal/filerenewal.go
View file @
3148eb75
...
@@ -17,7 +17,7 @@ limitations under the License.
...
@@ -17,7 +17,7 @@ limitations under the License.
package
renewal
package
renewal
import
(
import
(
"crypto
/rsa
"
"crypto"
"crypto/x509"
"crypto/x509"
certutil
"k8s.io/client-go/util/cert"
certutil
"k8s.io/client-go/util/cert"
...
@@ -27,11 +27,11 @@ import (
...
@@ -27,11 +27,11 @@ import (
// FileRenewal renews a certificate using local certs
// FileRenewal renews a certificate using local certs
type
FileRenewal
struct
{
type
FileRenewal
struct
{
caCert
*
x509
.
Certificate
caCert
*
x509
.
Certificate
caKey
*
rsa
.
PrivateKey
caKey
crypto
.
Signer
}
}
// NewFileRenewal takes a certificate pair to construct the Interface.
// NewFileRenewal takes a certificate pair to construct the Interface.
func
NewFileRenewal
(
caCert
*
x509
.
Certificate
,
caKey
*
rsa
.
PrivateKey
)
Interface
{
func
NewFileRenewal
(
caCert
*
x509
.
Certificate
,
caKey
crypto
.
Signer
)
Interface
{
return
&
FileRenewal
{
return
&
FileRenewal
{
caCert
:
caCert
,
caCert
:
caCert
,
caKey
:
caKey
,
caKey
:
caKey
,
...
@@ -39,6 +39,6 @@ func NewFileRenewal(caCert *x509.Certificate, caKey *rsa.PrivateKey) Interface {
...
@@ -39,6 +39,6 @@ func NewFileRenewal(caCert *x509.Certificate, caKey *rsa.PrivateKey) Interface {
}
}
// Renew takes a certificate using the cert and key
// Renew takes a certificate using the cert and key
func
(
r
*
FileRenewal
)
Renew
(
cfg
*
certutil
.
Config
)
(
*
x509
.
Certificate
,
*
rsa
.
PrivateKey
,
error
)
{
func
(
r
*
FileRenewal
)
Renew
(
cfg
*
certutil
.
Config
)
(
*
x509
.
Certificate
,
crypto
.
Signer
,
error
)
{
return
pkiutil
.
NewCertAndKey
(
r
.
caCert
,
r
.
caKey
,
cfg
)
return
pkiutil
.
NewCertAndKey
(
r
.
caCert
,
r
.
caKey
,
cfg
)
}
}
cmd/kubeadm/app/phases/certs/renewal/interface.go
View file @
3148eb75
...
@@ -17,7 +17,7 @@ limitations under the License.
...
@@ -17,7 +17,7 @@ limitations under the License.
package
renewal
package
renewal
import
(
import
(
"crypto
/rsa
"
"crypto"
"crypto/x509"
"crypto/x509"
certutil
"k8s.io/client-go/util/cert"
certutil
"k8s.io/client-go/util/cert"
...
@@ -25,5 +25,5 @@ import (
...
@@ -25,5 +25,5 @@ import (
// Interface represents a standard way to renew a certificate.
// Interface represents a standard way to renew a certificate.
type
Interface
interface
{
type
Interface
interface
{
Renew
(
*
certutil
.
Config
)
(
*
x509
.
Certificate
,
*
rsa
.
PrivateKey
,
error
)
Renew
(
*
certutil
.
Config
)
(
*
x509
.
Certificate
,
crypto
.
Signer
,
error
)
}
}
cmd/kubeadm/app/phases/certs/renewal/renewal_test.go
View file @
3148eb75
...
@@ -17,7 +17,7 @@ limitations under the License.
...
@@ -17,7 +17,7 @@ limitations under the License.
package
renewal
package
renewal
import
(
import
(
"crypto
/rsa
"
"crypto"
"crypto/x509"
"crypto/x509"
"crypto/x509/pkix"
"crypto/x509/pkix"
"net"
"net"
...
@@ -113,7 +113,7 @@ func defaultReactionFunc(obj runtime.Object) k8stesting.ReactionFunc {
...
@@ -113,7 +113,7 @@ func defaultReactionFunc(obj runtime.Object) k8stesting.ReactionFunc {
}
}
}
}
func
getCertReq
(
t
*
testing
.
T
,
caCert
*
x509
.
Certificate
,
caKey
*
rsa
.
PrivateKey
)
*
certsapi
.
CertificateSigningRequest
{
func
getCertReq
(
t
*
testing
.
T
,
caCert
*
x509
.
Certificate
,
caKey
crypto
.
Signer
)
*
certsapi
.
CertificateSigningRequest
{
cert
,
_
,
err
:=
pkiutil
.
NewCertAndKey
(
caCert
,
caKey
,
&
certutil
.
Config
{
cert
,
_
,
err
:=
pkiutil
.
NewCertAndKey
(
caCert
,
caKey
,
&
certutil
.
Config
{
CommonName
:
"testcert"
,
CommonName
:
"testcert"
,
AltNames
:
certutil
.
AltNames
{
AltNames
:
certutil
.
AltNames
{
...
...
cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go
View file @
3148eb75
...
@@ -18,7 +18,7 @@ package kubeconfig
...
@@ -18,7 +18,7 @@ package kubeconfig
import
(
import
(
"bytes"
"bytes"
"crypto
/rsa
"
"crypto"
"crypto/x509"
"crypto/x509"
"fmt"
"fmt"
"io"
"io"
...
@@ -41,7 +41,7 @@ import (
...
@@ -41,7 +41,7 @@ import (
// clientCertAuth struct holds info required to build a client certificate to provide authentication info in a kubeconfig object
// clientCertAuth struct holds info required to build a client certificate to provide authentication info in a kubeconfig object
type
clientCertAuth
struct
{
type
clientCertAuth
struct
{
CAKey
*
rsa
.
PrivateKey
CAKey
crypto
.
Signer
Organizations
[]
string
Organizations
[]
string
}
}
...
...
cmd/kubeadm/app/phases/kubeconfig/kubeconfig_test.go
View file @
3148eb75
...
@@ -18,7 +18,7 @@ package kubeconfig
...
@@ -18,7 +18,7 @@ package kubeconfig
import
(
import
(
"bytes"
"bytes"
"crypto
/rsa
"
"crypto"
"crypto/x509"
"crypto/x509"
"fmt"
"fmt"
"io"
"io"
...
@@ -621,7 +621,7 @@ func TestValidateKubeconfigsForExternalCA(t *testing.T) {
...
@@ -621,7 +621,7 @@ func TestValidateKubeconfigsForExternalCA(t *testing.T) {
}
}
// setupdKubeConfigWithClientAuth is a test utility function that wraps buildKubeConfigFromSpec for building a KubeConfig object With ClientAuth
// setupdKubeConfigWithClientAuth is a test utility function that wraps buildKubeConfigFromSpec for building a KubeConfig object With ClientAuth
func
setupdKubeConfigWithClientAuth
(
t
*
testing
.
T
,
caCert
*
x509
.
Certificate
,
caKey
*
rsa
.
PrivateKey
,
APIServer
,
clientName
,
clustername
string
,
organizations
...
string
)
*
clientcmdapi
.
Config
{
func
setupdKubeConfigWithClientAuth
(
t
*
testing
.
T
,
caCert
*
x509
.
Certificate
,
caKey
crypto
.
Signer
,
APIServer
,
clientName
,
clustername
string
,
organizations
...
string
)
*
clientcmdapi
.
Config
{
spec
:=
&
kubeConfigSpec
{
spec
:=
&
kubeConfigSpec
{
CACert
:
caCert
,
CACert
:
caCert
,
APIServer
:
APIServer
,
APIServer
:
APIServer
,
...
...
cmd/kubeadm/app/util/certs/util.go
View file @
3148eb75
...
@@ -17,6 +17,7 @@ limitations under the License.
...
@@ -17,6 +17,7 @@ limitations under the License.
package
certs
package
certs
import
(
import
(
"crypto"
"crypto/rsa"
"crypto/rsa"
"crypto/x509"
"crypto/x509"
"net"
"net"
...
@@ -30,7 +31,7 @@ import (
...
@@ -30,7 +31,7 @@ import (
// SetupCertificateAuthorithy is a utility function for kubeadm testing that creates a
// SetupCertificateAuthorithy is a utility function for kubeadm testing that creates a
// CertificateAuthorithy cert/key pair
// CertificateAuthorithy cert/key pair
func
SetupCertificateAuthorithy
(
t
*
testing
.
T
)
(
*
x509
.
Certificate
,
*
rsa
.
PrivateKey
)
{
func
SetupCertificateAuthorithy
(
t
*
testing
.
T
)
(
*
x509
.
Certificate
,
crypto
.
Signer
)
{
caCert
,
caKey
,
err
:=
pkiutil
.
NewCertificateAuthority
(
&
certutil
.
Config
{
CommonName
:
"kubernetes"
})
caCert
,
caKey
,
err
:=
pkiutil
.
NewCertificateAuthority
(
&
certutil
.
Config
{
CommonName
:
"kubernetes"
})
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Fatalf
(
"failure while generating CA certificate and key: %v"
,
err
)
t
.
Fatalf
(
"failure while generating CA certificate and key: %v"
,
err
)
...
@@ -130,7 +131,7 @@ func AssertCertificateHasIPAddresses(t *testing.T, cert *x509.Certificate, IPAdd
...
@@ -130,7 +131,7 @@ func AssertCertificateHasIPAddresses(t *testing.T, cert *x509.Certificate, IPAdd
}
}
// CreateCACert creates a generic CA cert.
// CreateCACert creates a generic CA cert.
func
CreateCACert
(
t
*
testing
.
T
)
(
*
x509
.
Certificate
,
*
rsa
.
PrivateKey
)
{
func
CreateCACert
(
t
*
testing
.
T
)
(
*
x509
.
Certificate
,
crypto
.
Signer
)
{
certCfg
:=
&
certutil
.
Config
{
CommonName
:
"kubernetes"
}
certCfg
:=
&
certutil
.
Config
{
CommonName
:
"kubernetes"
}
cert
,
key
,
err
:=
pkiutil
.
NewCertificateAuthority
(
certCfg
)
cert
,
key
,
err
:=
pkiutil
.
NewCertificateAuthority
(
certCfg
)
if
err
!=
nil
{
if
err
!=
nil
{
...
@@ -140,7 +141,7 @@ func CreateCACert(t *testing.T) (*x509.Certificate, *rsa.PrivateKey) {
...
@@ -140,7 +141,7 @@ func CreateCACert(t *testing.T) (*x509.Certificate, *rsa.PrivateKey) {
}
}
// CreateTestCert makes a generic certificate with the given CA and alternative names.
// CreateTestCert makes a generic certificate with the given CA and alternative names.
func
CreateTestCert
(
t
*
testing
.
T
,
caCert
*
x509
.
Certificate
,
caKey
*
rsa
.
PrivateKey
,
altNames
certutil
.
AltNames
)
(
*
x509
.
Certificate
,
*
rsa
.
PrivateKey
,
*
certutil
.
Config
)
{
func
CreateTestCert
(
t
*
testing
.
T
,
caCert
*
x509
.
Certificate
,
caKey
crypto
.
Signer
,
altNames
certutil
.
AltNames
)
(
*
x509
.
Certificate
,
crypto
.
Signer
,
*
certutil
.
Config
)
{
config
:=
&
certutil
.
Config
{
config
:=
&
certutil
.
Config
{
CommonName
:
"testCert"
,
CommonName
:
"testCert"
,
Usages
:
[]
x509
.
ExtKeyUsage
{
x509
.
ExtKeyUsageAny
},
Usages
:
[]
x509
.
ExtKeyUsage
{
x509
.
ExtKeyUsageAny
},
...
...
cmd/kubeadm/app/util/pkiutil/pki_helpers.go
View file @
3148eb75
...
@@ -18,6 +18,7 @@ package pkiutil
...
@@ -18,6 +18,7 @@ package pkiutil
import
(
import
(
"crypto"
"crypto"
"crypto/ecdsa"
"crypto/rand"
"crypto/rand"
cryptorand
"crypto/rand"
cryptorand
"crypto/rand"
"crypto/rsa"
"crypto/rsa"
...
@@ -58,7 +59,7 @@ const (
...
@@ -58,7 +59,7 @@ const (
)
)
// NewCertificateAuthority creates new certificate and private key for the certificate authority
// NewCertificateAuthority creates new certificate and private key for the certificate authority
func
NewCertificateAuthority
(
config
*
certutil
.
Config
)
(
*
x509
.
Certificate
,
*
rsa
.
PrivateKey
,
error
)
{
func
NewCertificateAuthority
(
config
*
certutil
.
Config
)
(
*
x509
.
Certificate
,
crypto
.
Signer
,
error
)
{
key
,
err
:=
NewPrivateKey
()
key
,
err
:=
NewPrivateKey
()
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
nil
,
errors
.
Wrap
(
err
,
"unable to create private key while generating CA certificate"
)
return
nil
,
nil
,
errors
.
Wrap
(
err
,
"unable to create private key while generating CA certificate"
)
...
@@ -73,7 +74,7 @@ func NewCertificateAuthority(config *certutil.Config) (*x509.Certificate, *rsa.P
...
@@ -73,7 +74,7 @@ func NewCertificateAuthority(config *certutil.Config) (*x509.Certificate, *rsa.P
}
}
// NewCertAndKey creates new certificate and key by passing the certificate authority certificate and key
// NewCertAndKey creates new certificate and key by passing the certificate authority certificate and key
func
NewCertAndKey
(
caCert
*
x509
.
Certificate
,
caKey
*
rsa
.
PrivateKey
,
config
*
certutil
.
Config
)
(
*
x509
.
Certificate
,
*
rsa
.
PrivateKey
,
error
)
{
func
NewCertAndKey
(
caCert
*
x509
.
Certificate
,
caKey
crypto
.
Signer
,
config
*
certutil
.
Config
)
(
*
x509
.
Certificate
,
crypto
.
Signer
,
error
)
{
key
,
err
:=
NewPrivateKey
()
key
,
err
:=
NewPrivateKey
()
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
nil
,
errors
.
Wrap
(
err
,
"unable to create private key"
)
return
nil
,
nil
,
errors
.
Wrap
(
err
,
"unable to create private key"
)
...
@@ -88,7 +89,7 @@ func NewCertAndKey(caCert *x509.Certificate, caKey *rsa.PrivateKey, config *cert
...
@@ -88,7 +89,7 @@ func NewCertAndKey(caCert *x509.Certificate, caKey *rsa.PrivateKey, config *cert
}
}
// NewCSRAndKey generates a new key and CSR and that could be signed to create the given certificate
// NewCSRAndKey generates a new key and CSR and that could be signed to create the given certificate
func
NewCSRAndKey
(
config
*
certutil
.
Config
)
(
*
x509
.
CertificateRequest
,
*
rsa
.
PrivateKey
,
error
)
{
func
NewCSRAndKey
(
config
*
certutil
.
Config
)
(
*
x509
.
CertificateRequest
,
crypto
.
Signer
,
error
)
{
key
,
err
:=
NewPrivateKey
()
key
,
err
:=
NewPrivateKey
()
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
nil
,
errors
.
Wrap
(
err
,
"unable to create private key"
)
return
nil
,
nil
,
errors
.
Wrap
(
err
,
"unable to create private key"
)
...
@@ -113,7 +114,7 @@ func HasServerAuth(cert *x509.Certificate) bool {
...
@@ -113,7 +114,7 @@ func HasServerAuth(cert *x509.Certificate) bool {
}
}
// WriteCertAndKey stores certificate and key at the specified location
// WriteCertAndKey stores certificate and key at the specified location
func
WriteCertAndKey
(
pkiPath
string
,
name
string
,
cert
*
x509
.
Certificate
,
key
*
rsa
.
PrivateKey
)
error
{
func
WriteCertAndKey
(
pkiPath
string
,
name
string
,
cert
*
x509
.
Certificate
,
key
crypto
.
Signer
)
error
{
if
err
:=
WriteKey
(
pkiPath
,
name
,
key
);
err
!=
nil
{
if
err
:=
WriteKey
(
pkiPath
,
name
,
key
);
err
!=
nil
{
return
errors
.
Wrap
(
err
,
"couldn't write key"
)
return
errors
.
Wrap
(
err
,
"couldn't write key"
)
}
}
...
@@ -136,7 +137,7 @@ func WriteCert(pkiPath, name string, cert *x509.Certificate) error {
...
@@ -136,7 +137,7 @@ func WriteCert(pkiPath, name string, cert *x509.Certificate) error {
}
}
// WriteKey stores the given key at the given location
// WriteKey stores the given key at the given location
func
WriteKey
(
pkiPath
,
name
string
,
key
*
rsa
.
PrivateKey
)
error
{
func
WriteKey
(
pkiPath
,
name
string
,
key
crypto
.
Signer
)
error
{
if
key
==
nil
{
if
key
==
nil
{
return
errors
.
New
(
"private key cannot be nil when writing to file"
)
return
errors
.
New
(
"private key cannot be nil when writing to file"
)
}
}
...
@@ -175,7 +176,7 @@ func WriteCSR(csrDir, name string, csr *x509.CertificateRequest) error {
...
@@ -175,7 +176,7 @@ func WriteCSR(csrDir, name string, csr *x509.CertificateRequest) error {
}
}
// WritePublicKey stores the given public key at the given location
// WritePublicKey stores the given public key at the given location
func
WritePublicKey
(
pkiPath
,
name
string
,
key
*
rsa
.
PublicKey
)
error
{
func
WritePublicKey
(
pkiPath
,
name
string
,
key
crypto
.
PublicKey
)
error
{
if
key
==
nil
{
if
key
==
nil
{
return
errors
.
New
(
"public key cannot be nil when writing to file"
)
return
errors
.
New
(
"public key cannot be nil when writing to file"
)
}
}
...
@@ -219,7 +220,7 @@ func CSROrKeyExist(csrDir, name string) bool {
...
@@ -219,7 +220,7 @@ func CSROrKeyExist(csrDir, name string) bool {
}
}
// TryLoadCertAndKeyFromDisk tries to load a cert and a key from the disk and validates that they are valid
// TryLoadCertAndKeyFromDisk tries to load a cert and a key from the disk and validates that they are valid
func
TryLoadCertAndKeyFromDisk
(
pkiPath
,
name
string
)
(
*
x509
.
Certificate
,
*
rsa
.
PrivateKey
,
error
)
{
func
TryLoadCertAndKeyFromDisk
(
pkiPath
,
name
string
)
(
*
x509
.
Certificate
,
crypto
.
Signer
,
error
)
{
cert
,
err
:=
TryLoadCertFromDisk
(
pkiPath
,
name
)
cert
,
err
:=
TryLoadCertFromDisk
(
pkiPath
,
name
)
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
nil
,
errors
.
Wrap
(
err
,
"failed to load certificate"
)
return
nil
,
nil
,
errors
.
Wrap
(
err
,
"failed to load certificate"
)
...
@@ -259,7 +260,7 @@ func TryLoadCertFromDisk(pkiPath, name string) (*x509.Certificate, error) {
...
@@ -259,7 +260,7 @@ func TryLoadCertFromDisk(pkiPath, name string) (*x509.Certificate, error) {
}
}
// TryLoadKeyFromDisk tries to load the key from the disk and validates that it is valid
// TryLoadKeyFromDisk tries to load the key from the disk and validates that it is valid
func
TryLoadKeyFromDisk
(
pkiPath
,
name
string
)
(
*
rsa
.
PrivateKey
,
error
)
{
func
TryLoadKeyFromDisk
(
pkiPath
,
name
string
)
(
crypto
.
Signer
,
error
)
{
privateKeyPath
:=
pathForKey
(
pkiPath
,
name
)
privateKeyPath
:=
pathForKey
(
pkiPath
,
name
)
// Parse the private key from a file
// Parse the private key from a file
...
@@ -268,20 +269,22 @@ func TryLoadKeyFromDisk(pkiPath, name string) (*rsa.PrivateKey, error) {
...
@@ -268,20 +269,22 @@ func TryLoadKeyFromDisk(pkiPath, name string) (*rsa.PrivateKey, error) {
return
nil
,
errors
.
Wrapf
(
err
,
"couldn't load the private key file %s"
,
privateKeyPath
)
return
nil
,
errors
.
Wrapf
(
err
,
"couldn't load the private key file %s"
,
privateKeyPath
)
}
}
// Allow RSA
format
only
// Allow RSA
and ECDSA formats
only
var
key
*
rsa
.
PrivateKey
var
key
crypto
.
Signer
switch
k
:=
privKey
.
(
type
)
{
switch
k
:=
privKey
.
(
type
)
{
case
*
rsa
.
PrivateKey
:
case
*
rsa
.
PrivateKey
:
key
=
k
key
=
k
case
*
ecdsa
.
PrivateKey
:
key
=
k
default
:
default
:
return
nil
,
errors
.
Errorf
(
"the private key file %s is
n't in R
SA format"
,
privateKeyPath
)
return
nil
,
errors
.
Errorf
(
"the private key file %s is
neither in RSA nor ECD
SA format"
,
privateKeyPath
)
}
}
return
key
,
nil
return
key
,
nil
}
}
// TryLoadCSRAndKeyFromDisk tries to load the CSR and key from the disk
// TryLoadCSRAndKeyFromDisk tries to load the CSR and key from the disk
func
TryLoadCSRAndKeyFromDisk
(
pkiPath
,
name
string
)
(
*
x509
.
CertificateRequest
,
*
rsa
.
PrivateKey
,
error
)
{
func
TryLoadCSRAndKeyFromDisk
(
pkiPath
,
name
string
)
(
*
x509
.
CertificateRequest
,
crypto
.
Signer
,
error
)
{
csrPath
:=
pathForCSR
(
pkiPath
,
name
)
csrPath
:=
pathForCSR
(
pkiPath
,
name
)
csr
,
err
:=
CertificateRequestFromFile
(
csrPath
)
csr
,
err
:=
CertificateRequestFromFile
(
csrPath
)
...
@@ -528,7 +531,7 @@ func EncodeCertPEM(cert *x509.Certificate) []byte {
...
@@ -528,7 +531,7 @@ func EncodeCertPEM(cert *x509.Certificate) []byte {
}
}
// EncodePublicKeyPEM returns PEM-encoded public data
// EncodePublicKeyPEM returns PEM-encoded public data
func
EncodePublicKeyPEM
(
key
*
rsa
.
PublicKey
)
([]
byte
,
error
)
{
func
EncodePublicKeyPEM
(
key
crypto
.
PublicKey
)
([]
byte
,
error
)
{
der
,
err
:=
x509
.
MarshalPKIXPublicKey
(
key
)
der
,
err
:=
x509
.
MarshalPKIXPublicKey
(
key
)
if
err
!=
nil
{
if
err
!=
nil
{
return
[]
byte
{},
err
return
[]
byte
{},
err
...
@@ -541,7 +544,7 @@ func EncodePublicKeyPEM(key *rsa.PublicKey) ([]byte, error) {
...
@@ -541,7 +544,7 @@ func EncodePublicKeyPEM(key *rsa.PublicKey) ([]byte, error) {
}
}
// NewPrivateKey creates an RSA private key
// NewPrivateKey creates an RSA private key
func
NewPrivateKey
()
(
*
rsa
.
PrivateKey
,
error
)
{
func
NewPrivateKey
()
(
crypto
.
Signer
,
error
)
{
return
rsa
.
GenerateKey
(
cryptorand
.
Reader
,
rsaKeySize
)
return
rsa
.
GenerateKey
(
cryptorand
.
Reader
,
rsaKeySize
)
}
}
...
...
cmd/kubeadm/app/util/pkiutil/pki_helpers_test.go
View file @
3148eb75
...
@@ -17,6 +17,9 @@ limitations under the License.
...
@@ -17,6 +17,9 @@ limitations under the License.
package
pkiutil
package
pkiutil
import
(
import
(
"crypto"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/rand"
"crypto/rsa"
"crypto/rsa"
"crypto/x509"
"crypto/x509"
...
@@ -49,27 +52,38 @@ func TestNewCertificateAuthority(t *testing.T) {
...
@@ -49,27 +52,38 @@ func TestNewCertificateAuthority(t *testing.T) {
func
TestNewCertAndKey
(
t
*
testing
.
T
)
{
func
TestNewCertAndKey
(
t
*
testing
.
T
)
{
var
tests
=
[]
struct
{
var
tests
=
[]
struct
{
name
string
name
string
caKeySize
int
keyGenFunc
func
()
(
crypto
.
Signer
,
error
)
expected
bool
expected
bool
}{
}{
{
{
name
:
"RSA key too small"
,
name
:
"RSA key too small"
,
caKeySize
:
128
,
keyGenFunc
:
func
()
(
crypto
.
Signer
,
error
)
{
expected
:
false
,
return
rsa
.
GenerateKey
(
rand
.
Reader
,
128
)
},
expected
:
false
,
},
},
{
{
name
:
"Should succeed"
,
name
:
"RSA should succeed"
,
caKeySize
:
2048
,
keyGenFunc
:
func
()
(
crypto
.
Signer
,
error
)
{
expected
:
true
,
return
rsa
.
GenerateKey
(
rand
.
Reader
,
2048
)
},
expected
:
true
,
},
{
name
:
"ECDSA should succeed"
,
keyGenFunc
:
func
()
(
crypto
.
Signer
,
error
)
{
return
ecdsa
.
GenerateKey
(
elliptic
.
P256
(),
rand
.
Reader
)
},
expected
:
true
,
},
},
}
}
for
_
,
rt
:=
range
tests
{
for
_
,
rt
:=
range
tests
{
t
.
Run
(
rt
.
name
,
func
(
t
*
testing
.
T
)
{
t
.
Run
(
rt
.
name
,
func
(
t
*
testing
.
T
)
{
caKey
,
err
:=
r
sa
.
GenerateKey
(
rand
.
Reader
,
rt
.
caKeySize
)
caKey
,
err
:=
r
t
.
keyGenFunc
(
)
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Fatalf
(
"Couldn't create
rsa
Private Key"
)
t
.
Fatalf
(
"Couldn't create Private Key"
)
}
}
caCert
:=
&
x509
.
Certificate
{}
caCert
:=
&
x509
.
Certificate
{}
config
:=
&
certutil
.
Config
{
config
:=
&
certutil
.
Config
{
...
@@ -375,49 +389,66 @@ func TestTryLoadCertFromDisk(t *testing.T) {
...
@@ -375,49 +389,66 @@ func TestTryLoadCertFromDisk(t *testing.T) {
}
}
func
TestTryLoadKeyFromDisk
(
t
*
testing
.
T
)
{
func
TestTryLoadKeyFromDisk
(
t
*
testing
.
T
)
{
tmpdir
,
err
:=
ioutil
.
TempDir
(
""
,
""
)
if
err
!=
nil
{
t
.
Fatalf
(
"Couldn't create tmpdir"
)
}
defer
os
.
RemoveAll
(
tmpdir
)
_
,
caKey
,
err
:=
NewCertificateAuthority
(
&
certutil
.
Config
{
CommonName
:
"kubernetes"
})
if
err
!=
nil
{
t
.
Errorf
(
"failed to create cert and key with an error: %v"
,
err
,
)
}
err
=
WriteKey
(
tmpdir
,
"foo"
,
caKey
)
if
err
!=
nil
{
t
.
Errorf
(
"failed to write cert and key with an error: %v"
,
err
,
)
}
var
tests
=
[]
struct
{
var
tests
=
[]
struct
{
desc
string
desc
string
path
string
pathSuffix
string
name
string
name
string
expected
bool
keyGenFunc
func
()
(
crypto
.
Signer
,
error
)
expected
bool
}{
}{
{
{
desc
:
"empty path and name"
,
desc
:
"empty path and name"
,
path
:
""
,
pathSuffix
:
"somegarbage"
,
name
:
""
,
name
:
""
,
keyGenFunc
:
func
()
(
crypto
.
Signer
,
error
)
{
return
rsa
.
GenerateKey
(
rand
.
Reader
,
2048
)
},
expected
:
false
,
expected
:
false
,
},
},
{
{
desc
:
"valid path and name"
,
desc
:
"RSA valid path and name"
,
path
:
tmpdir
,
pathSuffix
:
""
,
name
:
"foo"
,
name
:
"foo"
,
keyGenFunc
:
func
()
(
crypto
.
Signer
,
error
)
{
return
rsa
.
GenerateKey
(
rand
.
Reader
,
2048
)
},
expected
:
true
,
},
{
desc
:
"ECDSA valid path and name"
,
pathSuffix
:
""
,
name
:
"foo"
,
keyGenFunc
:
func
()
(
crypto
.
Signer
,
error
)
{
return
ecdsa
.
GenerateKey
(
elliptic
.
P256
(),
rand
.
Reader
)
},
expected
:
true
,
expected
:
true
,
},
},
}
}
for
_
,
rt
:=
range
tests
{
for
_
,
rt
:=
range
tests
{
t
.
Run
(
rt
.
desc
,
func
(
t
*
testing
.
T
)
{
t
.
Run
(
rt
.
desc
,
func
(
t
*
testing
.
T
)
{
_
,
actual
:=
TryLoadKeyFromDisk
(
rt
.
path
,
rt
.
name
)
tmpdir
,
err
:=
ioutil
.
TempDir
(
""
,
""
)
if
err
!=
nil
{
t
.
Fatalf
(
"Couldn't create tmpdir"
)
}
defer
os
.
RemoveAll
(
tmpdir
)
caKey
,
err
:=
rt
.
keyGenFunc
()
if
err
!=
nil
{
t
.
Errorf
(
"failed to create key with an error: %v"
,
err
,
)
}
err
=
WriteKey
(
tmpdir
,
"foo"
,
caKey
)
if
err
!=
nil
{
t
.
Errorf
(
"failed to write key with an error: %v"
,
err
,
)
}
_
,
actual
:=
TryLoadKeyFromDisk
(
tmpdir
+
rt
.
pathSuffix
,
rt
.
name
)
if
(
actual
==
nil
)
!=
rt
.
expected
{
if
(
actual
==
nil
)
!=
rt
.
expected
{
t
.
Errorf
(
t
.
Errorf
(
"failed TryLoadCertAndKeyFromDisk:
\n\t
expected: %t
\n\t
actual: %t"
,
"failed TryLoadCertAndKeyFromDisk:
\n\t
expected: %t
\n\t
actual: %t"
,
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment