Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
ce52bf12
Unverified
Commit
ce52bf12
authored
Jan 25, 2019
by
Kubernetes Prow Robot
Committed by
GitHub
Jan 25, 2019
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #73093 from ereslibre/verify-certificate-sans
kubeadm: verify that present certificates contain at least the required SANs
parents
408d4c0c
f22f594d
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
73 additions
and
27 deletions
+73
-27
certlist.go
cmd/kubeadm/app/phases/certs/certlist.go
+2
-1
certs.go
cmd/kubeadm/app/phases/certs/certs.go
+22
-5
certs_test.go
cmd/kubeadm/app/phases/certs/certs_test.go
+39
-12
util.go
cmd/kubeadm/app/util/certs/util.go
+10
-9
No files found.
cmd/kubeadm/app/phases/certs/certlist.go
View file @
ce52bf12
...
@@ -69,10 +69,11 @@ func (k *KubeadmCert) CreateFromCA(ic *kubeadmapi.InitConfiguration, caCert *x50
...
@@ -69,10 +69,11 @@ func (k *KubeadmCert) CreateFromCA(ic *kubeadmapi.InitConfiguration, caCert *x50
caCert
,
caCert
,
cert
,
cert
,
key
,
key
,
cfg
,
)
)
if
err
!=
nil
{
if
err
!=
nil
{
return
errors
.
Wrapf
(
err
,
"failed to write certificate %q"
,
k
.
Name
)
return
errors
.
Wrapf
(
err
,
"failed to write
or validate
certificate %q"
,
k
.
Name
)
}
}
return
nil
return
nil
...
...
cmd/kubeadm/app/phases/certs/certs.go
View file @
ce52bf12
...
@@ -220,7 +220,7 @@ func writeCertificateAuthorithyFilesIfNotExist(pkiDir string, baseName string, c
...
@@ -220,7 +220,7 @@ func writeCertificateAuthorithyFilesIfNotExist(pkiDir string, baseName string, c
// If there already is a certificate file at the given path; kubeadm tries to load it and check if the values in the
// If there already is a certificate file at the given path; kubeadm tries to load it and check if the values in the
// existing and the expected certificate equals. If they do; kubeadm will just skip writing the file as it's up-to-date,
// existing and the expected certificate equals. If they do; kubeadm will just skip writing the file as it's up-to-date,
// otherwise this function returns an error.
// otherwise this function returns an error.
func
writeCertificateFilesIfNotExist
(
pkiDir
string
,
baseName
string
,
signingCert
*
x509
.
Certificate
,
cert
*
x509
.
Certificate
,
key
*
rsa
.
PrivateKey
)
error
{
func
writeCertificateFilesIfNotExist
(
pkiDir
string
,
baseName
string
,
signingCert
*
x509
.
Certificate
,
cert
*
x509
.
Certificate
,
key
*
rsa
.
PrivateKey
,
cfg
*
certutil
.
Config
)
error
{
// Checks if the signed certificate exists in the PKI directory
// Checks if the signed certificate exists in the PKI directory
if
pkiutil
.
CertOrKeyExist
(
pkiDir
,
baseName
)
{
if
pkiutil
.
CertOrKeyExist
(
pkiDir
,
baseName
)
{
...
@@ -235,10 +235,11 @@ func writeCertificateFilesIfNotExist(pkiDir string, baseName string, signingCert
...
@@ -235,10 +235,11 @@ func writeCertificateFilesIfNotExist(pkiDir string, baseName string, signingCert
return
errors
.
Errorf
(
"certificate %s is not signed by corresponding CA"
,
baseName
)
return
errors
.
Errorf
(
"certificate %s is not signed by corresponding CA"
,
baseName
)
}
}
// kubeadm doesn't validate the existing certificate more than this;
// Check if the certificate has the correct attributes
// Basically, if we find a certificate file with the same path; and it is signed by
if
err
:=
validateCertificateWithConfig
(
signedCert
,
baseName
,
cfg
);
err
!=
nil
{
// the expected certificate authority, kubeadm thinks those files are equal and
return
err
// doesn't bother writing a new file
}
fmt
.
Printf
(
"[certs] Using the existing %q certificate and key
\n
"
,
baseName
)
fmt
.
Printf
(
"[certs] Using the existing %q certificate and key
\n
"
,
baseName
)
}
else
{
}
else
{
// Write .crt and .key files to disk
// Write .crt and .key files to disk
...
@@ -458,3 +459,19 @@ func validatePrivatePublicKey(l certKeyLocation) error {
...
@@ -458,3 +459,19 @@ func validatePrivatePublicKey(l certKeyLocation) error {
}
}
return
nil
return
nil
}
}
// validateCertificateWithConfig makes sure that a given certificate is valid at
// least for the SANs defined in the configuration.
func
validateCertificateWithConfig
(
cert
*
x509
.
Certificate
,
baseName
string
,
cfg
*
certutil
.
Config
)
error
{
for
_
,
dnsName
:=
range
cfg
.
AltNames
.
DNSNames
{
if
err
:=
cert
.
VerifyHostname
(
dnsName
);
err
!=
nil
{
return
errors
.
Wrapf
(
err
,
"certificate %s is invalid"
,
baseName
)
}
}
for
_
,
ipAddress
:=
range
cfg
.
AltNames
.
IPs
{
if
err
:=
cert
.
VerifyHostname
(
ipAddress
.
String
());
err
!=
nil
{
return
errors
.
Wrapf
(
err
,
"certificate %s is invalid"
,
baseName
)
}
}
return
nil
}
cmd/kubeadm/app/phases/certs/certs_test.go
View file @
ce52bf12
...
@@ -21,6 +21,7 @@ import (
...
@@ -21,6 +21,7 @@ import (
"crypto/sha256"
"crypto/sha256"
"crypto/x509"
"crypto/x509"
"io/ioutil"
"io/ioutil"
"net"
"os"
"os"
"path"
"path"
"path/filepath"
"path/filepath"
...
@@ -76,8 +77,8 @@ func TestWriteCertificateAuthorithyFilesIfNotExist(t *testing.T) {
...
@@ -76,8 +77,8 @@ func TestWriteCertificateAuthorithyFilesIfNotExist(t *testing.T) {
},
},
{
// cert exists, but it is not a ca > err
{
// cert exists, but it is not a ca > err
setupFunc
:
func
(
pkiDir
string
)
error
{
setupFunc
:
func
(
pkiDir
string
)
error
{
cert
,
key
:=
certstestutil
.
CreateTestCert
(
t
,
setupCert
,
setupKey
)
cert
,
key
,
config
:=
certstestutil
.
CreateTestCert
(
t
,
setupCert
,
setupKey
,
certutil
.
AltNames
{}
)
return
writeCertificateFilesIfNotExist
(
pkiDir
,
"dummy"
,
setupCert
,
cert
,
key
)
return
writeCertificateFilesIfNotExist
(
pkiDir
,
"dummy"
,
setupCert
,
cert
,
key
,
config
)
},
},
expectedError
:
true
,
expectedError
:
true
,
},
},
...
@@ -125,10 +126,16 @@ func TestWriteCertificateAuthorithyFilesIfNotExist(t *testing.T) {
...
@@ -125,10 +126,16 @@ func TestWriteCertificateAuthorithyFilesIfNotExist(t *testing.T) {
}
}
func
TestWriteCertificateFilesIfNotExist
(
t
*
testing
.
T
)
{
func
TestWriteCertificateFilesIfNotExist
(
t
*
testing
.
T
)
{
altNames
:=
certutil
.
AltNames
{
DNSNames
:
[]
string
{
"example.com"
},
IPs
:
[]
net
.
IP
{
net
.
IPv4
(
0
,
0
,
0
,
0
),
},
}
caCert
,
caKey
:=
certstestutil
.
CreateCACert
(
t
)
caCert
,
caKey
:=
certstestutil
.
CreateCACert
(
t
)
setupCert
,
setupKey
:=
certstestutil
.
CreateTestCert
(
t
,
caCert
,
caKey
)
setupCert
,
setupKey
,
_
:=
certstestutil
.
CreateTestCert
(
t
,
caCert
,
caKey
,
altNames
)
cert
,
key
:=
certstestutil
.
CreateTestCert
(
t
,
caCert
,
caKey
)
cert
,
key
,
config
:=
certstestutil
.
CreateTestCert
(
t
,
caCert
,
caKey
,
altNames
)
var
tests
=
[]
struct
{
var
tests
=
[]
struct
{
setupFunc
func
(
pkiDir
string
)
error
setupFunc
func
(
pkiDir
string
)
error
...
@@ -138,9 +145,29 @@ func TestWriteCertificateFilesIfNotExist(t *testing.T) {
...
@@ -138,9 +145,29 @@ func TestWriteCertificateFilesIfNotExist(t *testing.T) {
{
// cert does not exists > cert written
{
// cert does not exists > cert written
expectedCert
:
cert
,
expectedCert
:
cert
,
},
},
{
// cert exists, is signed by the same ca > existing cert used
{
// cert exists, is signed by the same ca, missing SANs (dns name) > err
setupFunc
:
func
(
pkiDir
string
)
error
{
setupCert
,
setupKey
,
setupConfig
:=
certstestutil
.
CreateTestCert
(
t
,
caCert
,
caKey
,
certutil
.
AltNames
{
IPs
:
[]
net
.
IP
{
net
.
IPv4
(
0
,
0
,
0
,
0
),
},
})
return
writeCertificateFilesIfNotExist
(
pkiDir
,
"dummy"
,
caCert
,
setupCert
,
setupKey
,
setupConfig
)
},
expectedError
:
true
,
},
{
// cert exists, is signed by the same ca, missing SANs (IP address) > err
setupFunc
:
func
(
pkiDir
string
)
error
{
setupCert
,
setupKey
,
setupConfig
:=
certstestutil
.
CreateTestCert
(
t
,
caCert
,
caKey
,
certutil
.
AltNames
{
DNSNames
:
[]
string
{
"example.com"
},
})
return
writeCertificateFilesIfNotExist
(
pkiDir
,
"dummy"
,
caCert
,
setupCert
,
setupKey
,
setupConfig
)
},
expectedError
:
true
,
},
{
// cert exists, is signed by the same ca, all SANs present > existing cert used
setupFunc
:
func
(
pkiDir
string
)
error
{
setupFunc
:
func
(
pkiDir
string
)
error
{
return
writeCertificateFilesIfNotExist
(
pkiDir
,
"dummy"
,
caCert
,
setupCert
,
setupKey
)
return
writeCertificateFilesIfNotExist
(
pkiDir
,
"dummy"
,
caCert
,
setupCert
,
setupKey
,
config
)
},
},
expectedCert
:
setupCert
,
expectedCert
:
setupCert
,
},
},
...
@@ -154,9 +181,9 @@ func TestWriteCertificateFilesIfNotExist(t *testing.T) {
...
@@ -154,9 +181,9 @@ func TestWriteCertificateFilesIfNotExist(t *testing.T) {
{
// cert exists, is signed by another ca > err
{
// cert exists, is signed by another ca > err
setupFunc
:
func
(
pkiDir
string
)
error
{
setupFunc
:
func
(
pkiDir
string
)
error
{
anotherCaCert
,
anotherCaKey
:=
certstestutil
.
CreateCACert
(
t
)
anotherCaCert
,
anotherCaKey
:=
certstestutil
.
CreateCACert
(
t
)
anotherCert
,
anotherKey
:=
certstestutil
.
CreateTestCert
(
t
,
anotherCaCert
,
anotherCaKey
)
anotherCert
,
anotherKey
,
config
:=
certstestutil
.
CreateTestCert
(
t
,
anotherCaCert
,
anotherCaKey
,
certutil
.
AltNames
{}
)
return
writeCertificateFilesIfNotExist
(
pkiDir
,
"dummy"
,
anotherCaCert
,
anotherCert
,
anotherKey
)
return
writeCertificateFilesIfNotExist
(
pkiDir
,
"dummy"
,
anotherCaCert
,
anotherCert
,
anotherKey
,
config
)
},
},
expectedError
:
true
,
expectedError
:
true
,
},
},
...
@@ -176,13 +203,13 @@ func TestWriteCertificateFilesIfNotExist(t *testing.T) {
...
@@ -176,13 +203,13 @@ func TestWriteCertificateFilesIfNotExist(t *testing.T) {
}
}
// executes create func
// executes create func
err
:=
writeCertificateFilesIfNotExist
(
tmpdir
,
"dummy"
,
caCert
,
cert
,
key
)
err
:=
writeCertificateFilesIfNotExist
(
tmpdir
,
"dummy"
,
caCert
,
cert
,
key
,
config
)
if
!
test
.
expectedError
&&
err
!=
nil
{
if
!
test
.
expectedError
&&
err
!=
nil
{
t
.
Errorf
(
"error writeCertificateFilesIfNotExist failed when not expected to fail: %v"
,
err
)
t
.
Errorf
(
"error writeCertificateFilesIfNotExist failed when not expected to fail: %v"
,
err
)
continue
continue
}
else
if
test
.
expectedError
&&
err
==
nil
{
}
else
if
test
.
expectedError
&&
err
==
nil
{
t
.
Error
(
"error writeCertificateFilesIfNotExist didn't fail
ed
when expected"
)
t
.
Error
(
"error writeCertificateFilesIfNotExist didn't fail when expected"
)
continue
continue
}
else
if
test
.
expectedError
{
}
else
if
test
.
expectedError
{
continue
continue
...
@@ -355,7 +382,7 @@ func TestNewCACertAndKey(t *testing.T) {
...
@@ -355,7 +382,7 @@ func TestNewCACertAndKey(t *testing.T) {
func
TestSharedCertificateExists
(
t
*
testing
.
T
)
{
func
TestSharedCertificateExists
(
t
*
testing
.
T
)
{
caCert
,
caKey
:=
certstestutil
.
CreateCACert
(
t
)
caCert
,
caKey
:=
certstestutil
.
CreateCACert
(
t
)
_
,
key
:=
certstestutil
.
CreateTestCert
(
t
,
caCert
,
caKey
)
_
,
key
,
_
:=
certstestutil
.
CreateTestCert
(
t
,
caCert
,
caKey
,
certutil
.
AltNames
{}
)
publicKey
:=
&
key
.
PublicKey
publicKey
:=
&
key
.
PublicKey
var
tests
=
[]
struct
{
var
tests
=
[]
struct
{
...
@@ -536,7 +563,7 @@ func TestUsingExternalCA(t *testing.T) {
...
@@ -536,7 +563,7 @@ func TestUsingExternalCA(t *testing.T) {
func
TestValidateMethods
(
t
*
testing
.
T
)
{
func
TestValidateMethods
(
t
*
testing
.
T
)
{
caCert
,
caKey
:=
certstestutil
.
CreateCACert
(
t
)
caCert
,
caKey
:=
certstestutil
.
CreateCACert
(
t
)
cert
,
key
:=
certstestutil
.
CreateTestCert
(
t
,
caCert
,
caKey
)
cert
,
key
,
_
:=
certstestutil
.
CreateTestCert
(
t
,
caCert
,
caKey
,
certutil
.
AltNames
{}
)
tests
:=
[]
struct
{
tests
:=
[]
struct
{
name
string
name
string
...
...
cmd/kubeadm/app/util/certs/util.go
View file @
ce52bf12
...
@@ -145,17 +145,18 @@ func CreateCACert(t *testing.T) (*x509.Certificate, *rsa.PrivateKey) {
...
@@ -145,17 +145,18 @@ func CreateCACert(t *testing.T) (*x509.Certificate, *rsa.PrivateKey) {
return
cert
,
key
return
cert
,
key
}
}
// CreateTestCert makes a generic certficate with the given CA.
// CreateTestCert makes a generic certificate with the given CA and alternative names.
func
CreateTestCert
(
t
*
testing
.
T
,
caCert
*
x509
.
Certificate
,
caKey
*
rsa
.
PrivateKey
)
(
*
x509
.
Certificate
,
*
rsa
.
PrivateKey
)
{
func
CreateTestCert
(
t
*
testing
.
T
,
caCert
*
x509
.
Certificate
,
caKey
*
rsa
.
PrivateKey
,
altNames
certutil
.
AltNames
)
(
*
x509
.
Certificate
,
*
rsa
.
PrivateKey
,
*
certutil
.
Config
)
{
cert
,
key
,
err
:=
pkiutil
.
NewCertAndKey
(
caCert
,
caKey
,
config
:=
&
certutil
.
Config
{
&
certutil
.
Config
{
CommonName
:
"testCert"
,
CommonName
:
"testCert"
,
Usages
:
[]
x509
.
ExtKeyUsage
{
x509
.
ExtKeyUsageAny
},
Usages
:
[]
x509
.
ExtKeyUsage
{
x509
.
ExtKeyUsageAny
},
AltNames
:
altNames
,
})
}
cert
,
key
,
err
:=
pkiutil
.
NewCertAndKey
(
caCert
,
caKey
,
config
)
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Fatalf
(
"couldn't create test cert: %v"
,
err
)
t
.
Fatalf
(
"couldn't create test cert: %v"
,
err
)
}
}
return
cert
,
key
return
cert
,
key
,
config
}
}
// CertTestCase is a configuration of certificates and whether it's expected to work.
// CertTestCase is a configuration of certificates and whether it's expected to work.
...
@@ -172,7 +173,7 @@ func GetSparseCertTestCases(t *testing.T) []CertTestCase {
...
@@ -172,7 +173,7 @@ func GetSparseCertTestCases(t *testing.T) []CertTestCase {
fpCACert
,
fpCAKey
:=
CreateCACert
(
t
)
fpCACert
,
fpCAKey
:=
CreateCACert
(
t
)
etcdCACert
,
etcdCAKey
:=
CreateCACert
(
t
)
etcdCACert
,
etcdCAKey
:=
CreateCACert
(
t
)
fpCert
,
fpKey
:=
CreateTestCert
(
t
,
fpCACert
,
fpCAKey
)
fpCert
,
fpKey
,
_
:=
CreateTestCert
(
t
,
fpCACert
,
fpCAKey
,
certutil
.
AltNames
{}
)
return
[]
CertTestCase
{
return
[]
CertTestCase
{
{
{
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment