certmanager updated
@@ -15,8 +15,8 @@ import (
|
||||
|
||||
type CreateIssuerPairParams struct {
|
||||
CommonName string
|
||||
SignerCert string
|
||||
SignerKey string
|
||||
SignerCert string
|
||||
SignerKey string
|
||||
}
|
||||
type CreateIssuerPairResult struct {
|
||||
Name string
|
||||
@@ -24,34 +24,33 @@ type CreateIssuerPairResult struct {
|
||||
Key string
|
||||
}
|
||||
|
||||
|
||||
func CreateIssuerPair(params *CreateIssuerPairParams) (*CreateIssuerPairResult, error) {
|
||||
var err error
|
||||
res := &CreateIssuerPairResult{}
|
||||
|
||||
if params.SignerKey != "" && params.SignerCert == "" {
|
||||
err = fmt.Errorf("The signature key and certificate must be defined together")
|
||||
return res, err
|
||||
}
|
||||
if params.SignerKey == "" && params.SignerCert != "" {
|
||||
err = fmt.Errorf("The signature key and certificate must be defined together")
|
||||
return res, err
|
||||
}
|
||||
if params.SignerKey != "" && params.SignerCert == "" {
|
||||
err = fmt.Errorf("The signature key and certificate must be defined together")
|
||||
return res, err
|
||||
}
|
||||
if params.SignerKey == "" && params.SignerCert != "" {
|
||||
err = fmt.Errorf("The signature key and certificate must be defined together")
|
||||
return res, err
|
||||
}
|
||||
|
||||
var signerKey any
|
||||
if params.SignerKey != "" {
|
||||
signerKey, err = ParseDoubleEncodedKey(params.SignerKey)
|
||||
if err != nil {
|
||||
return res, err
|
||||
}
|
||||
}
|
||||
var signerCert *x509.Certificate
|
||||
if params.SignerCert != "" {
|
||||
signerCert, err = ParseDoubleEncodedCerificate(params.SignerCert)
|
||||
if err != nil {
|
||||
return res, err
|
||||
}
|
||||
}
|
||||
var signerKey any
|
||||
if params.SignerKey != "" {
|
||||
signerKey, err = ParseDoubleEncodedKey(params.SignerKey)
|
||||
if err != nil {
|
||||
return res, err
|
||||
}
|
||||
}
|
||||
var signerCert *x509.Certificate
|
||||
if params.SignerCert != "" {
|
||||
signerCert, err = ParseDoubleEncodedCerificate(params.SignerCert)
|
||||
if err != nil {
|
||||
return res, err
|
||||
}
|
||||
}
|
||||
|
||||
certPem := make([]byte, 0)
|
||||
keyPem := make([]byte, 0)
|
||||
@@ -77,34 +76,35 @@ func CreateIssuerPair(params *CreateIssuerPairParams) (*CreateIssuerPairResult,
|
||||
CommonName: params.CommonName,
|
||||
}
|
||||
|
||||
certIssuer := certSubject
|
||||
if signerCert != nil {
|
||||
certIssuer = signerCert.Subject
|
||||
}
|
||||
certIssuer := certSubject
|
||||
if signerCert != nil {
|
||||
certIssuer = signerCert.Subject
|
||||
}
|
||||
|
||||
var issuerKey any = certKey
|
||||
if signerKey != nil {
|
||||
issuerKey = signerKey
|
||||
}
|
||||
var issuerKey any = certKey
|
||||
if signerKey != nil {
|
||||
issuerKey = signerKey
|
||||
}
|
||||
|
||||
res.Name = certSubject.String()
|
||||
|
||||
certTempl := &x509.Certificate{
|
||||
SerialNumber: big.NewInt(now.Unix()),
|
||||
NotBefore: now,
|
||||
NotAfter: now.AddDate(yearsAfter, 0, 0),
|
||||
Subject: certSubject,
|
||||
Issuer: certIssuer,
|
||||
IsCA: true,
|
||||
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
|
||||
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
|
||||
SerialNumber: big.NewInt(now.Unix()),
|
||||
NotBefore: now,
|
||||
NotAfter: now.AddDate(yearsAfter, 0, 0),
|
||||
Subject: certSubject,
|
||||
Issuer: certIssuer,
|
||||
IsCA: true,
|
||||
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
|
||||
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign |
|
||||
x509.KeyUsageKeyEncipherment | x509.KeyUsageCRLSign,
|
||||
BasicConstraintsValid: true,
|
||||
}
|
||||
|
||||
parentCert := certTempl
|
||||
if signerCert != nil {
|
||||
parentCert = signerCert
|
||||
}
|
||||
parentCert := certTempl
|
||||
if signerCert != nil {
|
||||
parentCert = signerCert
|
||||
}
|
||||
|
||||
certBytes, err := x509.CreateCertificate(rand.Reader, certTempl, parentCert, &certKey.PublicKey, issuerKey)
|
||||
if err != nil {
|
||||
@@ -126,69 +126,6 @@ func CreateIssuerPair(params *CreateIssuerPairParams) (*CreateIssuerPairResult,
|
||||
return res, err
|
||||
}
|
||||
|
||||
|
||||
|
||||
func CreateIssuerPairV0(params *CreateIssuerPairParams) (*CreateIssuerPairResult, error) {
|
||||
var err error
|
||||
res := &CreateIssuerPairResult{}
|
||||
|
||||
certPem := make([]byte, 0)
|
||||
keyPem := make([]byte, 0)
|
||||
|
||||
now := time.Now()
|
||||
|
||||
const yearsAfter int = 10
|
||||
const keySize int = 2048
|
||||
|
||||
key, err := rsa.GenerateKey(rand.Reader, keySize)
|
||||
if err != nil {
|
||||
err := fmt.Errorf("Can't create a private key: %v", err)
|
||||
return res, err
|
||||
|
||||
}
|
||||
keyPemBlock := pem.Block{
|
||||
Type: "RSA PRIVATE KEY",
|
||||
Bytes: x509.MarshalPKCS1PrivateKey(key),
|
||||
}
|
||||
keyPem = pem.EncodeToMemory(&keyPemBlock)
|
||||
|
||||
subjectName := pkix.Name{
|
||||
CommonName: params.CommonName,
|
||||
}
|
||||
issuerName := subjectName
|
||||
res.Name = subjectName.String()
|
||||
|
||||
certTempl := x509.Certificate{
|
||||
SerialNumber: big.NewInt(now.Unix()),
|
||||
NotBefore: now,
|
||||
NotAfter: now.AddDate(yearsAfter, 0, 0),
|
||||
Subject: subjectName,
|
||||
Issuer: issuerName,
|
||||
IsCA: true,
|
||||
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
|
||||
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
|
||||
BasicConstraintsValid: true,
|
||||
}
|
||||
certBytes, err := x509.CreateCertificate(rand.Reader, &certTempl, &certTempl, &key.PublicKey, key)
|
||||
if err != nil {
|
||||
err := fmt.Errorf("Can't create a certificate: %v", err)
|
||||
return res, err
|
||||
|
||||
}
|
||||
certPemBlock := pem.Block{
|
||||
Type: "CERTIFICATE",
|
||||
Bytes: certBytes,
|
||||
}
|
||||
certPem = pem.EncodeToMemory(&certPemBlock)
|
||||
if err != nil {
|
||||
return res, err
|
||||
}
|
||||
|
||||
res.Cert = base64.StdEncoding.EncodeToString(certPem)
|
||||
res.Key = base64.StdEncoding.EncodeToString(keyPem)
|
||||
return res, err
|
||||
}
|
||||
|
||||
type CreateServicePairParams struct {
|
||||
CommonName string
|
||||
DNSNames []string
|
||||
@@ -202,7 +139,116 @@ type CreateServicePairResult struct {
|
||||
Key string
|
||||
}
|
||||
|
||||
func CreateServicePairV2(params *CreateServicePairParams) (*CreateServicePairResult, error) {
|
||||
func CreateServicePair(params *CreateServicePairParams) (*CreateServicePairResult, error) {
|
||||
var err error
|
||||
res := &CreateServicePairResult{}
|
||||
|
||||
if params.IssuerKey != "" && params.IssuerCert == "" {
|
||||
err = fmt.Errorf("The signature key and certificate must be defined together")
|
||||
return res, err
|
||||
}
|
||||
if params.IssuerKey == "" && params.IssuerCert != "" {
|
||||
err = fmt.Errorf("The signature key and certificate must be defined together")
|
||||
return res, err
|
||||
}
|
||||
|
||||
var signerKey any
|
||||
if params.IssuerKey != "" {
|
||||
signerKey, err = ParseDoubleEncodedKey(params.IssuerKey)
|
||||
if err != nil {
|
||||
return res, err
|
||||
}
|
||||
}
|
||||
var signerCert *x509.Certificate
|
||||
if params.IssuerCert != "" {
|
||||
signerCert, err = ParseDoubleEncodedCerificate(params.IssuerCert)
|
||||
if err != nil {
|
||||
return res, err
|
||||
}
|
||||
}
|
||||
|
||||
certPem := make([]byte, 0)
|
||||
keyPem := make([]byte, 0)
|
||||
|
||||
now := time.Now()
|
||||
|
||||
const yearsAfter int = 10
|
||||
const keySize int = 2048
|
||||
|
||||
certKey, err := rsa.GenerateKey(rand.Reader, keySize)
|
||||
if err != nil {
|
||||
err := fmt.Errorf("Can't create a private key: %v", err)
|
||||
return res, err
|
||||
|
||||
}
|
||||
keyPemBlock := &pem.Block{
|
||||
Type: "RSA PRIVATE KEY",
|
||||
Bytes: x509.MarshalPKCS1PrivateKey(certKey),
|
||||
}
|
||||
keyPem = pem.EncodeToMemory(keyPemBlock)
|
||||
|
||||
certSubject := pkix.Name{
|
||||
CommonName: params.CommonName,
|
||||
}
|
||||
|
||||
certIssuer := certSubject
|
||||
if signerCert != nil {
|
||||
certIssuer = signerCert.Subject
|
||||
}
|
||||
|
||||
var issuerKey any = certKey
|
||||
if signerKey != nil {
|
||||
issuerKey = signerKey
|
||||
}
|
||||
|
||||
res.Name = certSubject.String()
|
||||
|
||||
netAddresses := make([]net.IP, 0)
|
||||
for _, ipAddress := range params.IPAddresses {
|
||||
netAddress := net.ParseIP(ipAddress)
|
||||
netAddresses = append(netAddresses, netAddress)
|
||||
}
|
||||
|
||||
certTempl := &x509.Certificate{
|
||||
SerialNumber: big.NewInt(now.Unix()),
|
||||
NotBefore: now,
|
||||
NotAfter: now.AddDate(yearsAfter, 0, 0),
|
||||
Subject: certSubject,
|
||||
Issuer: certIssuer,
|
||||
DNSNames: params.DNSNames,
|
||||
IPAddresses: netAddresses,
|
||||
IsCA: false,
|
||||
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
|
||||
KeyUsage: x509.KeyUsageDigitalSignature,
|
||||
BasicConstraintsValid: true,
|
||||
}
|
||||
|
||||
parentCert := certTempl
|
||||
if signerCert != nil {
|
||||
parentCert = signerCert
|
||||
}
|
||||
|
||||
certBytes, err := x509.CreateCertificate(rand.Reader, certTempl, parentCert, &certKey.PublicKey, issuerKey)
|
||||
if err != nil {
|
||||
err := fmt.Errorf("Can't create a certificate: %v", err)
|
||||
return res, err
|
||||
|
||||
}
|
||||
certPemBlock := pem.Block{
|
||||
Type: "CERTIFICATE",
|
||||
Bytes: certBytes,
|
||||
}
|
||||
certPem = pem.EncodeToMemory(&certPemBlock)
|
||||
if err != nil {
|
||||
return res, err
|
||||
}
|
||||
|
||||
res.Cert = base64.StdEncoding.EncodeToString(certPem)
|
||||
res.Key = base64.StdEncoding.EncodeToString(keyPem)
|
||||
return res, err
|
||||
}
|
||||
|
||||
func XXXCreateServicePair(params *CreateServicePairParams) (*CreateServicePairResult, error) {
|
||||
var err error
|
||||
|
||||
res := &CreateServicePairResult{}
|
||||
@@ -278,18 +324,13 @@ func CreateServicePairV2(params *CreateServicePairParams) (*CreateServicePairRes
|
||||
return res, err
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
func ParseDoubleEncodedCerificate(certString string) (*x509.Certificate, error) {
|
||||
var err error
|
||||
res := &x509.Certificate{}
|
||||
|
||||
certPEM, err := base64.StdEncoding.DecodeString(certString)
|
||||
if err != nil {
|
||||
err := fmt.Errorf("Failed to parse base64 certificate string: %v", err)
|
||||
err := fmt.Errorf("Failed to parse base64 certificate string: %v", err)
|
||||
return res, err
|
||||
}
|
||||
certBlock, _ := pem.Decode([]byte(certPEM))
|
||||
@@ -297,14 +338,14 @@ func ParseDoubleEncodedCerificate(certString string) (*x509.Certificate, error)
|
||||
err := fmt.Errorf("Failed to parse certificate PEM")
|
||||
return res, err
|
||||
}
|
||||
if certBlock.Type != "CERTIFICATE" {
|
||||
if certBlock.Type != "CERTIFICATE" {
|
||||
err := fmt.Errorf("Unknown PEM certificate type: %s", certBlock.Type)
|
||||
return res, err
|
||||
}
|
||||
if len(certBlock.Bytes) == 0 {
|
||||
}
|
||||
if len(certBlock.Bytes) == 0 {
|
||||
err := fmt.Errorf("Empty PEM certificate block")
|
||||
return res, err
|
||||
}
|
||||
}
|
||||
|
||||
res, err = x509.ParseCertificate(certBlock.Bytes)
|
||||
if err != nil {
|
||||
@@ -322,14 +363,14 @@ func ParseEncodedCerificate(certPEM string) (*x509.Certificate, error) {
|
||||
err := fmt.Errorf("Failed to parse certificate PEM")
|
||||
return res, err
|
||||
}
|
||||
if certBlock.Type != "CERTIFICATE" {
|
||||
if certBlock.Type != "CERTIFICATE" {
|
||||
err := fmt.Errorf("Unknown PEM certificate type: %s", certBlock.Type)
|
||||
return res, err
|
||||
}
|
||||
if len(certBlock.Bytes) == 0 {
|
||||
}
|
||||
if len(certBlock.Bytes) == 0 {
|
||||
err := fmt.Errorf("Empty PEM certificate block")
|
||||
return res, err
|
||||
}
|
||||
}
|
||||
res, err = x509.ParseCertificate(certBlock.Bytes)
|
||||
if err != nil {
|
||||
return res, err
|
||||
@@ -343,7 +384,7 @@ func ParseDoubleEncodedKey(keyString string) (any, error) {
|
||||
|
||||
keyPEM, err := base64.StdEncoding.DecodeString(keyString)
|
||||
if err != nil {
|
||||
err := fmt.Errorf("Failed to parse base64 key string: %v", err)
|
||||
err := fmt.Errorf("Failed to parse base64 key string: %v", err)
|
||||
return res, err
|
||||
}
|
||||
keyBlock, _ := pem.Decode([]byte(keyPEM))
|
||||
|
||||
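Review bot: `SerialNumber: big.NewInt(now.Unix())` in the new CreateServicePair template (and the same line in the CreateIssuerPair template hunk above, whose function starts outside that hunk) makes the serial a one-second timestamp, so any two certificates this issuer signs within the same second share a serial, which RFC 5280 requires to be unique per issuer and which breaks revocation checks and caches keyed on issuer+serial. Draw it from crypto/rand instead, which the `rand.Reader` passed to rsa.GenerateKey already is: `serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))`, `if err != nil { return res, fmt.Errorf("Can't create a serial number: %v", err) }`, then `SerialNumber: serial,`. Separately, the IP loop appends the result of `net.ParseIP(ipAddress)` without checking it, and a nil entry in IPAddresses is marshalled as a zero-length iPAddress SAN that Go's own x509 parser is likely to reject, so add `if netAddress == nil { return res, fmt.Errorf("Invalid IP address: %s", ipAddress) }` before the append. The `if err != nil` after `pem.EncodeToMemory(&certPemBlock)` is dead, since that call does not assign err; it returns nil on failure, so check the returned slice instead.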