2016-11-10 22:56:29 +00:00
|
|
|
/*
|
|
|
|
|
Copyright 2015 The Kubernetes Authors.
|
|
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
|
limitations under the License.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
package ssl
|
|
|
|
|
|
|
|
|
|
import (
|
2017-03-01 00:11:16 +00:00
|
|
|
"crypto/rand"
|
|
|
|
|
"crypto/rsa"
|
2017-06-13 13:11:49 +00:00
|
|
|
"crypto/tls"
|
2016-11-10 22:56:29 +00:00
|
|
|
"crypto/x509"
|
2017-03-01 00:11:16 +00:00
|
|
|
"crypto/x509/pkix"
|
2017-06-20 23:47:06 +00:00
|
|
|
"encoding/asn1"
|
2016-11-10 22:56:29 +00:00
|
|
|
"encoding/pem"
|
2016-11-16 18:24:26 +00:00
|
|
|
"errors"
|
2016-11-10 22:56:29 +00:00
|
|
|
"fmt"
|
|
|
|
|
"io/ioutil"
|
2017-03-01 00:11:16 +00:00
|
|
|
"math/big"
|
2017-06-20 23:47:06 +00:00
|
|
|
"net"
|
2016-11-10 22:56:29 +00:00
|
|
|
"os"
|
2017-06-20 23:47:06 +00:00
|
|
|
"strconv"
|
2017-03-01 00:11:16 +00:00
|
|
|
"time"
|
2016-11-10 22:56:29 +00:00
|
|
|
|
|
|
|
|
"github.com/golang/glog"
|
2017-10-04 20:11:03 +00:00
|
|
|
"github.com/zakjan/cert-chain-resolver/certUtil"
|
2016-11-10 22:56:29 +00:00
|
|
|
|
2017-07-12 17:31:15 +00:00
|
|
|
"k8s.io/apimachinery/pkg/util/sets"
|
2017-09-17 18:42:31 +00:00
|
|
|
|
2017-11-07 22:02:12 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/file"
|
|
|
|
|
"k8s.io/ingress-nginx/internal/ingress"
|
2016-11-10 22:56:29 +00:00
|
|
|
)
|
|
|
|
|
|
2017-06-20 23:47:06 +00:00
|
|
|
var (
|
|
|
|
|
oidExtensionSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
|
|
|
|
|
)
|
|
|
|
|
|
2016-11-10 22:56:29 +00:00
|
|
|
// AddOrUpdateCertAndKey creates a .pem file wth the cert and the key with the specified name
|
|
|
|
|
func AddOrUpdateCertAndKey(name string, cert, key, ca []byte) (*ingress.SSLCert, error) {
|
|
|
|
|
pemName := fmt.Sprintf("%v.pem", name)
|
|
|
|
|
pemFileName := fmt.Sprintf("%v/%v", ingress.DefaultSSLDirectory, pemName)
|
2017-10-04 20:11:03 +00:00
|
|
|
fullChainPemFileName := fmt.Sprintf("%v/%v-full-chain.pem", ingress.DefaultSSLDirectory, name)
|
2016-11-10 22:56:29 +00:00
|
|
|
|
2017-01-24 13:21:49 +00:00
|
|
|
tempPemFile, err := ioutil.TempFile(ingress.DefaultSSLDirectory, pemName)
|
2017-02-06 18:16:36 +00:00
|
|
|
|
2016-11-10 22:56:29 +00:00
|
|
|
if err != nil {
|
2017-02-03 20:50:51 +00:00
|
|
|
return nil, fmt.Errorf("could not create temp pem file %v: %v", pemFileName, err)
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
2017-03-07 14:27:53 +00:00
|
|
|
glog.V(3).Infof("Creating temp file %v for Keypair: %v", tempPemFile.Name(), pemName)
|
2016-11-10 22:56:29 +00:00
|
|
|
|
|
|
|
|
_, err = tempPemFile.Write(cert)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("could not write to pem file %v: %v", tempPemFile.Name(), err)
|
|
|
|
|
}
|
|
|
|
|
_, err = tempPemFile.Write([]byte("\n"))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("could not write to pem file %v: %v", tempPemFile.Name(), err)
|
|
|
|
|
}
|
|
|
|
|
_, err = tempPemFile.Write(key)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("could not write to pem file %v: %v", tempPemFile.Name(), err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = tempPemFile.Close()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("could not close temp pem file %v: %v", tempPemFile.Name(), err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pemCerts, err := ioutil.ReadFile(tempPemFile.Name())
|
|
|
|
|
if err != nil {
|
2017-03-06 19:33:44 +00:00
|
|
|
_ = os.Remove(tempPemFile.Name())
|
2016-11-10 22:56:29 +00:00
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2017-02-06 18:16:36 +00:00
|
|
|
pemBlock, _ := pem.Decode(pemCerts)
|
|
|
|
|
if pemBlock == nil {
|
2017-03-06 19:33:44 +00:00
|
|
|
_ = os.Remove(tempPemFile.Name())
|
2017-01-06 08:12:25 +00:00
|
|
|
return nil, fmt.Errorf("no valid PEM formatted block found")
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
|
|
|
|
|
2017-03-01 18:44:39 +00:00
|
|
|
// If the file does not start with 'BEGIN CERTIFICATE' it's invalid and must not be used.
|
|
|
|
|
if pemBlock.Type != "CERTIFICATE" {
|
2017-03-06 19:29:33 +00:00
|
|
|
_ = os.Remove(tempPemFile.Name())
|
2017-01-06 08:12:25 +00:00
|
|
|
return nil, fmt.Errorf("certificate %v contains invalid data, and must be created with 'kubectl create secret tls'", name)
|
2017-03-01 18:44:39 +00:00
|
|
|
}
|
|
|
|
|
|
2017-02-06 18:16:36 +00:00
|
|
|
pemCert, err := x509.ParseCertificate(pemBlock.Bytes)
|
2016-11-10 22:56:29 +00:00
|
|
|
if err != nil {
|
2017-03-06 19:33:44 +00:00
|
|
|
_ = os.Remove(tempPemFile.Name())
|
2016-11-10 22:56:29 +00:00
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2017-06-13 13:11:49 +00:00
|
|
|
//Ensure that certificate and private key have a matching public key
|
|
|
|
|
if _, err := tls.X509KeyPair(cert, key); err != nil {
|
|
|
|
|
_ = os.Remove(tempPemFile.Name())
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2017-07-12 17:31:15 +00:00
|
|
|
cn := sets.NewString(pemCert.Subject.CommonName)
|
|
|
|
|
for _, dns := range pemCert.DNSNames {
|
|
|
|
|
if !cn.Has(dns) {
|
|
|
|
|
cn.Insert(dns)
|
|
|
|
|
}
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
|
|
|
|
|
2017-06-20 23:47:06 +00:00
|
|
|
if len(pemCert.Extensions) > 0 {
|
2017-07-12 17:31:15 +00:00
|
|
|
glog.V(3).Info("parsing ssl certificate extensions")
|
2017-06-20 23:47:06 +00:00
|
|
|
for _, ext := range getExtension(pemCert, oidExtensionSubjectAltName) {
|
|
|
|
|
dns, _, _, err := parseSANExtension(ext.Value)
|
|
|
|
|
if err != nil {
|
|
|
|
|
glog.Warningf("unexpected error parsing certificate extensions: %v", err)
|
|
|
|
|
continue
|
|
|
|
|
}
|
2017-07-12 17:31:15 +00:00
|
|
|
|
|
|
|
|
for _, dns := range dns {
|
|
|
|
|
if !cn.Has(dns) {
|
|
|
|
|
cn.Insert(dns)
|
|
|
|
|
}
|
|
|
|
|
}
|
2017-06-20 23:47:06 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2016-11-10 22:56:29 +00:00
|
|
|
err = os.Rename(tempPemFile.Name(), pemFileName)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("could not move temp pem file %v to destination %v: %v", tempPemFile.Name(), pemFileName, err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(ca) > 0 {
|
|
|
|
|
bundle := x509.NewCertPool()
|
|
|
|
|
bundle.AppendCertsFromPEM(ca)
|
|
|
|
|
opts := x509.VerifyOptions{
|
|
|
|
|
Roots: bundle,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_, err := pemCert.Verify(opts)
|
|
|
|
|
if err != nil {
|
2016-11-16 18:24:26 +00:00
|
|
|
oe := fmt.Sprintf("failed to verify certificate chain: \n\t%s\n", err)
|
|
|
|
|
return nil, errors.New(oe)
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
|
|
|
|
|
2017-02-06 18:16:36 +00:00
|
|
|
caFile, err := os.OpenFile(pemFileName, os.O_RDWR|os.O_APPEND, 0600)
|
2016-11-10 22:56:29 +00:00
|
|
|
if err != nil {
|
2017-01-06 08:12:25 +00:00
|
|
|
return nil, fmt.Errorf("could not open file %v for writing additional CA chains: %v", pemFileName, err)
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
2017-02-06 18:16:36 +00:00
|
|
|
|
|
|
|
|
defer caFile.Close()
|
|
|
|
|
_, err = caFile.Write([]byte("\n"))
|
2016-11-10 22:56:29 +00:00
|
|
|
if err != nil {
|
2017-02-06 18:16:36 +00:00
|
|
|
return nil, fmt.Errorf("could not append CA to cert file %v: %v", pemFileName, err)
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
2017-02-06 18:16:36 +00:00
|
|
|
caFile.Write(ca)
|
|
|
|
|
caFile.Write([]byte("\n"))
|
2016-11-10 22:56:29 +00:00
|
|
|
|
|
|
|
|
return &ingress.SSLCert{
|
2017-08-10 03:27:57 +00:00
|
|
|
Certificate: pemCert,
|
2017-02-06 18:16:36 +00:00
|
|
|
CAFileName: pemFileName,
|
2016-11-10 22:56:29 +00:00
|
|
|
PemFileName: pemFileName,
|
2017-07-31 18:22:10 +00:00
|
|
|
PemSHA: file.SHA1(pemFileName),
|
2017-07-12 17:31:15 +00:00
|
|
|
CN: cn.List(),
|
2017-06-12 12:45:08 +00:00
|
|
|
ExpireTime: pemCert.NotAfter,
|
2016-11-10 22:56:29 +00:00
|
|
|
}, nil
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-04 20:11:03 +00:00
|
|
|
s := &ingress.SSLCert{
|
2017-08-10 03:27:57 +00:00
|
|
|
Certificate: pemCert,
|
2016-11-10 22:56:29 +00:00
|
|
|
PemFileName: pemFileName,
|
2017-07-31 18:22:10 +00:00
|
|
|
PemSHA: file.SHA1(pemFileName),
|
2017-07-12 17:31:15 +00:00
|
|
|
CN: cn.List(),
|
2017-06-12 12:45:08 +00:00
|
|
|
ExpireTime: pemCert.NotAfter,
|
2017-10-04 20:11:03 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = fullChainCert(pemFileName, fullChainPemFileName)
|
|
|
|
|
if err != nil {
|
|
|
|
|
glog.Errorf("unexpected error generating SSL certificate with full chain: %v", err)
|
|
|
|
|
return s, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
s.FullChainPemFileName = fullChainPemFileName
|
|
|
|
|
|
|
|
|
|
return s, nil
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
|
|
|
|
|
2017-06-20 23:47:06 +00:00
|
|
|
func getExtension(c *x509.Certificate, id asn1.ObjectIdentifier) []pkix.Extension {
|
|
|
|
|
var exts []pkix.Extension
|
|
|
|
|
for _, ext := range c.Extensions {
|
|
|
|
|
if ext.Id.Equal(id) {
|
|
|
|
|
exts = append(exts, ext)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return exts
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func parseSANExtension(value []byte) (dnsNames, emailAddresses []string, ipAddresses []net.IP, err error) {
|
|
|
|
|
// RFC 5280, 4.2.1.6
|
|
|
|
|
|
|
|
|
|
// SubjectAltName ::= GeneralNames
|
|
|
|
|
//
|
|
|
|
|
// GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
|
|
|
|
|
//
|
|
|
|
|
// GeneralName ::= CHOICE {
|
|
|
|
|
// otherName [0] OtherName,
|
|
|
|
|
// rfc822Name [1] IA5String,
|
|
|
|
|
// dNSName [2] IA5String,
|
|
|
|
|
// x400Address [3] ORAddress,
|
|
|
|
|
// directoryName [4] Name,
|
|
|
|
|
// ediPartyName [5] EDIPartyName,
|
|
|
|
|
// uniformResourceIdentifier [6] IA5String,
|
|
|
|
|
// iPAddress [7] OCTET STRING,
|
|
|
|
|
// registeredID [8] OBJECT IDENTIFIER }
|
|
|
|
|
var seq asn1.RawValue
|
|
|
|
|
var rest []byte
|
|
|
|
|
if rest, err = asn1.Unmarshal(value, &seq); err != nil {
|
|
|
|
|
return
|
|
|
|
|
} else if len(rest) != 0 {
|
|
|
|
|
err = errors.New("x509: trailing data after X.509 extension")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if !seq.IsCompound || seq.Tag != 16 || seq.Class != 0 {
|
|
|
|
|
err = asn1.StructuralError{Msg: "bad SAN sequence"}
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rest = seq.Bytes
|
|
|
|
|
for len(rest) > 0 {
|
|
|
|
|
var v asn1.RawValue
|
|
|
|
|
rest, err = asn1.Unmarshal(rest, &v)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
switch v.Tag {
|
|
|
|
|
case 1:
|
|
|
|
|
emailAddresses = append(emailAddresses, string(v.Bytes))
|
|
|
|
|
case 2:
|
|
|
|
|
dnsNames = append(dnsNames, string(v.Bytes))
|
|
|
|
|
case 7:
|
|
|
|
|
switch len(v.Bytes) {
|
|
|
|
|
case net.IPv4len, net.IPv6len:
|
|
|
|
|
ipAddresses = append(ipAddresses, v.Bytes)
|
|
|
|
|
default:
|
|
|
|
|
err = errors.New("x509: certificate contained IP address of length " + strconv.Itoa(len(v.Bytes)))
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2017-02-06 18:16:36 +00:00
|
|
|
// AddCertAuth creates a .pem file with the specified CAs to be used in Cert Authentication
|
|
|
|
|
// If it's already exists, it's clobbered.
|
|
|
|
|
func AddCertAuth(name string, ca []byte) (*ingress.SSLCert, error) {
|
|
|
|
|
|
|
|
|
|
caName := fmt.Sprintf("ca-%v.pem", name)
|
|
|
|
|
caFileName := fmt.Sprintf("%v/%v", ingress.DefaultSSLDirectory, caName)
|
|
|
|
|
|
|
|
|
|
pemCABlock, _ := pem.Decode(ca)
|
|
|
|
|
if pemCABlock == nil {
|
2017-01-06 08:12:25 +00:00
|
|
|
return nil, fmt.Errorf("no valid PEM formatted block found")
|
2017-02-06 18:16:36 +00:00
|
|
|
}
|
2017-03-01 18:44:39 +00:00
|
|
|
// If the first certificate does not start with 'BEGIN CERTIFICATE' it's invalid and must not be used.
|
|
|
|
|
if pemCABlock.Type != "CERTIFICATE" {
|
2017-01-06 08:12:25 +00:00
|
|
|
return nil, fmt.Errorf("CA file %v contains invalid data, and must be created only with PEM formated certificates", name)
|
2017-03-01 18:44:39 +00:00
|
|
|
}
|
2017-02-06 18:16:36 +00:00
|
|
|
|
|
|
|
|
_, err := x509.ParseCertificate(pemCABlock.Bytes)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = ioutil.WriteFile(caFileName, ca, 0644)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("could not write CA file %v: %v", caFileName, err)
|
|
|
|
|
}
|
|
|
|
|
|
2017-09-27 03:46:22 +00:00
|
|
|
glog.V(3).Infof("Created CA Certificate for Authentication: %v", caFileName)
|
2017-02-06 18:16:36 +00:00
|
|
|
return &ingress.SSLCert{
|
|
|
|
|
CAFileName: caFileName,
|
|
|
|
|
PemFileName: caFileName,
|
2017-07-31 18:22:10 +00:00
|
|
|
PemSHA: file.SHA1(caFileName),
|
2017-02-06 18:16:36 +00:00
|
|
|
}, nil
|
|
|
|
|
}
|
|
|
|
|
|
2017-03-08 13:41:55 +00:00
|
|
|
// AddOrUpdateDHParam creates a dh parameters file with the specified name
|
|
|
|
|
func AddOrUpdateDHParam(name string, dh []byte) (string, error) {
|
|
|
|
|
pemName := fmt.Sprintf("%v.pem", name)
|
|
|
|
|
pemFileName := fmt.Sprintf("%v/%v", ingress.DefaultSSLDirectory, pemName)
|
2016-11-10 22:56:29 +00:00
|
|
|
|
2017-03-08 13:41:55 +00:00
|
|
|
tempPemFile, err := ioutil.TempFile(ingress.DefaultSSLDirectory, pemName)
|
|
|
|
|
|
|
|
|
|
glog.V(3).Infof("Creating temp file %v for DH param: %v", tempPemFile.Name(), pemName)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", fmt.Errorf("could not create temp pem file %v: %v", pemFileName, err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_, err = tempPemFile.Write(dh)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", fmt.Errorf("could not write to pem file %v: %v", tempPemFile.Name(), err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = tempPemFile.Close()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", fmt.Errorf("could not close temp pem file %v: %v", tempPemFile.Name(), err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pemCerts, err := ioutil.ReadFile(tempPemFile.Name())
|
|
|
|
|
if err != nil {
|
|
|
|
|
_ = os.Remove(tempPemFile.Name())
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pemBlock, _ := pem.Decode(pemCerts)
|
|
|
|
|
if pemBlock == nil {
|
|
|
|
|
_ = os.Remove(tempPemFile.Name())
|
2017-01-06 08:12:25 +00:00
|
|
|
return "", fmt.Errorf("no valid PEM formatted block found")
|
2017-03-08 13:41:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// If the file does not start with 'BEGIN DH PARAMETERS' it's invalid and must not be used.
|
|
|
|
|
if pemBlock.Type != "DH PARAMETERS" {
|
|
|
|
|
_ = os.Remove(tempPemFile.Name())
|
2017-01-06 08:12:25 +00:00
|
|
|
return "", fmt.Errorf("certificate %v contains invalid data", name)
|
2017-03-08 13:41:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = os.Rename(tempPemFile.Name(), pemFileName)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", fmt.Errorf("could not move temp pem file %v to destination %v: %v", tempPemFile.Name(), pemFileName, err)
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
|
|
|
|
|
2017-03-08 13:41:55 +00:00
|
|
|
return pemFileName, nil
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
|
|
|
|
|
2017-03-01 00:11:16 +00:00
|
|
|
// GetFakeSSLCert creates a Self Signed Certificate
|
|
|
|
|
// Based in the code https://golang.org/src/crypto/tls/generate_cert.go
|
2016-11-10 22:56:29 +00:00
|
|
|
func GetFakeSSLCert() ([]byte, []byte) {
|
2017-03-01 00:11:16 +00:00
|
|
|
|
|
|
|
|
var priv interface{}
|
|
|
|
|
var err error
|
|
|
|
|
|
|
|
|
|
priv, err = rsa.GenerateKey(rand.Reader, 2048)
|
|
|
|
|
|
2016-11-10 22:56:29 +00:00
|
|
|
if err != nil {
|
2017-03-01 00:11:16 +00:00
|
|
|
glog.Fatalf("failed to generate fake private key: %s", err)
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
|
|
|
|
|
2017-03-01 00:11:16 +00:00
|
|
|
notBefore := time.Now()
|
|
|
|
|
// This certificate is valid for 365 days
|
|
|
|
|
notAfter := notBefore.Add(365 * 24 * time.Hour)
|
|
|
|
|
|
|
|
|
|
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
|
|
|
|
|
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
|
|
|
|
|
|
2016-11-10 22:56:29 +00:00
|
|
|
if err != nil {
|
2017-03-01 00:11:16 +00:00
|
|
|
glog.Fatalf("failed to generate fake serial number: %s", err)
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
|
|
|
|
|
2017-03-01 00:11:16 +00:00
|
|
|
template := x509.Certificate{
|
|
|
|
|
SerialNumber: serialNumber,
|
|
|
|
|
Subject: pkix.Name{
|
|
|
|
|
Organization: []string{"Acme Co"},
|
|
|
|
|
CommonName: "Kubernetes Ingress Controller Fake Certificate",
|
|
|
|
|
},
|
|
|
|
|
NotBefore: notBefore,
|
|
|
|
|
NotAfter: notAfter,
|
|
|
|
|
|
|
|
|
|
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
|
|
|
|
|
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
|
|
|
|
BasicConstraintsValid: true,
|
|
|
|
|
DNSNames: []string{"ingress.local"},
|
|
|
|
|
}
|
|
|
|
|
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.(*rsa.PrivateKey).PublicKey, priv)
|
|
|
|
|
if err != nil {
|
|
|
|
|
glog.Fatalf("Failed to create fake certificate: %s", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cert := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
|
|
|
|
|
|
|
|
|
|
key := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv.(*rsa.PrivateKey))})
|
|
|
|
|
|
2016-11-10 22:56:29 +00:00
|
|
|
return cert, key
|
|
|
|
|
}
|
2017-10-04 20:11:03 +00:00
|
|
|
|
|
|
|
|
func fullChainCert(in, out string) error {
|
|
|
|
|
inputFile, err := os.Open(in)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
data, err := ioutil.ReadAll(inputFile)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cert, err := certUtil.DecodeCertificate(data)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
certs, err := certUtil.FetchCertificateChain(cert)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
certs, err = certUtil.AddRootCA(certs)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
data = certUtil.EncodeCertificates(certs)
|
|
|
|
|
return ioutil.WriteFile(out, data, 0644)
|
|
|
|
|
}
|
