DevFW-CICD/ingress-nginx-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Improve the Fake Certificate Creation

Browse source
This commit is contained in:
Ricardo Pchevuzinske Katz 2017-01-31 17:00:01 -02:00
parent 3cdbc4120b
commit 1df6687805
1 changed files with 46 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

56
core/pkg/net/ssl/ssl.go
View file

@ -19,12 +19,17 @@ package ssl
import ( import (
"crypto/sha1" "crypto/sha1"
"crypto/x509" "crypto/x509"
"crypto/x509/pkix"
"crypto/rand"
"crypto/rsa"
"encoding/hex" "encoding/hex"
"encoding/pem" "encoding/pem"
"errors" "errors"
"fmt" "fmt"
"math/big"
"io/ioutil" "io/ioutil"
"os" "os"
"time"
"github.com/golang/glog" "github.com/golang/glog"
@ -159,23 +164,54 @@ func pemSHA1(filename string) string {
return hex.EncodeToString(hasher.Sum(nil)) return hex.EncodeToString(hasher.Sum(nil))
} }
const (
snakeOilPem = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
snakeOilKey = "/etc/ssl/private/ssl-cert-snakeoil.key"
)
// GetFakeSSLCert returns the snake oil ssl certificate created by the command // GetFakeSSLCert creates a Self Signed Certificate
// make-ssl-cert generate-default-snakeoil --force-overwrite // Based in the code https://golang.org/src/crypto/tls/generate_cert.go
func GetFakeSSLCert() ([]byte, []byte) { func GetFakeSSLCert() ([]byte, []byte) {
cert, err := ioutil.ReadFile(snakeOilPem)
var priv, privtype interface{}
var err error
priv, err = rsa.GenerateKey(rand.Reader, 2048)
privtype = &priv.(*rsa.PrivateKey).PublicKey
if err != nil { if err != nil {
return nil, nil glog.Fatalf("failed to generate fake private key: %s", err)
} }
key, err := ioutil.ReadFile(snakeOilKey) notBefore := time.Now()
// This certificate is valid for 365 days
notAfter := notBefore.Add(365*24*time.Hour)
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil { if err != nil {
return nil, nil glog.Fatalf("failed to generate fake serial number: %s", err)
} }
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
Organization: []string{"Acme Co"},
},
NotBefore: notBefore,
NotAfter: notAfter,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
DNSNames: []string{"ingress.local"},
}
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, privtype, priv)
if err != nil {
glog.Fatalf("Failed to create fake certificate: %s", err)
}
cert := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
key := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv.(*rsa.PrivateKey))})
return cert, key return cert, key
} }