introduce certopts (#9606)

* introduce cert opts

* it should be using the same signer

* lint and omit serial
This commit is contained in:
Hans Hasselberg 2021-03-22 10:16:41 +01:00 committed by hashicorp-ci
parent 3ade77cd2e
commit 0d0f14f901
7 changed files with 80 additions and 92 deletions

View File

@ -52,21 +52,14 @@ func testTLSCertificates(serverName string) (cert string, key string, cacert str
return "", "", "", err
}
serial, err := tlsutil.GenerateSerialNumber()
if err != nil {
return "", "", "", err
}
cert, privateKey, err := tlsutil.GenerateCert(
signer,
ca,
serial,
"Test Cert Name",
365,
[]string{serverName},
nil,
[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
)
cert, privateKey, err := tlsutil.GenerateCert(tlsutil.CertOpts{
Signer: signer,
CA: ca,
Name: "Test Cert Name",
Days: 365,
DNSNames: []string{serverName},
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
})
if err != nil {
return "", "", "", err
}

View File

@ -201,22 +201,14 @@ func generateTestCert(serverName string) (cert tls.Certificate, caPEM []byte, er
return tls.Certificate{}, nil, err
}
// generate leaf
serial, err := tlsutil.GenerateSerialNumber()
if err != nil {
return tls.Certificate{}, nil, err
}
certificate, privateKey, err := tlsutil.GenerateCert(
signer,
ca,
serial,
"Test Cert Name",
365,
[]string{serverName},
nil,
[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
)
certificate, privateKey, err := tlsutil.GenerateCert(tlsutil.CertOpts{
Signer: signer,
CA: ca,
Name: "Test Cert Name",
Days: 365,
DNSNames: []string{serverName},
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
})
if err != nil {
return tls.Certificate{}, nil, err
}

View File

@ -16,32 +16,24 @@ import (
)
func testTLSCertificates(serverName string) (cert string, key string, cacert string, err error) {
ca, _, err := tlsutil.GenerateCA(tlsutil.CAOpts{})
if err != nil {
return "", "", "", err
}
// generate leaf
serial, err := tlsutil.GenerateSerialNumber()
if err != nil {
return "", "", "", err
}
signer, _, err := tlsutil.GeneratePrivateKey()
if err != nil {
return "", "", "", err
}
cert, privateKey, err := tlsutil.GenerateCert(
signer,
ca,
serial,
"Test Cert Name",
365,
[]string{serverName},
nil,
[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
)
ca, _, err := tlsutil.GenerateCA(tlsutil.CAOpts{Signer: signer})
if err != nil {
return "", "", "", err
}
cert, privateKey, err := tlsutil.GenerateCert(tlsutil.CertOpts{
Signer: signer,
CA: ca,
Name: "Test Cert Name",
Days: 365,
DNSNames: []string{serverName},
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
})
if err != nil {
return "", "", "", err
}

View File

@ -563,21 +563,14 @@ func testTLSCertificates(serverName string) (cert string, key string, cacert str
return "", "", "", err
}
serial, err := tlsutil.GenerateSerialNumber()
if err != nil {
return "", "", "", err
}
cert, privateKey, err := tlsutil.GenerateCert(
signer,
ca,
serial,
"Test Cert Name",
365,
[]string{serverName},
nil,
[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
)
cert, privateKey, err := tlsutil.GenerateCert(tlsutil.CertOpts{
Signer: signer,
CA: ca,
Name: "Test Cert Name",
Days: 365,
DNSNames: []string{serverName},
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
})
if err != nil {
return "", "", "", err
}

View File

@ -176,13 +176,10 @@ func (c *cmd) Run(args []string) int {
return 1
}
sn, err := tlsutil.GenerateSerialNumber()
if err != nil {
c.UI.Error(err.Error())
return 1
}
pub, priv, err := tlsutil.GenerateCert(signer, string(cert), sn, name, c.days, DNSNames, IPAddresses, extKeyUsage)
pub, priv, err := tlsutil.GenerateCert(tlsutil.CertOpts{
Signer: signer, CA: string(cert), Name: name, Days: c.days,
DNSNames: DNSNames, IPAddresses: IPAddresses, ExtKeyUsage: extKeyUsage,
})
if err != nil {
c.UI.Error(err.Error())
return 1

View File

@ -43,6 +43,17 @@ type CAOpts struct {
Name string
}
type CertOpts struct {
Signer crypto.Signer
CA string
Serial *big.Int
Name string
Days int
DNSNames []string
IPAddresses []net.IP
ExtKeyUsage []x509.ExtKeyUsage
}
// GenerateCA generates a new CA for agent TLS (not to be confused with Connect TLS)
func GenerateCA(opts CAOpts) (string, string, error) {
signer := opts.Signer
@ -126,8 +137,8 @@ func GenerateCA(opts CAOpts) (string, string, error) {
}
// GenerateCert generates a new certificate for agent TLS (not to be confused with Connect TLS)
func GenerateCert(signer crypto.Signer, ca string, sn *big.Int, name string, days int, DNSNames []string, IPAddresses []net.IP, extKeyUsage []x509.ExtKeyUsage) (string, string, error) {
parent, err := parseCert(ca)
func GenerateCert(opts CertOpts) (string, string, error) {
parent, err := parseCert(opts.CA)
if err != nil {
return "", "", err
}
@ -142,21 +153,30 @@ func GenerateCert(signer crypto.Signer, ca string, sn *big.Int, name string, day
return "", "", err
}
template := x509.Certificate{
SerialNumber: sn,
Subject: pkix.Name{CommonName: name},
BasicConstraintsValid: true,
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
ExtKeyUsage: extKeyUsage,
IsCA: false,
NotAfter: time.Now().AddDate(0, 0, days),
NotBefore: time.Now(),
SubjectKeyId: id,
DNSNames: DNSNames,
IPAddresses: IPAddresses,
sn := opts.Serial
if sn == nil {
var err error
sn, err = GenerateSerialNumber()
if err != nil {
return "", "", err
}
}
bs, err := x509.CreateCertificate(rand.Reader, &template, parent, signee.Public(), signer)
template := x509.Certificate{
SerialNumber: sn,
Subject: pkix.Name{CommonName: opts.Name},
BasicConstraintsValid: true,
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
ExtKeyUsage: opts.ExtKeyUsage,
IsCA: false,
NotAfter: time.Now().AddDate(0, 0, opts.Days),
NotBefore: time.Now(),
SubjectKeyId: id,
DNSNames: opts.DNSNames,
IPAddresses: opts.IPAddresses,
}
bs, err := x509.CreateCertificate(rand.Reader, &template, parent, signee.Public(), opts.Signer)
if err != nil {
return "", "", err
}

View File

@ -98,13 +98,14 @@ func TestGenerateCert(t *testing.T) {
ca, _, err := GenerateCA(CAOpts{Signer: signer})
require.Nil(t, err)
sn, err := GenerateSerialNumber()
require.Nil(t, err)
DNSNames := []string{"server.dc1.consul"}
IPAddresses := []net.IP{net.ParseIP("123.234.243.213")}
extKeyUsage := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
name := "Cert Name"
certificate, pk, err := GenerateCert(signer, ca, sn, name, 365, DNSNames, IPAddresses, extKeyUsage)
certificate, pk, err := GenerateCert(CertOpts{
Signer: signer, CA: ca, Name: name, Days: 365,
DNSNames: DNSNames, IPAddresses: IPAddresses, ExtKeyUsage: extKeyUsage,
})
require.Nil(t, err)
require.NotEmpty(t, certificate)
require.NotEmpty(t, pk)