diff --git a/agent/consul/server_test.go b/agent/consul/server_test.go
index dc6c77f513..5df82e8737 100644
--- a/agent/consul/server_test.go
+++ b/agent/consul/server_test.go
@@ -53,21 +53,14 @@ func testTLSCertificates(serverName string) (cert string, key string, cacert str
 		return "", "", "", err
 	}
 
-	serial, err := tlsutil.GenerateSerialNumber()
-	if err != nil {
-		return "", "", "", err
-	}
-
-	cert, privateKey, err := tlsutil.GenerateCert(
-		signer,
-		ca,
-		serial,
-		"Test Cert Name",
-		365,
-		[]string{serverName},
-		nil,
-		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
-	)
+	cert, privateKey, err := tlsutil.GenerateCert(tlsutil.CertOpts{
+		Signer: signer,
+		CA: ca,
+		Name: "Test Cert Name",
+		Days: 365,
+		DNSNames: []string{serverName},
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+	})
 	if err != nil {
 		return "", "", "", err
 	}
diff --git a/agent/pool/peek_test.go b/agent/pool/peek_test.go
index ab830fc070..8b50bb2ead 100644
--- a/agent/pool/peek_test.go
+++ b/agent/pool/peek_test.go
@@ -201,22 +201,14 @@ func generateTestCert(serverName string) (cert tls.Certificate, caPEM []byte, er
 		return tls.Certificate{}, nil, err
 	}
 
-	// generate leaf
-	serial, err := tlsutil.GenerateSerialNumber()
-	if err != nil {
-		return tls.Certificate{}, nil, err
-	}
-
-	certificate, privateKey, err := tlsutil.GenerateCert(
-		signer,
-		ca,
-		serial,
-		"Test Cert Name",
-		365,
-		[]string{serverName},
-		nil,
-		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-	)
+	certificate, privateKey, err := tlsutil.GenerateCert(tlsutil.CertOpts{
+		Signer: signer,
+		CA: ca,
+		Name: "Test Cert Name",
+		Days: 365,
+		DNSNames: []string{serverName},
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+	})
 	if err != nil {
 		return tls.Certificate{}, nil, err
 	}
diff --git a/agent/routine-leak-checker/leak_test.go b/agent/routine-leak-checker/leak_test.go
index 60ac2de39e..8eac5be913 100644
--- a/agent/routine-leak-checker/leak_test.go
+++ b/agent/routine-leak-checker/leak_test.go
@@ -15,32 +15,24 @@ import (
 )
 
 func testTLSCertificates(serverName string) (cert string, key string, cacert string, err error) {
-	ca, _, err := tlsutil.GenerateCA(tlsutil.CAOpts{})
-	if err != nil {
-		return "", "", "", err
-	}
-
-	// generate leaf
-	serial, err := tlsutil.GenerateSerialNumber()
-	if err != nil {
-		return "", "", "", err
-	}
-
 	signer, _, err := tlsutil.GeneratePrivateKey()
 	if err != nil {
 		return "", "", "", err
 	}
 
-	cert, privateKey, err := tlsutil.GenerateCert(
-		signer,
-		ca,
-		serial,
-		"Test Cert Name",
-		365,
-		[]string{serverName},
-		nil,
-		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
-	)
+	ca, _, err := tlsutil.GenerateCA(tlsutil.CAOpts{Signer: signer})
+	if err != nil {
+		return "", "", "", err
+	}
+
+	cert, privateKey, err := tlsutil.GenerateCert(tlsutil.CertOpts{
+		Signer: signer,
+		CA: ca,
+		Name: "Test Cert Name",
+		Days: 365,
+		DNSNames: []string{serverName},
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+	})
 	if err != nil {
 		return "", "", "", err
 	}
diff --git a/agent/testagent.go b/agent/testagent.go
index 3bbfe0cbe3..d2b5c8e11b 100644
--- a/agent/testagent.go
+++ b/agent/testagent.go
@@ -572,21 +572,14 @@ func testTLSCertificates(serverName string) (cert string, key string, cacert str
 		return "", "", "", err
 	}
 
-	serial, err := tlsutil.GenerateSerialNumber()
-	if err != nil {
-		return "", "", "", err
-	}
-
-	cert, privateKey, err := tlsutil.GenerateCert(
-		signer,
-		ca,
-		serial,
-		"Test Cert Name",
-		365,
-		[]string{serverName},
-		nil,
-		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
-	)
+	cert, privateKey, err := tlsutil.GenerateCert(tlsutil.CertOpts{
+		Signer: signer,
+		CA: ca,
+		Name: "Test Cert Name",
+		Days: 365,
+		DNSNames: []string{serverName},
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+	})
 	if err != nil {
 		return "", "", "", err
 	}
diff --git a/command/tls/cert/create/tls_cert_create.go b/command/tls/cert/create/tls_cert_create.go
index 0e06537f55..6281ca3ae2 100644
--- a/command/tls/cert/create/tls_cert_create.go
+++ b/command/tls/cert/create/tls_cert_create.go
@@ -176,13 +176,10 @@ func (c *cmd) Run(args []string) int {
 		return 1
 	}
 
-	sn, err := tlsutil.GenerateSerialNumber()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	pub, priv, err := tlsutil.GenerateCert(signer, string(cert), sn, name, c.days, DNSNames, IPAddresses, extKeyUsage)
+	pub, priv, err := tlsutil.GenerateCert(tlsutil.CertOpts{
+		Signer: signer, CA: string(cert), Name: name, Days: c.days,
+		DNSNames: DNSNames, IPAddresses: IPAddresses, ExtKeyUsage: extKeyUsage,
+	})
 	if err != nil {
 		c.UI.Error(err.Error())
 		return 1
diff --git a/tlsutil/generate.go b/tlsutil/generate.go
index 0b649a816d..8b4ac0f09b 100644
--- a/tlsutil/generate.go
+++ b/tlsutil/generate.go
@@ -44,6 +44,17 @@ type CAOpts struct {
 	Name string
 }
 
+type CertOpts struct {
+	Signer crypto.Signer
+	CA string
+	Serial *big.Int
+	Name string
+	Days int
+	DNSNames []string
+	IPAddresses []net.IP
+	ExtKeyUsage []x509.ExtKeyUsage
+}
+
 // GenerateCA generates a new CA for agent TLS (not to be confused with Connect TLS)
 func GenerateCA(opts CAOpts) (string, string, error) {
 	signer := opts.Signer
@@ -127,8 +138,8 @@ func GenerateCA(opts CAOpts) (string, string, error) {
 }
 
 // GenerateCert generates a new certificate for agent TLS (not to be confused with Connect TLS)
-func GenerateCert(signer crypto.Signer, ca string, sn *big.Int, name string, days int, DNSNames []string, IPAddresses []net.IP, extKeyUsage []x509.ExtKeyUsage) (string, string, error) {
-	parent, err := parseCert(ca)
+func GenerateCert(opts CertOpts) (string, string, error) {
+	parent, err := parseCert(opts.CA)
 	if err != nil {
 		return "", "", err
 	}
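Review bot: `CertOpts` is exported but carries no doc comment, and nothing on the struct says which fields are optional or what a zero value means; with the positional signature gone, the struct is the only place a caller can learn that. A comment such as `// CertOpts holds the parameters for GenerateCert. Serial may be nil, in which case GenerateCert draws a random serial number; every caller in this change leaves it nil.` covers the one field whose default is non-obvious, and `Days` should be described as the validity period in days counted from the time of generation, with `DNSNames` and `IPAddresses` as the optional subject alternative names. Field-level comments in the same style as the exported `CAOpts` above would keep the two option types consistent.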
@@ -143,21 +154,30 @@ func GenerateCert(signer crypto.Signer, ca string, sn *big.Int, name string, day
 		return "", "", err
 	}
 
-	template := x509.Certificate{
-		SerialNumber: sn,
-		Subject: pkix.Name{CommonName: name},
-		BasicConstraintsValid: true,
-		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
-		ExtKeyUsage: extKeyUsage,
-		IsCA: false,
-		NotAfter: time.Now().AddDate(0, 0, days),
-		NotBefore: time.Now(),
-		SubjectKeyId: id,
-		DNSNames: DNSNames,
-		IPAddresses: IPAddresses,
+	sn := opts.Serial
+	if sn == nil {
+		var err error
+		sn, err = GenerateSerialNumber()
+		if err != nil {
+			return "", "", err
+		}
 	}
 
-	bs, err := x509.CreateCertificate(rand.Reader, &template, parent, signee.Public(), signer)
+	template := x509.Certificate{
+		SerialNumber: sn,
+		Subject: pkix.Name{CommonName: opts.Name},
+		BasicConstraintsValid: true,
+		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		ExtKeyUsage: opts.ExtKeyUsage,
+		IsCA: false,
+		NotAfter: time.Now().AddDate(0, 0, opts.Days),
+		NotBefore: time.Now(),
+		SubjectKeyId: id,
+		DNSNames: opts.DNSNames,
+		IPAddresses: opts.IPAddresses,
+	}
+
+	bs, err := x509.CreateCertificate(rand.Reader, &template, parent, signee.Public(), opts.Signer)
 	if err != nil {
 		return "", "", err
 	}
diff --git a/tlsutil/generate_test.go b/tlsutil/generate_test.go
index 486a5abd63..974d3548e5 100644
--- a/tlsutil/generate_test.go
+++ b/tlsutil/generate_test.go
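Review bot: A caller that leaves `Days` unset now gets a certificate whose `NotAfter` (`time.Now().AddDate(0, 0, opts.Days)`) is no later than its `NotBefore`, i.e. expired the moment it is issued, and a negative value puts NotAfter before NotBefore; the old positional signature forced every caller to state a day count, the options struct does not. Rejecting that before the template is built keeps the failure at the call site: `if opts.Days <= 0 { return "", "", errors.New("certificate validity in days must be positive") }` (add the `errors` import if the file lacks it). Separately, the `var err error` inside `if sn == nil` is unnecessary: `err` is already declared by `parent, err := parseCert(opts.CA)` at the top of the function, so `sn, err = GenerateSerialNumber()` can assign to it directly and the shadowed variable, which vet's shadow analyzer would flag, disappears. GenerateCert's signature and its first error checks are in the previous hunk, outside this one.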
@@ -117,13 +117,14 @@ func TestGenerateCert(t *testing.T) {
 	ca, _, err := GenerateCA(CAOpts{Signer: signer})
 	require.Nil(t, err)
 
-	sn, err := GenerateSerialNumber()
-	require.Nil(t, err)
 	DNSNames := []string{"server.dc1.consul"}
 	IPAddresses := []net.IP{net.ParseIP("123.234.243.213")}
 	extKeyUsage := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
 	name := "Cert Name"
-	certificate, pk, err := GenerateCert(signer, ca, sn, name, 365, DNSNames, IPAddresses, extKeyUsage)
+	certificate, pk, err := GenerateCert(CertOpts{
+		Signer: signer, CA: ca, Name: name, Days: 365,
+		DNSNames: DNSNames, IPAddresses: IPAddresses, ExtKeyUsage: extKeyUsage,
+	})
 	require.Nil(t, err)
 	require.NotEmpty(t, certificate)
 	require.NotEmpty(t, pk)
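Review bot: `TestGenerateCert` still exercises only the nil-`Serial` path; the new `CertOpts.Serial` field, the one behavioural addition to GenerateCert in this change, is never set here, so a regression in which the supplied serial is ignored would pass. A second call passing an explicit value, e.g. `Serial: big.NewInt(42)` (arbitrary example; `math/big` must be imported if it is not already), followed by parsing `certificate` and checking `SerialNumber.Cmp(big.NewInt(42)) == 0`, would pin it, and a case with `Days` left at zero would document what the function does with an unset validity period. The remainder of `TestGenerateCert` lies outside this hunk.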