introduce certopts (#9606)

* introduce cert opts

* it should be using the same signer

* lint and omit serial

agent/consul/server_test.go

@@ -53,21 +53,14 @@ func testTLSCertificates(serverName string) (cert string, key string, cacert str
 		return "", "", "", err
 	}
 
-	serial, err := tlsutil.GenerateSerialNumber()
+	cert, privateKey, err := tlsutil.GenerateCert(tlsutil.CertOpts{
-	if err != nil {
+		Signer:      signer,
-		return "", "", "", err
+		CA:          ca,
-	}
+		Name:        "Test Cert Name",
-
+		Days:        365,
-	cert, privateKey, err := tlsutil.GenerateCert(
+		DNSNames:    []string{serverName},
-		signer,
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
-		ca,
+	})
-		serial,
-		"Test Cert Name",
-		365,
-		[]string{serverName},
-		nil,
-		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
-	)
 	if err != nil {
 		return "", "", "", err
 	}

agent/pool/peek_test.go

@@ -201,22 +201,14 @@ func generateTestCert(serverName string) (cert tls.Certificate, caPEM []byte, er
 		return tls.Certificate{}, nil, err
 	}
 
-	// generate leaf
+	certificate, privateKey, err := tlsutil.GenerateCert(tlsutil.CertOpts{
-	serial, err := tlsutil.GenerateSerialNumber()
+		Signer:      signer,
-	if err != nil {
+		CA:          ca,
-		return tls.Certificate{}, nil, err
+		Name:        "Test Cert Name",
-	}
+		Days:        365,
-
+		DNSNames:    []string{serverName},
-	certificate, privateKey, err := tlsutil.GenerateCert(
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		signer,
+	})
-		ca,
-		serial,
-		"Test Cert Name",
-		365,
-		[]string{serverName},
-		nil,
-		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-	)
 	if err != nil {
 		return tls.Certificate{}, nil, err
 	}

agent/routine-leak-checker/leak_test.go

@@ -15,32 +15,24 @@ import (
 )
 
 func testTLSCertificates(serverName string) (cert string, key string, cacert string, err error) {
-	ca, _, err := tlsutil.GenerateCA(tlsutil.CAOpts{})
-	if err != nil {
-		return "", "", "", err
-	}
-
-	// generate leaf
-	serial, err := tlsutil.GenerateSerialNumber()
-	if err != nil {
-		return "", "", "", err
-	}
-
 	signer, _, err := tlsutil.GeneratePrivateKey()
 	if err != nil {
 		return "", "", "", err
 	}
 
-	cert, privateKey, err := tlsutil.GenerateCert(
+	ca, _, err := tlsutil.GenerateCA(tlsutil.CAOpts{Signer: signer})
-		signer,
+	if err != nil {
-		ca,
+		return "", "", "", err
-		serial,
+	}
-		"Test Cert Name",
+
-		365,
+	cert, privateKey, err := tlsutil.GenerateCert(tlsutil.CertOpts{
-		[]string{serverName},
+		Signer:      signer,
-		nil,
+		CA:          ca,
-		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+		Name:        "Test Cert Name",
-	)
+		Days:        365,
+		DNSNames:    []string{serverName},
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+	})
 	if err != nil {
 		return "", "", "", err
 	}

agent/testagent.go

@@ -572,21 +572,14 @@ func testTLSCertificates(serverName string) (cert string, key string, cacert str
 		return "", "", "", err
 	}
 
-	serial, err := tlsutil.GenerateSerialNumber()
+	cert, privateKey, err := tlsutil.GenerateCert(tlsutil.CertOpts{
-	if err != nil {
+		Signer:      signer,
-		return "", "", "", err
+		CA:          ca,
-	}
+		Name:        "Test Cert Name",
-
+		Days:        365,
-	cert, privateKey, err := tlsutil.GenerateCert(
+		DNSNames:    []string{serverName},
-		signer,
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
-		ca,
+	})
-		serial,
-		"Test Cert Name",
-		365,
-		[]string{serverName},
-		nil,
-		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
-	)
 	if err != nil {
 		return "", "", "", err
 	}

command/tls/cert/create/tls_cert_create.go

@@ -176,13 +176,10 @@ func (c *cmd) Run(args []string) int {
 		return 1
 	}
 
-	sn, err := tlsutil.GenerateSerialNumber()
+	pub, priv, err := tlsutil.GenerateCert(tlsutil.CertOpts{
-	if err != nil {
+		Signer: signer, CA: string(cert), Name: name, Days: c.days,
-		c.UI.Error(err.Error())
+		DNSNames: DNSNames, IPAddresses: IPAddresses, ExtKeyUsage: extKeyUsage,
-		return 1
+	})
-	}
-
-	pub, priv, err := tlsutil.GenerateCert(signer, string(cert), sn, name, c.days, DNSNames, IPAddresses, extKeyUsage)
 	if err != nil {
 		c.UI.Error(err.Error())
 		return 1

tlsutil/generate.go

@@ -44,6 +44,17 @@ type CAOpts struct {
 	Name                string
 }
 
+type CertOpts struct {
+	Signer      crypto.Signer
+	CA          string
+	Serial      *big.Int
+	Name        string
+	Days        int
+	DNSNames    []string
+	IPAddresses []net.IP
+	ExtKeyUsage []x509.ExtKeyUsage
+}
+
 // GenerateCA generates a new CA for agent TLS (not to be confused with Connect TLS)
 func GenerateCA(opts CAOpts) (string, string, error) {
 	signer := opts.Signer
@@ -127,8 +138,8 @@ func GenerateCA(opts CAOpts) (string, string, error) {
 }
 
 // GenerateCert generates a new certificate for agent TLS (not to be confused with Connect TLS)
-func GenerateCert(signer crypto.Signer, ca string, sn *big.Int, name string, days int, DNSNames []string, IPAddresses []net.IP, extKeyUsage []x509.ExtKeyUsage) (string, string, error) {
+func GenerateCert(opts CertOpts) (string, string, error) {
-	parent, err := parseCert(ca)
+	parent, err := parseCert(opts.CA)
 	if err != nil {
 		return "", "", err
 	}
@@ -143,21 +154,30 @@ func GenerateCert(signer crypto.Signer, ca string, sn *big.Int, name string, day
 		return "", "", err
 	}
 
-	template := x509.Certificate{
+	sn := opts.Serial
-		SerialNumber:          sn,
+	if sn == nil {
-		Subject:               pkix.Name{CommonName: name},
+		var err error
-		BasicConstraintsValid: true,
+		sn, err = GenerateSerialNumber()
-		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		if err != nil {
-		ExtKeyUsage:           extKeyUsage,
+			return "", "", err
-		IsCA:                  false,
+		}
-		NotAfter:              time.Now().AddDate(0, 0, days),
-		NotBefore:             time.Now(),
-		SubjectKeyId:          id,
-		DNSNames:              DNSNames,
-		IPAddresses:           IPAddresses,
 	}
 
-	bs, err := x509.CreateCertificate(rand.Reader, &template, parent, signee.Public(), signer)
+	template := x509.Certificate{
+		SerialNumber:          sn,
+		Subject:               pkix.Name{CommonName: opts.Name},
+		BasicConstraintsValid: true,
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		ExtKeyUsage:           opts.ExtKeyUsage,
+		IsCA:                  false,
+		NotAfter:              time.Now().AddDate(0, 0, opts.Days),
+		NotBefore:             time.Now(),
+		SubjectKeyId:          id,
+		DNSNames:              opts.DNSNames,
+		IPAddresses:           opts.IPAddresses,
+	}
+
+	bs, err := x509.CreateCertificate(rand.Reader, &template, parent, signee.Public(), opts.Signer)
 	if err != nil {
 		return "", "", err
 	}

tlsutil/generate_test.go

@@ -117,13 +117,14 @@ func TestGenerateCert(t *testing.T) {
 	ca, _, err := GenerateCA(CAOpts{Signer: signer})
 	require.Nil(t, err)
 
-	sn, err := GenerateSerialNumber()
-	require.Nil(t, err)
 	DNSNames := []string{"server.dc1.consul"}
 	IPAddresses := []net.IP{net.ParseIP("123.234.243.213")}
 	extKeyUsage := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
 	name := "Cert Name"
-	certificate, pk, err := GenerateCert(signer, ca, sn, name, 365, DNSNames, IPAddresses, extKeyUsage)
+	certificate, pk, err := GenerateCert(CertOpts{
+		Signer: signer, CA: ca, Name: name, Days: 365,
+		DNSNames: DNSNames, IPAddresses: IPAddresses, ExtKeyUsage: extKeyUsage,
+	})
 	require.Nil(t, err)
 	require.NotEmpty(t, certificate)
 	require.NotEmpty(t, pk)