cluster/prodvider: rewrite against x509 lib for ed25519 support
This gets rid of cfssl for the kubernetes bits of prodvider, instead
using plain crypto/x509. This also allows to support our new fancy
ED25519 CA.
Change-Id: If677b3f4523014f56ea802b87499d1c0eb6d92e9
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1489
Reviewed-by: q3k <q3k@hackerspace.pl>
diff --git a/cluster/prodvider/certs.go b/cluster/prodvider/certs.go
index 309af1f..acc89f9 100644
--- a/cluster/prodvider/certs.go
+++ b/cluster/prodvider/certs.go
@@ -1,113 +1,118 @@
package main
import (
+ "crypto/ed25519"
+ "crypto/rand"
"crypto/tls"
+ "crypto/x509"
+ "crypto/x509/pkix"
+ "encoding/pem"
"fmt"
+ "math/big"
+ "net"
"time"
- "github.com/cloudflare/cfssl/csr"
- "github.com/cloudflare/cfssl/signer"
"github.com/golang/glog"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
)
+func serializeCert(der []byte) []byte {
+ return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
+}
+
+func serializeKey(priv ed25519.PrivateKey) []byte {
+ pkcs8, err := x509.MarshalPKCS8PrivateKey(priv)
+ if err != nil {
+ return nil
+ }
+
+ block := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: pkcs8})
+ return block
+}
+
func (p *prodvider) selfCreds() grpc.ServerOption {
glog.Infof("Bootstrapping certificate for self (%q)...", flagProdviderCN)
- // Create a key and CSR.
- csrPEM, keyPEM, err := p.makeSelfCSR()
- if err != nil {
- glog.Exitf("Could not generate key and CSR for self: %v", err)
- }
-
// Create a cert
- certPEM, err := p.makeSelfCertificate(csrPEM)
+ keyRaw, certRaw, err := p.makeSelfCertificate()
if err != nil {
glog.Exitf("Could not sign certificate for self: %v", err)
}
- serverCert, err := tls.X509KeyPair(certPEM, keyPEM)
+ serverCert, err := tls.X509KeyPair(serializeCert(certRaw), serializeKey(keyRaw))
if err != nil {
glog.Exitf("Could not use gRPC certificate: %v", err)
}
- signerCert, _ := p.sign.Certificate("", "")
- serverCert.Certificate = append(serverCert.Certificate, signerCert.Raw)
+ serverCert.Certificate = append(serverCert.Certificate, p.intermediateCACert.Raw)
return grpc.Creds(credentials.NewTLS(&tls.Config{
Certificates: []tls.Certificate{serverCert},
}))
}
-func (p *prodvider) makeSelfCSR() ([]byte, []byte, error) {
- signerCert, _ := p.sign.Certificate("", "")
- req := &csr.CertificateRequest{
- CN: flagProdviderCN,
- KeyRequest: &csr.BasicKeyRequest{
- A: "rsa",
- S: 4096,
+func (p *prodvider) makeSelfCertificate() (ed25519.PrivateKey, []byte, error) {
+ serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 127)
+ serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+ if err != nil {
+ return nil, nil, err
+ }
+ template := &x509.Certificate{
+ Subject: pkix.Name{
+ CommonName: flagProdviderCN,
},
- Names: []csr.Name{
- {
- C: signerCert.Subject.Country[0],
- ST: signerCert.Subject.Province[0],
- L: signerCert.Subject.Locality[0],
- O: signerCert.Subject.Organization[0],
- OU: signerCert.Subject.OrganizationalUnit[0],
- },
+ NotBefore: time.Now(),
+ NotAfter: time.Now().Add(30 * 24 * time.Hour),
+ KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+ ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+ SerialNumber: serialNumber,
+ DNSNames: []string{flagProdviderCN},
+ IPAddresses: []net.IP{
+ {127, 0, 0, 1},
},
- Hosts: []string{flagProdviderCN},
}
- g := &csr.Generator{
- Validator: func(req *csr.CertificateRequest) error { return nil },
+ pkey, skey, err := ed25519.GenerateKey(rand.Reader)
+ if err != nil {
+ return nil, nil, err
}
-
- return g.ProcessRequest(req)
+ bytes, err := x509.CreateCertificate(rand.Reader, template, p.intermediateCACert, pkey, p.intermediateCAKey)
+ if err != nil {
+ return nil, nil, err
+ }
+ return skey, bytes, nil
}
-func (p *prodvider) makeSelfCertificate(csr []byte) ([]byte, error) {
- req := signer.SignRequest{
- Hosts: []string{flagProdviderCN},
- Request: string(csr),
- Profile: "server",
+func (p *prodvider) makeKubernetesCertificate(username, o string, notAfter time.Time) (ed25519.PrivateKey, []byte, error) {
+ serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 127)
+ serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+ if err != nil {
+ return nil, nil, err
}
- return p.sign.Sign(req)
-}
-
-func (p *prodvider) makeKubernetesCSR(username, o string) ([]byte, []byte, error) {
- signerCert, _ := p.sign.Certificate("", "")
- req := &csr.CertificateRequest{
- CN: username,
- KeyRequest: &csr.BasicKeyRequest{
- A: "rsa",
- S: 4096,
+ template := &x509.Certificate{
+ Subject: pkix.Name{
+ Organization: []string{o},
+ OrganizationalUnit: []string{fmt.Sprintf("Prodvider Kubernetes Cert for %s/%s", username, o)},
+ CommonName: username,
},
- Names: []csr.Name{
- {
- C: signerCert.Subject.Country[0],
- ST: signerCert.Subject.Province[0],
- L: signerCert.Subject.Locality[0],
- O: o,
- OU: fmt.Sprintf("Prodvider Kubernetes Cert for %s/%s", username, o),
- },
+ NotBefore: time.Now(),
+ NotAfter: notAfter,
+ KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+ ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+ DNSNames: []string{
+ username,
},
+ SerialNumber: serialNumber,
}
- g := &csr.Generator{
- Validator: func(req *csr.CertificateRequest) error { return nil },
+ pkey, skey, err := ed25519.GenerateKey(rand.Reader)
+ if err != nil {
+ return nil, nil, err
}
-
- return g.ProcessRequest(req)
-}
-
-func (p *prodvider) makeKubernetesCertificate(csr []byte, notAfter time.Time) ([]byte, error) {
- req := signer.SignRequest{
- Hosts: []string{},
- Request: string(csr),
- Profile: "client",
- NotAfter: notAfter,
+ bytes, err := x509.CreateCertificate(rand.Reader, template, p.intermediateCACert, pkey, p.intermediateCAKey)
+ if err != nil {
+ return nil, nil, err
}
- return p.sign.Sign(req)
+ return skey, bytes, nil
}