Gitiles
Code Review Sign In
gerrit.hackerspace.pl / hscloud / de83f4904f53d787a3294d7e0d9c0aa73ce82286 / . / cluster / prodvider / certs.go
blob: acc89f953f67465b488ed7d5a9b6d0a15c0a48ef [file] [log] [blame]
Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +0200[diff] [blame]1package main
2
3import (
Serge Bazanski3a6d67e2023-03-31 22:36:27 +0000[diff] [blame]4 "crypto/ed25519"
5 "crypto/rand"
Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +0200[diff] [blame]6 "crypto/tls"
Serge Bazanski3a6d67e2023-03-31 22:36:27 +0000[diff] [blame]7 "crypto/x509"
8 "crypto/x509/pkix"
9 "encoding/pem"
Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +0200[diff] [blame]10 "fmt"
Serge Bazanski3a6d67e2023-03-31 22:36:27 +0000[diff] [blame]11 "math/big"
12 "net"
Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +0200[diff] [blame]13 "time"
14
Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +0200[diff] [blame]15 "github.com/golang/glog"
16 "google.golang.org/grpc"
17 "google.golang.org/grpc/credentials"
18)
19
Serge Bazanski3a6d67e2023-03-31 22:36:27 +0000[diff] [blame]20func serializeCert(der []byte) []byte {
21 return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
22}
23
24func serializeKey(priv ed25519.PrivateKey) []byte {
25 pkcs8, err := x509.MarshalPKCS8PrivateKey(priv)
26 if err != nil {
27 return nil
28 }
29
30 block := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: pkcs8})
31 return block
32}
33
Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +0200[diff] [blame]34func (p *prodvider) selfCreds() grpc.ServerOption {
35 glog.Infof("Bootstrapping certificate for self (%q)...", flagProdviderCN)
36
Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +0200[diff] [blame]37 // Create a cert
Serge Bazanski3a6d67e2023-03-31 22:36:27 +0000[diff] [blame]38 keyRaw, certRaw, err := p.makeSelfCertificate()
Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +0200[diff] [blame]39 if err != nil {
40 glog.Exitf("Could not sign certificate for self: %v", err)
41 }
42
Serge Bazanski3a6d67e2023-03-31 22:36:27 +0000[diff] [blame]43 serverCert, err := tls.X509KeyPair(serializeCert(certRaw), serializeKey(keyRaw))
Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +0200[diff] [blame]44 if err != nil {
45 glog.Exitf("Could not use gRPC certificate: %v", err)
46 }
47
Serge Bazanski3a6d67e2023-03-31 22:36:27 +0000[diff] [blame]48 serverCert.Certificate = append(serverCert.Certificate, p.intermediateCACert.Raw)
Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +0200[diff] [blame]49
50 return grpc.Creds(credentials.NewTLS(&tls.Config{
51 Certificates: []tls.Certificate{serverCert},
52 }))
53}
54
Serge Bazanski3a6d67e2023-03-31 22:36:27 +0000[diff] [blame]55func (p *prodvider) makeSelfCertificate() (ed25519.PrivateKey, []byte, error) {
56 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 127)
57 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
58 if err != nil {
59 return nil, nil, err
60 }
61 template := &x509.Certificate{
62 Subject: pkix.Name{
63 CommonName: flagProdviderCN,
Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +0200[diff] [blame]64 },
Serge Bazanski3a6d67e2023-03-31 22:36:27 +0000[diff] [blame]65 NotBefore: time.Now(),
66 NotAfter: time.Now().Add(30 * 24 * time.Hour),
67 KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
68 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
69 SerialNumber: serialNumber,
70 DNSNames: []string{flagProdviderCN},
71 IPAddresses: []net.IP{
72 {127, 0, 0, 1},
Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +0200[diff] [blame]73 },
74 }
75
Serge Bazanski3a6d67e2023-03-31 22:36:27 +0000[diff] [blame]76 pkey, skey, err := ed25519.GenerateKey(rand.Reader)
77 if err != nil {
78 return nil, nil, err
Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +0200[diff] [blame]79 }
Serge Bazanski3a6d67e2023-03-31 22:36:27 +0000[diff] [blame]80 bytes, err := x509.CreateCertificate(rand.Reader, template, p.intermediateCACert, pkey, p.intermediateCAKey)
81 if err != nil {
82 return nil, nil, err
83 }
84 return skey, bytes, nil
Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +0200[diff] [blame]85}
86
Serge Bazanski3a6d67e2023-03-31 22:36:27 +0000[diff] [blame]87func (p *prodvider) makeKubernetesCertificate(username, o string, notAfter time.Time) (ed25519.PrivateKey, []byte, error) {
88 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 127)
89 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
90 if err != nil {
91 return nil, nil, err
Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +0200[diff] [blame]92 }
Serge Bazanski3a6d67e2023-03-31 22:36:27 +0000[diff] [blame]93 template := &x509.Certificate{
94 Subject: pkix.Name{
95 Organization: []string{o},
96 OrganizationalUnit: []string{fmt.Sprintf("Prodvider Kubernetes Cert for %s/%s", username, o)},
97 CommonName: username,
Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +0200[diff] [blame]98 },
Serge Bazanski3a6d67e2023-03-31 22:36:27 +0000[diff] [blame]99 NotBefore: time.Now(),
100 NotAfter: notAfter,
101 KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
102 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
103 DNSNames: []string{
104 username,
Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +0200[diff] [blame]105 },
Serge Bazanski3a6d67e2023-03-31 22:36:27 +0000[diff] [blame]106 SerialNumber: serialNumber,
Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +0200[diff] [blame]107 }
108
Serge Bazanski3a6d67e2023-03-31 22:36:27 +0000[diff] [blame]109 pkey, skey, err := ed25519.GenerateKey(rand.Reader)
110 if err != nil {
111 return nil, nil, err
Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +0200[diff] [blame]112 }
Serge Bazanski3a6d67e2023-03-31 22:36:27 +0000[diff] [blame]113 bytes, err := x509.CreateCertificate(rand.Reader, template, p.intermediateCACert, pkey, p.intermediateCAKey)
114 if err != nil {
115 return nil, nil, err
Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +0200[diff] [blame]116 }
Serge Bazanski3a6d67e2023-03-31 22:36:27 +0000[diff] [blame]117 return skey, bytes, nil
Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +0200[diff] [blame]118}