"github.com/pkg/errors"
"github.com/kumahq/kuma/pkg/core"
util_rsa "github.com/kumahq/kuma/pkg/util/rsa"
var DefaultValidityPeriod = 10 * 365 * 24 * time.Hour
ServerCertType CertType = "server"
ClientCertType CertType = "client"
DefaultAllowedClockSkew = 5 * time.Minute
DefaultCACertValidityPeriod = 10 * 365 * 24 * time.Hour
type KeyType func() (crypto.Signer, error)
var ECDSAKeyType KeyType = func() (crypto.Signer, error) {
return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
var RSAKeyType KeyType = func() (crypto.Signer, error) {
return util_rsa.GenerateKey(util_rsa.DefaultKeySize)
var DefaultKeyType = RSAKeyType
func NewSelfSignedCert(certType CertType, keyType KeyType, hosts ...string) (KeyPair, error) {
return KeyPair{}, errors.Wrap(err, "failed to generate TLS key")
csr, err := newCert(nil, certType, hosts...)
certDerBytes, err := x509.CreateCertificate(rand.Reader, &csr, &csr, key.Public(), key)
return KeyPair{}, errors.Wrap(err, "failed to generate TLS certificate")
certBytes, err := pemEncodeCert(certDerBytes)
keyBytes, err := pemEncodeKey(key)
// NewCert generates a certificate that is signed by the CA (parent)
parent x509.Certificate,
parentKey crypto.Signer,
return KeyPair{}, errors.Wrap(err, "failed to generate TLS key")
csr, err := newCert(&parent.Subject, certType, hosts...)
certDerBytes, err := x509.CreateCertificate(rand.Reader, &csr, &parent, key.Public(), parentKey)
return KeyPair{}, errors.Wrap(err, "failed to generate TLS certificate")
certBytes, err := pemEncodeCert(certDerBytes)
keyBytes, err := pemEncodeKey(key)
return KeyPair{}, err
func newCert(issuer *pkix.Name, certType CertType, hosts ...string) (x509.Certificate, error) {
notBefore := time.Now()
notAfter := notBefore.Add(DefaultValidityPeriod)
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
return x509.Certificate{}, errors.Wrap(err, "failed to generate serial number")
csr := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{},
NotBefore: notBefore,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{},
BasicConstraintsValid: true,
csr.KeyUsage |= x509.KeyUsageCertSign
csr.ExtKeyUsage = append(csr.ExtKeyUsage, x509.ExtKeyUsageServerAuth)
csr.ExtKeyUsage = append(csr.ExtKeyUsage, x509.ExtKeyUsageClientAuth)
return x509.Certificate{}, errors.Errorf("invalid certificate type %q, expected either %q or %q",
certType, ServerCertType, ClientCertType)
for _, host := range hosts {
if ip := net.ParseIP(host); ip != nil {
csr.IPAddresses = append(csr.IPAddresses, ip)
csr.DNSNames = append(csr.DNSNames, host)
func GenerateCA(keyType KeyType, subject pkix.Name) (*KeyPair, error) {
key, err := keyType()
return nil, errors.Wrap(err, "failed to generate a private key")
notBefore := now.Add(-DefaultAllowedClockSkew)
notAfter := now.Add(DefaultCACertValidityPeriod)
caTemplate := &x509.Certificate{
SerialNumber: big.NewInt(0),
NotBefore: notBefore,
KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
BasicConstraintsValid: true,
PublicKey: key.Public(),
ca, err := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, key.Public(), key)
return ToKeyPair(key, ca)