
     1  //  Copyright Istio Authors
     2  //
     3  //  Licensed under the Apache License, Version 2.0 (the "License");
     4  //  you may not use this file except in compliance with the License.
     5  //  You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  //  Unless required by applicable law or agreed to in writing, software
    10  //  distributed under the License is distributed on an "AS IS" BASIS,
    11  //  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  //  See the License for the specific language governing permissions and
    13  //  limitations under the License.
    14  
    15  package ca
    16  
import (
	"fmt"
	"os"
	"path/filepath"

	"istio.io/istio/pkg/test/cert"
)
    23  
// rootCAConf is the OpenSSL-style `req` configuration that NewRoot writes to
// Root.ConfFile and that the CSR and certificate generation steps read back.
// The req_ext section is used for both the request and the X.509 extensions,
// so the resulting self-signed certificate is marked as a CA
// (basicConstraints CA:true, critical) with keyCertSign among its key usages;
// the subject is fixed to O=Istio, CN=Root CA. The leading newline of the
// raw string literal is part of the value.
var rootCAConf = `
[ req ]
encrypt_key = no
prompt = no
utf8 = yes
default_md = sha256
default_bits = 4096
req_extensions = req_ext
x509_extensions = req_ext
distinguished_name = req_dn
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign
[ req_dn ]
O = Istio
CN = Root CA`
    41  
// Root contains the cryptographic files for a self-signed root CA.
//
// Every field is a file path beneath the directory handed to NewRoot; the
// struct itself holds no key material.
type Root struct {
	// KeyFile is the path to the file containing the private key for the CA.
	// It is the secret of this root: whoever can read it can sign certificates
	// that chain to CertFile.
	KeyFile string

	// ConfFile is the path to the file containing the extensions configuration
	// (the contents of rootCAConf) used when generating the CSR and the cert.
	ConfFile string

	// CSRFile is the path to the certificate signing request used to generate the cert.
	CSRFile string

	// CertFile is the path to the self-signed certificate for the root CA.
	CertFile string
}
    56  
    57  // NewRoot generates the files for a new self-signed Root CA files under the given directory.
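// NewRoot generates the files for a new self-signed Root CA under workDir.
//
// It writes the request configuration (rootCAConf) to root-ca.conf, then
// produces the private key, the CSR and finally the self-signed certificate
// through the cert helpers. workDir must already exist; it is not created here.
//
// On success the returned Root points at the four generated files. On the
// first failing step a zero Root and an error wrapped with that step and the
// file involved are returned; files written by earlier steps are left in place.
func NewRoot(workDir string) (Root, error) {
	root := Root{
		KeyFile:  filepath.Join(workDir, "root-key.pem"),
		ConfFile: filepath.Join(workDir, "root-ca.conf"),
		CSRFile:  filepath.Join(workDir, "root-ca.csr"),
		CertFile: filepath.Join(workDir, "root-cert.pem"),
	}

	// The conf file carries the CA extensions (CA:true, keyCertSign) that the
	// CSR and cert steps below read back. It holds no secret, but it must not be
	// writable by other users, or the constraints of the root could be altered
	// between this write and the signing steps. The previous os.ModePerm
	// requested 0777 and relied on the umask to strip the write bits; 0o644 is
	// all a config file needs.
	if err := os.WriteFile(root.ConfFile, []byte(rootCAConf), 0o644); err != nil {
		return Root{}, fmt.Errorf("writing root CA conf %q: %w", root.ConfFile, err)
	}

	// Create the root key. File permissions for the key are the responsibility
	// of cert.GenerateKey, which is outside this file.
	if err := cert.GenerateKey(root.KeyFile); err != nil {
		return Root{}, fmt.Errorf("generating root CA key %q: %w", root.KeyFile, err)
	}

	// Create the root CSR from the key, using the extensions in the conf file.
	if err := cert.GenerateCSR(root.ConfFile, root.KeyFile, root.CSRFile); err != nil {
		return Root{}, fmt.Errorf("generating root CA csr %q: %w", root.CSRFile, err)
	}

	// Self-sign the CSR with the root key to produce the root certificate.
	if err := cert.GenerateCert(root.ConfFile, root.CSRFile, root.KeyFile, root.CertFile); err != nil {
		return Root{}, fmt.Errorf("generating root CA cert %q: %w", root.CertFile, err)
	}
	return root, nil
}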