sigs.k8s.io/cluster-api@v1.7.1/util/certs/types.go

sigs.k8s.io/cluster-api@v1.7.1/util/certs/types.go (about)

     1  /*
     2  Copyright 2019 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package certs
    18  
    19  import (
    20  	"crypto"
    21  	"crypto/rand"
    22  	"crypto/rsa"
    23  	"crypto/x509"
    24  	"crypto/x509/pkix"
    25  	"math"
    26  	"math/big"
    27  	"net"
    28  	"time"
    29  
    30  	"github.com/pkg/errors"
    31  )
    32  
    33  // KeyPair holds the raw bytes for a certificate and key.
    34  type KeyPair struct {
    35  	Cert, Key []byte
    36  }
    37  
    38  // IsValid returns true if both the certificate and key are non-nil.
    39  func (k *KeyPair) IsValid() bool {
    40  	return k.Cert != nil && k.Key != nil
    41  }
    42  
    43  // Config contains the basic fields required for creating a certificate.
    44  type Config struct {
    45  	CommonName   string
    46  	Organization []string
    47  	AltNames     AltNames
    48  	Usages       []x509.ExtKeyUsage
    49  }
    50  
    51  // NewSignedCert creates a signed certificate using the given CA certificate and key.
    52  func (cfg *Config) NewSignedCert(key *rsa.PrivateKey, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
    53  	serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
    54  	if err != nil {
    55  		return nil, errors.Wrap(err, "failed to generate random integer for signed cerficate")
    56  	}
    57  
    58  	if cfg.CommonName == "" {
    59  		return nil, errors.New("must specify a CommonName")
    60  	}
    61  
    62  	if len(cfg.Usages) == 0 {
    63  		return nil, errors.New("must specify at least one ExtKeyUsage")
    64  	}
    65  
    66  	tmpl := x509.Certificate{
    67  		Subject: pkix.Name{
    68  			CommonName:   cfg.CommonName,
    69  			Organization: cfg.Organization,
    70  		},
    71  		DNSNames:     cfg.AltNames.DNSNames,
    72  		IPAddresses:  cfg.AltNames.IPs,
    73  		SerialNumber: serial,
    74  		NotBefore:    caCert.NotBefore,
    75  		NotAfter:     time.Now().Add(DefaultCertDuration).UTC(),
    76  		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
    77  		ExtKeyUsage:  cfg.Usages,
    78  	}
    79  
    80  	b, err := x509.CreateCertificate(rand.Reader, &tmpl, caCert, key.Public(), caKey)
    81  	if err != nil {
    82  		return nil, errors.Wrapf(err, "failed to create signed certificate: %+v", tmpl)
    83  	}
    84  
    85  	return x509.ParseCertificate(b)
    86  }
    87  
    88  // AltNames contains the domain names and IP addresses that will be added
    89  // to the API Server's x509 certificate SubAltNames field. The values will
    90  // be passed directly to the x509.Certificate object.
    91  type AltNames struct {
    92  	DNSNames []string
    93  	IPs      []net.IP
    94  }