Serge Bazanski
f0acf16564
This fixes compatibility with prodaccess tools built with Go 1.15, which introduced 'X.509 CommonName deprecation' [1]. [1] - https://golang.org/doc/go1.15#commonname Change-Id: I228cde3e5651a3e36f527783f2ccb4a2f6b7a8e3
package main
import (
	"crypto/tls"
	"errors"
	"fmt"
	"time"

	"github.com/cloudflare/cfssl/csr"
	"github.com/cloudflare/cfssl/signer"
	"github.com/golang/glog"
	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials"
)
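// selfCreds builds the gRPC server credentials prodvider presents to its own
// clients: a freshly generated key and CSR for flagProdviderCN, signed by the
// prodvider CA (p.sign), with the CA certificate appended to the served chain.
//
// Every failure is fatal (glog.Exitf): the server cannot meaningfully start
// without its own certificate.
func (p *prodvider) selfCreds() grpc.ServerOption {
	glog.Infof("Bootstrapping certificate for self (%q)...", flagProdviderCN)

	// Create a key and CSR.
	csrPEM, keyPEM, err := p.makeSelfCSR()
	if err != nil {
		glog.Exitf("Could not generate key and CSR for self: %v", err)
	}

	// Create a cert
	certPEM, err := p.makeSelfCertificate(csrPEM)
	if err != nil {
		glog.Exitf("Could not sign certificate for self: %v", err)
	}

	serverCert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		glog.Exitf("Could not use gRPC certificate: %v", err)
	}

	// Append the CA certificate so clients receive the full chain. The error
	// from Certificate() used to be discarded, which would turn a missing
	// signer certificate into a nil-pointer panic on signerCert.Raw.
	signerCert, err := p.sign.Certificate("", "")
	if err != nil {
		glog.Exitf("Could not load signer certificate for self: %v", err)
	}
	if signerCert == nil {
		glog.Exitf("Signer returned no certificate to append to own chain")
	}
	serverCert.Certificate = append(serverCert.Certificate, signerCert.Raw)

	return grpc.Creds(credentials.NewTLS(&tls.Config{
		Certificates: []tls.Certificate{serverCert},
		// Pin the protocol floor explicitly so it does not depend on the Go
		// toolchain's server-side default or on the gRPC version this is
		// built against.
		MinVersion: tls.VersionTLS12,
	}))
}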
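// makeSelfCSR generates a 4096-bit RSA key and a CSR for prodvider's own
// server certificate. Both the common name and the single SAN are
// flagProdviderCN (clients built with Go 1.15+ no longer use the CN for host
// verification, so the SAN is what matters); the remaining subject attributes
// are copied from the signer's certificate.
//
// Returns the PEM-encoded CSR and private key, or an error if the signer
// certificate cannot be loaded or cfssl rejects the request.
func (p *prodvider) makeSelfCSR() ([]byte, []byte, error) {
	signerCert, err := p.sign.Certificate("", "")
	if err != nil {
		return nil, nil, fmt.Errorf("loading signer certificate: %w", err)
	}
	if signerCert == nil {
		return nil, nil, errors.New("signer returned no certificate to copy subject from")
	}

	// The signer's subject attributes are slices; indexing [0] unconditionally
	// panics on a CA certificate that omits one. An absent attribute is left
	// empty instead, which cfssl drops from the subject.
	first := func(s []string) string {
		if len(s) == 0 {
			return ""
		}
		return s[0]
	}

	req := &csr.CertificateRequest{
		CN: flagProdviderCN,
		KeyRequest: &csr.BasicKeyRequest{
			A: "rsa",
			S: 4096,
		},
		Names: []csr.Name{
			{
				C:  first(signerCert.Subject.Country),
				ST: first(signerCert.Subject.Province),
				L:  first(signerCert.Subject.Locality),
				O:  first(signerCert.Subject.Organization),
				OU: first(signerCert.Subject.OrganizationalUnit),
			},
		},
		Hosts: []string{flagProdviderCN},
	}

	// cfssl's default request validation is bypassed: the request is built
	// entirely from local values above, nothing in it is caller-supplied.
	g := &csr.Generator{
		Validator: func(*csr.CertificateRequest) error { return nil },
	}

	return g.ProcessRequest(req)
}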
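// makeSelfCertificate signs csrPEM with the prodvider CA under the "server"
// profile, with flagProdviderCN as the only SAN. It returns the PEM-encoded
// certificate or the signer's error.
//
// The parameter is csrPEM rather than csr so it does not shadow the cfssl csr
// package imported by this file.
func (p *prodvider) makeSelfCertificate(csrPEM []byte) ([]byte, error) {
	req := signer.SignRequest{
		Hosts:   []string{flagProdviderCN},
		Request: string(csrPEM),
		Profile: "server",
	}
	return p.sign.Sign(req)
}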
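// makeKubernetesCSR generates a 4096-bit RSA key and a CSR for a Kubernetes
// client certificate. The identity is carried in the subject: CN is username,
// O is the group o, and OU records which user/group pairing the certificate
// was issued for. C/ST/L are copied from the signer's certificate. No SANs are
// requested, as this is a client certificate.
//
// Returns the PEM-encoded CSR and private key, or an error if the signer
// certificate cannot be loaded or cfssl rejects the request.
func (p *prodvider) makeKubernetesCSR(username, o string) ([]byte, []byte, error) {
	signerCert, err := p.sign.Certificate("", "")
	if err != nil {
		return nil, nil, fmt.Errorf("loading signer certificate: %w", err)
	}
	if signerCert == nil {
		return nil, nil, errors.New("signer returned no certificate to copy subject from")
	}

	// The signer's subject attributes are slices; indexing [0] unconditionally
	// panics on a CA certificate that omits one. An absent attribute is left
	// empty instead, which cfssl drops from the subject.
	first := func(s []string) string {
		if len(s) == 0 {
			return ""
		}
		return s[0]
	}

	req := &csr.CertificateRequest{
		CN: username,
		KeyRequest: &csr.BasicKeyRequest{
			A: "rsa",
			S: 4096,
		},
		Names: []csr.Name{
			{
				C:  first(signerCert.Subject.Country),
				ST: first(signerCert.Subject.Province),
				L:  first(signerCert.Subject.Locality),
				O:  o,
				OU: fmt.Sprintf("Prodvider Kubernetes Cert for %s/%s", username, o),
			},
		},
	}

	// cfssl's default request validation is bypassed; username and o are the
	// only external inputs and they land in subject attributes, not in hosts.
	g := &csr.Generator{
		Validator: func(*csr.CertificateRequest) error { return nil },
	}

	return g.ProcessRequest(req)
}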
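// makeKubernetesCertificate signs csrPEM with the prodvider CA under the
// "client" profile, expiring at notAfter. No SANs are requested: the identity
// lives in the subject set by makeKubernetesCSR. It returns the PEM-encoded
// certificate or the signer's error.
//
// The parameter is csrPEM rather than csr so it does not shadow the cfssl csr
// package imported by this file.
func (p *prodvider) makeKubernetesCertificate(csrPEM []byte, notAfter time.Time) ([]byte, error) {
	req := signer.SignRequest{
		Hosts:   []string{},
		Request: string(csrPEM),
		Profile: "client",
		// NOTE(review): notAfter is passed through unchecked; how a zero value
		// is treated is decided by the cfssl signer, not here — confirm the
		// caller always supplies one.
		NotAfter: notAfter,
	}
	return p.sign.Sign(req)
}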