hscloud/cluster/prodvider/certs.go
Serge Bazanski f0acf16564 prodvider: use SANs in service certificates
This fixes compatibility with prodaccess tools built with Go 1.15, which
introduced 'X.509 CommonName deprecation' [1].

[1] - https://golang.org/doc/go1.15#commonname

Change-Id: I228cde3e5651a3e36f527783f2ccb4a2f6b7a8e3
2020-10-03 14:56:35 +00:00


package main
import (
"crypto/tls"
"fmt"
"time"
"github.com/cloudflare/cfssl/csr"
"github.com/cloudflare/cfssl/signer"
"github.com/golang/glog"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
)
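// selfCreds builds the gRPC transport credentials prodvider presents as its
// own server identity: a fresh RSA key and CSR, signed by the prodvider CA,
// returned as a grpc.ServerOption carrying the leaf plus the CA certificate.
//
// Every failure is fatal (glog.Exitf), matching the bootstrap style used
// throughout this file: the server cannot start without its own certificate.
func (p *prodvider) selfCreds() grpc.ServerOption {
	glog.Infof("Bootstrapping certificate for self (%q)...", flagProdviderCN)

	// Create a key and CSR.
	csrPEM, keyPEM, err := p.makeSelfCSR()
	if err != nil {
		glog.Exitf("Could not generate key and CSR for self: %v", err)
	}

	// Create a cert
	certPEM, err := p.makeSelfCertificate(csrPEM)
	if err != nil {
		glog.Exitf("Could not sign certificate for self: %v", err)
	}

	serverCert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		glog.Exitf("Could not use gRPC certificate: %v", err)
	}

	// Append the signing CA so peers receive the full chain. This error was
	// previously discarded; a nil signerCert would panic on .Raw below.
	signerCert, err := p.sign.Certificate("", "")
	if err != nil {
		glog.Exitf("Could not retrieve signer certificate: %v", err)
	}
	serverCert.Certificate = append(serverCert.Certificate, signerCert.Raw)

	return grpc.Creds(credentials.NewTLS(&tls.Config{
		Certificates: []tls.Certificate{serverCert},
		// Refuse TLS 1.0/1.1 explicitly rather than relying on the library
		// default; Go-built clients negotiate TLS 1.2 or newer.
		MinVersion: tls.VersionTLS12,
	}))
}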
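// makeSelfCSR generates an RSA-4096 key and a PEM-encoded certificate
// signing request for prodvider itself. The subject copies the signing CA's
// C/ST/L/O/OU; CN and a SAN (Hosts) are both set to flagProdviderCN so that
// clients which ignore the deprecated CommonName still match the server name.
//
// Returns (csrPEM, keyPEM, err).
func (p *prodvider) makeSelfCSR() ([]byte, []byte, error) {
	signerCert, err := p.sign.Certificate("", "")
	if err != nil {
		return nil, nil, fmt.Errorf("retrieving signer certificate: %v", err)
	}

	// Indexing [0] unconditionally panics on a CA whose subject omits one of
	// these attributes; report it as an error instead.
	subj := signerCert.Subject
	if len(subj.Country) == 0 || len(subj.Province) == 0 || len(subj.Locality) == 0 ||
		len(subj.Organization) == 0 || len(subj.OrganizationalUnit) == 0 {
		return nil, nil, fmt.Errorf("signer certificate subject %q lacks one of C/ST/L/O/OU", subj.String())
	}

	req := &csr.CertificateRequest{
		CN: flagProdviderCN,
		KeyRequest: &csr.BasicKeyRequest{
			A: "rsa",
			S: 4096,
		},
		Names: []csr.Name{
			{
				C:  subj.Country[0],
				ST: subj.Province[0],
				L:  subj.Locality[0],
				O:  subj.Organization[0],
				OU: subj.OrganizationalUnit[0],
			},
		},
		// SAN for the server name, alongside the CN above.
		Hosts: []string{flagProdviderCN},
	}
	g := &csr.Generator{
		// The request is assembled locally from the CA's own subject and a
		// flag, so cfssl's request validation is bypassed.
		Validator: func(*csr.CertificateRequest) error { return nil },
	}
	return g.ProcessRequest(req)
}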
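// makeSelfCertificate signs csrPEM with the prodvider CA under the "server"
// profile and returns the PEM-encoded certificate. The SAN list is pinned to
// flagProdviderCN regardless of what the CSR requested.
//
// The parameter was previously named csr, shadowing the imported csr package.
func (p *prodvider) makeSelfCertificate(csrPEM []byte) ([]byte, error) {
	req := signer.SignRequest{
		Hosts:   []string{flagProdviderCN},
		Request: string(csrPEM),
		Profile: "server",
	}
	return p.sign.Sign(req)
}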
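// makeKubernetesCSR generates an RSA-4096 key and a PEM-encoded CSR for a
// Kubernetes client identity: username becomes the CN and o the O, the
// fields Kubernetes' x509 client-certificate authenticator reads as user and
// group. C/ST/L are copied from the signing CA; OU is a descriptive label.
// No SANs are requested, as this is a client certificate.
//
// Returns (csrPEM, keyPEM, err).
func (p *prodvider) makeKubernetesCSR(username, o string) ([]byte, []byte, error) {
	signerCert, err := p.sign.Certificate("", "")
	if err != nil {
		return nil, nil, fmt.Errorf("retrieving signer certificate: %v", err)
	}

	// Indexing [0] unconditionally panics on a CA whose subject omits one of
	// these attributes; report it as an error instead.
	subj := signerCert.Subject
	if len(subj.Country) == 0 || len(subj.Province) == 0 || len(subj.Locality) == 0 {
		return nil, nil, fmt.Errorf("signer certificate subject %q lacks one of C/ST/L", subj.String())
	}

	req := &csr.CertificateRequest{
		CN: username,
		KeyRequest: &csr.BasicKeyRequest{
			A: "rsa",
			S: 4096,
		},
		Names: []csr.Name{
			{
				C:  subj.Country[0],
				ST: subj.Province[0],
				L:  subj.Locality[0],
				O:  o,
				OU: fmt.Sprintf("Prodvider Kubernetes Cert for %s/%s", username, o),
			},
		},
	}
	g := &csr.Generator{
		// cfssl's request validation is bypassed; the identity fields are
		// supplied by the caller, which is expected to have authenticated them.
		Validator: func(*csr.CertificateRequest) error { return nil },
	}
	return g.ProcessRequest(req)
}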
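// makeKubernetesCertificate signs csrPEM with the prodvider CA under the
// "client" profile, expiring at notAfter, and returns the PEM-encoded
// certificate. Hosts is explicitly empty so the certificate carries no SANs.
//
// The parameter was previously named csr, shadowing the imported csr package.
func (p *prodvider) makeKubernetesCertificate(csrPEM []byte, notAfter time.Time) ([]byte, error) {
	req := signer.SignRequest{
		Hosts:    []string{},
		Request:  string(csrPEM),
		Profile:  "client",
		NotAfter: notAfter,
	}
	return p.sign.Sign(req)
}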