Sign In
golang
/
flannel
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: e6edfac9cb
Branches Tags
flannel
/
vendor
/
k8s.io
/
kubernetes
/
pkg
/
util
/
crypto
/
crypto.go

crypto.go 6.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212 
  1. /*
    2. 

  2. Copyright 2014 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package crypto
    18. 

  18. 

  19. import (
    20. 

  20. 	"bytes"
    21. 

  21. 	"crypto/rand"
    22. 

  22. 	"crypto/rsa"
    23. 

  23. 	"crypto/x509"
    24. 

  24. 	"crypto/x509/pkix"
    25. 

  25. 	"encoding/pem"
    26. 

  26. 	"errors"
    27. 

  27. 	"fmt"
    28. 

  28. 	"io/ioutil"
    29. 

  29. 	"math/big"
    30. 

  30. 	"net"
    31. 

  31. 	"os"
    32. 

  32. 	"path/filepath"
    33. 

  33. 	"time"
    34. 

  34. )
    35. 

  35. 

  36. // FoundCertOrKey returns true if the certificate or key files already exists,
    37. 

  37. // otherwise returns false.
    38. 

  38. func FoundCertOrKey(certPath, keyPath string) bool {
    39. 

  39. 	if canReadFile(certPath) || canReadFile(keyPath) {
    40. 

  40. 		return true
    41. 

  41. 	}
    42. 

  42. 

  43. 	return false
    44. 

  44. }
    45. 

  45. 

  46. // If the file represented by path exists and
    47. 

  47. // readable, returns true otherwise returns false.
    48. 

  48. func canReadFile(path string) bool {
    49. 

  49. 	f, err := os.Open(path)
    50. 

  50. 	if err != nil {
    51. 

  51. 		return false
    52. 

  52. 	}
    53. 

  53. 

  54. 	defer f.Close()
    55. 

  55. 

  56. 	return true
    57. 

  57. }
    58. 

  58. 

  59. // GenerateSelfSignedCert creates a self-signed certificate and key for the given host.
    60. 

  60. // Host may be an IP or a DNS name
    61. 

  61. // You may also specify additional subject alt names (either ip or dns names) for the certificate
    62. 

  62. // The certificate will be created with file mode 0644. The key will be created with file mode 0600.
    63. 

  63. // If the certificate or key files already exist, they will be overwritten.
    64. 

  64. // Any parent directories of the certPath or keyPath will be created as needed with file mode 0755.
    65. 

  65. func GenerateSelfSignedCert(host, certPath, keyPath string, alternateIPs []net.IP, alternateDNS []string) error {
    66. 

  66. 	priv, err := rsa.GenerateKey(rand.Reader, 2048)
    67. 

  67. 	if err != nil {
    68. 

  68. 		return err
    69. 

  69. 	}
    70. 

  70. 

  71. 	template := x509.Certificate{
    72. 

  72. 		SerialNumber: big.NewInt(1),
    73. 

  73. 		Subject: pkix.Name{
    74. 

  74. 			CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()),
    75. 

  75. 		},
    76. 

  76. 		NotBefore: time.Now(),
    77. 

  77. 		NotAfter:  time.Now().Add(time.Hour * 24 * 365),
    78. 

  78. 

  79. 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
    80. 

  80. 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
    81. 

  81. 		BasicConstraintsValid: true,
    82. 

  82. 		IsCA: true,
    83. 

  83. 	}
    84. 

  84. 

  85. 	if ip := net.ParseIP(host); ip != nil {
    86. 

  86. 		template.IPAddresses = append(template.IPAddresses, ip)
    87. 

  87. 	} else {
    88. 

  88. 		template.DNSNames = append(template.DNSNames, host)
    89. 

  89. 	}
    90. 

  90. 

  91. 	template.IPAddresses = append(template.IPAddresses, alternateIPs...)
    92. 

  92. 	template.DNSNames = append(template.DNSNames, alternateDNS...)
    93. 

  93. 

  94. 	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
    95. 

  95. 	if err != nil {
    96. 

  96. 		return err
    97. 

  97. 	}
    98. 

  98. 

  99. 	// Generate cert
    100. 

  100. 	certBuffer := bytes.Buffer{}
    101. 

  101. 	if err := pem.Encode(&certBuffer, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
    102. 

  102. 		return err
    103. 

  103. 	}
    104. 

  104. 

  105. 	// Generate key
    106. 

  106. 	keyBuffer := bytes.Buffer{}
    107. 

  107. 	if err := pem.Encode(&keyBuffer, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil {
    108. 

  108. 		return err
    109. 

  109. 	}
    110. 

  110. 

  111. 	// Write cert
    112. 

  112. 	if err := WriteCertToPath(certPath, certBuffer.Bytes()); err != nil {
    113. 

  113. 		return err
    114. 

  114. 	}
    115. 

  115. 

  116. 	// Write key
    117. 

  117. 	if err := WriteKeyToPath(keyPath, keyBuffer.Bytes()); err != nil {
    118. 

  118. 		return err
    119. 

  119. 	}
    120. 

  120. 

  121. 	return nil
    122. 

  122. }
    123. 

  123. 

  124. // WriteCertToPath writes the pem-encoded certificate data to certPath.
    125. 

  125. // The certificate file will be created with file mode 0644.
    126. 

  126. // If the certificate file already exists, it will be overwritten.
    127. 

  127. // The parent directory of the certPath will be created as needed with file mode 0755.
    128. 

  128. func WriteCertToPath(certPath string, data []byte) error {
    129. 

  129. 	if err := os.MkdirAll(filepath.Dir(certPath), os.FileMode(0755)); err != nil {
    130. 

  130. 		return err
    131. 

  131. 	}
    132. 

  132. 	if err := ioutil.WriteFile(certPath, data, os.FileMode(0644)); err != nil {
    133. 

  133. 		return err
    134. 

  134. 	}
    135. 

  135. 	return nil
    136. 

  136. }
    137. 

  137. 

  138. // WriteKeyToPath writes the pem-encoded key data to keyPath.
    139. 

  139. // The key file will be created with file mode 0600.
    140. 

  140. // If the key file already exists, it will be overwritten.
    141. 

  141. // The parent directory of the keyPath will be created as needed with file mode 0755.
    142. 

  142. func WriteKeyToPath(keyPath string, data []byte) error {
    143. 

  143. 	if err := os.MkdirAll(filepath.Dir(keyPath), os.FileMode(0755)); err != nil {
    144. 

  144. 		return err
    145. 

  145. 	}
    146. 

  146. 	if err := ioutil.WriteFile(keyPath, data, os.FileMode(0600)); err != nil {
    147. 

  147. 		return err
    148. 

  148. 	}
    149. 

  149. 	return nil
    150. 

  150. }
    151. 

  151. 

  152. // CertPoolFromFile returns an x509.CertPool containing the certificates in the given PEM-encoded file.
    153. 

  153. // Returns an error if the file could not be read, a certificate could not be parsed, or if the file does not contain any certificates
    154. 

  154. func CertPoolFromFile(filename string) (*x509.CertPool, error) {
    155. 

  155. 	certs, err := certificatesFromFile(filename)
    156. 

  156. 	if err != nil {
    157. 

  157. 		return nil, err
    158. 

  158. 	}
    159. 

  159. 	pool := x509.NewCertPool()
    160. 

  160. 	for _, cert := range certs {
    161. 

  161. 		pool.AddCert(cert)
    162. 

  162. 	}
    163. 

  163. 	return pool, nil
    164. 

  164. }
    165. 

  165. 

  166. // certificatesFromFile returns the x509.Certificates contained in the given PEM-encoded file.
    167. 

  167. // Returns an error if the file could not be read, a certificate could not be parsed, or if the file does not contain any certificates
    168. 

  168. func certificatesFromFile(file string) ([]*x509.Certificate, error) {
    169. 

  169. 	if len(file) == 0 {
    170. 

  170. 		return nil, errors.New("error reading certificates from an empty filename")
    171. 

  171. 	}
    172. 

  172. 	pemBlock, err := ioutil.ReadFile(file)
    173. 

  173. 	if err != nil {
    174. 

  174. 		return nil, err
    175. 

  175. 	}
    176. 

  176. 	certs, err := CertsFromPEM(pemBlock)
    177. 

  177. 	if err != nil {
    178. 

  178. 		return nil, fmt.Errorf("error reading %s: %s", file, err)
    179. 

  179. 	}
    180. 

  180. 	return certs, nil
    181. 

  181. }
    182. 

  182. 

  183. // CertsFromPEM returns the x509.Certificates contained in the given PEM-encoded byte array
    184. 

  184. // Returns an error if a certificate could not be parsed, or if the data does not contain any certificates
    185. 

  185. func CertsFromPEM(pemCerts []byte) ([]*x509.Certificate, error) {
    186. 

  186. 	ok := false
    187. 

  187. 	certs := []*x509.Certificate{}
    188. 

  188. 	for len(pemCerts) > 0 {
    189. 

  189. 		var block *pem.Block
    190. 

  190. 		block, pemCerts = pem.Decode(pemCerts)
    191. 

  191. 		if block == nil {
    192. 

  192. 			break
    193. 

  193. 		}
    194. 

  194. 		// Only use PEM "CERTIFICATE" blocks without extra headers
    195. 

  195. 		if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
    196. 

  196. 			continue
    197. 

  197. 		}
    198. 

  198. 

  199. 		cert, err := x509.ParseCertificate(block.Bytes)
    200. 

  200. 		if err != nil {
    201. 

  201. 			return certs, err
    202. 

  202. 		}
    203. 

  203. 

  204. 		certs = append(certs, cert)
    205. 

  205. 		ok = true
    206. 

  206. 	}
    207. 

  207. 

  208. 	if !ok {
    209. 

  209. 		return certs, errors.New("could not read any certificates")
    210. 

  210. 	}
    211. 

  211. 	return certs, nil
    212. 

  212. }
    213.