mirror of
https://github.com/kubesphere/kubekey.git
synced 2025-12-27 19:52:49 +00:00
321 lines
10 KiB
Go
321 lines
10 KiB
Go
/*
|
|
Copyright 2016 The Kubernetes Authors.
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package certs
|
|
|
|
import (
|
|
"crypto"
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
cryptorand "crypto/rand"
|
|
"crypto/rsa"
|
|
"crypto/x509"
|
|
"encoding/pem"
|
|
"fmt"
|
|
"github.com/pkg/errors"
|
|
certutil "k8s.io/client-go/util/cert"
|
|
"k8s.io/client-go/util/keyutil"
|
|
"os"
|
|
"path/filepath"
|
|
"sync"
|
|
"time"
|
|
)
|
|
|
|
// CertOrKeyExist returns a boolean whether the cert or the key exists
|
|
func CertOrKeyExist(pkiPath, name string) bool {
|
|
certificatePath, privateKeyPath := PathsForCertAndKey(pkiPath, name)
|
|
|
|
_, certErr := os.Stat(certificatePath)
|
|
_, keyErr := os.Stat(privateKeyPath)
|
|
if os.IsNotExist(certErr) && os.IsNotExist(keyErr) {
|
|
// The cert and the key do not exist
|
|
return false
|
|
}
|
|
|
|
// Both files exist or one of them
|
|
return true
|
|
}
|
|
|
|
// PathsForCertAndKey returns the paths for the certificate and key given the path and basename.
|
|
func PathsForCertAndKey(pkiPath, name string) (string, string) {
|
|
return pathForCert(pkiPath, name), pathForKey(pkiPath, name)
|
|
}
|
|
|
|
func pathForCert(pkiPath, name string) string {
|
|
return filepath.Join(pkiPath, fmt.Sprintf("%s.pem", name))
|
|
}
|
|
|
|
func pathForKey(pkiPath, name string) string {
|
|
return filepath.Join(pkiPath, fmt.Sprintf("%s-key.pem", name))
|
|
}
|
|
|
|
// TryLoadKeyFromDisk tries to load the key from the disk and validates that it is valid
|
|
func TryLoadKeyFromDisk(pkiPath, name string) (crypto.Signer, error) {
|
|
privateKeyPath := pathForKey(pkiPath, name)
|
|
|
|
// Parse the private key from a file
|
|
privKey, err := keyutil.PrivateKeyFromFile(privateKeyPath)
|
|
if err != nil {
|
|
return nil, errors.Wrapf(err, "couldn't load the private key file %s", privateKeyPath)
|
|
}
|
|
|
|
// Allow RSA and ECDSA formats only
|
|
var key crypto.Signer
|
|
switch k := privKey.(type) {
|
|
case *rsa.PrivateKey:
|
|
key = k
|
|
case *ecdsa.PrivateKey:
|
|
key = k
|
|
default:
|
|
return nil, errors.Errorf("the private key file %s is neither in RSA nor ECDSA format", privateKeyPath)
|
|
}
|
|
|
|
return key, nil
|
|
}
|
|
|
|
// TryLoadCertChainFromDisk tries to load the cert chain from the disk
|
|
func TryLoadCertChainFromDisk(pkiPath, name string) (*x509.Certificate, []*x509.Certificate, error) {
|
|
certificatePath := pathForCert(pkiPath, name)
|
|
|
|
certs, err := certutil.CertsFromFile(certificatePath)
|
|
if err != nil {
|
|
return nil, nil, errors.Wrapf(err, "couldn't load the certificate file %s", certificatePath)
|
|
}
|
|
|
|
cert := certs[0]
|
|
intermediates := certs[1:]
|
|
|
|
return cert, intermediates, nil
|
|
}
|
|
|
|
// VerifyCertChain verifies that a certificate has a valid chain of
|
|
// intermediate CAs back to the root CA
|
|
func VerifyCertChain(cert *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate) error {
|
|
rootPool := x509.NewCertPool()
|
|
rootPool.AddCert(root)
|
|
|
|
intermediatePool := x509.NewCertPool()
|
|
for _, c := range intermediates {
|
|
intermediatePool.AddCert(c)
|
|
}
|
|
|
|
verifyOptions := x509.VerifyOptions{
|
|
Roots: rootPool,
|
|
Intermediates: intermediatePool,
|
|
KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
|
|
}
|
|
|
|
if _, err := cert.Verify(verifyOptions); err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// TryLoadCertAndKeyFromDisk tries to load a cert and a key from the disk and validates that they are valid
|
|
func TryLoadCertAndKeyFromDisk(pkiPath, name string) (*x509.Certificate, crypto.Signer, error) {
|
|
cert, err := TryLoadCertFromDisk(pkiPath, name)
|
|
if err != nil {
|
|
return nil, nil, errors.Wrap(err, "failed to load certificate")
|
|
}
|
|
|
|
key, err := TryLoadKeyFromDisk(pkiPath, name)
|
|
if err != nil {
|
|
return nil, nil, errors.Wrap(err, "failed to load key")
|
|
}
|
|
|
|
return cert, key, nil
|
|
}
|
|
|
|
// TryLoadCertFromDisk tries to load the cert from the disk
|
|
func TryLoadCertFromDisk(pkiPath, name string) (*x509.Certificate, error) {
|
|
certificatePath := pathForCert(pkiPath, name)
|
|
|
|
certs, err := certutil.CertsFromFile(certificatePath)
|
|
if err != nil {
|
|
return nil, errors.Wrapf(err, "couldn't load the certificate file %s", certificatePath)
|
|
}
|
|
|
|
// We are only putting one certificate in the certificate pem file, so it's safe to just pick the first one
|
|
// TODO: Support multiple certs here in order to be able to rotate certs
|
|
cert := certs[0]
|
|
|
|
return cert, nil
|
|
}
|
|
|
|
// CertConfig is a wrapper around certutil.Config extending it with PublicKeyAlgorithm.
|
|
type CertConfig struct {
|
|
certutil.Config
|
|
NotAfter *time.Time
|
|
PublicKeyAlgorithm x509.PublicKeyAlgorithm
|
|
}
|
|
|
|
var (
|
|
// certPeriodValidation is used to store if period validation was done for a certificate
|
|
certPeriodValidationMutex sync.Mutex
|
|
certPeriodValidation = map[string]struct{}{}
|
|
)
|
|
|
|
// NewPrivateKey returns a new private key.
|
|
var NewPrivateKey = GeneratePrivateKey
|
|
|
|
func GeneratePrivateKey(keyType x509.PublicKeyAlgorithm) (crypto.Signer, error) {
|
|
if keyType == x509.ECDSA {
|
|
return ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader)
|
|
}
|
|
|
|
return rsa.GenerateKey(cryptorand.Reader, rsaKeySize)
|
|
}
|
|
|
|
// NewCertificateAuthority creates new certificate and private key for the certificate authority
|
|
func NewCertificateAuthority(config *CertConfig) (*x509.Certificate, crypto.Signer, error) {
|
|
key, err := NewPrivateKey(config.PublicKeyAlgorithm)
|
|
if err != nil {
|
|
return nil, nil, errors.Wrap(err, "unable to create private key while generating CA certificate")
|
|
}
|
|
|
|
cert, err := certutil.NewSelfSignedCACert(config.Config, key)
|
|
if err != nil {
|
|
return nil, nil, errors.Wrap(err, "unable to create self-signed CA certificate")
|
|
}
|
|
|
|
return cert, key, nil
|
|
}
|
|
|
|
// writeCertificateAuthorityFilesIfNotExist write a new certificate Authority to the given path.
|
|
// If there already is a certificate file at the given path; kubeadm tries to load it and check if the values in the
|
|
// existing and the expected certificate equals. If they do; kubeadm will just skip writing the file as it's up-to-date,
|
|
// otherwise this function returns an error.
|
|
func writeCertificateAuthorityFilesIfNotExist(pkiDir string, baseName string, caCert *x509.Certificate, caKey crypto.Signer) error {
|
|
|
|
// If cert or key exists, we should try to load them
|
|
if CertOrKeyExist(pkiDir, baseName) {
|
|
|
|
// Try to load .crt and .key from the PKI directory
|
|
caCert, _, err := TryLoadCertAndKeyFromDisk(pkiDir, baseName)
|
|
if err != nil {
|
|
return errors.Wrapf(err, "failure loading %s certificate", baseName)
|
|
}
|
|
// Validate period
|
|
CheckCertificatePeriodValidity(baseName, caCert)
|
|
|
|
// Check if the existing cert is a CA
|
|
if !caCert.IsCA {
|
|
return errors.Errorf("certificate %s is not a CA", baseName)
|
|
}
|
|
|
|
// kubeadm doesn't validate the existing certificate Authority more than this;
|
|
// Basically, if we find a certificate file with the same path; and it is a CA
|
|
// kubeadm thinks those files are equal and doesn't bother writing a new file
|
|
fmt.Printf("[certs] Using the existing %q certificate and key\n", baseName)
|
|
} else {
|
|
// Write .crt and .key files to disk
|
|
fmt.Printf("[certs] Generating %q certificate and key\n", baseName)
|
|
|
|
if err := WriteCertAndKey(pkiDir, baseName, caCert, caKey); err != nil {
|
|
return errors.Wrapf(err, "failure while saving %s certificate and key", baseName)
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// validateCertificateWithConfig makes sure that a given certificate is valid at
|
|
// least for the SANs defined in the configuration.
|
|
func validateCertificateWithConfig(cert *x509.Certificate, baseName string, cfg *CertConfig) error {
|
|
for _, dnsName := range cfg.AltNames.DNSNames {
|
|
if err := cert.VerifyHostname(dnsName); err != nil {
|
|
return errors.Wrapf(err, "certificate %s is invalid", baseName)
|
|
}
|
|
}
|
|
for _, ipAddress := range cfg.AltNames.IPs {
|
|
if err := cert.VerifyHostname(ipAddress.String()); err != nil {
|
|
return errors.Wrapf(err, "certificate %s is invalid", baseName)
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// WriteCertAndKey stores certificate and key at the specified location
|
|
func WriteCertAndKey(pkiPath string, name string, cert *x509.Certificate, key crypto.Signer) error {
|
|
if err := WriteKey(pkiPath, name, key); err != nil {
|
|
return errors.Wrap(err, "couldn't write key")
|
|
}
|
|
|
|
return WriteCert(pkiPath, name, cert)
|
|
}
|
|
|
|
// HasServerAuth returns true if the given certificate is a ServerAuth
|
|
func HasServerAuth(cert *x509.Certificate) bool {
|
|
for i := range cert.ExtKeyUsage {
|
|
if cert.ExtKeyUsage[i] == x509.ExtKeyUsageServerAuth {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// ValidateCertPeriod checks if the certificate is valid relative to the current time
|
|
// (+/- offset)
|
|
func ValidateCertPeriod(cert *x509.Certificate, offset time.Duration) error {
|
|
period := fmt.Sprintf("NotBefore: %v, NotAfter: %v", cert.NotBefore, cert.NotAfter)
|
|
now := time.Now().Add(offset)
|
|
if now.Before(cert.NotBefore) {
|
|
return errors.Errorf("the certificate is not valid yet: %s", period)
|
|
}
|
|
if now.After(cert.NotAfter) {
|
|
return errors.Errorf("the certificate has expired: %s", period)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// WriteKey stores the given key at the given location
|
|
func WriteKey(pkiPath, name string, key crypto.Signer) error {
|
|
if key == nil {
|
|
return errors.New("private key cannot be nil when writing to file")
|
|
}
|
|
|
|
privateKeyPath := pathForKey(pkiPath, name)
|
|
encoded, err := keyutil.MarshalPrivateKeyToPEM(key)
|
|
if err != nil {
|
|
return errors.Wrapf(err, "unable to marshal private key to PEM")
|
|
}
|
|
if err := keyutil.WriteKey(privateKeyPath, encoded); err != nil {
|
|
return errors.Wrapf(err, "unable to write private key to file %s", privateKeyPath)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// WriteCert stores the given certificate at the given location
|
|
func WriteCert(pkiPath, name string, cert *x509.Certificate) error {
|
|
if cert == nil {
|
|
return errors.New("certificate cannot be nil when writing to file")
|
|
}
|
|
|
|
certificatePath := pathForCert(pkiPath, name)
|
|
if err := certutil.WriteCert(certificatePath, EncodeCertPEM(cert)); err != nil {
|
|
return errors.Wrapf(err, "unable to write certificate to file %s", certificatePath)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// EncodeCertPEM returns PEM-endcoded certificate data
|
|
func EncodeCertPEM(cert *x509.Certificate) []byte {
|
|
block := pem.Block{
|
|
Type: CertificateBlockType,
|
|
Bytes: cert.Raw,
|
|
}
|
|
return pem.EncodeToMemory(&block)
|
|
}
|