webserver will now automatically create a certificate for itself if no certificates are defined.

2023-03-13 17:46:09 -05:00
parent 2d7593ddf9
commit dd19b87e8d
6 changed files with 218 additions and 30 deletions
--- a/internal/certificate/create-ca.go
+++ b/internal/certificate/create-ca.go
@@ -0,0 +1,68 @@
+package certificate
+
+import (
+	"bytes"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"strconv"
+	"time"
+)
+
+func CreateCA() ([]byte, []byte, []byte, error) {
+	serial, _ := strconv.ParseInt(time.Now().Format("20060102150405"), 10, 64)
+	ca := &x509.Certificate{
+		SerialNumber: big.NewInt(serial),
+		Subject: pkix.Name{
+			Organization: []string{"Kubernetes Mutating Webserver CA"},
+			Country:      []string{"K8S"},
+			Province:     []string{"Cluster Service"},
+			Locality:     []string{"Cluster Local"},
+			//StreetAddress: []string{""},
+			//PostalCode:    []string{""},
+		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().AddDate(10, 0, 0),
+		IsCA:      true,
+		ExtKeyUsage: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageClientAuth,
+			x509.ExtKeyUsageServerAuth,
+		},
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		BasicConstraintsValid: true,
+		SignatureAlgorithm:    x509.SHA384WithRSA,
+	}
+
+	keyPair, err := rsa.GenerateKey(rand.Reader, 4096)
+	if err != nil {
+		return []byte(""), []byte(""), []byte(""), err
+	}
+
+	certBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &keyPair.PublicKey, keyPair)
+	if err != nil {
+		return []byte(""), []byte(""), []byte(""), err
+	}
+
+	c := new(bytes.Buffer)
+	pem.Encode(c, &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: certBytes,
+	})
+
+	k := new(bytes.Buffer)
+	pem.Encode(k, &pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(keyPair),
+	})
+
+	p := new(bytes.Buffer)
+	pem.Encode(p, &pem.Block{
+		Type:  "PUBLIC KEY",
+		Bytes: x509.MarshalPKCS1PublicKey(&keyPair.PublicKey),
+	})
+
+	return c.Bytes(), k.Bytes(), p.Bytes(), nil
+}
--- a/internal/certificate/create-cert.go
+++ b/internal/certificate/create-cert.go
@@ -0,0 +1,71 @@
+package certificate
+
+import (
+	"bytes"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"strconv"
+	"time"
+)
+
+func CreateCert() ([]byte, []byte, []byte, error) {
+	serial, _ := strconv.ParseInt(time.Now().Format("20060102150405"), 10, 64)
+	ca := &x509.Certificate{
+		SerialNumber: big.NewInt(serial + 1),
+		Subject: pkix.Name{
+			Organization: []string{"Kubernetes Mutating Webserver"},
+			Country:      []string{"K8S"},
+			Province:     []string{"Cluster Service"},
+			Locality:     []string{"Cluster Local"},
+			//StreetAddress: []string{""},
+			//PostalCode:    []string{""},
+		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().AddDate(1, 6, 0),
+		ExtKeyUsage: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageClientAuth,
+			x509.ExtKeyUsageServerAuth,
+		},
+		DNSNames: []string{
+			"svc.cluster.local",
+			"*.svc.cluster.local",
+		},
+		SubjectKeyId:       []byte{1, 2, 3, 4, 6},
+		KeyUsage:           x509.KeyUsageDigitalSignature,
+		SignatureAlgorithm: x509.SHA384WithRSA,
+	}
+
+	keyPair, err := rsa.GenerateKey(rand.Reader, 4096)
+	if err != nil {
+		return []byte(""), []byte(""), []byte(""), err
+	}
+
+	certBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &keyPair.PublicKey, keyPair)
+	if err != nil {
+		return []byte(""), []byte(""), []byte(""), err
+	}
+
+	c := new(bytes.Buffer)
+	pem.Encode(c, &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: certBytes,
+	})
+
+	k := new(bytes.Buffer)
+	pem.Encode(k, &pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(keyPair),
+	})
+
+	p := new(bytes.Buffer)
+	pem.Encode(p, &pem.Block{
+		Type:  "PUBLIC KEY",
+		Bytes: x509.MarshalPKCS1PublicKey(&keyPair.PublicKey),
+	})
+
+	return c.Bytes(), k.Bytes(), p.Bytes(), nil
+}
--- a/internal/certificate/create-server-cert.go
+++ b/internal/certificate/create-server-cert.go
@@ -0,0 +1,42 @@
+package certificate
+
+import (
+	"bytes"
+	"crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"log"
+)
+
+func CreateServerCert() tls.Certificate {
+	caCertPem, caPrivKeyPem, _, _ := CreateCA()
+	certCertPem, certPrivKeyPem, certPublicKeyPem, _ := CreateCert()
+
+	caCertBlob, _ := pem.Decode(caCertPem)
+	caCert, _ := x509.ParseCertificate(caCertBlob.Bytes)
+	caPrivKeyBlob, _ := pem.Decode(caPrivKeyPem)
+	caPrivKey, _ := x509.ParsePKCS1PrivateKey(caPrivKeyBlob.Bytes)
+	certCertBlob, _ := pem.Decode(certCertPem)
+	certCert, _ := x509.ParseCertificate(certCertBlob.Bytes)
+	certPublicKeyBlob, _ := pem.Decode(certPublicKeyPem)
+	certPublicKey, _ := x509.ParsePKCS1PublicKey(certPublicKeyBlob.Bytes)
+
+	signedCert, err := x509.CreateCertificate(rand.Reader, certCert, caCert, certPublicKey, caPrivKey)
+	if err != nil {
+		log.Fatalf("[FATAL] CreateCertificate: %v", err)
+	}
+
+	serverCertPem := new(bytes.Buffer)
+	pem.Encode(serverCertPem, &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: signedCert,
+	})
+
+	serverCert, err := tls.X509KeyPair(append(serverCertPem.Bytes(), caCertPem...), certPrivKeyPem)
+	if err != nil {
+		log.Fatalf("[FATAL] x509KeyPair: %v", err)
+	}
+
+	return serverCert
+}