From 0cf0f80b40f8bcda2792b641986c2c31cec18e5c Mon Sep 17 00:00:00 2001 From: Tim Ramlot <42113979+inteon@users.noreply.github.com> Date: Tue, 9 May 2023 15:48:06 +0200 Subject: [PATCH] switch to non-deprecated functions in source code Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com> --- cmd/ctl/pkg/inspect/secret/secret_test.go | 4 +- .../validation/certificaterequest.go | 6 +- .../validation/certificaterequest_test.go | 78 ++++++++++++++++++- .../certificaterequests/acme/acme_test.go | 9 ++- pkg/controller/certificaterequests/ca/ca.go | 2 +- .../certificaterequests/ca/ca_test.go | 6 +- .../selfsigned/selfsigned.go | 2 +- .../selfsigned/selfsigned_test.go | 6 +- .../certificaterequests/sync_test.go | 2 +- .../certificaterequests/vault/vault_test.go | 2 +- .../certificaterequests/venafi/venafi_test.go | 2 +- .../issuing/internal/keystore_test.go | 4 +- .../certificates/requestmanager/util_test.go | 2 +- .../acme/acme_test.go | 4 +- .../certificatesigningrequests/ca/ca.go | 2 +- .../certificatesigningrequests/ca/ca_test.go | 6 +- .../selfsigned/selfsigned.go | 2 +- .../selfsigned/selfsigned_test.go | 4 +- .../venafi/venafi_test.go | 14 +++- pkg/issuer/venafi/client/request.go | 7 +- pkg/util/pki/kube_test.go | 4 +- pkg/util/pki/match_test.go | 2 +- pkg/util/pki/temporarycertificate.go | 4 +- .../certificates/issuing_controller_test.go | 8 +- .../certificates/trigger_controller_test.go | 2 +- test/unit/crypto/crypto.go | 6 +- 26 files changed, 143 insertions(+), 47 deletions(-) diff --git a/cmd/ctl/pkg/inspect/secret/secret_test.go b/cmd/ctl/pkg/inspect/secret/secret_test.go index fbe63ff64..9a8769afa 100644 --- a/cmd/ctl/pkg/inspect/secret/secret_test.go +++ b/cmd/ctl/pkg/inspect/secret/secret_test.go @@ -64,7 +64,7 @@ func init() { Localities: []string{"San Francisco"}, Provinces: []string{"California"}, } - caX509Cert, err := pki.GenerateTemplate(caCertificateTemplate) + caX509Cert, err := pki.CertificateTemplateFromCertificate(caCertificateTemplate) if err != nil { panic(err) } @@ -101,7 +101,7 @@ func init() { Countries: []string{"GB"}, OrganizationalUnits: []string{"cert-manager"}, } - testX509Cert, err := pki.GenerateTemplate(testCertTemplate) + testX509Cert, err := pki.CertificateTemplateFromCertificate(testCertTemplate) if err != nil { panic(err) } diff --git a/internal/apis/certmanager/validation/certificaterequest.go b/internal/apis/certmanager/validation/certificaterequest.go index 4ceb3b559..856f76a3f 100644 --- a/internal/apis/certmanager/validation/certificaterequest.go +++ b/internal/apis/certmanager/validation/certificaterequest.go @@ -40,7 +40,7 @@ var defaultInternalKeyUsages = []cmapi.KeyUsage{cmapi.UsageDigitalSignature, cma func ValidateCertificateRequest(a *admissionv1.AdmissionRequest, obj runtime.Object) (field.ErrorList, []string) { cr := obj.(*cmapi.CertificateRequest) - allErrs := ValidateCertificateRequestSpec(&cr.Spec, field.NewPath("spec"), true) + allErrs := ValidateCertificateRequestSpec(&cr.Spec, field.NewPath("spec")) allErrs = append(allErrs, ValidateCertificateRequestApprovalCondition(cr.Status.Conditions, field.NewPath("status", "conditions"))...) @@ -83,7 +83,7 @@ func validateCertificateRequestAnnotations(objA, objB *cmapi.CertificateRequest, return el } -func ValidateCertificateRequestSpec(crSpec *cmapi.CertificateRequestSpec, fldPath *field.Path, validateCSRContent bool) field.ErrorList { +func ValidateCertificateRequestSpec(crSpec *cmapi.CertificateRequestSpec, fldPath *field.Path) field.ErrorList { el := field.ErrorList{} el = append(el, validateIssuerRef(crSpec.IssuerRef, fldPath)...) @@ -96,7 +96,7 @@ func ValidateCertificateRequestSpec(crSpec *cmapi.CertificateRequestSpec, fldPat el = append(el, field.Invalid(fldPath.Child("request"), crSpec.Request, fmt.Sprintf("failed to decode csr: %s", err))) } else { // only compare usages if set on CR and in the CSR - if len(crSpec.Usages) > 0 && len(csr.Extensions) > 0 && validateCSRContent && !reflect.DeepEqual(crSpec.Usages, defaultInternalKeyUsages) { + if len(crSpec.Usages) > 0 && len(csr.Extensions) > 0 && !reflect.DeepEqual(crSpec.Usages, defaultInternalKeyUsages) { if crSpec.IsCA { crSpec.Usages = ensureCertSignIsSet(crSpec.Usages) } diff --git a/internal/apis/certmanager/validation/certificaterequest_test.go b/internal/apis/certmanager/validation/certificaterequest_test.go index bb70e0ae6..a7e11037a 100644 --- a/internal/apis/certmanager/validation/certificaterequest_test.go +++ b/internal/apis/certmanager/validation/certificaterequest_test.go @@ -18,6 +18,9 @@ package validation import ( "bytes" + "crypto/x509" + "crypto/x509/pkix" + "encoding/asn1" "encoding/pem" "reflect" "testing" @@ -29,6 +32,7 @@ import ( cminternal "github.com/cert-manager/cert-manager/internal/apis/certmanager" cminternalmeta "github.com/cert-manager/cert-manager/internal/apis/meta" cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" + "github.com/cert-manager/cert-manager/pkg/util/pki" utilpki "github.com/cert-manager/cert-manager/pkg/util/pki" "github.com/cert-manager/cert-manager/test/unit/gen" ) @@ -540,6 +544,75 @@ func TestValidateCertificateRequest(t *testing.T) { a: someAdmissionRequest, wantE: []*field.Error{}, }, + "Test csr with default usages and isCA": { + cr: &cminternal.CertificateRequest{ + Spec: cminternal.CertificateRequestSpec{ + Request: mustGenerateCSR(t, gen.Certificate("test", gen.SetCertificateDNSNames("example.com"), gen.SetCertificateKeyUsages(cmapi.UsageDigitalSignature, cmapi.UsageCertSign, cmapi.UsageKeyEncipherment), gen.SetCertificateIsCA(true))), + IssuerRef: validIssuerRef, + IsCA: true, + Usages: nil, + }, + }, + a: someAdmissionRequest, + wantE: []*field.Error{}, + }, + "Test cr with default usages": { + cr: &cminternal.CertificateRequest{ + Spec: cminternal.CertificateRequestSpec{ + // mustGenerateCSR will set the default usages for us + Request: mustGenerateCSR(t, gen.Certificate("test", gen.SetCertificateDNSNames("example.com"))), + IssuerRef: validIssuerRef, + Usages: []cminternal.KeyUsage{cminternal.UsageKeyEncipherment, cminternal.UsageDigitalSignature}, + }, + }, + a: someAdmissionRequest, + wantE: []*field.Error{}, + }, + "Test cr with default usages, without any encoded in csr": { + cr: &cminternal.CertificateRequest{ + Spec: cminternal.CertificateRequestSpec{ + // mustGenerateCSR will set the default usages for us + Request: mustGenerateCSR(t, gen.Certificate("test", gen.SetCertificateDNSNames("example.com")), func(cr *x509.CertificateRequest) { + // manually remove extensions that encode default usages + cr.Extensions = nil + cr.ExtraExtensions = nil + }), + IssuerRef: validIssuerRef, + Usages: []cminternal.KeyUsage{cminternal.UsageKeyEncipherment, cminternal.UsageDigitalSignature}, + }, + }, + a: someAdmissionRequest, + wantE: []*field.Error{}, + }, + "Test cr with default usages, with empty set encoded in csr": { + cr: &cminternal.CertificateRequest{ + Spec: cminternal.CertificateRequestSpec{ + // mustGenerateCSR will set the default usages for us + Request: mustGenerateCSR(t, gen.Certificate("test", gen.SetCertificateDNSNames("example.com")), func(cr *x509.CertificateRequest) { + // manually remove extensions that encode default usages + cr.Extensions = nil + cr.ExtraExtensions = []pkix.Extension{ + { + Id: pki.OIDExtensionKeyUsage, + Critical: false, + Value: func(t *testing.T) []byte { + asn1KeyUsage, err := asn1.Marshal(asn1.BitString{Bytes: []byte{}, BitLength: 0}) + if err != nil { + t.Fatal(err) + } + + return asn1KeyUsage + }(t), + }, + } + }), + IssuerRef: validIssuerRef, + Usages: []cminternal.KeyUsage{cminternal.UsageKeyEncipherment, cminternal.UsageDigitalSignature}, + }, + }, + a: someAdmissionRequest, + wantE: []*field.Error{}, + }, "Error on csr not having all usages": { cr: &cminternal.CertificateRequest{ Spec: cminternal.CertificateRequestSpec{ @@ -802,7 +875,7 @@ func TestValidateCertificateRequest(t *testing.T) { } } -func mustGenerateCSR(t *testing.T, crt *cmapi.Certificate) []byte { +func mustGenerateCSR(t *testing.T, crt *cmapi.Certificate, modifiers ...func(*x509.CertificateRequest)) []byte { // Create a new private key pk, err := utilpki.GenerateRSAPrivateKey(2048) if err != nil { @@ -813,6 +886,9 @@ func mustGenerateCSR(t *testing.T, crt *cmapi.Certificate) []byte { if err != nil { t.Fatal(err) } + for _, modifier := range modifiers { + modifier(x509CSR) + } csrDER, err := utilpki.EncodeCSR(x509CSR, pk) if err != nil { t.Fatal(err) diff --git a/pkg/controller/certificaterequests/acme/acme_test.go b/pkg/controller/certificaterequests/acme/acme_test.go index 65985a350..2eb674c8d 100644 --- a/pkg/controller/certificaterequests/acme/acme_test.go +++ b/pkg/controller/certificaterequests/acme/acme_test.go @@ -153,7 +153,7 @@ func TestSign(t *testing.T) { t.Fatal(err) } - template, err := pki.GenerateTemplateFromCertificateRequest(baseCR) + template, err := pki.CertificateTemplateFromCertificateRequest(baseCR) if err != nil { t.Errorf("error generating template: %v", err) } @@ -169,7 +169,12 @@ func TestSign(t *testing.T) { if err != nil { t.Fatal(err) } - template2, err := pki.GenerateTemplateFromCSRPEM(generateCSR(t, sk2, "example.com", "example.com", "foo.com"), time.Hour, false) + template2, err := pki.CertificateTemplateFromCSRPEM( + generateCSR(t, sk2, "example.com", "example.com", "foo.com"), + pki.CertificateTemplateOverrideDuration(time.Hour), + pki.CertificateTemplateOverrideBasicConstraints(false, nil), + pki.CertificateTemplateOverrideKeyUsages(0, nil), + ) if err != nil { t.Fatal(err) } diff --git a/pkg/controller/certificaterequests/ca/ca.go b/pkg/controller/certificaterequests/ca/ca.go index 615ead77c..9c6afd516 100644 --- a/pkg/controller/certificaterequests/ca/ca.go +++ b/pkg/controller/certificaterequests/ca/ca.go @@ -69,7 +69,7 @@ func NewCA(ctx *controllerpkg.Context) certificaterequests.Issuer { issuerOptions: ctx.IssuerOptions, secretsLister: ctx.KubeSharedInformerFactory.Secrets().Lister(), reporter: crutil.NewReporter(ctx.Clock, ctx.Recorder), - templateGenerator: pki.GenerateTemplateFromCertificateRequest, + templateGenerator: pki.CertificateTemplateFromCertificateRequest, signingFn: pki.SignCSRTemplate, } } diff --git a/pkg/controller/certificaterequests/ca/ca_test.go b/pkg/controller/certificaterequests/ca/ca_test.go index ff42c29e5..8b7719b75 100644 --- a/pkg/controller/certificaterequests/ca/ca_test.go +++ b/pkg/controller/certificaterequests/ca/ca_test.go @@ -161,7 +161,7 @@ func TestSign(t *testing.T) { badDataSecret := rsaCASecret.DeepCopy() badDataSecret.Data[corev1.TLSPrivateKeyKey] = []byte("bad key") - template, err := pki.GenerateTemplateFromCertificateRequest(baseCR) + template, err := pki.CertificateTemplateFromCertificateRequest(baseCR) if err != nil { t.Fatal(err) } @@ -360,7 +360,7 @@ func TestSign(t *testing.T) { "a successful signing should set condition to Ready": { certificateRequest: baseCR.DeepCopy(), templateGenerator: func(cr *cmapi.CertificateRequest) (*x509.Certificate, error) { - _, err := pki.GenerateTemplateFromCertificateRequest(cr) + _, err := pki.CertificateTemplateFromCertificateRequest(cr) if err != nil { return nil, err } @@ -586,7 +586,7 @@ func TestCA_Sign(t *testing.T) { secretsLister: testlisters.FakeSecretListerFrom(testlisters.NewFakeSecretLister(), testlisters.SetFakeSecretNamespaceListerGet(test.givenCASecret, nil), ), - templateGenerator: pki.GenerateTemplateFromCertificateRequest, + templateGenerator: pki.CertificateTemplateFromCertificateRequest, signingFn: pki.SignCSRTemplate, } diff --git a/pkg/controller/certificaterequests/selfsigned/selfsigned.go b/pkg/controller/certificaterequests/selfsigned/selfsigned.go index 0538b77d3..1d3cac27b 100644 --- a/pkg/controller/certificaterequests/selfsigned/selfsigned.go +++ b/pkg/controller/certificaterequests/selfsigned/selfsigned.go @@ -147,7 +147,7 @@ func (s *SelfSigned) Sign(ctx context.Context, cr *cmapi.CertificateRequest, iss return nil, err } - template, err := pki.GenerateTemplateFromCertificateRequest(cr) + template, err := pki.CertificateTemplateFromCertificateRequest(cr) if err != nil { message := "Error generating certificate template" s.reporter.Failed(cr, err, "ErrorGenerating", message) diff --git a/pkg/controller/certificaterequests/selfsigned/selfsigned_test.go b/pkg/controller/certificaterequests/selfsigned/selfsigned_test.go index b53cf146b..0aca090b7 100644 --- a/pkg/controller/certificaterequests/selfsigned/selfsigned_test.go +++ b/pkg/controller/certificaterequests/selfsigned/selfsigned_test.go @@ -158,7 +158,7 @@ func TestSign(t *testing.T) { gen.SetCertificateRequestCSR(csrEmptyCertPEM), ) - templateRSA, err := pki.GenerateTemplateFromCertificateRequest(baseCR) + templateRSA, err := pki.CertificateTemplateFromCertificateRequest(baseCR) if err != nil { t.Error(err) t.FailNow() @@ -169,7 +169,7 @@ func TestSign(t *testing.T) { t.FailNow() } - templateEC, err := pki.GenerateTemplateFromCertificateRequest(ecCR) + templateEC, err := pki.CertificateTemplateFromCertificateRequest(ecCR) if err != nil { t.Error(err) t.FailNow() @@ -180,7 +180,7 @@ func TestSign(t *testing.T) { t.FailNow() } - templateEmptyCert, err := pki.GenerateTemplateFromCertificateRequest(emptyCR) + templateEmptyCert, err := pki.CertificateTemplateFromCertificateRequest(emptyCR) if err != nil { t.Error(err) t.FailNow() diff --git a/pkg/controller/certificaterequests/sync_test.go b/pkg/controller/certificaterequests/sync_test.go index 1ce6548d4..ac9aea884 100644 --- a/pkg/controller/certificaterequests/sync_test.go +++ b/pkg/controller/certificaterequests/sync_test.go @@ -63,7 +63,7 @@ func generateCSR(t *testing.T, secretKey crypto.Signer) []byte { func generateSelfSignedCert(t *testing.T, cr *cmapi.CertificateRequest, key crypto.Signer, notBefore, notAfter time.Time) []byte { t.Helper() - template, err := pki.GenerateTemplateFromCertificateRequest(cr) + template, err := pki.CertificateTemplateFromCertificateRequest(cr) if err != nil { t.Errorf("failed to generate cert template from CSR: %v", err) t.FailNow() diff --git a/pkg/controller/certificaterequests/vault/vault_test.go b/pkg/controller/certificaterequests/vault/vault_test.go index ba3b207c1..35dc0207b 100644 --- a/pkg/controller/certificaterequests/vault/vault_test.go +++ b/pkg/controller/certificaterequests/vault/vault_test.go @@ -66,7 +66,7 @@ func generateCSR(t *testing.T, secretKey crypto.Signer) []byte { func generateSelfSignedCertFromCR(cr *cmapi.CertificateRequest, key crypto.Signer, duration time.Duration) ([]byte, error) { - template, err := pki.GenerateTemplateFromCertificateRequest(cr) + template, err := pki.CertificateTemplateFromCertificateRequest(cr) if err != nil { return nil, fmt.Errorf("error generating template: %v", err) } diff --git a/pkg/controller/certificaterequests/venafi/venafi_test.go b/pkg/controller/certificaterequests/venafi/venafi_test.go index 617f95009..357f52a50 100644 --- a/pkg/controller/certificaterequests/venafi/venafi_test.go +++ b/pkg/controller/certificaterequests/venafi/venafi_test.go @@ -211,7 +211,7 @@ func TestSign(t *testing.T) { }, } - template, err := pki.GenerateTemplateFromCertificateRequest(baseCR) + template, err := pki.CertificateTemplateFromCertificateRequest(baseCR) if err != nil { t.Fatal(err) } diff --git a/pkg/controller/certificates/issuing/internal/keystore_test.go b/pkg/controller/certificates/issuing/internal/keystore_test.go index 740670e9c..7a1da09ed 100644 --- a/pkg/controller/certificates/issuing/internal/keystore_test.go +++ b/pkg/controller/certificates/issuing/internal/keystore_test.go @@ -56,7 +56,7 @@ func mustSelfSignCertificate(t *testing.T, pkBytes []byte) []byte { if err != nil { t.Fatal(err) } - x509Crt, err := pki.GenerateTemplate(&cmapi.Certificate{ + x509Crt, err := pki.CertificateTemplateFromCertificate(&cmapi.Certificate{ Spec: cmapi.CertificateSpec{ DNSNames: []string{"example.com"}, }, @@ -84,7 +84,7 @@ func mustCert(t *testing.T, commonName string, isCA bool) *keyAndCert { keyPEM, err := pki.EncodePrivateKey(key, cmapi.PKCS8) require.NoError(t, err) - cert, err := pki.GenerateTemplate(&cmapi.Certificate{ + cert, err := pki.CertificateTemplateFromCertificate(&cmapi.Certificate{ Spec: cmapi.CertificateSpec{ CommonName: commonName, IsCA: isCA, diff --git a/pkg/controller/certificates/requestmanager/util_test.go b/pkg/controller/certificates/requestmanager/util_test.go index f24031108..1f301fbab 100644 --- a/pkg/controller/certificates/requestmanager/util_test.go +++ b/pkg/controller/certificates/requestmanager/util_test.go @@ -128,7 +128,7 @@ func createCryptoBundle(originalCert *cmapi.Certificate) (*cryptoBundle, error) }, } - unsignedCert, err := pki.GenerateTemplateFromCertificateRequest(certificateRequest) + unsignedCert, err := pki.CertificateTemplateFromCertificateRequest(certificateRequest) if err != nil { return nil, err } diff --git a/pkg/controller/certificatesigningrequests/acme/acme_test.go b/pkg/controller/certificatesigningrequests/acme/acme_test.go index c9729f506..9494c6cf0 100644 --- a/pkg/controller/certificatesigningrequests/acme/acme_test.go +++ b/pkg/controller/certificatesigningrequests/acme/acme_test.go @@ -225,7 +225,7 @@ func Test_ProcessItem(t *testing.T) { }), ) - tmpl, err := pki.GenerateTemplateFromCertificateSigningRequest(baseCSR) + tmpl, err := pki.CertificateTemplateFromCertificateSigningRequest(baseCSR) if err != nil { t.Fatal(err) } @@ -234,7 +234,7 @@ func Test_ProcessItem(t *testing.T) { t.Fatal(err) } - tmpl, err = pki.GenerateTemplateFromCertificateSigningRequest(gen.CertificateSigningRequestFrom(baseCSR, + tmpl, err = pki.CertificateTemplateFromCertificateSigningRequest(gen.CertificateSigningRequestFrom(baseCSR, gen.SetCertificateSigningRequestRequest(csrPEMExampleNotPresent), )) if err != nil { diff --git a/pkg/controller/certificatesigningrequests/ca/ca.go b/pkg/controller/certificatesigningrequests/ca/ca.go index 195a05d04..e0139cb4e 100644 --- a/pkg/controller/certificatesigningrequests/ca/ca.go +++ b/pkg/controller/certificatesigningrequests/ca/ca.go @@ -82,7 +82,7 @@ func NewCA(ctx *controllerpkg.Context) certificatesigningrequests.Signer { certClient: ctx.Client.CertificatesV1().CertificateSigningRequests(), fieldManager: ctx.FieldManager, recorder: ctx.Recorder, - templateGenerator: pki.GenerateTemplateFromCertificateSigningRequest, + templateGenerator: pki.CertificateTemplateFromCertificateSigningRequest, signingFn: pki.SignCSRTemplate, } } diff --git a/pkg/controller/certificatesigningrequests/ca/ca_test.go b/pkg/controller/certificatesigningrequests/ca/ca_test.go index 7cabf3a31..ddedb195b 100644 --- a/pkg/controller/certificatesigningrequests/ca/ca_test.go +++ b/pkg/controller/certificatesigningrequests/ca/ca_test.go @@ -166,7 +166,7 @@ func TestSign(t *testing.T) { badDataSecret := ecCASecret.DeepCopy() badDataSecret.Data[corev1.TLSPrivateKeyKey] = []byte("bad key") - template, err := pki.GenerateTemplateFromCertificateSigningRequest(baseCSR) + template, err := pki.CertificateTemplateFromCertificateSigningRequest(baseCSR) if err != nil { t.Fatal(err) } @@ -465,7 +465,7 @@ func TestSign(t *testing.T) { templateGenerator: func(csr *certificatesv1.CertificateSigningRequest) (*x509.Certificate, error) { // Pass the given CSR to a "real" template generator to ensure that it // doesn't err. Return the pre-generated template. - _, err := pki.GenerateTemplateFromCertificateSigningRequest(csr) + _, err := pki.CertificateTemplateFromCertificateSigningRequest(csr) if err != nil { return nil, err } @@ -743,7 +743,7 @@ func TestCA_Sign(t *testing.T) { secretsLister: testlisters.FakeSecretListerFrom(testlisters.NewFakeSecretLister(), testlisters.SetFakeSecretNamespaceListerGet(test.givenCASecret, nil), ), - templateGenerator: pki.GenerateTemplateFromCertificateSigningRequest, + templateGenerator: pki.CertificateTemplateFromCertificateSigningRequest, signingFn: pki.SignCSRTemplate, } diff --git a/pkg/controller/certificatesigningrequests/selfsigned/selfsigned.go b/pkg/controller/certificatesigningrequests/selfsigned/selfsigned.go index 7a1b40c5c..01843a017 100644 --- a/pkg/controller/certificatesigningrequests/selfsigned/selfsigned.go +++ b/pkg/controller/certificatesigningrequests/selfsigned/selfsigned.go @@ -160,7 +160,7 @@ func (s *SelfSigned) Sign(ctx context.Context, csr *certificatesv1.CertificateSi return err } - template, err := pki.GenerateTemplateFromCertificateSigningRequest(csr) + template, err := pki.CertificateTemplateFromCertificateSigningRequest(csr) if err != nil { message := fmt.Sprintf("Error generating certificate template: %s", err) log.Error(err, message) diff --git a/pkg/controller/certificatesigningrequests/selfsigned/selfsigned_test.go b/pkg/controller/certificatesigningrequests/selfsigned/selfsigned_test.go index a7e910665..da7e9e816 100644 --- a/pkg/controller/certificatesigningrequests/selfsigned/selfsigned_test.go +++ b/pkg/controller/certificatesigningrequests/selfsigned/selfsigned_test.go @@ -320,7 +320,7 @@ func TestProcessItem(t *testing.T) { CertManagerObjects: []runtime.Object{baseIssuer.DeepCopy()}, KubeObjects: []runtime.Object{csrBundle.secret}, ExpectedEvents: []string{ - "Warning ErrorGenerating Error generating certificate template: failed to decode csr", + "Warning ErrorGenerating Error generating certificate template: error decoding certificate request PEM block", }, ExpectedActions: []testpkg.Action{ @@ -364,7 +364,7 @@ func TestProcessItem(t *testing.T) { Type: certificatesv1.CertificateFailed, Status: corev1.ConditionTrue, Reason: "ErrorGenerating", - Message: "Error generating certificate template: failed to decode csr", + Message: "Error generating certificate template: error decoding certificate request PEM block", LastTransitionTime: metaFixedClockStart, LastUpdateTime: metaFixedClockStart, }), diff --git a/pkg/controller/certificatesigningrequests/venafi/venafi_test.go b/pkg/controller/certificatesigningrequests/venafi/venafi_test.go index 9ed2a8100..e20b3b980 100644 --- a/pkg/controller/certificatesigningrequests/venafi/venafi_test.go +++ b/pkg/controller/certificatesigningrequests/venafi/venafi_test.go @@ -69,7 +69,12 @@ func TestProcessItem(t *testing.T) { t.Fatal(err) } - rootTmpl, err := pki.GenerateTemplateFromCSRPEM(rootCSRPEM, time.Hour, true) + rootTmpl, err := pki.CertificateTemplateFromCSRPEM( + rootCSRPEM, + pki.CertificateTemplateOverrideDuration(time.Hour), + pki.CertificateTemplateOverrideBasicConstraints(true, nil), + pki.CertificateTemplateOverrideKeyUsages(0, nil), + ) if err != nil { t.Fatal(err) } @@ -84,7 +89,12 @@ func TestProcessItem(t *testing.T) { if err != nil { t.Fatal(err) } - leafTmpl, err := pki.GenerateTemplateFromCSRPEM(leafCSRPEM, time.Hour, false) + leafTmpl, err := pki.CertificateTemplateFromCSRPEM( + leafCSRPEM, + pki.CertificateTemplateOverrideDuration(time.Hour), + pki.CertificateTemplateOverrideBasicConstraints(false, nil), + pki.CertificateTemplateOverrideKeyUsages(0, nil), + ) if err != nil { t.Fatal(err) } diff --git a/pkg/issuer/venafi/client/request.go b/pkg/issuer/venafi/client/request.go index 928e743ec..9fd1e2c8a 100644 --- a/pkg/issuer/venafi/client/request.go +++ b/pkg/issuer/venafi/client/request.go @@ -83,7 +83,12 @@ func (v *Venafi) buildVReq(csrPEM []byte, duration time.Duration, customFields [ return nil, err } - tmpl, err := pki.GenerateTemplateFromCSRPEM(csrPEM, duration, false) + tmpl, err := pki.CertificateTemplateFromCSRPEM( + csrPEM, + pki.CertificateTemplateOverrideDuration(duration), + pki.CertificateTemplateOverrideBasicConstraints(false, nil), + pki.CertificateTemplateOverrideKeyUsages(0, nil), + ) if err != nil { return nil, err } diff --git a/pkg/util/pki/kube_test.go b/pkg/util/pki/kube_test.go index cd3b60d2c..83f8c2a86 100644 --- a/pkg/util/pki/kube_test.go +++ b/pkg/util/pki/kube_test.go @@ -30,7 +30,7 @@ import ( "github.com/cert-manager/cert-manager/test/unit/gen" ) -func TestGenerateTemplateFromCertificateSigningRequest(t *testing.T) { +func TestCertificateTemplateFromCertificateSigningRequest(t *testing.T) { csr, pk, err := gen.CSR(x509.RSA, gen.SetCSRCommonName("example.com"), gen.SetCSRDNSNames("example.com", "foo.example.com")) if err != nil { t.Fatal(err) @@ -202,7 +202,7 @@ func TestGenerateTemplateFromCertificateSigningRequest(t *testing.T) { for name, test := range tests { t.Run(name, func(t *testing.T) { - templ, err := pki.GenerateTemplateFromCertificateSigningRequest(test.csr) + templ, err := pki.CertificateTemplateFromCertificateSigningRequest(test.csr) assert.Equal(t, test.expErr, err != nil) if err == nil { diff --git a/pkg/util/pki/match_test.go b/pkg/util/pki/match_test.go index 7db575d4c..e9d961787 100644 --- a/pkg/util/pki/match_test.go +++ b/pkg/util/pki/match_test.go @@ -277,7 +277,7 @@ func selfSignCertificate(t *testing.T, spec cmapi.CertificateSpec) []byte { t.Fatal(err) } - template, err := GenerateTemplate(&cmapi.Certificate{Spec: spec}) + template, err := CertificateTemplateFromCertificate(&cmapi.Certificate{Spec: spec}) if err != nil { t.Fatal(err) } diff --git a/pkg/util/pki/temporarycertificate.go b/pkg/util/pki/temporarycertificate.go index 1231f2bd1..81817e02d 100644 --- a/pkg/util/pki/temporarycertificate.go +++ b/pkg/util/pki/temporarycertificate.go @@ -33,7 +33,7 @@ func GenerateLocallySignedTemporaryCertificate(crt *cmapi.Certificate, pkData [] if err != nil { return nil, err } - caCertTemplate, err := GenerateTemplate(&cmapi.Certificate{ + caCertTemplate, err := CertificateTemplateFromCertificate(&cmapi.Certificate{ Spec: cmapi.CertificateSpec{ CommonName: "cert-manager.local", IsCA: true, @@ -48,7 +48,7 @@ func GenerateLocallySignedTemporaryCertificate(crt *cmapi.Certificate, pkData [] } // sign a temporary certificate using the root CA - template, err := GenerateTemplate(crt) + template, err := CertificateTemplateFromCertificate(crt) if err != nil { return nil, err } diff --git a/test/integration/certificates/issuing_controller_test.go b/test/integration/certificates/issuing_controller_test.go index 7bd059957..aa063bd6d 100644 --- a/test/integration/certificates/issuing_controller_test.go +++ b/test/integration/certificates/issuing_controller_test.go @@ -168,7 +168,7 @@ func TestIssuingController(t *testing.T) { }) // Sign Certificate - certTemplate, err := utilpki.GenerateTemplate(crt) + certTemplate, err := utilpki.CertificateTemplateFromCertificate(crt) if err != nil { t.Fatal(err) } @@ -391,7 +391,7 @@ func TestIssuingController_PKCS8_PrivateKey(t *testing.T) { }) // Sign Certificate - certTemplate, err := utilpki.GenerateTemplate(crt) + certTemplate, err := utilpki.CertificateTemplateFromCertificate(crt) if err != nil { t.Fatal(err) } @@ -609,7 +609,7 @@ func Test_IssuingController_SecretTemplate(t *testing.T) { }) // Sign Certificate - certTemplate, err := utilpki.GenerateTemplate(crt) + certTemplate, err := utilpki.CertificateTemplateFromCertificate(crt) if err != nil { t.Fatal(err) } @@ -858,7 +858,7 @@ func Test_IssuingController_AdditionalOutputFormats(t *testing.T) { }) // Sign Certificate - certTemplate, err := utilpki.GenerateTemplate(crt) + certTemplate, err := utilpki.CertificateTemplateFromCertificate(crt) if err != nil { t.Fatal(err) } diff --git a/test/integration/certificates/trigger_controller_test.go b/test/integration/certificates/trigger_controller_test.go index 16a6ac0fa..971e6b809 100644 --- a/test/integration/certificates/trigger_controller_test.go +++ b/test/integration/certificates/trigger_controller_test.go @@ -393,7 +393,7 @@ func selfSignCertificateWithNotBeforeAfter(t *testing.T, pkData []byte, spec *cm t.Fatal(err) } - template, err := pki.GenerateTemplate(spec) + template, err := pki.CertificateTemplateFromCertificate(spec) if err != nil { t.Fatal(err) } diff --git a/test/unit/crypto/crypto.go b/test/unit/crypto/crypto.go index fa4256af2..7ebe707ad 100644 --- a/test/unit/crypto/crypto.go +++ b/test/unit/crypto/crypto.go @@ -135,7 +135,7 @@ func CreateCryptoBundle(originalCert *cmapi.Certificate, clock clock.Clock) (*Cr }, } - unsignedCert, err := pki.GenerateTemplateFromCertificateRequest(certificateRequest) + unsignedCert, err := pki.CertificateTemplateFromCertificateRequest(certificateRequest) if err != nil { return nil, err } @@ -255,7 +255,7 @@ func MustCreateCertWithNotBeforeAfter(t *testing.T, pkData []byte, spec *cmapi.C t.Fatal(err) } - template, err := pki.GenerateTemplate(spec) + template, err := pki.CertificateTemplateFromCertificate(spec) if err != nil { t.Fatal(err) } @@ -278,7 +278,7 @@ func MustCreateCert(t *testing.T, pkData []byte, spec *cmapi.Certificate) []byte t.Fatal(err) } - template, err := pki.GenerateTemplate(spec) + template, err := pki.CertificateTemplateFromCertificate(spec) if err != nil { t.Fatal(err) }