diff --git a/pkg/util/pki/csr.go b/pkg/util/pki/csr.go index e0b48391e..4f2db6a5e 100644 --- a/pkg/util/pki/csr.go +++ b/pkg/util/pki/csr.go @@ -78,7 +78,7 @@ func GenerateCSR(issuer v1alpha1.GenericIssuer, crt *v1alpha1.Certificate) (*x50 return nil, fmt.Errorf("no domains specified on certificate") } - sigAlgo, err := SignatureAlgorithm(crt) + pubKeyAlgo, sigAlgo, err := SignatureAlgorithm(crt) if err != nil { return nil, err } @@ -86,6 +86,7 @@ func GenerateCSR(issuer v1alpha1.GenericIssuer, crt *v1alpha1.Certificate) (*x50 return &x509.CertificateRequest{ Version: 3, SignatureAlgorithm: sigAlgo, + PublicKeyAlgorithm: pubKeyAlgo, Subject: pkix.Name{ Organization: organization, CommonName: commonName, @@ -114,7 +115,7 @@ func GenerateTemplate(issuer v1alpha1.GenericIssuer, crt *v1alpha1.Certificate, return nil, fmt.Errorf("failed to generate serial number: %s", err.Error()) } - sigAlgo, err := SignatureAlgorithm(crt) + pubKeyAlgo, sigAlgo, err := SignatureAlgorithm(crt) if err != nil { return nil, err } @@ -123,11 +124,13 @@ func GenerateTemplate(issuer v1alpha1.GenericIssuer, crt *v1alpha1.Certificate, if crt.Spec.IsCA { keyUsages |= x509.KeyUsageCertSign } + return &x509.Certificate{ Version: 3, BasicConstraintsValid: true, SerialNumber: serialNumber, SignatureAlgorithm: sigAlgo, + PublicKeyAlgorithm: pubKeyAlgo, IsCA: crt.Spec.IsCA, Subject: pkix.Name{ Organization: organization, @@ -198,34 +201,40 @@ func EncodeX509(cert *x509.Certificate) ([]byte, error) { // Return the appropriate signature algorithm for the certificate // Adapted from https://github.com/cloudflare/cfssl/blob/master/csr/csr.go#L102 -func SignatureAlgorithm(crt *v1alpha1.Certificate) (x509.SignatureAlgorithm, error) { +func SignatureAlgorithm(crt *v1alpha1.Certificate) (x509.PublicKeyAlgorithm, x509.SignatureAlgorithm, error) { + var sigAlgo x509.SignatureAlgorithm + var pubKeyAlgo x509.PublicKeyAlgorithm switch crt.Spec.KeyAlgorithm { case v1alpha1.KeyAlgorithm(""): // If keyAlgorithm is not specified, we default to rsa with keysize 2048 - return x509.SHA256WithRSA, nil + pubKeyAlgo = x509.RSA + sigAlgo = x509.SHA256WithRSA case v1alpha1.RSAKeyAlgorithm: + pubKeyAlgo = x509.RSA switch { case crt.Spec.KeySize >= 4096: - return x509.SHA512WithRSA, nil + sigAlgo = x509.SHA512WithRSA case crt.Spec.KeySize >= 3072: - return x509.SHA384WithRSA, nil + sigAlgo = x509.SHA384WithRSA case crt.Spec.KeySize >= 2048: - return x509.SHA256WithRSA, nil + sigAlgo = x509.SHA256WithRSA default: - return x509.UnknownSignatureAlgorithm, fmt.Errorf("unsupported rsa keysize specified: %d. min keysize %d", crt.Spec.KeySize, MinRSAKeySize) + return x509.UnknownPublicKeyAlgorithm, x509.UnknownSignatureAlgorithm, fmt.Errorf("unsupported rsa keysize specified: %d. min keysize %d", crt.Spec.KeySize, MinRSAKeySize) } case v1alpha1.ECDSAKeyAlgorithm: + pubKeyAlgo = x509.ECDSA switch crt.Spec.KeySize { case 521: - return x509.ECDSAWithSHA512, nil + sigAlgo = x509.ECDSAWithSHA512 case 384: - return x509.ECDSAWithSHA384, nil + sigAlgo = x509.ECDSAWithSHA384 case 256: - return x509.ECDSAWithSHA256, nil + sigAlgo = x509.ECDSAWithSHA256 default: - return x509.UnknownSignatureAlgorithm, fmt.Errorf("unsupported ecdsa keysize specified: %d", crt.Spec.KeySize) + return x509.UnknownPublicKeyAlgorithm, x509.UnknownSignatureAlgorithm, fmt.Errorf("unsupported ecdsa keysize specified: %d", crt.Spec.KeySize) } default: - return x509.UnknownSignatureAlgorithm, fmt.Errorf("unsupported algorithm specified: %s. should be either 'ecdsa' or 'rsa", crt.Spec.KeyAlgorithm) + return x509.UnknownPublicKeyAlgorithm, x509.UnknownSignatureAlgorithm, fmt.Errorf("unsupported algorithm specified: %s. should be either 'ecdsa' or 'rsa", crt.Spec.KeyAlgorithm) } + return pubKeyAlgo, sigAlgo, nil }