From b2d719d6c3e80f21af56d1abf4324b7d8259fc68 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Pinson?=
Date: Tue, 22 Sep 2020 11:39:18 +0200
Subject: [PATCH] Add encode_usages_in_request to Certificate spec (fix #3301)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Raphaël Pinson
---
 pkg/apis/certmanager/v1/types_certificate.go | 5 +++++
 pkg/apis/certmanager/v1alpha2/types_certificate.go | 5 +++++
 pkg/apis/certmanager/v1alpha3/types_certificate.go | 5 +++++
 pkg/apis/certmanager/v1beta1/types_certificate.go | 5 +++++
 pkg/internal/apis/certmanager/types_certificate.go | 4 ++++
 pkg/util/pki/csr.go | 11 +++++++----
 pkg/util/pki/csr_test.go | 8 ++++----
 7 files changed, 35 insertions(+), 8 deletions(-)
diff --git a/pkg/apis/certmanager/v1/types_certificate.go b/pkg/apis/certmanager/v1/types_certificate.go
index eee809a1c..9a53c2c46 100644
--- a/pkg/apis/certmanager/v1/types_certificate.go
+++ b/pkg/apis/certmanager/v1/types_certificate.go
@@ -160,6 +160,11 @@ type CertificateSpec struct {
 // Options to control private keys used for the Certificate.
 // +optional
 PrivateKey *CertificatePrivateKey `json:"privateKey,omitempty"`
+
+ // EncodeUsagesInRequest controls whether key usages should be present
+ // in the CertificateRequest
+ // +optional
+ EncodeUsagesInRequest *bool `json:"encodeUsagesInRequest,omitempty"`
 }
 
 // CertificatePrivateKey contains configuration options for private keys
diff --git a/pkg/apis/certmanager/v1alpha2/types_certificate.go b/pkg/apis/certmanager/v1alpha2/types_certificate.go
index 75aa6c46a..74c03205a 100644
--- a/pkg/apis/certmanager/v1alpha2/types_certificate.go
+++ b/pkg/apis/certmanager/v1alpha2/types_certificate.go
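Review bot: The doc comment on the new `EncodeUsagesInRequest` field says neither what an unset value means nor which extensions it governs, and "present in the CertificateRequest" is ambiguous in this API, where CertificateRequest is also the name of a resource; the csr.go hunk later in this patch toggles the KeyUsage/ExtKeyUsage extensions of the generated X.509 CSR and treats nil as true. I would replace the two comment lines with: `// EncodeUsagesInRequest controls whether the KeyUsage and ExtKeyUsage extensions derived from Usages (and IsCA) are encoded in the X.509 CSR generated for this Certificate. Defaults to true when unset; presumably only issuers that reject CSRs carrying these extensions need it set to false (#3301).` Since the CSR is what the private key signs, turning this off also means the requested usages are no longer part of what the key holder attests to, which deserves a sentence here. The same wording belongs on the v1alpha2, v1alpha3, v1beta1 and internal copies of the field later in the patch.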
@@ -188,6 +188,11 @@ type CertificateSpec struct {
 // Options to control private keys used for the Certificate.
 // +optional
 PrivateKey *CertificatePrivateKey `json:"privateKey,omitempty"`
+
+ // EncodeUsagesInRequest controls whether key usages should be present
+ // in the CertificateRequest
+ // +optional
+ EncodeUsagesInRequest *bool `json:"encodeUsagesInRequest,omitempty"`
 }
 
 // CertificatePrivateKey contains configuration options for private keys
diff --git a/pkg/apis/certmanager/v1alpha3/types_certificate.go b/pkg/apis/certmanager/v1alpha3/types_certificate.go
index 28d3d12eb..bf0f1ecae 100644
--- a/pkg/apis/certmanager/v1alpha3/types_certificate.go
+++ b/pkg/apis/certmanager/v1alpha3/types_certificate.go
@@ -186,6 +186,11 @@ type CertificateSpec struct {
 // Options to control private keys used for the Certificate.
 // +optional
 PrivateKey *CertificatePrivateKey `json:"privateKey,omitempty"`
+
+ // EncodeUsagesInRequest controls whether key usages should be present
+ // in the CertificateRequest
+ // +optional
+ EncodeUsagesInRequest *bool `json:"encodeUsagesInRequest,omitempty"`
 }
 
 // CertificatePrivateKey contains configuration options for private keys
diff --git a/pkg/apis/certmanager/v1beta1/types_certificate.go b/pkg/apis/certmanager/v1beta1/types_certificate.go
index 86462b3b6..540ab47b4 100644
--- a/pkg/apis/certmanager/v1beta1/types_certificate.go
+++ b/pkg/apis/certmanager/v1beta1/types_certificate.go
@@ -159,6 +159,11 @@ type CertificateSpec struct {
 // Options to control private keys used for the Certificate.
 // +optional
 PrivateKey *CertificatePrivateKey `json:"privateKey,omitempty"`
+
+ // EncodeUsagesInRequest controls whether key usages should be present
+ // in the CertificateRequest
+ // +optional
+ EncodeUsagesInRequest *bool `json:"encodeUsagesInRequest,omitempty"`
 }
 
 // CertificatePrivateKey contains configuration options for private keys
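Review bot: The three `EncodeUsagesInRequest *bool` fields added here (v1alpha2, v1alpha3, v1beta1) are pointer fields on versioned API types, yet the diffstat at the top of the patch lists no zz_generated deepcopy or conversion files; if this project keeps that generated code in-tree rather than producing it at build time, `DeepCopyInto` will keep sharing the pointer and the internal↔versioned conversions will silently drop the field, so a user's opt-out would never reach GenerateCSR. Worth regenerating and either confirming the generated files are unchanged or adding them to the patch. Each copy also carries the same two-line comment as the v1 field, so whatever clarification v1 gets (the nil-means-true default and that it is the KeyUsage/ExtKeyUsage extensions of the X.509 CSR that are toggled) should be mirrored on all three.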
diff --git a/pkg/internal/apis/certmanager/types_certificate.go b/pkg/internal/apis/certmanager/types_certificate.go
index 0c55673b2..eeeadf66d 100644
--- a/pkg/internal/apis/certmanager/types_certificate.go
+++ b/pkg/internal/apis/certmanager/types_certificate.go
@@ -142,6 +142,10 @@ type CertificateSpec struct {
 // Options to control private keys used for the Certificate.
 PrivateKey *CertificatePrivateKey
+
+ // EncodeUsagesInRequest controls whether key usages should be present
+ // in the CertificateRequest
+ EncodeUsagesInRequest *bool
 }
 
 // CertificatePrivateKey contains configuration options for private keys
diff --git a/pkg/util/pki/csr.go b/pkg/util/pki/csr.go
index b941e529b..841a7e6c1 100644
--- a/pkg/util/pki/csr.go
+++ b/pkg/util/pki/csr.go
@@ -202,9 +202,12 @@ func GenerateCSR(crt *v1.Certificate) (*x509.CertificateRequest, error) {
 return nil, err
 }
 
- extraExtensions, err := extensionsForCertificate(crt)
- if err != nil {
- return nil, err
+ var extraExtensions []pkix.Extension
+ if crt.Spec.EncodeUsagesInRequest == nil || *crt.Spec.EncodeUsagesInRequest {
+ extraExtensions, err = buildKeyUsagesExtensionsForCertificate(crt)
+ if err != nil {
+ return nil, err
+ }
 }
 
 return &x509.CertificateRequest{
@@ -230,7 +233,7 @@ func GenerateCSR(crt *v1.Certificate) (*x509.CertificateRequest, error) {
 }, nil
 }
 
-func extensionsForCertificate(crt *v1.Certificate) ([]pkix.Extension, error) {
+func buildKeyUsagesExtensionsForCertificate(crt *v1.Certificate) ([]pkix.Extension, error) {
 ku, ekus, err := BuildKeyUsages(crt.Spec.Usages, crt.Spec.IsCA)
 if err != nil {
 return nil, fmt.Errorf("failed to build key usages: %w", err)
diff --git a/pkg/util/pki/csr_test.go b/pkg/util/pki/csr_test.go
index 78f88ba51..e77c3c068 100644
--- a/pkg/util/pki/csr_test.go
+++ b/pkg/util/pki/csr_test.go
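Review bot: The new guard in GenerateCSR carries no comment saying that a nil EncodeUsagesInRequest means "encode" and that a false value leaves the CSR with no KeyUsage/ExtKeyUsage extension at all, which a later reader will easily mistake for a missing-usages bug; and because BuildKeyUsages is fed crt.Spec.IsCA as well, the opt-out also strips the CA-derived usages from the signed request. I would add above the `if`: `// Usages are encoded into the CSR unless the Certificate explicitly opts out (nil means encode). When disabled the CSR carries no KeyUsage/ExtKeyUsage extension, so the issuer cannot take the requested usages from the key-signed request.` GenerateCSR begins before and ends after this hunk. As a small style point, naming the condition first, `encodeUsages := crt.Spec.EncodeUsagesInRequest == nil || *crt.Spec.EncodeUsagesInRequest`, keeps the `if` line short and gives the default a name.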
@@ -467,7 +467,7 @@ func TestGenerateCSR(t *testing.T) {
 }
 }
 
-func Test_extensionsForCertificate(t *testing.T) {
+func Test_buildKeyUsagesExtensionsForCertificate(t *testing.T) {
 // 0xa0 = DigitalSignature and Encipherment usage
 asn1DefaultKeyUsage, err := asn1.Marshal(asn1.BitString{Bytes: []byte{0xa0}, BitLength: asn1BitLength([]byte{0xa0})})
 if err != nil {
@@ -542,13 +542,13 @@ func Test_extensionsForCertificate(t *testing.T) {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- got, err := extensionsForCertificate(tt.crt)
+ got, err := buildKeyUsagesExtensionsForCertificate(tt.crt)
 if (err != nil) != tt.wantErr {
- t.Errorf("extensionsForCertificate() error = %v, wantErr %v", err, tt.wantErr)
+ t.Errorf("buildKeyUsagesExtensionsForCertificate() error = %v, wantErr %v", err, tt.wantErr)
 return
 }
 if !reflect.DeepEqual(got, tt.want) {
- t.Errorf("extensionsForCertificate() got = %v, want %v", got, tt.want)
+ t.Errorf("buildKeyUsagesExtensionsForCertificate() got = %v, want %v", got, tt.want)
 }
 })
 }
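Review bot: The test changes are only the rename of Test_extensionsForCertificate and its call sites; nothing exercises the new branch in GenerateCSR where EncodeUsagesInRequest points at false, so a regression that always (or never) encodes the extensions would still pass this suite. TestGenerateCSR, whose closing braces are the first context lines of this hunk and whose body starts before it, is the natural place: add a case whose Certificate has `EncodeUsagesInRequest` set to a pointer to false and assert the returned request's `ExtraExtensions` is empty, plus a nil case asserting the KeyUsage extension is present. The `asn1DefaultKeyUsage` fixture built from 0xa0 in the renamed test already provides the expected extension value for the nil case.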