improve gen.CSR and use it everywhere

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
2022-11-10 09:21:31 +01:00 · 2022-11-10 09:21:31 +01:00 · b999749854
commit b999749854
parent d06ebdf3b5
13 changed files with 160 additions and 251 deletions
--- a/internal/vault/vault_test.go
+++ b/internal/vault/vault_test.go
@ -19,12 +19,8 @@ package vault
 import (
 	"bytes"
 	"crypto"
-	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/asn1"
-	"encoding/pem"
 	"errors"
 	"fmt"
 	"io"
@ -157,22 +153,13 @@ func generateRSAPrivateKey(t *testing.T) *rsa.PrivateKey {
 }

 func generateCSR(t *testing.T, secretKey crypto.Signer) []byte {
-	asn1Subj, _ := asn1.Marshal(pkix.Name{
-		CommonName: "test",
-	}.ToRDNSequence())
-	template := x509.CertificateRequest{
-		RawSubject:         asn1Subj,
-		SignatureAlgorithm: x509.SHA256WithRSA,
-	}
-
-	csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, secretKey)
+	csr, err := gen.CSRWithSigner(secretKey,
+		gen.SetCSRCommonName("test"),
+	)
 	if err != nil {
-		t.Errorf("failed to create CSR: %s", err)
-		t.FailNow()
+		t.Fatal(err)
 	}

-	csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
-
 	return csr
 }

--- a/pkg/controller/certificaterequests/acme/acme_test.go
+++ b/pkg/controller/certificaterequests/acme/acme_test.go
@ -19,13 +19,10 @@ package acme
 import (
 	"context"
 	"crypto"
-	"crypto/rand"
 	"crypto/x509"
 	"crypto/x509/pkix"
-	"encoding/pem"
 	"errors"
 	"math/big"
-	"net"
 	"reflect"
 	"testing"
 	"time"
@ -56,50 +53,27 @@ var (
 )

 func generateCSR(t *testing.T, secretKey crypto.Signer, commonName string, dnsNames ...string) []byte {
-	// The CommonName of the certificate request must also be present in the DNS
-	// Names.
-	template := x509.CertificateRequest{
-		Subject: pkix.Name{
-			CommonName: commonName,
-		},
-		SignatureAlgorithm: x509.SHA256WithRSA,
-		DNSNames:           dnsNames,
-	}
-
-	csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, secretKey)
+	csr, err := gen.CSRWithSigner(secretKey,
+		gen.SetCSRCommonName(commonName),
+		gen.SetCSRDNSNames(dnsNames...),
+	)
 	if err != nil {
 		t.Fatal(err)
 	}

-	csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
-
 	return csr
 }

 func generateCSRWithIPs(t *testing.T, secretKey crypto.Signer, commonName string, dnsNames []string, ips []string) []byte {
-	// The CommonName of the certificate request must also be present in the DNS
-	// Names.
-
-	var certIPs []net.IP
-	for _, ip := range ips {
-		certIPs = append(certIPs, net.ParseIP(ip))
-	}
-	template := x509.CertificateRequest{
-		Subject: pkix.Name{
-			CommonName: commonName,
-		},
-		SignatureAlgorithm: x509.SHA256WithRSA,
-		DNSNames:           dnsNames,
-		IPAddresses:        certIPs,
-	}
-
-	csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, secretKey)
+	csr, err := gen.CSRWithSigner(secretKey,
+		gen.SetCSRCommonName(commonName),
+		gen.SetCSRDNSNames(dnsNames...),
+		gen.SetCSRIPAddressesFromStrings(ips...),
+	)
 	if err != nil {
 		t.Fatal(err)
 	}

-	csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
-
 	return csr
 }

--- a/pkg/controller/certificaterequests/ca/ca_test.go
+++ b/pkg/controller/certificaterequests/ca/ca_test.go
@ -23,8 +23,6 @@ import (
 	"crypto/rand"
 	"crypto/x509"
 	"crypto/x509/pkix"
-	"encoding/asn1"
-	"encoding/pem"
 	"errors"
 	"math"
 	"math/big"
@ -58,22 +56,14 @@ var (
 	fixedClock      = fakeclock.NewFakeClock(fixedClockStart)
 )

-func generateCSR(t *testing.T, secretKey crypto.Signer, sigAlg x509.SignatureAlgorithm) []byte {
-	asn1Subj, _ := asn1.Marshal(pkix.Name{
-		CommonName: "test",
-	}.ToRDNSequence())
-	template := x509.CertificateRequest{
-		RawSubject:         asn1Subj,
-		SignatureAlgorithm: sigAlg,
-	}
-
-	csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, secretKey)
+func generateCSR(t *testing.T, secretKey crypto.Signer) []byte {
+	csr, err := gen.CSRWithSigner(secretKey,
+		gen.SetCSRCommonName("test"),
+	)
 	if err != nil {
 		t.Fatal(err)
 	}

-	csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
-
 	return csr
 }

@ -124,7 +114,7 @@ func TestSign(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	testCSR := generateCSR(t, testpk, x509.ECDSAWithSHA256)
+	testCSR := generateCSR(t, testpk)

 	baseCRNotApproved := gen.CertificateRequest("test-cr",
 		gen.SetCertificateRequestIsCA(true),
@ -476,7 +466,7 @@ func TestCA_Sign(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	testCSR := generateCSR(t, testpk, x509.ECDSAWithSHA256)
+	testCSR := generateCSR(t, testpk)

 	tests := map[string]struct {
 		givenCASecret    *corev1.Secret
--- a/pkg/controller/certificaterequests/selfsigned/selfsigned_test.go
+++ b/pkg/controller/certificaterequests/selfsigned/selfsigned_test.go
@ -19,11 +19,7 @@ package selfsigned
 import (
 	"context"
 	"crypto"
-	"crypto/rand"
 	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/asn1"
-	"encoding/pem"
 	"errors"
 	"fmt"
 	"testing"
@ -53,23 +49,14 @@ var (
 	fixedClock      = fakeclock.NewFakeClock(fixedClockStart)
 )

-func generateCSR(t *testing.T, secretKey crypto.Signer, alg x509.SignatureAlgorithm, commonName string) []byte {
-	asn1Subj, _ := asn1.Marshal(pkix.Name{
-		CommonName: commonName,
-	}.ToRDNSequence())
-	template := x509.CertificateRequest{
-		RawSubject:         asn1Subj,
-		SignatureAlgorithm: alg,
-	}
-
-	csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, secretKey)
+func generateCSR(t *testing.T, secretKey crypto.Signer, commonName string) []byte {
+	csr, err := gen.CSRWithSigner(secretKey,
+		gen.SetCSRCommonName(commonName),
+	)
 	if err != nil {
-		t.Error(err)
-		t.FailNow()
+		t.Fatal(err)
 	}

-	csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
-
 	return csr
 }

@ -108,7 +95,7 @@ func TestSign(t *testing.T) {
 			corev1.TLSPrivateKeyKey: []byte("this is a bad key"),
 		},
 	}
-	csrRSAPEM := generateCSR(t, skRSA, x509.SHA256WithRSA, "test-rsa")
+	csrRSAPEM := generateCSR(t, skRSA, "test-rsa")

 	skEC, err := pki.GenerateECPrivateKey(256)
 	if err != nil {
@ -129,9 +116,9 @@ func TestSign(t *testing.T) {
 			corev1.TLSPrivateKeyKey: skECPEM,
 		},
 	}
-	csrECPEM := generateCSR(t, skEC, x509.ECDSAWithSHA256, "test-ec")
+	csrECPEM := generateCSR(t, skEC, "test-ec")

-	csrEmptyCertPEM := generateCSR(t, skEC, x509.ECDSAWithSHA256, "")
+	csrEmptyCertPEM := generateCSR(t, skEC, "")

 	baseCRNotApproved := gen.CertificateRequest("test-cr",
 		gen.SetCertificateRequestAnnotations(
--- a/pkg/controller/certificaterequests/sync_test.go
+++ b/pkg/controller/certificaterequests/sync_test.go
@ -22,8 +22,6 @@ import (
 	"crypto"
 	"crypto/rand"
 	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/asn1"
 	"encoding/pem"
 	"errors"
 	"testing"
@ -52,24 +50,14 @@ var (
 	fixedClock      = fakeclock.NewFakeClock(fixedClockStart)
 )

-func generateCSR(t *testing.T, secretKey crypto.Signer, alg x509.SignatureAlgorithm) []byte {
-	t.Helper()
-	asn1Subj, _ := asn1.Marshal(pkix.Name{
-		CommonName: "test",
-	}.ToRDNSequence())
-	template := x509.CertificateRequest{
-		RawSubject:         asn1Subj,
-		SignatureAlgorithm: alg,
-	}
-
-	csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, secretKey)
+func generateCSR(t *testing.T, secretKey crypto.Signer) []byte {
+	csr, err := gen.CSRWithSigner(secretKey,
+		gen.SetCSRCommonName("test"),
+	)
 	if err != nil {
-		t.Error(err)
-		t.FailNow()
+		t.Fatal(err)
 	}

-	csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
-
 	return csr
 }

@ -115,8 +103,8 @@ func TestSync(t *testing.T) {
 		t.FailNow()
 	}

-	csrRSAPEM := generateCSR(t, skRSA, x509.SHA256WithRSA)
-	csrECPEM := generateCSR(t, skEC, x509.ECDSAWithSHA256)
+	csrRSAPEM := generateCSR(t, skRSA)
+	csrECPEM := generateCSR(t, skEC)

 	baseIssuer := gen.Issuer("test-issuer",
 		gen.SetIssuerSelfSigned(cmapi.SelfSignedIssuer{}),
--- a/pkg/controller/certificaterequests/vault/vault_test.go
+++ b/pkg/controller/certificaterequests/vault/vault_test.go
@ -22,8 +22,6 @@ import (
 	"crypto"
 	"crypto/rand"
 	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/asn1"
 	"encoding/pem"
 	"errors"
 	"fmt"
@ -56,22 +54,13 @@ var (
 )

 func generateCSR(t *testing.T, secretKey crypto.Signer) []byte {
-	asn1Subj, _ := asn1.Marshal(pkix.Name{
-		CommonName: "test",
-	}.ToRDNSequence())
-	template := x509.CertificateRequest{
-		RawSubject:         asn1Subj,
-		SignatureAlgorithm: x509.SHA256WithRSA,
-	}
-
-	csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, secretKey)
+	csr, err := gen.CSRWithSigner(secretKey,
+		gen.SetCSRCommonName("test"),
+	)
 	if err != nil {
-		t.Error(err)
-		t.FailNow()
+		t.Fatal(err)
 	}

-	csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
-
 	return csr
 }

--- a/pkg/controller/certificaterequests/venafi/venafi_test.go
+++ b/pkg/controller/certificaterequests/venafi/venafi_test.go
@ -22,7 +22,6 @@ import (
 	"crypto/rand"
 	"crypto/x509"
 	"crypto/x509/pkix"
-	"encoding/pem"
 	"errors"
 	"math/big"
 	"testing"
@ -58,25 +57,15 @@ var (
 	fixedClock      = fakeclock.NewFakeClock(fixedClockStart)
 )

-func generateCSR(t *testing.T, secretKey crypto.Signer, alg x509.SignatureAlgorithm) []byte {
-	template := x509.CertificateRequest{
-		Subject: pkix.Name{
-			CommonName: "test-common-name",
-		},
-		DNSNames: []string{
-			"foo.example.com", "bar.example.com",
-		},
-		SignatureAlgorithm: alg,
-		PublicKey:          secretKey.Public(),
-	}
-
-	csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, secretKey)
+func generateCSR(t *testing.T, secretKey crypto.Signer) []byte {
+	csr, err := gen.CSRWithSigner(secretKey,
+		gen.SetCSRCommonName("test-common-name"),
+		gen.SetCSRDNSNames("foo.example.com", "bar.example.com"),
+	)
 	if err != nil {
 		t.Fatal(err)
 	}

-	csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
-
 	return csr
 }

@ -116,7 +105,7 @@ func TestSign(t *testing.T) {
 		t.Fatal(err)
 	}

-	csrPEM := generateCSR(t, testPK, x509.ECDSAWithSHA256)
+	csrPEM := generateCSR(t, testPK)

 	tppSecret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
--- a/pkg/controller/certificatesigningrequests/ca/ca_test.go
+++ b/pkg/controller/certificatesigningrequests/ca/ca_test.go
@ -23,7 +23,6 @@ import (
 	"crypto/rand"
 	"crypto/x509"
 	"crypto/x509/pkix"
-	"encoding/pem"
 	"errors"
 	"math"
 	"math/big"
@ -59,19 +58,13 @@ var (
 	fixedClock      = fakeclock.NewFakeClock(fixedClockStart)
 )

-func generateCSR(t *testing.T, secretKey crypto.Signer, sigAlg x509.SignatureAlgorithm) []byte {
-	template := x509.CertificateRequest{
-		Subject: pkix.Name{
-			CommonName: "test",
-		},
-		SignatureAlgorithm: sigAlg,
-	}
-
-	csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, secretKey)
+func generateCSR(t *testing.T, secretKey crypto.Signer) []byte {
+	csr, err := gen.CSRWithSigner(secretKey,
+		gen.SetCSRCommonName("test"),
+	)
 	if err != nil {
 		t.Fatal(err)
 	}
-	csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})

 	return csr
 }
@ -124,7 +117,7 @@ func TestSign(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	testCSR := generateCSR(t, testpk, x509.ECDSAWithSHA256)
+	testCSR := generateCSR(t, testpk)

 	baseCSRNotApproved := gen.CertificateSigningRequest("test-cr",
 		gen.SetCertificateSigningRequestIsCA(true),
@ -606,7 +599,7 @@ func TestCA_Sign(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	testCSR := generateCSR(t, testpk, x509.ECDSAWithSHA256)
+	testCSR := generateCSR(t, testpk)

 	tests := map[string]struct {
 		givenCASecret    *corev1.Secret
--- a/pkg/controller/certificatesigningrequests/selfsigned/selfsigned_test.go
+++ b/pkg/controller/certificatesigningrequests/selfsigned/selfsigned_test.go
@ -19,10 +19,7 @@ package selfsigned
 import (
 	"context"
 	"crypto"
-	"crypto/rand"
 	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/pem"
 	"errors"
 	"math"
 	"testing"
@ -69,18 +66,10 @@ func mustCryptoBundle(t *testing.T) cryptoBundle {
 		t.Fatal(err)
 	}

-	template := x509.CertificateRequest{
-		Subject: pkix.Name{
-			CommonName: "test",
-		},
-		SignatureAlgorithm: x509.ECDSAWithSHA256,
-	}
-
-	csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, key)
+	csrPEM, err := gen.CSRWithSigner(key, gen.SetCSRCommonName("test"))
 	if err != nil {
 		t.Fatal(err)
 	}
-	csrPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})

 	keyPEM, err := pki.EncodePKCS8PrivateKey(key)
 	if err != nil {
--- a/pkg/issuer/venafi/client/request_test.go
+++ b/pkg/issuer/venafi/client/request_test.go
@ -18,10 +18,6 @@ package client

 import (
 	"crypto"
-	"crypto/rand"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/pem"
 	"errors"
 	"testing"
 	"time"
@ -34,6 +30,7 @@ import (
 	internalfake "github.com/cert-manager/cert-manager/pkg/issuer/venafi/client/fake"
 	"github.com/cert-manager/cert-manager/pkg/util"
 	"github.com/cert-manager/cert-manager/pkg/util/pki"
+	"github.com/cert-manager/cert-manager/test/unit/gen"
 )

 func checkCertificateIssued(t *testing.T, csrPEM []byte, resp []byte) {
@ -77,22 +74,15 @@ func checkCertificateIssued(t *testing.T, csrPEM []byte, resp []byte) {
 	}
 }

-func generateCSR(t *testing.T, sk crypto.Signer, commonName string, dnsNames []string) []byte {
-	template := x509.CertificateRequest{
-		Subject: pkix.Name{
-			CommonName: commonName,
-		},
-		SignatureAlgorithm: x509.SHA256WithRSA,
-		DNSNames:           dnsNames,
-	}
-
-	csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, sk)
+func generateCSR(t *testing.T, secretKey crypto.Signer, commonName string, dnsNames []string) []byte {
+	csr, err := gen.CSRWithSigner(secretKey,
+		gen.SetCSRCommonName(commonName),
+		gen.SetCSRDNSNames(dnsNames...),
+	)
 	if err != nil {
-		t.Error(err)
-		t.FailNow()
+		t.Fatal(err)
 	}

-	csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
 	return csr
 }

--- a/test/e2e/suite/issuers/selfsigned/fixtures.go
+++ b/test/e2e/suite/issuers/selfsigned/fixtures.go
@ -18,18 +18,12 @@ package selfsigned

 import (
 	"crypto"
-	"crypto/rand"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/asn1"
-	"encoding/pem"
-	"net"
-	"net/url"

 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

 	"github.com/cert-manager/cert-manager/pkg/util/pki"
+	"github.com/cert-manager/cert-manager/test/unit/gen"
 )

 var rootRSAKeySigner, rootECKeySigner, rootEd25519Signer crypto.Signer
@ -107,7 +101,7 @@ func newPrivateKeySecret(name, namespace string, keyData []byte) *corev1.Secret
 }

 func generateRSACSR() ([]byte, error) {
-	csr, err := generateCSR(rootRSAKeySigner, x509.SHA256WithRSA)
+	csr, err := generateCSR(rootRSAKeySigner)
 	if err != nil {
 		return nil, err
 	}
@ -116,7 +110,7 @@ func generateRSACSR() ([]byte, error) {
 }

 func generateECCSR() ([]byte, error) {
-	csr, err := generateCSR(rootECKeySigner, x509.ECDSAWithSHA256)
+	csr, err := generateCSR(rootECKeySigner)
 	if err != nil {
 		return nil, err
 	}
@ -125,7 +119,7 @@ func generateECCSR() ([]byte, error) {
 }

 func generateEd25519CSR() ([]byte, error) {
-	csr, err := generateCSR(rootEd25519Signer, x509.PureEd25519)
+	csr, err := generateCSR(rootEd25519Signer)
 	if err != nil {
 		return nil, err
 	}
@ -133,40 +127,16 @@ func generateEd25519CSR() ([]byte, error) {
 	return csr, nil
 }

-func generateCSR(privateKey crypto.Signer, alg x509.SignatureAlgorithm) ([]byte, error) {
-	var uris []*url.URL
-	for _, uri := range []string{
-		"spiffe://foo.foo.example.net",
-		"spiffe://foo.bar.example.net",
-	} {
-		parsed, err := url.Parse(uri)
-		if err != nil {
-			return nil, err
-		}
-		uris = append(uris, parsed)
-	}
-
-	asn1Subj, _ := asn1.Marshal(pkix.Name{
-		CommonName: "my-common-name",
-	}.ToRDNSequence())
-	template := x509.CertificateRequest{
-		RawSubject:         asn1Subj,
-		SignatureAlgorithm: alg,
-		URIs:               uris,
-
-		DNSNames: []string{"dnsName1.co", "dnsName2.ninja"},
-		IPAddresses: []net.IP{
-			[]byte{8, 8, 8, 8},
-			[]byte{1, 1, 1, 1},
-		},
-	}
-
-	csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, privateKey)
+func generateCSR(secretKey crypto.Signer) ([]byte, error) {
+	csr, err := gen.CSRWithSigner(secretKey,
+		gen.SetCSRCommonName("my-common-name"),
+		gen.SetCSRURIsFromStrings("spiffe://foo.foo.example.net", "spiffe://foo.bar.example.net"),
+		gen.SetCSRDNSNames("dnsName1.co", "dnsName2.ninja"),
+		gen.SetCSRIPAddresses([]byte{8, 8, 8, 8}, []byte{1, 1, 1, 1}),
+	)
 	if err != nil {
 		return nil, err
 	}

-	csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
-
 	return csr, nil
 }
--- a/test/integration/ctl/ctl_status_certificate_test.go
+++ b/test/integration/ctl/ctl_status_certificate_test.go
@ -18,11 +18,6 @@ package ctl

 import (
 	"context"
-	"crypto/rand"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/asn1"
-	"encoding/pem"
 	"fmt"
 	"regexp"
 	"strings"
@ -54,20 +49,14 @@ func generateCSR(t *testing.T) []byte {
 	if err != nil {
 		t.Fatal(err)
 	}
-	asn1Subj, _ := asn1.Marshal(pkix.Name{
-		CommonName: "test",
-	}.ToRDNSequence())
-	template := x509.CertificateRequest{
-		RawSubject: asn1Subj,
-	}

-	csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, skRSA)
+	csr, err := gen.CSRWithSigner(skRSA,
+		gen.SetCSRCommonName("test"),
+	)
 	if err != nil {
 		t.Fatal(err)
 	}

-	csr := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
-
 	return csr
 }

--- a/test/unit/gen/csr.go
+++ b/test/unit/gen/csr.go
@ -18,6 +18,10 @@ package gen

 import (
 	"crypto"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/elliptic"
+	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
@ -27,32 +31,68 @@ import (
 	"github.com/cert-manager/cert-manager/pkg/util/pki"
 )

-type CSRModifier func(*x509.CertificateRequest)
+type CSRModifier func(*x509.CertificateRequest) error

 func CSR(keyAlgorithm x509.PublicKeyAlgorithm, mods ...CSRModifier) (csr []byte, sk crypto.Signer, err error) {
-	var signatureAlgorithm x509.SignatureAlgorithm
-
 	switch keyAlgorithm {
 	case x509.RSA:
-		sk, err = pki.GenerateRSAPrivateKey(2048)
+		sk, err = pki.GenerateRSAPrivateKey(pki.MinRSAKeySize)
 		if err != nil {
 			return nil, nil, err
 		}
-		signatureAlgorithm = x509.SHA256WithRSA
 	case x509.ECDSA:
 		sk, err = pki.GenerateECPrivateKey(pki.ECCurve256)
 		if err != nil {
 			return nil, nil, err
 		}
-		signatureAlgorithm = x509.ECDSAWithSHA256
 	case x509.Ed25519:
 		sk, err = pki.GenerateEd25519PrivateKey()
 		if err != nil {
 			return nil, nil, err
 		}
+	default:
+		return nil, nil, fmt.Errorf("unrecognised key algorithm: %s", keyAlgorithm)
+	}
+
+	csr, err = CSRWithSigner(sk, mods...)
+	return
+}
+
+func CSRWithSigner(sk crypto.Signer, mods ...CSRModifier) (csr []byte, err error) {
+	var keyAlgorithm x509.PublicKeyAlgorithm
+	var signatureAlgorithm x509.SignatureAlgorithm
+
+	switch pub := sk.Public().(type) {
+	case *rsa.PublicKey:
+		keyAlgorithm = x509.RSA
+		keySize := pub.N.BitLen()
+		switch {
+		case keySize >= 4096:
+			signatureAlgorithm = x509.SHA512WithRSA
+		case keySize >= 3072:
+			signatureAlgorithm = x509.SHA384WithRSA
+		case keySize >= 2048:
+			signatureAlgorithm = x509.SHA256WithRSA
+		default:
+			signatureAlgorithm = x509.SHA1WithRSA
+		}
+	case *ecdsa.PublicKey:
+		keyAlgorithm = x509.ECDSA
+		switch pub.Curve {
+		case elliptic.P256():
+			signatureAlgorithm = x509.ECDSAWithSHA256
+		case elliptic.P384():
+			signatureAlgorithm = x509.ECDSAWithSHA384
+		case elliptic.P521():
+			signatureAlgorithm = x509.ECDSAWithSHA512
+		default:
+			signatureAlgorithm = x509.ECDSAWithSHA1
+		}
+	case ed25519.PublicKey:
+		keyAlgorithm = x509.Ed25519
 		signatureAlgorithm = x509.PureEd25519
 	default:
-		return nil, nil, fmt.Errorf("unrecognised key algorithm: %s", err)
+		return nil, fmt.Errorf("unrecognised public key type: %T", sk)
 	}

 	cr := &x509.CertificateRequest{
@ -62,12 +102,15 @@ func CSR(keyAlgorithm x509.PublicKeyAlgorithm, mods ...CSRModifier) (csr []byte,
 		PublicKey:          sk.Public(),
 	}
 	for _, mod := range mods {
-		mod(cr)
+		err = mod(cr)
+		if err != nil {
+			return
+		}
 	}

 	csrBytes, err := pki.EncodeCSR(cr, sk)
 	if err != nil {
-		return nil, nil, err
+		return nil, err
 	}
 	csr = pem.EncodeToMemory(&pem.Block{
 		Type: "CERTIFICATE REQUEST", Bytes: csrBytes,
@ -76,31 +119,62 @@ func CSR(keyAlgorithm x509.PublicKeyAlgorithm, mods ...CSRModifier) (csr []byte,
 }

 func SetCSRDNSNames(dnsNames ...string) CSRModifier {
-	return func(c *x509.CertificateRequest) {
+	return func(c *x509.CertificateRequest) error {
 		c.DNSNames = dnsNames
+		return nil
 	}
 }

 func SetCSRIPAddresses(ips ...net.IP) CSRModifier {
-	return func(c *x509.CertificateRequest) {
+	return func(c *x509.CertificateRequest) error {
 		c.IPAddresses = ips
+		return nil
+	}
+}
+
+func SetCSRIPAddressesFromStrings(ips ...string) CSRModifier {
+	return func(c *x509.CertificateRequest) error {
+		var certIPs []net.IP
+		for _, ip := range ips {
+			certIPs = append(certIPs, net.ParseIP(ip))
+		}
+		c.IPAddresses = certIPs
+		return nil
 	}
 }

 func SetCSRURIs(uris ...*url.URL) CSRModifier {
-	return func(c *x509.CertificateRequest) {
+	return func(c *x509.CertificateRequest) error {
 		c.URIs = uris
+		return nil
+	}
+}
+
+func SetCSRURIsFromStrings(uris ...string) CSRModifier {
+	return func(c *x509.CertificateRequest) error {
+		var certUris []*url.URL
+		for _, uri := range uris {
+			parsed, err := url.Parse(uri)
+			if err != nil {
+				return err
+			}
+			certUris = append(certUris, parsed)
+		}
+		c.URIs = certUris
+		return nil
 	}
 }

 func SetCSRCommonName(commonName string) CSRModifier {
-	return func(c *x509.CertificateRequest) {
+	return func(c *x509.CertificateRequest) error {
 		c.Subject.CommonName = commonName
+		return nil
 	}
 }

 func SetCSREmails(emails []string) CSRModifier {
-	return func(c *x509.CertificateRequest) {
+	return func(c *x509.CertificateRequest) error {
 		c.EmailAddresses = emails
+		return nil
 	}
 }