see also https://github.com/jetstack/cert-manager/issues/4142
EncodeX509Chain checked for self-signed certs by comparing the subject
and issuer of the cert in question, which is invalid since it's
perfectly fine for those to match.
The correct behavior is to use cert.CheckSignatureFrom(cert). This bug
was exposed in 1.4 when ParseSingleCertificateChain started using
EncodeX509Chain in the critical path of several issuers; when end-users
had leaf certificates with subjects matching their issuer's subject, the
bug was triggered.
Includes newly written tests for EncodeX509Chain and a test for
ParseSingleCertificateChain
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
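The flawed name-based check and the corrected signature-based check side by side, as an added Go example that is not cert-manager's own code. It builds a constructed CA and a leaf with the same subject, the scenario the commit describes; `newCert` and the classify functions are helpers introduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// isSelfSignedByName is the flawed check the commit describes: Subject equal to
// Issuer is taken to mean self-signed, which also holds for any leaf whose
// subject happens to match its CA's subject.
func isSelfSignedByName(c *x509.Certificate) bool {
	return c.Subject.String() == c.Issuer.String()
}

// isSelfSigned is the corrected check: the certificate's own public key must
// verify its signature. CheckSignatureFrom also enforces the parent's cA basic
// constraint and certSign key usage, so a self-signed end-entity certificate
// without cA=true is deliberately not reported as self-signed here.
func isSelfSigned(c *x509.Certificate) bool {
	return c.CheckSignatureFrom(c) == nil
}

// newCert builds a P-256 certificate with the given subject. With parent == nil
// it signs itself; otherwise it is signed by parentKey. Constructed test
// material only, not a real PKI.
func newCert(serial int64, subject pkix.Name, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer := key
	if parent == nil {
		parent = tmpl // self-signed: the template is its own issuer
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// classifySelfSignedCA returns (flawed result, correct result) for a root CA;
// both checks agree it is self-signed.
func classifySelfSignedCA() (bool, bool, error) {
	ca, _, err := newCert(1, pkix.Name{CommonName: "example-pki"}, true, nil, nil)
	if err != nil {
		return false, false, err
	}
	return isSelfSignedByName(ca), isSelfSigned(ca), nil
}

// classifyLeafSharingIssuerSubject reproduces the reported scenario: a leaf
// issued by a CA whose subject equals the leaf's own subject. The name check
// wrongly says self-signed; the signature check says not.
func classifyLeafSharingIssuerSubject() (bool, bool, error) {
	name := pkix.Name{CommonName: "example-pki"}
	ca, caKey, err := newCert(1, name, true, nil, nil)
	if err != nil {
		return false, false, err
	}
	leaf, _, err := newCert(2, name, false, ca, caKey)
	if err != nil {
		return false, false, err
	}
	return isSelfSignedByName(leaf), isSelfSigned(leaf), nil
}

func main() {
	byName, bySig, _ := classifyLeafSharingIssuerSubject()
	fmt.Println("leaf sharing its issuer's subject: name check", byName, "signature check", bySig)
}
```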
Note that using ed25519 on the public internet is not currently
recommended, since it's not widely supported. You'd likely not be able
to use an Ed25519 cert with an ACME issuer today.
Ed25519 certs might be useful for internal PKI, though - an ed25519 CA
issuer, say - or for testing ed25519 certs before they become more
widely available on the public internet. They're not currently
supported by Vault, Venafi or ACME (Letsencrypt) issuers.
Signed-off-by: Anner J. Bonilla <abonilla@hoyosintegrity.com>
Signed-off-by: Anner J. Bonilla <annerjb@gmail.com>
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
Also adds/improves doc comments on related functions, and adds tests of
comparisons of RSA keys and ECDSA keys. These tests failed as expected
before the function was changed, e.g.:
```text
Executing tests from //pkg/util/pki:go_default_test
---------------------------------------------------
--- FAIL: TestPublicKeysEqualECDSA (0.00s)
generate_test.go:492: got an incorrect match from different curves:
pub1 type: "P-256"
pub2 type: "P-521"
--- FAIL: TestPublicKeysEqualRSA (0.00s)
generate_test.go:560: got an incorrect match from different RSA keys:
pub1: &rsa.PublicKey{N:2293...<snip>...8869, E:65537}
pub2: &rsa.PublicKey{N:2293...<snip>...8869, E:3}
```
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
As discussed in #3847, I went too fast and /lgtm from my bed. That led
to having a piece of code that could potentially break people's
cert-manager deployments.
Our plan is to have the same PR re-opened so that we can have it
released for v1.4 (due on Friday 11 June 2021 as per our timeline).
Signed-off-by: Maël Valais <mael@vls.dev>
It's conceivable that in the future we could have Ed25519 certs,
which would also have a key size of 256 but would be a new named entry
here
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
Found by running this command:
codespell -S .git,*.png,go.sum -L keypair,iam,ans,unknwon,tage,ths,creater
Signed-off-by: Mateusz Gozdek <mgozdekof@gmail.com>
Enable users to request x509 key usages and extended key usages when
defining a certificate or certificate signing request
fixes: #301
Signed-off-by: stuart.warren <stuart.warren@ocado.com>
* Added KeyEncoding spec value to Certificate type.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Added validation for Certificate Spec field KeyEncoding.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Added Encoding PKCS8 function for encoding private keys in generate.go.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Modified the call to the private key encoding function for each issuer in issue.go to pass in the extra KeyEncoding field.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Added case for decoding pkcs8 key.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Converting decoded PKCS8 key into crypto.Signer.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Added debugging log statements for decoding private keys.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Log messages for decoding private keys.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Added logs for decoding private keys.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Added debug logs.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Add debug logs.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Modified keys package.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Changed the key converter to the ssh package.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Testing decoding as pkcs1 key instead.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Trying to convert to crypto.Signer for PKCS8.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Converting to rsa.PrivateKey.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Changed return to type private key.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Changing parsing.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Cleaned up logs.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Removed logging info.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Removed debug logging.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Fix parse test for new pkcs8 support.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Removed extra lines.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Removed extra lines and spaces.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Removed duplicate PKCS8 functions.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Changed the KeyEncoding field from an int to a string.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Changed issue.go for issuers to pass in the certificate when encoding private key.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Corrected capitalization of Spec.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Changed the error message to use the correct variable.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Fixed selfsigned issue.go to pass in certificate object instead of the keyEncoding.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Changed error format.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Changed test to pass in certificate variable into encoding private key function.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Fixed syntax issue.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Changed parameter for encode private key function in parse_test.go.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Fixed parse test for encode private key function.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Removed invalid syntax.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Moved the if statement.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Cleaned up go-fmt errors.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Ran bazel run //hack:update-reference-docs.
Signed-off-by: Crystal Chun <crystalchun@crystals-mbp.raleigh.ibm.com>
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Changed encode private key to take keyEncoding instead of certificate.
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Removed setting keyEncoding for ca issue test.
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Fixing passing in the correct type for encoding private key.
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Fixing passing in the correct type for encoding private key.
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Fixed parameter passed into encode private key for parse test.
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Added unit test for encoding different private key types.
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Removed key encoding field from existing test.
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Removed syntax error for declaring constant.
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Moving private key all to one line.
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Added commas after each test case and changed the private key to a pkcs1 rsa private key.
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Fixed test errors.
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Added default error.
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Predefined actualEncoding variable.
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Undeclared actualEncoding variable.
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Declared actualEncoding variable to nil.
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Declared actualEncoding variable to empty key encoding type.
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Fixed unit test.
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Ran update go-fmt.
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Added e2e test for pkcs8 certificate.
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Removed unused variable.
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Creating issue in pkcs8 e2e test.
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Fixing no new variables on the left side of := for err variable.
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* Updated docs to mention the key encoding field.
Signed-off-by: Crystal Chun <crystalchun@Crystals-MacBook-Pro.local>
* change venafi issuer to support different cert encoding
Signed-off-by: Daniel Morsing <dmo@jetstack.io>
* update crds
Signed-off-by: Daniel Morsing <dmo@jetstack.io>
Allow a user to provide an entire certificate chain to the ca issuer. Include that chain in all generated certificates
Signed-off-by: Mike Bryant <m@ocado.com>
* Configurable issuer duration and renewBefore [1/3]
This is part one of (probably) three parts manually moving the changes from commit 723015174a167d746323f506ab3575cfb243d8bd to the new master. This commit moves the basic functionality of configurable duration while skipping e2e tests and docs. It does not include new work.
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Configurable issuer duration and renewBefore [2/3]
This commit moves over most of the e2e testing updates, some things are intentionally left out as they may be obsolete
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Configurable issuer duration and renewBefore [3/3]
This commit moves the documentation changes, completing the migration of the original code to the latest master
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Rerunning all hack scripts since the massive bazel update
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Add missing boilerplate headers
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Rerun codegen hack
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Rerunning update-docs hack
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Fix failing unit tests
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Fix build errors in e2e tests
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Rerun update-deps
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Don't recreate the CA issuer, it already exists
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Need to create new issuers for the duration and renew time tests because those fields are set in the issuer, so make sure they are named uniquely
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Add duration e2e tests for self-signed issuer
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Add duration e2e tests for vault w/ custom mount path
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Add validation to disallow acme certificates with duration and renewBefore set and update unit tests to verify
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Update docs to mention duration/renew for self-signed issuer and fix potential parsing errors with rst formatting
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Self-signed issuer was missing duration validation
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Fix a bug causing certificates with a short enough renew-before w.r.t their duration to be renewed instantly and forever
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Print the exact time until renewal
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Move duration and renewal validation to the issuer validation
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Update e2e tests to work with new validation
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Add e2e test for the self-signed issuer
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Redo cert duration and renew before to appear as part of the CSR and not the issuer
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Updating tests to match new duration/renewbefore format
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Update e2e tests to match new format
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Update docs to reflect changing the field from issuers to certificates
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Remove event firing and replace with a TODO as of discussion on PR
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Run hack scripts
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Remove the sync unit test since without events there is no way to catch the warnings that it was testing
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Use IssuerOptions RenewBeforeExpiryDuration if certificates don't set a renewBefore value for immediate renewal checks
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Delete check on certificate data length in e2e test for certificate duration as there is no reason it should be there
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Update e2e tests since certificate creation will never generate an event
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Rerunning hack scripts after big rebase
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Fix a few problems that slipped through during the rebase
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Fix an e2e error that resulted from the rebase
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Add unit test for the calculateTimeBeforeExpiry function
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Adding back in a bunch of missing error checks
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Remove unused function
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Add missing boilerplate
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Remove unused constant
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Move log constants to function body
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Rerun hack scripts
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Remove mistakenly committed file
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Remove double-import of util package
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Fix bad function call in e2e vault issuer
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Change duration and renewBefore to be pointer fields as they are optional
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Remove wrong vault issuer test that got past the rebase somehow
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Change e2e to use pointer format
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Move e2e cert tests out of issuer test file
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Move e2e self-signed issuer test to new location
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Make sure to check for nil in GenerateTemplate
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Add more empty checks to be safe
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Rerunning hacks after rebase
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Fix bad function call in new e2e test
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Try not setting duration and renewbefore on acme e2e tests
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Zero checks should really just be replaced by nil tests, zero should be caught as any other too-small value
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Fixed a missing nil check that got away
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Change e2e duration test format to use pointer times to better simulate API calls
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Fix sync unit test to match e2e test format
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Fix vault e2e test
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
* Revert changes to Certificate sync function
Signed-off-by: James Munnelly <james@munnelly.eu>
* Remove selfsigned e2e issuer.go
Signed-off-by: James Munnelly <james@munnelly.eu>
* Don't use ACME issuer in duration example and tidy up line endings
Signed-off-by: James Munnelly <james@munnelly.eu>
* Allow renewBefore to be set on ACME certificates
Signed-off-by: James Munnelly <james@munnelly.eu>
* Update renewBefore ACME docs. Remove unused fields.
Signed-off-by: James Munnelly <james@munnelly.eu>
* Rename calculateTimeBeforeExpiry to calculateDurationUntilRenew
Signed-off-by: James Munnelly <james@munnelly.eu>
- This PR adds two fields to CertificateSpec:
- `keyAlgorithm`, denotes which algorithm to use when generating
a private key. Can be either `rsa` or `ecdsa`. When not set, the
default algorithm used is `rsa`.
- `keySize`, denotes the key size of the private key being generated.
For `rsa`, minimum key size is 2048 and maximum is 8192.
For `ecdsa`, sizes 224, 256, 384 & 521 are supported.
See https://golang.org/pkg/crypto/elliptic
- `keySize` can be set without being explicit about `keyAlgorithm`.
- If `keySize` is specified and `keyAlgorithm` is not provided, `rsa` will
be used as the key algorithm.
- `keyAlgorithm` can be set without being explicit about `keySize`.
- If `keyAlgorithm` is specified and `keySize` is not provided, a key size
of `256` will be used for the `ecdsa` key algorithm and a key size of
`2048` will be used for the `rsa` key algorithm.
- helper functions in `pki` package now return crypto.PrivateKey
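An added Go example (not cert-manager's own code) implementing the defaulting and validation rules listed above. The mapping from `keySize` to the P-224/P-256/P-384/P-521 curves follows the crypto/elliptic reference cited; `keyBitSize` is a hypothetical helper introduced here to check what was generated.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
)

// Defaults and limits as stated in the PR description.
const (
	defaultRSAKeySize   = 2048
	defaultECDSAKeySize = 256
	minRSAKeySize       = 2048
	maxRSAKeySize       = 8192
)

// curveForSize maps the supported ecdsa keySize values onto Go's named curves.
func curveForSize(size int) (elliptic.Curve, error) {
	switch size {
	case 224:
		return elliptic.P224(), nil
	case 256:
		return elliptic.P256(), nil
	case 384:
		return elliptic.P384(), nil
	case 521:
		return elliptic.P521(), nil
	}
	return nil, fmt.Errorf("unsupported ecdsa keySize %d (want 224, 256, 384 or 521)", size)
}

// resolveKeyParams applies the defaulting rules: an empty keyAlgorithm means
// rsa, and a zero keySize means 2048 for rsa or 256 for ecdsa. It then enforces
// the size limits for the chosen algorithm.
func resolveKeyParams(keyAlgorithm string, keySize int) (string, int, error) {
	if keyAlgorithm == "" {
		keyAlgorithm = "rsa"
	}
	switch keyAlgorithm {
	case "rsa":
		if keySize == 0 {
			keySize = defaultRSAKeySize
		}
		if keySize < minRSAKeySize || keySize > maxRSAKeySize {
			return "", 0, fmt.Errorf("rsa keySize %d outside [%d, %d]", keySize, minRSAKeySize, maxRSAKeySize)
		}
	case "ecdsa":
		if keySize == 0 {
			keySize = defaultECDSAKeySize
		}
		if _, err := curveForSize(keySize); err != nil {
			return "", 0, err
		}
	default:
		return "", 0, fmt.Errorf("unsupported keyAlgorithm %q (want rsa or ecdsa)", keyAlgorithm)
	}
	return keyAlgorithm, keySize, nil
}

// generatePrivateKey resolves the parameters and returns the new key as a
// crypto.PrivateKey, the return type the pki helpers now use.
func generatePrivateKey(keyAlgorithm string, keySize int) (crypto.PrivateKey, error) {
	alg, size, err := resolveKeyParams(keyAlgorithm, keySize)
	if err != nil {
		return nil, err
	}
	if alg == "rsa" {
		return rsa.GenerateKey(rand.Reader, size)
	}
	curve, _ := curveForSize(size) // already validated above
	return ecdsa.GenerateKey(curve, rand.Reader)
}

// keyBitSize is a hypothetical helper used here to check what was generated.
func keyBitSize(key crypto.PrivateKey) (int, error) {
	switch k := key.(type) {
	case *rsa.PrivateKey:
		return k.N.BitLen(), nil
	case *ecdsa.PrivateKey:
		return k.Curve.Params().BitSize, nil
	}
	return 0, fmt.Errorf("unexpected key type %T", key)
}

func main() {
	alg, size, err := resolveKeyParams("", 0)
	fmt.Println(alg, size, err) // rsa 2048 <nil>
	_, _, err = resolveKeyParams("rsa", 1024)
	fmt.Println(err) // rsa keySize 1024 outside [2048, 8192]
}
```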
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).
Improve validation of certificates. Fix bug in checking certificate validity
**What this PR does / why we need it**:
Improves the validation of dnsNames and commonNames on certificate resources.
Fixes a bug in checking certificate validity.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #176, fixes #175
**Release note**:
```release-note
Fix a bug in checking certificate validity and improve validation of dnsNames and commonName
```