forked from kubernetes/ingress-gce
-
Notifications
You must be signed in to change notification settings - Fork 0
/
tls.go
103 lines (82 loc) · 2.78 KB
/
tls.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
/*
Copyright 2018 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package app
import (
"bytes"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"io/ioutil"
"math/big"
"time"
"github.com/golang/glog"
)
// createCert creates a certificate and key in temporary files and returns their paths.
func createCert() (certFilePath string, keyFilepath string) {
cert, key, err := generateInsecureCertAndKey("echo", time.Now(), F.CertificateLifeSpan)
if err != nil {
glog.Fatal(err)
}
tmpCert, err := ioutil.TempFile("", "server.crt")
if err != nil {
glog.Fatal(err)
}
tmpKey, err := ioutil.TempFile("", "server.key")
if err != nil {
glog.Fatal(err)
}
if err := ioutil.WriteFile(tmpCert.Name(), cert, 0644); err != nil {
glog.Fatal(err)
}
if err := ioutil.WriteFile(tmpKey.Name(), key, 0644); err != nil {
glog.Fatal(err)
}
return tmpCert.Name(), tmpKey.Name()
}
const rsaBits = 2048
// https://golang.org/src/crypto/tls/generate_cert.go
func generateInsecureCertAndKey(organization string, validFrom time.Time, validFor time.Duration) (cert, key []byte, err error) {
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
glog.Fatalf("failed to generate serial number: %s", err)
}
validUntill := validFrom.Add(validFor)
priv, err := rsa.GenerateKey(rand.Reader, rsaBits)
if err != nil {
glog.Fatalf("failed to generate private key: %s", err)
}
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
Organization: []string{organization},
},
NotBefore: validFrom,
NotAfter: validUntill,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
}
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
if err != nil {
glog.Fatalf("Failed to create certificate: %s", err)
}
var certBytes bytes.Buffer
pem.Encode(&certBytes, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
var keyBytes bytes.Buffer
pb := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}
pem.Encode(&keyBytes, pb)
return certBytes.Bytes(), keyBytes.Bytes(), nil
}