cryptutil: generate certificates from deriveca (#3992)

2025-05-06 05:46:05 +02:00 · 2023-02-23 08:38:56 -07:00 · 2023-02-23 08:38:56 -07:00 · d2b732243a
commit d2b732243a
parent 00c047b114
8 changed files with 28 additions and 62 deletions
--- a/config/config.go
+++ b/config/config.go
@ -189,8 +189,13 @@ func (cfg *Config) GetCertificateForServerName(serverName string) (*tls.Certific
 		return &cert, nil
 	}
 	sharedKey, err := cfg.Options.GetSharedKey()
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate cert, invalid shared key: %w", err)
 	}
 	// finally fall back to a generated, self-signed certificate
-	return cryptutil.GenerateSelfSignedCertificate(serverName)
+	return cryptutil.GenerateCertificate(sharedKey, serverName)
 }
 // WillHaveCertificateForServerName returns true if there will be a certificate for the given server name.
--- a/config/config_test.go
+++ b/config/config_test.go
@ -11,7 +11,7 @@ import (
 func TestConfig_GetCertificateForServerName(t *testing.T) {
 	gen := func(t *testing.T, serverName string) *tls.Certificate {
-		cert, err := cryptutil.GenerateSelfSignedCertificate(serverName)
+		cert, err := cryptutil.GenerateCertificate(nil, serverName)
 		if !assert.NoError(t, err, "error generating certificate for: %s", serverName) {
 			t.FailNow()
 		}
--- a/config/envoyconfig/listeners_test.go
+++ b/config/envoyconfig/listeners_test.go
@ -211,7 +211,7 @@ func Test_buildDownstreamTLSContext(t *testing.T) {
 }
 func Test_getAllDomains(t *testing.T) {
-	cert, err := cryptutil.GenerateSelfSignedCertificate("*.unknown.example.com")
+	cert, err := cryptutil.GenerateCertificate(nil, "*.unknown.example.com")
 	require.NoError(t, err)
 	certPEM, keyPEM, err := cryptutil.EncodeCertificate(cert)
 	require.NoError(t, err)
--- a/config/envoyconfig/tls_test.go
+++ b/config/envoyconfig/tls_test.go
@ -46,7 +46,7 @@ func TestBuildSubjectNameIndication(t *testing.T) {
 }
 func TestValidateCertificate(t *testing.T) {
-	cert, err := cryptutil.GenerateSelfSignedCertificate("example.com", func(tpl *x509.Certificate) {
+	cert, err := cryptutil.GenerateCertificate(nil, "example.com", func(tpl *x509.Certificate) {
 		// set the must staple flag on the cert
 		tpl.ExtraExtensions = append(tpl.ExtraExtensions, pkix.Extension{
 			Id: oidMustStaple,
--- a/config/options_test.go
+++ b/config/options_test.go
@ -722,14 +722,14 @@ func TestOptions_ApplySettings(t *testing.T) {
 	t.Run("certificates", func(t *testing.T) {
 		options := NewDefaultOptions()
-		cert1, err := cryptutil.GenerateSelfSignedCertificate("example.com")
+		cert1, err := cryptutil.GenerateCertificate(nil, "example.com")
 		require.NoError(t, err)
 		options.CertificateFiles = append(options.CertificateFiles, certificateFilePair{
 			CertFile: base64.StdEncoding.EncodeToString(encodeCert(cert1)),
 		})
-		cert2, err := cryptutil.GenerateSelfSignedCertificate("example.com")
+		cert2, err := cryptutil.GenerateCertificate(nil, "example.com")
 		require.NoError(t, err)
-		cert3, err := cryptutil.GenerateSelfSignedCertificate("not.example.com")
+		cert3, err := cryptutil.GenerateCertificate(nil, "not.example.com")
 		require.NoError(t, err)
 		settings := &config.Settings{
--- a/pkg/cryptutil/certificates.go
+++ b/pkg/cryptutil/certificates.go
@ -2,8 +2,6 @@ package cryptutil
 import (
 	"crypto/ecdsa"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
@ -12,10 +10,9 @@ import (
 	"errors"
 	"fmt"
 	"io"
 	"math/big"
 	"net"
 	"os"
-	"time"
+
 	"github.com/pomerium/pomerium/pkg/derivecert"
 )
 const (
@ -160,63 +157,24 @@ func EncodePrivateKey(key *ecdsa.PrivateKey) ([]byte, error) {
 	return pem.EncodeToMemory(keyBlock), nil
 }
-// GenerateSelfSignedCertificate generates a self-signed TLS certificate.
+// GenerateCertificate generates a TLS certificate derived from a shared key.
-//
+func GenerateCertificate(sharedKey []byte, domain string, configure ...func(*x509.Certificate)) (*tls.Certificate, error) {
-// mostly copied from https://golang.org/src/crypto/tls/generate_cert.go
+	ca, err := derivecert.NewCA(sharedKey)
 func GenerateSelfSignedCertificate(domain string, configure ...func(*x509.Certificate)) (*tls.Certificate, error) {
 	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
-		return nil, fmt.Errorf("failed to generate private key: %w", err)
+		return nil, fmt.Errorf("cryptutil: failed to generate certificate, error deriving CA: %w", err)
 	}
-	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	pem, err := ca.NewServerCert([]string{domain}, configure...)
 	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
 	if err != nil {
-		return nil, fmt.Errorf("failed to generate serial number: %w", err)
+		return nil, fmt.Errorf("cryptutil: failed to generate certificate, error creating server certificate: %w", err)
 	}
-	template := &x509.Certificate{
+	tlsCert, err := pem.TLS()
 		SerialNumber: serialNumber,
 		Subject: pkix.Name{
 			Organization: []string{"Pomerium"},
 		},
 		NotBefore:             time.Now().Add(-time.Minute * 10),
 		NotAfter:              time.Now().Add(time.Hour * 24 * 365),
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,
 	}
 	if ip := net.ParseIP(domain); ip != nil {
 		template.IPAddresses = append(template.IPAddresses, ip)
 	} else {
 		template.DNSNames = append(template.DNSNames, domain)
 	}
 	for _, f := range configure {
 		f(template)
 	}
 	publicKeyBytes, err := x509.CreateCertificate(rand.Reader,
 		template, template,
 		privateKey.Public(), privateKey,
 	)
 	if err != nil {
-		return nil, fmt.Errorf("failed to create certificate: %w", err)
+		return nil, fmt.Errorf("cryptutil: failed to generate certificate, error converting server certificate to TLS certificate: %w", err)
 	}
-	privateKeyBytes, err := x509.MarshalPKCS8PrivateKey(privateKey)
+	return &tlsCert, nil
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal private key: %w", err)
 	}
 	cert, err := tls.X509KeyPair(
 		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: publicKeyBytes}),
 		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privateKeyBytes}),
 	)
 	if err != nil {
 		return nil, fmt.Errorf("failed to convert x509 bytes into tls certificate: %w", err)
 	}
 	return &cert, nil
 }
 // EncodeCertificate encodes a TLS certificate into PEM compatible byte slices.
--- a/pkg/cryptutil/tls_test.go
+++ b/pkg/cryptutil/tls_test.go
@ -8,7 +8,7 @@ import (
 )
 func TestGetCertificateServerNames(t *testing.T) {
-	cert, err := GenerateSelfSignedCertificate("www.example.com")
+	cert, err := GenerateCertificate(nil, "www.example.com")
 	require.NoError(t, err)
 	assert.Equal(t, []string{"www.example.com"}, GetCertificateServerNames(cert))
 }
--- a/pkg/derivecert/ca.go
+++ b/pkg/derivecert/ca.go
@ -83,7 +83,7 @@ func CAFromPEM(p PEM) (*CA, string, error) {
 }
 // NewServerCert generates certificate for the given domain name(s)
-func (ca *CA) NewServerCert(domains []string) (*PEM, error) {
+func (ca *CA) NewServerCert(domains []string, configure ...func(*x509.Certificate)) (*PEM, error) {
 	key, err := deriveKey(newReader(readerTypeServerPrivateKey, ca.psk, domains...))
 	if err != nil {
 		return nil, fmt.Errorf("derive key: %w", err)
@ -93,6 +93,9 @@ func (ca *CA) NewServerCert(domains []string) (*PEM, error) {
 	if err != nil {
 		return nil, fmt.Errorf("cert template: %w", err)
 	}
 	for _, f := range configure {
 		f(tmpl)
 	}
 	cert, err := x509.CreateCertificate(
 		newReader(readerTypeServerCertificate, ca.psk, domains...),