mirror of
https://github.com/optim-enterprises-bv/kubernetes.git
synced 2025-10-31 18:28:13 +00:00
update serial number to a valid non-zero number in ca certificate (#117791)
* update serial number to a valid non-zero number in ca certificate * fix the existing problem (0 SerialNumber in all certificate) as part of this PR in a separate commit
This commit is contained in:
Min Ni
@@ -631,10 +631,12 @@ func GeneratePrivateKey(keyType x509.PublicKeyAlgorithm) (crypto.Signer, error)
|
|||||||
|
|
||||||
// NewSignedCert creates a signed certificate using the given CA certificate and key
|
// NewSignedCert creates a signed certificate using the given CA certificate and key
|
||||||
func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, isCA bool) (*x509.Certificate, error) {
|
func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer, isCA bool) (*x509.Certificate, error) {
|
||||||
serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
|
// returns a uniform random value in [0, max-1), then add 1 to serial to make it a uniform random value in [1, max).
|
||||||
|
serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
serial = new(big.Int).Add(serial, big.NewInt(1))
|
||||||
if len(cfg.CommonName) == 0 {
|
if len(cfg.CommonName) == 0 {
|
||||||
return nil, errors.New("must specify a CommonName")
|
return nil, errors.New("must specify a CommonName")
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -25,6 +25,7 @@ import (
|
|||||||
"crypto/x509/pkix"
|
"crypto/x509/pkix"
|
||||||
"encoding/pem"
|
"encoding/pem"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"math"
|
||||||
"math/big"
|
"math/big"
|
||||||
"net"
|
"net"
|
||||||
"os"
|
"os"
|
||||||
@@ -57,8 +58,14 @@ type AltNames struct {
|
|||||||
// NewSelfSignedCACert creates a CA certificate
|
// NewSelfSignedCACert creates a CA certificate
|
||||||
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
|
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
|
||||||
now := time.Now()
|
now := time.Now()
|
||||||
|
// returns a uniform random value in [0, max-1), then add 1 to serial to make it a uniform random value in [1, max).
|
||||||
|
serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
serial = new(big.Int).Add(serial, big.NewInt(1))
|
||||||
tmpl := x509.Certificate{
|
tmpl := x509.Certificate{
|
||||||
SerialNumber: new(big.Int).SetInt64(0),
|
SerialNumber: serial,
|
||||||
Subject: pkix.Name{
|
Subject: pkix.Name{
|
||||||
CommonName: cfg.CommonName,
|
CommonName: cfg.CommonName,
|
||||||
Organization: cfg.Organization,
|
Organization: cfg.Organization,
|
||||||
@@ -116,9 +123,14 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, err
|
return nil, nil, err
|
||||||
}
|
}
|
||||||
|
// returns a uniform random value in [0, max-1), then add 1 to serial to make it a uniform random value in [1, max).
|
||||||
|
serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
serial = new(big.Int).Add(serial, big.NewInt(1))
|
||||||
caTemplate := x509.Certificate{
|
caTemplate := x509.Certificate{
|
||||||
SerialNumber: big.NewInt(1),
|
SerialNumber: serial,
|
||||||
Subject: pkix.Name{
|
Subject: pkix.Name{
|
||||||
CommonName: fmt.Sprintf("%s-ca@%d", host, time.Now().Unix()),
|
CommonName: fmt.Sprintf("%s-ca@%d", host, time.Now().Unix()),
|
||||||
},
|
},
|
||||||
@@ -144,9 +156,14 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, err
|
return nil, nil, err
|
||||||
}
|
}
|
||||||
|
// returns a uniform random value in [0, max-1), then add 1 to serial to make it a uniform random value in [1, max).
|
||||||
|
serial, err = cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
serial = new(big.Int).Add(serial, big.NewInt(1))
|
||||||
template := x509.Certificate{
|
template := x509.Certificate{
|
||||||
SerialNumber: big.NewInt(2),
|
SerialNumber: serial,
|
||||||
Subject: pkix.Name{
|
Subject: pkix.Name{
|
||||||
CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()),
|
CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()),
|
||||||
},
|
},
|
||||||
|
|||||||
@@ -346,11 +346,12 @@ func generateClientCert(t *testing.T) testCerts {
|
|||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
|
// returns a uniform random value in [0, max-1), then add 1 to serial to make it a uniform random value in [1, max).
|
||||||
|
serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
|
serial = new(big.Int).Add(serial, big.NewInt(1))
|
||||||
certTmpl := x509.Certificate{
|
certTmpl := x509.Certificate{
|
||||||
Subject: pkix.Name{
|
Subject: pkix.Name{
|
||||||
CommonName: "the-api-server-user",
|
CommonName: "the-api-server-user",
|
||||||
|
|||||||
@@ -183,10 +183,12 @@ func writeCerts(t *testing.T, clientSigningCert *x509.Certificate, clientSigning
|
|||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
|
// returns a uniform random value in [0, max-1), then add 1 to serial to make it a uniform random value in [1, max).
|
||||||
|
serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
|
serial = new(big.Int).Add(serial, big.NewInt(1))
|
||||||
|
|
||||||
certTmpl := x509.Certificate{
|
certTmpl := x509.Certificate{
|
||||||
Subject: pkix.Name{
|
Subject: pkix.Name{
|
||||||
|
|||||||
@@ -53,10 +53,12 @@ func EncodeCertPEM(cert *x509.Certificate) []byte {
|
|||||||
|
|
||||||
// NewSignedCert creates a signed certificate using the given CA certificate and key
|
// NewSignedCert creates a signed certificate using the given CA certificate and key
|
||||||
func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
|
func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
|
||||||
serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
|
// returns a uniform random value in [0, max-1), then add 1 to serial to make it a uniform random value in [1, max).
|
||||||
|
serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64-1))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
serial = new(big.Int).Add(serial, big.NewInt(1))
|
||||||
if len(cfg.CommonName) == 0 {
|
if len(cfg.CommonName) == 0 {
|
||||||
return nil, fmt.Errorf("must specify a CommonName")
|
return nil, fmt.Errorf("must specify a CommonName")
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user