Merge pull request #78 from knoppiks/multiple-ca-certs

dereknola · web-flow · commit e6585da47a9a · 2023-08-11T12:43:10.000-07:00
Allow multiple (intermediate) CA certs
diff --git a/factory/ca.go b/factory/ca.go
@@ -25,18 +25,28 @@ func GenCA() (*x509.Certificate, crypto.Signer, error) {
 	return caCert, caKey, nil
 }
 
+// Deprecated: Use LoadOrGenCAChain instead as it supports intermediate CAs
 func LoadOrGenCA() (*x509.Certificate, crypto.Signer, error) {
-	cert, key, err := loadCA()
+	chain, signer, err := LoadOrGenCAChain()
+	if err != nil {
+		return nil, nil, err
+	}
+	return chain[0], signer, err
+}
+
+func LoadOrGenCAChain() ([]*x509.Certificate, crypto.Signer, error) {
+	certs, key, err := loadCA()
 	if err == nil {
-		return cert, key, nil
+		return certs, key, nil
 	}
 
-	cert, key, err = GenCA()
+	cert, key, err := GenCA()
 	if err != nil {
 		return nil, nil, err
 	}
+	certs = []*x509.Certificate{cert}
 
-	certBytes, keyBytes, err := Marshal(cert, key)
+	certBytes, keyBytes, err := MarshalChain(key, certs...)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -53,14 +63,22 @@ func LoadOrGenCA() (*x509.Certificate, crypto.Signer, error) {
 		return nil, nil, err
 	}
 
-	return cert, key, nil
+	return certs, key, nil
 }
 
-func loadCA() (*x509.Certificate, crypto.Signer, error) {
-	return LoadCerts("./certs/ca.pem", "./certs/ca.key")
+func loadCA() ([]*x509.Certificate, crypto.Signer, error) {
+	return LoadCertsChain("./certs/ca.pem", "./certs/ca.key")
 }
 
 func LoadCA(caPem, caKey []byte) (*x509.Certificate, crypto.Signer, error) {
+	chain, signer, err := LoadCAChain(caPem, caKey)
+	if err != nil {
+		return nil, nil, err
+	}
+	return chain[0], signer, nil
+}
+
+func LoadCAChain(caPem, caKey []byte) ([]*x509.Certificate, crypto.Signer, error) {
 	key, err := cert.ParsePrivateKeyPEM(caKey)
 	if err != nil {
 		return nil, nil, err
@@ -70,15 +88,24 @@ func LoadCA(caPem, caKey []byte) (*x509.Certificate, crypto.Signer, error) {
 		return nil, nil, fmt.Errorf("key is not a crypto.Signer")
 	}
 
-	cert, err := ParseCertPEM(caPem)
+	certs, err := cert.ParseCertsPEM(caPem)
 	if err != nil {
 		return nil, nil, err
 	}
 
-	return cert, signer, nil
+	return certs, signer, nil
 }
 
+// Deprecated: Use LoadCertsChain instead as it supports intermediate CAs
 func LoadCerts(certFile, keyFile string) (*x509.Certificate, crypto.Signer, error) {
+	chain, signer, err := LoadCertsChain(certFile, keyFile)
+	if err != nil {
+		return nil, nil, err
+	}
+	return chain[0], signer, err
+}
+
+func LoadCertsChain(certFile, keyFile string) ([]*x509.Certificate, crypto.Signer, error) {
 	caPem, err := ioutil.ReadFile(certFile)
 	if err != nil {
 		return nil, nil, err
@@ -88,5 +115,5 @@ func LoadCerts(certFile, keyFile string) (*x509.Certificate, crypto.Signer, erro
 		return nil, nil, err
 	}
 
-	return LoadCA(caPem, caKey)
+	return LoadCAChain(caPem, caKey)
 }
diff --git a/factory/gen.go b/factory/gen.go
@@ -33,7 +33,7 @@ var (
 )
 
 type TLS struct {
-	CACert              *x509.Certificate
+	CACert              []*x509.Certificate
 	CAKey               crypto.Signer
 	CN                  string
 	Organization        []string
@@ -178,7 +178,7 @@ func (t *TLS) generateCert(secret *v1.Secret, cn ...string) (*v1.Secret, bool, e
 		return nil, false, err
 	}
 
-	keyBytes, certBytes, err := MarshalChain(privateKey, newCert, t.CACert)
+	keyBytes, certBytes, err := MarshalChain(privateKey, append([]*x509.Certificate{newCert}, t.CACert...)...)
 	if err != nil {
 		return nil, false, err
 	}
@@ -226,14 +226,16 @@ func (t *TLS) Verify(secret *v1.Secret) error {
 			x509.ExtKeyUsageAny,
 		},
 	}
-	verifyOpts.Roots.AddCert(t.CACert)
+	for _, c := range t.CACert {
+		verifyOpts.Roots.AddCert(c)
+	}
 
 	_, err = certificates[0].Verify(verifyOpts)
 	return err
 }
 
 func (t *TLS) newCert(domains []string, ips []net.IP, privateKey crypto.Signer) (*x509.Certificate, error) {
-	return NewSignedCert(privateKey, t.CACert, t.CAKey, t.CN, t.Organization, domains, ips)
+	return NewSignedCert(privateKey, t.CACert[0], t.CAKey, t.CN, t.Organization, domains, ips)
 }
 
 func populateCN(secret *v1.Secret, cn ...string) *v1.Secret {
diff --git a/listener.go b/listener.go
@@ -34,7 +34,12 @@ type SetFactory interface {
 	SetFactory(tls TLSFactory)
 }
 
+// Deprecated: Use NewListenerWithChain instead as it supports intermediate CAs
 func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, caKey crypto.Signer, config Config) (net.Listener, http.Handler, error) {
+	return NewListenerWithChain(l, storage, []*x509.Certificate{caCert}, caKey, config)
+}
+
+func NewListenerWithChain(l net.Listener, storage TLSStorage, caCert []*x509.Certificate, caKey crypto.Signer, config Config) (net.Listener, http.Handler, error) {
 	if config.CN == "" {
 		config.CN = "dynamic"
 	}
diff --git a/server/server.go b/server/server.go
@@ -21,6 +21,8 @@ import (
 )
 
 type ListenOpts struct {
+	CAChain []*x509.Certificate
+	// Deprecated: Use CAChain instead
 	CA                *x509.Certificate
 	CAKey             crypto.Signer
 	Storage           dynamiclistener.TLSStorage
@@ -132,21 +134,25 @@ func getTLSListener(ctx context.Context, tcp net.Listener, handler http.Handler,
 		return nil, nil, err
 	}
 
-	listener, dynHandler, err := dynamiclistener.NewListener(tcp, storage, caCert, caKey, opts.TLSListenerConfig)
+	listener, dynHandler, err := dynamiclistener.NewListener2(tcp, storage, caCert, caKey, opts.TLSListenerConfig)
 	if err != nil {
 		return nil, nil, err
 	}
 
 	return listener, wrapHandler(dynHandler, handler), nil
 }
 
-func getCA(opts ListenOpts) (*x509.Certificate, crypto.Signer, error) {
-	if opts.CA != nil && opts.CAKey != nil {
-		return opts.CA, opts.CAKey, nil
+func getCA(opts ListenOpts) ([]*x509.Certificate, crypto.Signer, error) {
+	if opts.CAKey != nil {
+		if opts.CAChain != nil {
+			return opts.CAChain, opts.CAKey, nil
+		} else if opts.CA != nil {
+			return []*x509.Certificate{opts.CA}, opts.CAKey, nil
+		}
 	}
 
 	if opts.Secrets == nil {
-		return factory.LoadOrGenCA()
+		return factory.LoadOrGenCAChain()
 	}
 
 	if opts.CAName == "" {
@@ -161,7 +167,7 @@ func getCA(opts ListenOpts) (*x509.Certificate, crypto.Signer, error) {
 		opts.CANamespace = "kube-system"
 	}
 
-	return kubernetes.LoadOrGenCA(opts.Secrets, opts.CANamespace, opts.CAName)
+	return kubernetes.LoadOrGenCAChain(opts.Secrets, opts.CANamespace, opts.CAName)
 }
 
 func newStorage(ctx context.Context, opts ListenOpts) dynamiclistener.TLSStorage {
diff --git a/storage/kubernetes/ca.go b/storage/kubernetes/ca.go
@@ -11,12 +11,21 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+// Deprecated: Use LoadOrGenCAChain instead as it supports intermediate CAs
 func LoadOrGenCA(secrets v1controller.SecretClient, namespace, name string) (*x509.Certificate, crypto.Signer, error) {
+	chain, signer, err := LoadOrGenCAChain(secrets, namespace, name)
+	if err != nil {
+		return nil, nil, err
+	}
+	return chain[0], signer, err
+}
+
+func LoadOrGenCAChain(secrets v1controller.SecretClient, namespace, name string) ([]*x509.Certificate, crypto.Signer, error) {
 	secret, err := getSecret(secrets, namespace, name)
 	if err != nil {
 		return nil, nil, err
 	}
-	return factory.LoadCA(secret.Data[v1.TLSCertKey], secret.Data[v1.TLSPrivateKeyKey])
+	return factory.LoadCAChain(secret.Data[v1.TLSCertKey], secret.Data[v1.TLSPrivateKeyKey])
 }
 
 func LoadOrGenClient(secrets v1controller.SecretClient, namespace, name, cn string, ca *x509.Certificate, key crypto.Signer) (*x509.Certificate, crypto.Signer, error) {

Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ var (`
`33`	`33`	`)`
`34`	`34`
`35`	`35`	`type TLS struct {`
`36`		`- CACert *x509.Certificate`
	`36`	`+ CACert []*x509.Certificate`
`37`	`37`	`CAKey crypto.Signer`
`38`	`38`	`CN string`
`39`	`39`	`Organization []string`
`@@ -178,7 +178,7 @@ func (t TLS) generateCert(secret v1.Secret, cn ...string) (*v1.Secret, bool, e`
`178`	`178`	`return nil, false, err`
`179`	`179`	`}`
`180`	`180`
`181`		`- keyBytes, certBytes, err := MarshalChain(privateKey, newCert, t.CACert)`
	`181`	`+ keyBytes, certBytes, err := MarshalChain(privateKey, append([]*x509.Certificate{newCert}, t.CACert...)...)`
`182`	`182`	`if err != nil {`
`183`	`183`	`return nil, false, err`
`184`	`184`	`}`
`@@ -226,14 +226,16 @@ func (t TLS) Verify(secret v1.Secret) error {`
`226`	`226`	`x509.ExtKeyUsageAny,`
`227`	`227`	`},`
`228`	`228`	`}`
`229`		`- verifyOpts.Roots.AddCert(t.CACert)`
	`229`	`+ for _, c := range t.CACert {`
	`230`	`+ verifyOpts.Roots.AddCert(c)`
	`231`	`+ }`
`230`	`232`
`231`	`233`	`_, err = certificates[0].Verify(verifyOpts)`
`232`	`234`	`return err`
`233`	`235`	`}`
`234`	`236`
`235`	`237`	`func (t TLS) newCert(domains []string, ips []net.IP, privateKey crypto.Signer) (x509.Certificate, error) {`
`236`		`- return NewSignedCert(privateKey, t.CACert, t.CAKey, t.CN, t.Organization, domains, ips)`
	`238`	`+ return NewSignedCert(privateKey, t.CACert[0], t.CAKey, t.CN, t.Organization, domains, ips)`
`237`	`239`	`}`
`238`	`240`
`239`	`241`	`func populateCN(secret v1.Secret, cn ...string) v1.Secret {`
Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,12 @@ type SetFactory interface {`
`34`	`34`	`SetFactory(tls TLSFactory)`
`35`	`35`	`}`
`36`	`36`
	`37`	`+// Deprecated: Use NewListenerWithChain instead as it supports intermediate CAs`
`37`	`38`	`func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, caKey crypto.Signer, config Config) (net.Listener, http.Handler, error) {`
	`39`	`+ return NewListenerWithChain(l, storage, []*x509.Certificate{caCert}, caKey, config)`
	`40`	`+}`
	`41`	`+`
	`42`	`+func NewListenerWithChain(l net.Listener, storage TLSStorage, caCert []*x509.Certificate, caKey crypto.Signer, config Config) (net.Listener, http.Handler, error) {`
`38`	`43`	`if config.CN == "" {`
`39`	`44`	`config.CN = "dynamic"`
`40`	`45`	`}`
Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,8 @@ import (`
`21`	`21`	`)`
`22`	`22`
`23`	`23`	`type ListenOpts struct {`
	`24`	`+ CAChain []*x509.Certificate`
	`25`	`+ // Deprecated: Use CAChain instead`
`24`	`26`	`CA *x509.Certificate`
`25`	`27`	`CAKey crypto.Signer`
`26`	`28`	`Storage dynamiclistener.TLSStorage`
`@@ -132,21 +134,25 @@ func getTLSListener(ctx context.Context, tcp net.Listener, handler http.Handler,`
`132`	`134`	`return nil, nil, err`
`133`	`135`	`}`
`134`	`136`
`135`		`- listener, dynHandler, err := dynamiclistener.NewListener(tcp, storage, caCert, caKey, opts.TLSListenerConfig)`
	`137`	`+ listener, dynHandler, err := dynamiclistener.NewListener2(tcp, storage, caCert, caKey, opts.TLSListenerConfig)`
`136`	`138`	`if err != nil {`
`137`	`139`	`return nil, nil, err`
`138`	`140`	`}`
`139`	`141`
`140`	`142`	`return listener, wrapHandler(dynHandler, handler), nil`
`141`	`143`	`}`
`142`	`144`
`143`		`-func getCA(opts ListenOpts) (*x509.Certificate, crypto.Signer, error) {`
`144`		`- if opts.CA != nil && opts.CAKey != nil {`
`145`		`- return opts.CA, opts.CAKey, nil`
	`145`	`+func getCA(opts ListenOpts) ([]*x509.Certificate, crypto.Signer, error) {`
	`146`	`+ if opts.CAKey != nil {`
	`147`	`+ if opts.CAChain != nil {`
	`148`	`+ return opts.CAChain, opts.CAKey, nil`
	`149`	`+ } else if opts.CA != nil {`
	`150`	`+ return []*x509.Certificate{opts.CA}, opts.CAKey, nil`
	`151`	`+ }`
`146`	`152`	`}`
`147`	`153`
`148`	`154`	`if opts.Secrets == nil {`
`149`		`- return factory.LoadOrGenCA()`
	`155`	`+ return factory.LoadOrGenCAChain()`
`150`	`156`	`}`
`151`	`157`
`152`	`158`	`if opts.CAName == "" {`
`@@ -161,7 +167,7 @@ func getCA(opts ListenOpts) (*x509.Certificate, crypto.Signer, error) {`
`161`	`167`	`opts.CANamespace = "kube-system"`
`162`	`168`	`}`
`163`	`169`
`164`		`- return kubernetes.LoadOrGenCA(opts.Secrets, opts.CANamespace, opts.CAName)`
	`170`	`+ return kubernetes.LoadOrGenCAChain(opts.Secrets, opts.CANamespace, opts.CAName)`
`165`	`171`	`}`
`166`	`172`
`167`	`173`	`func newStorage(ctx context.Context, opts ListenOpts) dynamiclistener.TLSStorage {`