From a84c3dde49f0ecdd67019065dcdffc22acaa56c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20Th=C3=B6mmes?=
Date: Tue, 25 May 2021 08:37:52 +0200
Subject: [PATCH] Rollback certificate algorithm changes (#1281)
---
.../pkg/webhook/certificates/certificates.go | 4 ++--
.../webhook/certificates/resources/certs.go | 23 ++++++++-----------
.../webhook/certificates/resources/secret.go | 4 +---
3 files changed, 12 insertions(+), 19 deletions(-)
diff --git a/vendor/knative.dev/pkg/webhook/certificates/certificates.go b/vendor/knative.dev/pkg/webhook/certificates/certificates.go
index 5239279e526..95a9633b130 100644
--- a/vendor/knative.dev/pkg/webhook/certificates/certificates.go
+++ b/vendor/knative.dev/pkg/webhook/certificates/certificates.go
@@ -36,7 +36,7 @@ import (
const (
// Time used for updating a certificate before it expires.
- oneDay = 24 * time.Hour
+ oneWeek = 7 * 24 * time.Hour
)
type reconciler struct {
@@ -89,7 +89,7 @@ func (r *reconciler) reconcileCertificate(ctx context.Context) error {
certData, err := x509.ParseCertificate(cert.Certificate[0])
if err != nil {
logger.Errorw("Error parsing certificate", zap.Error(err))
- } else if time.Now().Add(oneDay).Before(certData.NotAfter) {
+ } else if time.Now().Add(oneWeek).Before(certData.NotAfter) {
return nil
}
}
diff --git a/vendor/knative.dev/pkg/webhook/certificates/resources/certs.go b/vendor/knative.dev/pkg/webhook/certificates/resources/certs.go
index c7ab8f6a3de..3b148646900 100644
--- a/vendor/knative.dev/pkg/webhook/certificates/resources/certs.go
+++ b/vendor/knative.dev/pkg/webhook/certificates/resources/certs.go
@@ -18,8 +18,8 @@ package resources
import (
"context"
- "crypto/ed25519"
"crypto/rand"
+ "crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
@@ -62,7 +62,7 @@ func createCertTemplate(name, namespace string, notAfter time.Time) (*x509.Certi
Organization: []string{organization},
CommonName: commonName,
},
- SignatureAlgorithm: x509.PureEd25519,
+ SignatureAlgorithm: x509.SHA256WithRSA,
NotBefore: time.Now(),
NotAfter: notAfter,
BasicConstraintsValid: true,
@@ -112,9 +112,9 @@ func createCert(template, parent *x509.Certificate, pub, parentPriv interface{})
return
}
-func createCA(ctx context.Context, name, namespace string, notAfter time.Time) (ed25519.PrivateKey, *x509.Certificate, []byte, error) {
+func createCA(ctx context.Context, name, namespace string, notAfter time.Time) (*rsa.PrivateKey, *x509.Certificate, []byte, error) {
logger := logging.FromContext(ctx)
- publicKey, privateKey, err := ed25519.GenerateKey(rand.Reader)
+ rootKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
logger.Errorw("error generating random key", zap.Error(err))
return nil, nil, nil, err
@@ -126,12 +126,12 @@ func createCA(ctx context.Context, name, namespace string, notAfter time.Time) (
return nil, nil, nil, err
}
- rootCert, rootCertPEM, err := createCert(rootCertTmpl, rootCertTmpl, publicKey, privateKey)
+ rootCert, rootCertPEM, err := createCert(rootCertTmpl, rootCertTmpl, &rootKey.PublicKey, rootKey)
if err != nil {
logger.Errorw("error signing the CA cert", zap.Error(err))
return nil, nil, nil, err
}
- return privateKey, rootCert, rootCertPEM, nil
+ return rootKey, rootCert, rootCertPEM, nil
}
// CreateCerts creates and returns a CA certificate and certificate and
@@ -148,7 +148,7 @@ func CreateCerts(ctx context.Context, name, namespace string, notAfter time.Time
}
// Then create the private key for the serving cert
- publicKey, privateKey, err := ed25519.GenerateKey(rand.Reader)
+ servKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
logger.Errorw("error generating random key", zap.Error(err))
return nil, nil, nil, err
@@ -160,18 +160,13 @@ func CreateCerts(ctx context.Context, name, namespace string, notAfter time.Time
}
// create a certificate which wraps the server's public key, sign it with the CA private key
- _, servCertPEM, err := createCert(servCertTemplate, caCertificate, publicKey, caKey)
+ _, servCertPEM, err := createCert(servCertTemplate, caCertificate, &servKey.PublicKey, caKey)
if err != nil {
logger.Errorw("error signing server certificate template", zap.Error(err))
return nil, nil, nil, err
}
- privKeyBytes, err := x509.MarshalPKCS8PrivateKey(privateKey)
- if err != nil {
- logger.Errorw("error marshaling private key", zap.Error(err))
- return nil, nil, nil, err
- }
servKeyPEM := pem.EncodeToMemory(&pem.Block{
- Type: "PRIVATE KEY", Bytes: privKeyBytes,
+ Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(servKey),
})
return servKeyPEM, servCertPEM, caCertificatePEM, nil
}
diff --git a/vendor/knative.dev/pkg/webhook/certificates/resources/secret.go b/vendor/knative.dev/pkg/webhook/certificates/resources/secret.go
index 6fad6629f14..48e57e87004 100644
--- a/vendor/knative.dev/pkg/webhook/certificates/resources/secret.go
+++ b/vendor/knative.dev/pkg/webhook/certificates/resources/secret.go
@@ -32,8 +32,6 @@ const (
// CACert is the name of the key associated with the certificate of the CA for
// the keypair.
CACert = "ca-cert.pem"
-
- oneWeek = 7 * 24 * time.Hour
)
// MakeSecret synthesizes a Kubernetes Secret object with the keys specified by
@@ -43,7 +41,7 @@ var MakeSecret = MakeSecretInternal
// MakeSecretInternal is only public so MakeSecret can be restored in testing. Use MakeSecret.
func MakeSecretInternal(ctx context.Context, name, namespace, serviceName string) (*corev1.Secret, error) {
- serverKey, serverCert, caCert, err := CreateCerts(ctx, serviceName, namespace, time.Now().Add(oneWeek))
+ serverKey, serverCert, caCert, err := CreateCerts(ctx, serviceName, namespace, time.Now().AddDate(1, 0, 0))
if err != nil {
return nil, err
}