openshift · openshift-merge-robot · May 25, 2021 · May 25, 2021
diff --git a/vendor/knative.dev/pkg/webhook/certificates/certificates.go b/vendor/knative.dev/pkg/webhook/certificates/certificates.go
@@ -36,7 +36,7 @@ import (
 
 const (
  // Time used for updating a certificate before it expires.
- oneDay = 24 * time.Hour
+ oneWeek = 7 * 24 * time.Hour
 )
 
 type reconciler struct {
@@ -89,7 +89,7 @@ func (r *reconciler) reconcileCertificate(ctx context.Context) error {
  certData, err := x509.ParseCertificate(cert.Certificate[0])
  if err != nil {
  logger.Errorw("Error parsing certificate", zap.Error(err))
- } else if time.Now().Add(oneDay).Before(certData.NotAfter) {
+ } else if time.Now().Add(oneWeek).Before(certData.NotAfter) {
  return nil
  }
  }

diff --git a/vendor/knative.dev/pkg/webhook/certificates/resources/certs.go b/vendor/knative.dev/pkg/webhook/certificates/resources/certs.go
@@ -18,8 +18,8 @@ package resources
 
 import (
  "context"
- "crypto/ed25519"
  "crypto/rand"
+ "crypto/rsa"
  "crypto/x509"
  "crypto/x509/pkix"
  "encoding/pem"
@@ -62,7 +62,7 @@ func createCertTemplate(name, namespace string, notAfter time.Time) (*x509.Certi
  Organization: []string{organization},
  CommonName: commonName,
  },
- SignatureAlgorithm: x509.PureEd25519,
+ SignatureAlgorithm: x509.SHA256WithRSA,
  NotBefore: time.Now(),
  NotAfter: notAfter,
  BasicConstraintsValid: true,
@@ -112,9 +112,9 @@ func createCert(template, parent *x509.Certificate, pub, parentPriv interface{})
  return
 }
 
-func createCA(ctx context.Context, name, namespace string, notAfter time.Time) (ed25519.PrivateKey, *x509.Certificate, []byte, error) {
+func createCA(ctx context.Context, name, namespace string, notAfter time.Time) (*rsa.PrivateKey, *x509.Certificate, []byte, error) {
  logger := logging.FromContext(ctx)
- publicKey, privateKey, err := ed25519.GenerateKey(rand.Reader)
+ rootKey, err := rsa.GenerateKey(rand.Reader, 2048)
  if err != nil {
  logger.Errorw("error generating random key", zap.Error(err))
  return nil, nil, nil, err
@@ -126,12 +126,12 @@ func createCA(ctx context.Context, name, namespace string, notAfter time.Time) (
  return nil, nil, nil, err
  }
 
- rootCert, rootCertPEM, err := createCert(rootCertTmpl, rootCertTmpl, publicKey, privateKey)
+ rootCert, rootCertPEM, err := createCert(rootCertTmpl, rootCertTmpl, &rootKey.PublicKey, rootKey)
  if err != nil {
  logger.Errorw("error signing the CA cert", zap.Error(err))
  return nil, nil, nil, err
  }
- return privateKey, rootCert, rootCertPEM, nil
+ return rootKey, rootCert, rootCertPEM, nil
 }
 
 // CreateCerts creates and returns a CA certificate and certificate and
@@ -148,7 +148,7 @@ func CreateCerts(ctx context.Context, name, namespace string, notAfter time.Time
  }
 
  // Then create the private key for the serving cert
- publicKey, privateKey, err := ed25519.GenerateKey(rand.Reader)
+ servKey, err := rsa.GenerateKey(rand.Reader, 2048)
  if err != nil {
  logger.Errorw("error generating random key", zap.Error(err))
  return nil, nil, nil, err
@@ -160,18 +160,13 @@ func CreateCerts(ctx context.Context, name, namespace string, notAfter time.Time
  }
 
  // create a certificate which wraps the server's public key, sign it with the CA private key
- _, servCertPEM, err := createCert(servCertTemplate, caCertificate, publicKey, caKey)
+ _, servCertPEM, err := createCert(servCertTemplate, caCertificate, &servKey.PublicKey, caKey)
  if err != nil {
  logger.Errorw("error signing server certificate template", zap.Error(err))
  return nil, nil, nil, err
  }
- privKeyBytes, err := x509.MarshalPKCS8PrivateKey(privateKey)
- if err != nil {
- logger.Errorw("error marshaling private key", zap.Error(err))
- return nil, nil, nil, err
- }
  servKeyPEM := pem.EncodeToMemory(&pem.Block{
- Type: "PRIVATE KEY", Bytes: privKeyBytes,
+ Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(servKey),
  })
  return servKeyPEM, servCertPEM, caCertificatePEM, nil
 }
diff --git a/vendor/knative.dev/pkg/webhook/certificates/resources/secret.go b/vendor/knative.dev/pkg/webhook/certificates/resources/secret.go
@@ -32,8 +32,6 @@ const (
  // CACert is the name of the key associated with the certificate of the CA for
  // the keypair.
  CACert = "ca-cert.pem"
-
- oneWeek = 7 * 24 * time.Hour
 )
 
 // MakeSecret synthesizes a Kubernetes Secret object with the keys specified by
@@ -43,7 +41,7 @@ var MakeSecret = MakeSecretInternal
 
 // MakeSecretInternal is only public so MakeSecret can be restored in testing. Use MakeSecret.
 func MakeSecretInternal(ctx context.Context, name, namespace, serviceName string) (*corev1.Secret, error) {
- serverKey, serverCert, caCert, err := CreateCerts(ctx, serviceName, namespace, time.Now().Add(oneWeek))
+ serverKey, serverCert, caCert, err := CreateCerts(ctx, serviceName, namespace, time.Now().AddDate(1, 0, 0))
  if err != nil {
  return nil, err
  }