
certutil: add functional options #240

Merged (2 commits), Oct 16, 2024

Conversation

AndersonQ
Member

What does this PR do?

Add functional options to NewRootCA and GenerateChildCert to allow setting a prefix for the CN and multiple DNS names.

Also, it fixes GenerateChildCert generating an RSA instead of an EC certificate.

Why is it important?

  • set CN prefix: when generating and using multiple certificates, such as to configure mTLS, it's hard to debug any issue if all certificates have the same CN
  • add multiple DNS names: when trying to simulate a real situation, it might require a certificate to have multiple DNS names

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • [ ] I have added tests that prove my fix is effective or that my feature works

Author's Checklist

@AndersonQ AndersonQ added the Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team label Oct 16, 2024
@AndersonQ AndersonQ self-assigned this Oct 16, 2024
@AndersonQ AndersonQ requested a review from a team as a code owner October 16, 2024 09:02
@AndersonQ AndersonQ requested review from belimawr and rdner and removed request for a team October 16, 2024 09:02
add functional options to New*RootCA and Generate*ChildCert to allow setting a prefix for the CN and multiple DNS names
@AndersonQ AndersonQ force-pushed the certutil-add-opts-func branch from 1656938 to cdacf83 Compare October 16, 2024 09:24
func GenerateChildCert(name string, ips []net.IP, caPrivKey crypto.PrivateKey, caCert *x509.Certificate, opts ...Option) (*tls.Certificate, Pair, error) {
priv, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
if err != nil {
return nil, Pair{}, fmt.Errorf("could not create RSA private key: %w", err)
Contributor:

You're calling ecdsa.GenerateKey, it looks like a typo in the error message:

Suggested change
return nil, Pair{}, fmt.Errorf("could not create RSA private key: %w", err)
return nil, Pair{}, fmt.Errorf("could not create ECDSA private key: %w", err)

opts...)
if err != nil {
return nil, Pair{}, fmt.Errorf(
"could not generate child TLS certificate CA: %w", err)
Contributor:

Why is the 'CA' at the end of this error message? I believe "could not generate child TLS certificate: %w" would be enough.

Suggested change
"could not generate child TLS certificate CA: %w", err)
"could not generate child TLS certificate: %w", err)

testing/certutil/certutil.go (review thread resolved)
@AndersonQ AndersonQ requested a review from belimawr October 16, 2024 13:01
@elasticmachine (Collaborator):

💚 Build Succeeded


cc @AndersonQ

@AndersonQ AndersonQ merged commit 0e8760f into main Oct 16, 2024
6 checks passed
@AndersonQ AndersonQ deleted the certutil-add-opts-func branch October 16, 2024 14:31
AndersonQ added a commit to AndersonQ/elastic-agent-libs that referenced this pull request Oct 23, 2024
add functional options to New*RootCA and Generate*ChildCert to allow setting a prefix for the CN and multiple DNS names