introduce certopts (#9606)

* introduce cert opts * it should be using the same signer * lint and omit serial
hashicorp · Mar 22, 2021 · c2f5643 · c2f5643
1 parent 245591a
commit c2f5643
Show file tree

Hide file tree

Showing 7 changed files with 70 additions and 82 deletions.
diff --git a/agent/consul/server_test.go b/agent/consul/server_test.go
@@ -51,21 +51,14 @@ func testTLSCertificates(serverName string) (cert string, key string, cacert str
 		return "", "", "", err
 	}
 
-	serial, err := tlsutil.GenerateSerialNumber()
-	if err != nil {
-		return "", "", "", err
-	}
-
-	cert, privateKey, err := tlsutil.GenerateCert(
-		signer,
-		ca,
-		serial,
-		"Test Cert Name",
-		365,
-		[]string{serverName},
-		nil,
-		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
-	)
+	cert, privateKey, err := tlsutil.GenerateCert(tlsutil.CertOpts{
+		Signer:      signer,
+		CA:          ca,
+		Name:        "Test Cert Name",
+		Days:        365,
+		DNSNames:    []string{serverName},
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+	})
 	if err != nil {
 		return "", "", "", err
 	}

diff --git a/agent/pool/peek_test.go b/agent/pool/peek_test.go
@@ -201,22 +201,14 @@ func generateTestCert(serverName string) (cert tls.Certificate, caPEM []byte, er
 		return tls.Certificate{}, nil, err
 	}
 
-	// generate leaf
-	serial, err := tlsutil.GenerateSerialNumber()
-	if err != nil {
-		return tls.Certificate{}, nil, err
-	}
-
-	certificate, privateKey, err := tlsutil.GenerateCert(
-		signer,
-		ca,
-		serial,
-		"Test Cert Name",
-		365,
-		[]string{serverName},
-		nil,
-		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-	)
+	certificate, privateKey, err := tlsutil.GenerateCert(tlsutil.CertOpts{
+		Signer:      signer,
+		CA:          ca,
+		Name:        "Test Cert Name",
+		Days:        365,
+		DNSNames:    []string{serverName},
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+	})
 	if err != nil {
 		return tls.Certificate{}, nil, err
 	}

diff --git a/agent/routine-leak-checker/leak_test.go b/agent/routine-leak-checker/leak_test.go
@@ -15,32 +15,24 @@ import (
 )
 
 func testTLSCertificates(serverName string) (cert string, key string, cacert string, err error) {
-	ca, _, err := tlsutil.GenerateCA(tlsutil.CAOpts{})
-	if err != nil {
-		return "", "", "", err
-	}
-
-	// generate leaf
-	serial, err := tlsutil.GenerateSerialNumber()
+	signer, _, err := tlsutil.GeneratePrivateKey()
 	if err != nil {
 		return "", "", "", err
 	}
 
-	signer, _, err := tlsutil.GeneratePrivateKey()
+	ca, _, err := tlsutil.GenerateCA(tlsutil.CAOpts{Signer: signer})
 	if err != nil {
 		return "", "", "", err
 	}
 
-	cert, privateKey, err := tlsutil.GenerateCert(
-		signer,
-		ca,
-		serial,
-		"Test Cert Name",
-		365,
-		[]string{serverName},
-		nil,
-		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
-	)
+	cert, privateKey, err := tlsutil.GenerateCert(tlsutil.CertOpts{
+		Signer:      signer,
+		CA:          ca,
+		Name:        "Test Cert Name",
+		Days:        365,
+		DNSNames:    []string{serverName},
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+	})
 	if err != nil {
 		return "", "", "", err
 	}

diff --git a/agent/testagent.go b/agent/testagent.go
@@ -576,21 +576,14 @@ func testTLSCertificates(serverName string) (cert string, key string, cacert str
 		return "", "", "", err
 	}
 
-	serial, err := tlsutil.GenerateSerialNumber()
-	if err != nil {
-		return "", "", "", err
-	}
-
-	cert, privateKey, err := tlsutil.GenerateCert(
-		signer,
-		ca,
-		serial,
-		"Test Cert Name",
-		365,
-		[]string{serverName},
-		nil,
-		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
-	)
+	cert, privateKey, err := tlsutil.GenerateCert(tlsutil.CertOpts{
+		Signer:      signer,
+		CA:          ca,
+		Name:        "Test Cert Name",
+		Days:        365,
+		DNSNames:    []string{serverName},
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+	})
 	if err != nil {
 		return "", "", "", err
 	}

diff --git a/command/tls/cert/create/tls_cert_create.go b/command/tls/cert/create/tls_cert_create.go
@@ -176,13 +176,10 @@ func (c *cmd) Run(args []string) int {
 		return 1
 	}
 
-	sn, err := tlsutil.GenerateSerialNumber()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	pub, priv, err := tlsutil.GenerateCert(signer, string(cert), sn, name, c.days, DNSNames, IPAddresses, extKeyUsage)
+	pub, priv, err := tlsutil.GenerateCert(tlsutil.CertOpts{
+		Signer: signer, CA: string(cert), Name: name, Days: c.days,
+		DNSNames: DNSNames, IPAddresses: IPAddresses, ExtKeyUsage: extKeyUsage,
+	})
 	if err != nil {
 		c.UI.Error(err.Error())
 		return 1

diff --git a/tlsutil/generate.go b/tlsutil/generate.go
@@ -43,6 +43,17 @@ type CAOpts struct {
 	Name                string
 }
 
+type CertOpts struct {
+	Signer      crypto.Signer
+	CA          string
+	Serial      *big.Int
+	Name        string
+	Days        int
+	DNSNames    []string
+	IPAddresses []net.IP
+	ExtKeyUsage []x509.ExtKeyUsage
+}
+
 // GenerateCA generates a new CA for agent TLS (not to be confused with Connect TLS)
 func GenerateCA(opts CAOpts) (string, string, error) {
 	signer := opts.Signer
@@ -126,8 +137,8 @@ func GenerateCA(opts CAOpts) (string, string, error) {
 }
 
 // GenerateCert generates a new certificate for agent TLS (not to be confused with Connect TLS)
-func GenerateCert(signer crypto.Signer, ca string, sn *big.Int, name string, days int, DNSNames []string, IPAddresses []net.IP, extKeyUsage []x509.ExtKeyUsage) (string, string, error) {
-	parent, err := parseCert(ca)
+func GenerateCert(opts CertOpts) (string, string, error) {
+	parent, err := parseCert(opts.CA)
 	if err != nil {
 		return "", "", err
 	}
@@ -142,21 +153,30 @@ func GenerateCert(signer crypto.Signer, ca string, sn *big.Int, name string, day
 		return "", "", err
 	}
 
+	sn := opts.Serial
+	if sn == nil {
+		var err error
+		sn, err = GenerateSerialNumber()
+		if err != nil {
+			return "", "", err
+		}
+	}
+
 	template := x509.Certificate{
 		SerialNumber:          sn,
-		Subject:               pkix.Name{CommonName: name},
+		Subject:               pkix.Name{CommonName: opts.Name},
 		BasicConstraintsValid: true,
 		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
-		ExtKeyUsage:           extKeyUsage,
+		ExtKeyUsage:           opts.ExtKeyUsage,
 		IsCA:                  false,
-		NotAfter:              time.Now().AddDate(0, 0, days),
+		NotAfter:              time.Now().AddDate(0, 0, opts.Days),
 		NotBefore:             time.Now(),
 		SubjectKeyId:          id,
-		DNSNames:              DNSNames,
-		IPAddresses:           IPAddresses,
+		DNSNames:              opts.DNSNames,
+		IPAddresses:           opts.IPAddresses,
 	}
 
-	bs, err := x509.CreateCertificate(rand.Reader, &template, parent, signee.Public(), signer)
+	bs, err := x509.CreateCertificate(rand.Reader, &template, parent, signee.Public(), opts.Signer)
 	if err != nil {
 		return "", "", err
 	}

diff --git a/tlsutil/generate_test.go b/tlsutil/generate_test.go
@@ -98,13 +98,14 @@ func TestGenerateCert(t *testing.T) {
 	ca, _, err := GenerateCA(CAOpts{Signer: signer})
 	require.Nil(t, err)
 
-	sn, err := GenerateSerialNumber()
-	require.Nil(t, err)
 	DNSNames := []string{"server.dc1.consul"}
 	IPAddresses := []net.IP{net.ParseIP("123.234.243.213")}
 	extKeyUsage := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
 	name := "Cert Name"
-	certificate, pk, err := GenerateCert(signer, ca, sn, name, 365, DNSNames, IPAddresses, extKeyUsage)
+	certificate, pk, err := GenerateCert(CertOpts{
+		Signer: signer, CA: ca, Name: name, Days: 365,
+		DNSNames: DNSNames, IPAddresses: IPAddresses, ExtKeyUsage: extKeyUsage,
+	})
 	require.Nil(t, err)
 	require.NotEmpty(t, certificate)
 	require.NotEmpty(t, pk)