security/tools/generate_cert/main.go - dubbo-go-pixiu - Git at Google

 // Copyright Istio Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 // Provide a tool to generate X.509 certificate with different options.

 package main

 import (
 	"crypto"
 	"crypto/x509"
 	"encoding/json"
 	"flag"
 	"fmt"
 	"log"
 	"os"
 	"os/exec"
 	"time"
 )

 import (
 	k8s "k8s.io/api/core/v1"
 )

 import (
 	"github.com/apache/dubbo-go-pixiu/security/pkg/pki/ca"
 	"github.com/apache/dubbo-go-pixiu/security/pkg/pki/util"
 )

 const (
 	// Layout for parsing time
 	timeLayout = "Jan 2 15:04:05 2006"

 	// modes supported by this tool.
 	selfSignedMode = "self-signed"
 	signerMode     = "signer"
 	citadelMode    = "citadel"
 )

 var (
 	host           = flag.String("host", "", "Comma-separated hostnames and IPs to generate a certificate for.")
 	validFrom      = flag.String("start-date", "", "Creation date in format of "+timeLayout)
 	validFor       = flag.Duration("duration", 10*365*24*time.Hour, "Duration that certificate is valid for.")
 	isCA           = flag.Bool("ca", false, "Whether this cert should be a Certificate Authority.")
 	signerCertFile = flag.String("signer-cert", "", "Signer certificate file (PEM encoded).")
 	signerPrivFile = flag.String("signer-priv", "", "Signer private key file (PEM encoded).")
 	isClient       = flag.Bool("client", false, "Whether this certificate is for a client.")
 	org            = flag.String("organization", "Juju org", "Organization for the cert.")
 	outCert        = flag.String("out-cert", "cert.pem", "Output certificate file.")
 	outPriv        = flag.String("out-priv", "priv.pem", "Output private key file.")
 	keySize        = flag.Int("key-size", 2048, "Size of the generated private key")
 	mode           = flag.String("mode", selfSignedMode, "Supported mode: self-signed, signer, citadel")
 	// Enable this flag if istio mTLS is enabled and the service is running as server side
 	isServer  = flag.Bool("server", false, "Whether this certificate is for a server.")
 	ec        = flag.String("ec-sig-alg", "", "Generate an elliptical curve private key with the specified algorithm")
 	sanFields = flag.String("san", "", "Subject Alternative Names")
 )

 func checkCmdLine() {
 	flag.Parse()

 	hasCert, hasPriv := len(*signerCertFile) != 0, len(*signerPrivFile) != 0
 	switch *mode {
 	case selfSignedMode:
 		if hasCert || hasPriv {
 			log.Fatalf("--mode=%v is incompatible with --signer-cert or --signer-priv.", selfSignedMode)
 		}
 	case signerMode:
 		if !hasCert || !hasPriv {
 			log.Fatalf("Need --signer-cert and --signer-priv for --mode=%v.", signerMode)
 		}
 	case citadelMode:
 		if hasCert || hasPriv {
 			log.Fatalf("--mode=%v is incompatible with --signer-cert or --signer-priv.", citadelMode)
 		}
 	default:
 		log.Fatalf("Unsupported mode %v", *mode)
 	}
 }

 func saveCreds(certPem []byte, privPem []byte) {
 	err := os.WriteFile(*outCert, certPem, 0o644)
 	if err != nil {
 		log.Fatalf("Could not write output certificate: %s.", err)
 	}

 	err = os.WriteFile(*outPriv, privPem, 0o600)
 	if err != nil {
 		log.Fatalf("Could not write output private key: %s.", err)
 	}
 }

 func signCertFromCitadel() (*x509.Certificate, crypto.PrivateKey) {
 	args := []string{"get", "secret", "-n", "dubbo-system", "istio-ca-secret", "-o", "json"}
 	cmd := exec.Command("kubectl", args...)
 	out, err := cmd.CombinedOutput()
 	if err != nil {
 		log.Fatalf("Command failed error: %v\n, output\n%v\n", err, string(out))
 	}

 	var secret k8s.Secret
 	err = json.Unmarshal(out, &secret)
 	if err != nil {
 		log.Fatalf("Unmarshal secret error: %v", err)
 	}
 	key, err := util.ParsePemEncodedKey(secret.Data[ca.CAPrivateKeyFile])
 	if err != nil {
 		log.Fatalf("Unrecognized key format from citadel %v", err)
 	}
 	cert, err := util.ParsePemEncodedCertificate(secret.Data[ca.CACertFile])
 	if err != nil {
 		log.Fatalf("Unrecognized cert format from citadel %v", err)
 	}
 	return cert, key
 }

 func main() {
 	checkCmdLine()

 	var signerCert *x509.Certificate
 	var signerPriv crypto.PrivateKey
 	var err error
 	switch *mode {
 	case selfSignedMode:
 	case signerMode:
 		signerCert, signerPriv, err = util.LoadSignerCredsFromFiles(*signerCertFile, *signerPrivFile)
 		if err != nil {
 			log.Fatalf("Failed to load signer key cert from file: %v\n", err)
 		}
 	case citadelMode:
 		signerCert, signerPriv = signCertFromCitadel()
 	default:
 		log.Fatalf("Unsupported mode %v", *mode)
 	}

 	opts := util.CertOptions{
 		Host:         *host,
 		NotBefore:    getNotBefore(),
 		TTL:          *validFor,
 		SignerCert:   signerCert,
 		SignerPriv:   signerPriv,
 		Org:          *org,
 		IsCA:         *isCA,
 		IsSelfSigned: *mode == selfSignedMode,
 		IsClient:     *isClient,
 		RSAKeySize:   *keySize,
 		IsServer:     *isServer,
 		ECSigAlg:     util.SupportedECSignatureAlgorithms(*ec),
 		DNSNames:     *sanFields,
 	}
 	certPem, privPem, err := util.GenCertKeyFromOptions(opts)
 	if err != nil {
 		log.Fatalf("Failed to generate certificate: %v\n", err)
 	}

 	saveCreds(certPem, privPem)
 	fmt.Printf("Certificate and private files successfully saved in %s and %s\n", *outCert, *outPriv)
 }

 func getNotBefore() time.Time {
 	if *validFrom == "" {
 		return time.Now()
 	}

 	t, err := time.Parse(timeLayout, *validFrom)
 	if err != nil {
 		log.Fatalf("Failed to parse the '-start-from' option as a time (error: %s)\n", err)
 	}

 	return t
 }
	// Copyright Istio Authors
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	// Provide a tool to generate X.509 certificate with different options.

	package main

	import (
	"crypto"
	"crypto/x509"
	"encoding/json"
	"flag"
	"fmt"
	"log"
	"os"
	"os/exec"
	"time"
	)

	import (
	k8s "k8s.io/api/core/v1"
	)

	import (
	"github.com/apache/dubbo-go-pixiu/security/pkg/pki/ca"
	"github.com/apache/dubbo-go-pixiu/security/pkg/pki/util"
	)

	const (
	// Layout for parsing time
	timeLayout = "Jan 2 15:04:05 2006"

	// modes supported by this tool.
	selfSignedMode = "self-signed"
	signerMode = "signer"
	citadelMode = "citadel"
	)

	var (
	host = flag.String("host", "", "Comma-separated hostnames and IPs to generate a certificate for.")
	validFrom = flag.String("start-date", "", "Creation date in format of "+timeLayout)
	validFor = flag.Duration("duration", 1036524*time.Hour, "Duration that certificate is valid for.")
	isCA = flag.Bool("ca", false, "Whether this cert should be a Certificate Authority.")
	signerCertFile = flag.String("signer-cert", "", "Signer certificate file (PEM encoded).")
	signerPrivFile = flag.String("signer-priv", "", "Signer private key file (PEM encoded).")
	isClient = flag.Bool("client", false, "Whether this certificate is for a client.")
	org = flag.String("organization", "Juju org", "Organization for the cert.")
	outCert = flag.String("out-cert", "cert.pem", "Output certificate file.")
	outPriv = flag.String("out-priv", "priv.pem", "Output private key file.")
	keySize = flag.Int("key-size", 2048, "Size of the generated private key")
	mode = flag.String("mode", selfSignedMode, "Supported mode: self-signed, signer, citadel")
	// Enable this flag if istio mTLS is enabled and the service is running as server side
	isServer = flag.Bool("server", false, "Whether this certificate is for a server.")
	ec = flag.String("ec-sig-alg", "", "Generate an elliptical curve private key with the specified algorithm")
	sanFields = flag.String("san", "", "Subject Alternative Names")
	)

	func checkCmdLine() {
	flag.Parse()

	hasCert, hasPriv := len(signerCertFile) != 0, len(signerPrivFile) != 0
	switch *mode {
	case selfSignedMode:
	if hasCert \|\| hasPriv {
	log.Fatalf("--mode=%v is incompatible with --signer-cert or --signer-priv.", selfSignedMode)
	}
	case signerMode:
	if !hasCert \|\| !hasPriv {
	log.Fatalf("Need --signer-cert and --signer-priv for --mode=%v.", signerMode)
	}
	case citadelMode:
	if hasCert \|\| hasPriv {
	log.Fatalf("--mode=%v is incompatible with --signer-cert or --signer-priv.", citadelMode)
	}
	default:
	log.Fatalf("Unsupported mode %v", *mode)
	}
	}

	func saveCreds(certPem []byte, privPem []byte) {
	err := os.WriteFile(*outCert, certPem, 0o644)
	if err != nil {
	log.Fatalf("Could not write output certificate: %s.", err)
	}

	err = os.WriteFile(*outPriv, privPem, 0o600)
	if err != nil {
	log.Fatalf("Could not write output private key: %s.", err)
	}
	}

	func signCertFromCitadel() (*x509.Certificate, crypto.PrivateKey) {
	args := []string{"get", "secret", "-n", "dubbo-system", "istio-ca-secret", "-o", "json"}
	cmd := exec.Command("kubectl", args...)
	out, err := cmd.CombinedOutput()
	if err != nil {
	log.Fatalf("Command failed error: %v\n, output\n%v\n", err, string(out))
	}

	var secret k8s.Secret
	err = json.Unmarshal(out, &secret)
	if err != nil {
	log.Fatalf("Unmarshal secret error: %v", err)
	}
	key, err := util.ParsePemEncodedKey(secret.Data[ca.CAPrivateKeyFile])
	if err != nil {
	log.Fatalf("Unrecognized key format from citadel %v", err)
	}
	cert, err := util.ParsePemEncodedCertificate(secret.Data[ca.CACertFile])
	if err != nil {
	log.Fatalf("Unrecognized cert format from citadel %v", err)
	}
	return cert, key
	}

	func main() {
	checkCmdLine()

	var signerCert *x509.Certificate
	var signerPriv crypto.PrivateKey
	var err error
	switch *mode {
	case selfSignedMode:
	case signerMode:
	signerCert, signerPriv, err = util.LoadSignerCredsFromFiles(signerCertFile, signerPrivFile)
	if err != nil {
	log.Fatalf("Failed to load signer key cert from file: %v\n", err)
	}
	case citadelMode:
	signerCert, signerPriv = signCertFromCitadel()
	default:
	log.Fatalf("Unsupported mode %v", *mode)
	}

	opts := util.CertOptions{
	Host: *host,
	NotBefore: getNotBefore(),
	TTL: *validFor,
	SignerCert: signerCert,
	SignerPriv: signerPriv,
	Org: *org,
	IsCA: *isCA,
	IsSelfSigned: *mode == selfSignedMode,
	IsClient: *isClient,
	RSAKeySize: *keySize,
	IsServer: *isServer,
	ECSigAlg: util.SupportedECSignatureAlgorithms(*ec),
	DNSNames: *sanFields,
	}
	certPem, privPem, err := util.GenCertKeyFromOptions(opts)
	if err != nil {
	log.Fatalf("Failed to generate certificate: %v\n", err)
	}

	saveCreds(certPem, privPem)
	fmt.Printf("Certificate and private files successfully saved in %s and %s\n", outCert, outPriv)
	}

	func getNotBefore() time.Time {
	if *validFrom == "" {
	return time.Now()
	}

	t, err := time.Parse(timeLayout, *validFrom)
	if err != nil {
	log.Fatalf("Failed to parse the '-start-from' option as a time (error: %s)\n", err)
	}

	return t
	}