introduce cert opts

hashicorp · Mar 19, 2021 · e117682 · e117682
1 parent 0b0ec7f
commit e117682
Show file tree

Hide file tree

Showing 7 changed files with 44 additions and 18 deletions.
diff --git a/agent/consul/server_test.go b/agent/consul/server_test.go
@@ -58,7 +58,7 @@ func testTLSCertificates(serverName string) (cert string, key string, cacert str
 		return "", "", "", err
 	}
 
-	cert, privateKey, err := tlsutil.GenerateCert(
+	cert, privateKey, err := tlsutil.GenerateCert(tlsutil.CertOpts{
 		signer,
 		ca,
 		serial,
@@ -67,7 +67,7 @@ func testTLSCertificates(serverName string) (cert string, key string, cacert str
 		[]string{serverName},
 		nil,
 		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
-	)
+	})
 	if err != nil {
 		return "", "", "", err
 	}

diff --git a/agent/pool/peek_test.go b/agent/pool/peek_test.go
@@ -207,7 +207,7 @@ func generateTestCert(serverName string) (cert tls.Certificate, caPEM []byte, er
 		return tls.Certificate{}, nil, err
 	}
 
-	certificate, privateKey, err := tlsutil.GenerateCert(
+	certificate, privateKey, err := tlsutil.GenerateCert(tlsutil.CertOpts{
 		signer,
 		ca,
 		serial,
@@ -216,7 +216,7 @@ func generateTestCert(serverName string) (cert tls.Certificate, caPEM []byte, er
 		[]string{serverName},
 		nil,
 		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-	)
+	})
 	if err != nil {
 		return tls.Certificate{}, nil, err
 	}

diff --git a/agent/routine-leak-checker/leak_test.go b/agent/routine-leak-checker/leak_test.go
@@ -31,7 +31,7 @@ func testTLSCertificates(serverName string) (cert string, key string, cacert str
 		return "", "", "", err
 	}
 
-	cert, privateKey, err := tlsutil.GenerateCert(
+	cert, privateKey, err := tlsutil.GenerateCert(tlsutil.CertOpts{
 		signer,
 		ca,
 		serial,
@@ -40,7 +40,7 @@ func testTLSCertificates(serverName string) (cert string, key string, cacert str
 		[]string{serverName},
 		nil,
 		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
-	)
+	})
 	if err != nil {
 		return "", "", "", err
 	}

diff --git a/agent/testagent.go b/agent/testagent.go
@@ -577,7 +577,7 @@ func testTLSCertificates(serverName string) (cert string, key string, cacert str
 		return "", "", "", err
 	}
 
-	cert, privateKey, err := tlsutil.GenerateCert(
+	cert, privateKey, err := tlsutil.GenerateCert(tlsutil.CertOpts{
 		signer,
 		ca,
 		serial,
@@ -586,7 +586,7 @@ func testTLSCertificates(serverName string) (cert string, key string, cacert str
 		[]string{serverName},
 		nil,
 		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
-	)
+	})
 	if err != nil {
 		return "", "", "", err
 	}

diff --git a/command/tls/cert/create/tls_cert_create.go b/command/tls/cert/create/tls_cert_create.go
@@ -182,7 +182,10 @@ func (c *cmd) Run(args []string) int {
 		return 1
 	}
 
-	pub, priv, err := tlsutil.GenerateCert(signer, string(cert), sn, name, c.days, DNSNames, IPAddresses, extKeyUsage)
+	pub, priv, err := tlsutil.GenerateCert(tlsutil.CertOpts{
+		signer, string(cert), sn, name, c.days,
+		DNSNames, IPAddresses, extKeyUsage,
+	})
 	if err != nil {
 		c.UI.Error(err.Error())
 		return 1

diff --git a/tlsutil/generate.go b/tlsutil/generate.go
@@ -44,6 +44,17 @@ type CAOpts struct {
 	Name                string
 }
 
+type CertOpts struct {
+	Signer crypto.Signer
+	CA string
+	Serial *big.Int
+	Name string
+	Days int
+	DNSNames []string
+	IPAddresses []net.IP
+	ExtKeyUsage []x509.ExtKeyUsage
+}
+
 // GenerateCA generates a new CA for agent TLS (not to be confused with Connect TLS)
 func GenerateCA(opts CAOpts) (string, string, error) {
 	signer := opts.Signer
@@ -127,8 +138,8 @@ func GenerateCA(opts CAOpts) (string, string, error) {
 }
 
 // GenerateCert generates a new certificate for agent TLS (not to be confused with Connect TLS)
-func GenerateCert(signer crypto.Signer, ca string, sn *big.Int, name string, days int, DNSNames []string, IPAddresses []net.IP, extKeyUsage []x509.ExtKeyUsage) (string, string, error) {
-	parent, err := parseCert(ca)
+func GenerateCert(opts CertOpts) (string, string, error) {
+	parent, err := parseCert(opts.CA)
 	if err != nil {
 		return "", "", err
 	}
@@ -143,21 +154,30 @@ func GenerateCert(signer crypto.Signer, ca string, sn *big.Int, name string, day
 		return "", "", err
 	}
 
+	sn := opts.Serial
+	if sn == nil {
+		var err error
+		sn, err = GenerateSerialNumber()
+		if err != nil {
+			return "", "", err
+		}
+	}
+
 	template := x509.Certificate{
 		SerialNumber:          sn,
-		Subject:               pkix.Name{CommonName: name},
+		Subject:               pkix.Name{CommonName: opts.Name},
 		BasicConstraintsValid: true,
 		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
-		ExtKeyUsage:           extKeyUsage,
+		ExtKeyUsage:           opts.ExtKeyUsage,
 		IsCA:                  false,
-		NotAfter:              time.Now().AddDate(0, 0, days),
+		NotAfter:              time.Now().AddDate(0, 0, opts.Days),
 		NotBefore:             time.Now(),
 		SubjectKeyId:          id,
-		DNSNames:              DNSNames,
-		IPAddresses:           IPAddresses,
+		DNSNames:              opts.DNSNames,
+		IPAddresses:           opts.IPAddresses,
 	}
 
-	bs, err := x509.CreateCertificate(rand.Reader, &template, parent, signee.Public(), signer)
+	bs, err := x509.CreateCertificate(rand.Reader, &template, parent, signee.Public(), opts.Signer)
 	if err != nil {
 		return "", "", err
 	}

diff --git a/tlsutil/generate_test.go b/tlsutil/generate_test.go
@@ -123,7 +123,10 @@ func TestGenerateCert(t *testing.T) {
 	IPAddresses := []net.IP{net.ParseIP("123.234.243.213")}
 	extKeyUsage := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
 	name := "Cert Name"
-	certificate, pk, err := GenerateCert(signer, ca, sn, name, 365, DNSNames, IPAddresses, extKeyUsage)
+	certificate, pk, err := GenerateCert(CertOpts{
+		signer, ca, sn, name, 365,
+		DNSNames, IPAddresses, extKeyUsage,
+	})
 	require.Nil(t, err)
 	require.NotEmpty(t, certificate)
 	require.NotEmpty(t, pk)