From fa49beb6238257c51fd98b90c0adcca2f7653d13 Mon Sep 17 00:00:00 2001
From: Margo Crawford
Date: Fri, 26 Feb 2021 12:05:17 -0800
Subject: [PATCH] Change length of TLS certs and CA.

Signed-off-by: Ryan Richard
---
 .../impersonatorconfig/impersonator_config.go | 4 ++--
 .../impersonatorconfig/impersonator_config_test.go | 12 ++++++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/internal/controller/impersonatorconfig/impersonator_config.go b/internal/controller/impersonatorconfig/impersonator_config.go
index c7b6d3e2..b4eba710 100644
--- a/internal/controller/impersonatorconfig/impersonator_config.go
+++ b/internal/controller/impersonatorconfig/impersonator_config.go
@@ -448,7 +448,7 @@ func (c *impersonatorConfigController) ensureTLSSecretIsCreatedAndLoaded(ctx con
 
 // TODO create/save/watch the CA separately so we can reuse it to mint tls certs as the settings are dynamically changed,
 // so that clients don't need to be updated to use a different CA just because the server-side settings were changed.
-impersonationCA, err := certauthority.New(pkix.Name{CommonName: "test CA"}, 24*time.Hour) // TODO change the expiration of this to 100 years
+impersonationCA, err := certauthority.New(pkix.Name{CommonName: "Pinniped Impersonation Proxy CA"}, 100*365*24*time.Hour)
 if err != nil {
 return fmt.Errorf("could not create impersonation CA: %w", err)
 }
@@ -534,7 +534,7 @@ func (c *impersonatorConfigController) findTLSCertificateNameFromLoadBalancer()
 }
 
 func (c *impersonatorConfigController) createNewTLSSecret(ctx context.Context, ca *certauthority.CA, ips []net.IP, hostnames []string) (*v1.Secret, error) {
-impersonationCert, err := ca.Issue(pkix.Name{}, hostnames, ips, 24*time.Hour) // TODO change the length of this too 100 years for now?
+impersonationCert, err := ca.Issue(pkix.Name{}, hostnames, ips, 100*365*24*time.Hour)
 if err != nil {
 return nil, fmt.Errorf("could not create impersonation cert: %w", err)
 }
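Review bot: The 100-year lifetime on the `certauthority.New` line is an unexplained magic number that is repeated on the `ca.Issue` line in the next hunk and twice more in the test, so the CA and leaf lifetimes can silently drift apart; hoist it into one package-level constant, `const impersonationCertLifetime = 100 * 365 * 24 * time.Hour`, and pass it to both calls. It also needs a why-comment, because a certificate that effectively never expires means nothing ever forces rotation of the key stored in the Secret: something like `// Effectively never expires: as the TODO above implies, the CA is regenerated together with the Secret rather than persisted, so expiry is not the rotation mechanism here.` The TODO kept on the two context lines above is still accurate after this change and should stay. ensureTLSSecretIsCreatedAndLoaded starts and ends outside the hunk.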
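Review bot: The leaf issued on the `ca.Issue` line gets exactly the same 100-year lifetime as its issuer, but it is issued strictly after `certauthority.New` ran in the previous hunk, so unless `ca.Issue` clamps NotAfter to the CA's NotAfter (its implementation is not visible here) the serving cert will outlive its own CA by the gap between the two calls. Go's x509 verifier does not check that nesting, so kubectl and other Go clients will not notice, but some stricter validators may; issuing the leaf with a shorter lifetime than the CA, or deriving its NotAfter from the CA's, removes the question. A 100-year serving cert whose private key lives in a Kubernetes Secret also means key compromise is only mitigated by replacing that Secret, which is worth stating in a comment on this line, e.g. `// Same lifetime as the CA: rotation is by replacing the Secret, not by expiry.` createNewTLSSecret's body continues outside the hunk.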
diff --git a/internal/controller/impersonatorconfig/impersonator_config_test.go b/internal/controller/impersonatorconfig/impersonator_config_test.go
index 27e8f6ea..a246bbca 100644
--- a/internal/controller/impersonatorconfig/impersonator_config_test.go
+++ b/internal/controller/impersonatorconfig/impersonator_config_test.go
@@ -8,6 +8,7 @@ import (
 "crypto/tls"
 "crypto/x509"
 "crypto/x509/pkix"
+"encoding/pem"
 "errors"
 "fmt"
 "io/ioutil"
@@ -668,6 +669,17 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 r.NotNil(createdSecret.Data["ca.crt"])
 r.NotNil(createdSecret.Data[corev1.TLSPrivateKeyKey])
 r.NotNil(createdSecret.Data[corev1.TLSCertKey])
+validCert := testutil.ValidateCertificate(t, string(createdSecret.Data["ca.crt"]), string(createdSecret.Data[corev1.TLSCertKey]))
+validCert.RequireMatchesPrivateKey(string(createdSecret.Data[corev1.TLSPrivateKeyKey]))
+validCert.RequireLifetime(time.Now().Add(-10*time.Second), time.Now().Add(100*time.Hour*24*365), 10*time.Second)
+// Make sure the CA certificate looks roughly like what we expect.
+block, _ := pem.Decode(createdSecret.Data["ca.crt"])
+require.NotNil(t, block)
+caCert, err := x509.ParseCertificate(block.Bytes)
+require.NoError(t, err)
+require.Equal(t, "Pinniped Impersonation Proxy CA", caCert.Subject.CommonName)
+require.WithinDuration(t, time.Now().Add(-10*time.Second), caCert.NotBefore, 10*time.Second)
+require.WithinDuration(t, time.Now().Add(100*time.Hour*24*365), caCert.NotAfter, 10*time.Second)
 return createdSecret.Data["ca.crt"]
 }
 
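Review bot: The new assertions pin the CA's CommonName and lifetime but never check that the decoded `caCert` is actually a CA, so a certauthority regression that drops basic constraints or the cert-sign key usage would only surface indirectly, and only if `testutil.ValidateCertificate` verifies the full chain (its implementation is not visible here). After the CommonName check add `require.True(t, caCert.IsCA)` and `require.True(t, caCert.BasicConstraintsValid)`, and optionally `require.NotZero(t, caCert.KeyUsage&x509.KeyUsageCertSign)`. The expected lifetime `100*time.Hour*24*365` is also hand-copied from the production literal in two places here; reading it from one shared constant would keep the test from passing vacuously if the code and test are edited out of step. TestImpersonatorConfigControllerSync starts and ends outside the hunk.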