Update base (istio#61)

* Update base * Change to dev8 * Renew expired certs for TestCertOptionsAndRetrieveID (istio#32442) (istio#32476) * Renew expired certs for TestCertOptionsAndRetrieveID Signed-off-by: Rei Shimizu <[email protected]> * fix Signed-off-by: Rei Shimizu <[email protected]> Co-authored-by: Rei Shimizu <[email protected]> Co-authored-by: jacob-delgado <[email protected]> Co-authored-by: Rei Shimizu <[email protected]>
airbnb · May 7, 2021 · 6736275 · 6736275
1 parent 749b8f8
commit 6736275
Show file tree

Hide file tree

Showing 9 changed files with 55 additions and 27 deletions.
diff --git a/Makefile.core.mk b/Makefile.core.mk
@@ -22,7 +22,7 @@ SHELL := /bin/bash -o pipefail
 export VERSION ?= 1.9-dev
 
 # Base version of Istio image to use
-BASE_VERSION ?= 1.9-dev.6
+BASE_VERSION ?= 1.9-dev.8
 
 export GO111MODULE ?= on
 export GOPROXY ?= https://proxy.golang.org

diff --git a/security/pkg/pki/testdata/README.md b/security/pkg/pki/testdata/README.md
@@ -0,0 +1,15 @@
+# Generating ECC certificate for unit test
+
+In general, we prefer to generate certs by running `security/tools/generate_cert/main.go`
+
+## ECC root certificate
+
+```bash
+go run main.go -ec-sig-alg ECDSA -ca true
+```
+
+## ECC client certificate signed by root certificate
+
+```bash
+go run main.go -ec-sig-alg ECDSA -san watt -signer-cert ../../pkg/pki/testdata/ec-root-cert.pem -signer-priv ../../pkg/pki/testdata/ec-root-key.pem -mode signer
+```
diff --git a/security/pkg/pki/testdata/ec-root-cert.pem b/security/pkg/pki/testdata/ec-root-cert.pem
@@ -1,9 +1,10 @@
 -----BEGIN CERTIFICATE-----
-MIIBRTCB7aADAgECAhBrXnHEzo6ficRxHTqVkhpXMAoGCCqGSM49BAMCMBMxETAP
-BgNVBAoTCEp1anUgb3JnMB4XDTIwMDQyNDAxMjg0MVoXDTIxMDQyNDAxMjg0MVow
-EzERMA8GA1UEChMISnVqdSBvcmcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQn
-OrqOojlPW3hVMnxhPvi9hpb7pgoWkPuXPkpNd737SSkIvePL/Od1RNl2ZgRVlGHu
-pTKNxbr2PgWjzinYGMKWoyMwITAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUw
-AwEB/zAKBggqhkjOPQQDAgNHADBEAiBwqE22zEeiOLjze48h3wVjg4gIKAOLLLml
-ftYXwrHYyQIgeAD56ZGhpywak4zLAdE/nWYuNWfYTSLhswLCwo8x3EE=
+MIIBZTCCAQygAwIBAgIQJ3oELRM2MUXeo5i1hlVBVzAKBggqhkjOPQQDAjATMREw
+DwYDVQQKEwhKdWp1IG9yZzAeFw0yMTA0MjUwMjU2NDRaFw0zMTA0MjMwMjU2NDRa
+MBMxETAPBgNVBAoTCEp1anUgb3JnMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
+VfgavwbYmrGNMZg/l2jMbeSNSLfqgVebgo3Mhs4Hhl0529PiVvdbsS0NPoER9IBa
+gFs2uxeH0SypCXnEOc8c+KNCMEAwDgYDVR0PAQH/BAQDAgIEMA8GA1UdEwEB/wQF
+MAMBAf8wHQYDVR0OBBYEFA7UyJls9sBVHjiCR6/otVfQVzIqMAoGCCqGSM49BAMC
+A0cAMEQCIGvYSG6c7fQkM0nhDvJZHPMMOsTh0IXRcS57yQ3CkWyuAiAsLJvnMzZC
+1hy5zewJZuL+htWuBRy+mrZ9RpI9JjP6zQ==
 -----END CERTIFICATE-----
diff --git a/security/pkg/pki/testdata/ec-root-key.pem b/security/pkg/pki/testdata/ec-root-key.pem
@@ -1,5 +1,5 @@
 -----BEGIN EC PRIVATE KEY-----
-MHcCAQEEIIVpk1ef0vR5sV/PFiNT/GRx2qwm8A4tJ3qGJFfxJ2j/oAoGCCqGSM49
-AwEHoUQDQgAEJzq6jqI5T1t4VTJ8YT74vYaW+6YKFpD7lz5KTXe9+0kpCL3jy/zn
-dUTZdmYEVZRh7qUyjcW69j4Fo84p2BjClg==
+MHcCAQEEID1/56HQO0X1qhaOGCtj/U47TKy4jzj6lEcpfH4hnLYnoAoGCCqGSM49
+AwEHoUQDQgAEVfgavwbYmrGNMZg/l2jMbeSNSLfqgVebgo3Mhs4Hhl0529PiVvdb
+sS0NPoER9IBagFs2uxeH0SypCXnEOc8c+A==
 -----END EC PRIVATE KEY-----
diff --git a/security/pkg/pki/testdata/ec-workload-cert.pem b/security/pkg/pki/testdata/ec-workload-cert.pem
@@ -1,10 +1,10 @@
 -----BEGIN CERTIFICATE-----
-MIIBWDCB/6ADAgECAhEAznebEvQzXeeo//Uub9V0PTAKBggqhkjOPQQDAjATMREw
-DwYDVQQKEwhKdWp1IG9yZzAeFw0yMDA0MjQwMjA1MTVaFw0yMTA0MjQwMjA1MTVa
-MBMxETAPBgNVBAoTCEp1anUgb3JnMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
-1UaBDHGElz0MR2dynUfBbJkoX8p/ru56maHwl/oxDFoXxT2NVaAja1JO1dRa3mCi
-4VqdZn0mTU2UaRZj8h3EkKM0MDIwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQC
-MAAwEgYDVR0RAQH/BAgwBoIEd2F0dDAKBggqhkjOPQQDAgNIADBFAiEAl1sIluHk
-dq8m5VqdmUWTsIGWq4sQwri1NkKU0nirsGYCIHoWOptmbUGgGehcK8XnyV69yjke
-qNdLwEABudIIrFjg
+MIIBUzCB+6ADAgECAhBQCICNL1AItK+U7Y1xB5ZyMAoGCCqGSM49BAMCMBMxETAP
+BgNVBAoTCEp1anUgb3JnMB4XDTIxMDQyNTAyNTczNloXDTMxMDQyMzAyNTczNlow
+EzERMA8GA1UEChMISnVqdSBvcmcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQk
+XQZYEyiug7lkZxBSGXjwg0MTGoS9C2VJUrUoVqisfIW2IUGZayAIA8eSixY1v8UD
+OHxO/6TvjRyauIzWzWDsozEwLzAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIw
+ADAPBgNVHREECDAGggR3YXR0MAoGCCqGSM49BAMCA0cAMEQCID2XGmwzOuzQqIlP
+JLnUYeBeaLHLgB/PsJ1wN8iwnTlPAiBNg6lGxQ0J1jI8KCpQSCb9qMNnBXqjqA+s
+PHjtECxe5g==
 -----END CERTIFICATE-----
diff --git a/security/pkg/pki/testdata/ec-workload-key.pem b/security/pkg/pki/testdata/ec-workload-key.pem
@@ -1,5 +1,5 @@
 -----BEGIN EC PRIVATE KEY-----
-MHcCAQEEIO39+hceDAgp4KlNsfrCs9b9dgqG4d1zyVErHtPYENnxoAoGCCqGSM49
-AwEHoUQDQgAE1UaBDHGElz0MR2dynUfBbJkoX8p/ru56maHwl/oxDFoXxT2NVaAj
-a1JO1dRa3mCi4VqdZn0mTU2UaRZj8h3EkA==
+MHcCAQEEILe5InDwcnOFchsKXAVR0keo+uXWJ5aJqa352OAwcX79oAoGCCqGSM49
+AwEHoUQDQgAEJF0GWBMoroO5ZGcQUhl48INDExqEvQtlSVK1KFaorHyFtiFBmWsg
+CAPHkosWNb/FAzh8Tv+k740cmriM1s1g7A==
 -----END EC PRIVATE KEY-----
diff --git a/security/pkg/pki/util/generate_cert.go b/security/pkg/pki/util/generate_cert.go
@@ -97,6 +97,9 @@ type CertOptions struct {
 	// when generating private keys. Currently only ECDSA is supported.
 	// If empty, RSA is used, otherwise ECC is used.
 	ECSigAlg SupportedECSignatureAlgorithms
+
+	// Subjective Alternative Name values.
+	DNSNames string
 }
 
 // GenCertKeyFromOptions generates a X.509 certificate and a private key with the given options.
@@ -360,6 +363,11 @@ func genCertTemplateFromOptions(options CertOptions) (*x509.Certificate, error)
 		exts = []pkix.Extension{*s}
 	}
 
+	dnsNames := strings.Split(options.DNSNames, ",")
+	if len(dnsNames[0]) == 0 {
+		dnsNames = nil
+	}
+
 	return &x509.Certificate{
 		SerialNumber:          serialNum,
 		Subject:               subject,
@@ -369,7 +377,9 @@ func genCertTemplateFromOptions(options CertOptions) (*x509.Certificate, error)
 		ExtKeyUsage:           extKeyUsages,
 		IsCA:                  options.IsCA,
 		BasicConstraintsValid: true,
-		ExtraExtensions:       exts}, nil
+		ExtraExtensions:       exts,
+		DNSNames:              dnsNames,
+	}, nil
 }
 
 func genSerialNum() (*big.Int, error) {

diff --git a/security/pkg/pki/util/keycertbundle_test.go b/security/pkg/pki/util/keycertbundle_test.go
@@ -176,7 +176,7 @@ func TestCertOptionsAndRetrieveID(t *testing.T) {
 			rootCertFile:  ecRootCertFile,
 			certOptions: &CertOptions{
 				Host:     "watt",
-				TTL:      365 * 24 * time.Hour,
+				TTL:      10 * 365 * 24 * time.Hour,
 				Org:      "Juju org",
 				IsCA:     false,
 				ECSigAlg: EcdsaSigAlg,

diff --git a/security/tools/generate_cert/main.go b/security/tools/generate_cert/main.go
@@ -45,7 +45,7 @@ const (
 var (
 	host           = flag.String("host", "", "Comma-separated hostnames and IPs to generate a certificate for.")
 	validFrom      = flag.String("start-date", "", "Creation date in format of "+timeLayout)
-	validFor       = flag.Duration("duration", 365*24*time.Hour, "Duration that certificate is valid for.")
+	validFor       = flag.Duration("duration", 10*365*24*time.Hour, "Duration that certificate is valid for.")
 	isCA           = flag.Bool("ca", false, "Whether this cert should be a Certificate Authority.")
 	signerCertFile = flag.String("signer-cert", "", "Signer certificate file (PEM encoded).")
 	signerPrivFile = flag.String("signer-priv", "", "Signer private key file (PEM encoded).")
@@ -56,8 +56,9 @@ var (
 	keySize        = flag.Int("key-size", 2048, "Size of the generated private key")
 	mode           = flag.String("mode", selfSignedMode, "Supported mode: self-signed, signer, citadel")
 	// Enable this flag if istio mTLS is enabled and the service is running as server side
-	isServer = flag.Bool("server", false, "Whether this certificate is for a server.")
-	ec       = flag.String("ec-sig-alg", "", "Generate an elliptical curve private key with the specified algorithm")
+	isServer  = flag.Bool("server", false, "Whether this certificate is for a server.")
+	ec        = flag.String("ec-sig-alg", "", "Generate an elliptical curve private key with the specified algorithm")
+	sanFields = flag.String("san", "", "Subject Alternative Names")
 )
 
 func checkCmdLine() {
@@ -150,6 +151,7 @@ func main() {
 		RSAKeySize:   *keySize,
 		IsServer:     *isServer,
 		ECSigAlg:     util.SupportedECSignatureAlgorithms(*ec),
+		DNSNames:     *sanFields,
 	}
 	certPem, privPem, err := util.GenCertKeyFromOptions(opts)