oauth2-proxy/pkg/util/util.go

package util

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io/ioutil"
	"math/big"
	"net"
	"time"
)

func GetCertPool(paths []string) (*x509.CertPool, error) {
	if len(paths) == 0 {
		return nil, fmt.Errorf("invalid empty list of Root CAs file paths")
	}
	pool := x509.NewCertPool()
	for _, path := range paths {
		// Cert paths are a configurable option
		data, err := ioutil.ReadFile(path) // #nosec G304
		if err != nil {
			return nil, fmt.Errorf("certificate authority file (%s) could not be read - %s", path, err)
		}
		if !pool.AppendCertsFromPEM(data) {
			return nil, fmt.Errorf("loading certificate authority (%s) failed", path)
		}
	}
	return pool, nil
}

// https://golang.org/src/crypto/tls/generate_cert.go as a function
func GenerateCert() ([]byte, []byte, error) {
	var err error

	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}

	keyBytes, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, keyBytes, err
	}

	serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, keyBytes, err
	}

	notBefore := time.Now()
	template := x509.Certificate{
		SerialNumber: serialNumber,
		Subject: pkix.Name{
			Organization: []string{"OAuth2 Proxy Test Suite"},
		},
		NotBefore: notBefore,
		NotAfter:  notBefore.Add(time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,

		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},

		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}
	certBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
	return certBytes, keyBytes, err
}
Fix #635: Support specifying alternative provider TLS trust source(s) (#645) * Fix #635: Support specifying alternative provider TLS trust source(s) * Update pkg/apis/options/options.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Update pkg/validation/options.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Address review comments * upd CHANGELOG.md * refactor test to assert textual subjects + add openssl gen cmd Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-07-03 16:09:17 +01:00			`package util`

			`import (`
Initalize TLS.Config when connecting to Redis with TLS (#1296) * init TLS.Config when connecting to Redis with TLS * don't overwrite TLS config if it exists * add tests for Redis with TLS * remove hardcoded certs * add GenerateCert func * use GenerateCert util func * fix issue reported by go fmt * limit return statements in GenerateCert 2021-10-19 10:17:42 +02:00			`"crypto/rand"`
			`"crypto/rsa"`
Fix #635: Support specifying alternative provider TLS trust source(s) (#645) * Fix #635: Support specifying alternative provider TLS trust source(s) * Update pkg/apis/options/options.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Update pkg/validation/options.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Address review comments * upd CHANGELOG.md * refactor test to assert textual subjects + add openssl gen cmd Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-07-03 16:09:17 +01:00			`"crypto/x509"`
Initalize TLS.Config when connecting to Redis with TLS (#1296) * init TLS.Config when connecting to Redis with TLS * don't overwrite TLS config if it exists * add tests for Redis with TLS * remove hardcoded certs * add GenerateCert func * use GenerateCert util func * fix issue reported by go fmt * limit return statements in GenerateCert 2021-10-19 10:17:42 +02:00			`"crypto/x509/pkix"`
Fix #635: Support specifying alternative provider TLS trust source(s) (#645) * Fix #635: Support specifying alternative provider TLS trust source(s) * Update pkg/apis/options/options.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Update pkg/validation/options.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Address review comments * upd CHANGELOG.md * refactor test to assert textual subjects + add openssl gen cmd Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-07-03 16:09:17 +01:00			`"fmt"`
			`"io/ioutil"`
Initalize TLS.Config when connecting to Redis with TLS (#1296) * init TLS.Config when connecting to Redis with TLS * don't overwrite TLS config if it exists * add tests for Redis with TLS * remove hardcoded certs * add GenerateCert func * use GenerateCert util func * fix issue reported by go fmt * limit return statements in GenerateCert 2021-10-19 10:17:42 +02:00			`"math/big"`
			`"net"`
			`"time"`
Fix #635: Support specifying alternative provider TLS trust source(s) (#645) * Fix #635: Support specifying alternative provider TLS trust source(s) * Update pkg/apis/options/options.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Update pkg/validation/options.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Address review comments * upd CHANGELOG.md * refactor test to assert textual subjects + add openssl gen cmd Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-07-03 16:09:17 +01:00			`)`

			`func GetCertPool(paths []string) (*x509.CertPool, error) {`
			`if len(paths) == 0 {`
			`return nil, fmt.Errorf("invalid empty list of Root CAs file paths")`
			`}`
			`pool := x509.NewCertPool()`
			`for _, path := range paths {`
Document GoSec nosec skip comments 2020-07-20 18:49:45 -07:00			`// Cert paths are a configurable option`
Address gosec findings Mostly handling unhandled errors appropriately. If logging to STDERR fails, we panic. Added #nosec comments to findings we are OK with. 2020-07-19 22:24:18 -07:00			`data, err := ioutil.ReadFile(path) // #nosec G304`
Fix #635: Support specifying alternative provider TLS trust source(s) (#645) * Fix #635: Support specifying alternative provider TLS trust source(s) * Update pkg/apis/options/options.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Update pkg/validation/options.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Address review comments * upd CHANGELOG.md * refactor test to assert textual subjects + add openssl gen cmd Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-07-03 16:09:17 +01:00			`if err != nil {`
			`return nil, fmt.Errorf("certificate authority file (%s) could not be read - %s", path, err)`
			`}`
			`if !pool.AppendCertsFromPEM(data) {`
			`return nil, fmt.Errorf("loading certificate authority (%s) failed", path)`
			`}`
			`}`
			`return pool, nil`
			`}`
Initalize TLS.Config when connecting to Redis with TLS (#1296) * init TLS.Config when connecting to Redis with TLS * don't overwrite TLS config if it exists * add tests for Redis with TLS * remove hardcoded certs * add GenerateCert func * use GenerateCert util func * fix issue reported by go fmt * limit return statements in GenerateCert 2021-10-19 10:17:42 +02:00
			`// https://golang.org/src/crypto/tls/generate_cert.go as a function`
			`func GenerateCert() ([]byte, []byte, error) {`
			`var err error`

			`priv, err := rsa.GenerateKey(rand.Reader, 2048)`
			`if err != nil {`
			`return nil, nil, err`
			`}`

			`keyBytes, err := x509.MarshalPKCS8PrivateKey(priv)`
			`if err != nil {`
			`return nil, keyBytes, err`
			`}`

			`serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))`
			`if err != nil {`
			`return nil, keyBytes, err`
			`}`

			`notBefore := time.Now()`
			`template := x509.Certificate{`
			`SerialNumber: serialNumber,`
			`Subject: pkix.Name{`
			`Organization: []string{"OAuth2 Proxy Test Suite"},`
			`},`
			`NotBefore: notBefore,`
			`NotAfter: notBefore.Add(time.Hour),`
			`KeyUsage: x509.KeyUsageDigitalSignature \| x509.KeyUsageKeyEncipherment,`

			`ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},`

			`IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},`
			`}`
			`certBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)`
			`return certBytes, keyBytes, err`
			`}`