Consolidate PKI choices in a single file

It is easier to evaluate curves, curve parameters, signature algorithms,
key lengths, certificate constraints, and validity periods when they are
all in one place.

Author: cbandy

internal/pki/common.go

@@ -20,6 +20,7 @@ import (
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/x509"
+	"crypto/x509/pkix"
 	"math/big"
 	"time"
 )
@@ -44,3 +45,62 @@ func generateKey() (*ecdsa.PrivateKey, error) {
 func generateSerialNumber() (*big.Int, error) {
 	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
 }
+
+func generateLeafCertificate(
+	signer *x509.Certificate, signerPrivate *ecdsa.PrivateKey,
+	signeePublic *ecdsa.PublicKey, serialNumber *big.Int,
+	commonName string, dnsNames []string,
+) (*x509.Certificate, error) {
+	const leafExpiration = time.Hour * 24 * 365
+	const leafStartValid = time.Hour * -1
+
+	now := currentTime()
+	template := &x509.Certificate{
+		BasicConstraintsValid: true,
+		DNSNames:              dnsNames,
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		NotBefore:             now.Add(leafStartValid),
+		NotAfter:              now.Add(leafExpiration),
+		SerialNumber:          serialNumber,
+		SignatureAlgorithm:    certificateSignatureAlgorithm,
+		Subject: pkix.Name{
+			CommonName: commonName,
+		},
+	}
+
+	bytes, err := x509.CreateCertificate(rand.Reader, template, signer,
+		signeePublic, signerPrivate)
+
+	parsed, _ := x509.ParseCertificate(bytes)
+	return parsed, err
+}
+
+func generateRootCertificate(
+	privateKey *ecdsa.PrivateKey, serialNumber *big.Int,
+) (*x509.Certificate, error) {
+	const rootCommonName = "postgres-operator-ca"
+	const rootExpiration = time.Hour * 24 * 365 * 10
+	const rootStartValid = time.Hour * -1
+
+	now := currentTime()
+	template := &x509.Certificate{
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+		MaxPathLenZero:        true, // there are no intermediate certificates
+		NotBefore:             now.Add(rootStartValid),
+		NotAfter:              now.Add(rootExpiration),
+		SerialNumber:          serialNumber,
+		SignatureAlgorithm:    certificateSignatureAlgorithm,
+		Subject: pkix.Name{
+			CommonName: rootCommonName,
+		},
+	}
+
+	// A root certificate is self-signed, so pass in the template twice.
+	bytes, err := x509.CreateCertificate(rand.Reader, template, template,
+		privateKey.Public(), privateKey)
+
+	parsed, _ := x509.ParseCertificate(bytes)
+	return parsed, err
+}

internal/pki/leaf.go

@@ -17,21 +17,8 @@ package pki
 
 import (
 	"context"
-	"crypto/ecdsa"
-	"crypto/rand"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"math/big"
-	"time"
 )
 
-// LeafCertificate is a certificate and private key pair that can be validated
-// by RootCertificateAuthority.
-type LeafCertificate struct {
-	Certificate Certificate
-	PrivateKey  PrivateKey
-}
-
 // LeafCertIsBad checks at least one leaf cert has been generated, the basic constraints
 // are valid and it has been verified with the root certpool
 //
@@ -45,32 +32,3 @@ func LeafCertIsBad(
 ) bool {
 	return !rootCertCA.leafIsValid(leaf)
 }
-
-func generateLeafCertificate(
-	signer *x509.Certificate, signerPrivate *ecdsa.PrivateKey,
-	signeePublic *ecdsa.PublicKey, serialNumber *big.Int,
-	commonName string, dnsNames []string,
-) (*x509.Certificate, error) {
-	const leafExpiration = time.Hour * 24 * 365
-	const leafStartValid = time.Hour * -1
-
-	now := currentTime()
-	template := &x509.Certificate{
-		BasicConstraintsValid: true,
-		DNSNames:              dnsNames,
-		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
-		NotBefore:             now.Add(leafStartValid),
-		NotAfter:              now.Add(leafExpiration),
-		SerialNumber:          serialNumber,
-		SignatureAlgorithm:    certificateSignatureAlgorithm,
-		Subject: pkix.Name{
-			CommonName: commonName,
-		},
-	}
-
-	bytes, err := x509.CreateCertificate(rand.Reader, template, signer,
-		signeePublic, signerPrivate)
-
-	parsed, _ := x509.ParseCertificate(bytes)
-	return parsed, err
-}

internal/pki/pki.go

@@ -58,6 +58,38 @@ func (k PrivateKey) Equal(other PrivateKey) bool {
 	return k.ecdsa.Equal(other.ecdsa)
 }
 
+// LeafCertificate is a certificate and private key pair that can be validated
+// by RootCertificateAuthority.
+type LeafCertificate struct {
+	Certificate Certificate
+	PrivateKey  PrivateKey
+}
+
+// RootCertificateAuthority is a certificate and private key pair that can
+// generate other certificates.
+type RootCertificateAuthority struct {
+	Certificate Certificate
+	PrivateKey  PrivateKey
+}
+
+// NewRootCertificateAuthority generates a new key and self-signed certificate
+// for issuing other certificates.
+func NewRootCertificateAuthority() (*RootCertificateAuthority, error) {
+	var root RootCertificateAuthority
+	var serial *big.Int
+
+	key, err := generateKey()
+	if err == nil {
+		serial, err = generateSerialNumber()
+	}
+	if err == nil {
+		root.PrivateKey.ecdsa = key
+		root.Certificate.x509, err = generateRootCertificate(key, serial)
+	}
+
+	return &root, err
+}
+
 // RootIsValid checks if root is valid according to this package's policies.
 func RootIsValid(root *RootCertificateAuthority) bool {
 	if root == nil || root.Certificate.x509 == nil {

internal/pki/root.go

@@ -15,40 +15,6 @@
 
 package pki
 
-import (
-	"crypto/ecdsa"
-	"crypto/rand"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"math/big"
-	"time"
-)
-
-// RootCertificateAuthority is a certificate and private key pair that can
-// generate other certificates.
-type RootCertificateAuthority struct {
-	Certificate Certificate
-	PrivateKey  PrivateKey
-}
-
-// NewRootCertificateAuthority generates a new key and self-signed certificate
-// for issuing other certificates.
-func NewRootCertificateAuthority() (*RootCertificateAuthority, error) {
-	var root RootCertificateAuthority
-	var serial *big.Int
-
-	key, err := generateKey()
-	if err == nil {
-		serial, err = generateSerialNumber()
-	}
-	if err == nil {
-		root.PrivateKey.ecdsa = key
-		root.Certificate.x509, err = generateRootCertificate(key, serial)
-	}
-
-	return &root, err
-}
-
 // RootCAIsBad checks that at least one root CA has been generated and that
 // all returned certs are CAs and not expired
 //
@@ -59,33 +25,3 @@ func NewRootCertificateAuthority() (*RootCertificateAuthority, error) {
 func RootCAIsBad(root *RootCertificateAuthority) bool {
 	return !RootIsValid(root)
 }
-
-func generateRootCertificate(
-	privateKey *ecdsa.PrivateKey, serialNumber *big.Int,
-) (*x509.Certificate, error) {
-	const rootCommonName = "postgres-operator-ca"
-	const rootExpiration = time.Hour * 24 * 365 * 10
-	const rootStartValid = time.Hour * -1
-
-	now := currentTime()
-	template := &x509.Certificate{
-		BasicConstraintsValid: true,
-		IsCA:                  true,
-		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
-		MaxPathLenZero:        true, // there are no intermediate certificates
-		NotBefore:             now.Add(rootStartValid),
-		NotAfter:              now.Add(rootExpiration),
-		SerialNumber:          serialNumber,
-		SignatureAlgorithm:    certificateSignatureAlgorithm,
-		Subject: pkix.Name{
-			CommonName: rootCommonName,
-		},
-	}
-
-	// A root certificate is self-signed, so pass in the template twice.
-	bytes, err := x509.CreateCertificate(rand.Reader, template, template,
-		privateKey.Public(), privateKey)
-
-	parsed, _ := x509.ParseCertificate(bytes)
-	return parsed, err
-}