Initial MVP

Signed-off-by: Erik Godding Boye <[email protected]>

Author: erikgb

go.mod

@@ -0,0 +1,3 @@
+module github.com/cert-manager/webhook-cert-lib
+
+go 1.22.0

go.sum

@@ -0,0 +1,190 @@
+/*
+Copyright The cert-manager Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package pki
+
+import (
+	"bytes"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"slices"
+	"time"
+)
+
+// CertPool is a set of certificates.
+type CertPool struct {
+	certificates map[[32]byte]*x509.Certificate
+
+	filterExpired bool
+}
+
+type Option func(*CertPool)
+
+func WithFilteredExpiredCerts(filterExpired bool) Option {
+	return func(cp *CertPool) {
+		cp.filterExpired = filterExpired
+	}
+}
+
+// NewCertPool returns a new, empty CertPool.
+// It will deduplicate certificates based on their SHA256 hash.
+// Optionally, it can filter out expired certificates.
+func NewCertPool(options ...Option) *CertPool {
+	certPool := &CertPool{
+		certificates: make(map[[32]byte]*x509.Certificate),
+	}
+
+	for _, option := range options {
+		option(certPool)
+	}
+
+	return certPool
+}
+
+func (cp *CertPool) AddCert(cert *x509.Certificate) bool {
+	if cert == nil {
+		panic("adding nil Certificate to CertPool")
+	}
+	if cp.filterExpired && time.Now().After(cert.NotAfter) {
+		return false
+	}
+
+	hash := sha256.Sum256(cert.Raw)
+	cp.certificates[hash] = cert
+	return true
+}
+
+// AddCertsFromPEM strictly validates a given input PEM bundle to confirm it contains
+// only valid CERTIFICATE PEM blocks. If successful, returns the validated PEM blocks with any
+// comments or extra data stripped.
+//
+// This validation is broadly similar to the standard library function
+// crypto/x509.CertPool.AppendCertsFromPEM - that is, we decode each PEM block at a time and parse
+// it as a certificate.
+//
+// The difference here is that we want to ensure that the bundle _only_ contains certificates, and
+// not just skip over things which aren't certificates.
+//
+// If, for example, someone accidentally used a combined cert + private key as an input to a trust
+// bundle, we wouldn't want to then distribute the private key in the target.
+//
+// In addition, the standard library AppendCertsFromPEM also silently skips PEM blocks with
+// non-empty Headers. We error on such PEM blocks, for the same reason as above; headers could
+// contain (accidental) private information. They're also non-standard according to
+// https://www.rfc-editor.org/rfc/rfc7468
+//
+// Additionally, if the input PEM bundle contains no non-expired certificates, an error is returned.
+// TODO: Reconsider what should happen if the input only contains expired certificates.
+func (cp *CertPool) AddCertsFromPEM(pemData []byte) error {
+	if pemData == nil {
+		return fmt.Errorf("certificate data can't be nil")
+	}
+
+	ok := false
+	for {
+		var block *pem.Block
+		block, pemData = pem.Decode(pemData)
+
+		if block == nil {
+			break
+		}
+
+		if block.Type != "CERTIFICATE" {
+			// only certificates are allowed in a bundle
+			return fmt.Errorf("invalid PEM block in bundle: only CERTIFICATE blocks are permitted but found '%s'", block.Type)
+		}
+
+		if len(block.Headers) != 0 {
+			return fmt.Errorf("invalid PEM block in bundle; blocks are not permitted to have PEM headers")
+		}
+
+		certificate, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			// the presence of an invalid cert (including things which aren't certs)
+			// should cause the bundle to be rejected
+			return fmt.Errorf("invalid PEM block in bundle; invalid PEM certificate: %w", err)
+		}
+
+		if certificate == nil {
+			return fmt.Errorf("failed appending a certificate: certificate is nil")
+		}
+
+		if cp.AddCert(certificate) {
+			ok = true // at least one non-expired certificate was found in the input
+		}
+	}
+
+	if !ok {
+		return fmt.Errorf("no non-expired certificates found in input bundle")
+	}
+
+	return nil
+}
+
+// Get certificates quantity in the certificates pool
+func (cp *CertPool) Size() int {
+	return len(cp.certificates)
+}
+
+func (cp *CertPool) PEM() string {
+	if cp == nil || len(cp.certificates) == 0 {
+		return ""
+	}
+
+	buffer := bytes.Buffer{}
+
+	for _, cert := range cp.Certificates() {
+		if err := pem.Encode(&buffer, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}); err != nil {
+			return ""
+		}
+	}
+
+	return string(bytes.TrimSpace(buffer.Bytes()))
+}
+
+func (cp *CertPool) PEMSplit() []string {
+	if cp == nil || len(cp.certificates) == 0 {
+		return nil
+	}
+
+	pems := make([]string, 0, len(cp.certificates))
+	for _, cert := range cp.Certificates() {
+		pems = append(pems, string(bytes.TrimSpace(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}))))
+	}
+
+	return pems
+}
+
+// Get the list of all x509 Certificates in the certificates pool
+func (cp *CertPool) Certificates() []*x509.Certificate {
+	hashes := make([][32]byte, 0, len(cp.certificates))
+	for hash := range cp.certificates {
+		hashes = append(hashes, hash)
+	}
+
+	slices.SortFunc(hashes, func(i, j [32]byte) int {
+		return bytes.Compare(i[:], j[:])
+	})
+
+	orderedCertificates := make([]*x509.Certificate, 0, len(cp.certificates))
+	for _, hash := range hashes {
+		orderedCertificates = append(orderedCertificates, cp.certificates[hash])
+	}
+
+	return orderedCertificates
+}

internal/pki/cert_pool.go

@@ -0,0 +1,166 @@
+/*
+Copyright The cert-manager Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package pki
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+)
+
+// SignCertificate returns a signed *x509.Certificate given a template
+// *x509.Certificate crt and an issuer.
+// publicKey is the public key of the signee, and signerKey is the private
+// key of the signer.
+// It returns a PEM encoded copy of the Certificate as well as a *x509.Certificate
+// which can be used for reading the encoded values.
+func SignCertificate(template *x509.Certificate, issuerCert *x509.Certificate, publicKey crypto.PublicKey, signerKey any) ([]byte, *x509.Certificate, error) {
+	typedSigner, ok := signerKey.(crypto.Signer)
+	if !ok {
+		return nil, nil, fmt.Errorf("didn't get an expected Signer in call to SignCertificate")
+	}
+
+	var pubKeyAlgo x509.PublicKeyAlgorithm
+	var sigAlgoArg any
+
+	// NB: can't rely on issuerCert.Public or issuercert.PublicKeyAlgorithm being set reliably;
+	// but we know that signerKey.Public() will work!
+	switch pubKey := typedSigner.Public().(type) {
+	case *rsa.PublicKey:
+		pubKeyAlgo = x509.RSA
+
+		// Size is in bytes so multiply by 8 to get bits because they're more familiar
+		// This is technically not portable but if you're using cert-manager on a platform
+		// with bytes that don't have 8 bits, you've got bigger problems than this!
+		sigAlgoArg = pubKey.Size() * 8
+
+	case *ecdsa.PublicKey:
+		pubKeyAlgo = x509.ECDSA
+		sigAlgoArg = pubKey.Curve
+
+	case ed25519.PublicKey:
+		pubKeyAlgo = x509.Ed25519
+		sigAlgoArg = nil // ignored by signatureAlgorithmFromPublicKey
+
+	default:
+		return nil, nil, fmt.Errorf("unknown public key type on signing certificate: %T", issuerCert.PublicKey)
+	}
+
+	var err error
+	template.SignatureAlgorithm, err = signatureAlgorithmFromPublicKey(pubKeyAlgo, sigAlgoArg)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	derBytes, err := x509.CreateCertificate(rand.Reader, template, issuerCert, publicKey, signerKey)
+	if err != nil {
+		return nil, nil, fmt.Errorf("error creating x509 certificate: %s", err.Error())
+	}
+
+	cert, err := x509.ParseCertificate(derBytes)
+	if err != nil {
+		return nil, nil, fmt.Errorf("error decoding DER certificate bytes: %s", err.Error())
+	}
+
+	pemBytes := bytes.NewBuffer([]byte{})
+	err = pem.Encode(pemBytes, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
+	if err != nil {
+		return nil, nil, fmt.Errorf("error encoding certificate PEM: %s", err.Error())
+	}
+
+	return pemBytes.Bytes(), cert, err
+}
+
+// EncodeX509 will encode a single *x509.Certificate into PEM format.
+func EncodeX509(cert *x509.Certificate) ([]byte, error) {
+	caPem := bytes.NewBuffer([]byte{})
+	err := pem.Encode(caPem, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
+	if err != nil {
+		return nil, err
+	}
+
+	return caPem.Bytes(), nil
+}
+
+// signatureAlgorithmFromPublicKey takes a public key type and an argument specific to that public
+// key, and returns an appropriate signature algorithm for that key.
+// If alg is x509.RSA, arg must be an integer key size in bits
+// If alg is x509.ECDSA, arg must be an elliptic.Curve
+// If alg is x509.Ed25519, arg is ignored
+// All other algorithms and args cause an error
+// The signature algorithms returned by this function are to some degree a matter of preference. The
+// choices here are motivated by what is common and what is required by bodies such as the US DoD.
+func signatureAlgorithmFromPublicKey(alg x509.PublicKeyAlgorithm, arg any) (x509.SignatureAlgorithm, error) {
+	var signatureAlgorithm x509.SignatureAlgorithm
+
+	switch alg {
+	case x509.RSA:
+		size, ok := arg.(int)
+		if !ok {
+			return x509.UnknownSignatureAlgorithm, fmt.Errorf("expected to get an integer key size for RSA key but got %T", arg)
+		}
+
+		switch {
+		case size >= 4096:
+			signatureAlgorithm = x509.SHA512WithRSA
+
+		case size >= 3072:
+			signatureAlgorithm = x509.SHA384WithRSA
+
+		case size >= 2048:
+			signatureAlgorithm = x509.SHA256WithRSA
+
+		default:
+			return x509.UnknownSignatureAlgorithm, fmt.Errorf("invalid size %d for RSA key on signing certificate", size)
+		}
+
+	case x509.ECDSA:
+		curve, ok := arg.(elliptic.Curve)
+		if !ok {
+			return x509.UnknownSignatureAlgorithm, fmt.Errorf("expected to get an ECDSA curve for ECDSA key but got %T", arg)
+		}
+
+		switch curve {
+		case elliptic.P521():
+			signatureAlgorithm = x509.ECDSAWithSHA512
+
+		case elliptic.P384():
+			signatureAlgorithm = x509.ECDSAWithSHA384
+
+		case elliptic.P256():
+			signatureAlgorithm = x509.ECDSAWithSHA256
+
+		default:
+			return x509.UnknownSignatureAlgorithm, fmt.Errorf("unknown / unsupported curve attached to ECDSA signing certificate")
+		}
+
+	case x509.Ed25519:
+		signatureAlgorithm = x509.PureEd25519
+
+	default:
+		return x509.UnknownSignatureAlgorithm, fmt.Errorf("got unsupported public key type when trying to calculate signature algorithm")
+	}
+
+	return signatureAlgorithm, nil
+}

internal/pki/csr.go

@@ -0,0 +1,25 @@
+/*
+Copyright The cert-manager Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package errors
+
+import "fmt"
+
+type invalidDataError struct{ error }
+
+func NewInvalidData(str string, obj ...interface{}) error {
+	return &invalidDataError{error: fmt.Errorf(str, obj...)}
+}