From 3bb58fba8b4b71ec505c3d0972110af4e96f4651 Mon Sep 17 00:00:00 2001
From: "ian.buse"
Date: Tue, 7 May 2024 17:34:35 -0700
Subject: [PATCH] chore(cli): Replace BouncyCastle with built-in libs
---
 .../Certificates/CertificateGenerator.cs | 129 ------------------
 src/KubeOps.Cli/Certificates/Extensions.cs | 22 ---
 .../Generators/CertificateGenerator.cs | 18 +--
 src/KubeOps.Cli/KubeOps.Cli.csproj | 5 +-
 4 files changed, 8 insertions(+), 166 deletions(-)
 delete mode 100644 src/KubeOps.Cli/Certificates/CertificateGenerator.cs
 delete mode 100644 src/KubeOps.Cli/Certificates/Extensions.cs
diff --git a/src/KubeOps.Cli/Certificates/CertificateGenerator.cs b/src/KubeOps.Cli/Certificates/CertificateGenerator.cs
deleted file mode 100644
index 5d4d04c7..00000000
--- a/src/KubeOps.Cli/Certificates/CertificateGenerator.cs
+++ /dev/null
@@ -1,129 +0,0 @@
-using Org.BouncyCastle.Asn1.X509;
-using Org.BouncyCastle.Crypto;
-using Org.BouncyCastle.Crypto.Generators;
-using Org.BouncyCastle.Crypto.Operators;
-using Org.BouncyCastle.Crypto.Prng;
-using Org.BouncyCastle.Math;
-using Org.BouncyCastle.Security;
-using Org.BouncyCastle.Utilities;
-using Org.BouncyCastle.X509;
-using Org.BouncyCastle.X509.Extension;
-
-namespace KubeOps.Cli.Certificates;
-
-internal static class CertificateGenerator
-{
- public static (X509Certificate Certificate, AsymmetricCipherKeyPair Key) CreateCaCertificate()
- {
- var randomGenerator = new CryptoApiRandomGenerator();
- var random = new SecureRandom(randomGenerator);
-
- // The Certificate Generator
- var certificateGenerator = new X509V3CertificateGenerator();
-
- // Serial Number
- var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), random);
- certificateGenerator.SetSerialNumber(serialNumber);
-
- // Issuer and Subject Name
- var name = new X509Name("CN=Operator Root CA, C=DEV, L=Kubernetes");
- certificateGenerator.SetIssuerDN(name);
- certificateGenerator.SetSubjectDN(name);
-
- // Valid For
- var notBefore = DateTime.UtcNow.Date;
- var notAfter = notBefore.AddYears(5);
- certificateGenerator.SetNotBefore(notBefore);
- certificateGenerator.SetNotAfter(notAfter);
-
- // Cert Extensions
- certificateGenerator.AddExtension(
- X509Extensions.BasicConstraints,
- true,
- new BasicConstraints(true));
- certificateGenerator.AddExtension(
- X509Extensions.KeyUsage,
- true,
- new KeyUsage(KeyUsage.KeyCertSign | KeyUsage.CrlSign | KeyUsage.KeyEncipherment));
-
- // Subject Public Key
- const int keyStrength = 256;
- var keyGenerator = new ECKeyPairGenerator("ECDSA");
- keyGenerator.Init(new KeyGenerationParameters(random, keyStrength));
- var key = keyGenerator.GenerateKeyPair();
-
- certificateGenerator.SetPublicKey(key.Public);
-
- var signatureFactory = new Asn1SignatureFactory("SHA512WITHECDSA", key.Private, random);
- var 
certificate = certificateGenerator.Generate(signatureFactory);
-
- return (certificate, key);
- }
-
- public static (X509Certificate Certificate, AsymmetricCipherKeyPair Key) CreateServerCertificate(
- (X509Certificate Certificate, AsymmetricCipherKeyPair Key) ca, string serverName, string serverNamespace)
- {
- var randomGenerator = new CryptoApiRandomGenerator();
- var random = new SecureRandom(randomGenerator);
-
- // The Certificate Generator
- var certificateGenerator = new X509V3CertificateGenerator();
-
- // Serial Number
- var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(long.MaxValue), random);
- certificateGenerator.SetSerialNumber(serialNumber);
-
- // Issuer and Subject Name
- certificateGenerator.SetIssuerDN(ca.Certificate.SubjectDN);
- certificateGenerator.SetSubjectDN(new X509Name("CN=Operator Service, C=DEV, L=Kubernetes"));
-
- // Valid For
- var notBefore = DateTime.UtcNow.Date;
- var notAfter = notBefore.AddYears(5);
- certificateGenerator.SetNotBefore(notBefore);
- certificateGenerator.SetNotAfter(notAfter);
-
- // Cert Extensions
- certificateGenerator.AddExtension(
- X509Extensions.BasicConstraints,
- false,
- new BasicConstraints(false));
- certificateGenerator.AddExtension(
- X509Extensions.KeyUsage,
- true,
- new KeyUsage(KeyUsage.NonRepudiation | KeyUsage.KeyEncipherment | KeyUsage.DigitalSignature));
- certificateGenerator.AddExtension(
- X509Extensions.ExtendedKeyUsage,
- false,
- new ExtendedKeyUsage(KeyPurposeID.id_kp_clientAuth, KeyPurposeID.id_kp_serverAuth));
- certificateGenerator.AddExtension(
- X509Extensions.SubjectKeyIdentifier,
- false,
- new SubjectKeyIdentifierStructure(ca.Key.Public));
- certificateGenerator.AddExtension(
- X509Extensions.AuthorityKeyIdentifier,
- false,
- new AuthorityKeyIdentifierStructure(ca.Certificate));
- certificateGenerator.AddExtension(
- X509Extensions.SubjectAlternativeName,
- false,
- new GeneralNames([
- new GeneralName(GeneralName.DnsName, 
$"{serverName}.{serverNamespace}.svc"),
- new GeneralName(GeneralName.DnsName, $"*.{serverNamespace}.svc"),
- new GeneralName(GeneralName.DnsName, "*.svc"),
- ]));
-
- // Subject Public Key
- const int keyStrength = 256;
- var keyGenerator = new ECKeyPairGenerator("ECDSA");
- keyGenerator.Init(new KeyGenerationParameters(random, keyStrength));
- var key = keyGenerator.GenerateKeyPair();
-
- certificateGenerator.SetPublicKey(key.Public);
-
- var signatureFactory = new Asn1SignatureFactory("SHA512WITHECDSA", ca.Key.Private, random);
- var certificate = certificateGenerator.Generate(signatureFactory);
-
- return (certificate, key);
- }
-}
diff --git a/src/KubeOps.Cli/Certificates/Extensions.cs b/src/KubeOps.Cli/Certificates/Extensions.cs
deleted file mode 100644
index dfe53b83..00000000
--- a/src/KubeOps.Cli/Certificates/Extensions.cs
+++ /dev/null
@@ -1,22 +0,0 @@
-using System.Text;
-
-using Org.BouncyCastle.Crypto;
-using Org.BouncyCastle.OpenSsl;
-using Org.BouncyCastle.X509;
-
-namespace KubeOps.Cli.Certificates;
-
-internal static class Extensions
-{
- public static string ToPem(this X509Certificate cert) => ObjToPem(cert);
-
- public static string ToPem(this AsymmetricCipherKeyPair key) => ObjToPem(key);
-
- private static string ObjToPem(object obj)
- {
- var sb = new StringBuilder();
- using var writer = new PemWriter(new StringWriter(sb));
- writer.WriteObject(obj);
- return sb.ToString();
- }
-}
diff --git a/src/KubeOps.Cli/Generators/CertificateGenerator.cs b/src/KubeOps.Cli/Generators/CertificateGenerator.cs
index 101a5c0e..3eb720e1 100644
--- a/src/KubeOps.Cli/Generators/CertificateGenerator.cs
+++ b/src/KubeOps.Cli/Generators/CertificateGenerator.cs
@@ -1,5 +1,5 @@
-using KubeOps.Cli.Certificates;
 using KubeOps.Cli.Output;
+using KubeOps.Operator.Web.Certificates;
 namespace KubeOps.Cli.Generators;
@@ -7,17 +7,11 @@ internal class CertificateGenerator(string serverName, string namespaceName) : I
 {
 public void Generate(ResultOutput output)
 {
- var (caCert, caKey) = Certificates.CertificateGenerator.CreateCaCertificate();
+ using Operator.Web.CertificateGenerator generator = new(serverName, namespaceName);
- output.Add("ca.pem", caCert.ToPem(), OutputFormat.Plain);
- output.Add("ca-key.pem", caKey.ToPem(), OutputFormat.Plain);
-
- var (srvCert, srvKey) = Certificates.CertificateGenerator.CreateServerCertificate(
- (caCert, caKey),
- serverName,
- namespaceName);
-
- output.Add("svc.pem", srvCert.ToPem(), OutputFormat.Plain);
- output.Add("svc-key.pem", srvKey.ToPem(), OutputFormat.Plain);
+ output.Add("ca.pem", generator.Root.Certificate.EncodeToPem(), OutputFormat.Plain);
+ output.Add("ca-key.pem", generator.Root.Key.EncodeToPem(), OutputFormat.Plain);
+ output.Add("svc.pem", generator.Server.Certificate.EncodeToPem(), OutputFormat.Plain);
+ output.Add("svc-key.pem", generator.Server.Key.EncodeToPem(), OutputFormat.Plain);
 }
 }
diff --git a/src/KubeOps.Cli/KubeOps.Cli.csproj b/src/KubeOps.Cli/KubeOps.Cli.csproj
index 9be286d5..6f731eae 100644
--- a/src/KubeOps.Cli/KubeOps.Cli.csproj
+++ b/src/KubeOps.Cli/KubeOps.Cli.csproj
@@ -1,4 +1,4 @@ - + Exe
@@ -18,7 +18,6 @@ -
@@ -34,7 +33,7 @@ - +
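Review bot: The rewritten body of Generate delegates all certificate construction to Operator.Web.CertificateGenerator, whose implementation is not in this patch, while the removed code pinned the server certificate's SANs (`{serverName}.{serverNamespace}.svc`, `*.{serverNamespace}.svc`, `*.svc`), the 5-year validity, the P-256/SHA512withECDSA key and signature, and the key-usage/EKU set; nothing in the hunk or the commit message records whether the replacement preserves those, so the emitted `svc.pem` may silently differ from what consumers of this CLI output validated against before. I would put a comment on the `using Operator.Web.CertificateGenerator generator = new(serverName, namespaceName);` line naming the SAN and validity contract this command relies on, and add a test that parses the emitted `svc.pem` with X509Certificate2, asserts the expected SAN entries, and verifies it chains to `ca.pem`. The `ca-key.pem` and `svc-key.pem` entries are private keys and `EncodeToPem()` is called here without any passphrase, so they are presumably written unencrypted; a `/// <summary>` on Generate stating that the output contains plaintext private-key material would let callers handle the result accordingly. The class declaration precedes the hunk and is visible only in the hunk header context.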