diff --git a/go.mod b/go.mod index 7ee69163dcab..d506f4239032 100644 --- a/go.mod +++ b/go.mod @@ -34,7 +34,7 @@ require ( k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 knative.dev/caching v0.0.0-20240129153625-506882f82a5a knative.dev/hack v0.0.0-20240123160146-ab9b69024c39 - knative.dev/networking v0.0.0-20240129121848-a874708a2962 + knative.dev/networking v0.0.0-20240130141901-060ef7acae5d knative.dev/pkg v0.0.0-20240129160226-b6659cc45066 sigs.k8s.io/yaml v1.4.0 ) diff --git a/go.sum b/go.sum index 47527ed66c20..49729b8f15d5 100644 --- a/go.sum +++ b/go.sum @@ -941,8 +941,8 @@ knative.dev/caching v0.0.0-20240129153625-506882f82a5a h1:ctwsGrQyCrI7QcDVaJN4ix knative.dev/caching v0.0.0-20240129153625-506882f82a5a/go.mod h1:v3u49MzRucWIgAKkWl6wxXiedPaF+pFMHMvu/e+/1as= knative.dev/hack v0.0.0-20240123160146-ab9b69024c39 h1:Or4ri7cAUQNEWwMPaGGaIe1hsPHGdVtr8lIaHh2JF7s= knative.dev/hack v0.0.0-20240123160146-ab9b69024c39/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q= -knative.dev/networking v0.0.0-20240129121848-a874708a2962 h1:y6w5txU8C4KmplUizkS4uOsctaFqEij/MBNpzBfFhwc= -knative.dev/networking v0.0.0-20240129121848-a874708a2962/go.mod h1:YJFObd3oRdKVHLeOyHm/BCDKoY0dD9IUci77BYyxjwY= +knative.dev/networking v0.0.0-20240130141901-060ef7acae5d h1:DzWpqd8cGg72Fv0aklX5kqMe3xq8f9noBnIa7QtHLig= +knative.dev/networking v0.0.0-20240130141901-060ef7acae5d/go.mod h1:s0rxrxjcN3A/vxZTIf+NLS/qc6UPmdVtXHE6uiqKjmQ= knative.dev/pkg v0.0.0-20240129160226-b6659cc45066 h1:CZSdKszK3MTCuchbQK643y/nHLQs87ESuFQn011XsJ8= knative.dev/pkg v0.0.0-20240129160226-b6659cc45066/go.mod h1:cGCJe6wkr0vQMAXTaUHi0XA/12JbxSTK15TnyBmn7ms= pgregory.net/rapid v1.1.0 h1:CMa0sjHSru3puNx+J0MIAuiiEV4N0qj8/cMWGBBCsjw= diff --git a/vendor/knative.dev/networking/pkg/certificates/certs.go b/vendor/knative.dev/networking/pkg/certificates/certs.go deleted file mode 100644 index 16cca6047a9f..000000000000 --- a/vendor/knative.dev/networking/pkg/certificates/certs.go +++ /dev/null @@ -1,184 +0,0 @@ -/* -Copyright 2021 The Knative Authors - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package certificates - -import ( - "context" - "crypto/rand" - "crypto/rsa" - "crypto/x509" - "crypto/x509/pkix" - "encoding/pem" - "fmt" - "math/big" - "time" -) - -var randReader = rand.Reader -var serialNumberLimit = new(big.Int).Lsh(big.NewInt(1), 128) - -// Create template common to all certificates -func createCertTemplate(expirationInterval time.Duration, sans []string) (*x509.Certificate, error) { - serialNumber, err := rand.Int(randReader, serialNumberLimit) - if err != nil { - return nil, fmt.Errorf("failed to generate serial number: %w", err) - } - - tmpl := x509.Certificate{ - SerialNumber: serialNumber, - SignatureAlgorithm: x509.SHA256WithRSA, - NotBefore: time.Now(), - NotAfter: time.Now().Add(expirationInterval), - BasicConstraintsValid: true, - DNSNames: sans, - } - return &tmpl, nil -} - -// Create cert template suitable for CA and hence signing -func createCACertTemplate(expirationInterval time.Duration) (*x509.Certificate, error) { - rootCert, err := createCertTemplate(expirationInterval, []string{}) - if err != nil { - return nil, err - } - // Make it into a CA cert and change it so we can use it to sign certs - rootCert.IsCA = true - rootCert.KeyUsage = x509.KeyUsageCertSign - rootCert.Subject = pkix.Name{ - Organization: []string{Organization}, - } - return rootCert, nil -} - -// Create cert template that we can use on the client/server for TLS -func createTransportCertTemplate(expirationInterval time.Duration, sans []string) (*x509.Certificate, error) { - cert, err := createCertTemplate(expirationInterval, sans) - if err != nil { - return nil, err - } - cert.KeyUsage = x509.KeyUsageDigitalSignature - cert.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth} - cert.Subject = pkix.Name{ - Organization: []string{Organization}, - CommonName: "control-protocol-certificate", - } - return cert, err -} - -func createCert(template, parent *x509.Certificate, pub, parentPriv interface{}) (certPEM *pem.Block, err error) { - certDER, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentPriv) - if err != nil { - return - } - _, err = x509.ParseCertificate(certDER) - if err != nil { - return - } - certPEM = &pem.Block{Type: "CERTIFICATE", Bytes: certDER} - return -} - -// CreateCACerts generates the root CA cert -func CreateCACerts(expirationInterval time.Duration) (*KeyPair, error) { - caKeyPair, err := rsa.GenerateKey(rand.Reader, 2048) - if err != nil { - return nil, fmt.Errorf("error generating random key: %w", err) - } - - rootCertTmpl, err := createCACertTemplate(expirationInterval) - if err != nil { - return nil, fmt.Errorf("error generating CA cert: %w", err) - } - - caCertPem, err := createCert(rootCertTmpl, rootCertTmpl, &caKeyPair.PublicKey, caKeyPair) - if err != nil { - return nil, fmt.Errorf("error signing the CA cert: %w", err) - } - caPrivateKeyPem := &pem.Block{ - Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(caKeyPair), - } - return NewKeyPair(caPrivateKeyPem, caCertPem), nil -} - -// Deprecated: CreateControlPlaneCert generates the certificate for the client -func CreateControlPlaneCert(_ context.Context, caKey *rsa.PrivateKey, caCertificate *x509.Certificate, expirationInterval time.Duration) (*KeyPair, error) { - return CreateCert(caKey, caCertificate, expirationInterval, LegacyFakeDnsName) -} - -// Deprecated: CreateDataPlaneCert generates the certificate for the server -func CreateDataPlaneCert(_ context.Context, caKey *rsa.PrivateKey, caCertificate *x509.Certificate, expirationInterval time.Duration) (*KeyPair, error) { - return CreateCert(caKey, caCertificate, expirationInterval, LegacyFakeDnsName) -} - -// CreateCert generates the certificate for use by client and server -func CreateCert(caKey *rsa.PrivateKey, caCertificate *x509.Certificate, expirationInterval time.Duration, sans ...string) (*KeyPair, error) { - - // Then create the private key for the serving cert - keyPair, err := rsa.GenerateKey(rand.Reader, 2048) - if err != nil { - return nil, fmt.Errorf("error generating random key: %w", err) - } - - certTemplate, err := createTransportCertTemplate(expirationInterval, sans) - if err != nil { - return nil, fmt.Errorf("failed to create the certificate template: %w", err) - } - - // create a certificate which wraps the public key, sign it with the CA private key - certPEM, err := createCert(certTemplate, caCertificate, &keyPair.PublicKey, caKey) - if err != nil { - return nil, fmt.Errorf("error signing certificate template: %w", err) - } - - privateKeyPEM := &pem.Block{ - Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(keyPair), - } - return NewKeyPair(privateKeyPEM, certPEM), nil -} - -// ParseCert parses a certificate/private key pair from serialized pem blocks -func ParseCert(certPemBytes []byte, privateKeyPemBytes []byte) (*x509.Certificate, *rsa.PrivateKey, error) { - certBlock, _ := pem.Decode(certPemBytes) - if certBlock == nil { - return nil, nil, fmt.Errorf("decoding the cert block returned nil") - } - if certBlock.Type != "CERTIFICATE" { - return nil, nil, fmt.Errorf("bad pem block, expecting type 'CERTIFICATE', found %q", certBlock.Type) - } - cert, err := x509.ParseCertificate(certBlock.Bytes) - if err != nil { - return nil, nil, err - } - - pkBlock, _ := pem.Decode(privateKeyPemBytes) - if pkBlock == nil { - return nil, nil, fmt.Errorf("decoding the pk block returned nil") - } - if pkBlock.Type != "RSA PRIVATE KEY" { - return nil, nil, fmt.Errorf("bad pem block, expecting type 'RSA PRIVATE KEY', found %q", pkBlock.Type) - } - pk, err := x509.ParsePKCS1PrivateKey(pkBlock.Bytes) - return cert, pk, err -} - -// CheckExpiry checks the expiration of the certificate -func CheckExpiry(cert *x509.Certificate, rotationThreshold time.Duration) error { - if time.Now().Add(rotationThreshold).After(cert.NotAfter) { - return fmt.Errorf("certificate is going to expire %v", cert.NotAfter) - } - return nil -} diff --git a/vendor/knative.dev/networking/pkg/certificates/constants.go b/vendor/knative.dev/networking/pkg/certificates/constants.go index 195e269c12c6..53f9c048dd24 100644 --- a/vendor/knative.dev/networking/pkg/certificates/constants.go +++ b/vendor/knative.dev/networking/pkg/certificates/constants.go @@ -38,17 +38,6 @@ const ( CaCertName = "ca.crt" CertName = "tls.crt" PrivateKeyName = "tls.key" - - // These should be able to be deprecated some time in the future when the new names are fully adopted - // #nosec - // Deprecated: please use CaCertName instead. - SecretCaCertKey = "ca-cert.pem" - // #nosec - // Deprecated: please use CertName instead. - SecretCertKey = "public-cert.pem" - // #nosec - // Deprecated: please use PrivateKeyName instead. - SecretPKKey = "private-key.pem" ) // DataPlaneUserSAN constructs a SAN for a data-plane-user certificate in the diff --git a/vendor/knative.dev/networking/pkg/certificates/key_pair.go b/vendor/knative.dev/networking/pkg/certificates/key_pair.go deleted file mode 100644 index 67abc42dd42a..000000000000 --- a/vendor/knative.dev/networking/pkg/certificates/key_pair.go +++ /dev/null @@ -1,60 +0,0 @@ -/* -Copyright 2021 The Knative Authors - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package certificates - -import ( - "crypto/rsa" - "crypto/x509" - "encoding/pem" -) - -type KeyPair struct { - privateKeyBlock *pem.Block - privateKeyPemBytes []byte - - certBlock *pem.Block - certPemBytes []byte -} - -func NewKeyPair(privateKey *pem.Block, cert *pem.Block) *KeyPair { - return &KeyPair{ - privateKeyBlock: privateKey, - privateKeyPemBytes: pem.EncodeToMemory(privateKey), - certBlock: cert, - certPemBytes: pem.EncodeToMemory(cert), - } -} - -func (kh *KeyPair) PrivateKey() *pem.Block { - return kh.privateKeyBlock -} - -func (kh *KeyPair) PrivateKeyBytes() []byte { - return kh.privateKeyPemBytes -} - -func (kh *KeyPair) Cert() *pem.Block { - return kh.certBlock -} - -func (kh *KeyPair) CertBytes() []byte { - return kh.certPemBytes -} - -func (kh *KeyPair) Parse() (*x509.Certificate, *rsa.PrivateKey, error) { - return ParseCert(kh.certPemBytes, kh.privateKeyPemBytes) -} diff --git a/vendor/modules.txt b/vendor/modules.txt index 2ae9b80c44bd..c3defd9b8509 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1334,7 +1334,7 @@ knative.dev/caching/pkg/client/listers/caching/v1alpha1 # knative.dev/hack v0.0.0-20240123160146-ab9b69024c39 ## explicit; go 1.18 knative.dev/hack -# knative.dev/networking v0.0.0-20240129121848-a874708a2962 +# knative.dev/networking v0.0.0-20240130141901-060ef7acae5d ## explicit; go 1.18 knative.dev/networking/config knative.dev/networking/pkg