// Copyright 2020 The Prometheus-operator Authors // Copyright 2022 The Prometheus Authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. //go:build ignore // +build ignore // Program generating TLS certificates and keys for the tests. package main import ( "bytes" "crypto/rand" "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/pem" "fmt" "io" "log" "math/big" "net" "os" "time" ) const ( validityPeriod = 50 * 365 * 24 * time.Hour ) func EncodeCertificate(w io.Writer, cert *x509.Certificate) error { return pem.Encode(w, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}) } func EncodeKey(w io.Writer, priv *rsa.PrivateKey) error { b, err := x509.MarshalPKCS8PrivateKey(priv) if err != nil { return fmt.Errorf("failed to marshal private key: %v", err) } return pem.Encode(w, &pem.Block{Type: "PRIVATE KEY", Bytes: b}) } var serialNumber *big.Int func init() { serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) var err error serialNumber, err = rand.Int(rand.Reader, serialNumberLimit) if err != nil { panic(fmt.Errorf("failed to generate serial number: %v", err)) } } func SerialNumber() *big.Int { var serial big.Int serial.Set(serialNumber) serialNumber.Add(&serial, big.NewInt(1)) return &serial } func GenerateCertificateAuthority(commonName string, parentCert *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) { now := time.Now() caKey, err := rsa.GenerateKey(rand.Reader, 4096) if err != nil { return nil, nil, fmt.Errorf("failed to generate CA private key: %v", err) } caCert := &x509.Certificate{ SerialNumber: SerialNumber(), Subject: pkix.Name{ Country: []string{"US"}, Organization: []string{"Prometheus"}, OrganizationalUnit: []string{"Prometheus Certificate Authority"}, CommonName: commonName, }, NotBefore: now, NotAfter: now.Add(validityPeriod), KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign, IsCA: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, BasicConstraintsValid: true, } if parentCert == nil && parentKey == nil { parentCert = caCert parentKey = caKey } b, err := x509.CreateCertificate(rand.Reader, caCert, parentCert, &caKey.PublicKey, parentKey) if err != nil { return nil, nil, fmt.Errorf("failed to create CA certificate: %v", err) } caCert, err = x509.ParseCertificate(b) if err != nil { return nil, nil, fmt.Errorf("failed to decode CA certificate: %v", err) } return caCert, caKey, nil } func GenerateCertificate(caCert *x509.Certificate, caKey *rsa.PrivateKey, server bool, name string, ipAddresses ...net.IP) (*x509.Certificate, *rsa.PrivateKey, error) { now := time.Now() key, err := rsa.GenerateKey(rand.Reader, 4096) if err != nil { return nil, nil, fmt.Errorf("failed to generate private key: %v", err) } cert := &x509.Certificate{ SerialNumber: SerialNumber(), Subject: pkix.Name{ Country: []string{"US"}, Organization: []string{"Prometheus"}, CommonName: name, }, NotBefore: now, NotAfter: now.Add(validityPeriod), KeyUsage: x509.KeyUsageKeyEncipherment, BasicConstraintsValid: true, } if server { cert.DNSNames = []string{name} cert.IPAddresses = ipAddresses cert.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth} } else { cert.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} } if caCert == nil && caKey == nil { caCert = cert caKey = key } b, err := x509.CreateCertificate(rand.Reader, cert, caCert, &key.PublicKey, caKey) if err != nil { return nil, nil, fmt.Errorf("failed to create certificate: %v", err) } cert, err = x509.ParseCertificate(b) if err != nil { return nil, nil, fmt.Errorf("failed to decode certificate: %v", err) } return cert, key, nil } func writeCertificateAndKey(path string, cert *x509.Certificate, key *rsa.PrivateKey) error { var b bytes.Buffer if err := EncodeCertificate(&b, cert); err != nil { return err } if err := os.WriteFile(fmt.Sprintf("%s.crt", path), b.Bytes(), 0o644); err != nil { return err } b.Reset() if err := EncodeKey(&b, key); err != nil { return err } if err := os.WriteFile(fmt.Sprintf("%s.key", path), b.Bytes(), 0o644); err != nil { return err } return nil } func main() { log.Println("Generating root CA") rootCert, rootKey, err := GenerateCertificateAuthority("Prometheus Root CA", nil, nil) if err != nil { log.Fatal(err) } log.Println("Generating CA") caCert, caKey, err := GenerateCertificateAuthority("Prometheus TLS CA", rootCert, rootKey) if err != nil { log.Fatal(err) } log.Println("Generating server certificate") cert, key, err := GenerateCertificate(caCert, caKey, true, "localhost", net.IPv4(127, 0, 0, 1), net.IPv4(127, 0, 0, 0)) if err != nil { log.Fatal(err) } if err := writeCertificateAndKey("testdata/server", cert, key); err != nil { log.Fatal(err) } log.Println("Generating client certificate") cert, key, err = GenerateCertificate(caCert, caKey, false, "localhost") if err != nil { log.Fatal(err) } if err := writeCertificateAndKey("testdata/client", cert, key); err != nil { log.Fatal(err) } log.Println("Generating self-signed client certificate") cert, key, err = GenerateCertificate(nil, nil, false, "localhost") if err != nil { log.Fatal(err) } if err := writeCertificateAndKey("testdata/self-signed-client", cert, key); err != nil { log.Fatal(err) } log.Println("Generating CA bundle") var b bytes.Buffer if err := EncodeCertificate(&b, caCert); err != nil { log.Fatal(err) } if err := EncodeCertificate(&b, rootCert); err != nil { log.Fatal(err) } if err := os.WriteFile("testdata/tls-ca-chain.pem", b.Bytes(), 0o644); err != nil { log.Fatal(err) } }