VOL-1967 move api-server to separate repository
Current with voltha-go acf0adaf2d91ae72b55192cc8a939e0485918d16
Change-Id: I000ea6be0789e20c922bd671562b58a7120892ae
diff --git a/vendor/k8s.io/client-go/util/cert/OWNERS b/vendor/k8s.io/client-go/util/cert/OWNERS
new file mode 100644
index 0000000..470b7a1
--- /dev/null
+++ b/vendor/k8s.io/client-go/util/cert/OWNERS
@@ -0,0 +1,7 @@
+approvers:
+- sig-auth-certificates-approvers
+reviewers:
+- sig-auth-certificates-reviewers
+labels:
+- sig/auth
+
diff --git a/vendor/k8s.io/client-go/util/cert/cert.go b/vendor/k8s.io/client-go/util/cert/cert.go
new file mode 100644
index 0000000..3429c82
--- /dev/null
+++ b/vendor/k8s.io/client-go/util/cert/cert.go
@@ -0,0 +1,269 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cert
+
+import (
+ "bytes"
+ "crypto"
+ "crypto/ecdsa"
+ "crypto/elliptic"
+ "crypto/rand"
+ cryptorand "crypto/rand"
+ "crypto/rsa"
+ "crypto/x509"
+ "crypto/x509/pkix"
+ "encoding/pem"
+ "errors"
+ "fmt"
+ "io/ioutil"
+ "math"
+ "math/big"
+ "net"
+ "path"
+ "strings"
+ "time"
+)
+
+const (
+ rsaKeySize = 2048
+ duration365d = time.Hour * 24 * 365
+)
+
+// Config contains the basic fields required for creating a certificate
+type Config struct {
+ CommonName string
+ Organization []string
+ AltNames AltNames
+ Usages []x509.ExtKeyUsage
+}
+
+// AltNames contains the domain names and IP addresses that will be added
+// to the API Server's x509 certificate SubAltNames field. The values will
+// be passed directly to the x509.Certificate object.
+type AltNames struct {
+ DNSNames []string
+ IPs []net.IP
+}
+
+// NewPrivateKey creates an RSA private key
+func NewPrivateKey() (*rsa.PrivateKey, error) {
+ return rsa.GenerateKey(cryptorand.Reader, rsaKeySize)
+}
+
+// NewSelfSignedCACert creates a CA certificate
+func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
+ now := time.Now()
+ tmpl := x509.Certificate{
+ SerialNumber: new(big.Int).SetInt64(0),
+ Subject: pkix.Name{
+ CommonName: cfg.CommonName,
+ Organization: cfg.Organization,
+ },
+ NotBefore: now.UTC(),
+ NotAfter: now.Add(duration365d * 10).UTC(),
+ KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+ BasicConstraintsValid: true,
+ IsCA: true,
+ }
+
+ certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
+ if err != nil {
+ return nil, err
+ }
+ return x509.ParseCertificate(certDERBytes)
+}
+
+// NewSignedCert creates a signed certificate using the given CA certificate and key
+func NewSignedCert(cfg Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
+ serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
+ if err != nil {
+ return nil, err
+ }
+ if len(cfg.CommonName) == 0 {
+ return nil, errors.New("must specify a CommonName")
+ }
+ if len(cfg.Usages) == 0 {
+ return nil, errors.New("must specify at least one ExtKeyUsage")
+ }
+
+ certTmpl := x509.Certificate{
+ Subject: pkix.Name{
+ CommonName: cfg.CommonName,
+ Organization: cfg.Organization,
+ },
+ DNSNames: cfg.AltNames.DNSNames,
+ IPAddresses: cfg.AltNames.IPs,
+ SerialNumber: serial,
+ NotBefore: caCert.NotBefore,
+ NotAfter: time.Now().Add(duration365d).UTC(),
+ KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+ ExtKeyUsage: cfg.Usages,
+ }
+ certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
+ if err != nil {
+ return nil, err
+ }
+ return x509.ParseCertificate(certDERBytes)
+}
+
+// MakeEllipticPrivateKeyPEM creates an ECDSA private key
+func MakeEllipticPrivateKeyPEM() ([]byte, error) {
+ privateKey, err := ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader)
+ if err != nil {
+ return nil, err
+ }
+
+ derBytes, err := x509.MarshalECPrivateKey(privateKey)
+ if err != nil {
+ return nil, err
+ }
+
+ privateKeyPemBlock := &pem.Block{
+ Type: ECPrivateKeyBlockType,
+ Bytes: derBytes,
+ }
+ return pem.EncodeToMemory(privateKeyPemBlock), nil
+}
+
+// GenerateSelfSignedCertKey creates a self-signed certificate and key for the given host.
+// Host may be an IP or a DNS name
+// You may also specify additional subject alt names (either ip or dns names) for the certificate.
+func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS []string) ([]byte, []byte, error) {
+ return GenerateSelfSignedCertKeyWithFixtures(host, alternateIPs, alternateDNS, "")
+}
+
+// GenerateSelfSignedCertKeyWithFixtures creates a self-signed certificate and key for the given host.
+// Host may be an IP or a DNS name. You may also specify additional subject alt names (either ip or dns names)
+// for the certificate.
+//
+// If fixtureDirectory is non-empty, it is a directory path which can contain pre-generated certs. The format is:
+// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.crt
+// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.key
+// Certs/keys not existing in that directory are created.
+func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, alternateDNS []string, fixtureDirectory string) ([]byte, []byte, error) {
+ validFrom := time.Now().Add(-time.Hour) // valid an hour earlier to avoid flakes due to clock skew
+ maxAge := time.Hour * 24 * 365 // one year self-signed certs
+
+ baseName := fmt.Sprintf("%s_%s_%s", host, strings.Join(ipsToStrings(alternateIPs), "-"), strings.Join(alternateDNS, "-"))
+ certFixturePath := path.Join(fixtureDirectory, baseName+".crt")
+ keyFixturePath := path.Join(fixtureDirectory, baseName+".key")
+ if len(fixtureDirectory) > 0 {
+ cert, err := ioutil.ReadFile(certFixturePath)
+ if err == nil {
+ key, err := ioutil.ReadFile(keyFixturePath)
+ if err == nil {
+ return cert, key, nil
+ }
+ return nil, nil, fmt.Errorf("cert %s can be read, but key %s cannot: %v", certFixturePath, keyFixturePath, err)
+ }
+ maxAge = 100 * time.Hour * 24 * 365 // 100 years fixtures
+ }
+
+ caKey, err := rsa.GenerateKey(cryptorand.Reader, 2048)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ caTemplate := x509.Certificate{
+ SerialNumber: big.NewInt(1),
+ Subject: pkix.Name{
+ CommonName: fmt.Sprintf("%s-ca@%d", host, time.Now().Unix()),
+ },
+ NotBefore: validFrom,
+ NotAfter: validFrom.Add(maxAge),
+
+ KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+ BasicConstraintsValid: true,
+ IsCA: true,
+ }
+
+ caDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &caTemplate, &caTemplate, &caKey.PublicKey, caKey)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ caCertificate, err := x509.ParseCertificate(caDERBytes)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ priv, err := rsa.GenerateKey(cryptorand.Reader, 2048)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ template := x509.Certificate{
+ SerialNumber: big.NewInt(2),
+ Subject: pkix.Name{
+ CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()),
+ },
+ NotBefore: validFrom,
+ NotAfter: validFrom.Add(maxAge),
+
+ KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+ ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+ BasicConstraintsValid: true,
+ }
+
+ if ip := net.ParseIP(host); ip != nil {
+ template.IPAddresses = append(template.IPAddresses, ip)
+ } else {
+ template.DNSNames = append(template.DNSNames, host)
+ }
+
+ template.IPAddresses = append(template.IPAddresses, alternateIPs...)
+ template.DNSNames = append(template.DNSNames, alternateDNS...)
+
+ derBytes, err := x509.CreateCertificate(cryptorand.Reader, &template, caCertificate, &priv.PublicKey, caKey)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ // Generate cert, followed by ca
+ certBuffer := bytes.Buffer{}
+ if err := pem.Encode(&certBuffer, &pem.Block{Type: CertificateBlockType, Bytes: derBytes}); err != nil {
+ return nil, nil, err
+ }
+ if err := pem.Encode(&certBuffer, &pem.Block{Type: CertificateBlockType, Bytes: caDERBytes}); err != nil {
+ return nil, nil, err
+ }
+
+ // Generate key
+ keyBuffer := bytes.Buffer{}
+ if err := pem.Encode(&keyBuffer, &pem.Block{Type: RSAPrivateKeyBlockType, Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil {
+ return nil, nil, err
+ }
+
+ if len(fixtureDirectory) > 0 {
+ if err := ioutil.WriteFile(certFixturePath, certBuffer.Bytes(), 0644); err != nil {
+ return nil, nil, fmt.Errorf("failed to write cert fixture to %s: %v", certFixturePath, err)
+ }
+ if err := ioutil.WriteFile(keyFixturePath, keyBuffer.Bytes(), 0644); err != nil {
+ return nil, nil, fmt.Errorf("failed to write key fixture to %s: %v", certFixturePath, err)
+ }
+ }
+
+ return certBuffer.Bytes(), keyBuffer.Bytes(), nil
+}
+
+func ipsToStrings(ips []net.IP) []string {
+ ss := make([]string, 0, len(ips))
+ for _, ip := range ips {
+ ss = append(ss, ip.String())
+ }
+ return ss
+}
diff --git a/vendor/k8s.io/client-go/util/cert/csr.go b/vendor/k8s.io/client-go/util/cert/csr.go
new file mode 100644
index 0000000..39a6751
--- /dev/null
+++ b/vendor/k8s.io/client-go/util/cert/csr.go
@@ -0,0 +1,75 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cert
+
+import (
+ cryptorand "crypto/rand"
+ "crypto/rsa"
+ "crypto/x509"
+ "crypto/x509/pkix"
+ "encoding/pem"
+ "net"
+)
+
+// MakeCSR generates a PEM-encoded CSR using the supplied private key, subject, and SANs.
+// All key types that are implemented via crypto.Signer are supported (This includes *rsa.PrivateKey and *ecdsa.PrivateKey.)
+func MakeCSR(privateKey interface{}, subject *pkix.Name, dnsSANs []string, ipSANs []net.IP) (csr []byte, err error) {
+ template := &x509.CertificateRequest{
+ Subject: *subject,
+ DNSNames: dnsSANs,
+ IPAddresses: ipSANs,
+ }
+
+ return MakeCSRFromTemplate(privateKey, template)
+}
+
+// MakeCSRFromTemplate generates a PEM-encoded CSR using the supplied private
+// key and certificate request as a template. All key types that are
+// implemented via crypto.Signer are supported (This includes *rsa.PrivateKey
+// and *ecdsa.PrivateKey.)
+func MakeCSRFromTemplate(privateKey interface{}, template *x509.CertificateRequest) ([]byte, error) {
+ t := *template
+ t.SignatureAlgorithm = sigType(privateKey)
+
+ csrDER, err := x509.CreateCertificateRequest(cryptorand.Reader, &t, privateKey)
+ if err != nil {
+ return nil, err
+ }
+
+ csrPemBlock := &pem.Block{
+ Type: CertificateRequestBlockType,
+ Bytes: csrDER,
+ }
+
+ return pem.EncodeToMemory(csrPemBlock), nil
+}
+
+func sigType(privateKey interface{}) x509.SignatureAlgorithm {
+ // Customize the signature for RSA keys, depending on the key size
+ if privateKey, ok := privateKey.(*rsa.PrivateKey); ok {
+ keySize := privateKey.N.BitLen()
+ switch {
+ case keySize >= 4096:
+ return x509.SHA512WithRSA
+ case keySize >= 3072:
+ return x509.SHA384WithRSA
+ default:
+ return x509.SHA256WithRSA
+ }
+ }
+ return x509.UnknownSignatureAlgorithm
+}
diff --git a/vendor/k8s.io/client-go/util/cert/io.go b/vendor/k8s.io/client-go/util/cert/io.go
new file mode 100644
index 0000000..a57bf09
--- /dev/null
+++ b/vendor/k8s.io/client-go/util/cert/io.go
@@ -0,0 +1,193 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cert
+
+import (
+ "crypto"
+ "crypto/ecdsa"
+ "crypto/rsa"
+ "crypto/x509"
+ "encoding/pem"
+ "fmt"
+ "io/ioutil"
+ "os"
+ "path/filepath"
+)
+
+// CanReadCertAndKey returns true if the certificate and key files already exists,
+// otherwise returns false. If lost one of cert and key, returns error.
+func CanReadCertAndKey(certPath, keyPath string) (bool, error) {
+ certReadable := canReadFile(certPath)
+ keyReadable := canReadFile(keyPath)
+
+ if certReadable == false && keyReadable == false {
+ return false, nil
+ }
+
+ if certReadable == false {
+ return false, fmt.Errorf("error reading %s, certificate and key must be supplied as a pair", certPath)
+ }
+
+ if keyReadable == false {
+ return false, fmt.Errorf("error reading %s, certificate and key must be supplied as a pair", keyPath)
+ }
+
+ return true, nil
+}
+
+// If the file represented by path exists and
+// readable, returns true otherwise returns false.
+func canReadFile(path string) bool {
+ f, err := os.Open(path)
+ if err != nil {
+ return false
+ }
+
+ defer f.Close()
+
+ return true
+}
+
+// WriteCert writes the pem-encoded certificate data to certPath.
+// The certificate file will be created with file mode 0644.
+// If the certificate file already exists, it will be overwritten.
+// The parent directory of the certPath will be created as needed with file mode 0755.
+func WriteCert(certPath string, data []byte) error {
+ if err := os.MkdirAll(filepath.Dir(certPath), os.FileMode(0755)); err != nil {
+ return err
+ }
+ return ioutil.WriteFile(certPath, data, os.FileMode(0644))
+}
+
+// WriteKey writes the pem-encoded key data to keyPath.
+// The key file will be created with file mode 0600.
+// If the key file already exists, it will be overwritten.
+// The parent directory of the keyPath will be created as needed with file mode 0755.
+func WriteKey(keyPath string, data []byte) error {
+ if err := os.MkdirAll(filepath.Dir(keyPath), os.FileMode(0755)); err != nil {
+ return err
+ }
+ return ioutil.WriteFile(keyPath, data, os.FileMode(0600))
+}
+
+// LoadOrGenerateKeyFile looks for a key in the file at the given path. If it
+// can't find one, it will generate a new key and store it there.
+func LoadOrGenerateKeyFile(keyPath string) (data []byte, wasGenerated bool, err error) {
+ loadedData, err := ioutil.ReadFile(keyPath)
+ // Call verifyKeyData to ensure the file wasn't empty/corrupt.
+ if err == nil && verifyKeyData(loadedData) {
+ return loadedData, false, err
+ }
+ if !os.IsNotExist(err) {
+ return nil, false, fmt.Errorf("error loading key from %s: %v", keyPath, err)
+ }
+
+ generatedData, err := MakeEllipticPrivateKeyPEM()
+ if err != nil {
+ return nil, false, fmt.Errorf("error generating key: %v", err)
+ }
+ if err := WriteKey(keyPath, generatedData); err != nil {
+ return nil, false, fmt.Errorf("error writing key to %s: %v", keyPath, err)
+ }
+ return generatedData, true, nil
+}
+
+// MarshalPrivateKeyToPEM converts a known private key type of RSA or ECDSA to
+// a PEM encoded block or returns an error.
+func MarshalPrivateKeyToPEM(privateKey crypto.PrivateKey) ([]byte, error) {
+ switch t := privateKey.(type) {
+ case *ecdsa.PrivateKey:
+ derBytes, err := x509.MarshalECPrivateKey(t)
+ if err != nil {
+ return nil, err
+ }
+ privateKeyPemBlock := &pem.Block{
+ Type: ECPrivateKeyBlockType,
+ Bytes: derBytes,
+ }
+ return pem.EncodeToMemory(privateKeyPemBlock), nil
+ case *rsa.PrivateKey:
+ return EncodePrivateKeyPEM(t), nil
+ default:
+ return nil, fmt.Errorf("private key is not a recognized type: %T", privateKey)
+ }
+}
+
+// NewPool returns an x509.CertPool containing the certificates in the given PEM-encoded file.
+// Returns an error if the file could not be read, a certificate could not be parsed, or if the file does not contain any certificates
+func NewPool(filename string) (*x509.CertPool, error) {
+ certs, err := CertsFromFile(filename)
+ if err != nil {
+ return nil, err
+ }
+ pool := x509.NewCertPool()
+ for _, cert := range certs {
+ pool.AddCert(cert)
+ }
+ return pool, nil
+}
+
+// CertsFromFile returns the x509.Certificates contained in the given PEM-encoded file.
+// Returns an error if the file could not be read, a certificate could not be parsed, or if the file does not contain any certificates
+func CertsFromFile(file string) ([]*x509.Certificate, error) {
+ pemBlock, err := ioutil.ReadFile(file)
+ if err != nil {
+ return nil, err
+ }
+ certs, err := ParseCertsPEM(pemBlock)
+ if err != nil {
+ return nil, fmt.Errorf("error reading %s: %s", file, err)
+ }
+ return certs, nil
+}
+
+// PrivateKeyFromFile returns the private key in rsa.PrivateKey or ecdsa.PrivateKey format from a given PEM-encoded file.
+// Returns an error if the file could not be read or if the private key could not be parsed.
+func PrivateKeyFromFile(file string) (interface{}, error) {
+ data, err := ioutil.ReadFile(file)
+ if err != nil {
+ return nil, err
+ }
+ key, err := ParsePrivateKeyPEM(data)
+ if err != nil {
+ return nil, fmt.Errorf("error reading private key file %s: %v", file, err)
+ }
+ return key, nil
+}
+
+// PublicKeysFromFile returns the public keys in rsa.PublicKey or ecdsa.PublicKey format from a given PEM-encoded file.
+// Reads public keys from both public and private key files.
+func PublicKeysFromFile(file string) ([]interface{}, error) {
+ data, err := ioutil.ReadFile(file)
+ if err != nil {
+ return nil, err
+ }
+ keys, err := ParsePublicKeysPEM(data)
+ if err != nil {
+ return nil, fmt.Errorf("error reading public key file %s: %v", file, err)
+ }
+ return keys, nil
+}
+
+// verifyKeyData returns true if the provided data appears to be a valid private key.
+func verifyKeyData(data []byte) bool {
+ if len(data) == 0 {
+ return false
+ }
+ _, err := ParsePrivateKeyPEM(data)
+ return err == nil
+}
diff --git a/vendor/k8s.io/client-go/util/cert/pem.go b/vendor/k8s.io/client-go/util/cert/pem.go
new file mode 100644
index 0000000..b99e366
--- /dev/null
+++ b/vendor/k8s.io/client-go/util/cert/pem.go
@@ -0,0 +1,269 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cert
+
+import (
+ "crypto/ecdsa"
+ "crypto/rsa"
+ "crypto/x509"
+ "encoding/pem"
+ "errors"
+ "fmt"
+)
+
+const (
+ // ECPrivateKeyBlockType is a possible value for pem.Block.Type.
+ ECPrivateKeyBlockType = "EC PRIVATE KEY"
+ // RSAPrivateKeyBlockType is a possible value for pem.Block.Type.
+ RSAPrivateKeyBlockType = "RSA PRIVATE KEY"
+ // PrivateKeyBlockType is a possible value for pem.Block.Type.
+ PrivateKeyBlockType = "PRIVATE KEY"
+ // PublicKeyBlockType is a possible value for pem.Block.Type.
+ PublicKeyBlockType = "PUBLIC KEY"
+ // CertificateBlockType is a possible value for pem.Block.Type.
+ CertificateBlockType = "CERTIFICATE"
+ // CertificateRequestBlockType is a possible value for pem.Block.Type.
+ CertificateRequestBlockType = "CERTIFICATE REQUEST"
+)
+
+// EncodePublicKeyPEM returns PEM-encoded public data
+func EncodePublicKeyPEM(key *rsa.PublicKey) ([]byte, error) {
+ der, err := x509.MarshalPKIXPublicKey(key)
+ if err != nil {
+ return []byte{}, err
+ }
+ block := pem.Block{
+ Type: PublicKeyBlockType,
+ Bytes: der,
+ }
+ return pem.EncodeToMemory(&block), nil
+}
+
+// EncodePrivateKeyPEM returns PEM-encoded private key data
+func EncodePrivateKeyPEM(key *rsa.PrivateKey) []byte {
+ block := pem.Block{
+ Type: RSAPrivateKeyBlockType,
+ Bytes: x509.MarshalPKCS1PrivateKey(key),
+ }
+ return pem.EncodeToMemory(&block)
+}
+
+// EncodeCertPEM returns PEM-endcoded certificate data
+func EncodeCertPEM(cert *x509.Certificate) []byte {
+ block := pem.Block{
+ Type: CertificateBlockType,
+ Bytes: cert.Raw,
+ }
+ return pem.EncodeToMemory(&block)
+}
+
+// ParsePrivateKeyPEM returns a private key parsed from a PEM block in the supplied data.
+// Recognizes PEM blocks for "EC PRIVATE KEY", "RSA PRIVATE KEY", or "PRIVATE KEY"
+func ParsePrivateKeyPEM(keyData []byte) (interface{}, error) {
+ var privateKeyPemBlock *pem.Block
+ for {
+ privateKeyPemBlock, keyData = pem.Decode(keyData)
+ if privateKeyPemBlock == nil {
+ break
+ }
+
+ switch privateKeyPemBlock.Type {
+ case ECPrivateKeyBlockType:
+ // ECDSA Private Key in ASN.1 format
+ if key, err := x509.ParseECPrivateKey(privateKeyPemBlock.Bytes); err == nil {
+ return key, nil
+ }
+ case RSAPrivateKeyBlockType:
+ // RSA Private Key in PKCS#1 format
+ if key, err := x509.ParsePKCS1PrivateKey(privateKeyPemBlock.Bytes); err == nil {
+ return key, nil
+ }
+ case PrivateKeyBlockType:
+ // RSA or ECDSA Private Key in unencrypted PKCS#8 format
+ if key, err := x509.ParsePKCS8PrivateKey(privateKeyPemBlock.Bytes); err == nil {
+ return key, nil
+ }
+ }
+
+ // tolerate non-key PEM blocks for compatibility with things like "EC PARAMETERS" blocks
+ // originally, only the first PEM block was parsed and expected to be a key block
+ }
+
+ // we read all the PEM blocks and didn't recognize one
+ return nil, fmt.Errorf("data does not contain a valid RSA or ECDSA private key")
+}
+
+// ParsePublicKeysPEM is a helper function for reading an array of rsa.PublicKey or ecdsa.PublicKey from a PEM-encoded byte array.
+// Reads public keys from both public and private key files.
+func ParsePublicKeysPEM(keyData []byte) ([]interface{}, error) {
+ var block *pem.Block
+ keys := []interface{}{}
+ for {
+ // read the next block
+ block, keyData = pem.Decode(keyData)
+ if block == nil {
+ break
+ }
+
+ // test block against parsing functions
+ if privateKey, err := parseRSAPrivateKey(block.Bytes); err == nil {
+ keys = append(keys, &privateKey.PublicKey)
+ continue
+ }
+ if publicKey, err := parseRSAPublicKey(block.Bytes); err == nil {
+ keys = append(keys, publicKey)
+ continue
+ }
+ if privateKey, err := parseECPrivateKey(block.Bytes); err == nil {
+ keys = append(keys, &privateKey.PublicKey)
+ continue
+ }
+ if publicKey, err := parseECPublicKey(block.Bytes); err == nil {
+ keys = append(keys, publicKey)
+ continue
+ }
+
+ // tolerate non-key PEM blocks for backwards compatibility
+ // originally, only the first PEM block was parsed and expected to be a key block
+ }
+
+ if len(keys) == 0 {
+ return nil, fmt.Errorf("data does not contain any valid RSA or ECDSA public keys")
+ }
+ return keys, nil
+}
+
+// ParseCertsPEM returns the x509.Certificates contained in the given PEM-encoded byte array
+// Returns an error if a certificate could not be parsed, or if the data does not contain any certificates
+func ParseCertsPEM(pemCerts []byte) ([]*x509.Certificate, error) {
+ ok := false
+ certs := []*x509.Certificate{}
+ for len(pemCerts) > 0 {
+ var block *pem.Block
+ block, pemCerts = pem.Decode(pemCerts)
+ if block == nil {
+ break
+ }
+ // Only use PEM "CERTIFICATE" blocks without extra headers
+ if block.Type != CertificateBlockType || len(block.Headers) != 0 {
+ continue
+ }
+
+ cert, err := x509.ParseCertificate(block.Bytes)
+ if err != nil {
+ return certs, err
+ }
+
+ certs = append(certs, cert)
+ ok = true
+ }
+
+ if !ok {
+ return certs, errors.New("data does not contain any valid RSA or ECDSA certificates")
+ }
+ return certs, nil
+}
+
+// parseRSAPublicKey parses a single RSA public key from the provided data
+func parseRSAPublicKey(data []byte) (*rsa.PublicKey, error) {
+ var err error
+
+ // Parse the key
+ var parsedKey interface{}
+ if parsedKey, err = x509.ParsePKIXPublicKey(data); err != nil {
+ if cert, err := x509.ParseCertificate(data); err == nil {
+ parsedKey = cert.PublicKey
+ } else {
+ return nil, err
+ }
+ }
+
+ // Test if parsed key is an RSA Public Key
+ var pubKey *rsa.PublicKey
+ var ok bool
+ if pubKey, ok = parsedKey.(*rsa.PublicKey); !ok {
+ return nil, fmt.Errorf("data doesn't contain valid RSA Public Key")
+ }
+
+ return pubKey, nil
+}
+
+// parseRSAPrivateKey parses a single RSA private key from the provided data
+func parseRSAPrivateKey(data []byte) (*rsa.PrivateKey, error) {
+ var err error
+
+ // Parse the key
+ var parsedKey interface{}
+ if parsedKey, err = x509.ParsePKCS1PrivateKey(data); err != nil {
+ if parsedKey, err = x509.ParsePKCS8PrivateKey(data); err != nil {
+ return nil, err
+ }
+ }
+
+ // Test if parsed key is an RSA Private Key
+ var privKey *rsa.PrivateKey
+ var ok bool
+ if privKey, ok = parsedKey.(*rsa.PrivateKey); !ok {
+ return nil, fmt.Errorf("data doesn't contain valid RSA Private Key")
+ }
+
+ return privKey, nil
+}
+
+// parseECPublicKey parses a single ECDSA public key from the provided data
+func parseECPublicKey(data []byte) (*ecdsa.PublicKey, error) {
+ var err error
+
+ // Parse the key
+ var parsedKey interface{}
+ if parsedKey, err = x509.ParsePKIXPublicKey(data); err != nil {
+ if cert, err := x509.ParseCertificate(data); err == nil {
+ parsedKey = cert.PublicKey
+ } else {
+ return nil, err
+ }
+ }
+
+ // Test if parsed key is an ECDSA Public Key
+ var pubKey *ecdsa.PublicKey
+ var ok bool
+ if pubKey, ok = parsedKey.(*ecdsa.PublicKey); !ok {
+ return nil, fmt.Errorf("data doesn't contain valid ECDSA Public Key")
+ }
+
+ return pubKey, nil
+}
+
+// parseECPrivateKey parses a single ECDSA private key from the provided data
+func parseECPrivateKey(data []byte) (*ecdsa.PrivateKey, error) {
+ var err error
+
+ // Parse the key
+ var parsedKey interface{}
+ if parsedKey, err = x509.ParseECPrivateKey(data); err != nil {
+ return nil, err
+ }
+
+ // Test if parsed key is an ECDSA Private Key
+ var privKey *ecdsa.PrivateKey
+ var ok bool
+ if privKey, ok = parsedKey.(*ecdsa.PrivateKey); !ok {
+ return nil, fmt.Errorf("data doesn't contain valid ECDSA Private Key")
+ }
+
+ return privKey, nil
+}