vendor: remove dep and use vndr

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-06 09:19:04 +02:00 · 2017-06-06 09:19:04 +02:00 · 148e72d81e
commit 148e72d81e
parent 16f44674a4
16131 changed files with 73815 additions and 4235138 deletions
--- a/vendor/k8s.io/client-go/util/cert/cert.go
+++ b/vendor/k8s.io/client-go/util/cert/cert.go
@ -128,7 +128,7 @@ func MakeEllipticPrivateKeyPEM() ([]byte, error) {
 	}

 	privateKeyPemBlock := &pem.Block{
-		Type:  "EC PRIVATE KEY",
+		Type:  ECPrivateKeyBlockType,
 		Bytes: derBytes,
 	}
 	return pem.EncodeToMemory(privateKeyPemBlock), nil
@ -173,13 +173,13 @@ func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS

 	// Generate cert
 	certBuffer := bytes.Buffer{}
-	if err := pem.Encode(&certBuffer, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
+	if err := pem.Encode(&certBuffer, &pem.Block{Type: CertificateBlockType, Bytes: derBytes}); err != nil {
 		return nil, nil, err
 	}

 	// Generate key
 	keyBuffer := bytes.Buffer{}
-	if err := pem.Encode(&keyBuffer, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil {
+	if err := pem.Encode(&keyBuffer, &pem.Block{Type: RSAPrivateKeyBlockType, Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil {
 		return nil, nil, err
 	}

--- a/vendor/k8s.io/client-go/util/cert/csr.go
+++ b/vendor/k8s.io/client-go/util/cert/csr.go
@ -28,36 +28,48 @@ import (
 // MakeCSR generates a PEM-encoded CSR using the supplied private key, subject, and SANs.
 // All key types that are implemented via crypto.Signer are supported (This includes *rsa.PrivateKey and *ecdsa.PrivateKey.)
 func MakeCSR(privateKey interface{}, subject *pkix.Name, dnsSANs []string, ipSANs []net.IP) (csr []byte, err error) {
-	// Customize the signature for RSA keys, depending on the key size
-	var sigType x509.SignatureAlgorithm
-	if privateKey, ok := privateKey.(*rsa.PrivateKey); ok {
-		keySize := privateKey.N.BitLen()
-		switch {
-		case keySize >= 4096:
-			sigType = x509.SHA512WithRSA
-		case keySize >= 3072:
-			sigType = x509.SHA384WithRSA
-		default:
-			sigType = x509.SHA256WithRSA
-		}
-	}
-
 	template := &x509.CertificateRequest{
-		Subject:            *subject,
-		SignatureAlgorithm: sigType,
-		DNSNames:           dnsSANs,
-		IPAddresses:        ipSANs,
+		Subject:     *subject,
+		DNSNames:    dnsSANs,
+		IPAddresses: ipSANs,
 	}

-	csr, err = x509.CreateCertificateRequest(cryptorand.Reader, template, privateKey)
+	return MakeCSRFromTemplate(privateKey, template)
+}
+
+// MakeCSRFromTemplate generates a PEM-encoded CSR using the supplied private
+// key and certificate request as a template. All key types that are
+// implemented via crypto.Signer are supported (This includes *rsa.PrivateKey
+// and *ecdsa.PrivateKey.)
+func MakeCSRFromTemplate(privateKey interface{}, template *x509.CertificateRequest) ([]byte, error) {
+	t := *template
+	t.SignatureAlgorithm = sigType(privateKey)
+
+	csrDER, err := x509.CreateCertificateRequest(cryptorand.Reader, &t, privateKey)
 	if err != nil {
 		return nil, err
 	}

 	csrPemBlock := &pem.Block{
 		Type:  "CERTIFICATE REQUEST",
-		Bytes: csr,
+		Bytes: csrDER,
 	}

 	return pem.EncodeToMemory(csrPemBlock), nil
 }
+
+func sigType(privateKey interface{}) x509.SignatureAlgorithm {
+	// Customize the signature for RSA keys, depending on the key size
+	if privateKey, ok := privateKey.(*rsa.PrivateKey); ok {
+		keySize := privateKey.N.BitLen()
+		switch {
+		case keySize >= 4096:
+			return x509.SHA512WithRSA
+		case keySize >= 3072:
+			return x509.SHA384WithRSA
+		default:
+			return x509.SHA256WithRSA
+		}
+	}
+	return x509.UnknownSignatureAlgorithm
+}
--- a/vendor/k8s.io/client-go/util/cert/csr_test.go
+++ b/vendor/k8s.io/client-go/util/cert/csr_test.go
@ -1,46 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package cert
-
-import (
-	"crypto/x509/pkix"
-	"io/ioutil"
-	"net"
-	"testing"
-)
-
-func TestMakeCSR(t *testing.T) {
-	keyFile := "testdata/dontUseThisKey.pem"
-	subject := &pkix.Name{
-		CommonName: "kube-worker",
-	}
-	dnsSANs := []string{"localhost"}
-	ipSANs := []net.IP{net.ParseIP("127.0.0.1")}
-
-	keyData, err := ioutil.ReadFile(keyFile)
-	if err != nil {
-		t.Fatal(err)
-	}
-	key, err := ParsePrivateKeyPEM(keyData)
-	if err != nil {
-		t.Fatal(err)
-	}
-	_, err = MakeCSR(key, subject, dnsSANs, ipSANs)
-	if err != nil {
-		t.Error(err)
-	}
-}
--- a/vendor/k8s.io/client-go/util/cert/io.go
+++ b/vendor/k8s.io/client-go/util/cert/io.go
@ -86,6 +86,27 @@ func WriteKey(keyPath string, data []byte) error {
 	return nil
 }

+// LoadOrGenerateKeyFile looks for a key in the file at the given path. If it
+// can't find one, it will generate a new key and store it there.
+func LoadOrGenerateKeyFile(keyPath string) (data []byte, wasGenerated bool, err error) {
+	loadedData, err := ioutil.ReadFile(keyPath)
+	if err == nil {
+		return loadedData, false, err
+	}
+	if !os.IsNotExist(err) {
+		return nil, false, fmt.Errorf("error loading key from %s: %v", keyPath, err)
+	}
+
+	generatedData, err := MakeEllipticPrivateKeyPEM()
+	if err != nil {
+		return nil, false, fmt.Errorf("error generating key: %v", err)
+	}
+	if err := WriteKey(keyPath, generatedData); err != nil {
+		return nil, false, fmt.Errorf("error writing key to %s: %v", keyPath, err)
+	}
+	return generatedData, true, nil
+}
+
 // NewPool returns an x509.CertPool containing the certificates in the given PEM-encoded file.
 // Returns an error if the file could not be read, a certificate could not be parsed, or if the file does not contain any certificates
 func NewPool(filename string) (*x509.CertPool, error) {
--- a/vendor/k8s.io/client-go/util/cert/pem.go
+++ b/vendor/k8s.io/client-go/util/cert/pem.go
@ -24,6 +24,21 @@ import (
 	"fmt"
 )

+const (
+	// ECPrivateKeyBlockType is a possible value for pem.Block.Type.
+	ECPrivateKeyBlockType = "EC PRIVATE KEY"
+	// RSAPrivateKeyBlockType is a possible value for pem.Block.Type.
+	RSAPrivateKeyBlockType = "RSA PRIVATE KEY"
+	// CertificateBlockType is a possible value for pem.Block.Type.
+	CertificateBlockType = "CERTIFICATE"
+	// CertificateRequestBlockType is a possible value for pem.Block.Type.
+	CertificateRequestBlockType = "CERTIFICATE REQUEST"
+	// PrivateKeyBlockType is a possible value for pem.Block.Type.
+	PrivateKeyBlockType = "PRIVATE KEY"
+	// PublicKeyBlockType is a possible value for pem.Block.Type.
+	PublicKeyBlockType = "PUBLIC KEY"
+)
+
 // EncodePublicKeyPEM returns PEM-endcode public data
 func EncodePublicKeyPEM(key *rsa.PublicKey) ([]byte, error) {
 	der, err := x509.MarshalPKIXPublicKey(key)
@ -31,7 +46,7 @@ func EncodePublicKeyPEM(key *rsa.PublicKey) ([]byte, error) {
 		return []byte{}, err
 	}
 	block := pem.Block{
-		Type:  "PUBLIC KEY",
+		Type:  PublicKeyBlockType,
 		Bytes: der,
 	}
 	return pem.EncodeToMemory(&block), nil
@ -40,7 +55,7 @@ func EncodePublicKeyPEM(key *rsa.PublicKey) ([]byte, error) {
 // EncodePrivateKeyPEM returns PEM-encoded private key data
 func EncodePrivateKeyPEM(key *rsa.PrivateKey) []byte {
 	block := pem.Block{
-		Type:  "RSA PRIVATE KEY",
+		Type:  RSAPrivateKeyBlockType,
 		Bytes: x509.MarshalPKCS1PrivateKey(key),
 	}
 	return pem.EncodeToMemory(&block)
@ -49,30 +64,46 @@ func EncodePrivateKeyPEM(key *rsa.PrivateKey) []byte {
 // EncodeCertPEM returns PEM-endcoded certificate data
 func EncodeCertPEM(cert *x509.Certificate) []byte {
 	block := pem.Block{
-		Type:  "CERTIFICATE",
+		Type:  CertificateBlockType,
 		Bytes: cert.Raw,
 	}
 	return pem.EncodeToMemory(&block)
 }

 // ParsePrivateKeyPEM returns a private key parsed from a PEM block in the supplied data.
-// Recognizes PEM blocks for "EC PRIVATE KEY" and "RSA PRIVATE KEY"
+// Recognizes PEM blocks for "EC PRIVATE KEY", "RSA PRIVATE KEY", or "PRIVATE KEY"
 func ParsePrivateKeyPEM(keyData []byte) (interface{}, error) {
+	var privateKeyPemBlock *pem.Block
 	for {
-		var privateKeyPemBlock *pem.Block
 		privateKeyPemBlock, keyData = pem.Decode(keyData)
 		if privateKeyPemBlock == nil {
-			// we read all the PEM blocks and didn't recognize one
-			return nil, fmt.Errorf("no private key PEM block found")
+			break
 		}

 		switch privateKeyPemBlock.Type {
-		case "EC PRIVATE KEY":
-			return x509.ParseECPrivateKey(privateKeyPemBlock.Bytes)
-		case "RSA PRIVATE KEY":
-			return x509.ParsePKCS1PrivateKey(privateKeyPemBlock.Bytes)
+		case ECPrivateKeyBlockType:
+			// ECDSA Private Key in ASN.1 format
+			if key, err := x509.ParseECPrivateKey(privateKeyPemBlock.Bytes); err == nil {
+				return key, nil
+			}
+		case RSAPrivateKeyBlockType:
+			// RSA Private Key in PKCS#1 format
+			if key, err := x509.ParsePKCS1PrivateKey(privateKeyPemBlock.Bytes); err == nil {
+				return key, nil
+			}
+		case PrivateKeyBlockType:
+			// RSA or ECDSA Private Key in unencrypted PKCS#8 format
+			if key, err := x509.ParsePKCS8PrivateKey(privateKeyPemBlock.Bytes); err == nil {
+				return key, nil
+			}
 		}
+
+		// tolerate non-key PEM blocks for compatibility with things like "EC PARAMETERS" blocks
+		// originally, only the first PEM block was parsed and expected to be a key block
 	}
+
+	// we read all the PEM blocks and didn't recognize one
+	return nil, fmt.Errorf("data does not contain a valid RSA or ECDSA private key")
 }

 // ParseCertsPEM returns the x509.Certificates contained in the given PEM-encoded byte array
@ -87,7 +118,7 @@ func ParseCertsPEM(pemCerts []byte) ([]*x509.Certificate, error) {
 			break
 		}
 		// Only use PEM "CERTIFICATE" blocks without extra headers
-		if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
+		if block.Type != CertificateBlockType || len(block.Headers) != 0 {
 			continue
 		}

--- a/vendor/k8s.io/client-go/util/cert/testdata/dontUseThisKey.pem
+++ b/vendor/k8s.io/client-go/util/cert/testdata/dontUseThisKey.pem
@ -1,6 +0,0 @@
-----BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDAPEbSXwyDfWf0+61Oofd7aHkmdX69mrzD2Xb1CHF5syfsoRIhnG0dJ
-ozBulPZCDDWgBwYFK4EEACKhZANiAATjlMJAtKhEPqU/i7MsrgKcK/RmXHC6He7W
-0p69+9qFXg2raJ9zvvbKxkiu2ELOYRDAz0utcFTBOIgoUJEzBVmsjZQ7dvFa1BKP
-Ym7MFAKG3O2espBqXn+audgdHGh5B0I=
-----END EC PRIVATE KEY-----
--- a/vendor/k8s.io/client-go/util/cert/triple/triple.go
+++ b/vendor/k8s.io/client-go/util/cert/triple/triple.go
@ -1,116 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package triple generates key-certificate pairs for the
-// triple (CA, Server, Client).
-package triple
-
-import (
-	"crypto/rsa"
-	"crypto/x509"
-	"fmt"
-	"net"
-
-	certutil "k8s.io/client-go/util/cert"
-)
-
-type KeyPair struct {
-	Key  *rsa.PrivateKey
-	Cert *x509.Certificate
-}
-
-func NewCA(name string) (*KeyPair, error) {
-	key, err := certutil.NewPrivateKey()
-	if err != nil {
-		return nil, fmt.Errorf("unable to create a private key for a new CA: %v", err)
-	}
-
-	config := certutil.Config{
-		CommonName: name,
-	}
-
-	cert, err := certutil.NewSelfSignedCACert(config, key)
-	if err != nil {
-		return nil, fmt.Errorf("unable to create a self-signed certificate for a new CA: %v", err)
-	}
-
-	return &KeyPair{
-		Key:  key,
-		Cert: cert,
-	}, nil
-}
-
-func NewServerKeyPair(ca *KeyPair, commonName, svcName, svcNamespace, dnsDomain string, ips, hostnames []string) (*KeyPair, error) {
-	key, err := certutil.NewPrivateKey()
-	if err != nil {
-		return nil, fmt.Errorf("unable to create a server private key: %v", err)
-	}
-
-	namespacedName := fmt.Sprintf("%s.%s", svcName, svcNamespace)
-	internalAPIServerFQDN := []string{
-		svcName,
-		namespacedName,
-		fmt.Sprintf("%s.svc", namespacedName),
-		fmt.Sprintf("%s.svc.%s", namespacedName, dnsDomain),
-	}
-
-	altNames := certutil.AltNames{}
-	for _, ipStr := range ips {
-		ip := net.ParseIP(ipStr)
-		if ip != nil {
-			altNames.IPs = append(altNames.IPs, ip)
-		}
-	}
-	altNames.DNSNames = append(altNames.DNSNames, hostnames...)
-	altNames.DNSNames = append(altNames.DNSNames, internalAPIServerFQDN...)
-
-	config := certutil.Config{
-		CommonName: commonName,
-		AltNames:   altNames,
-		Usages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-	}
-	cert, err := certutil.NewSignedCert(config, key, ca.Cert, ca.Key)
-	if err != nil {
-		return nil, fmt.Errorf("unable to sign the server certificate: %v", err)
-	}
-
-	return &KeyPair{
-		Key:  key,
-		Cert: cert,
-	}, nil
-}
-
-func NewClientKeyPair(ca *KeyPair, commonName string, organizations []string) (*KeyPair, error) {
-	key, err := certutil.NewPrivateKey()
-	if err != nil {
-		return nil, fmt.Errorf("unable to create a client private key: %v", err)
-	}
-
-	config := certutil.Config{
-		CommonName:   commonName,
-		Organization: organizations,
-		Usages:       []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
-	}
-	cert, err := certutil.NewSignedCert(config, key, ca.Cert, ca.Key)
-	if err != nil {
-		return nil, fmt.Errorf("unable to sign the client certificate: %v", err)
-	}
-
-	return &KeyPair{
-		Key:  key,
-		Cert: cert,
-	}, nil
-}