configimage: migrate IngressOperatorSignerCertKey to library-go

sanchezl · sanchezl · commit a41ad194219a · 2026-04-04T10:04:34.000-04:00
Replace the forked selfSignedCertificate, generateSelfSignedCertificate,
generateSubjectKeyID, and rsaPublicKey with a single call to
libcrypto.NewSigningCertificate. The forked code existed to allow
empty OU in the Subject, which library-go handles natively.

This removes ~80 lines of duplicated crypto code including a SHA-1
SubjectKeyId implementation.
diff --git a/pkg/asset/imagebased/configimage/ingressoperatorsigner.go b/pkg/asset/imagebased/configimage/ingressoperatorsigner.go
@@ -2,21 +2,12 @@ package configimage
 
 import (
 	"context"
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/sha1" //nolint: gosec
-	"crypto/x509"
 	"crypto/x509/pkix"
-	"encoding/asn1"
-	"errors"
 	"fmt"
-	"math"
-	"math/big"
 	"time"
 
+	libcrypto "github.com/openshift/library-go/pkg/crypto"
+
 	"github.com/openshift/installer/pkg/asset"
 	"github.com/openshift/installer/pkg/asset/installconfig"
 	"github.com/openshift/installer/pkg/asset/tls"
@@ -47,23 +38,24 @@ func (a *IngressOperatorSignerCertKey) Generate(ctx context.Context, dependencie
 	installConfig := &installconfig.InstallConfig{}
 	dependencies.Get(installConfig)
 
-	cfg := &tls.CertCfg{
-		Subject:   pkix.Name{CommonName: signerName},
-		KeyUsages: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
-		Validity:  tls.ValidityOneYear(installConfig) * 2,
-		IsCA:      true,
-	}
-
-	key, crt, err := generateSelfSignedCertificate(cfg)
+	keyGen := libcrypto.RSAKeyPairGenerator{Bits: 2048}
+	tlsCfg, err := libcrypto.NewSigningCertificate(
+		signerName,
+		keyGen,
+		libcrypto.WithLifetime(tls.ValidityOneYear(installConfig)*2),
+		libcrypto.WithSubject(pkix.Name{CommonName: signerName}),
+	)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to generate ingress operator signer certificate: %w", err)
 	}
 
-	a.KeyRaw, err = tls.PrivateKeyToPem(key)
+	certPEM, keyPEM, err := tlsCfg.GetPEMBytes()
 	if err != nil {
-		return fmt.Errorf("failed to encode private key to PEM: %w", err)
+		return fmt.Errorf("failed to encode ingress operator signer to PEM: %w", err)
 	}
-	a.CertRaw = tls.CertToPem(crt)
+
+	a.CertRaw = certPEM
+	a.KeyRaw = keyPEM
 
 	return nil
 }
@@ -97,81 +89,3 @@ func (a *IngressOperatorCABundle) Generate(ctx context.Context, deps asset.Paren
 func (a *IngressOperatorCABundle) Name() string {
 	return "Certificate (ingress-operator-ca-bundle)"
 }
-
-// selfSignedCertificate creates a self signed certificate.
-//
-// TODO: this is a modified tls.SelfSignedCertificate function to allow the
-// certificate's Subject.OU to be empty. We should revisit this by sharing as
-// much code as possible with the tls package.
-//
-// https://github.com/openshift/installer/blob/6723dfd18056a6d002f792afce5547fc24874908/pkg/asset/tls/tls.go
-func selfSignedCertificate(cfg *tls.CertCfg, key *rsa.PrivateKey) (*x509.Certificate, error) {
-	serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
-	if err != nil {
-		return nil, err
-	}
-	cert := x509.Certificate{
-		BasicConstraintsValid: true,
-		IsCA:                  cfg.IsCA,
-		KeyUsage:              cfg.KeyUsages,
-		NotAfter:              time.Now().Add(cfg.Validity),
-		NotBefore:             time.Now(),
-		SerialNumber:          serial,
-		Subject:               cfg.Subject,
-	}
-	// verifies that the CN for the cert is set
-	if len(cfg.Subject.CommonName) == 0 {
-		return nil, errors.New("certification's subject is not set, or invalid")
-	}
-	pub := key.Public()
-	cert.SubjectKeyId, err = generateSubjectKeyID(pub)
-	if err != nil {
-		return nil, fmt.Errorf("failed to set subject key identifier: %w", err)
-	}
-	certBytes, err := x509.CreateCertificate(rand.Reader, &cert, &cert, key.Public(), key)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create certificate: %w", err)
-	}
-	return x509.ParseCertificate(certBytes)
-}
-
-// generateSelfSignedCertificate generates a key/cert pair defined by CertCfg.
-func generateSelfSignedCertificate(cfg *tls.CertCfg) (*rsa.PrivateKey, *x509.Certificate, error) {
-	key, err := tls.PrivateKey()
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to generate private key: %w", err)
-	}
-
-	crt, err := selfSignedCertificate(cfg, key)
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to create self-signed certificate: %w", err)
-	}
-	return key, crt, nil
-}
-
-// rsaPublicKey reflects the ASN.1 structure of a PKCS#1 public key.
-type rsaPublicKey struct {
-	N *big.Int
-	E int
-}
-
-// generateSubjectKeyID generates a SHA-1 hash of the subject public key.
-func generateSubjectKeyID(pub crypto.PublicKey) ([]byte, error) {
-	var publicKeyBytes []byte
-	var err error
-
-	switch pub := pub.(type) {
-	case *rsa.PublicKey:
-		publicKeyBytes, err = asn1.Marshal(rsaPublicKey{N: pub.N, E: pub.E})
-		if err != nil {
-			return nil, fmt.Errorf("failed to Marshal ans1 public key: %w", err)
-		}
-	case *ecdsa.PublicKey:
-		publicKeyBytes = elliptic.Marshal(pub.Curve, pub.X, pub.Y) //nolint: staticcheck
-	default:
-		return nil, errors.New("only RSA and ECDSA public keys supported")
-	}
-
-	hash := sha1.Sum(publicKeyBytes) //nolint: gosec
-	return hash[:], nil
-}
