From ec200a9edf87b8bb36d8065448d1728b10557d39 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Fri, 9 Sep 2016 11:15:29 -0400
Subject: [PATCH] Remove duplicated ECDHE key handling

---
 pkg/util/cert/csr.go | 24 +++--------------------
 1 file changed, 3 insertions(+), 21 deletions(-)

diff --git a/pkg/util/cert/csr.go b/pkg/util/cert/csr.go
index fa946cdd8a..91cc32f62b 100644
--- a/pkg/util/cert/csr.go
+++ b/pkg/util/cert/csr.go
@@ -17,15 +17,12 @@ limitations under the License.
 package cert
 
 import (
-	"crypto/ecdsa"
-	"crypto/elliptic"
 	cryptorand "crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
 	"errors"
-	"fmt"
 	"net"
 
 	"k8s.io/kubernetes/pkg/apis/certificates"
@@ -47,23 +44,11 @@ func ParseCSR(obj *certificates.CertificateSigningRequest) (*x509.CertificateReq
 }
 
 // MakeCSR generates a PEM-encoded CSR using the supplied private key, subject, and SANs.
-// privateKey must be a *ecdsa.PrivateKey or *rsa.PrivateKey.
+// All key types that are implemented via crypto.Signer are supported (This includes *rsa.PrivateKey and *ecdsa.PrivateKey.)
 func MakeCSR(privateKey interface{}, subject *pkix.Name, dnsSANs []string, ipSANs []net.IP) (csr []byte, err error) {
+	// Customize the signature for RSA keys, depending on the key size
 	var sigType x509.SignatureAlgorithm
-
-	switch privateKey := privateKey.(type) {
-	case *ecdsa.PrivateKey:
-		switch privateKey.Curve {
-		case elliptic.P224(), elliptic.P256():
-			sigType = x509.ECDSAWithSHA256
-		case elliptic.P384():
-			sigType = x509.ECDSAWithSHA384
-		case elliptic.P521():
-			sigType = x509.ECDSAWithSHA512
-		default:
-			return nil, fmt.Errorf("unknown elliptic curve: %v", privateKey.Curve)
-		}
-	case *rsa.PrivateKey:
+	if privateKey, ok := privateKey.(*rsa.PrivateKey); ok {
 		keySize := privateKey.N.BitLen()
 		switch {
 		case keySize >= 4096:
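Review bot: With the type switch gone, any key that is not a *rsa.PrivateKey leaves sigType at its zero value, x509.UnknownSignatureAlgorithm, so both the digest choice and the rejection of unsupported key types are now delegated to x509.CreateCertificateRequest (presumably called further down, outside this hunk); the new comment above `var sigType` should state that, e.g. `// Other key types keep UnknownSignatureAlgorithm so CreateCertificateRequest picks the default for the key.` The new doc line promises that every crypto.Signer works, which is broader than the unchanged `privateKey interface{}` parameter enforces, and a caller passing the wrong type now learns of it only from the signing error rather than from the explicit "unsupported key type" error the removed default case returned. If callers permit, `func MakeCSR(privateKey crypto.Signer, subject *pkix.Name, dnsSANs []string, ipSANs []net.IP) (csr []byte, err error)` would make that contract compile-time checked. MakeCSR's body continues past the end of the hunk.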
@@ -73,9 +58,6 @@ func MakeCSR(privateKey interface{}, subject *pkix.Name, dnsSANs []string, ipSAN
 		default:
 			sigType = x509.SHA256WithRSA
 		}
-
-	default:
-		return nil, fmt.Errorf("unsupported key type: %T", privateKey)
 	}
 
 	template := &x509.CertificateRequest{