hub / github.com/kubernetes/client-go / ensureCompatible

Function ensureCompatible

util/certificate/csr/csr.go:136–169  ·  view source on GitHub ↗

ensureCompatible ensures that a CSR object is compatible with an original CSR

(new, orig *certificates.CertificateSigningRequest, privateKey interface{})

Source from the content-addressed store, hash-verified

// ensureCompatible reports whether the CSR object new can stand in for the
// request described by orig when the caller holds privateKey. It returns nil
// when every check passes and a descriptive error at the first failure.
//
// Checks, in order:
//   - both objects must parse via parseCSR;
//   - the parsed Subjects must be deeply equal;
//   - privateKey must implement crypto.Signer, and the signature on new must
//     verify against that signer's public key;
//   - if new.Status.Certificate is non-empty, it must parse as PEM
//     certificates and none of them may be past its NotAfter time.
//
// NOTE(review): Subject is the only parsed request field compared with orig
// here. Other requested attributes (for example subject alternative names or
// usages) are not compared by this function, so a caller that depends on them
// matching needs its own check. For an issued certificate only NotAfter is
// examined; NotBefore and chain validity are not. Confirm this is sufficient
// for the caller.
func ensureCompatible(new, orig *certificates.CertificateSigningRequest, privateKey interface{}) error {
	candidate, err := parseCSR(new)
	if err != nil {
		return fmt.Errorf("unable to parse new csr: %v", err)
	}

	reference, err := parseCSR(orig)
	if err != nil {
		return fmt.Errorf("unable to parse original csr: %v", err)
	}

	if subjectsMatch := reflect.DeepEqual(candidate.Subject, reference.Subject); !subjectsMatch {
		return fmt.Errorf("csr subjects differ: new: %#v, orig: %#v", candidate.Subject, reference.Subject)
	}

	keySigner, isSigner := privateKey.(crypto.Signer)
	if !isSigner {
		return fmt.Errorf("privateKey is not a signer")
	}

	// Overwrite the parsed public key with the caller's before verifying, so
	// the check is made against the key the caller holds rather than the key
	// embedded in the request (presumably an x509 request; confirm in parseCSR).
	candidate.PublicKey = keySigner.Public()
	if sigErr := candidate.CheckSignature(); sigErr != nil {
		return fmt.Errorf("error validating signature new CSR against old key: %v", sigErr)
	}

	issuedPEM := new.Status.Certificate
	if len(issuedPEM) == 0 {
		// Status.Certificate is empty, so there is nothing further to validate.
		return nil
	}

	issued, err := certutil.ParseCertsPEM(issuedPEM)
	if err != nil {
		return fmt.Errorf("error parsing signed certificate for CSR: %v", err)
	}

	// Take one timestamp so every certificate in the bundle is judged against
	// the same instant.
	checkedAt := time.Now()
	for _, c := range issued {
		if c.NotAfter.Before(checkedAt) {
			return fmt.Errorf("one of the certificates for the CSR has expired: %s", c.NotAfter)
		}
	}
	return nil
}

// formatError preserves the type of an API message but alters the message. Expects
// a single argument format string, and returns the wrapped error.

Callers 1

RequestCertificateFunction · 0.85

Calls 3

parseCSRFunction · 0.85
ErrorfMethod · 0.65
NowMethod · 0.65

Tested by

no test coverage detected