open-consul/test/integration/consul-container/libs/agent/encryption.go

package agent

import (
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"net"

	"github.com/pkg/errors"

	"github.com/hashicorp/consul/tlsutil"
)

func newSerfEncryptionKey() (string, error) {
	key := make([]byte, 32)
	n, err := rand.Reader.Read(key)
	if err != nil {
		return "", errors.Wrap(err, "error reading random data")
	}
	if n != 32 {
		return "", errors.Wrap(err, "couldn't read enough entropy. Generate more entropy!")
	}

	return base64.StdEncoding.EncodeToString(key), nil
}

func newServerTLSKeyPair(dc string, ctx *BuildContext) (string, string, string, string) {
	// Generate agent-specific key pair. Borrowed from 'consul tls cert create -server -dc <dc_name>'
	name := fmt.Sprintf("server.%s.%s", dc, "consul")

	dnsNames := []string{
		name,
		"localhost",
	}
	ipAddresses := []net.IP{net.ParseIP("127.0.0.1")}
	extKeyUsage := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}

	signer, err := tlsutil.ParseSigner(ctx.caKey)
	if err != nil {
		panic("could not parse signer from CA key")
	}

	pub, priv, err := tlsutil.GenerateCert(tlsutil.CertOpts{
		Signer: signer, CA: ctx.caCert, Name: name, Days: 365,
		DNSNames: dnsNames, IPAddresses: ipAddresses, ExtKeyUsage: extKeyUsage,
	})

	prefix := fmt.Sprintf("%s-server-%s", dc, "consul")
	certFileName := fmt.Sprintf("%s-%d.pem", prefix, ctx.index)
	keyFileName := fmt.Sprintf("%s-%d-key.pem", prefix, ctx.index)

	if err = tlsutil.Verify(ctx.caCert, pub, name); err != nil {
		panic(fmt.Sprintf("could not verify keypair for %s and %s", certFileName, keyFileName))
	}

	return keyFileName, priv, certFileName, pub
}
test: refactor testcontainers and add peering integ tests (#15084) 2022-11-01 19:03:23 +00:00			`package agent`

			`import (`
			`"crypto/rand"`
			`"crypto/x509"`
			`"encoding/base64"`
			`"fmt"`
			`"net"`

			`"github.com/pkg/errors"`

			`"github.com/hashicorp/consul/tlsutil"`
			`)`

			`func newSerfEncryptionKey() (string, error) {`
			`key := make([]byte, 32)`
			`n, err := rand.Reader.Read(key)`
			`if err != nil {`
			`return "", errors.Wrap(err, "error reading random data")`
			`}`
			`if n != 32 {`
			`return "", errors.Wrap(err, "couldn't read enough entropy. Generate more entropy!")`
			`}`

			`return base64.StdEncoding.EncodeToString(key), nil`
			`}`

			`func newServerTLSKeyPair(dc string, ctx *BuildContext) (string, string, string, string) {`
			`// Generate agent-specific key pair. Borrowed from 'consul tls cert create -server -dc <dc_name>'`
			`name := fmt.Sprintf("server.%s.%s", dc, "consul")`

			`dnsNames := []string{`
			`name,`
			`"localhost",`
			`}`
			`ipAddresses := []net.IP{net.ParseIP("127.0.0.1")}`
			`extKeyUsage := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}`

			`signer, err := tlsutil.ParseSigner(ctx.caKey)`
			`if err != nil {`
			`panic("could not parse signer from CA key")`
			`}`

			`pub, priv, err := tlsutil.GenerateCert(tlsutil.CertOpts{`
			`Signer: signer, CA: ctx.caCert, Name: name, Days: 365,`
			`DNSNames: dnsNames, IPAddresses: ipAddresses, ExtKeyUsage: extKeyUsage,`
			`})`

			`prefix := fmt.Sprintf("%s-server-%s", dc, "consul")`
			`certFileName := fmt.Sprintf("%s-%d.pem", prefix, ctx.index)`
			`keyFileName := fmt.Sprintf("%s-%d-key.pem", prefix, ctx.index)`

			`if err = tlsutil.Verify(ctx.caCert, pub, name); err != nil {`
			`panic(fmt.Sprintf("could not verify keypair for %s and %s", certFileName, keyFileName))`
			`}`

			`return keyFileName, priv, certFileName, pub`
			`}`