Vendor cfssl and cfssljson

vendor/github.com/cloudflare/cfssl/cmd/cfssl/BUILD

@@ -0,0 +1,54 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["cfssl.go"],
+    importmap = "k8s.io/kubernetes/vendor/github.com/cloudflare/cfssl/cmd/cfssl",
+    importpath = "github.com/cloudflare/cfssl/cmd/cfssl",
+    visibility = ["//visibility:private"],
+    deps = [
+        "//vendor/github.com/cloudflare/cfssl/cli:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/cli/bundle:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/cli/certinfo:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/cli/crl:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/cli/gencert:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/cli/gencrl:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/cli/gencsr:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/cli/genkey:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/cli/info:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/cli/ocspdump:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/cli/ocsprefresh:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/cli/ocspserve:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/cli/ocspsign:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/cli/printdefault:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/cli/revoke:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/cli/scan:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/cli/selfsign:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/cli/serve:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/cli/sign:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/cli/version:go_default_library",
+        "//vendor/github.com/go-sql-driver/mysql:go_default_library",
+        "//vendor/github.com/lib/pq:go_default_library",
+        "//vendor/github.com/mattn/go-sqlite3:go_default_library",
+    ],
+)
+
+go_binary(
+    name = "cfssl",
+    embed = [":go_default_library"],
+    visibility = ["//visibility:public"],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)

vendor/github.com/cloudflare/cfssl/cmd/cfssl/cfssl.go

@@ -0,0 +1,87 @@
+/*
+cfssl is the command line tool to issue/sign/bundle client certificate. It's
+also a tool to start a HTTP server to handle web requests for signing, bundling
+and verification.
+
+Usage:
+	cfssl command [-flags] arguments
+
+	The commands are
+
+	bundle	 create a certificate bundle
+	sign	 signs a certificate signing request (CSR)
+	serve	 starts a HTTP server handling sign and bundle requests
+	version	 prints the current cfssl version
+	genkey   generates a key and an associated CSR
+	gencert  generates a key and a signed certificate
+	gencsr   generates a certificate request
+	selfsign generates a self-signed certificate
+
+Use "cfssl [command] -help" to find out more about a command.
+*/
+package main
+
+import (
+	"flag"
+	"os"
+
+	"github.com/cloudflare/cfssl/cli"
+	"github.com/cloudflare/cfssl/cli/bundle"
+	"github.com/cloudflare/cfssl/cli/certinfo"
+	"github.com/cloudflare/cfssl/cli/crl"
+	"github.com/cloudflare/cfssl/cli/gencert"
+	"github.com/cloudflare/cfssl/cli/gencrl"
+	"github.com/cloudflare/cfssl/cli/gencsr"
+	"github.com/cloudflare/cfssl/cli/genkey"
+	"github.com/cloudflare/cfssl/cli/info"
+	"github.com/cloudflare/cfssl/cli/ocspdump"
+	"github.com/cloudflare/cfssl/cli/ocsprefresh"
+	"github.com/cloudflare/cfssl/cli/ocspserve"
+	"github.com/cloudflare/cfssl/cli/ocspsign"
+	"github.com/cloudflare/cfssl/cli/printdefault"
+	"github.com/cloudflare/cfssl/cli/revoke"
+	"github.com/cloudflare/cfssl/cli/scan"
+	"github.com/cloudflare/cfssl/cli/selfsign"
+	"github.com/cloudflare/cfssl/cli/serve"
+	"github.com/cloudflare/cfssl/cli/sign"
+	"github.com/cloudflare/cfssl/cli/version"
+
+	_ "github.com/go-sql-driver/mysql" // import to support MySQL
+	_ "github.com/lib/pq"              // import to support Postgres
+	_ "github.com/mattn/go-sqlite3"    // import to support SQLite3
+)
+
+// main defines the cfssl usage and registers all defined commands and flags.
+func main() {
+	// Add command names to cfssl usage
+	flag.Usage = nil // this is set to nil for testabilty
+	// Register commands.
+	cmds := map[string]*cli.Command{
+		"bundle":         bundle.Command,
+		"certinfo":       certinfo.Command,
+		"crl":            crl.Command,
+		"sign":           sign.Command,
+		"serve":          serve.Command,
+		"version":        version.Command,
+		"genkey":         genkey.Command,
+		"gencert":        gencert.Command,
+		"gencsr":         gencsr.Command,
+		"gencrl":         gencrl.Command,
+		"ocspdump":       ocspdump.Command,
+		"ocsprefresh":    ocsprefresh.Command,
+		"ocspsign":       ocspsign.Command,
+		"ocspserve":      ocspserve.Command,
+		"selfsign":       selfsign.Command,
+		"scan":           scan.Command,
+		"info":           info.Command,
+		"print-defaults": printdefaults.Command,
+		"revoke":         revoke.Command,
+	}
+
+	// If the CLI returns an error, exit with an appropriate status
+	// code.
+	err := cli.Start(cmds)
+	if err != nil {
+		os.Exit(1)
+	}
+}

vendor/github.com/cloudflare/cfssl/cmd/cfssljson/BUILD

@@ -0,0 +1,30 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["cfssljson.go"],
+    importmap = "k8s.io/kubernetes/vendor/github.com/cloudflare/cfssl/cmd/cfssljson",
+    importpath = "github.com/cloudflare/cfssl/cmd/cfssljson",
+    visibility = ["//visibility:private"],
+    deps = ["//vendor/github.com/cloudflare/cfssl/cli/version:go_default_library"],
+)
+
+go_binary(
+    name = "cfssljson",
+    embed = [":go_default_library"],
+    visibility = ["//visibility:public"],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)

vendor/github.com/cloudflare/cfssl/cmd/cfssljson/cfssljson.go

@@ -0,0 +1,211 @@
+// cfssljson splits out JSON with cert, csr, and key fields to separate
+// files.
+package main
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"io/ioutil"
+	"os"
+
+	"github.com/cloudflare/cfssl/cli/version"
+)
+
+func readFile(filespec string) ([]byte, error) {
+	if filespec == "-" {
+		return ioutil.ReadAll(os.Stdin)
+	}
+	return ioutil.ReadFile(filespec)
+}
+
+func writeFile(filespec, contents string, perms os.FileMode) {
+	err := ioutil.WriteFile(filespec, []byte(contents), perms)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "%v\n", err)
+		os.Exit(1)
+	}
+}
+
+// ResponseMessage represents the format of a CFSSL output for an error or message
+type ResponseMessage struct {
+	Code    int    `json:"int"`
+	Message string `json:"message"`
+}
+
+// Response represents the format of a CFSSL output
+type Response struct {
+	Success  bool                   `json:"success"`
+	Result   map[string]interface{} `json:"result"`
+	Errors   []ResponseMessage      `json:"errors"`
+	Messages []ResponseMessage      `json:"messages"`
+}
+
+type outputFile struct {
+	Filename string
+	Contents string
+	IsBinary bool
+	Perms    os.FileMode
+}
+
+func main() {
+	bare := flag.Bool("bare", false, "the response from CFSSL is not wrapped in the API standard response")
+	inFile := flag.String("f", "-", "JSON input")
+	output := flag.Bool("stdout", false, "output the response instead of saving to a file")
+	printVersion := flag.Bool("version", false, "print version and exit")
+	flag.Parse()
+
+	if *printVersion {
+		fmt.Printf("%s", version.FormatVersion())
+		return
+	}
+
+	var baseName string
+	if flag.NArg() == 0 {
+		baseName = "cert"
+	} else {
+		baseName = flag.Arg(0)
+	}
+
+	var input = map[string]interface{}{}
+	var outs []outputFile
+	var cert string
+	var key string
+	var csr string
+
+	fileData, err := readFile(*inFile)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Failed to read input: %v\n", err)
+		os.Exit(1)
+	}
+
+	if *bare {
+		err = json.Unmarshal(fileData, &input)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Failed to parse input: %v\n", err)
+			os.Exit(1)
+		}
+	} else {
+		var response Response
+		err = json.Unmarshal(fileData, &response)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Failed to parse input: %v\n", err)
+			os.Exit(1)
+		}
+
+		if !response.Success {
+			fmt.Fprintf(os.Stderr, "Request failed:\n")
+			for _, msg := range response.Errors {
+				fmt.Fprintf(os.Stderr, "\t%s\n", msg.Message)
+			}
+			os.Exit(1)
+		}
+
+		input = response.Result
+	}
+
+	if contents, ok := input["cert"]; ok {
+		cert = contents.(string)
+	} else if contents, ok = input["certificate"]; ok {
+		cert = contents.(string)
+	}
+	if cert != "" {
+		outs = append(outs, outputFile{
+			Filename: baseName + ".pem",
+			Contents: cert,
+			Perms:    0664,
+		})
+	}
+
+	if contents, ok := input["key"]; ok {
+		key = contents.(string)
+	} else if contents, ok = input["private_key"]; ok {
+		key = contents.(string)
+	}
+	if key != "" {
+		outs = append(outs, outputFile{
+			Filename: baseName + "-key.pem",
+			Contents: key,
+			Perms:    0600,
+		})
+	}
+
+	if contents, ok := input["encrypted_key"]; ok {
+		encKey := contents.(string)
+		outs = append(outs, outputFile{
+			Filename: baseName + "-key.enc",
+			Contents: encKey,
+			IsBinary: true,
+			Perms:    0600,
+		})
+	}
+
+	if contents, ok := input["csr"]; ok {
+		csr = contents.(string)
+	} else if contents, ok = input["certificate_request"]; ok {
+		csr = contents.(string)
+	}
+	if csr != "" {
+		outs = append(outs, outputFile{
+			Filename: baseName + ".csr",
+			Contents: csr,
+			Perms:    0644,
+		})
+	}
+
+	if result, ok := input["result"].(map[string]interface{}); ok {
+		if bundle, ok := result["bundle"].(map[string]interface{}); ok {
+
+			// if we've gotten this deep then we're trying to parse out
+			// a bundle, now we fail if we can't find the keys we need.
+
+			certificateBundle, ok := bundle["bundle"].(string)
+			if !ok {
+				fmt.Fprintf(os.Stderr, "inner bundle parsing failed!\n")
+				os.Exit(1)
+			}
+			rootCertificate, ok := bundle["root"].(string)
+			if !ok {
+				fmt.Fprintf(os.Stderr, "root parsing failed!\n")
+				os.Exit(1)
+			}
+			outs = append(outs, outputFile{
+				Filename: baseName + "-bundle.pem",
+				Contents: certificateBundle + "\n" + rootCertificate,
+				Perms:    0644,
+			})
+			outs = append(outs, outputFile{
+				Filename: baseName + "-root.pem",
+				Contents: rootCertificate,
+				Perms:    0644,
+			})
+		}
+	}
+
+	if contents, ok := input["ocspResponse"]; ok {
+		//ocspResponse is base64 encoded
+		resp, err := base64.StdEncoding.DecodeString(contents.(string))
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Failed to parse ocspResponse: %v\n", err)
+			os.Exit(1)
+		}
+		outs = append(outs, outputFile{
+			Filename: baseName + "-response.der",
+			Contents: string(resp),
+			IsBinary: true,
+			Perms:    0644,
+		})
+	}
+
+	for _, e := range outs {
+		if *output {
+			if e.IsBinary {
+				e.Contents = base64.StdEncoding.EncodeToString([]byte(e.Contents))
+			}
+			fmt.Fprintf(os.Stdout, "%s\n", e.Contents)
+		} else {
+			writeFile(e.Filename, e.Contents, e.Perms)
+		}
+	}
+}