m/n/core/localstorage: remove unused PKI options
Change-Id: Ifa6011fe7ab2868fac93483d0988c772c6f6fdf4
Reviewed-on: https://review.monogon.dev/c/monogon/+/1375
Reviewed-by: Leopold Schabel <leo@monogon.tech>
Tested-by: Jenkins CI
diff --git a/metropolis/node/core/localstorage/directory_pki.go b/metropolis/node/core/localstorage/directory_pki.go
index cddf395..028b5ef 100644
--- a/metropolis/node/core/localstorage/directory_pki.go
+++ b/metropolis/node/core/localstorage/directory_pki.go
@@ -18,14 +18,9 @@
import (
"crypto/ed25519"
- "crypto/rand"
- "crypto/tls"
"crypto/x509"
- "crypto/x509/pkix"
- "encoding/hex"
"encoding/pem"
"fmt"
- "math/big"
"time"
"source.monogon.dev/metropolis/node/core/localstorage/declarative"
@@ -38,107 +33,6 @@
type CertificateTemplateNamer func(pubkey []byte) x509.Certificate
-func CertificateForNode(pubkey []byte) x509.Certificate {
- // TODO(q3k): this should be unified with metroopolis/node/cluster:node.ID()
- name := "metropolis-" + hex.EncodeToString([]byte(pubkey[:16]))
-
- // This has no SANs because it authenticates by public key, not by name
- return x509.Certificate{
- Subject: pkix.Name{
- // We identify nodes by their ID public keys (not hashed since a
- // strong hash is longer and serves no benefit)
- CommonName: name,
- },
- IsCA: false,
- BasicConstraintsValid: true,
- NotBefore: time.Now(),
- NotAfter: unknownNotAfter,
- // Certificate is used both as server & client
- ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
- }
-}
-
-func (p *PKIDirectory) EnsureSelfSigned(namer CertificateTemplateNamer) (*tls.Certificate, error) {
- create := false
- for _, f := range []*declarative.File{&p.Certificate, &p.Key} {
- exists, err := f.Exists()
- if err != nil {
- return nil, fmt.Errorf("could not check existence of file %q: %w", f.FullPath(), err)
- }
- if !exists {
- create = true
- break
- }
- }
-
- if !create {
- certRaw, err := p.Certificate.Read()
- if err != nil {
- return nil, fmt.Errorf("could not read certificate: %w", err)
- }
- privKeyRaw, err := p.Key.Read()
- if err != nil {
- return nil, fmt.Errorf("could not read key: %w", err)
- }
- cert, err := x509.ParseCertificate(certRaw)
- if err != nil {
- return nil, fmt.Errorf("could not parse certificate: %w", err)
- }
- privKey, err := x509.ParsePKCS8PrivateKey(privKeyRaw)
- if err != nil {
- return nil, fmt.Errorf("could not parse key: %w", err)
- }
- return &tls.Certificate{
- Certificate: [][]byte{certRaw},
- PrivateKey: privKey,
- Leaf: cert,
- }, nil
- }
-
- pubKey, privKeyRaw, err := ed25519.GenerateKey(rand.Reader)
- if err != nil {
- return nil, fmt.Errorf("failed to generate key: %w", err)
- }
-
- privKey, err := x509.MarshalPKCS8PrivateKey(privKeyRaw)
- if err != nil {
- return nil, fmt.Errorf("failed to marshal key: %w", err)
- }
-
- if err := p.Key.Write(privKey, 0600); err != nil {
- return nil, fmt.Errorf("failed to write new private key: %w", err)
- }
-
- serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 127)
- serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
- if err != nil {
- return nil, fmt.Errorf("failed to generate serial number: %w", err)
- }
-
- template := namer(pubKey)
- template.SerialNumber = serialNumber
-
- certRaw, err := x509.CreateCertificate(rand.Reader, &template, &template, pubKey, privKeyRaw)
- if err != nil {
- return nil, fmt.Errorf("could not sign certificate: %w", err)
- }
-
- cert, err := x509.ParseCertificate(certRaw)
- if err != nil {
- return nil, fmt.Errorf("could not parse newly created certificate: %w", err)
- }
-
- if err := p.Certificate.Write(certRaw, 0600); err != nil {
- return nil, fmt.Errorf("failed to write new certificate: %w", err)
- }
-
- return &tls.Certificate{
- Certificate: [][]byte{certRaw},
- PrivateKey: privKey,
- Leaf: cert,
- }, nil
-}
-
// AllExist returns true if all PKI files (cert, key, CA cert) are present on
// the backing store.
func (p *PKIDirectory) AllExist() (bool, error) {
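Review bot: `type CertificateTemplateNamer func(pubkey []byte) x509.Certificate`, the context line at the top of this hunk, stays declared even though its only consumer visible here, `EnsureSelfSigned`, is removed. The same may apply to `unknownNotAfter`, which the deleted `CertificateForNode` referenced and which is defined outside this hunk. Go rejects unused imports but not unused package-level types or variables, so a passing build does not show these are still needed. If nothing else in the package or its importers references them, drop them in this change as well so no dormant certificate-template plumbing is left in the PKI directory code.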