From 1b8d8079ef8930cd159cf83ae4ed7d62e2ff0604 Mon Sep 17 00:00:00 2001
From: Tamal Saha <tamal@appscode.com>
Date: Wed, 28 Feb 2024 22:40:35 -0800
Subject: [PATCH] Make duration configurable

Signed-off-by: Tamal Saha <tamal@appscode.com>
---
 cert.go          | 14 +++++++++++---
 certstore/lib.go | 37 +++++++++++++++++++++++++++++++++++--
 2 files changed, 46 insertions(+), 5 deletions(-)

diff --git a/cert.go b/cert.go
index 7b041bd..68789f3 100644
--- a/cert.go
+++ b/cert.go
@@ -32,8 +32,8 @@ import (
 	"math"
 	"math/big"
 	"net"
-	"path"
 	"os"
+	"path"
 	"strings"
 	"time"
 )
@@ -49,6 +49,14 @@ type Config struct {
 	Organization []string
 	AltNames     AltNames
 	Usages       []x509.ExtKeyUsage
+	Duration     time.Duration
+}
+
+func (cfg Config) GetDuration() time.Duration {
+	if cfg.Duration > 0 {
+		return cfg.Duration
+	}
+	return duration365d
 }
 
 // AltNames contains the domain names and IP addresses that will be added
@@ -74,7 +82,7 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
 			Organization: cfg.Organization,
 		},
 		NotBefore:             now.UTC(),
-		NotAfter:              now.Add(duration365d * 10).UTC(),
+		NotAfter:              now.Add(cfg.GetDuration() * 10).UTC(),
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 		BasicConstraintsValid: true,
 		IsCA:                  true,
@@ -109,7 +117,7 @@ func NewSignedCert(cfg Config, key crypto.Signer, caCert *x509.Certificate, caKe
 		IPAddresses:  cfg.AltNames.IPs,
 		SerialNumber: serial,
 		NotBefore:    caCert.NotBefore,
-		NotAfter:     time.Now().Add(duration365d).UTC(),
+		NotAfter:     time.Now().Add(cfg.GetDuration()).UTC(),
 		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		ExtKeyUsage:  cfg.Usages,
 	}
diff --git a/certstore/lib.go b/certstore/lib.go
index 14619e5..1d86cb0 100644
--- a/certstore/lib.go
+++ b/certstore/lib.go
@@ -9,6 +9,7 @@ import (
 	"os"
 	"path"
 	"strings"
+	"time"
 
 	"github.com/pkg/errors"
 	"gomodules.xyz/blobfs"
@@ -41,12 +42,19 @@ type CertStore struct {
 	organization []string
 	prefix       string
 	ca           string
+	duration     time.Duration
 	caKey        *rsa.PrivateKey
 	caCert       *x509.Certificate
 }
 
-func New(fs blobfs.Interface, dir string, organization ...string) (*CertStore, error) {
-	return &CertStore{fs: fs, dir: dir, ca: "ca", organization: append([]string(nil), organization...)}, nil
+func New(fs blobfs.Interface, dir string, duration time.Duration, organization ...string) *CertStore {
+	return &CertStore{
+		fs:           fs,
+		dir:          dir,
+		ca:           "ca",
+		duration:     duration,
+		organization: append([]string(nil), organization...),
+	}
 }
 
 func (s *CertStore) InitCA(prefix ...string) error {
@@ -138,6 +146,7 @@ func (s *CertStore) createCAFromKey(key *rsa.PrivateKey) error {
 			DNSNames: []string{s.ca},
 			IPs:      []net.IP{net.ParseIP("127.0.0.1")},
 		},
+		Duration: s.duration,
 	}
 	crt, err := cert.NewSelfSignedCACert(cfg, key)
 	if err != nil {
@@ -211,6 +220,7 @@ func (s *CertStore) NewServerCertPair(sans cert.AltNames) (*x509.Certificate, *r
 		Organization: s.organization,
 		AltNames:     sans,
 		Usages:       []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		Duration:     s.duration,
 	}
 	key, err := cert.NewPrivateKey()
 	if err != nil {
@@ -231,6 +241,27 @@ func (s *CertStore) NewServerCertPairBytes(sans cert.AltNames) ([]byte, []byte,
 	return cert.EncodeCertPEM(crt), cert.EncodePrivateKeyPEM(key), nil
 }
 
+func (cs *CertStore) GetServerCertPair(name string, sans cert.AltNames) (*x509.Certificate, *rsa.PrivateKey, error) {
+	crt, key, err := cs.Read(name)
+	if err != nil || time.Until(crt.NotAfter) < 10*time.Minute {
+		crt, key, err := cs.NewServerCertPair(sans)
+		if err != nil {
+			return nil, nil, err
+		}
+		err = cs.Write(name, crt, key)
+		return crt, key, err
+	}
+	return crt, key, nil
+}
+
+func (s *CertStore) GetServerCertPairBytes(name string, sans cert.AltNames) ([]byte, []byte, error) {
+	crt, key, err := s.GetServerCertPair(name, sans)
+	if err != nil {
+		return nil, nil, err
+	}
+	return cert.EncodeCertPEM(crt), cert.EncodePrivateKeyPEM(key), nil
+}
+
 // NewPeerCertPair is used to create cert pair that can serve as both server and client.
 // This is used to issue peer certificates for etcd.
 func (s *CertStore) NewPeerCertPair(sans cert.AltNames) (*x509.Certificate, *rsa.PrivateKey, error) {
@@ -239,6 +270,7 @@ func (s *CertStore) NewPeerCertPair(sans cert.AltNames) (*x509.Certificate, *rsa
 		Organization: s.organization,
 		AltNames:     sans,
 		Usages:       []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+		Duration:     s.duration,
 	}
 	key, err := cert.NewPrivateKey()
 	if err != nil {
@@ -265,6 +297,7 @@ func (s *CertStore) NewClientCertPair(sans cert.AltNames, organization ...string
 		Organization: organization,
 		AltNames:     sans,
 		Usages:       []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+		Duration:     s.duration,
 	}
 	key, err := cert.NewPrivateKey()
 	if err != nil {