MGMT-18684: WIP: Cryptographically verify CSRs of joining nodes.

go.mod

@@ -9,7 +9,6 @@ require (
 	github.com/coreos/ignition/v2 v2.18.0
 	github.com/go-openapi/runtime v0.28.0
 	github.com/go-openapi/strfmt v0.23.0
-	github.com/go-openapi/swag v0.23.0
 	github.com/google/uuid v1.6.0
 	github.com/hashicorp/go-version v1.6.0
 	github.com/kelseyhightower/envconfig v1.4.0
@@ -82,6 +81,7 @@ require (
 	github.com/go-openapi/jsonreference v0.21.0 // indirect
 	github.com/go-openapi/loads v0.22.0 // indirect
 	github.com/go-openapi/spec v0.21.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect

src/assisted_installer_controller/reboots_notifier.go

@@ -8,8 +8,8 @@ import (
 	"time"
 
 	"github.com/go-openapi/strfmt"
-	"github.com/go-openapi/swag"
 	"github.com/openshift/assisted-installer/src/common"
+	"github.com/openshift/assisted-installer/src/convert"
 	"github.com/openshift/assisted-installer/src/inventory_client"
 	"github.com/openshift/assisted-installer/src/ops"
 	"github.com/openshift/assisted-installer/src/utils"
@@ -97,8 +97,8 @@ func (r *rebootsNotifier) run(ctx context.Context, nodeName string, hostId, infr
 		ClusterID:  clusterId,
 		Name:       eventName,
 		Category:   models.EventCategoryUser,
-		Severity:   swag.String(models.EventSeverityInfo),
-		Message:    swag.String(fmt.Sprintf(eventMessageTemplate, nodeName, numberOfReboots)),
+		Severity:   convert.String(models.EventSeverityInfo),
+		Message:    convert.String(fmt.Sprintf(eventMessageTemplate, nodeName, numberOfReboots)),
 	}
 
 	if err = r.ic.TriggerEvent(ctx, ev); err != nil {

src/assisted_installer_controller/reboots_notifier_test.go

@@ -5,10 +5,10 @@ import (
 	"fmt"
 
 	"github.com/go-openapi/strfmt"
-	"github.com/go-openapi/swag"
 	"github.com/google/uuid"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
+	"github.com/openshift/assisted-installer/src/convert"
 	"github.com/openshift/assisted-installer/src/inventory_client"
 	"github.com/openshift/assisted-installer/src/ops"
 	"github.com/openshift/assisted-service/models"
@@ -71,9 +71,9 @@ var _ = Describe("Reboots notifier", func() {
 				ClusterID:  &clusterId,
 				HostID:     &hostId,
 				InfraEnvID: &infraenvId,
-				Message:    swag.String(fmt.Sprintf(eventMessageTemplate, nodeName, 1)),
+				Message:    convert.String(fmt.Sprintf(eventMessageTemplate, nodeName, 1)),
 				Name:       eventName,
-				Severity:   swag.String(models.EventSeverityInfo),
+				Severity:   convert.String(models.EventSeverityInfo),
 			}).Return(nil)
 			notifier.Start(context.TODO(), nodeName, &hostId, &infraenvId, &clusterId)
 			notifier.Finalize()

src/common/common.go

@@ -3,6 +3,10 @@ package common
 import (
 	"bytes"
 	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"io"
 	"os"
@@ -16,6 +20,8 @@ import (
 	"github.com/openshift/assisted-installer/src/utils"
 	"github.com/openshift/assisted-service/models"
 
+	cryptorand "crypto/rand"
+
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/thoas/go-funk"
@@ -35,6 +41,7 @@ const (
 	installConfigMapAttribute      = "invoker"
 	InvokerAssisted                = "assisted-service"
 	InvokerAgent                   = "agent-installer"
+	ECPrivateKeyPEMLabel           = "EC PRIVATE KEY"
 )
 
 func GetHostsInStatus(hosts map[string]inventory_client.HostData, status []string, isMatch bool) map[string]inventory_client.HostData {
@@ -306,3 +313,22 @@ func DownloadKubeconfigNoingress(ctx context.Context, dir string, ic inventory_c
 
 	return kubeconfigPath, nil
 }
+
+func MakeEllipticPrivatePublicKeyPems() ([]byte, []byte, error) {
+	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader)
+	if err != nil {
+		return nil, nil, err
+	}
+	derBytes, err := x509.MarshalECPrivateKey(privateKey)
+	if err != nil {
+		return nil, nil, err
+	}
+	publicKeyBytes, err := x509.MarshalPKIXPublicKey(&privateKey.PublicKey)
+	if err != nil {
+		return nil, nil, err
+	}
+	return pem.EncodeToMemory(&pem.Block{
+		Type:  ECPrivateKeyPEMLabel,
+		Bytes: derBytes,
+	}), publicKeyBytes, nil
+}