certauthority.go: Refactor issuing client versus server certs

We were previously issuing both client certs and server certs with
both extended key usages included. Split the Issue*() methods into
separate methods for issuing server certs versus client certs so
they can have different extended key usages tailored for each use
case.

Also took the opportunity to clean up the parameters of the Issue*()
methods and New() methods to more closely match how we prefer to call
them. We were always only passing the common name part of the
pkix.Name to New(), so now the New() method just takes the common name
as a string. When making a server cert, we don't need to set the
deprecated common name field, so remove that param. When making a client
cert, we're always making it in the format expected by the Kube API
server, so just accept the username and group as parameters directly.

cmd/local-user-authenticator/main_test.go

@@ -8,7 +8,6 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
-	"crypto/x509/pkix"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -464,10 +463,10 @@ func newCertProvider(t *testing.T) (dynamiccert.Provider, []byte, string) {
 
 	serverName := "local-user-authenticator"
 
-	ca, err := certauthority.New(pkix.Name{CommonName: serverName + " CA"}, time.Hour*24)
+	ca, err := certauthority.New(serverName+" CA", time.Hour*24)
 	require.NoError(t, err)
 
-	cert, err := ca.Issue(pkix.Name{CommonName: serverName}, []string{serverName}, nil, time.Hour*24)
+	cert, err := ca.IssueServerCert([]string{serverName}, nil, time.Hour*24)
 	require.NoError(t, err)
 
 	certPEM, keyPEM, err := certauthority.ToPEM(cert)

cmd/pinniped/cmd/flag_types_test.go

@@ -5,7 +5,6 @@ package cmd
 
 import (
 	"bytes"
-	"crypto/x509/pkix"
 	"fmt"
 	"io/ioutil"
 	"path/filepath"
@@ -51,7 +50,7 @@ func TestConciergeModeFlag(t *testing.T) {
 }
 
 func TestCABundleFlag(t *testing.T) {
-	testCA, err := certauthority.New(pkix.Name{CommonName: "Test CA"}, 1*time.Hour)
+	testCA, err := certauthority.New("Test CA", 1*time.Hour)
 	require.NoError(t, err)
 	tmpdir := testutil.TempDir(t)
 	emptyFilePath := filepath.Join(tmpdir, "empty")

cmd/pinniped/cmd/kubeconfig_test.go

@@ -5,7 +5,6 @@ package cmd
 
 import (
 	"bytes"
-	"crypto/x509/pkix"
 	"encoding/base64"
 	"fmt"
 	"io/ioutil"
@@ -30,13 +29,13 @@ import (
 )
 
 func TestGetKubeconfig(t *testing.T) {
-	testOIDCCA, err := certauthority.New(pkix.Name{CommonName: "Test CA"}, 1*time.Hour)
+	testOIDCCA, err := certauthority.New("Test CA", 1*time.Hour)
 	require.NoError(t, err)
 	tmpdir := testutil.TempDir(t)
 	testOIDCCABundlePath := filepath.Join(tmpdir, "testca.pem")
 	require.NoError(t, ioutil.WriteFile(testOIDCCABundlePath, testOIDCCA.Bundle(), 0600))
 
-	testConciergeCA, err := certauthority.New(pkix.Name{CommonName: "Test Concierge CA"}, 1*time.Hour)
+	testConciergeCA, err := certauthority.New("Test Concierge CA", 1*time.Hour)
 	require.NoError(t, err)
 	testConciergeCABundlePath := filepath.Join(tmpdir, "testconciergeca.pem")
 	require.NoError(t, ioutil.WriteFile(testConciergeCABundlePath, testConciergeCA.Bundle(), 0600))

cmd/pinniped/cmd/login_oidc_test.go

@@ -6,7 +6,6 @@ package cmd
 import (
 	"bytes"
 	"context"
-	"crypto/x509/pkix"
 	"encoding/base64"
 	"fmt"
 	"io/ioutil"
@@ -29,7 +28,7 @@ import (
 func TestLoginOIDCCommand(t *testing.T) {
 	cfgDir := mustGetConfigDir()
 
-	testCA, err := certauthority.New(pkix.Name{CommonName: "Test CA"}, 1*time.Hour)
+	testCA, err := certauthority.New("Test CA", 1*time.Hour)
 	require.NoError(t, err)
 	tmpdir := testutil.TempDir(t)
 	testCABundlePath := filepath.Join(tmpdir, "testca.pem")

cmd/pinniped/cmd/login_static_test.go

@@ -6,7 +6,6 @@ package cmd
 import (
 	"bytes"
 	"context"
-	"crypto/x509/pkix"
 	"fmt"
 	"io/ioutil"
 	"path/filepath"
@@ -24,7 +23,7 @@ import (
 )
 
 func TestLoginStaticCommand(t *testing.T) {
-	testCA, err := certauthority.New(pkix.Name{CommonName: "Test CA"}, 1*time.Hour)
+	testCA, err := certauthority.New("Test CA", 1*time.Hour)
 	require.NoError(t, err)
 	tmpdir := testutil.TempDir(t)
 	testCABundlePath := filepath.Join(tmpdir, "testca.pem")