packages/eggo
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
eggo/0020-add-digitalSignature-for-certificates.patch
zhangxiaoyu 3c0e052f45 update from openeuler 
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
2023-02-03 15:03:58 +08:00

116 lines
4.7 KiB
Diff
Raw Permalink Blame History

From 8e1e06e2e4794c85c19d4ee9a528b6b2d35d9624 Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Tue, 18 Jan 2022 16:56:42 +0800
Subject: [PATCH 20/24] add digitalSignature for certificates
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
pkg/utils/certs/approvecsr.go | 10 ++++++----
pkg/utils/certs/localcerts.go | 2 +-
pkg/utils/template/template.go | 2 +-
pkg/utils/template/template_test.go | 6 +++---
4 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/pkg/utils/certs/approvecsr.go b/pkg/utils/certs/approvecsr.go
index 92af905..dfebbee 100644
--- a/pkg/utils/certs/approvecsr.go
+++ b/pkg/utils/certs/approvecsr.go
@@ -69,7 +69,7 @@ func (cv1 *CertificateV1) check(csr certificatesv1.CertificateSigningRequest, wo
// 3. check csr is requested for serving certificates
// usageRequired: "server auth"
- // usagesOptional: "digital signature", "key encipherment"
+ // usagesOptional: "digital signature", "key encipherment", "data encipherment"
required := false
for _, u := range csr.Spec.Usages {
if u == certificatesv1.UsageServerAuth {
@@ -77,7 +77,8 @@ func (cv1 *CertificateV1) check(csr certificatesv1.CertificateSigningRequest, wo
continue
}
- if u != certificatesv1.UsageDigitalSignature && u != certificatesv1.UsageKeyEncipherment {
+ if u != certificatesv1.UsageDigitalSignature && u != certificatesv1.UsageKeyEncipherment &&
+ u != certificatesv1.UsageDataEncipherment {
logrus.Warnf("csr %s is not requested for serving certificates", csr.Name)
return false
}
@@ -166,7 +167,7 @@ func (cv1beta1 *CertificateV1beta1) check(csr certificatesv1beta1.CertificateSig
// 3. check csr is requested for serving certificates
// usageRequired: "server auth"
- // usagesOptional: "digital signature", "key encipherment"
+ // usagesOptional: "digital signature", "key encipherment", "data encipherment"
required := false
for _, u := range csr.Spec.Usages {
if u == certificatesv1beta1.UsageServerAuth {
@@ -174,7 +175,8 @@ func (cv1beta1 *CertificateV1beta1) check(csr certificatesv1beta1.CertificateSig
continue
}
- if u != certificatesv1beta1.UsageDigitalSignature && u != certificatesv1beta1.UsageKeyEncipherment {
+ if u != certificatesv1beta1.UsageDigitalSignature && u != certificatesv1beta1.UsageKeyEncipherment &&
+ u != certificatesv1beta1.UsageDataEncipherment {
logrus.Warnf("csr %s is not requested for serving certificates", csr.Name)
return false
}
diff --git a/pkg/utils/certs/localcerts.go b/pkg/utils/certs/localcerts.go
index c5fe2e5..d613ea9 100644
--- a/pkg/utils/certs/localcerts.go
+++ b/pkg/utils/certs/localcerts.go
@@ -148,7 +148,7 @@ func (l *LocalCertGenerator) CreateCertAndKey(caCertPath, caKeyPath string, conf
DNSNames: config.AltNames.DNSNames,
IPAddresses: ips,
SerialNumber: serial,
- KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+ KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment,
ExtKeyUsage: config.Usages,
NotBefore: caCert.NotBefore,
NotAfter: time.Now().Add(time.Hour * 24 * 36500).UTC(),
diff --git a/pkg/utils/template/template.go b/pkg/utils/template/template.go
index 3b3138a..b16f55a 100644
--- a/pkg/utils/template/template.go
+++ b/pkg/utils/template/template.go
@@ -77,7 +77,7 @@ IP.{{ Add $i 1 }} = {{ $v }}
[ v3_ext ]
authorityKeyIdentifier = keyid,issuer:always
basicConstraints = CA:FALSE
-keyUsage = keyEncipherment,dataEncipherment
+keyUsage = digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage = {{ .ExtendedKeyUsage }}
{{- if .HaveAltNames }}
subjectAltName = @alt_names
diff --git a/pkg/utils/template/template_test.go b/pkg/utils/template/template_test.go
index ae46d48..30d6f2d 100644
--- a/pkg/utils/template/template_test.go
+++ b/pkg/utils/template/template_test.go
@@ -46,7 +46,7 @@ IP.3 = 127.0.0.1
[ v3_ext ]
authorityKeyIdentifier = keyid,issuer:always
basicConstraints = CA:FALSE
-keyUsage = keyEncipherment,dataEncipherment
+keyUsage = digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names
`
@@ -71,7 +71,7 @@ CN = kube-apiserver-kubelet-client
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
-keyUsage=keyEncipherment,dataEncipherment
+keyUsage=digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage=clientAuth
`
kubelet_conf := &CsrConfig{
@@ -92,7 +92,7 @@ CN = front-proxy-client
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
-keyUsage=keyEncipherment,dataEncipherment
+keyUsage=digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage=clientAuth
`
front_proxy_client_conf := &CsrConfig{
--
2.25.1
Reference in New Issue View Git Blame Copy Permalink