File _service:obs_scm:0020-add-digitalSignature-for-certificates.patch of Package eggo
From 8e1e06e2e4794c85c19d4ee9a528b6b2d35d9624 Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Tue, 18 Jan 2022 16:56:42 +0800
Subject: [PATCH 20/24] add digitalSignature for certificates

Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
 pkg/utils/certs/approvecsr.go       | 10 ++++++----
 pkg/utils/certs/localcerts.go       |  2 +-
 pkg/utils/template/template.go      |  2 +-
 pkg/utils/template/template_test.go |  6 +++---
 4 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/pkg/utils/certs/approvecsr.go b/pkg/utils/certs/approvecsr.go
index 92af905..dfebbee 100644
--- a/pkg/utils/certs/approvecsr.go
+++ b/pkg/utils/certs/approvecsr.go
@@ -69,7 +69,7 @@ func (cv1 *CertificateV1) check(csr certificatesv1.CertificateSigningRequest, wo
 
 	// 3. check csr is requested for serving certificates
 	// usageRequired: "server auth"
-	// usagesOptional: "digital signature", "key encipherment"
+	// usagesOptional: "digital signature", "key encipherment", "data encipherment"
 	required := false
 	for _, u := range csr.Spec.Usages {
 		if u == certificatesv1.UsageServerAuth {
@@ -77,7 +77,8 @@ func (cv1 *CertificateV1) check(csr certificatesv1.CertificateSigningRequest, wo
 			continue
 		}
 
-		if u != certificatesv1.UsageDigitalSignature && u != certificatesv1.UsageKeyEncipherment {
+		if u != certificatesv1.UsageDigitalSignature && u != certificatesv1.UsageKeyEncipherment &&
+			u != certificatesv1.UsageDataEncipherment {
 			logrus.Warnf("csr %s is not requested for serving certificates", csr.Name)
 			return false
 		}
@@ -166,7 +167,7 @@ func (cv1beta1 *CertificateV1beta1) check(csr certificatesv1beta1.CertificateSig
 
 	// 3. check csr is requested for serving certificates
 	// usageRequired: "server auth"
-	// usagesOptional: "digital signature", "key encipherment"
+	// usagesOptional: "digital signature", "key encipherment", "data encipherment"
 	required := false
 	for _, u := range csr.Spec.Usages {
 		if u == certificatesv1beta1.UsageServerAuth {
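Review bot: The allowed-usage filter in `check` is now a growing `&&` chain duplicated in the v1 and v1beta1 methods, and both copies had to be edited in lockstep here and in the -166/-174 hunks; a `switch u { case certificatesv1.UsageDigitalSignature, certificatesv1.UsageKeyEncipherment, certificatesv1.UsageDataEncipherment: default: logrus.Warnf(...); return false }` in each, or one helper taking `string(u)`, keeps the policy in one place. This filter is the approval gate for serving certificates, so the accepted set should match what the signer in use actually permits: if these CSRs go to the kubernetes.io/kubelet-serving signer, upstream validation (as far as I recall) requires the usage set to be exactly server auth plus digital signature, with key encipherment only for RSA keys, and would reject a CSR carrying data encipherment, so confirm against the signer being used. The `// usagesOptional` comment also documents digital signature as optional while the rest of this commit makes it mandatory in generated certificates; a short comment stating why the approver is looser than the generator would help the next reader. Both `check` methods start and end outside the hunks.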
@@ -174,7 +175,8 @@ func (cv1beta1 *CertificateV1beta1) check(csr certificatesv1beta1.CertificateSig
 			continue
 		}
 
-		if u != certificatesv1beta1.UsageDigitalSignature && u != certificatesv1beta1.UsageKeyEncipherment {
+		if u != certificatesv1beta1.UsageDigitalSignature && u != certificatesv1beta1.UsageKeyEncipherment &&
+			u != certificatesv1beta1.UsageDataEncipherment {
 			logrus.Warnf("csr %s is not requested for serving certificates", csr.Name)
 			return false
 		}
diff --git a/pkg/utils/certs/localcerts.go b/pkg/utils/certs/localcerts.go
index c5fe2e5..d613ea9 100644
--- a/pkg/utils/certs/localcerts.go
+++ b/pkg/utils/certs/localcerts.go
@@ -148,7 +148,7 @@ func (l *LocalCertGenerator) CreateCertAndKey(caCertPath, caKeyPath string, conf
 		DNSNames:     config.AltNames.DNSNames,
 		IPAddresses:  ips,
 		SerialNumber: serial,
-		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment,
 		ExtKeyUsage:  config.Usages,
 		NotBefore:    caCert.NotBefore,
 		NotAfter:     time.Now().Add(time.Hour * 24 * 36500).UTC(),
diff --git a/pkg/utils/template/template.go b/pkg/utils/template/template.go
index 3b3138a..b16f55a 100644
--- a/pkg/utils/template/template.go
+++ b/pkg/utils/template/template.go
@@ -77,7 +77,7 @@ IP.{{ Add $i 1 }} = {{ $v }}
 [ v3_ext ]
 authorityKeyIdentifier = keyid,issuer:always
 basicConstraints = CA:FALSE
-keyUsage = keyEncipherment,dataEncipherment
+keyUsage = digitalSignature,keyEncipherment,dataEncipherment
 extendedKeyUsage = {{ .ExtendedKeyUsage }}
 {{- if .HaveAltNames }}
 subjectAltName = @alt_names
diff --git a/pkg/utils/template/template_test.go b/pkg/utils/template/template_test.go
index ae46d48..30d6f2d 100644
--- a/pkg/utils/template/template_test.go
+++ b/pkg/utils/template/template_test.go
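Review bot: The new `KeyUsage` line sets digitalSignature, keyEncipherment and dataEncipherment unconditionally for every certificate `CreateCertAndKey` issues, regardless of the key algorithm or the certificate's purpose. RFC 5280 ties keyEncipherment to RSA key transport and a TLS identity does not need dataEncipherment at all, so an ECDSA key or a client certificate ends up with usage bits it cannot or should not exercise; the least-privilege form is `ku := x509.KeyUsageDigitalSignature`, then `ku |= x509.KeyUsageKeyEncipherment` only when the leaf key is an `*rsa.PrivateKey`, and `KeyUsage: ku` here (the leaf key variable is outside the hunk, so the exact check depends on its name and type). The context line `NotAfter: time.Now().Add(time.Hour * 24 * 36500).UTC()` is not touched by this commit but gives every leaf a 100-year lifetime, which deserves a follow-up since revocation becomes the only way to retire such a certificate. The enclosing function starts and ends outside the hunk.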
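Review bot: The openssl `keyUsage` line in the `v3_ext` section of the template is not marked critical, and it now hard-codes `digitalSignature,keyEncipherment,dataEncipherment` for every certificate rendered from this template, server and client alike, even though `extendedKeyUsage` on the next line is already templated per certificate. RFC 5280 says conforming CAs SHOULD mark keyUsage critical when present, so `keyUsage = critical,digitalSignature,keyEncipherment` is the conservative form, and dataEncipherment can be dropped unless some consumer of these certificates is known to need it. If the Go path in localcerts.go and this openssl path are meant to produce equivalent certificates, a comment above this line naming that pairing would keep the two from drifting apart again.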
@@ -46,7 +46,7 @@ IP.3 = 127.0.0.1
 [ v3_ext ]
 authorityKeyIdentifier = keyid,issuer:always
 basicConstraints = CA:FALSE
-keyUsage = keyEncipherment,dataEncipherment
+keyUsage = digitalSignature,keyEncipherment,dataEncipherment
 extendedKeyUsage = serverAuth,clientAuth
 subjectAltName = @alt_names
 `
@@ -71,7 +71,7 @@ CN = kube-apiserver-kubelet-client
 [ v3_ext ]
 authorityKeyIdentifier=keyid,issuer:always
 basicConstraints=CA:FALSE
-keyUsage=keyEncipherment,dataEncipherment
+keyUsage=digitalSignature,keyEncipherment,dataEncipherment
 extendedKeyUsage=clientAuth
 `
 	kubelet_conf := &CsrConfig{
@@ -92,7 +92,7 @@ CN = front-proxy-client
 [ v3_ext ]
 authorityKeyIdentifier=keyid,issuer:always
 basicConstraints=CA:FALSE
-keyUsage=keyEncipherment,dataEncipherment
+keyUsage=digitalSignature,keyEncipherment,dataEncipherment
 extendedKeyUsage=clientAuth
 `
 	front_proxy_client_conf := &CsrConfig{
-- 
2.25.1