This is an automated email from the ASF dual-hosted git repository.
albumenj pushed a commit to branch refactor-with-go
in repository https://gitbox.apache.org/repos/asf/dubbo-admin.git
The following commit(s) were added to refs/heads/refactor-with-go by this push:
new 5e8984e Fix cert sign
5e8984e is described below
commit 5e8984ef72008406c32164a1a3e9789023bce416
Author: Albumen Kevin <[email protected]>
AuthorDate: Wed Feb 22 19:28:02 2023 +0800
Fix cert sign
---
ca/pkg/cert/storage.go | 41 ++++++++++++++++++++---------------------
ca/pkg/cert/util.go | 8 ++------
ca/pkg/v1alpha1/ca_impl.go | 4 ++--
3 files changed, 24 insertions(+), 29 deletions(-)
diff --git a/ca/pkg/cert/storage.go b/ca/pkg/cert/storage.go
index 5d8ab95..357833e 100644
--- a/ca/pkg/cert/storage.go
+++ b/ca/pkg/cert/storage.go
@@ -34,7 +34,8 @@ type Storage struct {
AuthorityCert *Cert
TrustedCert []*Cert
- ServerCerts map[string]*Cert
+ ServerNames []string
+ ServerCerts *Cert
}
type Cert struct {
@@ -88,15 +89,24 @@ func (c *Cert) GetTlsCert() *tls.Certificate {
}
func (s *Storage) GetServerCert(serverName string) *tls.Certificate {
- if cert, exist := s.ServerCerts[serverName]; exist && cert.IsValid() {
- return cert.GetTlsCert()
+ nameSigned := serverName == ""
+ for _, name := range s.ServerNames {
+ if name == serverName {
+ nameSigned = true
+ break
+ }
+ }
+ if nameSigned && s.ServerCerts != nil && s.ServerCerts.IsValid() {
+ return s.ServerCerts.GetTlsCert()
}
s.Mutex.Lock()
defer s.Mutex.Unlock()
- log.Printf("Generate certificate for %s", serverName)
- cert := SignServerCert(s.AuthorityCert, serverName, s.CertValidity)
- s.ServerCerts[serverName] = cert
- return cert.GetTlsCert()
+ if !nameSigned {
+ s.ServerNames = append(s.ServerNames, serverName)
+ }
+ s.ServerNames = append(s.ServerNames, serverName)
+ s.ServerCerts = SignServerCert(s.AuthorityCert, s.ServerNames,
s.CertValidity)
+ return s.ServerCerts.GetTlsCert()
}
func (s *Storage) RefreshServerCert() {
@@ -104,21 +114,10 @@ func (s *Storage) RefreshServerCert() {
for true {
time.Sleep(time.Duration(interval) * time.Millisecond)
s.Mutex.Lock()
- wg := sync.WaitGroup{}
- wg.Add(len(s.ServerCerts))
- for serverName, cert := range s.ServerCerts {
- cert := cert
- serverName := serverName
- go func() {
- defer wg.Done()
- if cert.NeedRefresh() {
- log.Printf("Server cert for %s is
invalid, refresh it.", serverName)
- cert = SignServerCert(s.AuthorityCert,
serverName, s.CertValidity)
- s.ServerCerts[serverName] = cert
- }
- }()
+ if s.ServerCerts == nil || !s.ServerCerts.IsValid() {
+ log.Printf("Server cert is invalid, refresh it.")
+ s.ServerCerts = SignServerCert(s.AuthorityCert,
s.ServerNames, s.CertValidity)
}
- wg.Wait()
s.Mutex.Unlock()
}
}
diff --git a/ca/pkg/cert/util.go b/ca/pkg/cert/util.go
index 5fdfbe2..3314096 100644
--- a/ca/pkg/cert/util.go
+++ b/ca/pkg/cert/util.go
@@ -103,7 +103,7 @@ func CreateCA(rootCert *Cert, caValidity int64) *Cert {
}
}
-func SignServerCert(authorityCert *Cert, serverName string, certValidity
int64) *Cert {
+func SignServerCert(authorityCert *Cert, serverName []string, certValidity
int64) *Cert {
privKey, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
log.Fatal(err)
@@ -121,7 +121,7 @@ func SignServerCert(authorityCert *Cert, serverName string,
certValidity int64)
KeyUsage: x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
}
- cert.DNSNames = []string{serverName}
+ cert.DNSNames = serverName
c, err := x509.CreateCertificate(rand.Reader, cert, authorityCert.Cert,
&privKey.PublicKey, authorityCert.PrivateKey)
@@ -156,9 +156,6 @@ func LoadCSR(csrString string) (*x509.CertificateRequest,
error) {
func SignFromCSR(csr *x509.CertificateRequest, authorityCert *Cert,
certValidity int64) (string, error) {
csrTemplate := x509.Certificate{
- Signature: csr.Signature,
- SignatureAlgorithm: csr.SignatureAlgorithm,
-
PublicKeyAlgorithm: csr.PublicKeyAlgorithm,
PublicKey: csr.PublicKey,
@@ -187,7 +184,6 @@ func SignFromCSR(csr *x509.CertificateRequest,
authorityCert *Cert, certValidity
return "", err
}
pub := pubPEM.String()
- log.Printf("Sign csr request " + pub)
return pub, nil
}
diff --git a/ca/pkg/v1alpha1/ca_impl.go b/ca/pkg/v1alpha1/ca_impl.go
index 2664b3e..ad7df3a 100644
--- a/ca/pkg/v1alpha1/ca_impl.go
+++ b/ca/pkg/v1alpha1/ca_impl.go
@@ -63,13 +63,13 @@ func (s *DubboCertificateServiceServerImpl)
CreateCertificate(c context.Context,
}
// TODO check server token
- log.Printf("Receive csr request " + req.Csr)
if csr == nil {
return &DubboCertificateResponse{}, nil
}
publicKey, err := cert.SignFromCSR(csr, s.CertStorage.AuthorityCert,
s.Options.CertValidity)
if err != nil {
- log.Fatal(err)
+ log.Printf("Failed to sign certificate from csr: %v", err)
+ return &DubboCertificateResponse{}, nil
}
return &DubboCertificateResponse{
PublicKey: publicKey,
