Merge pull request #14112 from ninjadq/internal_tls_fail_early_without_san

Add sen existed check for internal cert
2025-02-02 13:01:23 +01:00 · 2021-01-28 17:28:17 +08:00 · 2021-01-28 17:28:17 +08:00 · 30a89f2368
commit 30a89f2368
parent ebe05919be 051b5f289d
2 changed files with 15 additions and 7 deletions
--- a/make/photon/prepare/models.py
+++ b/make/photon/prepare/models.py
@ -5,7 +5,7 @@ from shutil import copytree, rmtree

 from g import internal_tls_dir, DEFAULT_GID, DEFAULT_UID, PG_GID, PG_UID
 from utils.misc import check_permission, owner_can_read, get_realpath, port_number_valid
-
+from utils.cert import san_existed

 class InternalTLS:

@ -75,7 +75,7 @@ class InternalTLS:

    def _check(self, filename: str):
        """
-        Check the permission of cert and key is correct
+        Check cert and key files are correct
        """

        path = Path(os.path.join(internal_tls_dir, filename))
@ -92,12 +92,21 @@ class InternalTLS:
        if filename.endswith('.key') and not check_permission(path, mode=0o600):
            raise Exception('key file {} permission is not 600'.format(filename))

-        # check owner can read cert file
-        if filename.endswith('.crt') and not owner_can_read(path.stat().st_mode):
+        # check certificate file
+        if filename.endswith('.crt'):
+            if not owner_can_read(path.stat().st_mode):
+                # check owner can read cert file
                raise Exception('File {} should readable by owner'.format(filename))
+            if not san_existed(path):
+                # check SAN included
+                if filename == 'harbor_internal_ca.crt':
+                    return
+                raise Exception('cert file {} should include SAN'.format(filename))
+

    def validate(self) -> bool:
        if not self.enabled:
+            # pass the validation if not enabled
            return True

        if not internal_tls_dir.exists():
--- a/make/photon/prepare/utils/cert.py
+++ b/make/photon/prepare/utils/cert.py
@ -58,9 +58,8 @@ def create_ext_file(cn, ext_filename):

 def san_existed(cert_path):
    try:
-        return len(subprocess.check_output(
-            ["/usr/bin/openssl", "x509", "-in",cert_path, "-noout", "-ext", "subjectAltName"]
-            )) > 0
+        return "Subject Alternative Name:" in str(subprocess.check_output(
+            ["/usr/bin/openssl", "x509", "-in", cert_path, "-text"]))
    except subprocess.CalledProcessError:
        pass
    return False