From 52b6a5333af0a8a9f3f7e51f565caf610af99ce4 Mon Sep 17 00:00:00 2001
From: Qian Deng
Date: Mon, 11 Jan 2021 11:41:52 +0800
Subject: [PATCH] Add san for notary cert (#13939)

Signed-off-by: DQ
---
 make/photon/prepare/utils/cert.py | 9 +++++++--
 make/photon/prepare/utils/notary.py | 5 +++--
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/make/photon/prepare/utils/cert.py b/make/photon/prepare/utils/cert.py
index 3ba42861a..5cc40987a 100644
--- a/make/photon/prepare/utils/cert.py
+++ b/make/photon/prepare/utils/cert.py
@@ -65,8 +65,12 @@ def create_root_cert(subj, key_path="./k.key", cert_path="./cert.crt"):
 return subprocess.call(["/usr/bin/openssl", "req", "-new", "-x509", "-key", key_path,\
 "-out", cert_path, "-days", "3650", "-subj", subj], stdout=DEVNULL, stderr=subprocess.STDOUT)
 
+def create_ext_file(cn, ext_filename):
+ with open(ext_filename, 'w') as f:
+ f.write("subjectAltName = DNS.1:{}".format(cn))
+
 @stat_decorator
-def create_cert(subj, ca_key, ca_cert, key_path="./k.key", cert_path="./cert.crt"):
+def create_cert(subj, ca_key, ca_cert, key_path="./k.key", cert_path="./cert.crt", extfile='extfile.cnf'):
 cert_dir = os.path.dirname(cert_path)
 csr_path = os.path.join(cert_dir, "tmp.csr")
 rc = subprocess.call(["/usr/bin/openssl", "req", "-newkey", "rsa:4096", "-nodes","-sha256","-keyout", key_path,\
@@ -74,7 +78,8 @@ def create_cert(subj, ca_key, ca_cert, key_path="./k.key", cert_path="./cert.crt
 if rc != 0:
 return rc
 return subprocess.call(["/usr/bin/openssl", "x509", "-req", "-days", "3650", "-in", csr_path, "-CA", \
- ca_cert, "-CAkey", ca_key, "-CAcreateserial", "-out", cert_path], stdout=DEVNULL, stderr=subprocess.STDOUT)
+ ca_cert, "-CAkey", ca_key, "-CAcreateserial", "-extfile", extfile ,"-out", cert_path],
+ stdout=DEVNULL, stderr=subprocess.STDOUT)
 def openssl_installed():
diff --git a/make/photon/prepare/utils/notary.py b/make/photon/prepare/utils/notary.py
index 2e571a462..15467cd66 100644
--- a/make/photon/prepare/utils/notary.py
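Review bot: `create_cert` now passes `-extfile extfile` unconditionally, with `extfile` defaulting to the bare relative name `'extfile.cnf'`, so any caller that does not first write that file into the process cwd will fail at the `openssl x509 -req` signing step; this applies to the signature change in the first hunk and the new argument in the second. Making the extension file opt-in keeps existing callers working: default `extfile=None` and append `-extfile` only when a path is supplied, with callers that want a SAN (the notary.py caller in this patch) passing the file they wrote explicitly. The default also resolves against the cwd rather than against `cert_dir`, unlike `csr_path`, so two callers or two runs using the default silently share one file. `create_cert`'s body continues past the end of the first hunk, and `openssl_installed`'s body lies outside the second.
```python
def create_cert(subj, ca_key, ca_cert, key_path="./k.key", cert_path="./cert.crt", extfile=None):
    # … unchanged: CSR generation and rc check …
    sign_cmd = ["/usr/bin/openssl", "x509", "-req", "-days", "3650", "-in", csr_path, "-CA",
                ca_cert, "-CAkey", ca_key, "-CAcreateserial"]
    if extfile:
        # Only request v3 extensions (e.g. subjectAltName) when the caller supplied a file.
        sign_cmd += ["-extfile", extfile]
    sign_cmd += ["-out", cert_path]
    return subprocess.call(sign_cmd, stdout=DEVNULL, stderr=subprocess.STDOUT)
```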
+++ b/make/photon/prepare/utils/notary.py
@@ -1,6 +1,6 @@
 import os, shutil, pathlib
-from g import templates_dir, config_dir, root_crt_path, secret_key_dir,DEFAULT_UID, DEFAULT_GID
-from .cert import openssl_installed, create_cert, create_root_cert, get_alias
+from g import templates_dir, config_dir, root_crt_path, secret_key_dir, DEFAULT_UID, DEFAULT_GID
+from .cert import openssl_installed, create_cert, create_root_cert, get_alias, create_ext_file
 from .jinja import render_jinja
 from .misc import mark_file, prepare_dir
@@ -56,6 +56,7 @@ def prepare_env_notary(nginx_config_dir):
 signer_cert_path = os.path.join(temp_cert_dir, "notary-signer.crt")
 signer_key_path = os.path.join(temp_cert_dir, "notary-signer.key")
 create_root_cert(ca_subj, key_path=signer_ca_key, cert_path=signer_ca_cert)
+ create_ext_file('notarysigner', 'extfile.cnf')
 create_cert(cert_subj, signer_ca_key, signer_ca_cert, key_path=signer_key_path, cert_path=signer_cert_path)
 print("Copying certs for notary signer")
 shutil.copy2(signer_cert_path, signer_cert_secret_path)
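Review bot: The added `create_ext_file('notarysigner', 'extfile.cnf')` line hard-codes both the SAN host and the file name, while the certificate subject comes from `cert_subj`, which is set outside the hunk, so the SAN and the CN can drift apart without anything noticing; and the `create_cert` call on the next line is not told which extension file to use, it only works because the default in cert.py happens to be the same relative name. The file is also written into the process cwd rather than into `temp_cert_dir` with the signer key and CSR, and nothing removes it afterwards. Writing it beside the other artifacts and passing it explicitly ties the two calls together: `ext_path = os.path.join(temp_cert_dir, 'extfile.cnf')`, `create_ext_file('notarysigner', ext_path)`, `create_cert(cert_subj, signer_ca_key, signer_ca_cert, key_path=signer_key_path, cert_path=signer_cert_path, extfile=ext_path)`. `prepare_env_notary` begins and ends outside the hunk.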