Add san for notary cert (#13939)

Signed-off-by: DQ <dengq@vmware.com>
This commit is contained in:
Qian Deng 2021-01-11 11:41:52 +08:00 committed by GitHub
parent c6814f2bcc
commit 52b6a5333a
2 changed files with 10 additions and 4 deletions


@ -65,8 +65,12 @@ def create_root_cert(subj, key_path="./k.key", cert_path="./cert.crt"):
return subprocess.call(["/usr/bin/openssl", "req", "-new", "-x509", "-key", key_path,\ return subprocess.call(["/usr/bin/openssl", "req", "-new", "-x509", "-key", key_path,\
"-out", cert_path, "-days", "3650", "-subj", subj], stdout=DEVNULL, stderr=subprocess.STDOUT) "-out", cert_path, "-days", "3650", "-subj", subj], stdout=DEVNULL, stderr=subprocess.STDOUT)
def create_ext_file(cn, ext_filename):
with open(ext_filename, 'w') as f:
f.write("subjectAltName = DNS.1:{}".format(cn))
@stat_decorator @stat_decorator
def create_cert(subj, ca_key, ca_cert, key_path="./k.key", cert_path="./cert.crt"): def create_cert(subj, ca_key, ca_cert, key_path="./k.key", cert_path="./cert.crt", extfile='extfile.cnf'):
cert_dir = os.path.dirname(cert_path) cert_dir = os.path.dirname(cert_path)
csr_path = os.path.join(cert_dir, "tmp.csr") csr_path = os.path.join(cert_dir, "tmp.csr")
rc = subprocess.call(["/usr/bin/openssl", "req", "-newkey", "rsa:4096", "-nodes","-sha256","-keyout", key_path,\ rc = subprocess.call(["/usr/bin/openssl", "req", "-newkey", "rsa:4096", "-nodes","-sha256","-keyout", key_path,\
@ -74,7 +78,8 @@ def create_cert(subj, ca_key, ca_cert, key_path="./k.key", cert_path="./cert.crt
if rc != 0: if rc != 0:
return rc return rc
return subprocess.call(["/usr/bin/openssl", "x509", "-req", "-days", "3650", "-in", csr_path, "-CA", \ return subprocess.call(["/usr/bin/openssl", "x509", "-req", "-days", "3650", "-in", csr_path, "-CA", \
ca_cert, "-CAkey", ca_key, "-CAcreateserial", "-out", cert_path], stdout=DEVNULL, stderr=subprocess.STDOUT) ca_cert, "-CAkey", ca_key, "-CAcreateserial", "-extfile", extfile ,"-out", cert_path],
stdout=DEVNULL, stderr=subprocess.STDOUT)
def openssl_installed(): def openssl_installed():
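Review bot: The new `extfile='extfile.cnf'` default makes every `create_cert` call pass `-extfile` to `openssl x509`, so a caller that has not first written that file will fail when openssl cannot open it, and a stale `extfile.cnf` left in the working directory by an earlier run would silently become the new certificate's SAN. Default it to `None` and add the option only when set: `def create_cert(subj, ca_key, ca_cert, key_path="./k.key", cert_path="./cert.crt", extfile=None):` and `"-CAcreateserial", *(["-extfile", extfile] if extfile else []), "-out", cert_path],`. Both the default and the path written by `create_ext_file` resolve against the process working directory rather than `cert_dir`, and the file is never removed after signing. `create_ext_file` also interpolates `cn` unquoted into the OpenSSL config, so a docstring such as `"""Write an OpenSSL extension file declaring *cn* as the certificate's single DNS SAN; cn must be a bare hostname."""` would make that contract explicit. The `create_cert` body spans both hunks, and `openssl_installed` continues outside the second one.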


@ -1,6 +1,6 @@
import os, shutil, pathlib import os, shutil, pathlib
from g import templates_dir, config_dir, root_crt_path, secret_key_dir,DEFAULT_UID, DEFAULT_GID from g import templates_dir, config_dir, root_crt_path, secret_key_dir, DEFAULT_UID, DEFAULT_GID
from .cert import openssl_installed, create_cert, create_root_cert, get_alias from .cert import openssl_installed, create_cert, create_root_cert, get_alias, create_ext_file
from .jinja import render_jinja from .jinja import render_jinja
from .misc import mark_file, prepare_dir from .misc import mark_file, prepare_dir
@ -56,6 +56,7 @@ def prepare_env_notary(nginx_config_dir):
signer_cert_path = os.path.join(temp_cert_dir, "notary-signer.crt") signer_cert_path = os.path.join(temp_cert_dir, "notary-signer.crt")
signer_key_path = os.path.join(temp_cert_dir, "notary-signer.key") signer_key_path = os.path.join(temp_cert_dir, "notary-signer.key")
create_root_cert(ca_subj, key_path=signer_ca_key, cert_path=signer_ca_cert) create_root_cert(ca_subj, key_path=signer_ca_key, cert_path=signer_ca_cert)
create_ext_file('notarysigner', 'extfile.cnf')
create_cert(cert_subj, signer_ca_key, signer_ca_cert, key_path=signer_key_path, cert_path=signer_cert_path) create_cert(cert_subj, signer_ca_key, signer_ca_cert, key_path=signer_key_path, cert_path=signer_cert_path)
print("Copying certs for notary signer") print("Copying certs for notary signer")
shutil.copy2(signer_cert_path, signer_cert_secret_path) shutil.copy2(signer_cert_path, signer_cert_secret_path)
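Review bot: `create_ext_file('notarysigner', 'extfile.cnf')` writes the extension file into the process working directory, and the `create_cert` call on the next line relies on its default `extfile` argument naming the same relative file, so the two lines are coupled only by convention and by the caller's cwd. Write it next to the other temporary cert material and pass it explicitly: `ext_path = os.path.join(temp_cert_dir, 'extfile.cnf')`, `create_ext_file('notarysigner', ext_path)`, `create_cert(cert_subj, signer_ca_key, signer_ca_cert, key_path=signer_key_path, cert_path=signer_cert_path, extfile=ext_path)`. The SAN host is the literal `notarysigner` while `cert_subj` is built before this hunk; presumably its CN is the same name, and a comment such as `# SAN must match the hostname the signer is addressed by; clients no longer fall back to CN` would record why the extension is needed. `prepare_env_notary` begins outside the hunk.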