Add san for notary cert (#13928)

Signed-off-by: DQ <dengq@vmware.com>
This commit is contained in:
Qian Deng 2021-01-08 01:00:34 +08:00 committed by GitHub
parent 4ea881564e
commit 642d56041d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 3 deletions


@ -52,8 +52,12 @@ def create_root_cert(subj, key_path="./k.key", cert_path="./cert.crt"):
return subprocess.call(["/usr/bin/openssl", "req", "-new", "-x509", "-key", key_path,\
"-out", cert_path, "-days", "3650", "-subj", subj], stdout=DEVNULL, stderr=subprocess.STDOUT)
def create_ext_file(cn, ext_filename):
with open(ext_filename, 'w') as f:
f.write("subjectAltName = DNS.1:{}".format(cn))
@stat_decorator
def create_cert(subj, ca_key, ca_cert, key_path="./k.key", cert_path="./cert.crt"):
def create_cert(subj, ca_key, ca_cert, key_path="./k.key", cert_path="./cert.crt", extfile='extfile.cnf'):
cert_dir = os.path.dirname(cert_path)
csr_path = os.path.join(cert_dir, "tmp.csr")
rc = subprocess.call(["/usr/bin/openssl", "req", "-newkey", "rsa:4096", "-nodes","-sha256","-keyout", key_path,\
@ -61,7 +65,8 @@ def create_cert(subj, ca_key, ca_cert, key_path="./k.key", cert_path="./cert.crt
if rc != 0:
return rc
return subprocess.call(["/usr/bin/openssl", "x509", "-req", "-days", "3650", "-in", csr_path, "-CA", \
ca_cert, "-CAkey", ca_key, "-CAcreateserial", "-out", cert_path], stdout=DEVNULL, stderr=subprocess.STDOUT)
ca_cert, "-CAkey", ca_key, "-CAcreateserial", "-extfile", extfile ,"-out", cert_path],
stdout=DEVNULL, stderr=subprocess.STDOUT)
def openssl_installed():
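Review bot: The new default `extfile='extfile.cnf'` on create_cert (first hunk) makes every call that relies on the defaults depend on an openssl config file in the process's current working directory, and because the x509 call in the second hunk sends stderr to DEVNULL, a missing or unreadable file surfaces only as a non-zero return code with no message. Any other caller of create_cert that does not write an ext file would presumably start failing; verify that against the remaining call sites. Defaulting `extfile=None` and appending `-extfile` only when one is supplied keeps prior callers unchanged, with the notary caller passing its path explicitly, and an `os.path.isfile(extfile)` check before the call would give a readable failure instead of a bare rc. create_ext_file should also get a docstring such as `"""Write a minimal openssl extension file declaring cn as the certificate's single DNS SAN (openssl config syntax, so cn must be a plain hostname)."""`. create_cert's body continues between the two hunks, outside what is shown.

```python
def create_cert(subj, ca_key, ca_cert, key_path="./k.key", cert_path="./cert.crt", extfile=None):
    # … unchanged: CSR generation and rc check …
    cmd = ["/usr/bin/openssl", "x509", "-req", "-days", "3650", "-in", csr_path, "-CA",
           ca_cert, "-CAkey", ca_key, "-CAcreateserial"]
    if extfile:
        # only bind the SAN extension file when the caller provides one
        cmd += ["-extfile", extfile]
    return subprocess.call(cmd + ["-out", cert_path], stdout=DEVNULL, stderr=subprocess.STDOUT)
```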


@ -1,6 +1,6 @@
import os, shutil, pathlib
from g import templates_dir, config_dir, root_crt_path, secret_key_dir, secret_dir, DEFAULT_UID, DEFAULT_GID
from .cert import openssl_installed, create_cert, create_root_cert, get_alias
from .cert import openssl_installed, create_cert, create_root_cert, get_alias, create_ext_file
from .jinja import render_jinja
from .misc import mark_file, prepare_dir
@ -56,6 +56,7 @@ def prepare_env_notary(nginx_config_dir):
signer_cert_path = os.path.join(temp_cert_dir, "notary-signer.crt")
signer_key_path = os.path.join(temp_cert_dir, "notary-signer.key")
create_root_cert(ca_subj, key_path=signer_ca_key, cert_path=signer_ca_cert)
create_ext_file('notarysigner', 'extfile.cnf')
create_cert(cert_subj, signer_ca_key, signer_ca_cert, key_path=signer_key_path, cert_path=signer_cert_path)
print("Copying certs for notary signer")
shutil.copy2(signer_cert_path, signer_cert_secret_path)
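Review bot: The ext file written at `create_ext_file('notarysigner', 'extfile.cnf')` lands in the current working directory and is picked up by the following create_cert call only through its matching default, so the two calls are coupled by CWD rather than by an explicit path, and the file is left behind afterwards. Writing it next to the other notary material and passing it explicitly removes that coupling: `ext_path = os.path.join(temp_cert_dir, "extfile.cnf")`, `create_ext_file('notarysigner', ext_path)`, `create_cert(cert_subj, signer_ca_key, signer_ca_cert, key_path=signer_key_path, cert_path=signer_cert_path, extfile=ext_path)`. The SAN value 'notarysigner' is hard-coded here while the subject comes from cert_subj, which is built outside the hunk; a short comment stating that this SAN must match the hostname the signer is reached by (presumably the service name notary-server connects to; confirm) would help the next reader. prepare_env_notary starts and ends outside the hunk.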