From a61e9b0e2eae9f07839d2c996832eab3edf2bb32 Mon Sep 17 00:00:00 2001
From: DQ
Date: Thu, 14 Jan 2021 21:23:28 +0800
Subject: [PATCH] Add san for notary upgrading if san not exists then remove that cert, prepare will regenerate one
Signed-off-by: DQ
---
 make/photon/prepare/utils/cert.py | 9 +++++++++
 make/photon/prepare/utils/notary.py | 20 ++++++++++++++++----
 2 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/make/photon/prepare/utils/cert.py b/make/photon/prepare/utils/cert.py
index 838518068..410529222 100644
--- a/make/photon/prepare/utils/cert.py
+++ b/make/photon/prepare/utils/cert.py
@@ -56,6 +56,15 @@ def create_ext_file(cn, ext_filename):
     with open(ext_filename, 'w') as f:
         f.write("subjectAltName = DNS.1:{}".format(cn))
 
+def san_existed(cert_path):
+    try:
+        return len(subprocess.check_output(
+            ["/usr/bin/openssl", "x509", "-in",cert_path, "-noout", "-ext", "subjectAltName"]
+        )) > 0
+    except subprocess.CalledProcessError:
+        pass
+    return False
+
 @stat_decorator
 def create_cert(subj, ca_key, ca_cert, key_path="./k.key", cert_path="./cert.crt", extfile='extfile.cnf'):
     cert_dir = os.path.dirname(cert_path)
diff --git a/make/photon/prepare/utils/notary.py b/make/photon/prepare/utils/notary.py
index 76a038ae0..12deea9d8 100644
--- a/make/photon/prepare/utils/notary.py
+++ b/make/photon/prepare/utils/notary.py
@@ -1,6 +1,6 @@
 import os, shutil, pathlib
 from g import templates_dir, config_dir, root_crt_path, secret_key_dir, secret_dir, DEFAULT_UID, DEFAULT_GID
-from .cert import openssl_installed, create_cert, create_root_cert, get_alias, create_ext_file
+from .cert import openssl_installed, create_cert, create_root_cert, get_alias, create_ext_file, san_existed
 from .jinja import render_jinja
 from .misc import mark_file, prepare_dir
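Review bot: The `len(...) > 0` test in `san_existed` treats any stdout from openssl as proof of a SAN, yet some openssl builds print a diagnostic such as `No extensions in certificate` for a certificate that has no extensions at all — which is what a legacy signer cert generated without an extfile looks like — so that cert would be reported as having a SAN and kept. Matching the printed extension label is more robust: `out = subprocess.check_output([...])` then `return b"Subject Alternative Name" in out`; and since `-ext` is only understood by newer openssl releases, on an older binary every call raises `CalledProcessError`, the function returns False and the caller removes a valid cert on each run — worth checking against the openssl shipped in the prepare image. `pass` in the `except` followed by an unconditional `return False` also discards openssl's stderr; a `return False` inside the `except` (with `stderr=subprocess.STDOUT` captured if the message should be logged) states the failure path directly. This assumes `subprocess` is already imported at the top of cert.py, which is outside the hunk.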
@@ -30,20 +30,32 @@ def prepare_env_notary(nginx_config_dir):
     signer_key_secret_path = pathlib.Path(os.path.join(notary_secret_dir, 'notary-signer.key'))
     signer_ca_cert_secret_path = pathlib.Path(os.path.join(notary_secret_dir, 'notary-signer-ca.crt'))
 
+
+
+    # If openssl installed, using it to check san existed in cert.
+    # Remove cert file if it not contains san
+    if signer_cert_secret_path.exists() and openssl_installed():
+        if not san_existed(signer_cert_secret_path):
+            signer_cert_secret_path.unlink(missing_ok=True)
+    if old_signer_cert_secret_path.exists() and openssl_installed():
+        if not san_existed(old_signer_cert_secret_path):
+            old_signer_cert_secret_path.unlink(missing_ok=True)
+
     # In version 1.8 the secret path changed
-    # If cert, key , ca all are exist in new place don't do anything
+    # If all cert, key and ca files are existed in new location don't do anything
+    # Or we should do the following logic
     if not(
         signer_cert_secret_path.exists() and
         signer_key_secret_path.exists() and
         signer_ca_cert_secret_path.exists()
         ):
-        # If the certs are exist in old place, move it to new place
+        # If the certs are exist in old localtion, move them to new location
         if old_signer_ca_cert_secret_path.exists() and old_signer_cert_secret_path.exists() and old_signer_key_secret_path.exists():
             print("Copying certs for notary signer")
             shutil.copy2(old_signer_ca_cert_secret_path, signer_ca_cert_secret_path)
             shutil.copy2(old_signer_key_secret_path, signer_key_secret_path)
             shutil.copy2(old_signer_cert_secret_path, signer_cert_secret_path)
-        # If certs neither exist in new place nor in the old place, create it and move it to new place
+        # If certs neither existed in new location nor in the old place, create it and move it to new location
         elif openssl_installed():
             try:
                 temp_cert_dir = os.path.join('/tmp', "cert_tmp")
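Review bot: The two new `unlink` calls delete a notary signer certificate silently, while the copy branch a few lines below prints what it does; a `print("Removing notary signer cert without SAN: {}".format(signer_cert_secret_path))` (and the same for the old path) before each `unlink` would leave a trace in the prepare output for whoever later wonders why the cert changed. `missing_ok=True` is redundant after the `.exists()` guard and raises `TypeError` on interpreters older than Python 3.8, so either drop the keyword or drop the `.exists()` check rather than keep both. Both blocks are identical apart from the path and `openssl_installed()` is evaluated twice; a loop `for cert in (signer_cert_secret_path, old_signer_cert_secret_path):` under a single `if openssl_installed():` removes the duplication. Only the .crt is removed while the matching .key stays, so the regeneration branch further down must write a fresh key along with the cert or the pair will mismatch — `create_cert` in cert.py takes both a key_path and a cert_path, which suggests it does, but that code is outside this hunk, and prepare_env_notary also continues past the hunk.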