Add san for notary upgrading

if san not exists then remove that cert, prepare will regenerate one

Signed-off-by: DQ <dengq@vmware.com>
This commit is contained in:
DQ 2021-01-14 21:23:28 +08:00
parent 42559479e6
commit a61e9b0e2e
2 changed files with 25 additions and 4 deletions

View File

@ -56,6 +56,15 @@ def create_ext_file(cn, ext_filename):
with open(ext_filename, 'w') as f: with open(ext_filename, 'w') as f:
f.write("subjectAltName = DNS.1:{}".format(cn)) f.write("subjectAltName = DNS.1:{}".format(cn))
def san_existed(cert_path):
try:
return len(subprocess.check_output(
["/usr/bin/openssl", "x509", "-in",cert_path, "-noout", "-ext", "subjectAltName"]
)) > 0
except subprocess.CalledProcessError:
pass
return False
@stat_decorator @stat_decorator
def create_cert(subj, ca_key, ca_cert, key_path="./k.key", cert_path="./cert.crt", extfile='extfile.cnf'): def create_cert(subj, ca_key, ca_cert, key_path="./k.key", cert_path="./cert.crt", extfile='extfile.cnf'):
cert_dir = os.path.dirname(cert_path) cert_dir = os.path.dirname(cert_path)

View File

@ -1,6 +1,6 @@
import os, shutil, pathlib import os, shutil, pathlib
from g import templates_dir, config_dir, root_crt_path, secret_key_dir, secret_dir, DEFAULT_UID, DEFAULT_GID from g import templates_dir, config_dir, root_crt_path, secret_key_dir, secret_dir, DEFAULT_UID, DEFAULT_GID
from .cert import openssl_installed, create_cert, create_root_cert, get_alias, create_ext_file from .cert import openssl_installed, create_cert, create_root_cert, get_alias, create_ext_file, san_existed
from .jinja import render_jinja from .jinja import render_jinja
from .misc import mark_file, prepare_dir from .misc import mark_file, prepare_dir
@ -30,20 +30,32 @@ def prepare_env_notary(nginx_config_dir):
signer_key_secret_path = pathlib.Path(os.path.join(notary_secret_dir, 'notary-signer.key')) signer_key_secret_path = pathlib.Path(os.path.join(notary_secret_dir, 'notary-signer.key'))
signer_ca_cert_secret_path = pathlib.Path(os.path.join(notary_secret_dir, 'notary-signer-ca.crt')) signer_ca_cert_secret_path = pathlib.Path(os.path.join(notary_secret_dir, 'notary-signer-ca.crt'))
# If openssl installed, using it to check san existed in cert.
# Remove cert file if it not contains san
if signer_cert_secret_path.exists() and openssl_installed():
if not san_existed(signer_cert_secret_path):
signer_cert_secret_path.unlink(missing_ok=True)
if old_signer_cert_secret_path.exists() and openssl_installed():
if not san_existed(old_signer_cert_secret_path):
old_signer_cert_secret_path.unlink(missing_ok=True)
# In version 1.8 the secret path changed # In version 1.8 the secret path changed
# If cert, key , ca all are exist in new place don't do anything # If all cert, key and ca files are existed in new location don't do anything
# Or we should do the following logic
if not( if not(
signer_cert_secret_path.exists() and signer_cert_secret_path.exists() and
signer_key_secret_path.exists() and signer_key_secret_path.exists() and
signer_ca_cert_secret_path.exists() signer_ca_cert_secret_path.exists()
): ):
# If the certs are exist in old place, move it to new place # If the certs are exist in old localtion, move them to new location
if old_signer_ca_cert_secret_path.exists() and old_signer_cert_secret_path.exists() and old_signer_key_secret_path.exists(): if old_signer_ca_cert_secret_path.exists() and old_signer_cert_secret_path.exists() and old_signer_key_secret_path.exists():
print("Copying certs for notary signer") print("Copying certs for notary signer")
shutil.copy2(old_signer_ca_cert_secret_path, signer_ca_cert_secret_path) shutil.copy2(old_signer_ca_cert_secret_path, signer_ca_cert_secret_path)
shutil.copy2(old_signer_key_secret_path, signer_key_secret_path) shutil.copy2(old_signer_key_secret_path, signer_key_secret_path)
shutil.copy2(old_signer_cert_secret_path, signer_cert_secret_path) shutil.copy2(old_signer_cert_secret_path, signer_cert_secret_path)
# If certs neither exist in new place nor in the old place, create it and move it to new place # If certs neither existed in new location nor in the old place, create it and move it to new location
elif openssl_installed(): elif openssl_installed():
try: try:
temp_cert_dir = os.path.join('/tmp', "cert_tmp") temp_cert_dir = os.path.join('/tmp', "cert_tmp")