Add san for notary upgrading

if san not exists then remove that cert, prepare will regenerate one Signed-off-by: DQ <dengq@vmware.com>
2024-11-25 03:35:21 +01:00 · 2021-01-14 21:23:28 +08:00 · 2021-01-14 21:23:28 +08:00 · a61e9b0e2e
commit a61e9b0e2e
parent 42559479e6
2 changed files with 25 additions and 4 deletions
--- a/make/photon/prepare/utils/cert.py
+++ b/make/photon/prepare/utils/cert.py
@ -56,6 +56,15 @@ def create_ext_file(cn, ext_filename):
    with open(ext_filename, 'w') as f:
        f.write("subjectAltName = DNS.1:{}".format(cn))

+def san_existed(cert_path):
+    try:
+        return len(subprocess.check_output(
+            ["/usr/bin/openssl", "x509", "-in",cert_path, "-noout", "-ext", "subjectAltName"]
+            )) > 0
+    except subprocess.CalledProcessError:
+        pass
+    return False
+
@stat_decorator
 def create_cert(subj, ca_key, ca_cert, key_path="./k.key", cert_path="./cert.crt", extfile='extfile.cnf'):
    cert_dir = os.path.dirname(cert_path)
--- a/make/photon/prepare/utils/notary.py
+++ b/make/photon/prepare/utils/notary.py
@ -1,6 +1,6 @@
 import os, shutil, pathlib
 from g import templates_dir, config_dir, root_crt_path, secret_key_dir, secret_dir, DEFAULT_UID, DEFAULT_GID
-from .cert import openssl_installed, create_cert, create_root_cert, get_alias, create_ext_file
+from .cert import openssl_installed, create_cert, create_root_cert, get_alias, create_ext_file, san_existed
 from .jinja import render_jinja
 from .misc import mark_file, prepare_dir

@ -30,20 +30,32 @@ def prepare_env_notary(nginx_config_dir):
    signer_key_secret_path = pathlib.Path(os.path.join(notary_secret_dir, 'notary-signer.key'))
    signer_ca_cert_secret_path = pathlib.Path(os.path.join(notary_secret_dir, 'notary-signer-ca.crt'))

+
+
+    # If openssl installed, using it to check san existed in cert.
+    # Remove cert file if it not contains san
+    if signer_cert_secret_path.exists() and openssl_installed():
+        if not san_existed(signer_cert_secret_path):
+            signer_cert_secret_path.unlink(missing_ok=True)
+    if old_signer_cert_secret_path.exists() and openssl_installed():
+        if not san_existed(old_signer_cert_secret_path):
+            old_signer_cert_secret_path.unlink(missing_ok=True)
+
    # In version 1.8 the secret path changed
-    # If cert, key , ca all are exist in new place don't do anything
+    # If all cert, key and ca files are existed in new location don't do anything
+    # Or we should do the following logic
    if not(
        signer_cert_secret_path.exists() and
        signer_key_secret_path.exists() and
        signer_ca_cert_secret_path.exists()
        ):
-        # If the certs are exist in old place, move it to new place
+        # If the certs are exist in old localtion, move them to new location
        if old_signer_ca_cert_secret_path.exists() and old_signer_cert_secret_path.exists() and old_signer_key_secret_path.exists():
            print("Copying certs for notary signer")
            shutil.copy2(old_signer_ca_cert_secret_path, signer_ca_cert_secret_path)
            shutil.copy2(old_signer_key_secret_path, signer_key_secret_path)
            shutil.copy2(old_signer_cert_secret_path, signer_cert_secret_path)
-        # If certs neither exist in new place nor in the old place, create it and move it to new place
+        # If certs neither existed in new location nor in the old place, create it and move it to new location
        elif openssl_installed():
            try:
                temp_cert_dir = os.path.join('/tmp', "cert_tmp")