From 8e1e06e2e4794c85c19d4ee9a528b6b2d35d9624 Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Tue, 18 Jan 2022 16:56:42 +0800
Subject: [PATCH 20/24] add digitalSignature for certificates
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
pkg/utils/certs/approvecsr.go | 10 ++++++----
pkg/utils/certs/localcerts.go | 2 +-
pkg/utils/template/template.go | 2 +-
pkg/utils/template/template_test.go | 6 +++---
4 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/pkg/utils/certs/approvecsr.go b/pkg/utils/certs/approvecsr.go
index 92af905..dfebbee 100644
--- a/pkg/utils/certs/approvecsr.go
+++ b/pkg/utils/certs/approvecsr.go
@@ -69,7 +69,7 @@ func (cv1 *CertificateV1) check(csr certificatesv1.CertificateSigningRequest, wo
// 3. check csr is requested for serving certificates
// usageRequired: "server auth"
- // usagesOptional: "digital signature", "key encipherment"
+ // usagesOptional: "digital signature", "key encipherment", "data encipherment"
required := false
for _, u := range csr.Spec.Usages {
if u == certificatesv1.UsageServerAuth {
@@ -77,7 +77,8 @@ func (cv1 *CertificateV1) check(csr certificatesv1.CertificateSigningRequest, wo
continue
}
- if u != certificatesv1.UsageDigitalSignature && u != certificatesv1.UsageKeyEncipherment {
+ if u != certificatesv1.UsageDigitalSignature && u != certificatesv1.UsageKeyEncipherment &&
+ u != certificatesv1.UsageDataEncipherment {
logrus.Warnf("csr %s is not requested for serving certificates", csr.Name)
return false
}
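Review bot: The approver allow-list at `u != certificatesv1.UsageDataEncipherment` now lets a CSR carrying "data encipherment" through, a key-usage bit TLS never exercises for a serving certificate, so the gate that decides what gets signed without operator review is wider than serving certificates need. If the only reason is that the CSRs produced by the openssl template in this same patch now request that bit, it would be cleaner to drop it from the template than to loosen the approver; otherwise the comment above the loop should say why the approver must tolerate it, e.g. `// "data encipherment" is tolerated only because eggo's own CSR template requests it; TLS does not use it`. The `Warnf` text still reads correctly since every other usage is rejected. `check` continues outside the hunk, so I cannot see what the caller does with the `false`.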
@@ -166,7 +167,7 @@ func (cv1beta1 *CertificateV1beta1) check(csr certificatesv1beta1.CertificateSig
// 3. check csr is requested for serving certificates
// usageRequired: "server auth"
- // usagesOptional: "digital signature", "key encipherment"
+ // usagesOptional: "digital signature", "key encipherment", "data encipherment"
required := false
for _, u := range csr.Spec.Usages {
if u == certificatesv1beta1.UsageServerAuth {
@@ -174,7 +175,8 @@ func (cv1beta1 *CertificateV1beta1) check(csr certificatesv1beta1.CertificateSig
continue
}
- if u != certificatesv1beta1.UsageDigitalSignature && u != certificatesv1beta1.UsageKeyEncipherment {
+ if u != certificatesv1beta1.UsageDigitalSignature && u != certificatesv1beta1.UsageKeyEncipherment &&
+ u != certificatesv1beta1.UsageDataEncipherment {
logrus.Warnf("csr %s is not requested for serving certificates", csr.Name)
return false
}
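Review bot: This condition is a copy of the v1 branch with only the package prefix changed, and the same three-entry allow-list now lives in two comments and two `if` chains, so the two approvers will drift the next time a usage is added or removed. Both `certificatesv1.KeyUsage` and `certificatesv1beta1.KeyUsage` are, as far as I recall, defined as string types in k8s.io/api, so one string-keyed helper can serve both loops and keep the allow-list in a single place. `check` continues outside the hunk.
```go
// isServingCSRUsage reports whether u is a key usage the approver tolerates on a
// serving CSR besides the mandatory "server auth".
func isServingCSRUsage(u string) bool {
	switch u {
	case string(certificatesv1.UsageDigitalSignature),
		string(certificatesv1.UsageKeyEncipherment),
		string(certificatesv1.UsageDataEncipherment):
		return true
	}
	return false
}

// … unchanged: required / "server auth" handling in the v1beta1 loop …
if !isServingCSRUsage(string(u)) {
	logrus.Warnf("csr %s is not requested for serving certificates", csr.Name)
	return false
}
```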
diff --git a/pkg/utils/certs/localcerts.go b/pkg/utils/certs/localcerts.go
index c5fe2e5..d613ea9 100644
--- a/pkg/utils/certs/localcerts.go
+++ b/pkg/utils/certs/localcerts.go
@@ -148,7 +148,7 @@ func (l *LocalCertGenerator) CreateCertAndKey(caCertPath, caKeyPath string, conf
DNSNames: config.AltNames.DNSNames,
IPAddresses: ips,
SerialNumber: serial,
- KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+ KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment,
ExtKeyUsage: config.Usages,
NotBefore: caCert.NotBefore,
NotAfter: time.Now().Add(time.Hour * 24 * 36500).UTC(),
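Review bot: `NotAfter: time.Now().Add(time.Hour * 24 * 36500).UTC()` on the context line gives every certificate this function issues a roughly 100-year lifetime, so nothing produced here ever expires, a leaked key stays usable for the life of the cluster, and the leaf can outlive the CA it chains to (`NotBefore` is copied from `caCert` but `NotAfter` is never clamped to `caCert.NotAfter`). A bounded validity is the usual fix, e.g. clamp with `if notAfter.After(caCert.NotAfter) { notAfter = caCert.NotAfter }` and pick something like `time.Now().AddDate(1, 0, 0)` as the default, ideally configurable; I cannot see the config struct from here. On the changed line, `x509.KeyUsageDataEncipherment` is not a bit TLS uses, `KeyUsageKeyEncipherment` only matters for RSA key transport, and the bit set is applied unconditionally regardless of `config.Usages` or the key type, so any verifier that enforces key usage sees a wider grant than the certificate needs. `CreateCertAndKey` starts before the hunk.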
diff --git a/pkg/utils/template/template.go b/pkg/utils/template/template.go
index 3b3138a..b16f55a 100644
--- a/pkg/utils/template/template.go
+++ b/pkg/utils/template/template.go
@@ -77,7 +77,7 @@ IP.{{ Add $i 1 }} = {{ $v }}
[ v3_ext ]
authorityKeyIdentifier = keyid,issuer:always
basicConstraints = CA:FALSE
-keyUsage = keyEncipherment,dataEncipherment
+keyUsage = digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage = {{ .ExtendedKeyUsage }}
{{- if .HaveAltNames }}
subjectAltName = @alt_names
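Review bot: The `keyUsage` line is not marked `critical`, while RFC 5280 §4.2.1.3 says a CA SHOULD mark it so, and it grants `dataEncipherment` to every CSR built from this template, including the pure `clientAuth` ones exercised in the tests; TLS does not use that bit, so the grant is broader than the certificate needs. I would tighten it to `keyUsage = critical,digitalSignature,keyEncipherment` (`digitalSignature` alone is enough for ECDSA keys, if those are ever generated). Tightening the template here is also what makes widening the CSR approver's allow-list for "data encipherment" unnecessary. The `v3_ext` section is fully visible, but the code that fills `.ExtendedKeyUsage` is not in this hunk.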
diff --git a/pkg/utils/template/template_test.go b/pkg/utils/template/template_test.go
index ae46d48..30d6f2d 100644
--- a/pkg/utils/template/template_test.go
+++ b/pkg/utils/template/template_test.go
@@ -46,7 +46,7 @@ IP.3 = 127.0.0.1
[ v3_ext ]
authorityKeyIdentifier = keyid,issuer:always
basicConstraints = CA:FALSE
-keyUsage = keyEncipherment,dataEncipherment
+keyUsage = digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names
`
@@ -71,7 +71,7 @@ CN = kube-apiserver-kubelet-client
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
-keyUsage=keyEncipherment,dataEncipherment
+keyUsage=digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage=clientAuth
`
kubelet_conf := &CsrConfig{
@@ -92,7 +92,7 @@ CN = front-proxy-client
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
-keyUsage=keyEncipherment,dataEncipherment
+keyUsage=digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage=clientAuth
`
front_proxy_client_conf := &CsrConfig{
--
2.25.1