2 * ============LICENSE_START=======================================================
3 * oom-certservice-k8s-external-provider
4 * ================================================================================
5 * Copyright (c) 2019 Smallstep Labs, Inc.
6 * Modifications copyright (C) 2020 Nokia. All rights reserved.
7 * ================================================================================
8 * This source code was copied from the following git repository:
9 * https://github.com/smallstep/step-issuer
10 * The source code was modified for usage in the ONAP project.
11 * ================================================================================
12 * Licensed under the Apache License, Version 2.0 (the "License");
13 * you may not use this file except in compliance with the License.
14 * You may obtain a copy of the License at
16 * http://www.apache.org/licenses/LICENSE-2.0
18 * Unless required by applicable law or agreed to in writing, software
19 * distributed under the License is distributed on an "AS IS" BASIS,
20 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
21 * See the License for the specific language governing permissions and
22 * limitations under the License.
23 * ============LICENSE_END=========================================================
26 package cmpv2provisioner
37 certmanager "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
38 "k8s.io/apimachinery/pkg/types"
39 ctrl "sigs.k8s.io/controller-runtime"
41 "onap.org/oom-certservice/k8s-external-provider/src/certserviceclient"
42 "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
45 var collection = new(sync.Map)
47 type CertServiceCA struct {
51 certServiceClient certserviceclient.CertServiceClient
54 func New(cmpv2Issuer *cmpv2api.CMPv2Issuer, certServiceClient certserviceclient.CertServiceClient) (*CertServiceCA, error) {
57 ca.name = cmpv2Issuer.Name
58 ca.url = cmpv2Issuer.Spec.URL
59 ca.caName = cmpv2Issuer.Spec.CaName
60 ca.certServiceClient = certServiceClient
62 log := ctrl.Log.WithName("cmpv2-provisioner")
63 log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName)
68 func Load(namespacedName types.NamespacedName) (*CertServiceCA, bool) {
69 provisioner, ok := collection.Load(namespacedName)
73 certServiceCAprovisioner, ok := provisioner.(*CertServiceCA)
74 return certServiceCAprovisioner, ok
77 func Store(namespacedName types.NamespacedName, provisioner *CertServiceCA) {
78 collection.Store(namespacedName, provisioner)
81 func (ca *CertServiceCA) Sign(ctx context.Context, certificateRequest *certmanager.CertificateRequest, privateKeyBytes []byte) ([]byte, []byte, error) {
82 log := ctrl.Log.WithName("certservice-provisioner")
83 log.Info("Signing certificate: ", "cert-name", certificateRequest.Name)
85 log.Info("CA: ", "name", ca.name, "url", ca.url)
87 csrBytes := certificateRequest.Spec.Request
88 log.Info("Csr PEM: ", "bytes", csrBytes)
90 csr, err := decodeCSR(csrBytes)
95 response, err := ca.certServiceClient.GetCertificates(csrBytes, privateKeyBytes)
99 log.Info("Certificate Chain", "cert-chain", response.CertificateChain)
100 log.Info("Trusted Certificates", "trust-certs", response.TrustedCertificates)
102 cert := x509.Certificate{}
106 // write here code which will call CertServiceCA and sign CSR
109 encodedPEM, err := encodeX509(&cert)
114 signedPEM := encodedPEM
115 trustedCA := encodedPEM
117 log.Info("Successfully signed: ", "cert-name", certificateRequest.Name)
118 log.Info("Signed cert PEM: ", "bytes", signedPEM)
119 log.Info("Trusted CA PEM: ", "bytes", trustedCA)
121 return signedPEM, trustedCA, nil
124 // TODO JM utility methods - will be used in "real" implementation
126 // decodeCSR decodes a certificate request in PEM format and returns the
127 func decodeCSR(data []byte) (*x509.CertificateRequest, error) {
128 block, rest := pem.Decode(data)
129 if block == nil || len(rest) > 0 {
130 return nil, fmt.Errorf("unexpected CSR PEM on sign request")
132 if block.Type != "CERTIFICATE REQUEST" {
133 return nil, fmt.Errorf("PEM is not a certificate request")
135 csr, err := x509.ParseCertificateRequest(block.Bytes)
137 return nil, fmt.Errorf("error parsing certificate request: %v", err)
139 if err := csr.CheckSignature(); err != nil {
140 return nil, fmt.Errorf("error checking certificate request signature: %v", err)
145 // encodeX509 will encode a *x509.Certificate into PEM format.
146 func encodeX509(cert *x509.Certificate) ([]byte, error) {
147 caPem := bytes.NewBuffer([]byte{})
148 err := pem.Encode(caPem, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
152 return caPem.Bytes(), nil
155 // generateSubject returns the first SAN that is not 127.0.0.1 or localhost. The
156 // CSRs generated by the Certificate resource have always those SANs. If no SANs
157 // are available `certservice-issuer-certificate` will be used as a subject is always
159 func generateSubject(sans []string) string {
161 return "certservice-issuer-certificate"
163 for _, s := range sans {
164 if s != "127.0.0.1" && s != "localhost" {
171 func decode(cert string) []byte {
172 bytes, _ := base64.RawStdEncoding.DecodeString(cert)