* oom-certservice-k8s-external-provider
* ================================================================================
* Copyright (c) 2019 Smallstep Labs, Inc.
- * Modifications copyright (C) 2020 Nokia. All rights reserved.
+ * Copyright (C) 2020-2021 Nokia. All rights reserved.
* ================================================================================
* This source code was copied from the following git repository:
* https://github.com/smallstep/step-issuer
package cmpv2provisioner
import (
- "bytes"
"context"
- "crypto/x509"
- "encoding/base64"
- "encoding/pem"
- "fmt"
"sync"
- certmanager "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
"k8s.io/apimachinery/pkg/types"
- ctrl "sigs.k8s.io/controller-runtime"
+ "onap.org/oom-certservice/k8s-external-provider/src/certserviceclient"
"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
+ "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner/csr"
+ "onap.org/oom-certservice/k8s-external-provider/src/leveledlogger"
+ "onap.org/oom-certservice/k8s-external-provider/src/model"
)
var collection = new(sync.Map)
type CertServiceCA struct {
- name string
- url string
- caName string
- key []byte
- cert []byte
- cacert []byte
+ name string
+ url string
+ healthEndpoint string
+ certEndpoint string
+ caName string
+ certServiceClient certserviceclient.CertServiceClient
}
-func New(cmpv2Issuer *cmpv2api.CMPv2Issuer, key []byte, cert []byte, cacert []byte) (*CertServiceCA, error) {
+func New(cmpv2Issuer *cmpv2api.CMPv2Issuer, certServiceClient certserviceclient.CertServiceClient) (*CertServiceCA, error) {
ca := CertServiceCA{}
ca.name = cmpv2Issuer.Name
ca.url = cmpv2Issuer.Spec.URL
ca.caName = cmpv2Issuer.Spec.CaName
- ca.key = key
- ca.cert = cert
- ca.cacert = cacert
+ ca.healthEndpoint = cmpv2Issuer.Spec.HealthEndpoint
+ ca.certEndpoint = cmpv2Issuer.Spec.CertEndpoint
+ ca.certServiceClient = certServiceClient
- log := ctrl.Log.WithName("cmpv2-provisioner")
- log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName, "key", ca.key,
- "cert", ca.cert, "cacert", ca.cacert)
+ log := leveledlogger.GetLoggerWithName("cmpv2-provisioner")
+ log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName, "healthEndpoint", ca.healthEndpoint, "certEndpoint", ca.certEndpoint)
return &ca, nil
}
+func (ca *CertServiceCA) CheckHealth() error {
+ log := leveledlogger.GetLoggerWithName("cmpv2-provisioner")
+ log.Info("Checking health of CMPv2 issuer: ", "name", ca.name)
+ return ca.certServiceClient.CheckHealth()
+}
+
func Load(namespacedName types.NamespacedName) (*CertServiceCA, bool) {
provisioner, ok := collection.Load(namespacedName)
if !ok {
collection.Store(namespacedName, provisioner)
}
-func (ca *CertServiceCA) Sign(ctx context.Context, certificateRequest *certmanager.CertificateRequest) ([]byte, []byte, error) {
- log := ctrl.Log.WithName("certservice-provisioner")
- log.Info("Signing certificate: ", "cert-name", certificateRequest.Name)
-
- key, _ := base64.RawStdEncoding.DecodeString(string(ca.key))
- log.Info("CA: ", "name", ca.name, "url", ca.url, "key", key)
+func (ca *CertServiceCA) Sign(
+ ctx context.Context,
+ signCertificateModel model.SignCertificateModel,
+) (signedCertificateChain []byte, trustedCertificates []byte, err error) {
+ log := leveledlogger.GetLoggerWithName("certservice-provisioner")
- crPEM := certificateRequest.Spec.Request
- csrBase64 := crPEM
- log.Info("Csr PEM: ", "bytes", csrBase64)
-
- csr, err := decodeCSR(crPEM)
- if err != nil {
- return nil, nil, err
+ if signCertificateModel.IsUpdateRevision {
+ log.Debug("Certificate will be updated.", "old-certificate", signCertificateModel.OldCertificate,
+ "old-private-key", signCertificateModel.OldPrivateKey)
}
- cert := x509.Certificate{}
- cert.Raw = csr.Raw
+ certificateRequest := signCertificateModel.CertificateRequest
+ privateKeyBytes := signCertificateModel.PrivateKeyBytes
+ log.Info("Signing certificate: ", "cert-name", certificateRequest.Name)
+
+ log.Info("CA: ", "name", ca.name, "url", ca.url)
- // TODO
- // write here code which will call CertServiceCA and sign CSR
- // END
+ csrBytes := certificateRequest.Spec.Request
+ log.Debug("Original CSR PEM: ", "bytes", csrBytes)
- encodedPEM, err := encodeX509(&cert)
+ filteredCsrBytes, err := csr.FilterFieldsFromCSR(csrBytes, privateKeyBytes)
if err != nil {
return nil, nil, err
}
+ log.Debug("Filtered out CSR PEM: ", "bytes", filteredCsrBytes)
- signedPEM := encodedPEM
- trustedCA := encodedPEM
+ var response *certserviceclient.CertificatesResponse
+ var errAPI error
- log.Info("Successfully signed: ", "cert-name", certificateRequest.Name)
- log.Info("Signed cert PEM: ", "bytes", signedPEM)
- log.Info("Trusted CA PEM: ", "bytes", trustedCA)
+ if signCertificateModel.IsUpdateRevision {
+ log.Info("Attempt to send certificate update request")
+ response, errAPI = ca.certServiceClient.UpdateCertificate(filteredCsrBytes, privateKeyBytes, signCertificateModel)
+ } else {
+ log.Info("Attempt to send certificate request")
+ response, errAPI = ca.certServiceClient.GetCertificates(filteredCsrBytes, privateKeyBytes)
+ }
- return signedPEM, trustedCA, nil
-}
+ if errAPI != nil {
+ return nil, nil, errAPI
+ }
+ log.Info("Successfully received response from CertService API")
+ log.Debug("Certificate Chain", "cert-chain", response.CertificateChain)
+ log.Debug("Trusted Certificates", "trust-certs", response.TrustedCertificates)
-// TODO JM utility methods - will be used in "real" implementation
+ log.Info("Start parsing response")
+ signedCertificateChain, trustedCertificates, signErr := parseResponseToBytes(response)
-// decodeCSR decodes a certificate request in PEM format and returns the
-func decodeCSR(data []byte) (*x509.CertificateRequest, error) {
- block, rest := pem.Decode(data)
- if block == nil || len(rest) > 0 {
- return nil, fmt.Errorf("unexpected CSR PEM on sign request")
+ if signErr != nil {
+ log.Error(signErr, "Cannot parse response from CertService API")
+ return nil, nil, signErr
}
- if block.Type != "CERTIFICATE REQUEST" {
- return nil, fmt.Errorf("PEM is not a certificate request")
- }
- csr, err := x509.ParseCertificateRequest(block.Bytes)
- if err != nil {
- return nil, fmt.Errorf("error parsing certificate request: %v", err)
- }
- if err := csr.CheckSignature(); err != nil {
- return nil, fmt.Errorf("error checking certificate request signature: %v", err)
- }
- return csr, nil
-}
-// encodeX509 will encode a *x509.Certificate into PEM format.
-func encodeX509(cert *x509.Certificate) ([]byte, error) {
- caPem := bytes.NewBuffer([]byte{})
- err := pem.Encode(caPem, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
- if err != nil {
- return nil, err
- }
- return caPem.Bytes(), nil
-}
+ log.Info("Successfully signed: ", "cert-name", certificateRequest.Name)
-// generateSubject returns the first SAN that is not 127.0.0.1 or localhost. The
-// CSRs generated by the Certificate resource have always those SANs. If no SANs
-// are available `certservice-issuer-certificate` will be used as a subject is always
-// required.
-func generateSubject(sans []string) string {
- if len(sans) == 0 {
- return "certservice-issuer-certificate"
- }
- for _, s := range sans {
- if s != "127.0.0.1" && s != "localhost" {
- return s
- }
- }
- return sans[0]
-}
+ log.Debug("Signed cert PEM: ", "bytes", signedCertificateChain)
+ log.Debug("Trusted CA PEM: ", "bytes", trustedCertificates)
-func decode(cert string) []byte {
- bytes, _ := base64.RawStdEncoding.DecodeString(cert)
- return bytes
+ return signedCertificateChain, trustedCertificates, nil
}