From 8795295e7783695618ebaa25951b8eb2e35f4333 Mon Sep 17 00:00:00 2001 From: Jan Malkiewicz Date: Wed, 28 Oct 2020 08:19:08 +0100 Subject: [PATCH] [OOM-K8S-CERT-EXTERNAL-PROVIDER] Add logging of supported CSR properties Issue-ID: OOM-2559 Signed-off-by: Jan Malkiewicz Change-Id: I8e6a55eea3d87b6bb5f3a26ca9a11d618bb61a77 --- .../certificate_request_controller.go | 23 +++++-- .../logger/certificate_request_logger.go | 74 +++++++++++++--------- .../logger/certificate_request_logger_test.go | 42 +++++++++++- .../src/cmpv2provisioner/cmpv2_provisioner.go | 37 +---------- .../src/x509/testdata/test_data.go | 66 +++++++++++++++++++ .../src/x509/x509_utils.go | 57 +++++++++++++++++ .../src/x509/x509_utils_test.go | 42 ++++++++++++ 7 files changed, 271 insertions(+), 70 deletions(-) create mode 100644 certServiceK8sExternalProvider/src/x509/testdata/test_data.go create mode 100644 certServiceK8sExternalProvider/src/x509/x509_utils.go create mode 100644 certServiceK8sExternalProvider/src/x509/x509_utils_test.go diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go index f77642cd..03eef35c 100644 --- a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go +++ b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go @@ -43,6 +43,7 @@ import ( "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api" "onap.org/oom-certservice/k8s-external-provider/src/cmpv2controller/logger" provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner" + x509utils "onap.org/oom-certservice/k8s-external-provider/src/x509" ) const ( @@ -124,17 +125,25 @@ func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Reques } privateKeyBytes := privateKeySecret.Data[privateKeySecretKey] - // 8. Log Certificate Request properties not supported or overridden by CertService API - logger.LogCertRequestProperties(ctrl.Log.WithName("CSR details"), certificateRequest) + // 8. Decode CSR + log.Info("Decoding CSR...") + csr, err := x509utils.DecodeCSR(certificateRequest.Spec.Request) + if err != nil { + controller.handleErrorFailedToDecodeCSR(ctx, log, err, certificateRequest) + return ctrl.Result{}, err + } + + // 9. Log Certificate Request properties not supported or overridden by CertService API + logger.LogCertRequestProperties(ctrl.Log.WithName("CSR details"), certificateRequest, csr) - // 9. Sign CertificateRequest + // 10. Sign CertificateRequest signedPEM, trustedCAs, err := provisioner.Sign(ctx, certificateRequest, privateKeyBytes) if err != nil { controller.handleErrorFailedToSignCertificate(ctx, log, err, certificateRequest) return ctrl.Result{}, err } - // 10. Store signed certificates in CertificateRequest + // 11. Store signed certificates in CertificateRequest certificateRequest.Status.Certificate = signedPEM certificateRequest.Status.CA = trustedCAs if err := controller.updateCertificateRequestWithSignedCerficates(ctx, certificateRequest); err != nil { @@ -221,6 +230,12 @@ func (controller *CertificateRequestController) handleErrorFailedToSignCertifica _ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonFailed, "Failed to sign certificate request: %v", err) } +func (controller *CertificateRequestController) handleErrorFailedToDecodeCSR(ctx context.Context, log logr.Logger, err error, certificateRequest *cmapi.CertificateRequest) { + log.Error(err, "Failed to decode certificate sign request") + _ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonFailed, "Failed to decode CSR: %v", err) +} + + func handleErrorResourceNotFound(log logr.Logger, err error) error { if apierrors.IsNotFound(err) { log.Error(err, "CertificateRequest resource not found") diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/logger/certificate_request_logger.go b/certServiceK8sExternalProvider/src/cmpv2controller/logger/certificate_request_logger.go index da439fb8..0aaf48d3 100644 --- a/certServiceK8sExternalProvider/src/cmpv2controller/logger/certificate_request_logger.go +++ b/certServiceK8sExternalProvider/src/cmpv2controller/logger/certificate_request_logger.go @@ -21,8 +21,7 @@ package logger import ( - "crypto/x509" - "encoding/pem" + x509 "crypto/x509" "net" "net/url" "strconv" @@ -36,9 +35,25 @@ const ( CMPv2ServerName = "CMPv2 Server" ) -func LogCertRequestProperties(log logr.Logger, request *cmapi.CertificateRequest) { +func LogCertRequestProperties(log logr.Logger, request *cmapi.CertificateRequest, csr *x509.CertificateRequest) { + logSupportedProperties(log, request, csr) + logPropertiesNotSupportedByCertService(log, request, csr) logPropertiesOverriddenByCMPv2Server(log, request) - logPropertiesNotSupportedByCertService(log, request) +} + +func logSupportedProperties(log logr.Logger, request *cmapi.CertificateRequest, csr *x509.CertificateRequest) { + logSupportedProperty(log, csr.Subject.Organization, "organization") + logSupportedProperty(log, csr.Subject.OrganizationalUnit, "organization unit") + logSupportedProperty(log, csr.Subject.Country, "country") + logSupportedProperty(log, csr.Subject.Province, "state") + logSupportedProperty(log, csr.Subject.Locality, "location") + logSupportedProperty(log, csr.DNSNames, "dns names") +} + +func logSupportedProperty(log logr.Logger, values []string, propertyName string) { + if len(values) > 0 { + log.Info(getSupportedMessage(propertyName, extractStringArray(values))) + } } func logPropertiesOverriddenByCMPv2Server(log logr.Logger, request *cmapi.CertificateRequest) { @@ -58,53 +73,44 @@ func extractUsages(usages []cmapi.KeyUsage) string { return values } -func getOverriddenMessage(property string, values string) string { - return "Property '" + property + "' with value: " + values + ", will be overridden by " + CMPv2ServerName -} - -func logPropertiesNotSupportedByCertService(log logr.Logger, request *cmapi.CertificateRequest) { +func logPropertiesNotSupportedByCertService(log logr.Logger, request *cmapi.CertificateRequest, csr *x509.CertificateRequest) { - block, _ := pem.Decode(request.Spec.Request) - cert, err := x509.ParseCertificateRequest(block.Bytes) - if err != nil { - log.Error(err, "Cannot parse Certificate Signing Request") - } //IP addresses in SANs - if len(cert.IPAddresses) > 0 { - log.Info(getNotSupportedMessage("ipAddresses", extractIPAddresses(cert.IPAddresses))) + if len(csr.IPAddresses) > 0 { + log.Info(getNotSupportedMessage("ipAddresses", extractIPAddresses(csr.IPAddresses))) } //URIs in SANs - if len(cert.URIs) > 0 { - log.Info(getNotSupportedMessage("uris", extractURIs(cert.URIs))) + if len(csr.URIs) > 0 { + log.Info(getNotSupportedMessage("uris", extractURIs(csr.URIs))) } //Email addresses in SANs - if len(cert.EmailAddresses) > 0 { - log.Info(getNotSupportedMessage("emailAddresses", extractStringArray(cert.EmailAddresses))) + if len(csr.EmailAddresses) > 0 { + log.Info(getNotSupportedMessage("emailAddresses", extractStringArray(csr.EmailAddresses))) } if request.Spec.IsCA == true { log.Info(getNotSupportedMessage("isCA", strconv.FormatBool(request.Spec.IsCA))) } - if len(cert.Subject.StreetAddress) > 0 { - log.Info(getNotSupportedMessage("subject.streetAddress", extractStringArray(cert.Subject.StreetAddress))) + if len(csr.Subject.StreetAddress) > 0 { + log.Info(getNotSupportedMessage("subject.streetAddress", extractStringArray(csr.Subject.StreetAddress))) } - if len(cert.Subject.PostalCode) > 0 { - log.Info(getNotSupportedMessage("subject.postalCodes", extractStringArray(cert.Subject.PostalCode))) + if len(csr.Subject.PostalCode) > 0 { + log.Info(getNotSupportedMessage("subject.postalCodes", extractStringArray(csr.Subject.PostalCode))) } - if len(cert.Subject.SerialNumber) > 0 { - log.Info(getNotSupportedMessage("subject.serialNumber", cert.Subject.SerialNumber)) + if len(csr.Subject.SerialNumber) > 0 { + log.Info(getNotSupportedMessage("subject.serialNumber", csr.Subject.SerialNumber)) } } func extractStringArray(strArray []string) string { values := "" - for _, emailSANs := range strArray { - values = values + emailSANs + ", " + for _, val := range strArray { + values = values + val + ", " } return values } @@ -125,6 +131,14 @@ func extractIPAddresses(addresses []net.IP) string { return values } -func getNotSupportedMessage(property string, values string) string { - return "WARNING: Property '" + property + "' with value: " + values + " is not supported by " + CertServiceName +func getNotSupportedMessage(property string, value string) string { + return "WARNING: Property '" + property + "' with value: " + value + " is not supported by " + CertServiceName +} + +func getSupportedMessage(property string, value string) string { + return "Property '" + property + "' with value: " + value + " will be sent in certificate signing request to " + CMPv2ServerName +} + +func getOverriddenMessage(property string, values string) string { + return "Property '" + property + "' with value: " + values + " will be overridden by " + CMPv2ServerName } diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/logger/certificate_request_logger_test.go b/certServiceK8sExternalProvider/src/cmpv2controller/logger/certificate_request_logger_test.go index 7d1abc2c..ea1076dc 100644 --- a/certServiceK8sExternalProvider/src/cmpv2controller/logger/certificate_request_logger_test.go +++ b/certServiceK8sExternalProvider/src/cmpv2controller/logger/certificate_request_logger_test.go @@ -33,12 +33,18 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/klog/v2" "k8s.io/klog/v2/klogr" + + x509utils "onap.org/oom-certservice/k8s-external-provider/src/x509" ) var checkedLogMessages = [7]string{"Property 'duration'", "Property 'usages'", "Property 'ipAddresses'", "Property 'isCA'", "Property 'subject.streetAddress'", "Property 'subject.postalCodes'", "Property 'subject.serialNumber'"} +var supportedProperties = [7]string{"Property 'organization'", "Property 'organization unit'", "Property 'country'", + "Property 'state'", "Property 'location'", "Property 'dns names'"} + + func TestMain(m *testing.M) { klog.InitFlags(nil) flag.CommandLine.Set("v", "10") @@ -55,8 +61,13 @@ func TestLogShouldNotProvideInformationAboutSkippedPropertiesIfNotExistInCSR(t * request := getCertificateRequestWithoutSkippedProperties() tmpWriteBuffer := getLogBuffer() + csr, err := x509utils.DecodeCSR(request.Spec.Request) + if err != nil { + assert.FailNow(t, "Could not parse Certificate Sign Request") + } + //when - LogCertRequestProperties(logger, request) + LogCertRequestProperties(logger, request, csr) closeLogBuffer() logsArray := convertBufferToStringArray(tmpWriteBuffer) //then @@ -71,8 +82,13 @@ func TestLogShouldProvideInformationAboutSkippedPropertiesIfExistInCSR(t *testin request := getCertificateRequestWithSkippedProperties() tmpWriteBuffer := getLogBuffer() + csr, err := x509utils.DecodeCSR(request.Spec.Request) + if err != nil { + assert.FailNow(t, "Could not parse Certificate Sign Request") + } + //when - LogCertRequestProperties(logger, request) + LogCertRequestProperties(logger, request, csr) closeLogBuffer() logsArray := convertBufferToStringArray(tmpWriteBuffer) @@ -82,6 +98,28 @@ func TestLogShouldProvideInformationAboutSkippedPropertiesIfExistInCSR(t *testin } } +func TestLogShouldListSupportedProperties(t *testing.T) { + //given + logger := klogr.New() + request := getCertificateRequestWithoutSkippedProperties() + tmpWriteBuffer := getLogBuffer() + + csr, err := x509utils.DecodeCSR(request.Spec.Request) + if err != nil { + assert.FailNow(t, "Could not parse Certificate Sign Request") + } + + //when + LogCertRequestProperties(logger, request, csr) + closeLogBuffer() + logsArray := convertBufferToStringArray(tmpWriteBuffer) + + //then + for _, logMsg := range supportedProperties { + assert.True(t, logsContainExpectedMessage(logsArray, logMsg), "Logs not contain: "+logMsg) + } +} + func getCertificateRequestWithoutSkippedProperties() *cmapi.CertificateRequest { request := new(cmapi.CertificateRequest) request.Spec.Request = []byte(csrWithoutSkippedProperties) diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go index c0304d7d..6e09e683 100644 --- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go +++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go @@ -26,11 +26,8 @@ package cmpv2provisioner import ( - "bytes" "context" "crypto/x509" - "encoding/pem" - "fmt" "sync" certmanager "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" @@ -39,6 +36,7 @@ import ( "onap.org/oom-certservice/k8s-external-provider/src/certserviceclient" "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api" + x509utils "onap.org/oom-certservice/k8s-external-provider/src/x509" ) var collection = new(sync.Map) @@ -96,7 +94,7 @@ func (ca *CertServiceCA) Sign(ctx context.Context, certificateRequest *certmanag csrBytes := certificateRequest.Spec.Request log.Info("Csr PEM: ", "bytes", csrBytes) - csr, err := decodeCSR(csrBytes) + csr, err := x509utils.DecodeCSR(csrBytes) if err != nil { return nil, nil, err } @@ -113,7 +111,7 @@ func (ca *CertServiceCA) Sign(ctx context.Context, certificateRequest *certmanag // stored response as PEM cert := x509.Certificate{} cert.Raw = csr.Raw - encodedPEM, err := encodeX509(&cert) + encodedPEM, err := x509utils.EncodeX509(&cert) if err != nil { return nil, nil, err } @@ -128,32 +126,3 @@ func (ca *CertServiceCA) Sign(ctx context.Context, certificateRequest *certmanag return signedPEM, trustedCA, nil } - -// decodeCSR decodes a certificate request in PEM format and returns the -func decodeCSR(data []byte) (*x509.CertificateRequest, error) { - block, rest := pem.Decode(data) - if block == nil || len(rest) > 0 { - return nil, fmt.Errorf("unexpected CSR PEM on sign request") - } - if block.Type != "CERTIFICATE REQUEST" { - return nil, fmt.Errorf("PEM is not a certificate request") - } - csr, err := x509.ParseCertificateRequest(block.Bytes) - if err != nil { - return nil, fmt.Errorf("error parsing certificate request: %v", err) - } - if err := csr.CheckSignature(); err != nil { - return nil, fmt.Errorf("error checking certificate request signature: %v", err) - } - return csr, nil -} - -// encodeX509 will encode a *x509.Certificate into PEM format. -func encodeX509(cert *x509.Certificate) ([]byte, error) { - caPem := bytes.NewBuffer([]byte{}) - err := pem.Encode(caPem, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}) - if err != nil { - return nil, err - } - return caPem.Bytes(), nil -} diff --git a/certServiceK8sExternalProvider/src/x509/testdata/test_data.go b/certServiceK8sExternalProvider/src/x509/testdata/test_data.go new file mode 100644 index 00000000..dad5d094 --- /dev/null +++ b/certServiceK8sExternalProvider/src/x509/testdata/test_data.go @@ -0,0 +1,66 @@ +/* + * ============LICENSE_START======================================================= + * oom-certservice-k8s-external-provider + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package testdata + + +const ValidCertificateSignRequest = (`-----BEGIN CERTIFICATE REQUEST----- +MIIDgjCCAmoCAQAwgaQxCzAJBgNVBAYTAlBMMRMwEQYDVQQIEwpEb2xueVNsYXNr +MRAwDgYDVQQHEwdXcm9jbGF3MREwDwYDVQQJEwhMb3RuaWN6YTEPMA0GA1UEERMG +MTItMzQ1MQ0wCwYDVQQKEwRPTkFQMQ0wCwYDVQQLEwRvbmFwMRwwGgYDVQQDExNj +ZXJ0aXNzdWVyLm9uYXAub3JnMQ4wDAYDVQQFEwUxMjM0NTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAPdrWRYpdGY6A9YEQ8mnQdOW7wzdaNHJ83ZrMPZd +V7jBOMvQbTw6Oe/Q4vD+Dla7FmGqlAajNIgKRiUUQLKVmASELhCYhtW7Mn91qe6l +xuyPyOEi9o8mArJosFAfPPF0nm9FQPi2qHgyi6C52QR7cKsgNPflpKVsEx9Y+Zns +YBqkaX16BukvcHUANgsvZ3rLUVeiOsCi2ysVcsm+4XMvF6ejoqKJ9k7Ti0VrQtqh +e1nKlaa4uP3dreeUXBMLfKUS7QrNavpiX6wVaohVp6p/AYQ2HZurMv86Q2E5D5SC +ReEpVuWx+r4MI8dAHbYe09ntkRGIe8mVyxHHEWLNfZiwKGsCAwEAAaCBlzCBlAYJ +KoZIhvcNAQkOMYGGMIGDMFUGA1UdEQROMEyCCWxvY2FsaG9zdIITY2VydGlzc3Vl +ci5vbmFwLm9yZ4ENb25hcEBvbmFwLm9yZ4cEfwAAAYYVb25hcDovL2NsdXN0ZXIu +bG9jYWwvMAsGA1UdDwQEAwICBDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH +AwIwDQYJKoZIhvcNAQELBQADggEBAHDMw3+fVOrbVnMI2g/IP40vt1eenkoriTHX +dnjRRFio75nCNRJdLOJ9FU3wIgdDZwGaiXdn5NDQxCe0BWcbElDJSYR/xOi7V0AM +2L3CrRAOhr2MjwX7CaOuYWcVtrbtIMf26NLKRXYPlGgc6YeofalDnezMJ/IuRQhj +bcm17a8owa5dH9u/rmTmlrIT7PV4JHkZIogctIcSqod6xdr1mbi8G9DMFAqV+o7W +9kV7XDKhTqYoBIsXwfehNMu3lo72VuklIyVNiEVz4mVzpeZy2DgjRjCLt106yDHZ +f3nco6O4y2EyexBVKq6QRFfZDUab6YcoEVvPAio01RmFrHgnxHs= +-----END CERTIFICATE REQUEST-----`) + +const InvalidCertificateSignRequest = (`-----BEGIN INVALID REQUEST----- +MIIDgjCCAmoCAQAwgaQxCzAJBgNVBAYTAlBMMRMwEQYDVQQIEwpEb2xueVNsYXNr +MRAwDgYDVQQHEwdXcm9jbGF3MREwDwYDVQQJEwhMb3RuaWN6YTEPMA0GA1UEERMG +MTItMzQ1MQ0wCwYDVQQKEwRPTkFQMQ0wCwYDVQQLEwRvbmFwMRwwGgYDVQQDExNj +ZXJ0aXNzdWVyLm9uYXAub3JnMQ4wDAYDVQQFEwUxMjM0NTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAPdrWRYpdGY6A9YEQ8mnQdOW7wzdaNHJ83ZrMPZd +V7jBOMvQbTw6Oe/Q4vD+Dla7FmGqlAajNIgKRiUUQLKVmASELhCYhtW7Mn91qe6l +xuyPyOEi9o8mArJosFAfPPF0nm9FQPi2qHgyi6C52QR7cKsgNPflpKVsEx9Y+Zns +YBqkaX16BukvcHUANgsvZ3rLUVeiOsCi2ysVcsm+4XMvF6ejoqKJ9k7Ti0VrQtqh +e1nKlaa4uP3dreeUXBMLfKUS7QrNavpiX6wVaohVp6p/AYQ2HZurMv86Q2E5D5SC +ReEpVuWx+r4MI8dAHbYe09ntkRGIe8mVyxHHEWLNfZiwKGsCAwEAAaCBlzCBlAYJ +KoZIhvcNAQkOMYGGMIGDMFUGA1UdEQROMEyCCWxvY2FsaG9zdIITY2VydGlzc3Vl +ci5vbmFwLm9yZ4ENb25hcEBvbmFwLm9yZ4cEfwAAAYYVb25hcDovL2NsdXN0ZXIu +bG9jYWwvMAsGA1UdDwQEAwICBDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH +AwIwDQYJKoZIhvcNAQELBQADggEBAHDMw3+fVOrbVnMI2g/IP40vt1eenkoriTHX +dnjRRFio75nCNRJdLOJ9FU3wIgdDZwGaiXdn5NDQxCe0BWcbElDJSYR/xOi7V0AM +2L3CrRAOhr2MjwX7CaOuYWcVtrbtIMf26NLKRXYPlGgc6YeofalDnezMJ/IuRQhj +bcm17a8owa5dH9u/rmTmlrIT7PV4JHkZIogctIcSqod6xdr1mbi8G9DMFAqV+o7W +9kV7XDKhTqYoBIsXwfehNMu3lo72VuklIyVNiEVz4mVzpeZy2DgjRjCLt106yDHZ +f3nco6O4y2EyexBVKq6QRFfZDUab6YcoEVvPAio01RmFrHgnxHs= +-----END CERTIFICATE REQUEST-----`) diff --git a/certServiceK8sExternalProvider/src/x509/x509_utils.go b/certServiceK8sExternalProvider/src/x509/x509_utils.go new file mode 100644 index 00000000..b8b03e1a --- /dev/null +++ b/certServiceK8sExternalProvider/src/x509/x509_utils.go @@ -0,0 +1,57 @@ +/* + * ============LICENSE_START======================================================= + * oom-certservice-k8s-external-provider + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package x509 + +import ( + "bytes" + "crypto/x509" + "encoding/pem" + "fmt" +) + +// decodeCSR decodes a certificate request in PEM format and returns the +func DecodeCSR(data []byte) (*x509.CertificateRequest, error) { + block, rest := pem.Decode(data) + if block == nil || len(rest) > 0 { + return nil, fmt.Errorf("unexpected CSR PEM on sign request") + } + if block.Type != "CERTIFICATE REQUEST" { + return nil, fmt.Errorf("PEM is not a certificate request") + } + csr, err := x509.ParseCertificateRequest(block.Bytes) + if err != nil { + return nil, fmt.Errorf("error parsing certificate request: %v", err) + } + if err := csr.CheckSignature(); err != nil { + return nil, fmt.Errorf("error checking certificate request signature: %v", err) + } + return csr, nil +} + +// encodeX509 will encode a *x509.Certificate into PEM format. +func EncodeX509(cert *x509.Certificate) ([]byte, error) { + caPem := bytes.NewBuffer([]byte{}) + err := pem.Encode(caPem, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}) + if err != nil { + return nil, err + } + return caPem.Bytes(), nil +} diff --git a/certServiceK8sExternalProvider/src/x509/x509_utils_test.go b/certServiceK8sExternalProvider/src/x509/x509_utils_test.go new file mode 100644 index 00000000..2692bf4e --- /dev/null +++ b/certServiceK8sExternalProvider/src/x509/x509_utils_test.go @@ -0,0 +1,42 @@ +/* + * ============LICENSE_START======================================================= + * oom-certservice-k8s-external-provider + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package x509 + +import ( + "testing" + + "github.com/stretchr/testify/assert" + + "onap.org/oom-certservice/k8s-external-provider/src/x509/testdata" +) + +func TestShouldDecodeCSR(t *testing.T) { + csr, err := DecodeCSR([]byte(testdata.ValidCertificateSignRequest)) + + assert.Nil(t, err) + assert.Equal(t, "ONAP", csr.Subject.Organization[0]) +} + +func TestShouldReturnError(t *testing.T) { + _, err := DecodeCSR([]byte(testdata.InvalidCertificateSignRequest)) + + assert.NotNil(t, err) +} -- 2.16.6