- streetAddresses
- postalCodes
- isCa
- - ipAddresses
- - uris
- - emails
- duration
- usages
- California
organizationalUnits:
- ONAP
- # DNS SAN
+ # SANs
dnsNames:
- localhost
- certissuer.onap.org
+ ipAddresses:
+ - "127.0.0.1"
+ uris:
+ - onap://cluster.local/
+ emailAddresses:
+ - onap@onap.org
# The reference to the CMPv2 issuer
issuerRef:
group: certmanager.onap.org
postalCodes: #***NOT SUPPORTED BY CERT SERVICE API***
- 12-345
serialNumber: "12345" #***NOT SUPPORTED BY CERT SERVICE API***
- # DNS SAN
+ # SANs
dnsNames:
- localhost
- certissuer.onap.org
- ipAddresses: #***NOT SUPPORTED BY CERT SERVICE API***
+ ipAddresses:
- "127.0.0.1"
- uris: #***NOT SUPPORTED BY CERT SERVICE API***
+ uris:
- onap://cluster.local/
- emailAddresses: #***NOT SUPPORTED BY CERT SERVICE API***
+ emailAddresses:
- onap@onap.org
duration: 24h #***OVERRIDDEN BY CMPV2 SERVER***
renewBefore: 8h
logSupportedMultiValueProperty(log, csr.Subject.Province, "state")
logSupportedMultiValueProperty(log, csr.Subject.Locality, "location")
logSupportedMultiValueProperty(log, csr.DNSNames, "dns names")
+ logSupportedMultiValueProperty(log, csr.EmailAddresses, "email addresses")
+ logSupportedMultiValueProperty(log, mapIpAddressesToText(csr.IPAddresses), "ipAddresses")
+ logSupportedMultiValueProperty(log, mapUrisToText(csr.URIs), "uris")
}
func logSupportedMultiValueProperty(log leveledlogger.Logger, values []string, propertyName string) {
}
func logPropertiesNotSupportedByCertService(log leveledlogger.Logger, request *cmapi.CertificateRequest, csr *x509.CertificateRequest) {
-
- //IP addresses in SANs
- if len(csr.IPAddresses) > 0 {
- log.Warning(getNotSupportedMessage("ipAddresses", extractIPAddresses(csr.IPAddresses)))
- }
- //URIs in SANs
- if len(csr.URIs) > 0 {
- log.Warning(getNotSupportedMessage("uris", extractURIs(csr.URIs)))
- }
-
- //Email addresses in SANs
- if len(csr.EmailAddresses) > 0 {
- log.Warning(getNotSupportedMessage("emailAddresses", extractStringArray(csr.EmailAddresses)))
- }
-
if request.Spec.IsCA == true {
log.Warning(getNotSupportedMessage("isCA", strconv.FormatBool(request.Spec.IsCA)))
}
return values
}
-func extractURIs(URIs []*url.URL) string {
- values := ""
- for _, uri := range URIs {
- values = values + uri.String() + ", "
+func mapUrisToText(uris []*url.URL) []string {
+ urisAsText := make([]string, len(uris))
+ for i, ipAddress := range uris {
+ urisAsText[i] = ipAddress.String()
}
- return values
+ return urisAsText
}
-func extractIPAddresses(addresses []net.IP) string {
- values := ""
- for _, ipAddress := range addresses {
- values = values + ipAddress.String() + ", "
+func mapIpAddressesToText(addresses []net.IP) []string {
+ ipsAsText := make([]string, len(addresses))
+ for i, ipAddress := range addresses {
+ ipsAsText[i] = ipAddress.String()
}
- return values
+ return ipsAsText
}
func getSupportedMessage(property string, value string) string {
var unsupportedProperties = []string{
"* property 'duration'",
"* property 'usages'",
- "- property 'ipAddresses'",
"- property 'isCA'",
"- property 'subject.streetAddress'",
"- property 'subject.postalCodes'",
"+ property 'country'",
"+ property 'state'",
"+ property 'location'",
- "+ property 'dns names'"}
+ "+ property 'dns names'",
+ "+ property 'ipAddresses'",
+ "+ property 'uris'",
+ "+ property 'email addresses'",
+ }
const RESULT_LOG = "testdata/test_result.log"
package logger
const csrWithoutSkippedProperties = (`-----BEGIN CERTIFICATE REQUEST-----
-MIIDETCCAfkCAQAwgYIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
+MIIDPTCCAiUCAQAwgYIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRYwFAYDVQQHEw1TYW4tRnJhbmNpc2NvMRkwFwYDVQQKExBMaW51eC1Gb3VuZGF0
aW9uMQ0wCwYDVQQLEwRPTkFQMRwwGgYDVQQDExNjZXJ0aXNzdWVyLm9uYXAub3Jn
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxhQiSgyYGpEfX/HuCFwT
-GHkLe1CheKz2CQzSP9an5BSdET1OgABmuJjtnXZzKpPAZCGJX2QTyDE9zvdTN0Ci
-/8WRL/m2tWUPbt8qRVW36PSKazpB+ELZjQi3rmYtmWUlRuJNfLcksK59pcD5W46t
-d9eettkex0FAcxpQE/ukhpW9r6QrmlQAQHuF1rBw6uJMGzFSPWh9XFLFbxZJyJCu
-AIycvT95bgtot3EMPwGkxAYzxtAu6D5/n65nIZ0f9BuuNFtmnoHmn/9fPUnZHA0h
-qP9kXAAU10S3gig+Na6DeZFBE1y9jCt4vmSq2ssBO24kOAHrg5GrqEsnfoSnu8Nb
-sQIDAQABoEkwRwYJKoZIhvcNAQkOMTowODApBgNVHREEIjAggglsb2NhbGhvc3SC
-E2NlcnRpc3N1ZXIub25hcC5vcmcwCwYDVR0PBAQDAgWgMA0GCSqGSIb3DQEBCwUA
-A4IBAQAWkOeJHnmtlSvlb7HbBeSGY4E9M338sKtwV4ZSvH+n5rgwamkvjhUwhycs
-UR0XgeAyD86kK6kkvVewdIanHYp1k7CuDZkU6piy8t4RhosyqUWQNWtemGYdNZCL
-cgZ1Jbj4NdIZo2EKBIEbTrm9VFt1zidYRFNGNJp8RQQds6r4qATq1NKr6ptrLuIc
-dzfOm1ZPtSn8u4H4+z1re6q18JeM0VPXBiXBtEXwQRXIEnsjCzYxdjy+QwbEmlpB
-o2hMIamWNIbskYnNkaky8eQzjJ8uIesESeanWJlrMUbzicOwQeYMPmj+Mkn1nqlK
-YFwml5XnVXXpGLHGWCswpN3CDyXi
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3RKJGx0bXUz2hyWPssq5
+sZEOcC4ITkBWDx1b/g+abX1J2nTfKZK4JSRd1I/9Lz8LaiyuqacCzJ3vZ+IbvbwJ
+HjTvzakbdQgbm7TSOH4zBXUp6lN92PT+RwM5PGcipi3vcC/eT4aMohEhHH1qkNCP
+G7EC69hTnw3tyXX19euF/gAJwHeYNSHC6k2WwLYkYkkhRIndzv1vM8nBLb7C7JBE
+aAO0fq1trVEoIYdz3tNWZWs+T+Vu8fATqm1rLzKOj3bQljRluFsegrRPR2oD9Th5
+AE5nmw948higVTlXcdeoW0MiAn6pWyHzcTKhBizm+Yp4bejqx8oq+Joq7u5nue/p
+KQIDAQABoHUwcwYJKoZIhvcNAQkOMWYwZDBVBgNVHREETjBMgglsb2NhbGhvc3SC
+E2NlcnRpc3N1ZXIub25hcC5vcmeBDW9uYXBAb25hcC5vcmeHBH8AAAGGFW9uYXA6
+Ly9jbHVzdGVyLmxvY2FsLzALBgNVHQ8EBAMCBaAwDQYJKoZIhvcNAQELBQADggEB
+AI3LghPWW3P8zO5CiLIMYwbYbQt0nA0AA/iDzBh/HXE+owLXECffGhidC9oG8d1r
+ZAL+fkjU1+hBSPyk8ZIeiPGi1NDL4h+65Cobv/D3O5PEDYui98FZSykrkcLCb3Qx
+ga6ki+l3sQYP6sWyK6N1U7uX8t1g7IMbcpMO7rASNMDRWkYtlmJhit0Yd6YgvYuL
+gqH+TRiUTvm6XKby5DaTK3lz7h78lqTxVcWHlxUGTvXAEF15cqbKGy9n/4y1LQUc
+AhEFo/1MKDqMpG8FTw/EFMMzKQAXofeLGcWepXo1oDGHal8/3kYN+0c2cH4ZASp4
+N8j9VQMXik3mDiJWFtM0oWI=
-----END CERTIFICATE REQUEST-----`)
const csrWithSkippedProperties = (`-----BEGIN CERTIFICATE REQUEST-----
-MIIDgjCCAmoCAQAwgaQxCzAJBgNVBAYTAlBMMRMwEQYDVQQIEwpEb2xueVNsYXNr
-MRAwDgYDVQQHEwdXcm9jbGF3MREwDwYDVQQJEwhMb3RuaWN6YTEPMA0GA1UEERMG
-MTItMzQ1MQ0wCwYDVQQKEwRPTkFQMQ0wCwYDVQQLEwRvbmFwMRwwGgYDVQQDExNj
-ZXJ0aXNzdWVyLm9uYXAub3JnMQ4wDAYDVQQFEwUxMjM0NTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAPdrWRYpdGY6A9YEQ8mnQdOW7wzdaNHJ83ZrMPZd
-V7jBOMvQbTw6Oe/Q4vD+Dla7FmGqlAajNIgKRiUUQLKVmASELhCYhtW7Mn91qe6l
-xuyPyOEi9o8mArJosFAfPPF0nm9FQPi2qHgyi6C52QR7cKsgNPflpKVsEx9Y+Zns
-YBqkaX16BukvcHUANgsvZ3rLUVeiOsCi2ysVcsm+4XMvF6ejoqKJ9k7Ti0VrQtqh
-e1nKlaa4uP3dreeUXBMLfKUS7QrNavpiX6wVaohVp6p/AYQ2HZurMv86Q2E5D5SC
-ReEpVuWx+r4MI8dAHbYe09ntkRGIe8mVyxHHEWLNfZiwKGsCAwEAAaCBlzCBlAYJ
-KoZIhvcNAQkOMYGGMIGDMFUGA1UdEQROMEyCCWxvY2FsaG9zdIITY2VydGlzc3Vl
-ci5vbmFwLm9yZ4ENb25hcEBvbmFwLm9yZ4cEfwAAAYYVb25hcDovL2NsdXN0ZXIu
-bG9jYWwvMAsGA1UdDwQEAwICBDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
-AwIwDQYJKoZIhvcNAQELBQADggEBAHDMw3+fVOrbVnMI2g/IP40vt1eenkoriTHX
-dnjRRFio75nCNRJdLOJ9FU3wIgdDZwGaiXdn5NDQxCe0BWcbElDJSYR/xOi7V0AM
-2L3CrRAOhr2MjwX7CaOuYWcVtrbtIMf26NLKRXYPlGgc6YeofalDnezMJ/IuRQhj
-bcm17a8owa5dH9u/rmTmlrIT7PV4JHkZIogctIcSqod6xdr1mbi8G9DMFAqV+o7W
-9kV7XDKhTqYoBIsXwfehNMu3lo72VuklIyVNiEVz4mVzpeZy2DgjRjCLt106yDHZ
-f3nco6O4y2EyexBVKq6QRFfZDUab6YcoEVvPAio01RmFrHgnxHs=
+MIIDaDCCAlACAQAwgboxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
+MRYwFAYDVQQHEw1TYW4tRnJhbmNpc2NvMRUwEwYDVQQJEwxzYW1wbGVTdHJlZXQx
+DzANBgNVBBETBjEyLTM0NTEZMBcGA1UEChMQTGludXgtRm91bmRhdGlvbjENMAsG
+A1UECxMET05BUDEcMBoGA1UEAxMTY2VydGlzc3Vlci5vbmFwLm9yZzEOMAwGA1UE
+BRMFMTIzNDUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOsn9B8AmR
+ZGcJ/b2pp+oeA0jQgr7wnJeDCWzF7v5k6vBSeladlERVTCBaWO5SSSVDqrhidnvv
++FpxG6LeN+Y/KQn/Hk8pQSoht3yZaTgQV352nOysIr/tI4QUwahAXH8RwvyS4CHJ
+vy1n/cJlvdiymC9z61dUx4DyHsMlZMRTldiFIs0/VKtgPPZ3hxMT1NJjg9dmyJhm
+RCZOn/cj1laIW6ie/BQJuXINf8VT3bl4mYkfc7yvrj7V3aMWKuzbr8/yMo9fpHqd
+gGQIqtmDOWOHkawkEAPqpeFLdryXcfFEFsy9iJHbr4N/5FKj4lbUaS4aVA04oigl
+RUKM8bE5uQUHAgMBAAGgaDBmBgkqhkiG9w0BCQ4xWTBXMCkGA1UdEQQiMCCCCWxv
+Y2FsaG9zdIITY2VydGlzc3Vlci5vbmFwLm9yZzALBgNVHQ8EBAMCAgQwHQYDVR0l
+BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQACQMf4
+OcJHOD1AWmIXy5G0VYUs2qogrSX0BEWWuXRGt9vicUmesgf9YLHNlg5dOujJmEIP
+HKkks1uy5dNXMlKAZ3i1TSaVhoFap5jZiXmfKfRXb5ImL3e5146hr+1dqRnPA7rR
+4fjjz8B7HeO2TiWu2xgJnyuPHKOwalSOYhVljpEE2hjs064Vc2yovj2FcYdPbfc2
+gFQqkUSBrviuzxhK63fWtMGStv/kSc3cEylDzV45LLIUCVFKzKaqXiG8MCQjhtFI
+2ve5+9NJxPQ3SqBKUuRoTHYBC3YppY/QagepVlENeDomvku8iS2FSkkOxGspbhla
+7uR7K5JP5H9jLQbj
-----END CERTIFICATE REQUEST-----`)
if err != nil {
return nil, nil, err
}
- log.Debug("Filtered out CSR PEM: ", "bytes", csrBytes)
+ log.Debug("Filtered out CSR PEM: ", "bytes", filteredCsrBytes)
response, err := ca.certServiceClient.GetCertificates(filteredCsrBytes, privateKeyBytes)
if err != nil {
filteredCsr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
Subject: filteredSubject,
DNSNames: csr.DNSNames,
+ IPAddresses: csr.IPAddresses,
+ URIs: csr.URIs,
+ EmailAddresses: csr.EmailAddresses,
}, key)
if err != nil {
return nil, err
filteredCsr := parseCsrBytes(filteredCsrBytes)
assert.Equal(t, originalCsr.DNSNames, filteredCsr.DNSNames)
+ assert.Equal(t, originalCsr.URIs, filteredCsr.URIs)
+ assert.Equal(t, originalCsr.EmailAddresses, filteredCsr.EmailAddresses)
+ assert.Equal(t, originalCsr.IPAddresses, filteredCsr.IPAddresses)
assert.Equal(t, originalCsr.PublicKey, filteredCsr.PublicKey)
assert.Equal(t, originalCsr.PublicKeyAlgorithm, filteredCsr.PublicKeyAlgorithm)
assert.Equal(t, originalCsr.SignatureAlgorithm, filteredCsr.SignatureAlgorithm)
func assertFilteredFieldsEmpty(t *testing.T, csrBytes []byte) {
csr := parseCsrBytes(csrBytes)
- assert.Nil(t, csr.URIs)
- assert.Nil(t, csr.EmailAddresses)
- assert.Nil(t, csr.IPAddresses)
assert.Nil(t, csr.Subject.PostalCode)
assert.Equal(t, "", csr.Subject.SerialNumber)
assert.Nil(t, csr.Subject.StreetAddress)
Code Review / oom / platform / cert-service.git / commitdiff