authorShelley-BaoYue <baoyue2@huawei.com>2023-12-09 17:09:00 +0800
committerShelley-BaoYue <baoyue2@huawei.com>2023-12-15 11:12:00 +0800
commit6be7475fa25478626132f8613868ff9730931698 (patch)
treea54654a3bc3e4844356130d3968f47b863e1261c
parentMerge pull request #5278 from fisherxu/fix-slack (diff)
downloadkubeedge-6be7475fa25478626132f8613868ff9730931698.tar.gz
change the edgecert subject
Signed-off-by: Shelley-BaoYue <baoyue2@huawei.com>
-rw-r--r--cloud/pkg/cloudhub/servers/httpserver/server.go31
-rw-r--r--common/constants/default.go3
-rw-r--r--common/types/http.go1
-rw-r--r--edge/pkg/edgehub/certificate/certmanager.go4
-rw-r--r--edge/pkg/edgehub/common/http/http.go4
5 files changed, 29 insertions, 14 deletions
diff --git a/cloud/pkg/cloudhub/servers/httpserver/server.go b/cloud/pkg/cloudhub/servers/httpserver/server.go
index 0104c8045..1ae061770 100644
--- a/cloud/pkg/cloudhub/servers/httpserver/server.go
+++ b/cloud/pkg/cloudhub/servers/httpserver/server.go
@@ -36,6 +36,7 @@ import (
hubconfig "github.com/kubeedge/kubeedge/cloud/pkg/cloudhub/config"
"github.com/kubeedge/kubeedge/common/constants"
+ "github.com/kubeedge/kubeedge/common/types"
)
// StartHTTPServer starts the http service
@@ -86,9 +87,10 @@ func EncodeCertPEM(cert *x509.Certificate) []byte {
// edgeCoreClientCert will verify the certificate of EdgeCore or token then create EdgeCoreCert and return it
func edgeCoreClientCert(request *restful.Request, response *restful.Response) {
+ nodeName := request.Request.Header.Get(types.NodeNameKey)
if cert := request.Request.TLS.PeerCertificates; len(cert) > 0 {
- if err := verifyCert(cert[0]); err != nil {
- klog.Errorf("failed to sign the certificate for edgenode: %s, failed to verify the certificate", request.Request.Header.Get(constants.NodeName))
+ if err := verifyCert(cert[0], nodeName); err != nil {
+ klog.Errorf("failed to sign the certificate for edgenode: %s, failed to verify the certificate", nodeName)
response.WriteHeader(http.StatusUnauthorized)
if _, err := response.Write([]byte(err.Error())); err != nil {
klog.Errorf("failed to write response, err: %v", err)
@@ -101,12 +103,12 @@ func edgeCoreClientCert(request *restful.Request, response *restful.Response) {
if verifyAuthorization(response, request.Request) {
signEdgeCert(response, request.Request)
} else {
- klog.Errorf("failed to sign the certificate for edgenode: %s, invalid token", request.Request.Header.Get(constants.NodeName))
+ klog.Errorf("failed to sign the certificate for edgenode: %s, invalid token", nodeName)
}
}
// verifyCert verifies the edge certificate by CA certificate when edge certificates rotate.
-func verifyCert(cert *x509.Certificate) error {
+func verifyCert(cert *x509.Certificate, nodeName string) error {
roots := x509.NewCertPool()
ok := roots.AppendCertsFromPEM(pem.EncodeToMemory(&pem.Block{Type: certutil.CertificateBlockType, Bytes: hubconfig.Config.Ca}))
if !ok {
@@ -119,7 +121,20 @@ func verifyCert(cert *x509.Certificate) error {
if _, err := cert.Verify(opts); err != nil {
return fmt.Errorf("failed to verify edge certificate: %v", err)
}
- return nil
+ return verifyCertSubject(cert, nodeName)
+}
+
+func verifyCertSubject(cert *x509.Certificate, nodeName string) error {
+ if cert.Subject.Organization[0] == "KubeEdge" && cert.Subject.CommonName == "kubeedge.io" {
+ // In order to maintain compatibility with older versions of certificates
+ // this condition will be removed in KubeEdge v1.18.
+ return nil
+ }
+ commonName := fmt.Sprintf("system:node:%s", nodeName)
+ if cert.Subject.Organization[0] == "system:nodes" && cert.Subject.CommonName == commonName {
+ return nil
+ }
+ return fmt.Errorf("request node name is not match with the certificate")
}
// verifyAuthorization verifies the token from EdgeCore CSR
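Review bot: `cert.Subject.Organization[0]` in verifyCertSubject indexes without a length check, so a peer certificate whose subject carries no Organization entry would panic inside the request handler instead of being rejected; add `if len(cert.Subject.Organization) == 0 { return fmt.Errorf("certificate subject has no organization") }` before the first comparison. The compatibility branch accepts any `KubeEdge`/`kubeedge.io` certificate without consulting nodeName, so until it is removed in v1.18 the node-name binding only applies to new-format certificates; stating that in the existing comment would make the residual gap explicit for whoever removes it. If signCerts preserves the CSR subject (it is called with `csr.Subject` later in this file), older edge certificates carry Organization `kubeEdge` (lower-case e, the value replaced in certmanager.go) rather than `KubeEdge`, in which case the compatibility comparison would never match and rotation of legacy certificates would fail — worth confirming against signCerts. The final error string reads better as `request node name does not match the certificate`.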
@@ -177,12 +192,12 @@ func signEdgeCert(w http.ResponseWriter, r *http.Request) {
r.Body = http.MaxBytesReader(w, r.Body, constants.MaxRespBodyLength)
csrContent, err := io.ReadAll(r.Body)
if err != nil {
- klog.Errorf("fail to read file when signing the cert for edgenode:%s! error:%v", r.Header.Get(constants.NodeName), err)
+ klog.Errorf("fail to read file when signing the cert for edgenode:%s! error:%v", r.Header.Get(types.NodeNameKey), err)
return
}
csr, err := x509.ParseCertificateRequest(csrContent)
if err != nil {
- klog.Errorf("fail to ParseCertificateRequest of edgenode: %s! error:%v", r.Header.Get(constants.NodeName), err)
+ klog.Errorf("fail to ParseCertificateRequest of edgenode: %s! error:%v", r.Header.Get(types.NodeNameKey), err)
return
}
usagesStr := r.Header.Get("ExtKeyUsages")
@@ -199,7 +214,7 @@ func signEdgeCert(w http.ResponseWriter, r *http.Request) {
klog.V(4).Infof("receive sign crt request, ExtKeyUsages: %v", usages)
clientCertDER, err := signCerts(csr.Subject, csr.PublicKey, usages)
if err != nil {
- klog.Errorf("fail to signCerts for edgenode:%s! error:%v", r.Header.Get(constants.NodeName), err)
+ klog.Errorf("fail to signCerts for edgenode:%s! error:%v", r.Header.Get(types.NodeNameKey), err)
return
}
diff --git a/common/constants/default.go b/common/constants/default.go
index d3ecf7203..a19b47ce7 100644
--- a/common/constants/default.go
+++ b/common/constants/default.go
@@ -11,9 +11,6 @@ const (
// SyncController
DefaultContextSendModuleName = "cloudhub"
- // NodeName is for the clearer log of cloudcore.
- NodeName = "NodeName"
-
ProjectName = "KubeEdge"
SystemName = "kubeedge"
diff --git a/common/types/http.go b/common/types/http.go
index 21a4ed7c2..c001b44ac 100644
--- a/common/types/http.go
+++ b/common/types/http.go
@@ -19,4 +19,5 @@ type HTTPResponse struct {
const (
AuthorizationKey = "Authorization"
+ NodeNameKey = "NodeName"
)
diff --git a/edge/pkg/edgehub/certificate/certmanager.go b/edge/pkg/edgehub/certificate/certmanager.go
index d9e974f19..fb7bc5d1f 100644
--- a/edge/pkg/edgehub/certificate/certmanager.go
+++ b/edge/pkg/edgehub/certificate/certmanager.go
@@ -66,10 +66,10 @@ func NewCertManager(edgehub v1alpha2.EdgeHub, nodename string) CertManager {
certReq := &x509.CertificateRequest{
Subject: pkix.Name{
Country: []string{"CN"},
- Organization: []string{"kubeEdge"},
+ Organization: []string{"system:nodes"},
Locality: []string{"Hangzhou"},
Province: []string{"Zhejiang"},
- CommonName: "kubeedge.io",
+ CommonName: fmt.Sprintf("system:node:%s", nodename),
},
}
return CertManager{
diff --git a/edge/pkg/edgehub/common/http/http.go b/edge/pkg/edgehub/common/http/http.go
index b5664643d..4f8315bc0 100644
--- a/edge/pkg/edgehub/common/http/http.go
+++ b/edge/pkg/edgehub/common/http/http.go
@@ -10,6 +10,8 @@ import (
"time"
"k8s.io/klog/v2"
+
+ "github.com/kubeedge/kubeedge/common/types"
)
const (
@@ -100,7 +102,7 @@ func BuildRequest(method string, urlStr string, body io.Reader, token string, no
req.Header.Add("Authorization", bearerToken)
}
if nodeName != "" {
- req.Header.Add("NodeName", nodeName)
+ req.Header.Add(types.NodeNameKey, nodeName)
}
return req, nil
}