authorShelley-BaoYue <baoyue2@huawei.com>2023-12-09 17:09:00 +0800
committerShelley-BaoYue <baoyue2@huawei.com>2023-12-15 11:12:00 +0800
commit6be7475fa25478626132f8613868ff9730931698 (patch)
treea54654a3bc3e4844356130d3968f47b863e1261c /cloud
parentMerge pull request #5278 from fisherxu/fix-slack (diff)
downloadkubeedge-6be7475fa25478626132f8613868ff9730931698.tar.gz
change the edgecert subject
Signed-off-by: Shelley-BaoYue <baoyue2@huawei.com>
Diffstat (limited to 'cloud')
-rw-r--r--cloud/pkg/cloudhub/servers/httpserver/server.go31
1 files changed, 23 insertions, 8 deletions
diff --git a/cloud/pkg/cloudhub/servers/httpserver/server.go b/cloud/pkg/cloudhub/servers/httpserver/server.go
index 0104c8045..1ae061770 100644
--- a/cloud/pkg/cloudhub/servers/httpserver/server.go
+++ b/cloud/pkg/cloudhub/servers/httpserver/server.go
@@ -36,6 +36,7 @@ import (
hubconfig "github.com/kubeedge/kubeedge/cloud/pkg/cloudhub/config"
"github.com/kubeedge/kubeedge/common/constants"
+ "github.com/kubeedge/kubeedge/common/types"
)
// StartHTTPServer starts the http service
@@ -86,9 +87,10 @@ func EncodeCertPEM(cert *x509.Certificate) []byte {
// edgeCoreClientCert will verify the certificate of EdgeCore or token then create EdgeCoreCert and return it
func edgeCoreClientCert(request *restful.Request, response *restful.Response) {
+ nodeName := request.Request.Header.Get(types.NodeNameKey)
if cert := request.Request.TLS.PeerCertificates; len(cert) > 0 {
- if err := verifyCert(cert[0]); err != nil {
- klog.Errorf("failed to sign the certificate for edgenode: %s, failed to verify the certificate", request.Request.Header.Get(constants.NodeName))
+ if err := verifyCert(cert[0], nodeName); err != nil {
+ klog.Errorf("failed to sign the certificate for edgenode: %s, failed to verify the certificate", nodeName)
response.WriteHeader(http.StatusUnauthorized)
if _, err := response.Write([]byte(err.Error())); err != nil {
klog.Errorf("failed to write response, err: %v", err)
@@ -101,12 +103,12 @@ func edgeCoreClientCert(request *restful.Request, response *restful.Response) {
if verifyAuthorization(response, request.Request) {
signEdgeCert(response, request.Request)
} else {
- klog.Errorf("failed to sign the certificate for edgenode: %s, invalid token", request.Request.Header.Get(constants.NodeName))
+ klog.Errorf("failed to sign the certificate for edgenode: %s, invalid token", nodeName)
}
}
// verifyCert verifies the edge certificate by CA certificate when edge certificates rotate.
-func verifyCert(cert *x509.Certificate) error {
+func verifyCert(cert *x509.Certificate, nodeName string) error {
roots := x509.NewCertPool()
ok := roots.AppendCertsFromPEM(pem.EncodeToMemory(&pem.Block{Type: certutil.CertificateBlockType, Bytes: hubconfig.Config.Ca}))
if !ok {
@@ -119,7 +121,20 @@ func verifyCert(cert *x509.Certificate) error {
if _, err := cert.Verify(opts); err != nil {
return fmt.Errorf("failed to verify edge certificate: %v", err)
}
- return nil
+ return verifyCertSubject(cert, nodeName)
+}
+
+func verifyCertSubject(cert *x509.Certificate, nodeName string) error {
+ if cert.Subject.Organization[0] == "KubeEdge" && cert.Subject.CommonName == "kubeedge.io" {
+ // In order to maintain compatibility with older versions of certificates
+ // this condition will be removed in KubeEdge v1.18.
+ return nil
+ }
+ commonName := fmt.Sprintf("system:node:%s", nodeName)
+ if cert.Subject.Organization[0] == "system:nodes" && cert.Subject.CommonName == commonName {
+ return nil
+ }
+ return fmt.Errorf("request node name is not match with the certificate")
}
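Review bot: `verifyCertSubject` indexes `cert.Subject.Organization[0]` twice without checking that the slice is non-empty, so a CA-verified client certificate whose subject carries no O= attribute makes the handler panic instead of returning the mismatch error. Guard it once at the top of the function, `if len(cert.Subject.Organization) == 0 { return fmt.Errorf("certificate subject has no organization") }`, and bind `org := cert.Subject.Organization[0]` for the two comparisons. The legacy branch deliberately accepts O=KubeEdge/CN=kubeedge.io without binding to `nodeName`; the comment says when it goes away, so it might also say what it is compatible with, e.g. `// certificates issued before the per-node subject was introduced carry this fixed subject`. The final error string would read better as `"request node name does not match the certificate subject"`.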
// verifyAuthorization verifies the token from EdgeCore CSR
@@ -177,12 +192,12 @@ func signEdgeCert(w http.ResponseWriter, r *http.Request) {
r.Body = http.MaxBytesReader(w, r.Body, constants.MaxRespBodyLength)
csrContent, err := io.ReadAll(r.Body)
if err != nil {
- klog.Errorf("fail to read file when signing the cert for edgenode:%s! error:%v", r.Header.Get(constants.NodeName), err)
+ klog.Errorf("fail to read file when signing the cert for edgenode:%s! error:%v", r.Header.Get(types.NodeNameKey), err)
return
}
csr, err := x509.ParseCertificateRequest(csrContent)
if err != nil {
- klog.Errorf("fail to ParseCertificateRequest of edgenode: %s! error:%v", r.Header.Get(constants.NodeName), err)
+ klog.Errorf("fail to ParseCertificateRequest of edgenode: %s! error:%v", r.Header.Get(types.NodeNameKey), err)
return
}
usagesStr := r.Header.Get("ExtKeyUsages")
@@ -199,7 +214,7 @@ func signEdgeCert(w http.ResponseWriter, r *http.Request) {
klog.V(4).Infof("receive sign crt request, ExtKeyUsages: %v", usages)
clientCertDER, err := signCerts(csr.Subject, csr.PublicKey, usages)
if err != nil {
- klog.Errorf("fail to signCerts for edgenode:%s! error:%v", r.Header.Get(constants.NodeName), err)
+ klog.Errorf("fail to signCerts for edgenode:%s! error:%v", r.Header.Get(types.NodeNameKey), err)
return
}