From 3add8772857be0f19736ec22d2b0bbf59ef5f9a2 Mon Sep 17 00:00:00 2001
From: khalid-jobs
Date: Mon, 27 Sep 2021 10:24:23 +0800
Subject: perf: cloudcore ecertificate application restful api supports certificate usages

The certificate usages signed by the current cloudcore certificate application restful api are all x509.ExtKeyUsageClientAuth. By adding the certificate usage parameter, the client(such as edgemesh-server and edgemesh-agent) are allowed to apply for different usages of certificates.

Signed-off-by: khalid-jobs
---
 cloud/pkg/cloudhub/servers/httpserver/server.go | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/cloud/pkg/cloudhub/servers/httpserver/server.go b/cloud/pkg/cloudhub/servers/httpserver/server.go
index 443a818f9..53bf1b779 100644
--- a/cloud/pkg/cloudhub/servers/httpserver/server.go
+++ b/cloud/pkg/cloudhub/servers/httpserver/server.go
@@ -22,6 +22,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
+	"encoding/json"
 	"encoding/pem"
 	"fmt"
 	"io/ioutil"
@@ -180,8 +181,19 @@ func signEdgeCert(w http.ResponseWriter, r *http.Request) {
 		klog.Errorf("fail to ParseCertificateRequest of edgenode: %s! error:%v", r.Header.Get(constants.NodeName), err)
 		return
 	}
-	subject := csr.Subject
-	clientCertDER, err := signCerts(subject, csr.PublicKey)
+	usagesStr := r.Header.Get("ExtKeyUsages")
+	var usages []x509.ExtKeyUsage
+	if usagesStr == "" {
+		usages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
+	} else {
+		err := json.Unmarshal([]byte(usagesStr), &usages)
+		if err != nil {
+			klog.Errorf("unmarshal http header ExtKeyUsages fail, err: %v", err)
+			return
+		}
+	}
+	klog.V(4).Infof("receive sign crt request, ExtKeyUsages: %v", usages)
+	clientCertDER, err := signCerts(csr.Subject, csr.PublicKey, usages)
 	if err != nil {
 		klog.Errorf("fail to signCerts for edgenode:%s! error:%v", r.Header.Get(constants.NodeName), err)
 		return
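Review bot: The decoded `ExtKeyUsages` header is handed to `signCerts` without an allow-list, so whoever reaches this handler chooses which extended key usages the cloud CA signs — including `x509.ExtKeyUsageServerAuth` or `x509.ExtKeyUsageAny` — whereas the removed lines only ever issued client-auth certificates. The start of signEdgeCert is outside the hunk, so it may well authenticate the node before this point, but authentication bounds who may ask, not what may be asked for; each decoded value should be checked against the small set this API is meant to issue (the description names edgemesh server/agent needs) and anything else rejected and logged with the node name. The `json.Unmarshal` error path also returns without writing a status, so a malformed header produces an empty 200 rather than a 4xx, and a header of `[]` passes the empty-string test and reaches `signCerts` with no usages at all. A rewrite of the header handling along these lines (the allow-list name is a constructed placeholder to be declared at package scope):
```go
	// … unchanged: CSR parsing …
	usagesStr := r.Header.Get("ExtKeyUsages")
	usages := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	if usagesStr != "" {
		if err := json.Unmarshal([]byte(usagesStr), &usages); err != nil {
			klog.Errorf("unmarshal http header ExtKeyUsages fail, err: %v", err)
			http.Error(w, "invalid ExtKeyUsages header", http.StatusBadRequest)
			return
		}
	}
	if len(usages) == 0 {
		http.Error(w, "ExtKeyUsages must not be empty", http.StatusBadRequest)
		return
	}
	for _, u := range usages {
		// allowedExtKeyUsages: package-scope map[x509.ExtKeyUsage]bool holding only the usages this endpoint issues (never ExtKeyUsageAny)
		if !allowedExtKeyUsages[u] {
			klog.Errorf("rejected ExtKeyUsage %v requested by edgenode %s", u, r.Header.Get(constants.NodeName))
			http.Error(w, "unsupported ExtKeyUsages value", http.StatusForbidden)
			return
		}
	}
	// … unchanged: debug log and signCerts call …
```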
@@ -193,11 +205,11 @@ func signEdgeCert(w http.ResponseWriter, r *http.Request) {
 }

 // signCerts will create a certificate for EdgeCore
-func signCerts(subInfo pkix.Name, pbKey crypto.PublicKey) ([]byte, error) {
+func signCerts(subInfo pkix.Name, pbKey crypto.PublicKey, usages []x509.ExtKeyUsage) ([]byte, error) {
 	cfgs := &certutil.Config{
 		CommonName:   subInfo.CommonName,
 		Organization: subInfo.Organization,
-		Usages:       []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+		Usages:       usages,
 	}
 	clientKey := pbKey
-- 
cgit v1.2.3
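Review bot: The doc comment `// signCerts will create a certificate for EdgeCore` is now stale: the function gained a `usages` parameter that it copies verbatim into `certutil.Config.Usages`, and nothing in this hunk validates it, so the contract should say so, e.g. `// signCerts creates a certificate for EdgeCore with the given subject, public key and extended key usages. It performs no validation of usages; callers must restrict them before calling.` Since an empty slice would otherwise produce a certificate with no EKU at all, a guard at the top of the function, `if len(usages) == 0 { return nil, fmt.Errorf("no ExtKeyUsage specified for %q", subInfo.CommonName) }`, keeps the signer safe regardless of which handler calls it (`fmt` is already imported). The body of signCerts continues past the end of the hunk.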