// ParseAndLoad converts HashAlgo and KeyAlgo to corresponding ubiquity value and load
// certificates into internal KeyStore from KeyStoreFiles
func (p *Platform) ParseAndLoad() (ok bool) {
p.HashUbiquity = p.hashUbiquity()
p.KeyAlgoUbiquity = p.keyAlgoUbiquity()
p.KeyStore = map[string]bool{}
pemBytes, err := ioutil.ReadFile(p.KeyStoreFile)
if err != nil {
return false
}
// Best effort parsing the PEMs such that ignore all borken pem,
// since some of CA certs have negative serial number which trigger errors.
for len(pemBytes) > 0 {
var cert *x509.Certificate
cert, rest, err := helpers.ParseOneCertificateFromPEM(pemBytes)
// If one cert is parsed, record the raw SHA1 hash.
if err == nil && cert != nil {
p.KeyStore.Add(cert)
}
if len(rest) < len(pemBytes) {
pemBytes = rest
} else {
// No progress in bytes parsing, bail out.
break
}
}
if p.HashUbiquity <= UnknownHashUbiquity ||
p.KeyAlgoUbiquity <= UnknownAlgoUbiquity ||
len(p.KeyStore) == 0 {
return false
}
return true
}
// ParseValidateAndSignCSR returns a signed certificate from a particular rootCA and a CSR.
func (rca *RootCA) ParseValidateAndSignCSR(csrBytes []byte, cn, ou, org string) ([]byte, error) {
if !rca.CanSign() {
return nil, ErrNoValidSigner
}
// All managers get added the subject-alt-name of CA, so they can be used for cert issuance
hosts := []string{ou}
if ou == ManagerRole {
hosts = append(hosts, CARole)
}
cert, err := rca.Signer.Sign(cfsigner.SignRequest{
Request: string(csrBytes),
// OU is used for Authentication of the node type. The CN has the random
// node ID.
Subject: &cfsigner.Subject{CN: cn, Names: []cfcsr.Name{{OU: ou, O: org}}},
// Adding ou as DNS alt name, so clients can connect to ManagerRole and CARole
Hosts: hosts,
})
if err != nil {
log.Debugf("failed to sign node certificate: %v", err)
return nil, err
}
// Append the first root CA Cert to the certificate, to create a valid chain
// Get the first Root CA Cert on the bundle
firstRootCA, _, err := helpers.ParseOneCertificateFromPEM(rca.Cert)
if err != nil {
return nil, err
}
if len(firstRootCA) < 1 {
return nil, fmt.Errorf("no valid Root CA certificates found")
}
// Convert the first root CA back to PEM
firstRootCAPEM := helpers.EncodeCertificatePEM(firstRootCA[0])
if firstRootCAPEM == nil {
return nil, fmt.Errorf("error while encoding the Root CA certificate")
}
// Append this Root CA to the certificate to make [Cert PEM]\n[Root PEM][EOF]
certChain := append(cert, firstRootCAPEM...)
return certChain, nil
}
// AppendFirstRootPEM appends the first certificate from this RootCA's cert
// bundle to the given cert bundle (which should already be encoded as a series
// of PEM-encoded certificate blocks).
func (rca *RootCA) AppendFirstRootPEM(cert []byte) ([]byte, error) {
// Append the first root CA Cert to the certificate, to create a valid chain
// Get the first Root CA Cert on the bundle
firstRootCA, _, err := helpers.ParseOneCertificateFromPEM(rca.Cert)
if err != nil {
return nil, err
}
if len(firstRootCA) < 1 {
return nil, errors.New("no valid Root CA certificates found")
}
// Convert the first root CA back to PEM
firstRootCAPEM := helpers.EncodeCertificatePEM(firstRootCA[0])
if firstRootCAPEM == nil {
return nil, errors.New("error while encoding the Root CA certificate")
}
// Append this Root CA to the certificate to make [Cert PEM]\n[Root PEM][EOF]
certChain := append(cert, firstRootCAPEM...)
return certChain, nil
}
// ParseAndLoad converts HashAlgo and KeyAlgo to corresponding ubiquity value and load
// certificates into internal KeyStore from KeyStoreFiles
func (p *Platform) ParseAndLoad() (ok bool) {
p.HashUbiquity = p.hashUbiquity()
p.KeyAlgoUbiquity = p.keyAlgoUbiquity()
p.KeyStore = map[string]bool{}
if p.KeyStoreFile != "" {
pemBytes, err := ioutil.ReadFile(p.KeyStoreFile)
if err != nil {
log.Error(err)
return false
}
// Best effort parsing the PEMs such that ignore all borken pem,
// since some of CA certs have negative serial number which trigger errors.
for len(pemBytes) > 0 {
var certs []*x509.Certificate
certs, rest, err := helpers.ParseOneCertificateFromPEM(pemBytes)
// If one certificate object is parsed, possibly a PKCS#7
// structure containing multiple certs, record the raw SHA1 hash(es).
if err == nil && certs != nil {
for _, cert := range certs {
p.KeyStore.Add(cert)
}
}
if len(rest) < len(pemBytes) {
pemBytes = rest
} else {
// No progress in bytes parsing, bail out.
break
}
}
}
if p.HashUbiquity <= UnknownHashUbiquity ||
p.KeyAlgoUbiquity <= UnknownAlgoUbiquity {
return false
}
return true
}
