From e39f7a2b6d12872fc2dcda77f522b9409edc1fbf Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Tue, 28 May 2024 01:34:17 +0600
Subject: [PATCH] Generate file name using openssl hash command

Signed-off-by: Tamal Saha
---
 Dockerfile.dbg | 2 +-
 Dockerfile.in | 2 +-
 pkg/driver/nodeserver.go | 62 +++++++++++++++++++++-------------------
 3 files changed, 34 insertions(+), 32 deletions(-)

diff --git a/Dockerfile.dbg b/Dockerfile.dbg
index d4d70c6c..a9b4eac8 100644
--- a/Dockerfile.dbg
+++ b/Dockerfile.dbg
@@ -21,7 +21,7 @@ LABEL org.opencontainers.image.source https://github.com/kubeops/csi-driver-cace
 RUN set -x \
 && apt-get update \
- && apt-get install -y --no-install-recommends apt-transport-https ca-certificates
+ && apt-get install -y --no-install-recommends apt-transport-https ca-certificates openssl
 ADD bin/{ARG_OS}_{ARG_ARCH}/{ARG_BIN} /{ARG_BIN}
 COPY --from=java /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts
diff --git a/Dockerfile.in b/Dockerfile.in
index bc61c9db..b10c1ca7 100644
--- a/Dockerfile.in
+++ b/Dockerfile.in
@@ -21,7 +21,7 @@ LABEL org.opencontainers.image.source https://github.com/kubeops/csi-driver-cace
 RUN set -x \
 && apt-get update \
- && apt-get install -y --no-install-recommends apt-transport-https ca-certificates
+ && apt-get install -y --no-install-recommends apt-transport-https ca-certificates openssl
 ADD bin/{ARG_OS}_{ARG_ARCH}/{ARG_BIN} /{ARG_BIN}
 COPY --from=java /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts
diff --git a/pkg/driver/nodeserver.go b/pkg/driver/nodeserver.go
index f78f7cbe..49e7d697 100644
--- a/pkg/driver/nodeserver.go
+++ b/pkg/driver/nodeserver.go
@@ -18,13 +18,11 @@ package driver
 import (
 "bytes"
- "crypto/md5"
- "crypto/sha1"
 "crypto/x509"
- "encoding/hex"
 "encoding/pem"
 "fmt"
 "os"
+ "os/exec"
 "path/filepath"
 "sort"
 "strings"
@@ -382,35 +380,19 @@ func updateCACerts(certs map[uint64]*x509.Certificate, osFamily OsFamily, srcDir
 switch osFamily {
 case OsFamilyDebian, OsFamilyUbuntu, OsFamilyAlpine, OsFamilyOpensuse:
- // https://www.openssl.org/docs/man3.0/man1/openssl-rehash.html
- // https://chatgpt.com/share/dc051bec-7cc5-4ddf-82bf-6a0235efee48
- addPayload := func(ca *x509.Certificate, payload map[string]atomic_writer.FileProjection, hashCertificate func(cert *x509.Certificate) string) {
- hash := hashCertificate(ca)
- seq := 0
- for {
- key := fmt.Sprintf("%s.%d", hash, seq)
- _, found := payload[key]
- if found {
- seq++
- continue
- }
- payload[key] = atomic_writer.FileProjection{Data: pemBuf.Bytes(), Mode: 0o444}
- klog.Info("writing key=", key)
- break
+ hash := opensslHash(pemBuf.Bytes())
+ seq := 0
+ for {
+ key := fmt.Sprintf("%s.%d", hash, seq)
+ _, found := payload[key]
+ if found {
+ seq++
+ continue
+ }
+ payload[key] = atomic_writer.FileProjection{Data: pemBuf.Bytes(), Mode: 0o444}
+ klog.Info("writing key=", key)
+ break
 }
-
- // md5
- addPayload(ca, payload, func(cert *x509.Certificate) string {
- hash := md5.Sum(cert.RawSubject)
- return hex.EncodeToString(hash[:])[:8]
- })
-
- // sha-1
- addPayload(ca, payload, func(cert *x509.Certificate) string {
- hash := sha1.Sum(cert.RawSubject)
- return hex.EncodeToString(hash[:])[:8]
- })
 }
 caBuf.Write(pemBuf.Bytes())
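Review bot: The key built at `key := fmt.Sprintf("%s.%d", hash, seq)` embeds a line break, because `openssl x509 -hash -noout` terminates its output with a newline and opensslHash (added in the last hunk) returns its stdout untouched, so the payload entries come out as `<hash>\n.0` rather than `<hash>.0` and a lookup by the rehash-style file name will not find them. Trim the output before it becomes part of a file name, e.g. `hash := strings.TrimSpace(opensslHash(pemBuf.Bytes()))` (strings is already imported by this file), or do the trim inside opensslHash. updateCACerts begins and ends outside this hunk.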
@@ -464,3 +446,23 @@ func updateCACerts(certs map[uint64]*x509.Certificate, osFamily OsFamily, srcDir
 }
 return nil
 }
+
+// https://www.openssl.org/docs/man3.0/man1/openssl-rehash.html
+// https://github.com/openssl/openssl/blob/05faa4ffee7f20fcee129f77d153f2dcc609bdc8/crypto/x509/x509_cmp.c#L289
+// https://github.com/openssl/openssl/blob/05faa4ffee7f20fcee129f77d153f2dcc609bdc8/crypto/x509/x_name.c#L310
+// https://stackoverflow.com/a/71004482/244009
+// https://stackoverflow.com/a/19972185/244009
+// Note: Could not write a Go program equivalent to the openssl command. So, just shelling out.
+func opensslHash(pemBytes []byte) string {
+ cmd := exec.Command("openssl", "x509", "-hash", "-noout")
+
+ var out bytes.Buffer
+ cmd.Stdout = &out
+ cmd.Stdin = bytes.NewReader(pemBytes)
+
+ err := cmd.Run()
+ if err != nil {
+ panic(err)
+ }
+ return out.String()
+}
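Review bot: opensslHash turns every failure of the shelled-out command into a process-wide panic at `panic(err)`, so a single certificate that openssl cannot parse in an input bundle, or an image where the openssl binary is missing, takes down the whole node driver instead of failing that one update; since updateCACerts already returns an error, the helper should return `(string, error)` and let the caller propagate it. Capturing stderr separately makes that error actionable (cmd.Run's error alone is just the exit status), and trimming stdout removes the trailing newline the command prints. The call site in the previous hunk then becomes `hash, err := opensslHash(pemBuf.Bytes())` followed by an error return. The link-only comment block would also read better behind a doc comment that starts with the name, e.g. `// opensslHash returns the hash printed by "openssl x509 -hash -noout" for a PEM-encoded certificate; it is used as the file-name stem for the rehash-style CA directory.`
```go
func opensslHash(pemBytes []byte) (string, error) {
	cmd := exec.Command("openssl", "x509", "-hash", "-noout")

	var stdout, stderr bytes.Buffer
	cmd.Stdout = &stdout
	cmd.Stderr = &stderr
	cmd.Stdin = bytes.NewReader(pemBytes)

	// A non-zero exit (unparsable PEM, missing binary) is reported to the
	// caller rather than crashing the driver; stderr carries openssl's reason.
	if err := cmd.Run(); err != nil {
		return "", fmt.Errorf("running openssl x509 -hash: %w: %s", err, strings.TrimSpace(stderr.String()))
	}
	// openssl terminates the hash with a newline; strip it so the value is safe as a file-name stem.
	return strings.TrimSpace(stdout.String()), nil
}
```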