kubeops · tamalsaha · May 27, 2024 · May 27, 2024
diff --git a/Dockerfile.dbg b/Dockerfile.dbg
@@ -21,7 +21,7 @@ LABEL org.opencontainers.image.source https://github.com/kubeops/csi-driver-cace
 
 RUN set -x \
   && apt-get update \
-  && apt-get install -y --no-install-recommends apt-transport-https ca-certificates
+  && apt-get install -y --no-install-recommends apt-transport-https ca-certificates openssl
 
 ADD bin/{ARG_OS}_{ARG_ARCH}/{ARG_BIN} /{ARG_BIN}
 COPY --from=java /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts

diff --git a/Dockerfile.in b/Dockerfile.in
@@ -21,7 +21,7 @@ LABEL org.opencontainers.image.source https://github.com/kubeops/csi-driver-cace
 
 RUN set -x \
   && apt-get update \
-  && apt-get install -y --no-install-recommends apt-transport-https ca-certificates
+  && apt-get install -y --no-install-recommends apt-transport-https ca-certificates openssl
 
 ADD bin/{ARG_OS}_{ARG_ARCH}/{ARG_BIN} /{ARG_BIN}
 COPY --from=java /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts

diff --git a/pkg/driver/nodeserver.go b/pkg/driver/nodeserver.go
@@ -18,13 +18,11 @@ package driver
 
 import (
 	"bytes"
-	"crypto/md5"
-	"crypto/sha1"
 	"crypto/x509"
-	"encoding/hex"
 	"encoding/pem"
 	"fmt"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"sort"
 	"strings"
@@ -382,35 +380,19 @@ func updateCACerts(certs map[uint64]*x509.Certificate, osFamily OsFamily, srcDir
 
 		switch osFamily {
 		case OsFamilyDebian, OsFamilyUbuntu, OsFamilyAlpine, OsFamilyOpensuse:
-			// https://www.openssl.org/docs/man3.0/man1/openssl-rehash.html
-			// https://chatgpt.com/share/dc051bec-7cc5-4ddf-82bf-6a0235efee48
-			addPayload := func(ca *x509.Certificate, payload map[string]atomic_writer.FileProjection, hashCertificate func(cert *x509.Certificate) string) {
-				hash := hashCertificate(ca)
-				seq := 0
-				for {
-					key := fmt.Sprintf("%s.%d", hash, seq)
-					_, found := payload[key]
-					if found {
-						seq++
-						continue
-					}
-					payload[key] = atomic_writer.FileProjection{Data: pemBuf.Bytes(), Mode: 0o444}
-					klog.Info("writing key=", key)
-					break
+			hash := opensslHash(pemBuf.Bytes())
+			seq := 0
+			for {
+				key := fmt.Sprintf("%s.%d", hash, seq)
+				_, found := payload[key]
+				if found {
+					seq++
+					continue
 				}
+				payload[key] = atomic_writer.FileProjection{Data: pemBuf.Bytes(), Mode: 0o444}
+				klog.Info("writing key=", key)
+				break
 			}
-
-			// md5
-			addPayload(ca, payload, func(cert *x509.Certificate) string {
-				hash := md5.Sum(cert.RawSubject)
-				return hex.EncodeToString(hash[:])[:8]
-			})
-
-			// sha-1
-			addPayload(ca, payload, func(cert *x509.Certificate) string {
-				hash := sha1.Sum(cert.RawSubject)
-				return hex.EncodeToString(hash[:])[:8]
-			})
 		}
 
 		caBuf.Write(pemBuf.Bytes())
@@ -464,3 +446,23 @@ func updateCACerts(certs map[uint64]*x509.Certificate, osFamily OsFamily, srcDir
 	}
 	return nil
 }
+
+// https://www.openssl.org/docs/man3.0/man1/openssl-rehash.html
+// https://github.com/openssl/openssl/blob/05faa4ffee7f20fcee129f77d153f2dcc609bdc8/crypto/x509/x509_cmp.c#L289
+// https://github.com/openssl/openssl/blob/05faa4ffee7f20fcee129f77d153f2dcc609bdc8/crypto/x509/x_name.c#L310
+// https://stackoverflow.com/a/71004482/244009
+// https://stackoverflow.com/a/19972185/244009
+// Note: Could not write a Go program equivalent to the openssl command. So, just shelling out.
+func opensslHash(pemBytes []byte) string {
+	cmd := exec.Command("openssl", "x509", "-hash", "-noout")
+
+	var out bytes.Buffer
+	cmd.Stdout = &out
+	cmd.Stdin = bytes.NewReader(pemBytes)
+
+	err := cmd.Run()
+	if err != nil {
+		panic(err)
+	}
+	return out.String()
+}