serverca: expand signed cert and cert chain PEMs with multiple cert blocks inside
zliu-rh committed Dec 19, 2024
1 parent bc6b3dc commit dc4e333
Showing 2 changed files with 25 additions and 3 deletions.
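--- a/security/pkg/server/ca/server.go
+++ b/security/pkg/server/ca/server.go
@@ -16,6 +16,7 @@ package ca
 
 import (
 "context"
+"strings"
 "time"
 
 "google.golang.org/grpc"
@@ -140,11 +141,20 @@ func (s *Server) CreateCertificate(ctx context.Context, request *pb.IstioCertifi
 if len(rootCertBytes) != 0 {
 respCertChain = append(respCertChain, string(rootCertBytes))
 }
-response := &pb.IstioCertificateResponse{
-CertChain: respCertChain,
+
+// expanded `respCertChain` since each element might be a concatenated multi-cert PEM
+// the expanded structure (one cert per `string` in `certChain`) is specifically expected by `ztunnel`
+response := &pb.IstioCertificateResponse{}
+for _, pem := range respCertChain {
+for _, cert := range strings.SplitAfter(pem, "-----END CERTIFICATE-----") {
+if trimmed := strings.TrimSpace(cert); trimmed != "" {
+response.CertChain = append(response.CertChain, trimmed)
+}
+}
 }
+serverCaLog.Debugf("Responding with cert chain, %q", response.CertChain)
 s.monitoring.Success.Increment()
-serverCaLog.Debugf("CSR successfully signed, sans %v.", caller.Identities)
+serverCaLog.Debugf("CSR successfully signed, sans %v.", sans)
 return response, nil
 }
 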
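Review bot: The split in the new loop keys only on the `-----END CERTIFICATE-----` marker, so anything that precedes a certificate inside a bundle element (a non-certificate PEM block, explanatory text, or a block that never reaches an END line) is forwarded to the client inside the adjacent chain element rather than dropped or rejected, and `strings.TrimSpace` also removes the trailing newline a canonical PEM block carries. If that permissiveness is intentional (the test fixtures rely on non-PEM strings passing through unchanged), the comment above the loop should say so, e.g. `// textual split, not encoding/pem: non-certificate data in a bundle is kept inside the neighbouring element rather than rejected; each element loses its trailing newline`. The marker literal is also worth hoisting to a named constant such as `certEndMarker` so it cannot drift from any other place that parses these bundles. CreateCertificate starts outside the hunk, so where `sans` is populated is not visible here.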
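--- a/security/pkg/server/ca/server_test.go
+++ b/security/pkg/server/ca/server_test.go
@@ -243,6 +243,18 @@ func TestCreateCertificate(t *testing.T) {
 certChain: []string{"cert", "cert_chain", "root_cert"},
 code: codes.OK,
 },
+"Successful signing w/ multi-cert chain": {
+authenticators: []security.Authenticator{&mockAuthenticator{identities: []string{"test-identity"}}},
+ca: &mockca.FakeCA{
+SignedCert: []byte("cert"),
+KeyCertBundle: util.NewKeyCertBundleFromPem(nil, nil,
+[]byte("cert_chain1-----END CERTIFICATE-----\ncert_chain2-----END CERTIFICATE-----\n"),
+[]byte("root_cert"),
+),
+},
+certChain: []string{"cert", "cert_chain1-----END CERTIFICATE-----", "cert_chain2-----END CERTIFICATE-----", "root_cert"},
+code: codes.OK,
+},
 }
 
 p := &peer.Peer{Addr: &net.IPAddr{IP: net.IPv4(192, 168, 1, 1)}, AuthInfo: credentials.TLSInfo{}}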
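Review bot: The new case exercises the expansion only through the `cert_chain` element; `SignedCert` and the root cert go through the same loop in server.go but are still single plain strings here, so a regression that expanded only one of the three inputs would not be caught. It would also be worth a case whose bundle lacks the trailing newline and one with whitespace between the blocks, to pin that the trimmed output is identical in both shapes, and a bundle containing data with no END marker at all, since the production code passes such data through verbatim. The surrounding table and the assertions that consume `certChain` lie outside the hunk, so I could not confirm whether order of the chain elements is compared strictly.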
