weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
8,459 Commits 45 Branches 0 Tags 96 MiB
04220447bc
Commit Graph

205 Commits

Author SHA1 Message Date
Tim Ramlot
04220447bc
remove deprecated files and functions 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-02-08 10:45:06 +01:00
Tim Ramlot
0acde5b1a4
fix changed behavior: set critical flag of SANs extension based on subject 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-02-07 11:01:34 +01:00
SpectralHiss
892e6eef01 Fix OtherName Value UniversalValue .Type() detection 
Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2024-01-10 10:35:43 +00:00
SpectralHiss
0b83f78fff Remove redundant otherName match tests 
* We do not need to include otherName in fuzzy certificate detection
  checks

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2024-01-09 17:02:24 +00:00
Tim Ramlot
3dad3f320b
don't check OtherNames when fuzzy matching 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-01-09 16:41:13 +01:00
Tim Ramlot
736896d264
introduce UniversalValue 'Type()' 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-01-09 16:40:32 +01:00
SpectralHiss
38c2b33a71 Add otherName detection to TestSecretDataAltNamesMatchSpec 
Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2024-01-09 14:01:09 +00:00
SpectralHiss
b6fdcede90 Add test for different order OtherName value 
* Simplify sorting implementation for OtherName slice equality

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2024-01-09 11:39:17 +00:00
SpectralHiss
7b13c72fed Detect otherName changes to CR trigger reissuance 
Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2024-01-09 09:58:43 +00:00
SpectralHiss
d186b61414 Add attribution to pkg/util/pki/asn1_util.go 
Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2024-01-08 13:34:09 +00:00
SpectralHiss
d07dd3de5f Fix OtherName feature flag validation logic 
* Improve test comments for UniversalValue

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2024-01-08 13:34:09 +00:00
Tim Ramlot
a49bc65b03
deprecate URLsFromStrings which is only used in other deprecated functions 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-01-05 11:50:13 +01:00
jetstack-bot
24d0fddec5
Merge pull request #6593 from inteon/use_slices 
Use slices go library
 2024-01-04 13:36:02 +00:00
Tim Ramlot
950948e465
start using the new 'slices' library and deprecate old util functions 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-01-04 09:32:17 +01:00
Tim Ramlot
9547fbdf94
add tests for the improvements made in #6561 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-01-03 17:25:15 +01:00
Tim Ramlot
41404a7fd7
rename UseCertificateRequestNameConstraints to NameConstraints 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2024-01-03 15:49:18 +01:00
jetstack-bot
cc8925ae9f
Merge pull request #6404 from SpectralHiss/hef/otherNameSANs 
Other name sans support in Certificates
 2024-01-03 14:16:23 +00:00
Houssem El Fekih
ddc1dffe87
Update pkg/util/pki/asn1_util.go 
Co-authored-by: Ashley Davis <SgtCoDFish@users.noreply.github.com>
Signed-off-by: Houssem El Fekih <hassoum92@hotmail.com>
 2024-01-03 13:30:42 +00:00
Richard Wall
036e3a8e74 Replace all uses of sets.String with the generic sets.Set 
Signed-off-by: Richard Wall <richard.wall@venafi.com>
 2024-01-02 17:24:38 +00:00
SpectralHiss
1b48cb664b Fix csr_test.go critical SAN on tests without Subjects 
* Also fixed the conformance e2e test by including a Subject and
  matching the values

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2023-12-21 18:44:49 +00:00
SpectralHiss
c59037a19b Simplify e2e test fixture for otherName 
* Fix Bug in critical on empty subject logic

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2023-12-21 17:48:50 +00:00
SpectralHiss
ae4249b9e2 Go style variable rename 
Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2023-12-21 14:54:08 +00:00
SpectralHiss
2f6dbc85d3 Change openssl SAN order to simplify test assetion 
* Ordering does not matter for the GeneralNames as it is a tagged
  context

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2023-12-21 13:07:34 +00:00
SpectralHiss
8e2365dd54 Add UTF8 marshalling unit tests 
* Add test names to pkg/util/pki/sans_test.go tests

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2023-12-21 11:58:26 +00:00
SpectralHiss
f4bbe66737 Fix IA5String test assertion 
Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2023-12-21 10:02:53 +00:00
Tim Ramlot
f2af5672ee
add additional validation checks 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-12-20 10:13:11 +01:00
Tim Ramlot
cd58042746
improve the algorithm and add prevent DOS 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-12-20 10:13:11 +01:00
Tim Ramlot
c81609cdef
move certificate chain parsing to seperate file 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-12-20 10:13:07 +01:00
SpectralHiss
c87a2f6691 Add early feedback validation for otherName syntax and tests 
* Fixed warning

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2023-12-19 20:02:02 +00:00
SpectralHiss
4bdee5f010 Rename otherNameSANs to otherNames 
* Improve the CRD godoc comments

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2023-12-13 16:21:56 +00:00
SpectralHiss
45a8bb7edf Modified one sans processing test case to make more useful 
Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2023-12-13 09:37:25 +00:00
Tim Ramlot
721f71ed60 Refactor the solution 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-12-13 09:37:21 +00:00
Tim Ramlot
7b7912022a Add feature gate 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-12-13 09:16:06 +00:00
Tim Ramlot
bfd9a65160 Add OtherNameSANs field to Certificates 
* Added an otherName SAN extension mechanism
* Can take any otherName OID with String (UTF-8) like value
* cf [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280) p 37 for
  more info
* otherName is only a subset of GeneralName, our specific need for for
  UserPrincipalName used in Microsoft AD/ LDAP
* We treat UPN special but we might remove this in a later commit

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
 2023-12-13 09:12:23 +00:00
Tim Ramlot
849b6bda9e
add tests & final cleanup 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-12-12 15:57:07 +01:00
Tim Ramlot
cfaf3f338e
cleanup code 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-12-12 13:47:55 +01:00
tanujd11
da84cf5b88 fix: imports 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-12 17:10:32 +05:30
tanujd11
652feb50cc Addressed review comments 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-12 17:05:33 +05:30
tanujd11
5f0a715863 add nameConstraints from openssl 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-12 00:40:45 +05:30
tanujd11
bc75f8488d fix: structure of nameconstraint in CSR 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-11 18:00:15 +05:30
tanujd11
a29a5913d0 addressed review comments 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-07 23:42:35 +05:30
tanujd11
28ca4312b3 fix: additional review comments 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-07 22:30:31 +05:30
tanujd11
8d362439a8 fix UTs 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-07 22:30:31 +05:30
tanujd11
84d7dd4aed Addressed review comments 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-07 22:30:31 +05:30
tanujd11
d1b3e5ca83 Move critical from NameConstraintItem to NameConstraint and remove validateNameConstraints 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-07 22:30:29 +05:30
tanujd11
adb9311f56 validate name constraint before signing CSR 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-07 22:29:45 +05:30
tanujd11
50d84c1bbc nits: added new line at EOF and comment fix 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-07 22:27:42 +05:30
tanujd11
589030dec1 feature: added name constraints 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
 2023-12-07 22:27:31 +05:30
Tim Ramlot
767764d598
refactor GenerateCSR and deprecated the helper functions 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
 2023-12-06 18:16:19 +01:00
jetstack-bot
df4d15ce4a
Merge pull request #6053 from inteon/critical_change 
Make KeyUsage and BasicConstraints Critical extensions in the CSR blob
 2023-10-05 17:13:56 +02:00