diff options
author | Pawel Baniewski <pawel.baniewski@nokia.com> | 2021-07-16 08:11:04 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@onap.org> | 2021-07-16 08:11:04 +0000 |
commit | c386b2b9fbf44de105f68ffa87bdcb3328e9c6ee (patch) | |
tree | 0dafde59aaf569a32b67066b82c3ab0ba8f6ab32 | |
parent | c37307cdda12ccf3abe3699879cc6edf3b40d398 (diff) | |
parent | d63a4674317497fd6700c52c705649ce85ac3725 (diff) |
Merge "[OOM-K8S-CERT-EXTERNAL-PROVIDER] Add send update request functionality"
13 files changed, 273 insertions, 53 deletions
diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go index 4806c4a1..f4cc9991 100644 --- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go +++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go @@ -2,7 +2,7 @@ * ============LICENSE_START======================================================= * oom-certservice-k8s-external-provider * ================================================================================ - * Copyright (C) 2020 Nokia. All rights reserved. + * Copyright (C) 2020-2021 Nokia. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -25,21 +25,27 @@ import ( "encoding/json" "fmt" "net/http" + + "onap.org/oom-certservice/k8s-external-provider/src/model" ) const ( - CsrHeaderName = "CSR" - PkHeaderName = "PK" + CsrHeaderName = "CSR" + PkHeaderName = "PK" + OldPkHeaderName = "OLD_PK" + OldCertificateHeaderName = "OLD_CERT" ) type CertServiceClient interface { GetCertificates(csr []byte, key []byte) (*CertificatesResponse, error) CheckHealth() error + UpdateCertificate(csr []byte, key []byte, signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error) } type CertServiceClientImpl struct { healthUrl string certificationUrl string + updateUrl string httpClient HTTPClient } @@ -83,6 +89,25 @@ func (client *CertServiceClientImpl) GetCertificates(csr []byte, key []byte) (*C request.Header.Add(CsrHeaderName, base64.StdEncoding.EncodeToString(csr)) request.Header.Add(PkHeaderName, base64.StdEncoding.EncodeToString(key)) + + return client.executeRequest(request) +} + +func (client *CertServiceClientImpl) UpdateCertificate(csr []byte, key []byte, signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error) { + request, err := http.NewRequest("GET", client.updateUrl, nil) + if err != nil { + return nil, err + } + + request.Header.Add(CsrHeaderName, base64.StdEncoding.EncodeToString(csr)) + request.Header.Add(PkHeaderName, base64.StdEncoding.EncodeToString(key)) + request.Header.Add(OldPkHeaderName, signCertificateModel.OldPrivateKey) + request.Header.Add(OldCertificateHeaderName, signCertificateModel.OldCertificate) + + return client.executeRequest(request) +} + +func (client *CertServiceClientImpl) executeRequest(request *http.Request) (*CertificatesResponse, error) { response, err := client.httpClient.Do(request) if err != nil { return nil, err diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go index 0fa1d165..380cbcf9 100644 --- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go +++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go @@ -2,7 +2,7 @@ * ============LICENSE_START======================================================= * oom-certservice-k8s-external-provider * ================================================================================ - * Copyright (C) 2020 Nokia. All rights reserved. + * Copyright (C) 2020-2021 Nokia. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -29,7 +29,7 @@ import ( "path" ) -func CreateCertServiceClient(baseUrl string, healthEndpoint string, certEndpoint string, caName string, +func CreateCertServiceClient(baseUrl string, healthEndpoint string, certEndpoint string, updateEndpoint string, caName string, keyPemBase64 []byte, certPemBase64 []byte, cacertPemBase64 []byte) (*CertServiceClientImpl, error) { cert, err := tls.X509KeyPair(certPemBase64, keyPemBase64) if err != nil { @@ -49,31 +49,34 @@ func CreateCertServiceClient(baseUrl string, healthEndpoint string, certEndpoint }, }, } - healthUrl, certificationUrl, err := validateAndParseUrls(baseUrl, healthEndpoint, certEndpoint, caName) + healthUrl, certificationUrl, updateUrl, err := validateAndParseUrls(baseUrl, healthEndpoint, certEndpoint, updateEndpoint, caName) if err != nil { return nil, err } client := CertServiceClientImpl{ healthUrl: healthUrl, certificationUrl: certificationUrl, + updateUrl: updateUrl, httpClient: httpClient, } return &client, nil } -func validateAndParseUrls(baseUrl string, healthEndpoint string, certEndpoint string, caName string) (string, string, error) { +func validateAndParseUrls(baseUrl string, healthEndpoint string, certEndpoint string, updateEndpoint string, caName string) (string, string, string, error) { if err := validateUrls(baseUrl, healthEndpoint, certEndpoint, caName); err != nil { - return "", "", err + return "", "", "", err } certUrl, _ := url.Parse(baseUrl) healthUrl, _ := url.Parse(baseUrl) + updateUrl, _ := url.Parse(baseUrl) certUrl.Path = path.Join(certEndpoint, caName) healthUrl.Path = path.Join(healthEndpoint) + updateUrl.Path = path.Join(updateEndpoint, caName) - return healthUrl.String(), certUrl.String(), nil + return healthUrl.String(), certUrl.String(), updateUrl.String(), nil } func validateUrls(baseUrl string, healthEndpoint string, certEndpoint string, caName string) error { diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go index 5d255a62..a844e53c 100644 --- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go +++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go @@ -2,7 +2,7 @@ * ============LICENSE_START======================================================= * oom-certservice-k8s-external-provider * ================================================================================ - * Copyright (C) 2020 Nokia. All rights reserved. + * Copyright (C) 2020-2021 Nokia. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -29,17 +29,19 @@ import ( ) const ( - validUrl = "https://oom-cert-service:8443/" - validUrl2 = "https://oom-cert-service:8443" - invalidUrl = "https://oom-cert service:8443/" - healthEndpoint = "actuator/health" - healthEndpointInvalid = ":/actuator/health" - certEndpoint = "v1/certificate" - certEndpointInvalid = ":/v1/certificate" - caName = "RA" - caNameInvalid = ":/RA" - expectedCertificationUrl = "https://oom-cert-service:8443/v1/certificate/RA" - expectedHealthCheckUrl = "https://oom-cert-service:8443/actuator/health" + validUrl = "https://oom-cert-service:8443/" + validUrl2 = "https://oom-cert-service:8443" + invalidUrl = "https://oom-cert service:8443/" + healthEndpoint = "actuator/health" + healthEndpointInvalid = ":/actuator/health" + certEndpoint = "v1/certificate" + updateEndpoint = "v1/certificate-update" + certEndpointInvalid = ":/v1/certificate" + certUpdateEndpointInvalid = ":/v1/certificate-update" + caName = "RA" + caNameInvalid = ":/RA" + expectedCertificationUrl = "https://oom-cert-service:8443/v1/certificate/RA" + expectedHealthCheckUrl = "https://oom-cert-service:8443/actuator/health" ) func Test_shouldCreateCertServiceClient(t *testing.T) { @@ -48,7 +50,7 @@ func Test_shouldCreateCertServiceClient(t *testing.T) { } func shouldCreateCertServiceClientWithExpectedUrl(t *testing.T, baseUrl string) { - client, err := CreateCertServiceClient(baseUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) + client, err := CreateCertServiceClient(baseUrl, healthEndpoint, certEndpoint, updateEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) assert.NotNil(t, client) assert.Nil(t, err) @@ -57,42 +59,49 @@ func shouldCreateCertServiceClientWithExpectedUrl(t *testing.T, baseUrl string) } func Test_shouldReturnError_whenCaNameInvalid(t *testing.T) { - client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caNameInvalid, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) + client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, updateEndpoint, caNameInvalid, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) assert.Nil(t, client) assert.Error(t, err) } func Test_shouldReturnError_whenHealthEndpointInvalid(t *testing.T) { - client, err := CreateCertServiceClient(validUrl, healthEndpointInvalid, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) + client, err := CreateCertServiceClient(validUrl, healthEndpointInvalid, certEndpoint, updateEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) assert.Nil(t, client) assert.Error(t, err) } func Test_shouldReturnError_whenCertEndpointInvalid(t *testing.T) { - client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpointInvalid, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) + client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpointInvalid, updateEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) + + assert.Nil(t, client) + assert.Error(t, err) +} + +func Test_shouldReturnError_whenUpdateCertificateEndpointInvalid(t *testing.T) { + client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, certUpdateEndpointInvalid, caName, testdata.KeyBytes, testdata.CertBytes, testdata.KeyBytes) assert.Nil(t, client) assert.Error(t, err) } func Test_shouldReturnError_whenUrlInvalid(t *testing.T) { - client, err := CreateCertServiceClient(invalidUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) + client, err := CreateCertServiceClient(invalidUrl, healthEndpoint, certEndpoint, updateEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) assert.Nil(t, client) assert.Error(t, err) } func Test_shouldReturnError_whenCanameEmpty(t *testing.T) { - client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, "", testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) + client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, updateEndpoint, "", testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) assert.Nil(t, client) assert.Error(t, err) } func Test_shouldReturnError_whenKeyNotMatchingCert(t *testing.T) { - client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.NotMatchingKeyBytes, testdata.CertBytes, testdata.CacertBytes) + client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, updateEndpoint, caName, testdata.NotMatchingKeyBytes, testdata.CertBytes, testdata.CacertBytes) assert.Nil(t, client) assert.Error(t, err) @@ -100,7 +109,7 @@ func Test_shouldReturnError_whenKeyNotMatchingCert(t *testing.T) { func Test_shouldReturnError_whenKeyInvalid(t *testing.T) { //Cert used as key - client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.CertBytes, testdata.CertBytes, testdata.CacertBytes) + client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, updateEndpoint, caName, testdata.CertBytes, testdata.CertBytes, testdata.CacertBytes) assert.Nil(t, client) assert.Error(t, err) @@ -108,7 +117,7 @@ func Test_shouldReturnError_whenKeyInvalid(t *testing.T) { func Test_shouldReturnError_whenCertInvalid(t *testing.T) { //Cacert used as cert - client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CacertBytes, testdata.CacertBytes) + client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, updateEndpoint, caName, testdata.KeyBytes, testdata.CacertBytes, testdata.CacertBytes) assert.Nil(t, client) assert.Error(t, err) @@ -116,7 +125,7 @@ func Test_shouldReturnError_whenCertInvalid(t *testing.T) { func Test_shouldReturnError_whenCacertInvalid(t *testing.T) { //Key used as cacert - client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.KeyBytes) + client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, updateEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.KeyBytes) assert.Nil(t, client) assert.Error(t, err) diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_mock.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_mock.go index d060a980..a6fec1fd 100644 --- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_mock.go +++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_mock.go @@ -2,7 +2,7 @@ * ============LICENSE_START======================================================= * oom-certservice-k8s-external-provider * ================================================================================ - * Copyright (C) 2020 Nokia. All rights reserved. + * Copyright (C) 2020-2021 Nokia. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -20,8 +20,15 @@ package certserviceclient +import "onap.org/oom-certservice/k8s-external-provider/src/model" + type CertServiceClientMock struct { - GetCertificatesFunc func(csr []byte, key []byte) (*CertificatesResponse, error) + GetCertificatesFunc func(csr []byte, key []byte) (*CertificatesResponse, error) + UpdateCertificateFunc func(csr []byte, key []byte, signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error) +} + +func (client *CertServiceClientMock) UpdateCertificate(csr []byte, key []byte, signCertificateModel model.SignCertificateModel) (*CertificatesResponse, error) { + return client.UpdateCertificateFunc(csr, key, signCertificateModel) } func (client *CertServiceClientMock) GetCertificates(csr []byte, key []byte) (*CertificatesResponse, error) { diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go index 5e80f7f7..e1c6bb91 100644 --- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go +++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go @@ -2,7 +2,7 @@ * ============LICENSE_START======================================================= * oom-certservice-k8s-external-provider * ================================================================================ - * Copyright (C) 2020 Nokia. All rights reserved. + * Copyright (C) 2020-2021 Nokia. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -30,11 +30,13 @@ import ( "github.com/stretchr/testify/assert" + "onap.org/oom-certservice/k8s-external-provider/src/model" "onap.org/oom-certservice/k8s-external-provider/src/testdata" ) const ( - certificationUrl = "https://oom-cert-service:8443/v1/certificate/RA" + certificationUrl = "https://oom-cert-service:8443/v1/certificate/RA" + certificateUpdateUrl = "https://oom-cert-service:8443/v1/certificate-update/RA" ) func Test_GetCertificates_shouldParseCertificateResponseCorrectly(t *testing.T) { @@ -97,6 +99,48 @@ func Test_GetCertificates_shouldReturnError_whenResponseOtherThan200(t *testing. assert.Error(t, err) } +func Test_UpdateCertificates_shouldParseCertificateResponseCorrectly(t *testing.T) { + responseJson := `{"certificateChain": ["cert-0", "cert-1"], "trustedCertificates": ["trusted-cert-0", "trusted-cert-1"]}` + responseJsonReader := ioutil.NopCloser(bytes.NewReader([]byte(responseJson))) + client := CertServiceClientImpl{ + updateUrl: certificateUpdateUrl, + httpClient: getMockedClient(responseJsonReader, http.StatusOK), + } + + response, _ := client.UpdateCertificate(testdata.CsrBytes, testdata.PkBytes, getTestSignCertificateModel()) + assert.ElementsMatch(t, []string{"cert-0", "cert-1"}, response.CertificateChain) + assert.ElementsMatch(t, []string{"trusted-cert-0", "trusted-cert-1"}, response.TrustedCertificates) +} + + +func Test_UpdateCertificates_shouldReturnError_whenHttpClientReturnsError(t *testing.T) { + client := CertServiceClientImpl{ + updateUrl: certificateUpdateUrl, + httpClient: &httpClientMock{ + DoFunc: func(req *http.Request) (response *http.Response, err error) { + return nil, fmt.Errorf("mock error") + }, + }, + } + response, err := client.UpdateCertificate(testdata.CsrBytes, testdata.PkBytes, getTestSignCertificateModel()) + + assert.Nil(t, response) + assert.Error(t, err) +} + +func Test_UpdateCertificates_shouldReturnError_whenResponseOtherThan200(t *testing.T) { + responseJson := `{"errorMessage": "CertService API error"}` + responseJsonReader := ioutil.NopCloser(bytes.NewReader([]byte(responseJson))) + client := CertServiceClientImpl{ + updateUrl: updateEndpoint, + httpClient: getMockedClient(responseJsonReader, http.StatusNotFound), + } + response, err := client.UpdateCertificate(testdata.CsrBytes, testdata.PkBytes, getTestSignCertificateModel()) + + assert.Nil(t, response) + assert.Error(t, err) +} + func Test_CheckHealth_shouldReturnNil_whenHttpClientReturnsStatusCode200(t *testing.T) { client := CertServiceClientImpl{ certificationUrl: certificationUrl, @@ -168,3 +212,11 @@ type httpClientMock struct { func (client httpClientMock) Do(req *http.Request) (*http.Response, error) { return client.DoFunc(req) } + +func getTestSignCertificateModel() model.SignCertificateModel { + testSignCertificateModel := model.SignCertificateModel{ + OldCertificate: testdata.OldCertificateEncoded, + OldPrivateKey: testdata.OldPrivateKeyEncoded, + } + return testSignCertificateModel +} diff --git a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go index 73392060..9c2d3e1c 100644 --- a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go +++ b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go @@ -3,7 +3,7 @@ * oom-certservice-k8s-external-provider * ================================================================================ * Copyright (c) 2019 Smallstep Labs, Inc. - * Modifications copyright (C) 2020 Nokia. All rights reserved. + * Copyright (C) 2021 Nokia. All rights reserved. * ================================================================================ * This source code was copied from the following git repository: * https://github.com/smallstep/step-issuer @@ -41,6 +41,8 @@ type CMPv2IssuerSpec struct { HealthEndpoint string `json:"healthEndpoint"` // Path to certificate signing endpoint. CertEndpoint string `json:"certEndpoint"` + // Path to certificate update endpoint. + UpdateEndpoint string `json:"updateEndpoint"` // CaName is the name of the external CA server CaName string `json:"caName"` // KeyRef is a reference to a Secret containing the provisioner diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go index 1032ee00..9d266854 100644 --- a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go +++ b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go @@ -3,7 +3,7 @@ * oom-certservice-k8s-external-provider * ================================================================================ * Copyright 2019 The cert-manager authors. - * Modifications copyright (C) 2020-2021 Nokia. All rights reserved. + * Copyright (C) 2020-2021 Nokia. All rights reserved. * ================================================================================ * This source code was copied from the following git repository: * https://github.com/smallstep/step-issuer @@ -43,6 +43,7 @@ import ( "onap.org/oom-certservice/k8s-external-provider/src/cmpv2controller/util" provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner" "onap.org/oom-certservice/k8s-external-provider/src/leveledlogger" + "onap.org/oom-certservice/k8s-external-provider/src/model" x509utils "onap.org/oom-certservice/k8s-external-provider/src/x509" ) @@ -142,12 +143,18 @@ func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Reques isUpdateRevision, oldCertificate, oldPrivateKey := util.CheckIfCertificateUpdateAndRetrieveOldCertificateAndPk( controller.Client, certificateRequest, ctx) if isUpdateRevision { - log.Debug("Certificate will be updated.", "old-certificate", oldCertificate, - "old-private-key", oldPrivateKey) //TODO: remove private key from logger + log.Info("Update revision detected") + } + signCertificateModel := model.SignCertificateModel{ + CertificateRequest: certificateRequest, + PrivateKeyBytes: privateKeyBytes, + IsUpdateRevision: isUpdateRevision, + OldCertificate: oldCertificate, + OldPrivateKey: oldPrivateKey, } // 11. Sign CertificateRequest - signedPEM, trustedCAs, err := provisioner.Sign(ctx, certificateRequest, privateKeyBytes) + signedPEM, trustedCAs, err := provisioner.Sign(ctx, signCertificateModel) if err != nil { controller.handleErrorFailedToSignCertificate(certUpdater, log, err) return ctrl.Result{}, nil diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go index ee65b3cb..dc2824ce 100644 --- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go +++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go @@ -3,7 +3,7 @@ * oom-certservice-k8s-external-provider * ================================================================================ * Copyright (c) 2019 Smallstep Labs, Inc. - * Modifications copyright (C) 2020 Nokia. All rights reserved. + * Copyright (C) 2020-2021 Nokia. All rights reserved. * ================================================================================ * This source code was copied from the following git repository: * https://github.com/smallstep/step-issuer @@ -29,13 +29,13 @@ import ( "context" "sync" - certmanager "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" "k8s.io/apimachinery/pkg/types" "onap.org/oom-certservice/k8s-external-provider/src/certserviceclient" "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api" "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner/csr" "onap.org/oom-certservice/k8s-external-provider/src/leveledlogger" + "onap.org/oom-certservice/k8s-external-provider/src/model" ) var collection = new(sync.Map) @@ -86,10 +86,17 @@ func Store(namespacedName types.NamespacedName, provisioner *CertServiceCA) { func (ca *CertServiceCA) Sign( ctx context.Context, - certificateRequest *certmanager.CertificateRequest, - privateKeyBytes []byte, + signCertificateModel model.SignCertificateModel, ) (signedCertificateChain []byte, trustedCertificates []byte, err error) { log := leveledlogger.GetLoggerWithName("certservice-provisioner") + + if signCertificateModel.IsUpdateRevision { + log.Debug("Certificate will be updated.", "old-certificate", signCertificateModel.OldCertificate, + "old-private-key", signCertificateModel.OldPrivateKey) + } + + certificateRequest := signCertificateModel.CertificateRequest + privateKeyBytes := signCertificateModel.PrivateKeyBytes log.Info("Signing certificate: ", "cert-name", certificateRequest.Name) log.Info("CA: ", "name", ca.name, "url", ca.url) @@ -103,9 +110,19 @@ func (ca *CertServiceCA) Sign( } log.Debug("Filtered out CSR PEM: ", "bytes", filteredCsrBytes) - response, err := ca.certServiceClient.GetCertificates(filteredCsrBytes, privateKeyBytes) - if err != nil { - return nil, nil, err + var response *certserviceclient.CertificatesResponse + var errAPI error + + if signCertificateModel.IsUpdateRevision { + log.Info("Attempt to send certificate update request") + response, errAPI = ca.certServiceClient.UpdateCertificate(filteredCsrBytes, privateKeyBytes, signCertificateModel) + } else { + log.Info("Attempt to send certificate request") + response, errAPI = ca.certServiceClient.GetCertificates(filteredCsrBytes, privateKeyBytes) + } + + if errAPI != nil { + return nil, nil, errAPI } log.Info("Successfully received response from CertService API") log.Debug("Certificate Chain", "cert-chain", response.CertificateChain) diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go index cf55266c..ee06be33 100644 --- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go +++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go @@ -2,7 +2,7 @@ * ============LICENSE_START======================================================= * oom-certservice-k8s-external-provider * ================================================================================ - * Copyright (C) 2020 Nokia. All rights reserved. + * Copyright (C) 2020-2021 Nokia. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -51,7 +51,7 @@ func (f *ProvisionerFactoryImpl) CreateProvisioner(issuer *cmpv2api.CMPv2Issuer, return nil, err } - certServiceClient, err := certserviceclient.CreateCertServiceClient(issuer.Spec.URL, issuer.Spec.HealthEndpoint, issuer.Spec.CertEndpoint, + certServiceClient, err := certserviceclient.CreateCertServiceClient(issuer.Spec.URL, issuer.Spec.HealthEndpoint, issuer.Spec.CertEndpoint, issuer.Spec.UpdateEndpoint, issuer.Spec.CaName, keyBase64, certBase64, cacertBase64) if err != nil { return nil, err diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_mock.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_mock.go index f2ffa860..cb3b8c63 100644 --- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_mock.go +++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_mock.go @@ -2,7 +2,7 @@ * ============LICENSE_START======================================================= * oom-certservice-k8s-external-provider * ================================================================================ - * Copyright (C) 2020 Nokia. All rights reserved. + * Copyright (C) 2020-2021 Nokia. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -26,6 +26,7 @@ import ( "onap.org/oom-certservice/k8s-external-provider/src/certserviceclient" "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api" "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner/testdata" + "onap.org/oom-certservice/k8s-external-provider/src/model" ) type ProvisionerFactoryMock struct { @@ -37,6 +38,9 @@ func (f *ProvisionerFactoryMock) CreateProvisioner(issuer *cmpv2api.CMPv2Issuer, GetCertificatesFunc: func(csr []byte, pk []byte) (response *certserviceclient.CertificatesResponse, e error) { return &testdata.SampleCertServiceResponse, nil }, + UpdateCertificateFunc: func(csr []byte, key []byte, signCertificateModel model.SignCertificateModel) (*certserviceclient.CertificatesResponse, error) { + return &testdata.SampleCertServiceResponse, nil + }, }) return provisioner, err diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go index cfafe959..1a066657 100644 --- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go +++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go @@ -2,7 +2,7 @@ * ============LICENSE_START======================================================= * oom-certservice-k8s-external-provider * ================================================================================ - * Copyright (C) 2020 Nokia. All rights reserved. + * Copyright (C) 2020-2021 Nokia. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -32,6 +32,7 @@ import ( "onap.org/oom-certservice/k8s-external-provider/src/certserviceclient" "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api" + "onap.org/oom-certservice/k8s-external-provider/src/model" "onap.org/oom-certservice/k8s-external-provider/src/testdata" ) @@ -64,7 +65,7 @@ func Test_shouldSuccessfullyLoadPreviouslyStoredProvisioner(t *testing.T) { assert.Equal(t, provisioner.url, issuer.Spec.URL, "Unexpected provisioner url.") } -func Test_shouldReturnCorrectSignedPemsWhenParametersAreCorrect(t *testing.T) { +func Test_shouldReturnCorrectSignedPemsWhenParametersAreCorrectForCertificateRequest(t *testing.T) { issuer := createIssuerAndCerts(ISSUER_NAME, ISSUER_URL) provisionerFactory := ProvisionerFactoryMock{} provisioner, err := provisionerFactory.CreateProvisioner(&issuer, apiv1.Secret{}) @@ -80,7 +81,46 @@ func Test_shouldReturnCorrectSignedPemsWhenParametersAreCorrect(t *testing.T) { request := createCertificateRequest() privateKeyBytes := getPrivateKeyBytes() - signedPEM, trustedCAs, err := provisioner.Sign(ctx, request, privateKeyBytes) + signCertificateModel := model.SignCertificateModel{ + CertificateRequest: request, + PrivateKeyBytes: privateKeyBytes, + IsUpdateRevision: false, + OldCertificate: "", + OldPrivateKey: "", + } + + signedPEM, trustedCAs, err := provisioner.Sign(ctx, signCertificateModel) + + assert.Nil(t, err) + + testdata.VerifyCertsAreEqualToExpected(t, signedPEM, trustedCAs) +} + +func Test_shouldReturnCorrectSignedPemsWhenParametersAreCorrectForUpdateCertificateRequest(t *testing.T) { + issuer := createIssuerAndCerts(ISSUER_NAME, ISSUER_URL) + provisionerFactory := ProvisionerFactoryMock{} + provisioner, err := provisionerFactory.CreateProvisioner(&issuer, apiv1.Secret{}) + + issuerNamespaceName := testdata.CreateIssuerNamespaceName(ISSUER_NAMESPACE, ISSUER_NAME) + Store(issuerNamespaceName, provisioner) + + provisioner, ok := Load(issuerNamespaceName) + + testdata.VerifyThatConditionIsTrue(ok, "Provisioner could not be loaded", t) + + ctx := context.Background() + request := createCertificateRequest() + privateKeyBytes := getPrivateKeyBytes() + + signCertificateModel := model.SignCertificateModel{ + CertificateRequest: request, + PrivateKeyBytes: privateKeyBytes, + IsUpdateRevision: true, + OldCertificate: testdata.OldCertificateEncoded, + OldPrivateKey: testdata.OldPrivateKeyEncoded, + } + + signedPEM, trustedCAs, err := provisioner.Sign(ctx, signCertificateModel) assert.Nil(t, err) diff --git a/certServiceK8sExternalProvider/src/model/sign_certificate_model.go b/certServiceK8sExternalProvider/src/model/sign_certificate_model.go new file mode 100644 index 00000000..40dca1ae --- /dev/null +++ b/certServiceK8sExternalProvider/src/model/sign_certificate_model.go @@ -0,0 +1,31 @@ +/* + * ============LICENSE_START======================================================= + * oom-certservice-k8s-external-provider + * ================================================================================ + * Copyright (C) 2021 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package model + +import cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" + +type SignCertificateModel struct { + CertificateRequest *cmapi.CertificateRequest + PrivateKeyBytes []byte + IsUpdateRevision bool + OldCertificate string + OldPrivateKey string +} diff --git a/certServiceK8sExternalProvider/src/testdata/constants.go b/certServiceK8sExternalProvider/src/testdata/constants.go index d2097bae..c1e86146 100644 --- a/certServiceK8sExternalProvider/src/testdata/constants.go +++ b/certServiceK8sExternalProvider/src/testdata/constants.go @@ -1,3 +1,23 @@ +/* + * ============LICENSE_START======================================================= + * oom-certservice-k8s-external-provider + * ================================================================================ + * Copyright (C) 2021 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + package testdata import "encoding/base64" @@ -10,3 +30,6 @@ var ( CsrBytes, _ = base64.StdEncoding.DecodeString("LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQy9EQ0NBZVFDQVFBd2JqRUxNQWtHQTFVRUJoTUNWVk14RXpBUkJnTlZCQWdUQ2tOaGJHbG1iM0p1YVdFeApDekFKQmdOVkJBY1RBbFZUTVEwd0N3WURWUVFLRXdSdmJtRndNUkF3RGdZRFZRUUxFd2R2Ym1Gd0xXOTFNUnd3CkdnWURWUVFERXhOalpYSjBhWE56ZFdWeUxtOXVZWEF1YjNKbk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0MKQVE4QU1JSUJDZ0tDQVFFQTJSZDFCV3JIRm5wUGdkdy9VaFBOYWZPWjB1S3lGZytuWHNNQUJEbFB6YzBxaWRWWQp4RTVmU0E0dUFXUmpvV1FLQ1dxQWxGZS9LYjBSL3ZlTTN6K0hUMUQrRXBsNjNZWUF5dVYyNFdaa2JEeDhGdGV6CjBqd2l1R21Zb0lld1JXMmZXY25RcTV6WDZ4LzEyalJ3eThtQVpJaFRtUXloTjRQWGpjd09ZcVJrVTBQeGsrQnAKMmt4RWpTQi9SSlJGKzE5YWh6K2IreStLQ0dJRVdiSStXb0RpMzFNYmh0aVVrMnd2MXdzUk8vbmRnM1RxT2Y0Twp5QjNtVGlYMkIyL0t1ZXpLbFlseENobUdjS1UxdTUwU0pYT3JZYU9KNTZJemdDTU1FVk1YaEpzYlgweFlnMkZMCjZsSkxXcjlma3pxeFRmenMxYUdVWXdDcG9rWHROa1UybXBPT1lRSURBUUFCb0Vrd1J3WUpLb1pJaHZjTkFRa08KTVRvd09EQXBCZ05WSFJFRUlqQWdnZ2xzYjJOaGJHaHZjM1NDRTJObGNuUnBjM04xWlhJdWIyNWhjQzV2Y21jdwpDd1lEVlIwUEJBUURBZ1dnTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFDNThJWkt5dlFwdUFuVHR3NUd1eVh2ClQralNML240Kzg1b1dwamwxYVZnQTVRcWVHWU8wRzVQbzNMbGVLeTlCaEJIclBmY201eEFudFUvM0VKWmJBSFQKai9WWkRzdmVaR3JEc2hqRWI4dmNuSTRROXVpY0dNYnlUbktFcVpzSm5EMlpqN1RiWFBocXQrV1Z5S0RJc0ZLdAprNHVSWGpaRTI0VVh6ZFhiWnNUeWlscFl0RzJkR3RTTXVSdll6NlR1eUlWRVZMNVBXRWRGak5VUVJSK2czTVpDCmtrc2pKSzkvSC9OZVl1TS9QN1BUWjZkRWFUY3c5UmtSdEVGazBPQlRxWUlyaUhmczJUMUlIdzdMaVl6NFhyUEQKVFBncHppM1IyZVFINDhzSDVMS1UvblQxUWtNbHZiS3RpcWdoZkx6eGQ0MXEzRTZxNkRZdGJybHN6eTVpeTFqOAotLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K") PkBytes, _ = base64.StdEncoding.DecodeString("LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRRFpGM1VGYXNjV2VrK0IKM0Q5U0U4MXA4NW5TNHJJV0Q2ZGV3d0FFT1UvTnpTcUoxVmpFVGw5SURpNEJaR09oWkFvSmFvQ1VWNzhwdlJIKwo5NHpmUDRkUFVQNFNtWHJkaGdESzVYYmhabVJzUEh3VzE3UFNQQ0s0YVppZ2g3QkZiWjlaeWRDcm5OZnJIL1hhCk5IREx5WUJraUZPWkRLRTNnOWVOekE1aXBHUlRRL0dUNEduYVRFU05JSDlFbEVYN1gxcUhQNXY3TDRvSVlnUloKc2o1YWdPTGZVeHVHMkpTVGJDL1hDeEU3K2QyRGRPbzUvZzdJSGVaT0pmWUhiOHE1N01xVmlYRUtHWVp3cFRXNwpuUklsYzZ0aG80bm5vak9BSXd3UlV4ZUVteHRmVEZpRFlVdnFVa3RhdjErVE9yRk4vT3pWb1pSakFLbWlSZTAyClJUYWFrNDVoQWdNQkFBRUNnZ0VBWk04NHZ5QTdmUnVsQ2hlZHE5NllOOGd3T1RhZUhoSjgxVXRXR2FBSGgvanEKOVFDR2JQbzcwcmtLOGdpTkgyZldKVk00akNwSEVmbkRmcE96N2dPUk1PcmFZUWEyZ0dIMndrRldPQXNWUFJIRgpTZEkycGJ6WkhxdWlmWUVsQU1pTUErVHNxcFIxeTdDV3VSSTdBdGI2Y1RUQkpVUXhKUmRySkdTS2xaSGpLS3A4Clo4V0xkNllqTnVzSlY0c1ZNb0pTR3RPc0tkcUx0RytlYnhPK2RCdWNnbm95S01KMi9LREl2bmxHWE1CME5IOUYKaXVOSVFYNnlReHI0VlNGSVZndldwZ0dPYTI0QWtxSlFGRm80UVdlc1JVa01EaFU5aTJPYWc4ekNxL1U4VmFpMQo2eTBTa2FucTBxbVFoN1c5UFV5RXlKdGhhbk5RczYzNDZXWkZmNWY0bFFLQmdRRHc1MzRLZFNiYkJjQTBZVmpaCjI1NDRLbE1MMzBSc04vN2JIdEt0djVVKzIyYjBXekRycHVVbFpVUmVFZGducGlBQVg3RUpLdFRDUVVCektuTmQKU1g4WTE4WTB6cEkyZnhJb2pjN0YwVy9aMzB0bkM1NjNKLzV0WTk4eVJzQ3lISXpRTXQvOTMzUVRLU2pGaktBcwp1ZCtKbDR6Q25yWUpnVitrTGV6V1R4c1ptd0tCZ1FEbXNmaGZPOUF6V3diQS9IS09aL01ZaTRjcWE5disyN2xSCktmYStZQ3ZMRUE0UWhJRTZXVFA2ZGFtTnpwZytQMW9QcmdmSVBpNVJOelRmdlFoSzlMaW56dDdxVTJYbWJYVXUKNDJpR2p3UklwY1hLaGxYeFNCTTFQVGZ5dW5GaXlORW1qVlR2SWdudW9vNmdJNUp0RVNLQ2hGZy95YWIwRm9ONQpVRnV1MGp2bHN3S0JnRUpKWUZ3ZVNqZkFDRmdoWlNKbEZNOGRqa1paQStuSEtxQStoZmY3SEdUMFdBcnF3TFpHCjhReHVKZmJBY0RyUXNrT0lFUjJWcEg5akZ3blpaMjhHMXlzTnpHTWhhQWdJeFFWVnA4eTB5Vk1vNXdXT28vaC8KejdsbjNyVmwxSVh0NXkwdW9vV25vN2ZWL25zRks5bkN0MmlUdzg2VmZ6OTBVczNKT1Q3cSsyajdBb0dBUVFpTQp0dlFhcGsrVDROV0p5Y0ZlRTE1S0ZWaGdwVUQxeGY2cGMxT1RKT1I2d29kSUV0WFF4RnRsRi9mVWpUKzR1TkRiCm1zU0V0QnAzQ2xlMHZjU3RSWWtZNkQvb2F3UVNVOHlCeStVSFZSOStXYkJ6QzlqQXFYSi9raXFqQ2pFSVhQRGMKcjZrTjJicnpzQXMzSFE0R2gzcWRraVhicmRXbTdJME51NFBDcE9jQ2dZRUFzNUh1aFZ3Q0lrL0IrY0I0Um5RbwpXWTJOQjVPd1FpbmVmd3RVVlJJTWxGTkhWeWljTmhyME5wQkJ0TGF0RFRZOTlYRmx3eHh3LzMrM0hBbUdxTjVvCmNvVTVkQ3dNRWo0RmZ6V3ZIUTBWa0VsRVRkZ3ZnVFluejFYU015alJXZjZweTRaTXpBZ0xJL2pDQXlGMnQvMVMKZ1ZIR01LRFV0YjdNRHIzamg3ZmxoUG89Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K") ) + +const OldPrivateKeyEncoded = "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2d0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktrd2dnU2xBZ0VBQW9JQkFRRHBTaUdjSGdxaEJPYUgKVzZ4NFBZaWdnVUhBYW5nVXVNNEkxWlFFZkZleDZCMXMvYWVzUUdVckJMNGNlRnBBd0JMWTY4d2IwR1JsQTFCZgo2eVVpc2FhRXAxL0J4OVR2VUVhd2E1TlprV0pvVVV5TTM2MXBlMXF5bExJcVd0aEdGa3Q1dStGRGJjVFFHcjV1CjBQYzVDMEN4V28rSCsxVU5IdW9sZEo4Zk5adHZLMEpFcm4zWmFsRjgwVVRzbjdpVW1SeWFlQVplTGpiOHZWcWwKSlU2NVpnVzZldThKWk1yUnA4T283T0drZnFrR2lLdWtSVWtValZNNG91eUNERkprYVRJUzB1RnJ6N1JYSlRUbQo0eXBaQnNKeXp5OHhsRHZtbFMwZ3phSHdqOHVPK2pLa3d0bjd1TDk2am1JaVFtbFhkK3h1M0NoeFpJWEpmaTgzCjZpdFc1VjdaQWdNQkFBRUNnZ0VCQUpNcXg3OFRtSUx4YzNnS1ZlZlljWnRIVHpKU09BUmlmTjlIMU1OcnFXcTYKMGUxU3F2YlgvTHBCbUtpZko5aFhFc3l6RzZTa051RWVVUkxoWlNEWXp3STZFQWRQeDcxY2QrdU5RWHdzWWRjTApDbTZJSUg0OWFmN2tIT3pwT0N3bW5tQmlMSDM3L2orRno0SmE0c3FpbGFJTVRpVnJZTUVSTW9hRVpta3F5UzQ3CitHb2FhcDFGMkFoTjVaVTRKeFlMV0ZqejhBWVJSSGRnWDZJTk1paWxmTDJNT0Rld3V5TEpaaXFScTByMFVGcUIKdElia25JcE02azgrczd2VkVXVXY1cVlibkU3TjQzSWIxd2lYbnZQY2orMzR5ZEhadkpWcVprWXdsQ2xWWEVOQgpyeVpkMjBySTc2aTgxTk9Wd1RGaUNRazNZcjNJTWhWTmtRSTF4Nzdvc0lFQ2dZRUEvRVFyZXh4emh5QTVlbkRRCmVIaEh2T042WU54Y1h6VHFhVk16dHRxa0JwbEZ3aENIdzA2c3hZSmJUN3g5UnB3MzZYWS9FaFBwdG9lSVhUWU0Kc1ZaMkljUVorQXN6ejYzK2JYVmJ2VXJjUGRpb0U3bEJadGpTVHlUMnVlYm1Zck52N3ZNNEJOb0tzOUczd2U1bAo2d1BHR0tkdmJuWDhUcVdDNE54LzFUM2w2VEVDZ1lFQTdMNFBKdTA4Ry9FUzROTHlTaVdVSGJsSHRkcXVSQmE3CkhZcWIwejJ3NnBpei8xNHNNOTVmWGZSODZmai92RVVjNndUb2FuRFplc1UvSDg0SEZ0VTFuSGpLTW9qVFQ1ckMKWDQvblJTZ2FBdGwrVmpLNGphb0Jyb1NFeEJsdUI2VGJwUW9LTG0rdUtxakJQYkNjSllORitIMkxUYWdMRVliUwpkNTNPOGlKaDVpa0NnWUJJZ2Z1UmJqTVNrc09TbXR5QTArbWl0Q3VYclo3clNwVlo0cTFKa0h4MjNSVTgyMjE2ClNLSEdQMXFwaDM3bWpiNVFYMGx2azhPb1VEcDB1RFZidjROQzMwK3JpT1RDZTd0V2tOWG1pWjdXTS9EVGducjIKNmJsQlFGbWVRMnpTejhxTGZ1TUtHZlhiaTVycXBmQXJaYkZKb3M2WGpGZ1I3dWE0WlFobExWNW84UUtCZ1FEUgpMRWlVKzAxOTNxM3dhVkhjZzRGd0ZkR3ZjeTFBU2RsQUM4VU1pdGh6SDBNQ29nRnFQdE9DWDArekp1ZEdRTWFCClBNL2hwQjN6NUsyV2UySTJJV0lDQTVPYnZOci8zZHhadFBzQlZxSk0zRUJOQnZtYmFaZWN5OGZHd0RWQW1iL2IKL1pmcldZL0liMXgyRmtLUXZvRW5RajIvK25iMUlHdDdkcnB2cEVOZHFRS0JnUUNLSUFweVRLTXVWNjlPc3U2NAoranRXNG51RkYreDRlQjU1Wk1CYUxGY3ZpWElIUjVWUzlnOUlTTEROZHdJT2V5THlhcDE4UkZWY0xVT1IzOUFICmZodWJXSjhBSjJ4cUFJajBiNmYzeUVBRklHdWE2UnRKcXpUeElFVlFPMFdBS1VuUElBR1UxdkhNSDFGRDZsc3MKRkU4Q1o4enN1dlBRaXRqd0Z2NFJNV0JCMnc9PQotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg==" +const OldCertificateEncoded = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVyRENDQXhTZ0F3SUJBZ0lVUFdUaGxyU1IyRXFwemRpVjZJUU1sOEo1ZVpBd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1V6RVZNQk1HQ2dtU0pvbVQ4aXhrQVFFTUJURXlNelExTVJVd0V3WURWUVFEREF4TllXNWhaMlZ0Wlc1MApRMEV4SXpBaEJnTlZCQW9NR2tWS1FrTkJJRU52Ym5SaGFXNWxjaUJSZFdsamEzTjBZWEowTUI0WERUSXhNRGN3Ck56RXlNRGMxTVZvWERUSXpNRGN3TnpFeU1EYzFNRm93ZHpFUk1BOEdBMVVFQXd3SWIyNWhjQzV2Y21jeERUQUwKQmdOVkJBc01CRTlPUVZBeEdUQVhCZ05WQkFvTUVFeHBiblY0TFVadmRXNWtZWFJwYjI0eEZqQVVCZ05WQkFjTQpEVk5oYmkxR2NtRnVZMmx6WTI4eEV6QVJCZ05WQkFnTUNrTmhiR2xtYjNKdWFXRXhDekFKQmdOVkJBWVRBbFZUCk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBNDJ2QmZpeCtCb3NwblRXVTN0REQKY0FHSjZGU010YVJyS3pPTllQWGhyTE9TNU9BZmpNYkNLbGxrcmErWVlMSGZPTzdTajcwNWVEUi8zVVlPWEtiSQo3eERLL0JvamZwVG1YbWVrcmVONXFmazNmV2hOdUEvS054anJybHpIbDdza0t3UW55QVBWVG03ekh2a01sZEFlCjIrTVp1RHNDcXA0NVpEa3RER241NTBpNFQyRlAwdnVoRDVzWFZ5dUkzQVZxbVkySGJYMmE3MVgxT1lZSEthcE4KWE50RVpIYXN2K0w1ZWw2NUM3Qk5BMEpiNGdRK2kzRnJuMFJoNXFuWVZ3QS85MkIxa2FwMC9FQS95dEl1aGdwMAo5R29rNlhGQkc0TGNzbmlHR29WU2dxUHpmd0w0Tm90Mk5FSDlmWC9vSC9LbnEyRjMxTGpodGI0T0p2VG5KTENYCnB3SURBUUFCbzRIVE1JSFFNQXdHQTFVZEV3RUIvd1FDTUFBd0h3WURWUjBqQkJnd0ZvQVUveDhMN2tXWGhDcG8KOVZrSGVaYnlna04wbzJ3d1J3WURWUjBSQkVBd1BvRU5kR1Z6ZEVCdmJtRndMbTl5WjRJSWIyNWhjQzV2Y21lQwpEWFJsYzNRdWIyNWhjQzV2Y21lR0RtWjBjRG92TDNSbGMzUXViM0puaHdSL0FBQUJNQ2NHQTFVZEpRUWdNQjRHCkNDc0dBUVVGQndNQ0JnZ3JCZ0VGQlFjREJBWUlLd1lCQlFVSEF3RXdIUVlEVlIwT0JCWUVGS3ZUR2Rtc3JCUmUKSTlzcFIrYlExWGdVVlBSSE1BNEdBMVVkRHdFQi93UUVBd0lGNERBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVlFQQpoWE9HWU1OUjJzcTNreUVhWG9KL3BYWlJiRW1jWlNYZ2p1dXVES0U4bjh3WlArY2Izd0FDZWU3MmFtZ2dJODR6CmtJeGlkU2ZNZWgvdURZTVBGR2pBQUFyQ1kydTdxcnZsMzBmaVU1OG9qZmhsbUwzbHYyalZBSnRyWksvVnVrWnUKajB6ZG5TU2d6ZyszN0NhL1BHeE1nY3pDaHdhZVEvU0ZpZHhuYWczdHhmUFZjYUdXa25pTkljVER5ZlRUQ3J0YQpjU0JPQ3B1S1doOWRCZk15dTg3VjhNc2N2dGh0WDNIWFhEQStVSXN4VzJlekxOS25UYmM1SURHL3NqOGVteXNmCnA1aDE3alQxblZ1eEY3QWluWC96Um84YzBBK20zVUdLQVdxM1NKU3k1RDdDRkVzTWtRRUhiNWQ3WGtZR3pRNWkKNmZPZURuZlpZZjV0R2tYSTdaZmZXZjduRkprVEhmU25xNkxUaE9SbDAyRWliMXJoZXFCR2xSR0hhTFNIWTh4OApZb0trK2dZbkI3a2MzSzRuV3NMNGpTWW5oUlBaMmpJMTM1RWxwckFtaGlBQ2E3Zk5wMThLbitsQzZvWGZ6b1FqCmJPMlFhUENCdU1NMFFhLzZzb2NwN1lnZkRXZjdUR3llYi9rV2pIWEpXaUUzSk5FcjBhN28ycGVFUHQvSEY4WTAKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQoK" |