From 9879e0147fc076114c7226bd6130d25c14770639 Mon Sep 17 00:00:00 2001 From: Remigiusz Janeczek Date: Thu, 29 Oct 2020 14:03:25 +0100 Subject: [OOM-K8S-CERT-EXTERNAL-PROVIDER] Filter not supported CSR properties Align EJBCA config with OOM Issue-ID: OOM-2559 Signed-off-by: Remigiusz Janeczek Change-Id: I8ab73c84415e1ea1b09b6210ffbf84386315f9eb
---
 .../src/cmpv2provisioner/csr/csr.go | 62 ++++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 certServiceK8sExternalProvider/src/cmpv2provisioner/csr/csr.go
(limited to 'certServiceK8sExternalProvider/src/cmpv2provisioner/csr/csr.go')
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/csr/csr.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/csr/csr.go
new file mode 100644
index 00000000..1a86866b
--- /dev/null
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/csr/csr.go
@@ -0,0 +1,62 @@
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-k8s-external-provider
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package csr
+
+import (
+ "crypto/rand"
+ "crypto/x509"
+ "crypto/x509/pkix"
+ "encoding/pem"
+
+ x509utils "onap.org/oom-certservice/k8s-external-provider/src/x509"
+)
+
+func FilterFieldsFromCSR(csrBytes []byte, privateKeyBytes []byte) ([]byte, error) {
+ csr, err := x509utils.DecodeCSR(csrBytes)
+ if err != nil {
+ return nil, err
+ }
+
+ key, err := x509utils.DecodePrivateKey(privateKeyBytes)
+ if err != nil {
+ return nil, err
+ }
+
+ filteredSubject := filterFieldsFromSubject(csr.Subject)
+
+ filteredCsr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
+ Subject: filteredSubject,
+ DNSNames: csr.DNSNames,
+ }, key)
+ if err != nil {
+ return nil, err
+ }
+
+ csrBytes = pem.EncodeToMemory(&pem.Block{Type: x509utils.PemCsrType, Bytes: filteredCsr})
+ return csrBytes, nil
+}
+
+func filterFieldsFromSubject(subject pkix.Name) pkix.Name {
+ subject.StreetAddress = []string{}
+ subject.SerialNumber = ""
+ subject.PostalCode = []string{}
+ return subject
+}
-- cgit 1.2.3-korg
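Review bot: FilterFieldsFromCSR re-signs the rebuilt request with whatever key privateKeyBytes decodes to, but nothing in the hunk checks that this key matches the public key of the incoming CSR, nor that the incoming CSR's own signature is valid (unless x509utils.DecodeCSR does that, which is not visible here); a mismatch silently yields a CSR bound to a different key than the one the caller submitted. After both decodes I would add `if err := csr.CheckSignature(); err != nil { return nil, err }` and a comparison of `csr.PublicKey` against the public half of `key` (via `crypto.Signer`'s `Public()`), returning an error on mismatch; the exact comparison depends on what DecodePrivateKey returns. The rebuilt x509.CertificateRequest also drops IPAddresses, EmailAddresses, URIs and all extensions of the original, which may be the intended "not supported" filtering, but the exported function has no doc comment saying so, e.g. `// FilterFieldsFromCSR re-encodes csrBytes keeping only the subject (minus street address, serial number and postal code) and DNS SANs, re-signed with privateKeyBytes.`. As a point of style, the `[]string{}` assignments in filterFieldsFromSubject can be `nil`, the idiomatic empty slice.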