Skip to content

Commit

Permalink
Merge pull request #375 from arsenalzp/multipleDecode
Browse files Browse the repository at this point in the history
Introduce certificate pool structure and remove multiple encode/decode process
  • Loading branch information
cert-manager-prow[bot] authored Jul 19, 2024
2 parents db4471f + 1bbbe3b commit 51f1e51
Show file tree
Hide file tree
Showing 12 changed files with 224 additions and 291 deletions.
8 changes: 7 additions & 1 deletion pkg/bundle/bundle_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -42,14 +42,20 @@ import (
trustapi "github.com/cert-manager/trust-manager/pkg/apis/trust/v1alpha1"
"github.com/cert-manager/trust-manager/pkg/bundle/internal/truststore"
"github.com/cert-manager/trust-manager/pkg/fspkg"
"github.com/cert-manager/trust-manager/pkg/util"
"github.com/cert-manager/trust-manager/test/dummy"
"github.com/cert-manager/trust-manager/test/gen"
)

func testEncodeJKS(t *testing.T, data string) []byte {
t.Helper()

encoded, err := truststore.NewJKSEncoder(trustapi.DefaultJKSPassword).Encode(data)
certPool := util.NewCertPool()
if err := certPool.AddCertsFromPEM([]byte(data)); err != nil {
t.Fatal(err)
}

encoded, err := truststore.NewJKSEncoder(trustapi.DefaultJKSPassword).Encode(certPool)
if err != nil {
t.Error(err)
}
Expand Down
29 changes: 8 additions & 21 deletions pkg/bundle/internal/truststore/types.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ import (
)

type Encoder interface {
Encode(trustBundle string) ([]byte, error)
Encode(trustBundle *util.CertPool) ([]byte, error)
}

func NewJKSEncoder(password string) Encoder {
Expand All @@ -43,17 +43,12 @@ type jksEncoder struct {
// Encode creates a binary JKS file from the given PEM-encoded trust bundle and Password.
// Note that the Password is not treated securely; JKS files generally seem to expect a Password
// to exist and so we have the option for one.
func (e jksEncoder) Encode(trustBundle string) ([]byte, error) {
cas, err := util.DecodeX509CertificateChainBytes([]byte(trustBundle))
if err != nil {
return nil, fmt.Errorf("failed to decode trust bundle: %w", err)
}

func (e jksEncoder) Encode(trustBundle *util.CertPool) ([]byte, error) {
// WithOrderedAliases ensures that trusted certs are added to the JKS file in order,
// which makes the files appear to be reliably deterministic.
ks := keystore.New(keystore.WithOrderedAliases())

for _, c := range cas {
for _, c := range trustBundle.Certificates() {
alias := certAlias(c.Raw, c.Subject.String())

// Note on CreationTime:
Expand All @@ -65,24 +60,21 @@ func (e jksEncoder) Encode(trustBundle string) ([]byte, error) {
// - Using a fixed time (i.e. unix epoch)
// We use NotBefore here, arbitrarily.

err = ks.SetTrustedCertificateEntry(alias, keystore.TrustedCertificateEntry{
if err := ks.SetTrustedCertificateEntry(alias, keystore.TrustedCertificateEntry{
CreationTime: c.NotBefore,
Certificate: keystore.Certificate{
Type: "X509",
Content: c.Raw,
},
})

if err != nil {
}); err != nil {
// this error should never happen if we set jks.Certificate correctly
return nil, fmt.Errorf("failed to add cert with alias %q to trust store: %w", alias, err)
}
}

buf := &bytes.Buffer{}

err = ks.Store(buf, []byte(e.password))
if err != nil {
if err := ks.Store(buf, []byte(e.password)); err != nil {
return nil, fmt.Errorf("failed to create JKS file: %w", err)
}

Expand All @@ -97,14 +89,9 @@ type pkcs12Encoder struct {
password string
}

func (e pkcs12Encoder) Encode(trustBundle string) ([]byte, error) {
cas, err := util.DecodeX509CertificateChainBytes([]byte(trustBundle))
if err != nil {
return nil, fmt.Errorf("failed to decode trust bundle: %w", err)
}

func (e pkcs12Encoder) Encode(trustBundle *util.CertPool) ([]byte, error) {
var entries []pkcs12.TrustStoreEntry
for _, c := range cas {
for _, c := range trustBundle.Certificates() {
entries = append(entries, pkcs12.TrustStoreEntry{
Cert: c,
FriendlyName: certAlias(c.Raw, c.Subject.String()),
Expand Down
8 changes: 7 additions & 1 deletion pkg/bundle/internal/truststore/types_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ import (
"github.com/pavlo-v-chernykh/keystore-go/v4"

"github.com/cert-manager/trust-manager/pkg/apis/trust/v1alpha1"
"github.com/cert-manager/trust-manager/pkg/util"
"github.com/cert-manager/trust-manager/test/dummy"
)

Expand All @@ -36,7 +37,12 @@ func Test_encodeJKSAliases(t *testing.T) {
// Using different dummy certs would allow this test to pass but wouldn't actually test anything useful!
bundle := dummy.JoinCerts(dummy.TestCertificate1, dummy.TestCertificate2)

jksFile, err := jksEncoder{password: v1alpha1.DefaultJKSPassword}.Encode(bundle)
certPool := util.NewCertPool()
if err := certPool.AddCertsFromPEM([]byte(bundle)); err != nil {
t.Fatal(err)
}

jksFile, err := jksEncoder{password: v1alpha1.DefaultJKSPassword}.Encode(certPool)
if err != nil {
t.Fatalf("didn't expect an error but got: %s", err)
}
Expand Down
75 changes: 8 additions & 67 deletions pkg/bundle/source.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,12 +17,8 @@ limitations under the License.
package bundle

import (
"bytes"
"context"
"crypto/sha256"
"encoding/pem"
"fmt"
"slices"
"strings"

corev1 "k8s.io/api/core/v1"
Expand Down Expand Up @@ -52,7 +48,7 @@ type bundleData struct {
// is each bundle is concatenated together with a new line character.
func (b *bundle) buildSourceBundle(ctx context.Context, sources []trustapi.BundleSource, formats *trustapi.AdditionalFormats) (bundleData, error) {
var resolvedBundle bundleData
var bundles []string
certPool := util.NewCertPool(util.WithFilteredExpiredCerts(b.FilterExpiredCerts))

for _, source := range sources {
var (
Expand Down Expand Up @@ -87,27 +83,17 @@ func (b *bundle) buildSourceBundle(ctx context.Context, sources []trustapi.Bundl
return bundleData{}, fmt.Errorf("failed to retrieve bundle from source: %w", err)
}

opts := util.ValidateAndSanitizeOptions{FilterExpired: b.Options.FilterExpiredCerts}
sanitizedBundle, err := util.ValidateAndSanitizePEMBundleWithOptions([]byte(sourceData), opts)
if err != nil {
if err := certPool.AddCertsFromPEM([]byte(sourceData)); err != nil {
return bundleData{}, fmt.Errorf("invalid PEM data in source: %w", err)
}

bundles = append(bundles, string(sanitizedBundle))
}

// NB: empty bundles are not valid so check and return an error if one somehow snuck through.

if len(bundles) == 0 {
if certPool.Size() == 0 {
return bundleData{}, fmt.Errorf("couldn't find any valid certificates in bundle")
}

deduplicatedBundles, err := deduplicateAndSortBundles(bundles)
if err != nil {
return bundleData{}, err
}

if err := resolvedBundle.populateData(deduplicatedBundles, formats); err != nil {
if err := resolvedBundle.populateData(certPool, formats); err != nil {
return bundleData{}, err
}

Expand Down Expand Up @@ -208,22 +194,22 @@ func (b *bundle) secretBundle(ctx context.Context, ref *trustapi.SourceObjectKey
return results.String(), nil
}

func (b *bundleData) populateData(bundles []string, formats *trustapi.AdditionalFormats) error {
b.data = strings.Join(bundles, "\n") + "\n"
func (b *bundleData) populateData(pool *util.CertPool, formats *trustapi.AdditionalFormats) error {
b.data = pool.PEM()

if formats != nil {
b.binaryData = make(map[string][]byte)

if formats.JKS != nil {
encoded, err := truststore.NewJKSEncoder(*formats.JKS.Password).Encode(b.data)
encoded, err := truststore.NewJKSEncoder(*formats.JKS.Password).Encode(pool)
if err != nil {
return fmt.Errorf("failed to encode JKS: %w", err)
}
b.binaryData[formats.JKS.Key] = encoded
}

if formats.PKCS12 != nil {
encoded, err := truststore.NewPKCS12Encoder(*formats.PKCS12.Password).Encode(b.data)
encoded, err := truststore.NewPKCS12Encoder(*formats.PKCS12.Password).Encode(pool)
if err != nil {
return fmt.Errorf("failed to encode PKCS12: %w", err)
}
Expand All @@ -232,48 +218,3 @@ func (b *bundleData) populateData(bundles []string, formats *trustapi.Additional
}
return nil
}

// remove duplicate certificates from bundles and sort certificates by hash
func deduplicateAndSortBundles(bundles []string) ([]string, error) {
var block *pem.Block

var certificatesHashes = make(map[[32]byte]string)

for _, cert := range bundles {
certBytes := []byte(cert)

for {
block, certBytes = pem.Decode(certBytes)
if block == nil {
break
}

if block.Type != "CERTIFICATE" {
return nil, fmt.Errorf("couldn't decode PEM block containing certificate")
}

// calculate hash sum of the given certificate
hash := sha256.Sum256(block.Bytes)
// check existence of the hash
if _, ok := certificatesHashes[hash]; !ok {
// neew to trim a newline which is added by Encoder
certificatesHashes[hash] = string(bytes.Trim(pem.EncodeToMemory(block), "\n"))
}
}
}

var orderedKeys [][32]byte
for key := range certificatesHashes {
orderedKeys = append(orderedKeys, key)
}
slices.SortFunc(orderedKeys, func(a, b [32]byte) int {
return bytes.Compare(a[:], b[:])
})

var sortedDeduplicatedCerts []string
for _, key := range orderedKeys {
sortedDeduplicatedCerts = append(sortedDeduplicatedCerts, certificatesHashes[key])
}

return sortedDeduplicatedCerts, nil
}
16 changes: 14 additions & 2 deletions pkg/bundle/source_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ import (
"context"
"encoding/pem"
"errors"
"strings"
"testing"

jks "github.com/pavlo-v-chernykh/keystore-go/v4"
Expand All @@ -34,6 +35,7 @@ import (

trustapi "github.com/cert-manager/trust-manager/pkg/apis/trust/v1alpha1"
"github.com/cert-manager/trust-manager/pkg/fspkg"
"github.com/cert-manager/trust-manager/pkg/util"
"github.com/cert-manager/trust-manager/test/dummy"
)

Expand Down Expand Up @@ -393,6 +395,7 @@ func TestBundlesDeduplication(t *testing.T) {
tests := map[string]struct {
name string
bundle []string
expError string
testBundle []string
}{
"single, different cert per source": {
Expand All @@ -408,6 +411,7 @@ func TestBundlesDeduplication(t *testing.T) {
"no certs in sources": {
bundle: []string{},
testBundle: nil,
expError: "no non-expired certificates found in input bundle",
},
"single cert in the first source, joined certs in the second source": {
bundle: []string{
Expand Down Expand Up @@ -456,9 +460,17 @@ func TestBundlesDeduplication(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Parallel()

resultBundle, err := deduplicateAndSortBundles(test.bundle)
certPool := util.NewCertPool()
err := certPool.AddCertsFromPEM([]byte(strings.Join(test.bundle, "\n")))
if test.expError != "" {
assert.NotNil(t, err)
assert.Equal(t, err.Error(), test.expError)
return
} else {
assert.Nil(t, err)
}

assert.Nil(t, err)
resultBundle := certPool.PEMSplit()

// check certificates bundle for duplicated certificates
assert.Equal(t, test.testBundle, resultBundle)
Expand Down
6 changes: 4 additions & 2 deletions pkg/fspkg/package.go
Original file line number Diff line number Diff line change
Expand Up @@ -64,8 +64,10 @@ func (p *Package) Clone() *Package {
func (p *Package) Validate() error {
// Ignore the sanitized bundle here and preserve the bundle as-is.
// We'll sanitize later, when building a bundle on a reconcile.
_, err := util.ValidateAndSanitizePEMBundle([]byte(p.Bundle))
if err != nil {

certPool := util.NewCertPool(util.WithFilteredExpiredCerts(false))

if err := certPool.AddCertsFromPEM([]byte(p.Bundle)); err != nil {
return fmt.Errorf("package bundle failed validation: %w", err)
}

Expand Down
Loading

0 comments on commit 51f1e51

Please sign in to comment.