g3fcgen: default to append ca cert content

bytedance · Aug 16, 2023 · c54a0ef · c54a0ef
1 parent 44ab0a3
commit c54a0ef
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 4 deletions.
diff --git a/g3fcgen/CHANGELOG b/g3fcgen/CHANGELOG
@@ -1,4 +1,8 @@
 
+v0.6.0:
+ - Feature: add config file and reduce command line options
+ - Feature: default to append ca cert to cert content
+
 v0.5.1:
  - Feature: allow to run multiple systemd instances
 

diff --git a/g3fcgen/src/backend/mod.rs b/g3fcgen/src/backend/mod.rs
@@ -51,9 +51,12 @@ impl OpensslBackend {
         let cert =
             self.builder
                 .build_fake(&host, &self.config.ca_cert, &self.config.ca_key, None)?;
-        let cert_pem = cert
+        let mut cert_pem = cert
             .to_pem()
             .map_err(|e| anyhow!("failed to encode cert: {e}"))?;
+        if !self.config.ca_cert_pem.is_empty() {
+            cert_pem.extend_from_slice(&self.config.ca_cert_pem);
+        }
         let key_pem = self
             .builder
             .pkey()

diff --git a/g3fcgen/src/config/backend.rs b/g3fcgen/src/config/backend.rs
@@ -31,18 +31,29 @@ pub(crate) fn get_config() -> Option<Arc<OpensslBackendConfig>> {
 pub(crate) struct OpensslBackendConfig {
     pub(crate) ca_cert: X509,
     pub(crate) ca_key: PKey<Private>,
+    pub(crate) ca_cert_pem: Vec<u8>,
 }
 
 pub(super) fn load_config(value: &Yaml) -> anyhow::Result<()> {
     if let Yaml::Hash(map) = value {
+        let mut no_append_ca_cert = false;
+        let mut ca_cert_pem = Vec::new();
         let mut ca_cert: Option<X509> = None;
         let mut ca_key: Option<PKey<Private>> = None;
         let lookup_dir = g3_daemon::config::get_lookup_dir(None)?;
 
         g3_yaml::foreach_kv(map, |k, v| match g3_yaml::key::normalize(k).as_str() {
             "ca_certificate" => {
-                let cert = g3_yaml::value::as_openssl_certificates(v, Some(lookup_dir))
-                    .context(format!("invalid openssl certificate value for key {k}"))?
+                let mut certs = g3_yaml::value::as_openssl_certificates(v, Some(lookup_dir))
+                    .context(format!("invalid openssl certificate value for key {k}"))?;
+                for (i, cert) in certs.iter().enumerate() {
+                    let pem = cert.to_pem().map_err(|e| {
+                        anyhow!("failed to convert cert {i} back to pem format: {e}")
+                    })?;
+                    ca_cert_pem.extend(pem);
+                }
+
+                let cert = certs
                     .pop()
                     .ok_or_else(|| anyhow!("no valid openssl certificate key found"))?;
                 ca_cert = Some(cert);
@@ -54,6 +65,10 @@ pub(super) fn load_config(value: &Yaml) -> anyhow::Result<()> {
                 ca_key = Some(key);
                 Ok(())
             }
+            "no_append_ca_cert" => {
+                no_append_ca_cert = g3_yaml::value::as_bool(v)?;
+                Ok(())
+            }
             _ => Err(anyhow!("invalid key {k}")),
         })?;
 
@@ -64,8 +79,15 @@ pub(super) fn load_config(value: &Yaml) -> anyhow::Result<()> {
             return Err(anyhow!("no ca private key set"));
         };
 
+        if no_append_ca_cert {
+            ca_cert_pem.clear();
+        }
         BACKEND_CONFIG_LOCK
-            .set(Arc::new(OpensslBackendConfig { ca_cert, ca_key }))
+            .set(Arc::new(OpensslBackendConfig {
+                ca_cert,
+                ca_key,
+                ca_cert_pem,
+            }))
             .map_err(|_| anyhow!("duplicate backend config"))?;
         Ok(())
     } else {