From c54a0efe4be34d2fcc13cc3c1316382dcae6fcb3 Mon Sep 17 00:00:00 2001
From: Zhang Jingqiang
Date: Wed, 16 Aug 2023 15:53:38 +0800
Subject: [PATCH] g3fcgen: default to append ca cert content

---
 g3fcgen/CHANGELOG | 4 ++++
 g3fcgen/src/backend/mod.rs | 5 ++++-
 g3fcgen/src/config/backend.rs | 28 +++++++++++++++++++++++++---
 3 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/g3fcgen/CHANGELOG b/g3fcgen/CHANGELOG
index d8f354b4a..7c8771115 100644
--- a/g3fcgen/CHANGELOG
+++ b/g3fcgen/CHANGELOG
@@ -1,4 +1,8 @@
+v0.6.0:
+ - Feature: add config file and reduce command line options
+ - Feature: default to append ca cert to cert content
+
 v0.5.1:
  - Feature: allow to run multiple systemd instances
diff --git a/g3fcgen/src/backend/mod.rs b/g3fcgen/src/backend/mod.rs
index bca55bbc1..166d4ed76 100644
--- a/g3fcgen/src/backend/mod.rs
+++ b/g3fcgen/src/backend/mod.rs
@@ -51,9 +51,12 @@ impl OpensslBackend {
         let cert = self.builder
             .build_fake(&host, &self.config.ca_cert, &self.config.ca_key, None)?;
-        let cert_pem = cert
+        let mut cert_pem = cert
             .to_pem()
             .map_err(|e| anyhow!("failed to encode cert: {e}"))?;
+        if !self.config.ca_cert_pem.is_empty() {
+            cert_pem.extend_from_slice(&self.config.ca_cert_pem);
+        }
         let key_pem = self
             .builder
             .pkey()
diff --git a/g3fcgen/src/config/backend.rs b/g3fcgen/src/config/backend.rs
index eafdc6d20..945a61a57 100644
--- a/g3fcgen/src/config/backend.rs
+++ b/g3fcgen/src/config/backend.rs
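Review bot: The bytes appended after the leaf PEM are copied verbatim from `self.config.ca_cert_pem`, so whether the result is a valid serving chain (leaf first, then the issuing CA, issuer-first) depends entirely on how the config loader built that buffer, and nothing in this method documents that contract. A one-line comment would make the intent explicit, e.g. `// Leaf cert first, then the configured CA material, so callers receive a ready-to-serve PEM chain.` The `is_empty()` guard is harmless but redundant, since `extend_from_slice` with an empty slice is a no-op. OpenSSL's PEM writer should terminate each certificate with a newline, so the plain concatenation stays well-formed; the enclosing method continues outside the hunk.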
@@ -31,18 +31,29 @@ pub(crate) fn get_config() -> Option> {
 pub(crate) struct OpensslBackendConfig {
     pub(crate) ca_cert: X509,
     pub(crate) ca_key: PKey,
+    pub(crate) ca_cert_pem: Vec,
 }

 pub(super) fn load_config(value: &Yaml) -> anyhow::Result<()> {
     if let Yaml::Hash(map) = value {
+        let mut no_append_ca_cert = false;
+        let mut ca_cert_pem = Vec::new();
         let mut ca_cert: Option = None;
         let mut ca_key: Option> = None;
         let lookup_dir = g3_daemon::config::get_lookup_dir(None)?;
         g3_yaml::foreach_kv(map, |k, v| match g3_yaml::key::normalize(k).as_str() {
             "ca_certificate" => {
-                let cert = g3_yaml::value::as_openssl_certificates(v, Some(lookup_dir))
                     .context(format!("invalid openssl certificate value for key {k}"))?
+                let mut certs = g3_yaml::value::as_openssl_certificates(v, Some(lookup_dir))
+                    .context(format!("invalid openssl certificate value for key {k}"))?;
+                for (i, cert) in certs.iter().enumerate() {
+                    let pem = cert.to_pem().map_err(|e| {
+                        anyhow!("failed to convert cert {i} back to pem format: {e}")
+                    })?;
+                    ca_cert_pem.extend(pem);
+                }
+
+                let cert = certs
                     .pop()
                     .ok_or_else(|| anyhow!("no valid openssl certificate key found"))?;
                 ca_cert = Some(cert);
@@ -54,6 +65,10 @@ pub(super) fn load_config(value: &Yaml) -> anyhow::Result<()> {
                 ca_key = Some(key);
                 Ok(())
             }
+            "no_append_ca_cert" => {
+                no_append_ca_cert = g3_yaml::value::as_bool(v)?;
+                Ok(())
+            }
             _ => Err(anyhow!("invalid key {k}")),
         })?;
@@ -64,8 +79,15 @@ pub(super) fn load_config(value: &Yaml) -> anyhow::Result<()> {
             return Err(anyhow!("no ca private key set"));
         };

+        if no_append_ca_cert {
+            ca_cert_pem.clear();
+        }
         BACKEND_CONFIG_LOCK
-            .set(Arc::new(OpensslBackendConfig { ca_cert, ca_key }))
+            .set(Arc::new(OpensslBackendConfig {
+                ca_cert,
+                ca_key,
+                ca_cert_pem,
+            }))
             .map_err(|_| anyhow!("duplicate backend config"))?;
         Ok(())
     } else {
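Review bot: The appended bundle is emitted in file order, but the signing CA is taken with `certs.pop()`, i.e. the last certificate in the file, so for a root-first, issuer-last bundle the chain sent after the leaf would read root then intermediate, the reverse of the issuer-first ordering TLS servers are conventionally expected to send (RFC 5246 §7.4.2; RFC 8446 relaxes this only for certificates after the leaf, and some clients still reject out-of-order chains). If a multi-certificate `ca_certificate` file is meant to be a chain, iterate in reverse so the signer follows the leaf directly, `for (i, cert) in certs.iter().enumerate().rev() {`, and document the expected file order next to the key. It is also worth deciding whether a self-signed root should be appended at all, since clients do not use it for path building and it only adds bytes to every handshake; I cannot tell from the hunk what bundle shapes the deployments use, so treat the ordering fix as something to confirm against real configs.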
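Review bot: In the `no_append_ca_cert` arm, `as_bool(v)?` is propagated without the `.context(format!("... for key {k}"))` wrapper the `ca_certificate` arm uses, so a malformed value surfaces as a bare parse error with no key name; suggest `no_append_ca_cert = g3_yaml::value::as_bool(v).context(format!("invalid boolean value for key {k}"))?;`. The negated flag name also reads as a double negative when it is false; if the config format is not yet frozen, a positive `append_ca_cert` defaulting to `true` would be clearer and would match the CHANGELOG wording.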