
Merge pull request #1475 from aledbf/ocsp
Add OCSP support
aledbf authored Oct 5, 2017
2 parents 1c6ff88 + f6ba3ab commit cd6d90d
Showing 15 changed files with 1,519 additions and 2 deletions.
9 changes: 9 additions & 0 deletions Godeps/Godeps.json


5 changes: 5 additions & 0 deletions controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
Expand Up @@ -621,6 +621,11 @@ stream {
# PEM sha: {{ $server.SSLPemChecksum }}
ssl_certificate {{ $server.SSLCertificate }};
ssl_certificate_key {{ $server.SSLCertificate }};
{{ if not (empty $server.SSLFullChainCertificate)}}
ssl_trusted_certificate {{ $server.SSLFullChainCertificate }};
ssl_stapling on;
ssl_stapling_verify on;
{{ end }}
{{ end }}

{{ if (and (not (empty $server.SSLCertificate)) $all.Cfg.HSTS) }}
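Review bot: `ssl_stapling on` together with `ssl_stapling_verify on` only yields stapled responses if nginx can resolve the OCSP responder host named in the certificate, which requires a `resolver` directive in the enclosing server or http block; no resolver is visible in this hunk, so if the template does not already define one, stapling will fail silently and the certificate is served without a staple. Suggest making the dependency explicit with a template comment above `ssl_stapling on;`, e.g. `# OCSP stapling needs a reachable responder and a resolver directive; nginx reports failures in its error log`. The enclosing server block starts and ends outside the hunk.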
1 change: 1 addition & 0 deletions core/pkg/ingress/controller/controller.go
Expand Up @@ -1056,6 +1056,7 @@ func (ic *GenericController) createServers(data []*extensions.Ingress,
}

servers[host].SSLCertificate = cert.PemFileName
servers[host].SSLFullChainCertificate = cert.FullChainPemFileName
servers[host].SSLPemChecksum = cert.PemSHA
servers[host].SSLExpireTime = cert.ExpireTime

3 changes: 3 additions & 0 deletions core/pkg/ingress/sort_ingress.go
Expand Up @@ -32,6 +32,9 @@ type SSLCert struct {
CAFileName string `json:"caFileName"`
// PemFileName contains the path to the file with the certificate and key concatenated
PemFileName string `json:"pemFileName"`
// FullChainPemFileName contains the path to the file with the certificate and key concatenated
// This certificate contains the full chain (ca + intermediates + cert)
FullChainPemFileName string `json:"fullChainPemFileName"`
// PemSHA contains the sha1 of the pem file.
// This is used to detect changes in the secret that contains the certificates
PemSHA string `json:"pemSha"`
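Review bot: The new comment on FullChainPemFileName repeats the PemFileName wording and says the file holds "the certificate and key concatenated", but fullChainCert in ssl.go writes only `certUtil.EncodeCertificates(certs)`, so the full-chain file contains certificates and no private key. Suggest `// FullChainPemFileName contains the path to a file with the certificate chain only (cert + intermediates + root CA), without the private key` so readers neither treat the file as secret-bearing nor expect a key in it. The SSLCert struct starts and ends outside the hunk.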
3 changes: 3 additions & 0 deletions core/pkg/ingress/types.go
Expand Up @@ -220,6 +220,9 @@ type Server struct {
SSLPassthrough bool `json:"sslPassthrough"`
// SSLCertificate path to the SSL certificate on disk
SSLCertificate string `json:"sslCertificate"`
// SSLFullChainCertificate path to the SSL certificate on disk
// This certificate contains the full chain (ca + intermediates + cert)
SSLFullChainCertificate string `json:"sslFullChainCertificate"`
// SSLExpireTime has the expire date of this certificate
SSLExpireTime time.Time `json:"sslExpireTime"`
// SSLPemChecksum returns the checksum of the certificate file on disk.
46 changes: 44 additions & 2 deletions core/pkg/net/ssl/ssl.go
Expand Up @@ -34,6 +34,7 @@ import (
"time"

"github.com/golang/glog"
"github.com/zakjan/cert-chain-resolver/certUtil"

"k8s.io/apimachinery/pkg/util/sets"

Expand All @@ -49,6 +50,7 @@ var (
func AddOrUpdateCertAndKey(name string, cert, key, ca []byte) (*ingress.SSLCert, error) {
pemName := fmt.Sprintf("%v.pem", name)
pemFileName := fmt.Sprintf("%v/%v", ingress.DefaultSSLDirectory, pemName)
fullChainPemFileName := fmt.Sprintf("%v/%v-full-chain.pem", ingress.DefaultSSLDirectory, name)

tempPemFile, err := ioutil.TempFile(ingress.DefaultSSLDirectory, pemName)

Expand Down Expand Up @@ -170,13 +172,23 @@ func AddOrUpdateCertAndKey(name string, cert, key, ca []byte) (*ingress.SSLCert,
}, nil
}

return &ingress.SSLCert{
s := &ingress.SSLCert{
Certificate: pemCert,
PemFileName: pemFileName,
PemSHA: file.SHA1(pemFileName),
CN: cn.List(),
ExpireTime: pemCert.NotAfter,
}, nil
}

err = fullChainCert(pemFileName, fullChainPemFileName)
if err != nil {
glog.Errorf("unexpected error generating SSL certificate with full chain: %v", err)
return s, nil
}

s.FullChainPemFileName = fullChainPemFileName

return s, nil
}

func getExtension(c *x509.Certificate, id asn1.ObjectIdentifier) []pkix.Extension {
Expand Down Expand Up @@ -376,3 +388,33 @@ func GetFakeSSLCert() ([]byte, []byte) {

return cert, key
}

func fullChainCert(in, out string) error {
inputFile, err := os.Open(in)
if err != nil {
return err
}

data, err := ioutil.ReadAll(inputFile)
if err != nil {
return err
}

cert, err := certUtil.DecodeCertificate(data)
if err != nil {
return err
}

certs, err := certUtil.FetchCertificateChain(cert)
if err != nil {
return err
}

certs, err = certUtil.AddRootCA(certs)
if err != nil {
return err
}

data = certUtil.EncodeCertificates(certs)
return ioutil.WriteFile(out, data, 0644)
}
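Review bot: `inputFile` opened by `os.Open(in)` at the top of fullChainCert is never closed, so every certificate sync leaks a file descriptor; since the whole file is read at once anyway, replace the open/ReadAll pair with `data, err := ioutil.ReadFile(in)` followed by `if err != nil { return err }`. `certUtil.FetchCertificateChain` appears to resolve intermediates by fetching them from URLs embedded in the certificate, which would mean AddOrUpdateCertAndKey now makes outbound requests to addresses taken from user-supplied Secrets with no timeout visible here; if that is the case, a bounded deadline and a log line naming the fetched URL would keep a slow or unreachable issuer from stalling the sync and make failures diagnosable. The chain is written with a plain `ioutil.WriteFile` while the main pem file on the hunk at line 87 goes through `ioutil.TempFile`, so a reload that races the write can read a truncated chain file; writing to a temp file and renaming would match the existing pattern.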
24 changes: 24 additions & 0 deletions vendor/github.com/fullsailor/pkcs7/.gitignore


6 changes: 6 additions & 0 deletions vendor/github.com/fullsailor/pkcs7/.travis.yml


22 changes: 22 additions & 0 deletions vendor/github.com/fullsailor/pkcs7/LICENSE


8 changes: 8 additions & 0 deletions vendor/github.com/fullsailor/pkcs7/README.md



0 comments on commit cd6d90d
