修复证书写法

2022-11-08 18:45:04 +08:00
parent 4668737c2c
commit 58a02d6adc
7 changed files with 54 additions and 99 deletions
--- a/app/apinto/config.yml
+++ b/app/apinto/config.yml
@@ -1,3 +1,4 @@
+version: 2
 listen:
  - 8099
 ssl:
@@ -18,30 +19,26 @@ certificate: # 证书默认目录
    dir: /etc/apinto/cert

 ## 下面为新配置
-cluster:
-  listen:
-     peer:
-       urls:
-         - "http://0.0.0.0:9401"
-      cert: apinto.crt
-      key: apinto.key
-    client:
-      urls:
-        - "http://0.0.0.0:9400"
-      cert: apinto-node1.crt
-      key: apinto.key
+peer:
+  listens:
+    - "http://0.0.0.0:9401"
+  cert: apinto.crt
+  key: apinto.key
  advertise:
-    peers:
-      - "http://10.1.0.1:9401"
-    clients:
-      - "http://10.1.0.1:9400"
-server:
-  listen:
-    urls:
+    - "http://10.1.0.1:9401"
+client:
+  listens:
+    - "http://0.0.0.0:9400"
+  cert: apinto-node1.crt
+  key: apinto.key
+  advertise:
+    - "http://10.1.0.1:9400"
+gateway:
+  listens:
      - "http://10.0.0.1:8099"
      - "http://0.0.0.0:8099"
      - "http://:8099"
    cert: apinto.demo.crt
    key: apinto.demo.key
-  advertise:
-    - "http://"
+    advertise:
+      - "http://"
--- a/certs/cert.go
+++ b/certs/cert.go
@@ -2,7 +2,6 @@ package certs

 import (
 	"crypto/tls"
-	"crypto/x509"
 	"errors"
 	"github.com/eolinker/eosc/config"
 	"sync"
@@ -11,21 +10,16 @@ import (
 var errorCertificateNotExit = errors.New("not exist cert")

 type ICert interface {
-	SaveCert(workerId string, cert *tls.Certificate, certificate *x509.Certificate)
+	SaveCert(workerId string, cert *tls.Certificate)
 	DelCert(workerId string)
 }

 var (
-	workerMaps               = make(map[string]*info)
+	workerMaps               = make(map[string]*tls.Certificate)
 	lock                     = sync.RWMutex{}
 	currentCert *config.Cert = nil
 )

-type info struct {
-	cert        *tls.Certificate
-	certificate *x509.Certificate
-}
-
 func DelCert(workerId string) {
 	lock.Lock()
 	defer lock.Unlock()
@@ -34,22 +28,19 @@ func DelCert(workerId string) {
 	rebuild()
 }

-func SaveCert(workerId string, cert *tls.Certificate, certificate *x509.Certificate) {
+func SaveCert(workerId string, cert *tls.Certificate) {
 	lock.Lock()
 	defer lock.Unlock()
-	workerMaps[workerId] = &info{
-		cert:        cert,
-		certificate: certificate,
-	}
+	workerMaps[workerId] = cert
 	rebuild()

 }
 func rebuild() {
 	certsMap := make(map[string]*tls.Certificate)
 	for _, i := range workerMaps {
-		certsMap[i.certificate.Subject.CommonName] = i.cert
-		for _, dnsName := range i.certificate.DNSNames {
-			certsMap[dnsName] = i.cert
+		certsMap[i.Leaf.Subject.CommonName] = i
+		for _, dnsName := range i.Leaf.DNSNames {
+			certsMap[dnsName] = i
 		}
 	}
 	currentCert = config.NewCert(certsMap)
--- a/drivers/certs/controller.go
+++ b/drivers/certs/controller.go
@@ -53,7 +53,7 @@ func (c *Controller) Check(cfg interface{}) (profession, name, driver, desc stri
 		return
 	}

-	_, _, err = parseCert(conf.Key, conf.Pem)
+	_, err = parseCert(conf.Key, conf.Pem)
 	if err != nil {
 		return "", "", "", "", err
 	}
--- a/drivers/certs/worker.go
+++ b/drivers/certs/worker.go
@@ -2,9 +2,6 @@ package certs

 import (
 	"crypto/tls"
-	"crypto/x509"
-	"encoding/pem"
-	"errors"
 	"github.com/eolinker/apinto/certs"
 	"github.com/eolinker/apinto/drivers"
 	"github.com/eolinker/apinto/utils"
@@ -37,13 +34,13 @@ func (w *Worker) Reset(conf interface{}, _ map[eosc.RequireId]eosc.IWorker) erro

 	config := conf.(*Config)

-	cert, certificate, err := parseCert(config.Key, config.Pem)
+	cert, err := parseCert(config.Key, config.Pem)
 	if err != nil {
 		return err
 	}

 	w.config = config
-	certs.SaveCert(w.Id(), cert, certificate)
+	certs.SaveCert(w.Id(), cert)

 	return nil
 }
@@ -56,56 +53,19 @@ func (w *Worker) CheckSkill(string) bool {
 	return false
 }

-func parseCert(privateKey, pemValue string) (*tls.Certificate, *x509.Certificate, error) {
-	var err error
-	privateKey, err = utils.B64Decode(privateKey)
-	if err != nil {
-		return nil, nil, err
-	}
-	pemValue, err = utils.B64Decode(pemValue)
-	if err != nil {
-		return nil, nil, err
-	}
+func parseCert(privateKey, pemValue string) (*tls.Certificate, error) {

-	var cert tls.Certificate
-	//获取下一个pem格式证书数据 -----BEGIN CERTIFICATE-----   -----END CERTIFICATE-----
-	certDERBlock, restPEMBlock := pem.Decode([]byte(pemValue))
-	if certDERBlock == nil {
-		return nil, nil, errors.New("证书解析失败")
-	}
-	//附加数字证书到返回
-	cert.Certificate = append(cert.Certificate, certDERBlock.Bytes)
-	//继续解析Certificate Chan,这里要明白证书链的概念
-	certDERBlockChain, _ := pem.Decode(restPEMBlock)
-	if certDERBlockChain != nil {
-		//追加证书链证书到返回
-		cert.Certificate = append(cert.Certificate, certDERBlockChain.Bytes)
-	}
-
-	//解码pem格式的私钥------BEGIN RSA PRIVATE KEY-----   -----END RSA PRIVATE KEY-----
-	keyDERBlock, _ := pem.Decode([]byte(privateKey))
-	if keyDERBlock == nil {
-		return nil, nil, errors.New("证书解析失败")
-	}
-	var key interface{}
-	var errParsePK error
-	if keyDERBlock.Type == "RSA PRIVATE KEY" {
-		//RSA PKCS1
-		key, errParsePK = x509.ParsePKCS1PrivateKey(keyDERBlock.Bytes)
-	} else if keyDERBlock.Type == "PRIVATE KEY" {
-		//pkcs8格式的私钥解析
-		key, errParsePK = x509.ParsePKCS8PrivateKey(keyDERBlock.Bytes)
-	}
-
-	if errParsePK != nil {
-		return nil, nil, errors.New("证书解析失败")
-	} else {
-		cert.PrivateKey = key
-	}
-	//第一个叶子证书就是我们https中使用的证书
-	x509Cert, err := x509.ParseCertificate(certDERBlock.Bytes)
+	keydata, err := utils.B64Decode(privateKey)
 	if err != nil {
-		return nil, nil, err
+		return nil, err
 	}
-	return &cert, x509Cert, nil
+	pem, err := utils.B64Decode(pemValue)
+	if err != nil {
+		return nil, err
+	}
+	certificate, err := tls.X509KeyPair(pem, keydata)
+	if err != nil {
+		return nil, err
+	}
+	return &certificate, nil
 }
--- a/drivers/plugins/response-rewrite/driver.go
+++ b/drivers/plugins/response-rewrite/driver.go
@@ -38,7 +38,7 @@ func Create(id, name string, conf *Config, workers map[eosc.RequireId]eosc.IWork

 	//若body非空且需要base64转码
 	if conf.Body != "" && conf.BodyBase64 {
-		conf.Body, err = utils.B64Decode(conf.Body)
+		conf.Body, err = utils.B64DecodeString(conf.Body)
 		if err != nil {
 			return nil, err
 		}
--- a/drivers/plugins/response-rewrite/response-rewrite.go
+++ b/drivers/plugins/response-rewrite/response-rewrite.go
@@ -37,7 +37,7 @@ func (r *ResponseRewrite) Reset(v interface{}, workers map[eosc.RequireId]eosc.I

 	//若body非空且需要base64转码
 	if conf.Body != "" && conf.BodyBase64 {
-		conf.Body, err = utils.B64Decode(conf.Body)
+		conf.Body, err = utils.B64DecodeString(conf.Body)
 		if err != nil {
 			return err
 		}
--- a/utils/encode.go
+++ b/utils/encode.go
@@ -6,8 +6,15 @@ import (
 	"strings"
 )

-//B64Decode base64解密
-func B64Decode(input string) (string, error) {
+// B64Decode base64解密
+func B64DecodeString(input string) (string, error) {
+	data, err := B64Decode(input)
+	if err != nil {
+		return "", err
+	}
+	return string(data), err
+}
+func B64Decode(input string) ([]byte, error) {
 	remainder := len(input) % 4
 	// base64编码需要为4的倍数，如果不是4的倍数，则填充"="号
 	if remainder > 0 {
@@ -17,17 +24,17 @@ func B64Decode(input string) (string, error) {
 	// 将原字符串中的"_","-"分别用"/"和"+"替换
 	input = strings.Replace(strings.Replace(input, "_", "/", -1), "-", "+", -1)
 	result, err := base64.StdEncoding.DecodeString(input)
-	return string(result), err
+	return result, err
 }

-//B64Encode base64加密
+// B64Encode base64加密
 func B64Encode(input string) string {
 	result := base64.StdEncoding.EncodeToString([]byte(input))
 	result = strings.Replace(strings.Replace(strings.Replace(result, "=", "", -1), "/", "_", -1), "+", "-", -1)
 	return result
 }

-//QueryUrlEncode 对query进行url encode
+// QueryUrlEncode 对query进行url encode
 func QueryUrlEncode(rawQuery string) string {
 	queryList := strings.Split(rawQuery, "&")
 	for i, query := range queryList {