From 9aaa387b238f77f203fb2f07edc17597aa329940 Mon Sep 17 00:00:00 2001 From: zhengkunwang <31820853+zhengkunwang223@users.noreply.github.com> Date: Mon, 18 Dec 2023 12:04:12 +0800 Subject: [PATCH] =?UTF-8?q?fix:=20=E8=A7=A3=E5=86=B3=E8=87=AA=E7=AD=BE?= =?UTF-8?q?=E8=AF=81=E4=B9=A6=E5=9C=A8=E5=AF=BC=E5=85=A5=E6=9C=BA=E6=9E=84?= =?UTF-8?q?=20Root=20CA=20=E4=B9=8B=E5=90=8E=E4=BB=8D=E7=84=B6=E6=98=BE?= =?UTF-8?q?=E7=A4=BA=E4=B8=8D=E5=AE=89=E5=85=A8=E7=9A=84=E9=97=AE=E9=A2=98?= =?UTF-8?q?=20(#3366)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Refs https://github.com/1Panel-dev/1Panel/issues/3352 --- backend/app/service/website_ca.go | 29 ++++++++++++++++++----------- backend/app/service/website_ssl.go | 26 ++++++++++++++++++++------ 2 files changed, 38 insertions(+), 17 deletions(-) diff --git a/backend/app/service/website_ca.go b/backend/app/service/website_ca.go index dd267935e..768ec29f0 100644 --- a/backend/app/service/website_ca.go +++ b/backend/app/service/website_ca.go @@ -92,9 +92,6 @@ func (w WebsiteCAService) Create(create request.WebsiteCACreate) (*request.Websi MaxPathLenZero: false, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, } - var ( - caPEM = new(bytes.Buffer) - ) interPrivateKey, interPublicKey, privateBytes, err := createPrivateKey(create.KeyType) if err != nil { @@ -102,15 +99,15 @@ func (w WebsiteCAService) Create(create request.WebsiteCACreate) (*request.Websi } ca.PrivateKey = string(privateBytes) - caBytes, err := x509.CreateCertificate(rand.Reader, rootCA, rootCA, interPublicKey, interPrivateKey) + rootDer, err := x509.CreateCertificate(rand.Reader, rootCA, rootCA, interPublicKey, interPrivateKey) if err != nil { return nil, err } + rootCert, err := x509.ParseCertificate(rootDer) certBlock := &pem.Block{ Type: "CERTIFICATE", - Bytes: caBytes, + Bytes: rootCert.Raw, } - _ = pem.Encode(caPEM, certBlock) pemData := pem.EncodeToMemory(certBlock) ca.CSR = string(pemData) 
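Review bot: The error from `rootCert, err := x509.ParseCertificate(rootDer)` is never checked, and `rootCert.Raw` is read a few lines later, so a parse failure would dereference a nil pointer instead of returning an error. Since `rootDer` is the DER this function just produced, `rootCert.Raw` holds the same bytes and the re-parse adds nothing; either keep `Bytes: rootDer` and drop the parse, or guard it with `if err != nil { return nil, err }` directly after the call. Create's body begins and ends outside this hunk.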
@@ -297,15 +294,26 @@ func (w WebsiteCAService) ObtainSSL(req request.WebsiteCAObtain) (*model.Website if err != nil { return nil, err } - + interCertBlock := &pem.Block{ + Type: "CERTIFICATE", + Bytes: interCert.Raw, + } _, publicKey, privateKeyBytes, err := createPrivateKey(websiteSSL.KeyType) if err != nil { return nil, err } - + commonName := "" + if len(domains) > 0 { + commonName = domains[0] + } + if len(ips) > 0 { + commonName = ips[0].String() + } + subject := rootCsr.Subject + subject.CommonName = commonName csr := &x509.Certificate{ SerialNumber: big.NewInt(time.Now().Unix()), - Subject: rootCsr.Subject, + Subject: subject, NotBefore: time.Now(), NotAfter: notAfter, BasicConstraintsValid: true, @@ -329,8 +337,7 @@ func (w WebsiteCAService) ObtainSSL(req request.WebsiteCAObtain) (*model.Website Type: "CERTIFICATE", Bytes: cert.Raw, } - pemData := pem.EncodeToMemory(certBlock) - websiteSSL.Pem = string(pemData) + websiteSSL.Pem = string(pem.EncodeToMemory(certBlock)) + string(pem.EncodeToMemory(rootCertBlock)) + string(pem.EncodeToMemory(interCertBlock)) websiteSSL.PrivateKey = string(privateKeyBytes) websiteSSL.ExpireDate = cert.NotAfter websiteSSL.StartDate = cert.NotBefore diff --git a/backend/app/service/website_ssl.go b/backend/app/service/website_ssl.go index a857363f0..321537f40 100644 --- a/backend/app/service/website_ssl.go +++ b/backend/app/service/website_ssl.go 
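Review bot: The CommonName selection lets an IP override a domain: when both `domains` and `ips` are non-empty, the second `if` overwrites `commonName` with `ips[0].String()`, so a certificate requested for a hostname plus a server IP ends up with the IP in its Subject even though a hostname was available. If that is not intended, give the domain precedence: `if len(domains) > 0 { commonName = domains[0] } else if len(ips) > 0 { commonName = ips[0].String() }`. The CN only matters for clients that ignore SANs and for what operators see in certificate viewers, so this does not change modern validation. ObtainSSL continues outside the hunk; the SAN fields are presumably set on the lines after it.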
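Review bot: The assembled chain is out of order: `websiteSSL.Pem` is leaf, then root, then intermediate, whereas TLS (RFC 5246 §7.4.2, RFC 8446 §4.4.2) expects each certificate to be followed by the one that issued it, i.e. leaf, intermediate, root. Some clients reorder the chain themselves, but others fail path building or show the site as untrusted, which is the symptom this commit is addressing. Swap the last two terms: `websiteSSL.Pem = string(pem.EncodeToMemory(certBlock)) + string(pem.EncodeToMemory(interCertBlock)) + string(pem.EncodeToMemory(rootCertBlock))`. The root is optional in a served chain since clients must already trust it, but including it is harmless for a private CA. `rootCertBlock` is defined outside the hunk.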
@@ -414,14 +414,28 @@ func (w WebsiteSSLService) Upload(req request.WebsiteSSLUpload) error { return buserr.New("ErrSSLKeyFormat") } - certBlock, _ := pem.Decode([]byte(websiteSSL.Pem)) - if certBlock == nil { - return buserr.New("ErrSSLCertificateFormat") + var ( + cert *x509.Certificate + pemData = []byte(websiteSSL.Pem) + ) + for { + certBlock, reset := pem.Decode(pemData) + if certBlock == nil { + break + } + cert, err = x509.ParseCertificate(certBlock.Bytes) + if err != nil { + return err + } + if len(cert.DNSNames) > 0 || len(cert.IPAddresses) > 0 { + break + } + pemData = reset } - cert, err := x509.ParseCertificate(certBlock.Bytes) - if err != nil { - return err + if pemData == nil { + return buserr.New("ErrSSLCertificateFormat") } + websiteSSL.ExpireDate = cert.NotAfter websiteSSL.StartDate = cert.NotBefore websiteSSL.Type = cert.Issuer.CommonName
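Review bot: `if pemData == nil` never catches a bad upload: `pem.Decode` returns the unconsumed remainder as `rest`, which is an empty but non-nil slice once the input is exhausted, so after the loop `pemData` is non-nil whether or not a certificate was found. With no decodable CERTIFICATE block `cert` stays nil and `cert.NotAfter` on the next line panics; with only blocks that lack SANs (a CA or a legacy CN-only certificate) the last block is silently taken as the leaf. Test the condition that matters: `if cert == nil { return buserr.New("ErrSSLCertificateFormat") }`. Consider also skipping blocks whose `certBlock.Type != "CERTIFICATE"` rather than failing on them, and `reset` reads better as the conventional `rest`. Upload's body begins and ends outside the hunk.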