evaluate alias from pem common names

bakito · Nov 3, 2021 · e57599c · e57599c
1 parent 3edea89
commit e57599c
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 2 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,5 @@
 .idea
-cacert
+cacerts
 coverage.out
 private.*
 dist

diff --git a/pkg/configmap/jks.go b/pkg/configmap/jks.go
@@ -2,16 +2,19 @@ package configmap
 
 import (
 	"bytes"
+	"crypto/x509"
 	"encoding/pem"
 	"fmt"
 	"github.com/pavel-v-chernykh/keystore-go"
+	"strings"
 	"time"
 )
 
 func exportCerts(pems []*pem.Block, jksPassword string, t time.Time) ([]byte, error) {
 	ks := keystore.KeyStore{}
 
 	for i, p := range pems {
+
 		ce := &keystore.TrustedCertificateEntry{
 			Entry: keystore.Entry{
 				CreationDate: t,
@@ -23,7 +26,7 @@ func exportCerts(pems []*pem.Block, jksPassword string, t time.Time) ([]byte, er
 		}
 		ce.CreationDate = t
 
-		ks[fmt.Sprintf("truststore-injector_%d", +i)] = ce
+		ks[alias(p.Bytes, i)] = ce
 	}
 
 	var buf bytes.Buffer
@@ -33,3 +36,16 @@ func exportCerts(pems []*pem.Block, jksPassword string, t time.Time) ([]byte, er
 	}
 	return buf.Bytes(), nil
 }
+
+func alias(pem []byte, i int) string {
+	c, err := x509.ParseCertificate(pem)
+	if err != nil || c.Subject.CommonName == "" {
+		return fmt.Sprintf("truststore-injector_%d", +i)
+	}
+	// inspired by: https://github.com/kaikramer/keystore-explorer/blob/79600e0e5cb5799dfc700df0989c5ba04f3d1db1/kse/src/org/kse/crypto/x509/X509CertUtil.java#L651
+
+	if c.Issuer.CommonName == "" || c.Subject.CommonName == c.Issuer.CommonName {
+		return strings.ToLower(c.Subject.CommonName)
+	}
+	return strings.ToLower(fmt.Sprintf("%s (%s)", c.Subject.CommonName, c.Issuer.CommonName))
+}
diff --git a/pkg/configmap/webhook_test.go b/pkg/configmap/webhook_test.go
@@ -36,9 +36,12 @@ var _ = Describe("Configmap", func() {
 		})
 		It("should add a cacerts binary entry", func() {
 			cm.Data["a.pem"] = cert
+			// c, _ := ioutil.ReadFile("/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem")
+			// cm.Data["a.pem"] = string(c)
 			wh.Mutate(ctx, admission.Request{}, cm)
 			Ω(cm.BinaryData).Should(HaveLen(1))
 			Ω(cm.BinaryData).Should(HaveKey(configmap.DefaultTruststoreName))
+			// Ω(os.WriteFile("cacerts", cm.BinaryData["java-trust.jks"], 0644)).ShouldNot(HaveOccurred())
 		})
 		It("should add a cacerts binary entry with custom name", func() {
 			cm.Data["a.pem"] = cert