From 8382a86ece1f7f46ab8b7291c7e928f07c3817ea Mon Sep 17 00:00:00 2001 From: Siegfried Weber Date: Fri, 28 Feb 2025 14:37:36 +0100 Subject: [PATCH] fix: Set the issuer in generated TLS certificates to the subject of the issuing certificate --- CHANGELOG.md | 3 + Cargo.nix | 163 ++++++++++++++++++-- rust/operator-binary/src/backend/tls/mod.rs | 2 +- 3 files changed, 152 insertions(+), 16 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 96ba2577..fbd0dad4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,6 +23,8 @@ All notable changes to this project will be documented in this file. ### Fixed - Underscores are now allowed in Kerberos principal names ([#563]). +- The issuer in generated TLS certificates is set to the subject of the issuing + certificate ([#566]). [#528]: https://github.com/stackabletech/secret-operator/pull/528 [#544]: https://github.com/stackabletech/secret-operator/pull/544 @@ -31,6 +33,7 @@ All notable changes to this project will be documented in this file. [#552]: https://github.com/stackabletech/secret-operator/pull/552 [#563]: https://github.com/stackabletech/secret-operator/pull/563 [#564]: https://github.com/stackabletech/secret-operator/pull/564 +[#566]: https://github.com/stackabletech/secret-operator/pull/566 ## [24.11.1] - 2025-01-10 diff --git a/Cargo.nix b/Cargo.nix index 6decd793..8faf1471 100644 --- a/Cargo.nix +++ b/Cargo.nix @@ -57,6 +57,16 @@ rec { # File a bug if you depend on any for non-debug work! debug = internal.debugCrate { inherit packageId; }; }; + "olm-deployer" = rec { + packageId = "olm-deployer"; + build = internal.buildRustCrateWithFeatures { + packageId = "olm-deployer"; + }; + + # Debug support which might change between releases. + # File a bug if you depend on any for non-debug work! + debug = internal.debugCrate { inherit packageId; }; + }; "stackable-krb5-provision-keytab" = rec { packageId = "stackable-krb5-provision-keytab"; build = internal.buildRustCrateWithFeatures { 
@@ -2924,7 +2934,7 @@ rec { } { name = "indexmap"; - packageId = "indexmap 2.7.0"; + packageId = "indexmap 2.7.1"; features = [ "std" ]; } { @@ -4301,11 +4311,11 @@ rec { "serde-1" = [ "serde" ]; }; }; - "indexmap 2.7.0" = rec { + "indexmap 2.7.1" = rec { crateName = "indexmap"; - version = "2.7.0"; + version = "2.7.1"; edition = "2021"; - sha256 = "07s7jmdymvd0rm4yswp0j3napx57hkjm9gs9n55lvs2g78vj5y32"; + sha256 = "0lmnm1zbr5gq3wic3d8a76gpvampridzwckfl97ckd5m08mrk74c"; dependencies = [ { name = "equivalent"; @@ -6076,6 +6086,71 @@ rec { }; resolvedDefaultFeatures = [ "archive" "coff" "elf" "macho" "pe" "read_core" "unaligned" "xcoff" ]; }; + "olm-deployer" = rec { + crateName = "olm-deployer"; + version = "0.0.0-dev"; + edition = "2021"; + crateBin = [ + { + name = "olm-deployer"; + path = "src/main.rs"; + requiredFeatures = [ ]; + } + ]; + src = lib.cleanSourceWith { filter = sourceFilter; src = ./rust/olm-deployer; }; + authors = [ + "Stackable GmbH " + ]; + dependencies = [ + { + name = "anyhow"; + packageId = "anyhow"; + } + { + name = "clap"; + packageId = "clap"; + } + { + name = "serde"; + packageId = "serde"; + features = [ "derive" ]; + } + { + name = "serde_json"; + packageId = "serde_json"; + } + { + name = "serde_yaml"; + packageId = "serde_yaml"; + } + { + name = "stackable-operator"; + packageId = "stackable-operator"; + features = [ "time" ]; + } + { + name = "tokio"; + packageId = "tokio"; + features = [ "full" ]; + } + { + name = "tracing"; + packageId = "tracing"; + } + { + name = "walkdir"; + packageId = "walkdir"; + } + ]; + buildDependencies = [ + { + name = "built"; + packageId = "built"; + features = [ "chrono" "git2" ]; + } + ]; + + }; "once_cell" = rec { crateName = "once_cell"; version = "1.20.2"; 
@@ -6097,9 +6172,9 @@ rec { }; "openssl" = rec { crateName = "openssl"; - version = "0.10.68"; + version = "0.10.70"; edition = "2021"; - sha256 = "1xbiz2bmba2fibg70s462yk2fndp3f9vz11c7iw0ilh2y54bqx31"; + sha256 = "1ij21wa5hzip17v91gl9x3n4h0am10ivq065andqrfx8cvhv9kv1"; authors = [ "Steven Fackler " ]; @@ -6178,10 +6253,10 @@ rec { }; "openssl-sys" = rec { crateName = "openssl-sys"; - version = "0.9.104"; + version = "0.9.105"; edition = "2021"; links = "openssl"; - sha256 = "0hf712xcxmycnlc09r8d446b3mwqchsbfrjv374fp7grrc3g7as5"; + sha256 = "1p59q259h73w58fgajyd588hzaj9r3vp3jy78xlqsnp09fwda8lb"; build = "build/main.rs"; libName = "openssl_sys"; authors = [ @@ -6867,7 +6942,7 @@ rec { } { name = "indexmap"; - packageId = "indexmap 2.7.0"; + packageId = "indexmap 2.7.1"; } ]; features = { @@ -8046,6 +8121,24 @@ rec { "no-panic" = [ "dep:no-panic" ]; }; }; + "same-file" = rec { + crateName = "same-file"; + version = "1.0.6"; + edition = "2018"; + sha256 = "00h5j1w87dmhnvbv9l8bic3y7xxsnjmssvifw2ayvgx9mb1ivz4k"; + libName = "same_file"; + authors = [ + "Andrew Gallant " + ]; + dependencies = [ + { + name = "winapi-util"; + packageId = "winapi-util"; + target = { target, features }: (target."windows" or false); + } + ]; + + }; "schannel" = rec { crateName = "schannel"; version = "0.1.27"; @@ -8323,9 +8416,9 @@ rec { }; "semver" = rec { crateName = "semver"; - version = "1.0.24"; + version = "1.0.25"; edition = "2018"; - sha256 = "1fmvjjkd3f64y5fqr1nakkq371mnwzv09fbz5mbmdxril63ypdiw"; + sha256 = "00sy306qpi7vfand7dxm2vc76nlc8fkh1rrhdy0qh12v50nzx7gp"; authors = [ "David Tolnay " ]; @@ -8456,9 +8549,9 @@ rec { }; "serde_json" = rec { crateName = "serde_json"; - version = "1.0.135"; + version = "1.0.137"; edition = "2021"; - sha256 = "1n9hcsbxpr2lg5kvlksbcy6bkvqv9rn3hy59600i21kli2i7n39b"; + sha256 = "0sql0gndrw2miw440sl0m2lrk6bsxyxrmlnpma52k6dzd9pgn34k"; authors = [ "Erick Tryzelaar " "David Tolnay " 
@@ -8510,7 +8603,7 @@ rec { dependencies = [ { name = "indexmap"; - packageId = "indexmap 2.7.0"; + packageId = "indexmap 2.7.1"; } { name = "itoa"; @@ -9053,7 +9146,7 @@ rec { } { name = "indexmap"; - packageId = "indexmap 2.7.0"; + packageId = "indexmap 2.7.1"; } { name = "json-patch"; @@ -11608,6 +11701,27 @@ rec { "Sergio Benitez " ]; + }; + "walkdir" = rec { + crateName = "walkdir"; + version = "2.5.0"; + edition = "2018"; + sha256 = "0jsy7a710qv8gld5957ybrnc07gavppp963gs32xk4ag8130jy99"; + authors = [ + "Andrew Gallant " + ]; + dependencies = [ + { + name = "same-file"; + packageId = "same-file"; + } + { + name = "winapi-util"; + packageId = "winapi-util"; + target = { target, features }: (target."windows" or false); + } + ]; + }; "want" = rec { crateName = "want"; @@ -11866,6 +11980,25 @@ rec { "Peter Atashian " ]; + }; + "winapi-util" = rec { + crateName = "winapi-util"; + version = "0.1.9"; + edition = "2021"; + sha256 = "1fqhkcl9scd230cnfj8apfficpf5c9vhwnk4yy9xfc1sw69iq8ng"; + libName = "winapi_util"; + authors = [ + "Andrew Gallant " + ]; + dependencies = [ + { + name = "windows-sys"; + packageId = "windows-sys 0.59.0"; + target = { target, features }: (target."windows" or false); + features = [ "Win32_Foundation" "Win32_Storage_FileSystem" "Win32_System_Console" "Win32_System_SystemInformation" ]; + } + ]; + }; "winapi-x86_64-pc-windows-gnu" = rec { crateName = "winapi-x86_64-pc-windows-gnu"; diff --git a/rust/operator-binary/src/backend/tls/mod.rs b/rust/operator-binary/src/backend/tls/mod.rs index 9ca2bc72..6ffaa38e 100644 --- a/rust/operator-binary/src/backend/tls/mod.rs +++ b/rust/operator-binary/src/backend/tls/mod.rs 
@@ -273,7 +273,7 @@ impl SecretBackend for TlsGenerate {
 })?
 .build();
 x509.set_subject_name(&subject_name)?;
- x509.set_issuer_name(ca.certificate.issuer_name())?;
+ x509.set_issuer_name(ca.certificate.subject_name())?;
 x509.set_not_before(Asn1Time::from_unix(not_before.unix_timestamp())?.as_ref())?;
 x509.set_not_after(Asn1Time::from_unix(not_after.unix_timestamp())?.as_ref())?;
 x509.set_pubkey(&pod_key)?;
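Review bot: Nothing in this hunk pins the corrected behaviour, so the old `issuer_name()` mistake on the `set_issuer_name` line could silently return; add a test that signs with a CA which is itself issued by a root, asserts `cert.issuer_name()` equals `ca.certificate.subject_name()` (e.g. via `try_cmp` or comparing the DER bytes), and then runs `X509StoreContext::verify_cert` against the root so the chain is proven to build. A short why-comment on that line would also help the next reader: `// RFC 5280 §4.1.2.4: the issuer must be the signing CA's *subject*; its own issuer only matches for a self-signed CA`. If an Authority Key Identifier extension is added further down this function, check that its `X509v3Context` is built with `ca.certificate` as the issuer, otherwise the key identifier would still reference the wrong certificate. The enclosing method of `impl SecretBackend for TlsGenerate` begins and ends outside this hunk.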