diff --git a/internal/applicant/applicant.go b/internal/applicant/applicant.go
index 17e97cb5..128704b4 100644
--- a/internal/applicant/applicant.go
+++ b/internal/applicant/applicant.go
@@ -98,7 +98,7 @@ func newApplyUser(ca, email string) (*ApplyUser, error) {
 if err != nil {
 return nil, err
 }
- keyStr, err := x509.PrivateKeyToPEM(privateKey)
+ keyStr, err := x509.ConvertECPrivateKeyToPEM(privateKey)
 if err != nil {
 return nil, err
 }
@@ -122,7 +122,7 @@ func (u ApplyUser) GetRegistration() *registration.Resource {
 }
 func (u *ApplyUser) GetPrivateKey() crypto.PrivateKey {
- rs, _ := x509.ParsePrivateKeyFromPEM(u.key)
+ rs, _ := x509.ParseECPrivateKeyFromPEM(u.key)
 return rs
 }
diff --git a/internal/pkg/core/uploader/uploader_aliyun_cas.go b/internal/pkg/core/uploader/uploader_aliyun_cas.go
index 64d2e94c..b6a1f792 100644
--- a/internal/pkg/core/uploader/uploader_aliyun_cas.go
+++ b/internal/pkg/core/uploader/uploader_aliyun_cas.go
@@ -15,9 +15,9 @@ import (
 )
 type AliyunCASUploaderConfig struct {
- Region string `json:"region"`
 AccessKeyId string `json:"accessKeyId"`
 AccessKeySecret string `json:"accessKeySecret"`
+ Region string `json:"region"`
 }
 type AliyunCASUploader struct {
@@ -28,9 +28,9 @@ type AliyunCASUploader struct {
 func NewAliyunCASUploader(config *AliyunCASUploaderConfig) (Uploader, error) {
 client, err := (&AliyunCASUploader{}).createSdkClient(
- config.Region,
 config.AccessKeyId,
 config.AccessKeySecret,
+ config.Region,
 )
 if err != nil {
 return nil, fmt.Errorf("failed to create sdk client: %w", err)
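Review bot: `rs, _ := x509.ParseECPrivateKeyFromPEM(u.key)` in the GetPrivateKey hunk still discards the parse error, and on failure `rs` is a nil `*ecdsa.PrivateKey` that is boxed into a non-nil `crypto.PrivateKey`, so a missing or corrupted stored key is not detected here and only surfaces later wherever the key is used to sign. Since the signature cannot carry an error, return an untyped nil so callers can at least test for it: `rs, err := x509.ParseECPrivateKeyFromPEM(u.key)`, `if err != nil { return nil }`, `return rs`. Better still, parse the key once in newApplyUser (the hunk above, whose body starts outside this diff) and keep the `*ecdsa.PrivateKey` alongside the PEM so this accessor cannot fail at all.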
@@ -81,12 +81,12 @@ func (u *AliyunCASUploader) Upload(ctx context.Context, certPem string, privkeyP
 if *getUserCertificateDetailResp.Body.Cert == certPem {
 isSameCert = true
 } else {
- cert, err := x509.ParseCertificateFromPEM(*getUserCertificateDetailResp.Body.Cert)
+ oldCertX509, err := x509.ParseCertificateFromPEM(*getUserCertificateDetailResp.Body.Cert)
 if err != nil {
 continue
 }
- isSameCert = x509.EqualCertificate(certX509, cert)
+ isSameCert = x509.EqualCertificate(certX509, oldCertX509)
 }
 // 如果已存在相同证书,直接返回已有的证书信息
@@ -133,7 +133,7 @@ func (u *AliyunCASUploader) Upload(ctx context.Context, certPem string, privkeyP
 }, nil
 }
-func (u *AliyunCASUploader) createSdkClient(region, accessKeyId, accessKeySecret string) (*cas20200407.Client, error) {
+func (u *AliyunCASUploader) createSdkClient(accessKeyId, accessKeySecret, region string) (*cas20200407.Client, error) {
 if region == "" {
 region = "cn-hangzhou" // CAS 服务默认区域:华东一杭州
 }
@@ -147,10 +147,6 @@ func (u *AliyunCASUploader) createSdkClient(region, accessKeyId, accessKeySecret
 switch region {
 case "cn-hangzhou":
 endpoint = "cas.aliyuncs.com"
- case "ap-southeast-1":
- endpoint = "cas.ap-southeast-1.aliyuncs.com"
- case "eu-central-1":
- endpoint = "cas.eu-central-1.aliyuncs.com"
 default:
 endpoint = fmt.Sprintf("cas.%s.aliyuncs.com", region)
 }
diff --git a/internal/pkg/utils/x509/x509.go b/internal/pkg/utils/x509/x509.go
index 0239df69..09d67d3a 100644
--- a/internal/pkg/utils/x509/x509.go
+++ b/internal/pkg/utils/x509/x509.go
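Review bot: `*getUserCertificateDetailResp.Body.Cert` is dereferenced on the first line of this hunk with no nil check; response fields in the Alibaba Cloud Go SDKs are pointers, and a certificate record without a PEM body (presumably possible for pending or CSR-only entries — not verifiable from this diff) would panic the whole upload rather than skip that record. Guard it before the comparison: `if getUserCertificateDetailResp.Body == nil || getUserCertificateDetailResp.Body.Cert == nil { continue }`. Separately, the `continue` on a parse error silently drops that record; a one-line comment such as `// unparsable stored cert cannot be a match; skip it` would make the best-effort intent explicit. The enclosing loop and the `certX509` parse begin before this hunk.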
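Review bot: The new signature `createSdkClient(accessKeyId, accessKeySecret, region string)` has three adjacent positional `string` parameters whose order this commit swaps, so any caller not updated alongside it still compiles with the secret passed as the region; the one caller visible in this diff was updated, but nothing in the signature makes a mix-up fail early. Taking the config directly, `func (u *AliyunCASUploader) createSdkClient(cfg *AliyunCASUploaderConfig)`, removes the positional ambiguity, and the one call site would become `createSdkClient(config)`. If the string signature is kept, a doc comment naming the parameter order would at least make the swap visible to the next reader. The body of createSdkClient continues past this hunk.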
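Review bot: With the two explicit cases removed, every non-`cn-hangzhou` region now flows unvalidated into `fmt.Sprintf("cas.%s.aliyuncs.com", region)`, and `region` comes from the JSON-tagged `Region` config field shown earlier in this diff, so user-editable input decides which host receives the signed API request; whether a value containing `/`, `:` or `@` can actually redirect the request depends on how the SDK parses `Endpoint`, which is not visible here. The removal itself is behaviour-preserving, since both deleted cases produced exactly the string the default produces. A cheap allowlist before the `switch` closes the gap: `if !regionPattern.MatchString(region) { return nil, fmt.Errorf("invalid region %q", region) }` with `var regionPattern = regexp.MustCompile(`^[a-z0-9-]+$`)` at package scope (needs `regexp` imported). The enclosing createSdkClient starts before this hunk.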
@@ -7,6 +7,23 @@ import (
 "fmt"
 )
+// 比较两个 x509.Certificate 对象,判断它们是否是同一张证书。
+// 注意,这不是精确比较,而只是基于证书序列号和数字签名的快速判断,但对于权威 CA 签发的证书来说不会存在误判。
+//
+// 入参:
+// - a: 待比较的第一个 x509.Certificate 对象。
+// - b: 待比较的第二个 x509.Certificate 对象。
+//
+// 出参:
+// - 是否相同。
+func EqualCertificate(a, b *x509.Certificate) bool {
+ return string(a.Signature) == string(b.Signature) &&
+ a.SignatureAlgorithm == b.SignatureAlgorithm &&
+ a.SerialNumber.String() == b.SerialNumber.String() &&
+ a.Issuer.SerialNumber == b.Issuer.SerialNumber &&
+ a.Subject.SerialNumber == b.Subject.SerialNumber
+}
+
 // 从 PEM 编码的证书字符串解析并返回一个 x509.Certificate 对象。
 //
 // 入参:
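Review bot: `EqualCertificate` compares `Issuer.SerialNumber` and `Subject.SerialNumber`, which in Go's `pkix.Name` are the Name `serialNumber` attribute rather than the certificate serial and are typically empty for public CA certificates, so those two clauses add nothing to the check. Because the signature already covers the whole TBS structure, an exact comparison of the parsed DER is both simpler and stronger: `return a != nil && b != nil && bytes.Equal(a.Raw, b.Raw)` (with `bytes` imported), after which the doc comment's "not an exact comparison" caveat can be dropped. If the heuristic is deliberately kept to tolerate re-encoded certificates, at least remove the two Name-serialNumber clauses and state that intent in the comment.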
@@ -31,26 +48,40 @@ func ParseCertificateFromPEM(certPem string) (cert *x509.Certificate, err error)
 return cert, nil
 }
-// 比较两个 x509.Certificate 对象,判断它们是否是同一张证书。
-// 注意,这不是精确比较,而只是基于证书序列号和数字签名的快速判断,但对于权威 CA 签发的证书来说不会存在误判。
+// 从 PEM 编码的私钥字符串解析并返回一个 ECDSA 私钥对象。
 //
 // 入参:
-// - a: 待比较的第一个 x509.Certificate 对象。
-// - b: 待比较的第二个 x509.Certificate 对象。
+// - privkeyPem: 私钥 PEM 内容。
 //
 // 出参:
-// - 是否相同。
-func EqualCertificate(a, b *x509.Certificate) bool {
- return string(a.Signature) == string(b.Signature) &&
- a.SignatureAlgorithm == b.SignatureAlgorithm &&
- a.SerialNumber.String() == b.SerialNumber.String() &&
- a.Issuer.SerialNumber == b.Issuer.SerialNumber &&
- a.Subject.SerialNumber == b.Subject.SerialNumber
+// - privkey: ecdsa.PrivateKey 对象。
+// - err: 错误。
+func ParseECPrivateKeyFromPEM(privkeyPem string) (privkey *ecdsa.PrivateKey, err error) {
+ pemData := []byte(privkeyPem)
+
+ block, _ := pem.Decode(pemData)
+ if block == nil {
+ return nil, fmt.Errorf("failed to decode PEM block")
+ }
+
+ privkey, err = x509.ParseECPrivateKey(block.Bytes)
+ if err != nil {
+ return nil, fmt.Errorf("failed to parse private key: %w", err)
+ }
+
+ return privkey, nil
 }
-// 将 ECDSA 私钥转换为 PEM 格式的字符串。
-func PrivateKeyToPEM(privateKey *ecdsa.PrivateKey) (string, error) {
- data, err := x509.MarshalECPrivateKey(privateKey)
+// 将 ECDSA 私钥转换为 PEM 编码的字符串。
+//
+// 入参:
+// - privkey: ecdsa.PrivateKey 对象。
+//
+// 出参:
+// - privkeyPem: 私钥 PEM 内容。
+// - err: 错误。
+func ConvertECPrivateKeyToPEM(privkey *ecdsa.PrivateKey) (privkeyPem string, err error) {
+ data, err := x509.MarshalECPrivateKey(privkey)
 if err != nil {
 return "", fmt.Errorf("failed to marshal EC private key: %w", err)
 }
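Review bot: `ParseECPrivateKeyFromPEM` never looks at `block.Type`, so a PKCS#8 `PRIVATE KEY` block (or a certificate pasted by mistake) fails inside `x509.ParseECPrivateKey` with an ASN.1 error instead of a message naming the actual problem; keys produced by this package's own `ConvertECPrivateKeyToPEM` are SEC1 `EC PRIVATE KEY`, but a key stored or imported elsewhere is not guaranteed to be. Add a type check right after the nil check: `if block.Type != "EC PRIVATE KEY" { return nil, fmt.Errorf("unexpected PEM block type %q, want EC PRIVATE KEY", block.Type) }`, or fall back to `x509.ParsePKCS8PrivateKey` and assert `*ecdsa.PrivateKey`. The doc comment should also say what is accepted, e.g. `// Only SEC1-encoded ("EC PRIVATE KEY") ECDSA keys are accepted; PKCS#8 is rejected.`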
@@ -62,20 +93,3 @@ func PrivateKeyToPEM(privateKey *ecdsa.PrivateKey) (string, error) {
 return string(pem.EncodeToMemory(block)), nil
 }
-
-// 从 PEM 编码的私钥字符串解析并返回一个 ECDSA 私钥对象。
-func ParsePrivateKeyFromPEM(privateKeyPem string) (*ecdsa.PrivateKey, error) {
- pemData := []byte(privateKeyPem)
-
- block, _ := pem.Decode(pemData)
- if block == nil {
- return nil, fmt.Errorf("failed to decode PEM block")
- }
-
- privateKey, err := x509.ParseECPrivateKey(block.Bytes)
- if err != nil {
- return nil, fmt.Errorf("failed to parse private key: %w", err)
- }
-
- return privateKey, nil
-}