Merge branch 'main' into feat/multiple-certificate-formats

2025-10-05 14:04:54 +00:00 · 2024-10-27 20:17:04 +08:00
parent adad5d86ba ffacfe0f42
commit 305f3de50f
39 changed files with 2381 additions and 120 deletions
--- a/internal/pkg/core/uploader/uploader_aliyun_cas.go
+++ b/internal/pkg/core/uploader/uploader_aliyun_cas.go
@@ -15,9 +15,9 @@ import (
 )

 type AliyunCASUploaderConfig struct {
-	Region          string `json:"region"`
 	AccessKeyId     string `json:"accessKeyId"`
 	AccessKeySecret string `json:"accessKeySecret"`
+	Region          string `json:"region"`
 }

 type AliyunCASUploader struct {
@@ -28,9 +28,9 @@ type AliyunCASUploader struct {

 func NewAliyunCASUploader(config *AliyunCASUploaderConfig) (Uploader, error) {
 	client, err := (&AliyunCASUploader{}).createSdkClient(
-		config.Region,
 		config.AccessKeyId,
 		config.AccessKeySecret,
+		config.Region,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create sdk client: %w", err)
@@ -81,12 +81,12 @@ func (u *AliyunCASUploader) Upload(ctx context.Context, certPem string, privkeyP
 					if *getUserCertificateDetailResp.Body.Cert == certPem {
 						isSameCert = true
 					} else {
-						cert, err := x509.ParseCertificateFromPEM(*getUserCertificateDetailResp.Body.Cert)
+						oldCertX509, err := x509.ParseCertificateFromPEM(*getUserCertificateDetailResp.Body.Cert)
 						if err != nil {
 							continue
 						}

-						isSameCert = x509.EqualCertificate(certX509, cert)
+						isSameCert = x509.EqualCertificate(certX509, oldCertX509)
 					}

 					// 如果已存在相同证书，直接返回已有的证书信息
@@ -133,7 +133,7 @@ func (u *AliyunCASUploader) Upload(ctx context.Context, certPem string, privkeyP
 	}, nil
 }

-func (u *AliyunCASUploader) createSdkClient(region, accessKeyId, accessKeySecret string) (*cas20200407.Client, error) {
+func (u *AliyunCASUploader) createSdkClient(accessKeyId, accessKeySecret, region string) (*cas20200407.Client, error) {
 	if region == "" {
 		region = "cn-hangzhou" // CAS 服务默认区域：华东一杭州
 	}
@@ -147,10 +147,6 @@ func (u *AliyunCASUploader) createSdkClient(region, accessKeyId, accessKeySecret
 	switch region {
 	case "cn-hangzhou":
 		endpoint = "cas.aliyuncs.com"
-	case "ap-southeast-1":
-		endpoint = "cas.ap-southeast-1.aliyuncs.com"
-	case "eu-central-1":
-		endpoint = "cas.eu-central-1.aliyuncs.com"
 	default:
 		endpoint = fmt.Sprintf("cas.%s.aliyuncs.com", region)
 	}
--- a/internal/pkg/core/uploader/uploader_aliyun_slb.go
+++ b/internal/pkg/core/uploader/uploader_aliyun_slb.go
@@ -0,0 +1,134 @@
+package uploader
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"strings"
+	"time"
+
+	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
+	slb20140515 "github.com/alibabacloud-go/slb-20140515/v4/client"
+	util "github.com/alibabacloud-go/tea-utils/v2/service"
+	"github.com/alibabacloud-go/tea/tea"
+
+	"github.com/usual2970/certimate/internal/pkg/utils/x509"
+)
+
+type AliyunSLBUploaderConfig struct {
+	AccessKeyId     string `json:"accessKeyId"`
+	AccessKeySecret string `json:"accessKeySecret"`
+	Region          string `json:"region"`
+}
+
+type AliyunSLBUploader struct {
+	config     *AliyunSLBUploaderConfig
+	sdkClient  *slb20140515.Client
+	sdkRuntime *util.RuntimeOptions
+}
+
+func NewAliyunSLBUploader(config *AliyunSLBUploaderConfig) (Uploader, error) {
+	client, err := (&AliyunSLBUploader{}).createSdkClient(
+		config.AccessKeyId,
+		config.AccessKeySecret,
+		config.Region,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create sdk client: %w", err)
+	}
+
+	return &AliyunSLBUploader{
+		config:     config,
+		sdkClient:  client,
+		sdkRuntime: &util.RuntimeOptions{},
+	}, nil
+}
+
+func (u *AliyunSLBUploader) Upload(ctx context.Context, certPem string, privkeyPem string) (res *UploadResult, err error) {
+	// 解析证书内容
+	certX509, err := x509.ParseCertificateFromPEM(certPem)
+	if err != nil {
+		return nil, err
+	}
+
+	// 查询证书列表，避免重复上传
+	// REF: https://help.aliyun.com/zh/slb/classic-load-balancer/developer-reference/api-slb-2014-05-15-describeservercertificates
+	describeServerCertificatesReq := &slb20140515.DescribeServerCertificatesRequest{
+		RegionId: tea.String(u.config.Region),
+	}
+	describeServerCertificatesResp, err := u.sdkClient.DescribeServerCertificatesWithOptions(describeServerCertificatesReq, u.sdkRuntime)
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute sdk request 'slb.DescribeServerCertificates': %w", err)
+	}
+
+	if describeServerCertificatesResp.Body.ServerCertificates != nil && describeServerCertificatesResp.Body.ServerCertificates.ServerCertificate != nil {
+		fingerprint := sha256.Sum256(certX509.Raw)
+		fingerprintHex := hex.EncodeToString(fingerprint[:])
+		for _, certDetail := range describeServerCertificatesResp.Body.ServerCertificates.ServerCertificate {
+			isSameCert := *certDetail.IsAliCloudCertificate == 0 &&
+				strings.EqualFold(fingerprintHex, strings.ReplaceAll(*certDetail.Fingerprint, ":", "")) &&
+				strings.EqualFold(certX509.Subject.CommonName, *certDetail.CommonName)
+			// 如果已存在相同证书，直接返回已有的证书信息
+			if isSameCert {
+				return &UploadResult{
+					CertId:   *certDetail.ServerCertificateId,
+					CertName: *certDetail.ServerCertificateName,
+				}, nil
+			}
+		}
+	}
+
+	// 生成新证书名（需符合阿里云命名规则）
+	var certId, certName string
+	certName = fmt.Sprintf("certimate_%d", time.Now().UnixMilli())
+
+	// 上传新证书
+	// REF: https://help.aliyun.com/zh/slb/classic-load-balancer/developer-reference/api-slb-2014-05-15-uploadservercertificate
+	uploadServerCertificateReq := &slb20140515.UploadServerCertificateRequest{
+		RegionId:              tea.String(u.config.Region),
+		ServerCertificateName: tea.String(certName),
+		ServerCertificate:     tea.String(certPem),
+		PrivateKey:            tea.String(privkeyPem),
+	}
+	uploadServerCertificateResp, err := u.sdkClient.UploadServerCertificateWithOptions(uploadServerCertificateReq, u.sdkRuntime)
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute sdk request 'slb.UploadServerCertificate': %w", err)
+	}
+
+	certId = *uploadServerCertificateResp.Body.ServerCertificateId
+	return &UploadResult{
+		CertId:   certId,
+		CertName: certName,
+	}, nil
+}
+
+func (u *AliyunSLBUploader) createSdkClient(accessKeyId, accessKeySecret, region string) (*slb20140515.Client, error) {
+	if region == "" {
+		region = "cn-hangzhou" // SLB 服务默认区域：华东一杭州
+	}
+
+	aConfig := &openapi.Config{
+		AccessKeyId:     tea.String(accessKeyId),
+		AccessKeySecret: tea.String(accessKeySecret),
+	}
+
+	var endpoint string
+	switch region {
+	case "cn-hangzhou":
+	case "cn-hangzhou-finance":
+	case "cn-shanghai-finance-1":
+	case "cn-shenzhen-finance-1":
+		endpoint = "slb.aliyuncs.com"
+	default:
+		endpoint = fmt.Sprintf("slb.%s.aliyuncs.com", region)
+	}
+	aConfig.Endpoint = tea.String(endpoint)
+
+	client, err := slb20140515.NewClient(aConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return client, nil
+}
--- a/internal/pkg/utils/x509/x509.go
+++ b/internal/pkg/utils/x509/x509.go
@@ -7,6 +7,23 @@ import (
 	"fmt"
 )

+// 比较两个 x509.Certificate 对象，判断它们是否是同一张证书。
+// 注意，这不是精确比较，而只是基于证书序列号和数字签名的快速判断，但对于权威 CA 签发的证书来说不会存在误判。
+//
+// 入参:
+//   - a: 待比较的第一个 x509.Certificate 对象。
+//   - b: 待比较的第二个 x509.Certificate 对象。
+//
+// 出参:
+//   - 是否相同。
+func EqualCertificate(a, b *x509.Certificate) bool {
+	return string(a.Signature) == string(b.Signature) &&
+		a.SignatureAlgorithm == b.SignatureAlgorithm &&
+		a.SerialNumber.String() == b.SerialNumber.String() &&
+		a.Issuer.SerialNumber == b.Issuer.SerialNumber &&
+		a.Subject.SerialNumber == b.Subject.SerialNumber
+}
+
 // 从 PEM 编码的证书字符串解析并返回一个 x509.Certificate 对象。
 //
 // 入参:
@@ -31,26 +48,40 @@ func ParseCertificateFromPEM(certPem string) (cert *x509.Certificate, err error)
 	return cert, nil
 }

-// 比较两个 x509.Certificate 对象，判断它们是否是同一张证书。
-// 注意，这不是精确比较，而只是基于证书序列号和数字签名的快速判断，但对于权威 CA 签发的证书来说不会存在误判。
+// 从 PEM 编码的私钥字符串解析并返回一个 ECDSA 私钥对象。
 //
 // 入参:
-//   - a: 待比较的第一个 x509.Certificate 对象。
-//   - b: 待比较的第二个 x509.Certificate 对象。
+//   - privkeyPem: 私钥 PEM 内容。
 //
 // 出参:
-//   - 是否相同。
-func EqualCertificate(a, b *x509.Certificate) bool {
-	return string(a.Signature) == string(b.Signature) &&
-		a.SignatureAlgorithm == b.SignatureAlgorithm &&
-		a.SerialNumber.String() == b.SerialNumber.String() &&
-		a.Issuer.SerialNumber == b.Issuer.SerialNumber &&
-		a.Subject.SerialNumber == b.Subject.SerialNumber
+//   - privkey: ecdsa.PrivateKey 对象。
+//   - err: 错误。
+func ParseECPrivateKeyFromPEM(privkeyPem string) (privkey *ecdsa.PrivateKey, err error) {
+	pemData := []byte(privkeyPem)
+
+	block, _ := pem.Decode(pemData)
+	if block == nil {
+		return nil, fmt.Errorf("failed to decode PEM block")
+	}
+
+	privkey, err = x509.ParseECPrivateKey(block.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse private key: %w", err)
+	}
+
+	return privkey, nil
 }

-// 将 ECDSA 私钥转换为 PEM 格式的字符串。
-func PrivateKeyToPEM(privateKey *ecdsa.PrivateKey) (string, error) {
-	data, err := x509.MarshalECPrivateKey(privateKey)
+// 将 ECDSA 私钥转换为 PEM 编码的字符串。
+//
+// 入参:
+//   - privkey: ecdsa.PrivateKey 对象。
+//
+// 出参:
+//   - privkeyPem: 私钥 PEM 内容。
+//   - err: 错误。
+func ConvertECPrivateKeyToPEM(privkey *ecdsa.PrivateKey) (privkeyPem string, err error) {
+	data, err := x509.MarshalECPrivateKey(privkey)
 	if err != nil {
 		return "", fmt.Errorf("failed to marshal EC private key: %w", err)
 	}
@@ -62,20 +93,3 @@ func PrivateKeyToPEM(privateKey *ecdsa.PrivateKey) (string, error) {

 	return string(pem.EncodeToMemory(block)), nil
 }
-
-// 从 PEM 编码的私钥字符串解析并返回一个 ECDSA 私钥对象。
-func ParsePrivateKeyFromPEM(privateKeyPem string) (*ecdsa.PrivateKey, error) {
-	pemData := []byte(privateKeyPem)
-
-	block, _ := pem.Decode(pemData)
-	if block == nil {
-		return nil, fmt.Errorf("failed to decode PEM block")
-	}
-
-	privateKey, err := x509.ParseECPrivateKey(block.Bytes)
-	if err != nil {
-		return nil, fmt.Errorf("failed to parse private key: %w", err)
-	}
-
-	return privateKey, nil
-}