kubeadm: fix the bug that kubeadm only uses the first hash in caCertHashes to verify the root CA

2025-07-24 12:15:52 +00:00 · 2021-05-13 19:37:28 +08:00 · 2021-05-13 19:37:28 +08:00 · 25d845c3b5
commit 25d845c3b5
parent 8634bc61c6
2 changed files with 14 additions and 1 deletions
--- a/cmd/kubeadm/app/util/pubkeypin/pubkeypin.go
+++ b/cmd/kubeadm/app/util/pubkeypin/pubkeypin.go
@ -59,7 +59,9 @@ func (s *Set) Allow(pubKeyHashes ...string) error {

 		switch strings.ToLower(format) {
 		case "sha256":
-			return s.allowSHA256(value)
+			if err := s.allowSHA256(value); err != nil {
+				return errors.Errorf("invalid hash %q, %v", pubKeyHash, err)
+			}
 		default:
 			return errors.Errorf("unknown hash format %q. Known format(s) are: %s", format, supportedFormats)
 		}
--- a/cmd/kubeadm/app/util/pubkeypin/pubkeypin_test.go
+++ b/cmd/kubeadm/app/util/pubkeypin/pubkeypin_test.go
@ -143,6 +143,17 @@ func TestSet(t *testing.T) {
 		t.Error("expected the second test cert to be disallowed")
 		return
 	}
+
+	s = NewSet() // keep set empty
+	hashes := []string{
+		`sha256:0000000000000000000000000000000000000000000000000000000000000000`,
+		`sha256:0000000000000000000000000000000000000000000000000000000000000001`,
+	}
+	err = s.Allow(hashes...)
+	if err != nil || len(s.sha256Hashes) != 2 {
+		t.Error("expected allowing multiple hashes to succeed")
+		return
+	}
 }

 func TestHash(t *testing.T) {