From 25d845c3b5c86bdd1db12caf9bc9621191375ae7 Mon Sep 17 00:00:00 2001
From: SataQiu
Date: Thu, 13 May 2021 19:37:28 +0800
Subject: [PATCH] kubeadm: fix the bug that kubeadm only uses the first hash in caCertHashes to verify the root CA

---
 cmd/kubeadm/app/util/pubkeypin/pubkeypin.go      |  4 +++-
 cmd/kubeadm/app/util/pubkeypin/pubkeypin_test.go | 11 +++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/cmd/kubeadm/app/util/pubkeypin/pubkeypin.go b/cmd/kubeadm/app/util/pubkeypin/pubkeypin.go
index 9bef3f9cf58..01999d29497 100644
--- a/cmd/kubeadm/app/util/pubkeypin/pubkeypin.go
+++ b/cmd/kubeadm/app/util/pubkeypin/pubkeypin.go
@@ -59,7 +59,9 @@ func (s *Set) Allow(pubKeyHashes ...string) error {
 
 		switch strings.ToLower(format) {
 		case "sha256":
-			return s.allowSHA256(value)
+			if err := s.allowSHA256(value); err != nil {
+				return errors.Errorf("invalid hash %q, %v", pubKeyHash, err)
+			}
 		default:
 			return errors.Errorf("unknown hash format %q. Known format(s) are: %s", format, supportedFormats)
 		}
diff --git a/cmd/kubeadm/app/util/pubkeypin/pubkeypin_test.go b/cmd/kubeadm/app/util/pubkeypin/pubkeypin_test.go
index 8ca2c6cf776..af726ea9bc5 100644
--- a/cmd/kubeadm/app/util/pubkeypin/pubkeypin_test.go
+++ b/cmd/kubeadm/app/util/pubkeypin/pubkeypin_test.go
@@ -143,6 +143,17 @@ func TestSet(t *testing.T) {
 		t.Error("expected the second test cert to be disallowed")
 		return
 	}
+
+	s = NewSet() // keep set empty
+	hashes := []string{
+		`sha256:0000000000000000000000000000000000000000000000000000000000000000`,
+		`sha256:0000000000000000000000000000000000000000000000000000000000000001`,
+	}
+	err = s.Allow(hashes...)
+	if err != nil || len(s.sha256Hashes) != 2 {
+		t.Error("expected allowing multiple hashes to succeed")
+		return
+	}
 }
 
 func TestHash(t *testing.T) {
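Review bot: With the early `return` gone, `Allow` now records each hash on `s` before moving to the next one, so when a later entry of `pubKeyHashes` fails on the added error path every hash before it has already been added and the half-populated set outlives the returned error. That is safe only if callers discard the Set on a non-nil error, and it should be stated on the method's doc comment, e.g. `// Allow is not atomic: on error, the hashes preceding the rejected one remain in the set and the Set must not be used for verification.` Since the set now legitimately holds several pins, the doc should also spell out that a CA matching any one of them is accepted, so every value passed in caCertHashes is a fully trusted root. If `errors` here is github.com/pkg/errors (the `Errorf` call suggests so, not confirmed from the hunk), `errors.Wrapf(err, "invalid hash %q", pubKeyHash)` keeps the underlying cause inspectable rather than flattening it through `%v`. The `for` loop around this switch and the function's final return lie outside the hunk.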
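Review bot: The new regression test only checks that both entries were stored (`len(s.sha256Hashes) != 2`); it does not exercise the behaviour the commit fixes, namely that a certificate matching only the second pin is now accepted, nor that a bad hash appearing after a good one is still reported. Consider pinning a placeholder hash followed by the hash of one of the test certs used earlier in TestSet and asserting that cert passes the same check the earlier assertions use, and adding a failure case such as `err = s.Allow(hashes[0], "sha256:zz")` with `err == nil` treated as a failure and the message checked to name the rejected hash (assuming allowSHA256 rejects non-hex input, which is not visible here). Whether `sha256Hashes` is a map or a slice is not visible in this hunk; if it is a map, a duplicate-hash case would also document the deduplication. TestSet starts before and ends after the hunk.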