背景与价值
服务间通信需要双向认证与可追溯身份。结合mTLS、Issuer白名单与轮换窗口,可以在不中断的情况下安全更新证书。
统一规范
Issuer白名单与SAN校验:仅接受受控CA签发,主体与服务标识一致。
有效期窗口:在新旧证书共存窗口内允许双签并逐步切换。
通道凭证:携带额外的租户或角色信息用于授权与审计。
核心实现
证书与Issuer校验
type Cert = { issuer: string; subject: string; notBefore: number; notAfter: number; san: string[] }
/** Issuer distinguished names (exact string match) trusted to sign service certificates. */
const allowIssuers = new Set<string>(['CN=Corp-CA', 'CN=Mesh-CA'])
/** Current wall-clock time in epoch milliseconds; kept as a seam so the clock can be substituted. */
function timeNow(): number {
  const nowMs = Date.now()
  return nowMs
}
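/**
 * Checks that a peer certificate is acceptable on its own: issuer on the allow
 * list, current time inside [notBefore, notAfter], and at least one SAN entry
 * that looks like a SPIFFE or DNS identity.
 *
 * @param c - parsed certificate fields; notBefore/notAfter are compared against
 *   timeNow(), so they are assumed to be epoch milliseconds — confirm at the parser.
 * @returns true only when all three checks pass.
 *
 * NOTE(review): the SAN check is prefix-only. It does not bind the SAN to the
 * expected service identity; that comparison must be done by the caller.
 */
function certAllowed(c: Cert): boolean {
  if (!allowIssuers.has(c.issuer)) return false
  // Read the clock once so both validity bounds are judged at the same instant.
  const now = timeNow()
  if (c.notBefore > now || c.notAfter < now) return false
  return c.san.some(s => s.startsWith('spiffe://') || s.startsWith('dns:'))
}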
轮换窗口策略
type Pair = { current: Cert; next?: Cert; windowMs: number }
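/**
 * Reports whether the rotation window is open: a successor certificate is
 * configured and the current time lies in the last `windowMs` milliseconds
 * before the current certificate's notAfter (inclusive at both ends).
 *
 * @param p - current certificate, optional successor and window length.
 * @returns false when no successor is configured or the time is outside the window.
 */
function withinWindow(p: Pair): boolean {
  if (!p.next) return false
  // Single clock read so the two comparisons cannot straddle a millisecond boundary.
  const now = timeNow()
  const start = p.current.notAfter - p.windowMs
  return now >= start && now <= p.current.notAfter
}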
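/**
 * Decides whether a presented certificate is accepted for this service pair.
 *
 * Path 1: the certificate passes certAllowed (issuer, validity period, SAN).
 * Path 2, rotation window only: the certificate matches the configured
 * successor — same subject, allow-listed issuer, not yet expired, and carrying
 * a SPIFFE/DNS SAN. notBefore is intentionally not checked on path 2 so that a
 * successor whose validity starts slightly in the future (clock skew between
 * issuer and peer) is still usable inside the window.
 *
 * @param p - current certificate, optional successor and window length.
 * @param presented - the certificate offered by the peer.
 * @returns true when either path accepts the certificate.
 */
function acceptCert(p: Pair, presented: Cert): boolean {
  if (certAllowed(presented)) return true
  // Window path: only reachable with a configured successor.
  if (!withinWindow(p) || !p.next) return false
  if (presented.subject !== p.next.subject) return false
  if (!allowIssuers.has(presented.issuer)) return false
  // A matching subject must not resurrect an already-expired certificate,
  // and the successor still has to name a service identity.
  if (presented.notAfter < timeNow()) return false
  return presented.san.some(s => s.startsWith('spiffe://') || s.startsWith('dns:'))
}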
通道凭证校验
type ChannelCred = { tenant: string; role: string }
/** A tenant id is 3–32 characters drawn from lowercase ASCII letters, digits and '-'. */
function validTenant(t: string): boolean {
  const tenantPattern = /^[a-z0-9-]{3,32}$/
  return tenantPattern.test(t)
}
/** A role name is 3–32 characters drawn from uppercase ASCII letters and '_'. */
function validRole(r: string): boolean {
  const rolePattern = /^[A-Z_]{3,32}$/
  return rolePattern.test(r)
}
/** A channel credential is accepted only when both its tenant id and role name are well-formed. */
function credAllowed(c: ChannelCred): boolean {
  const tenantOk = validTenant(c.tenant)
  const roleOk = validRole(c.role)
  return tenantOk && roleOk
}
落地建议
仅接受受控Issuer签发的证书,并校验SAN包含服务标识(如SPIFFE或DNS)。在轮换窗口内同时接受新旧证书,确保平滑切换并记录审计。在通道中携带租户与角色凭证,用于细粒度授权与追踪。
验证清单
Issuer是否命中白名单、有效期是否覆盖当前时间。
SAN是否包含受控标识,主体是否匹配服务身份。
轮换窗口策略是否生效并记录切换日志。
