Merge branch 'usual2970:main' into feat-tencent-cos-support

2024-10-22 21:22:45 +08:00
parent f7972d5b68 b1a0d84033
commit 7b129c11e9
66 changed files with 3472 additions and 2400 deletions
--- a/internal/applicant/huaweicloud.go
+++ b/internal/applicant/huaweicloud.go
@@ -24,7 +24,12 @@ func (t *huaweicloud) Apply() (*Certificate, error) {
 	access := &domain.HuaweiCloudAccess{}
 	json.Unmarshal([]byte(t.option.Access), access)

-	os.Setenv("HUAWEICLOUD_REGION", access.Region) // 华为云的 SDK 要求必须传一个区域，实际上 DNS-01 流程里用不到，但不传会报错
+	region := access.Region
+	if region == "" {
+		region = "cn-north-1"
+	}
+
+	os.Setenv("HUAWEICLOUD_REGION", region) // 华为云的 SDK 要求必须传一个区域，实际上 DNS-01 流程里用不到，但不传会报错
 	os.Setenv("HUAWEICLOUD_ACCESS_KEY_ID", access.AccessKeyId)
 	os.Setenv("HUAWEICLOUD_SECRET_ACCESS_KEY", access.SecretAccessKey)
 	os.Setenv("HUAWEICLOUD_PROPAGATION_TIMEOUT", fmt.Sprintf("%d", t.option.Timeout))
--- a/internal/deployer/huaweicloud_cdn.go
+++ b/internal/deployer/huaweicloud_cdn.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"time"

 	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/global"
 	cdn "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cdn/v2"
@@ -11,7 +12,8 @@ import (
 	cdnRegion "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cdn/v2/region"

 	"github.com/usual2970/certimate/internal/domain"
-	"github.com/usual2970/certimate/internal/utils/rand"
+	uploader "github.com/usual2970/certimate/internal/pkg/core/uploader"
+	"github.com/usual2970/certimate/internal/pkg/utils/cast"
 )

 type HuaweiCloudCDNDeployer struct {
@@ -40,16 +42,18 @@ func (d *HuaweiCloudCDNDeployer) Deploy(ctx context.Context) error {
 		return err
 	}

-	client, err := d.createClient(access)
+	// TODO: CDN 服务与 DNS 服务所支持的区域可能不一致，这里暂时不传而是使用默认值，仅支持华为云国内版
+	client, err := d.createClient("", access.AccessKeyId, access.SecretAccessKey)
 	if err != nil {
 		return err
 	}

-	d.infos = append(d.infos, toStr("HuaweiCloudCdnClient 创建成功", nil))
+	d.infos = append(d.infos, toStr("SDK 客户端创建成功", nil))

 	// 查询加速域名配置
+	// REF: https://support.huaweicloud.com/api-cdn/ShowDomainFullConfig.html
 	showDomainFullConfigReq := &cdnModel.ShowDomainFullConfigRequest{
-		DomainName: getDeployString(d.option.DeployConfig, "domain"),
+		DomainName: d.option.DeployConfig.GetConfigAsString("domain"),
 	}
 	showDomainFullConfigResp, err := client.ShowDomainFullConfig(showDomainFullConfigReq)
 	if err != nil {
@@ -59,19 +63,46 @@ func (d *HuaweiCloudCDNDeployer) Deploy(ctx context.Context) error {
 	d.infos = append(d.infos, toStr("已查询到加速域名配置", showDomainFullConfigResp))

 	// 更新加速域名配置
-	certName := fmt.Sprintf("%s-%s", d.option.DomainId, rand.RandStr(12))
-	updateDomainMultiCertificatesReq := &cdnModel.UpdateDomainMultiCertificatesRequest{
-		Body: &cdnModel.UpdateDomainMultiCertificatesRequestBody{
-			Https: mergeHuaweiCloudCDNConfig(showDomainFullConfigResp.Configs, &cdnModel.UpdateDomainMultiCertificatesRequestBodyContent{
-				DomainName:  getDeployString(d.option.DeployConfig, "domain"),
-				HttpsSwitch: 1,
-				CertName:    &certName,
-				Certificate: &d.option.Certificate.Certificate,
-				PrivateKey:  &d.option.Certificate.PrivateKey,
-			}),
+	// REF: https://support.huaweicloud.com/api-cdn/UpdateDomainMultiCertificates.html
+	// REF: https://support.huaweicloud.com/usermanual-cdn/cdn_01_0306.html
+	updateDomainMultiCertificatesReqBodyContent := &huaweicloudCDNUpdateDomainMultiCertificatesRequestBodyContent{}
+	updateDomainMultiCertificatesReqBodyContent.DomainName = d.option.DeployConfig.GetConfigAsString("domain")
+	updateDomainMultiCertificatesReqBodyContent.HttpsSwitch = 1
+	var updateDomainMultiCertificatesResp *cdnModel.UpdateDomainMultiCertificatesResponse
+	if d.option.DeployConfig.GetConfigAsBool("useSCM") {
+		uploader, err := uploader.NewHuaweiCloudSCMUploader(&uploader.HuaweiCloudSCMUploaderConfig{
+			Region:          "", // TODO: SCM 服务与 DNS 服务所支持的区域可能不一致，这里暂时不传而是使用默认值，仅支持华为云国内版
+			AccessKeyId:     access.AccessKeyId,
+			SecretAccessKey: access.SecretAccessKey,
+		})
+		if err != nil {
+			return err
+		}
+
+		// 上传证书到 SCM
+		uploadResult, err := uploader.Upload(ctx, d.option.Certificate.Certificate, d.option.Certificate.PrivateKey)
+		if err != nil {
+			return err
+		}
+
+		d.infos = append(d.infos, toStr("已上传证书", uploadResult))
+
+		updateDomainMultiCertificatesReqBodyContent.CertificateType = cast.Int32Ptr(2)
+		updateDomainMultiCertificatesReqBodyContent.SCMCertificateId = cast.StringPtr(uploadResult.CertId)
+		updateDomainMultiCertificatesReqBodyContent.CertName = cast.StringPtr(uploadResult.CertName)
+	} else {
+		updateDomainMultiCertificatesReqBodyContent.CertificateType = cast.Int32Ptr(0)
+		updateDomainMultiCertificatesReqBodyContent.CertName = cast.StringPtr(fmt.Sprintf("certimate-%d", time.Now().UnixMilli()))
+		updateDomainMultiCertificatesReqBodyContent.Certificate = cast.StringPtr(d.option.Certificate.Certificate)
+		updateDomainMultiCertificatesReqBodyContent.PrivateKey = cast.StringPtr(d.option.Certificate.PrivateKey)
+	}
+	updateDomainMultiCertificatesReqBodyContent = mergeHuaweiCloudCDNConfig(showDomainFullConfigResp.Configs, updateDomainMultiCertificatesReqBodyContent)
+	updateDomainMultiCertificatesReq := &huaweicloudCDNUpdateDomainMultiCertificatesRequest{
+		Body: &huaweicloudCDNUpdateDomainMultiCertificatesRequestBody{
+			Https: updateDomainMultiCertificatesReqBodyContent,
 		},
 	}
-	updateDomainMultiCertificatesResp, err := client.UpdateDomainMultiCertificates(updateDomainMultiCertificatesReq)
+	updateDomainMultiCertificatesResp, err = executeHuaweiCloudCDNUploadDomainMultiCertificates(client, updateDomainMultiCertificatesReq)
 	if err != nil {
 		return err
 	}
@@ -81,22 +112,26 @@ func (d *HuaweiCloudCDNDeployer) Deploy(ctx context.Context) error {
 	return nil
 }

-func (d *HuaweiCloudCDNDeployer) createClient(access *domain.HuaweiCloudAccess) (*cdn.CdnClient, error) {
+func (d *HuaweiCloudCDNDeployer) createClient(region, accessKeyId, secretAccessKey string) (*cdn.CdnClient, error) {
 	auth, err := global.NewCredentialsBuilder().
-		WithAk(access.AccessKeyId).
-		WithSk(access.SecretAccessKey).
+		WithAk(accessKeyId).
+		WithSk(secretAccessKey).
 		SafeBuild()
 	if err != nil {
 		return nil, err
 	}

-	region, err := cdnRegion.SafeValueOf(access.Region)
+	if region == "" {
+		region = "cn-north-1" // CDN 服务默认区域：华北一北京
+	}
+
+	hcRegion, err := cdnRegion.SafeValueOf(region)
 	if err != nil {
 		return nil, err
 	}

 	hcClient, err := cdn.CdnClientBuilder().
-		WithRegion(region).
+		WithRegion(hcRegion).
 		WithCredential(auth).
 		SafeBuild()
 	if err != nil {
@@ -107,25 +142,47 @@ func (d *HuaweiCloudCDNDeployer) createClient(access *domain.HuaweiCloudAccess)
 	return client, nil
 }

-func mergeHuaweiCloudCDNConfig(src *cdnModel.ConfigsGetBody, dest *cdnModel.UpdateDomainMultiCertificatesRequestBodyContent) *cdnModel.UpdateDomainMultiCertificatesRequestBodyContent {
+type huaweicloudCDNUpdateDomainMultiCertificatesRequestBodyContent struct {
+	cdnModel.UpdateDomainMultiCertificatesRequestBodyContent `json:",inline"`
+
+	SCMCertificateId *string `json:"scm_certificate_id,omitempty"`
+}
+
+type huaweicloudCDNUpdateDomainMultiCertificatesRequestBody struct {
+	Https *huaweicloudCDNUpdateDomainMultiCertificatesRequestBodyContent `json:"https,omitempty"`
+}
+
+type huaweicloudCDNUpdateDomainMultiCertificatesRequest struct {
+	Body *huaweicloudCDNUpdateDomainMultiCertificatesRequestBody `json:"body,omitempty"`
+}
+
+func executeHuaweiCloudCDNUploadDomainMultiCertificates(client *cdn.CdnClient, request *huaweicloudCDNUpdateDomainMultiCertificatesRequest) (*cdnModel.UpdateDomainMultiCertificatesResponse, error) {
+	// 华为云官方 SDK 中目前提供的字段缺失，这里暂时先需自定义请求
+	// 可能需要等之后 SDK 更新
+
+	requestDef := cdn.GenReqDefForUpdateDomainMultiCertificates()
+
+	if resp, err := client.HcClient.Sync(request, requestDef); err != nil {
+		return nil, err
+	} else {
+		return resp.(*cdnModel.UpdateDomainMultiCertificatesResponse), nil
+	}
+}
+
+func mergeHuaweiCloudCDNConfig(src *cdnModel.ConfigsGetBody, dest *huaweicloudCDNUpdateDomainMultiCertificatesRequestBodyContent) *huaweicloudCDNUpdateDomainMultiCertificatesRequestBodyContent {
 	if src == nil {
 		return dest
 	}

 	// 华为云 API 中不传的字段表示使用默认值、而非保留原值，因此这里需要把原配置中的参数重新赋值回去
 	// 而且蛋疼的是查询接口返回的数据结构和更新接口传入的参数结构不一致，需要做很多转化
-	// REF: https://support.huaweicloud.com/api-cdn/ShowDomainFullConfig.html
-	// REF: https://support.huaweicloud.com/api-cdn/UpdateDomainMultiCertificates.html

 	if *src.OriginProtocol == "follow" {
-		accessOriginWay := int32(1)
-		dest.AccessOriginWay = &accessOriginWay
+		dest.AccessOriginWay = cast.Int32Ptr(1)
 	} else if *src.OriginProtocol == "http" {
-		accessOriginWay := int32(2)
-		dest.AccessOriginWay = &accessOriginWay
+		dest.AccessOriginWay = cast.Int32Ptr(2)
 	} else if *src.OriginProtocol == "https" {
-		accessOriginWay := int32(3)
-		dest.AccessOriginWay = &accessOriginWay
+		dest.AccessOriginWay = cast.Int32Ptr(3)
 	}

 	if src.ForceRedirect != nil {
@@ -141,8 +198,7 @@ func mergeHuaweiCloudCDNConfig(src *cdnModel.ConfigsGetBody, dest *cdnModel.Upda

 	if src.Https != nil {
 		if *src.Https.Http2Status == "on" {
-			http2 := int32(1)
-			dest.Http2 = &http2
+			dest.Http2 = cast.Int32Ptr(1)
 		}
 	}

--- a/internal/deployer/qiniu_cdn.go
+++ b/internal/deployer/qiniu_cdn.go
@@ -76,7 +76,8 @@ func (d *QiniuCDNDeployer) Deploy(ctx context.Context) error {
 }

 func (d *QiniuCDNDeployer) enableHttps(certId string) error {
-	path := fmt.Sprintf("/domain/%s/sslize", getDeployString(d.option.DeployConfig, "domain"))
+	domain := d.option.DeployConfig.GetDomain()
+	path := fmt.Sprintf("/domain/%s/sslize", domain)

 	body := &qiniuModifyDomainCertReq{
 		CertID:      certId,
@@ -102,7 +103,9 @@ type qiniuDomainInfo struct {
 }

 func (d *QiniuCDNDeployer) getDomainInfo() (*qiniuDomainInfo, error) {
-	path := fmt.Sprintf("/domain/%s", getDeployString(d.option.DeployConfig, "domain"))
+	domain := d.option.DeployConfig.GetDomain()
+
+	path := fmt.Sprintf("/domain/%s", domain)

 	res, err := d.req(qiniuGateway+path, http.MethodGet, nil)
 	if err != nil {
@@ -164,7 +167,8 @@ type qiniuModifyDomainCertReq struct {
 }

 func (d *QiniuCDNDeployer) modifyDomainCert(certId string) error {
-	path := fmt.Sprintf("/domain/%s/httpsconf", getDeployString(d.option.DeployConfig, "domain"))
+	domain := d.option.DeployConfig.GetDomain()
+	path := fmt.Sprintf("/domain/%s/httpsconf", domain)

 	body := &qiniuModifyDomainCertReq{
 		CertID:      certId,
--- a/internal/domain/domains.go
+++ b/internal/domain/domains.go
@@ -1,5 +1,7 @@
 package domain

+import "strings"
+
 type ApplyConfig struct {
 	Email              string `json:"email"`
 	Access             string `json:"access"`
@@ -16,6 +18,92 @@ type DeployConfig struct {
 	Config map[string]any `json:"config"`
 }

+
+// 以字符串形式获取配置项。
+//
+// 入参：
+//   - key: 配置项的键。
+//
+// 出参：
+//   - 配置项的值。如果配置项不存在或者类型不是字符串，则返回空字符串。
+func (dc *DeployConfig) GetConfigAsString(key string) string {
+	return dc.GetConfigOrDefaultAsString(key, "")
+}
+
+// 以字符串形式获取配置项。
+//
+// 入参：
+//   - key: 配置项的键。
+//   - defaultValue: 默认值。
+//
+// 出参：
+//   - 配置项的值。如果配置项不存在或者类型不是字符串，则返回默认值。
+func (dc *DeployConfig) GetConfigOrDefaultAsString(key string, defaultValue string) string {
+	if dc.Config == nil {
+		return defaultValue
+	}
+
+	if value, ok := dc.Config[key]; ok {
+		if result, ok := value.(string); ok {
+			return result
+		}
+	}
+
+	return defaultValue
+}
+
+// 以布尔形式获取配置项。
+//
+// 入参：
+//   - key: 配置项的键。
+//
+// 出参：
+//   - 配置项的值。如果配置项不存在或者类型不是布尔，则返回 false。
+func (dc *DeployConfig) GetConfigAsBool(key string) bool {
+	return dc.GetConfigOrDefaultAsBool(key, false)
+}
+
+// 以布尔形式获取配置项。
+//
+// 入参：
+//   - key: 配置项的键。
+//   - defaultValue: 默认值。
+//
+// 出参：
+//   - 配置项的值。如果配置项不存在或者类型不是布尔，则返回默认值。
+func (dc *DeployConfig) GetConfigOrDefaultAsBool(key string, defaultValue bool) bool {
+	if dc.Config == nil {
+		return defaultValue
+	}
+
+	if value, ok := dc.Config[key]; ok {
+		if result, ok := value.(bool); ok {
+			return result
+		}
+	}
+
+	return defaultValue
+}
+
+// GetDomain returns the domain from the deploy config
+// if the domain is a wildcard domain, and wildcard is true, return the wildcard domain
+func (dc *DeployConfig) GetDomain(wildcard ...bool) string {
+	val := dc.GetConfigAsString("domain")
+	if val == "" {
+		return ""
+	}
+
+	if !strings.HasPrefix(val, "*") {
+		return val
+	}
+
+	if len(wildcard) > 0 && wildcard[0] {
+		return val
+	}
+
+	return strings.TrimPrefix(val, "*")
+}
+
 type KV struct {
 	Key   string `json:"key"`
 	Value string `json:"value"`
--- a/internal/pkg/core/uploader/uploader.go
+++ b/internal/pkg/core/uploader/uploader.go
@@ -0,0 +1,27 @@
+package uploader
+
+import "context"
+
+// 表示定义证书上传者的抽象类型接口。
+// 云服务商通常会提供 SSL 证书管理服务，可供用户集中管理证书。
+// 注意与 `Deployer` 区分，“上传”通常为“部署”的前置操作。
+type Uploader interface {
+	// 上传证书。
+	//
+	// 入参：
+	//   - ctx：
+	//   - certPem：证书 PEM 内容
+	//   - privkeyPem：私钥 PEM 内容
+	//
+	// 出参：
+	//   - res：
+	//   - err：
+	Upload(ctx context.Context, certPem string, privkeyPem string) (res *UploadResult, err error)
+}
+
+// 表示证书上传结果的数据结构，包含上传后的证书 ID、名称和其他数据。
+type UploadResult struct {
+	CertId   string         `json:"certId"`
+	CertName string         `json:"certName"`
+	CertData map[string]any `json:"certData,omitempty"`
+}
--- a/internal/pkg/core/uploader/uploader_aliyun_cas.go
+++ b/internal/pkg/core/uploader/uploader_aliyun_cas.go
@@ -0,0 +1,164 @@
+package uploader
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	cas20200407 "github.com/alibabacloud-go/cas-20200407/v3/client"
+	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
+	util "github.com/alibabacloud-go/tea-utils/v2/service"
+	"github.com/alibabacloud-go/tea/tea"
+
+	"github.com/usual2970/certimate/internal/pkg/utils/x509"
+)
+
+type AliyunCASUploaderConfig struct {
+	Region          string `json:"region"`
+	AccessKeyId     string `json:"accessKeyId"`
+	AccessKeySecret string `json:"accessKeySecret"`
+}
+
+type AliyunCASUploader struct {
+	config     *AliyunCASUploaderConfig
+	sdkClient  *cas20200407.Client
+	sdkRuntime *util.RuntimeOptions
+}
+
+func NewAliyunCASUploader(config *AliyunCASUploaderConfig) (*AliyunCASUploader, error) {
+	client, err := (&AliyunCASUploader{config: config}).createSdkClient()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create sdk client: %w", err)
+	}
+
+	return &AliyunCASUploader{
+		config:     config,
+		sdkClient:  client,
+		sdkRuntime: &util.RuntimeOptions{},
+	}, nil
+}
+
+func (u *AliyunCASUploader) Upload(ctx context.Context, certPem string, privkeyPem string) (res *UploadResult, err error) {
+	// 解析证书内容
+	certX509, err := x509.ParseCertificateFromPEM(certPem)
+	if err != nil {
+		return nil, err
+	}
+
+	// 查询证书列表，避免重复上传
+	// REF: https://help.aliyun.com/zh/ssl-certificate/developer-reference/api-cas-2020-04-07-listusercertificateorder
+	// REF: https://help.aliyun.com/zh/ssl-certificate/developer-reference/api-cas-2020-04-07-getusercertificatedetail
+	listUserCertificateOrderPage := int64(1)
+	listUserCertificateOrderLimit := int64(50)
+	for {
+		listUserCertificateOrderReq := &cas20200407.ListUserCertificateOrderRequest{
+			CurrentPage: tea.Int64(listUserCertificateOrderPage),
+			ShowSize:    tea.Int64(listUserCertificateOrderLimit),
+			OrderType:   tea.String("CERT"),
+		}
+		listUserCertificateOrderResp, err := u.sdkClient.ListUserCertificateOrderWithOptions(listUserCertificateOrderReq, u.sdkRuntime)
+		if err != nil {
+			return nil, fmt.Errorf("failed to execute sdk request 'cas.ListUserCertificateOrder': %w", err)
+		}
+
+		if listUserCertificateOrderResp.Body.CertificateOrderList != nil {
+			for _, certDetail := range listUserCertificateOrderResp.Body.CertificateOrderList {
+				if strings.EqualFold(certX509.SerialNumber.Text(16), *certDetail.SerialNo) {
+					getUserCertificateDetailReq := &cas20200407.GetUserCertificateDetailRequest{
+						CertId: certDetail.CertificateId,
+					}
+					getUserCertificateDetailResp, err := u.sdkClient.GetUserCertificateDetailWithOptions(getUserCertificateDetailReq, u.sdkRuntime)
+					if err != nil {
+						return nil, fmt.Errorf("failed to execute sdk request 'cas.GetUserCertificateDetail': %w", err)
+					}
+
+					var isSameCert bool
+					if *getUserCertificateDetailResp.Body.Cert == certPem {
+						isSameCert = true
+					} else {
+						cert, err := x509.ParseCertificateFromPEM(*getUserCertificateDetailResp.Body.Cert)
+						if err != nil {
+							continue
+						}
+
+						isSameCert = x509.EqualCertificate(certX509, cert)
+					}
+
+					// 如果已存在相同证书，直接返回已有的证书信息
+					if isSameCert {
+						return &UploadResult{
+							CertId:   fmt.Sprintf("%d", tea.Int64Value(certDetail.CertificateId)),
+							CertName: *certDetail.Name,
+						}, nil
+					}
+				}
+			}
+		}
+
+		if listUserCertificateOrderResp.Body.CertificateOrderList == nil || len(listUserCertificateOrderResp.Body.CertificateOrderList) < int(listUserCertificateOrderLimit) {
+			break
+		}
+
+		listUserCertificateOrderPage += 1
+		if listUserCertificateOrderPage > 99 { // 避免死循环
+			break
+		}
+	}
+
+	// 生成新证书名（需符合阿里云命名规则）
+	var certId, certName string
+	certName = fmt.Sprintf("certimate_%d", time.Now().UnixMilli())
+
+	// 上传新证书
+	// REF: https://help.aliyun.com/zh/ssl-certificate/developer-reference/api-cas-2020-04-07-uploadusercertificate
+	uploadUserCertificateReq := &cas20200407.UploadUserCertificateRequest{
+		Name: tea.String(certName),
+		Cert: tea.String(certPem),
+		Key:  tea.String(privkeyPem),
+	}
+	uploadUserCertificateResp, err := u.sdkClient.UploadUserCertificateWithOptions(uploadUserCertificateReq, u.sdkRuntime)
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute sdk request 'cas.UploadUserCertificate': %w", err)
+	}
+
+	certId = fmt.Sprintf("%d", tea.Int64Value(uploadUserCertificateResp.Body.CertId))
+	return &UploadResult{
+		CertId:   certId,
+		CertName: certName,
+	}, nil
+}
+
+func (u *AliyunCASUploader) createSdkClient() (*cas20200407.Client, error) {
+	region := u.config.Region
+	accessKeyId := u.config.AccessKeyId
+	accessKeySecret := u.config.AccessKeySecret
+	if region == "" {
+		region = "cn-hangzhou" // CAS 服务默认区域：华东一杭州
+	}
+
+	aConfig := &openapi.Config{
+		AccessKeyId:     tea.String(accessKeyId),
+		AccessKeySecret: tea.String(accessKeySecret),
+	}
+
+	var endpoint string
+	switch region {
+	case "cn-hangzhou":
+		endpoint = "cas.aliyuncs.com"
+	case "ap-southeast-1":
+		endpoint = "cas.ap-southeast-1.aliyuncs.com"
+	case "eu-central-1":
+		endpoint = "cas.eu-central-1.aliyuncs.com"
+	default:
+		endpoint = fmt.Sprintf("cas.%s.aliyuncs.com", region)
+	}
+	aConfig.Endpoint = tea.String(endpoint)
+
+	client, err := cas20200407.NewClient(aConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return client, nil
+}
--- a/internal/pkg/core/uploader/uploader_huaweicloud_elb.go
+++ b/internal/pkg/core/uploader/uploader_huaweicloud_elb.go
@@ -0,0 +1,159 @@
+package uploader
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
+	hcElb "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/elb/v3"
+	hcElbModel "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/elb/v3/model"
+	hcElbRegion "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/elb/v3/region"
+
+	"github.com/usual2970/certimate/internal/pkg/utils/cast"
+	"github.com/usual2970/certimate/internal/pkg/utils/x509"
+)
+
+type HuaweiCloudELBUploaderConfig struct {
+	Region          string `json:"region"`
+	ProjectId       string `json:"projectId"`
+	AccessKeyId     string `json:"accessKeyId"`
+	SecretAccessKey string `json:"secretAccessKey"`
+}
+
+type HuaweiCloudELBUploader struct {
+	config    *HuaweiCloudELBUploaderConfig
+	sdkClient *hcElb.ElbClient
+}
+
+func NewHuaweiCloudELBUploader(config *HuaweiCloudELBUploaderConfig) (*HuaweiCloudELBUploader, error) {
+	client, err := (&HuaweiCloudELBUploader{config: config}).createSdkClient()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create sdk client: %w", err)
+	}
+
+	return &HuaweiCloudELBUploader{
+		config:    config,
+		sdkClient: client,
+	}, nil
+}
+
+func (u *HuaweiCloudELBUploader) Upload(ctx context.Context, certPem string, privkeyPem string) (res *UploadResult, err error) {
+	// 解析证书内容
+	newCert, err := x509.ParseCertificateFromPEM(certPem)
+	if err != nil {
+		return nil, err
+	}
+
+	// 遍历查询已有证书，避免重复上传
+	// REF: https://support.huaweicloud.com/api-elb/ListCertificates.html
+	listCertificatesPage := 1
+	listCertificatesLimit := int32(2000)
+	var listCertificatesMarker *string = nil
+	for {
+		listCertificatesReq := &hcElbModel.ListCertificatesRequest{
+			Limit:  cast.Int32Ptr(listCertificatesLimit),
+			Marker: listCertificatesMarker,
+			Type:   &[]string{"server"},
+		}
+		listCertificatesResp, err := u.sdkClient.ListCertificates(listCertificatesReq)
+		if err != nil {
+			return nil, fmt.Errorf("failed to execute sdk request 'elb.ListCertificates': %w", err)
+		}
+
+		if listCertificatesResp.Certificates != nil {
+			for _, certDetail := range *listCertificatesResp.Certificates {
+				var isSameCert bool
+				if certDetail.Certificate == certPem {
+					isSameCert = true
+				} else {
+					cert, err := x509.ParseCertificateFromPEM(certDetail.Certificate)
+					if err != nil {
+						continue
+					}
+
+					isSameCert = x509.EqualCertificate(cert, newCert)
+				}
+
+				// 如果已存在相同证书，直接返回已有的证书信息
+				if isSameCert {
+					return &UploadResult{
+						CertId:   certDetail.Id,
+						CertName: certDetail.Name,
+					}, nil
+				}
+			}
+		}
+
+		if listCertificatesResp.Certificates == nil || len(*listCertificatesResp.Certificates) < int(listCertificatesLimit) {
+			break
+		}
+
+		listCertificatesMarker = listCertificatesResp.PageInfo.NextMarker
+		listCertificatesPage++
+		if listCertificatesPage >= 9 { // 避免死循环
+			break
+		}
+	}
+
+	// 生成新证书名（需符合华为云命名规则）
+	var certId, certName string
+	certName = fmt.Sprintf("certimate-%d", time.Now().UnixMilli())
+
+	// 创建新证书
+	// REF: https://support.huaweicloud.com/api-elb/CreateCertificate.html
+	createCertificateReq := &hcElbModel.CreateCertificateRequest{
+		Body: &hcElbModel.CreateCertificateRequestBody{
+			Certificate: &hcElbModel.CreateCertificateOption{
+				ProjectId:   cast.StringPtr(u.config.ProjectId),
+				Name:        cast.StringPtr(certName),
+				Certificate: cast.StringPtr(certPem),
+				PrivateKey:  cast.StringPtr(privkeyPem),
+			},
+		},
+	}
+	createCertificateResp, err := u.sdkClient.CreateCertificate(createCertificateReq)
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute sdk request 'elb.CreateCertificate': %w", err)
+	}
+
+	certId = createCertificateResp.Certificate.Id
+	certName = createCertificateResp.Certificate.Name
+	return &UploadResult{
+		CertId:   certId,
+		CertName: certName,
+	}, nil
+}
+
+func (u *HuaweiCloudELBUploader) createSdkClient() (*hcElb.ElbClient, error) {
+	region := u.config.Region
+	accessKeyId := u.config.AccessKeyId
+	secretAccessKey := u.config.SecretAccessKey
+	if region == "" {
+		region = "cn-north-4" // ELB 服务默认区域：华北四北京
+	}
+
+	auth, err := basic.NewCredentialsBuilder().
+		WithAk(accessKeyId).
+		WithSk(secretAccessKey).
+		SafeBuild()
+	if err != nil {
+		return nil, err
+	}
+
+	hcRegion, err := hcElbRegion.SafeValueOf(region)
+	if err != nil {
+		return nil, err
+	}
+
+	hcClient, err := hcElb.ElbClientBuilder().
+		WithRegion(hcRegion).
+		WithCredential(auth).
+		SafeBuild()
+	if err != nil {
+		return nil, err
+	}
+
+	client := hcElb.NewElbClient(hcClient)
+	return client, nil
+}
--- a/internal/pkg/core/uploader/uploader_huaweicloud_scm.go
+++ b/internal/pkg/core/uploader/uploader_huaweicloud_scm.go
@@ -0,0 +1,167 @@
+package uploader
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
+	hcScm "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/scm/v3"
+	hcScmModel "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/scm/v3/model"
+	hcScmRegion "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/scm/v3/region"
+
+	"github.com/usual2970/certimate/internal/pkg/utils/cast"
+	"github.com/usual2970/certimate/internal/pkg/utils/x509"
+)
+
+type HuaweiCloudSCMUploaderConfig struct {
+	Region          string `json:"region"`
+	AccessKeyId     string `json:"accessKeyId"`
+	SecretAccessKey string `json:"secretAccessKey"`
+}
+
+type HuaweiCloudSCMUploader struct {
+	config    *HuaweiCloudSCMUploaderConfig
+	sdkClient *hcScm.ScmClient
+}
+
+func NewHuaweiCloudSCMUploader(config *HuaweiCloudSCMUploaderConfig) (*HuaweiCloudSCMUploader, error) {
+	client, err := (&HuaweiCloudSCMUploader{config: config}).createSdkClient()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create sdk client: %w", err)
+	}
+
+	return &HuaweiCloudSCMUploader{
+		config:    config,
+		sdkClient: client,
+	}, nil
+}
+
+func (u *HuaweiCloudSCMUploader) Upload(ctx context.Context, certPem string, privkeyPem string) (res *UploadResult, err error) {
+	// 解析证书内容
+	certX509, err := x509.ParseCertificateFromPEM(certPem)
+	if err != nil {
+		return nil, err
+	}
+
+	// 遍历查询已有证书，避免重复上传
+	// REF: https://support.huaweicloud.com/api-ccm/ListCertificates.html
+	// REF: https://support.huaweicloud.com/api-ccm/ExportCertificate_0.html
+	listCertificatesPage := 1
+	listCertificatesLimit := int32(50)
+	listCertificatesOffset := int32(0)
+	for {
+		listCertificatesReq := &hcScmModel.ListCertificatesRequest{
+			Limit:   cast.Int32Ptr(listCertificatesLimit),
+			Offset:  cast.Int32Ptr(listCertificatesOffset),
+			SortDir: cast.StringPtr("DESC"),
+			SortKey: cast.StringPtr("certExpiredTime"),
+		}
+		listCertificatesResp, err := u.sdkClient.ListCertificates(listCertificatesReq)
+		if err != nil {
+			return nil, fmt.Errorf("failed to execute sdk request 'scm.ListCertificates': %w", err)
+		}
+
+		if listCertificatesResp.Certificates != nil {
+			for _, certDetail := range *listCertificatesResp.Certificates {
+				exportCertificateReq := &hcScmModel.ExportCertificateRequest{
+					CertificateId: certDetail.Id,
+				}
+				exportCertificateResp, err := u.sdkClient.ExportCertificate(exportCertificateReq)
+				if err != nil {
+					if exportCertificateResp != nil && exportCertificateResp.HttpStatusCode == 404 {
+						continue
+					}
+					return nil, fmt.Errorf("failed to execute sdk request 'scm.ExportCertificate': %w", err)
+				}
+
+				var isSameCert bool
+				if *exportCertificateResp.Certificate == certPem {
+					isSameCert = true
+				} else {
+					cert, err := x509.ParseCertificateFromPEM(*exportCertificateResp.Certificate)
+					if err != nil {
+						continue
+					}
+
+					isSameCert = x509.EqualCertificate(certX509, cert)
+				}
+
+				// 如果已存在相同证书，直接返回已有的证书信息
+				if isSameCert {
+					return &UploadResult{
+						CertId:   certDetail.Id,
+						CertName: certDetail.Name,
+					}, nil
+				}
+			}
+		}
+
+		if listCertificatesResp.Certificates == nil || len(*listCertificatesResp.Certificates) < int(listCertificatesLimit) {
+			break
+		}
+
+		listCertificatesOffset += listCertificatesLimit
+		listCertificatesPage += 1
+		if listCertificatesPage > 99 { // 避免死循环
+			break
+		}
+	}
+
+	// 生成新证书名（需符合华为云命名规则）
+	var certId, certName string
+	certName = fmt.Sprintf("certimate-%d", time.Now().UnixMilli())
+
+	// 上传新证书
+	// REF: https://support.huaweicloud.com/api-ccm/ImportCertificate.html
+	importCertificateReq := &hcScmModel.ImportCertificateRequest{
+		Body: &hcScmModel.ImportCertificateRequestBody{
+			Name:        certName,
+			Certificate: certPem,
+			PrivateKey:  privkeyPem,
+		},
+	}
+	importCertificateResp, err := u.sdkClient.ImportCertificate(importCertificateReq)
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute sdk request 'scm.ImportCertificate': %w", err)
+	}
+
+	certId = *importCertificateResp.CertificateId
+	return &UploadResult{
+		CertId:   certId,
+		CertName: certName,
+	}, nil
+}
+
+func (u *HuaweiCloudSCMUploader) createSdkClient() (*hcScm.ScmClient, error) {
+	region := u.config.Region
+	accessKeyId := u.config.AccessKeyId
+	secretAccessKey := u.config.SecretAccessKey
+	if region == "" {
+		region = "cn-north-4" // SCM 服务默认区域：华北四北京
+	}
+
+	auth, err := basic.NewCredentialsBuilder().
+		WithAk(accessKeyId).
+		WithSk(secretAccessKey).
+		SafeBuild()
+	if err != nil {
+		return nil, err
+	}
+
+	hcRegion, err := hcScmRegion.SafeValueOf(region)
+	if err != nil {
+		return nil, err
+	}
+
+	hcClient, err := hcScm.ScmClientBuilder().
+		WithRegion(hcRegion).
+		WithCredential(auth).
+		SafeBuild()
+	if err != nil {
+		return nil, err
+	}
+
+	client := hcScm.NewScmClient(hcClient)
+	return client, nil
+}
--- a/internal/pkg/core/uploader/uploader_tencentcloud_ssl.go
+++ b/internal/pkg/core/uploader/uploader_tencentcloud_ssl.go
@@ -0,0 +1,91 @@
+package uploader
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
+	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/profile"
+	tcSsl "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/ssl/v20191205"
+
+	"github.com/usual2970/certimate/internal/pkg/utils/cast"
+)
+
+type TencentCloudSSLUploaderConfig struct {
+	Region    string `json:"region"`
+	SecretId  string `json:"secretId"`
+	SecretKey string `json:"secretKey"`
+}
+
+type TencentCloudSSLUploader struct {
+	config    *TencentCloudSSLUploaderConfig
+	sdkClient *tcSsl.Client
+}
+
+func NewTencentCloudSSLUploader(config *TencentCloudSSLUploaderConfig) (*TencentCloudSSLUploader, error) {
+	client, err := (&TencentCloudSSLUploader{config: config}).createSdkClient()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create sdk client: %w", err)
+	}
+
+	return &TencentCloudSSLUploader{
+		config:    config,
+		sdkClient: client,
+	}, nil
+}
+
+func (u *TencentCloudSSLUploader) Upload(ctx context.Context, certPem string, privkeyPem string) (res *UploadResult, err error) {
+	// 生成新证书名（需符合腾讯云命名规则）
+	var certId, certName string
+	certName = fmt.Sprintf("certimate-%d", time.Now().UnixMilli())
+
+	// 上传新证书
+	// REF: https://cloud.tencent.com/document/product/400/41665
+	uploadCertificateReq := &tcSsl.UploadCertificateRequest{
+		Alias:                 cast.StringPtr(certName),
+		CertificatePublicKey:  cast.StringPtr(certPem),
+		CertificatePrivateKey: cast.StringPtr(privkeyPem),
+		Repeatable:            cast.BoolPtr(false),
+	}
+	uploadCertificateResp, err := u.sdkClient.UploadCertificate(uploadCertificateReq)
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute sdk request 'ssl.UploadCertificate': %w", err)
+	}
+
+	// 获取证书详情
+	// REF: https://cloud.tencent.com/document/api/400/41673
+	//
+	// P.S. 上传重复证书会返回上一次的证书 ID，这里需要重新获取一遍证书名（https://github.com/usual2970/certimate/pull/227）
+	describeCertificateDetailReq := &tcSsl.DescribeCertificateDetailRequest{
+		CertificateId: uploadCertificateResp.Response.CertificateId,
+	}
+	describeCertificateDetailResp, err := u.sdkClient.DescribeCertificateDetail(describeCertificateDetailReq)
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute sdk request 'ssl.DescribeCertificateDetail': %w", err)
+	}
+
+	certId = *describeCertificateDetailResp.Response.CertificateId
+	certName = *describeCertificateDetailResp.Response.Alias
+	return &UploadResult{
+		CertId:   certId,
+		CertName: certName,
+	}, nil
+}
+
+func (u *TencentCloudSSLUploader) createSdkClient() (*tcSsl.Client, error) {
+	region := u.config.Region
+	secretId := u.config.SecretId
+	secretKey := u.config.SecretKey
+	if region == "" {
+		region = "ap-guangzhou" // SSL 服务默认区域：广州
+	}
+
+	credential := common.NewCredential(secretId, secretKey)
+	client, err := tcSsl.NewClient(credential, region, profile.NewClientProfile())
+	if err != nil {
+		return nil, err
+	}
+
+	return client, nil
+}
--- a/internal/pkg/utils/cast/cast.go
+++ b/internal/pkg/utils/cast/cast.go
@@ -0,0 +1,25 @@
+package cast
+
+func Int32Ptr(i int32) *int32 {
+	return &i
+}
+
+func Int64Ptr(i int64) *int64 {
+	return &i
+}
+
+func UInt32Ptr(i uint32) *uint32 {
+	return &i
+}
+
+func UInt64Ptr(i uint64) *uint64 {
+	return &i
+}
+
+func StringPtr(s string) *string {
+	return &s
+}
+
+func BoolPtr(b bool) *bool {
+	return &b
+}
--- a/internal/pkg/utils/x509/x509.go
+++ b/internal/pkg/utils/x509/x509.go
@@ -0,0 +1,48 @@
+package x509
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+)
+
+// 从 PEM 编码的证书字符串解析并返回一个 x509.Certificate 对象。
+//
+// 入参:
+//   - certPem: 证书 PEM 内容。
+//
+// 出参:
+//   - cert:
+//   - err:
+func ParseCertificateFromPEM(certPem string) (cert *x509.Certificate, err error) {
+	pemData := []byte(certPem)
+
+	block, _ := pem.Decode(pemData)
+	if block == nil {
+		return nil, fmt.Errorf("failed to decode PEM block")
+	}
+
+	cert, err = x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse certificate: %w", err)
+	}
+
+	return cert, nil
+}
+
+// 比较两个 x509.Certificate 对象，判断它们是否是同一张证书。
+// 注意，这不是精确比较，而只是基于证书序列号和数字签名的快速判断，但对于权威 CA 签发的证书来说不会存在误判。
+//
+// 入参:
+//   - a: 待比较的第一个 x509.Certificate 对象。
+//   - b: 待比较的第二个 x509.Certificate 对象。
+//
+// 出参:
+//   - 是否相同。
+func EqualCertificate(a, b *x509.Certificate) bool {
+	return string(a.Signature) == string(b.Signature) &&
+		a.SignatureAlgorithm == b.SignatureAlgorithm &&
+		a.SerialNumber.String() == b.SerialNumber.String() &&
+		a.Issuer.SerialNumber == b.Issuer.SerialNumber &&
+		a.Subject.SerialNumber == b.Subject.SerialNumber
+}