tog-pegasus/pegasus-2.13.0-SSLGeneration.patch


From 75b27360143b05626e3962a74b17ddba919c080b Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Mon, 18 Aug 2014 16:40:46 -0400
Subject: [PATCH] Update SSL certificate generation
We will now generate x509v3 certificates with the CA:FALSE
constraint. This will allow us to automatically load it into a
local trust store safely. In order to do this, instead of creating
a true self-signed certificate, we will generate a private CA
certificate and sign the service certificate with that.
---
rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec | 136 +++++++++++++++++++------
1 file changed, 107 insertions(+), 29 deletions(-)
diff --git a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
index 81e6635936b77ddc486b217260fba59b23cf2a20..377b82d7a0bd3f42b1e58b0a795b2e628365dd36 100644
--- a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
+++ b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
@@ -4,22 +4,31 @@
# Creates a default ssl.cnf file.
# Generates a self-signed certificate for use by the cimserver.
#
-cnfChanged=0;
-if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
- mkdir -p ${PEGASUS_INSTALL_LOG%/*}
- mkdir -p $PEGASUS_CONFIG_DIR
- echo "[ req ]" > $PEGASUS_CONFIG_DIR/ssl.cnf
+
+function create_ssl_cnf #(config_file, CN)
+{
+ SSL_CFG=$1
+ CA=$2 # Add a second argument to differentiate issuer from subject
+
+ # Create OpenSSL configuration files for generating certificates
+ echo "[ req ]" > $PEGASUS_CONFIG_DIR/$SSL_CFG
echo "distinguished_name = req_distinguished_name" >> \
- $PEGASUS_CONFIG_DIR/ssl.cnf
- echo "prompt = no" >> $PEGASUS_CONFIG_DIR/ssl.cnf
- echo "[ req_distinguished_name ]" >> $PEGASUS_CONFIG_DIR/ssl.cnf
- echo "C = UK" >> $PEGASUS_CONFIG_DIR/ssl.cnf
- echo "ST = Berkshire" >> $PEGASUS_CONFIG_DIR/ssl.cnf
- echo "L = Reading" >> $PEGASUS_CONFIG_DIR/ssl.cnf
+ $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "prompt = no" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+
+ # Include support for x509v3 so we can differentiate CA certificates
+ # from service certificates
+ echo "req_extensions = v3_req" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "x509_extensions = v3_ca" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+
+ echo "[ req_distinguished_name ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "C = UK" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "ST = Berkshire" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "L = Reading" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
echo "O = The Open Group" >> \
- $PEGASUS_CONFIG_DIR/ssl.cnf
+ $PEGASUS_CONFIG_DIR/$SSL_CFG
echo "OU = The OpenPegasus Project" >> \
- $PEGASUS_CONFIG_DIR/ssl.cnf
+ $PEGASUS_CONFIG_DIR/$SSL_CFG
DN=`hostname`;
if [ -z "$DN" ] || [ "$DN" = "(none)" ]; then
DN='localhost.localdomain';
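Review bot: `x509_extensions = v3_ca` (the line following `req_extensions = v3_req`) is emitted into every config this function writes, including ssl-service.cnf, because no statement in the body is conditional on `$CA`; the service config therefore declares the CA:TRUE section as well, and only the absence of `-x509` on the service request keeps it inert. Guarding that one line, `[ -n "$CA" ] && echo "x509_extensions = v3_ca" >> $PEGASUS_CONFIG_DIR/$SSL_CFG`, keeps the service config from ever describing a CA if the consumer is changed later. The `#(config_file, CN)` signature comment also mislabels the second argument, which is a suffix appended to the hostname-derived CN to distinguish issuer from subject rather than the CN itself; `#(config_file, cn_suffix)` matches the body. The function body continues past this hunk and is closed in the next one.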
@@ -30,30 +39,99 @@ if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
FQDN="$DN";
fi;
# cannot use 'hostname --fqdn' because this can hang indefinitely
- echo "CN = $FQDN" >> $PEGASUS_CONFIG_DIR/ssl.cnf
- chmod 400 $PEGASUS_CONFIG_DIR/ssl.cnf
- chown root $PEGASUS_CONFIG_DIR/ssl.cnf
- chgrp root $PEGASUS_CONFIG_DIR/ssl.cnf
+ # Hack the $CA onto the end of the CN so we differentiate the issuer
+ # of the signature from the subject
+ echo "CN = $FQDN$CA" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+
+ # Add x509v3 extensions
+ echo "[ v3_req ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "basicConstraints = CA:FALSE" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "[ v3_ca ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "subjectKeyIdentifier=hash" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "authorityKeyIdentifier=keyid:always,issuer" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "basicConstraints = CA:TRUE" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+}
+
+cnfChanged=0;
+if [ ! -e $PEGASUS_CONFIG_DIR/ssl-ca.cnf ] ||
+ [ ! -e $PEGASUS_CONFIG_DIR/ssl-service.cnf ] ||
+ [ ! -e $PEGASUS_CONFIG_DIR/server.pem ] ||
+ [ ! -e $PEGASUS_CONFIG_DIR/file.pem ] ||
+ [ ! -e $PEGASUS_CONFIG_DIR/client.pem ]; then
+
+ mkdir -p ${PEGASUS_INSTALL_LOG%/*}
+ mkdir -p $PEGASUS_CONFIG_DIR
+
+ create_ssl_cnf ssl-ca.cnf CA
+ create_ssl_cnf ssl-service.cnf
+
+ chmod 400 $PEGASUS_CONFIG_DIR/ssl-*.cnf
+ chown root $PEGASUS_CONFIG_DIR/ssl-*.cnf
+ chgrp root $PEGASUS_CONFIG_DIR/ssl-*.cnf
cnfChanged=1;
fi
if [ $cnfChanged -eq 1 ] || \
[ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE ] || \
[ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE ]; then
- /usr/bin/openssl req -x509 -days 3650 -newkey rsa:2048 \
- -nodes -config $PEGASUS_CONFIG_DIR/ssl.cnf \
- -keyout $PEGASUS_PEM_DIR/key.pem \
- -out $PEGASUS_PEM_DIR/cert.pem 2>>$PEGASUS_INSTALL_LOG
- chmod 700 $PEGASUS_PEM_DIR/*.pem
- cp -fp $PEGASUS_PEM_DIR/cert.pem \
- $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE
- cp -fp $PEGASUS_PEM_DIR/key.pem \
- $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE
+
+ # Restrict access of the key to root
+ OLDUMASK=`umask`
+ umask 0077
+
+ # Create private key for the CA certificate
+ TMPKEY=`mktemp --tmpdir=$PEGASUS_PEM_DIR XXXXXXXXXXXX`
+
+ /usr/bin/openssl genrsa -out $TMPKEY 2048
+
+ # Restore the umask for the other files
+ umask $OLDUMASK
+
+ # Create CA certificate:
+ /usr/bin/openssl req -new -x509 -days 3650 \
+ -config $PEGASUS_CONFIG_DIR/ssl-ca.cnf \
+ -key $TMPKEY \
+ -out $PEGASUS_PEM_DIR/ca.crt \
+
+ # Create private key for the service certificate
+ /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE 2048
+
+ # Create a signing request for the service certificate
+ /usr/bin/openssl req -new \
+ -config $PEGASUS_CONFIG_DIR/ssl-service.cnf \
+ -key $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE \
+ -out $PEGASUS_PEM_DIR/server.csr
+
+ # Sign the request with the CA certificate
+ /usr/bin/openssl x509 -req -days 3650 \
+ -in $PEGASUS_PEM_DIR/server.csr \
+ -CA $PEGASUS_PEM_DIR/ca.crt \
+ -CAkey $TMPKEY \
+ -CAcreateserial \
+ -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE \
+ -extfile $PEGASUS_CONFIG_DIR/ssl-ca.cnf
+
+ # Set file permissions appropriately
chmod 400 $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE
- chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE
- rm -f $PEGASUS_PEM_DIR/key.pem $PEGASUS_PEM_DIR/cert.pem
+ chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE
+
+ # Remove the certificate signing request
+ # It is not needed after the signature is complete
+ rm -f $PEGASUS_PEM_DIR/server.csr
+
+ # Remove the private key for the CA certificate
+ # This will ensure that it cannot be used to sign any other
+ # (possibly suspicious) certificates
+ # This does mean that generating a new certificate for this
+ # service will need a new CA cert, but most real deployments
+ # will use real infrastructure.
+ # This does not impart perfect security; there is a fairly
+ # long race here between the key generation and its deletion.
+ # The random filename should significantly mitigate this.
+ rm -f $TMPKEY
+
fi;
if [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE ]; then
- cp -fp $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE \
+ cp -fp $PEGASUS_PEM_DIR/ca.crt \
$PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE
chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE;
fi;
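Review bot: The signing step ends with `-extfile $PEGASUS_CONFIG_DIR/ssl-ca.cnf` but passes no `-extensions` section, and as far as I can tell openssl x509 then looks for an `extensions` key in the unnamed default section, which is empty here because the file opens with `[ req ]`; the signed service certificate would then carry no basicConstraints at all (openssl x509 -req of this generation does not copy the CSR's v3_req extensions), which defeats the CA:FALSE goal stated in the commit message. Changing the last option to `-extfile $PEGASUS_CONFIG_DIR/ssl-service.cnf \` followed by `-extensions v3_req`, and confirming with `openssl x509 -in $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE -text -noout`, would settle it. Separately, `umask $OLDUMASK` is restored before the second `genrsa` writes `$PEGASUS_SSL_KEY_FILE`, so the service key exists with the ambient umask until the `chmod 400` after signing; moving the umask restore below that genrsa closes the window. Minor: `-CAcreateserial` leaves a ca.srl file that is not cleaned up with server.csr and `$TMPKEY`, and the trailing `\` after `-out $PEGASUS_PEM_DIR/ca.crt` before a blank line is a stray continuation.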
--
2.1.0