Update OpenSSL certificates set up

Resolves: RHEL-81721
2025-04-11 08:08:18 +02:00 · 2025-04-11 08:08:18 +02:00 · 7fa1ece915
commit 7fa1ece915
parent d71a31ac6d
2 changed files with 181 additions and 0 deletions
--- a/pegasus-2.14.1-ssl-certs-gen-changes.patch
+++ b/pegasus-2.14.1-ssl-certs-gen-changes.patch
@ -0,0 +1,175 @@
+diff -up pegasus/Makefile.Release.orig pegasus/Makefile.Release
+--- pegasus/Makefile.Release.orig	2025-04-02 09:41:58.144585088 +0200
+++ pegasus/Makefile.Release	2025-04-02 09:50:05.938271446 +0200
+@@ -446,6 +446,10 @@ stage_genOpenPegasusSSLCertsFile: FORCE
+              $(PEGASUS_STAGING_DIR)$(PEGASUS_SCRIPT_DIR)/genOpenPegasusSSLCerts
+ 	@$(ECHO-E) "#" >> \
+              $(PEGASUS_STAGING_DIR)$(PEGASUS_SCRIPT_DIR)/genOpenPegasusSSLCerts
+	@$(ECHO-E) "set -e" >> \
+             $(PEGASUS_STAGING_DIR)$(PEGASUS_SCRIPT_DIR)/genOpenPegasusSSLCerts
+	@$(ECHO-E) "#" >> \
+             $(PEGASUS_STAGING_DIR)$(PEGASUS_SCRIPT_DIR)/genOpenPegasusSSLCerts
+ 	@$(ECHO-E) "PEGASUS_PEM_DIR=$(PEGASUS_PEM_DIR)" >> \
+              $(PEGASUS_STAGING_DIR)$(PEGASUS_SCRIPT_DIR)/genOpenPegasusSSLCerts
+ 	@$(ECHO-E) "PEGASUS_CONFIG_DIR=$(PEGASUS_CONFIG_DIR)" >> \
+@@ -458,6 +462,8 @@ stage_genOpenPegasusSSLCertsFile: FORCE
+              $(PEGASUS_STAGING_DIR)$(PEGASUS_SCRIPT_DIR)/genOpenPegasusSSLCerts
+ 	@$(ECHO-E) "PEGASUS_SSL_TRUSTSTORE=$(PEGASUS_SSL_TRUSTSTORE)" >> \
+              $(PEGASUS_STAGING_DIR)$(PEGASUS_SCRIPT_DIR)/genOpenPegasusSSLCerts
+	@$(ECHO-E) "DAYS=3650" >> \
+             $(PEGASUS_STAGING_DIR)$(PEGASUS_SCRIPT_DIR)/genOpenPegasusSSLCerts
+ 	@$(CAT) $(ROOT)/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec >> \
+              $(PEGASUS_STAGING_DIR)$(PEGASUS_SCRIPT_DIR)/genOpenPegasusSSLCerts
+ 
+diff -up pegasus/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec.orig pegasus/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
+--- pegasus/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec.orig	2014-09-10 18:15:40.000000000 +0200
+++ pegasus/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec	2025-04-02 09:54:27.678967236 +0200
+@@ -29,16 +29,6 @@ function create_ssl_cnf #(config_file, C
+             $PEGASUS_CONFIG_DIR/$SSL_CFG
+     echo "OU                     = The OpenPegasus Project" >> \
+             $PEGASUS_CONFIG_DIR/$SSL_CFG
+-    DN=`hostname`;
+-    if [ -z "$DN" ] || [ "$DN" = "(none)" ]; then
+-            DN='localhost.localdomain';
+-    fi;
+-    FQDN=`{ host -W1 $DN 2>/dev/null || echo "$DN has address "; } |\
+-            grep 'has address' | head -1 | sed 's/\ .*$//'`;
+-    if [ -z "$FQDN" ] ; then
+-        FQDN="$DN";
+-    fi;
+-    # cannot use 'hostname --fqdn' because this can hang indefinitely
+     # Hack the $CA onto the end of the CN so we differentiate the issuer
+     # of the signature from the subject
+     echo "CN                     = $FQDN$CA"  >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+@@ -52,27 +42,26 @@ function create_ssl_cnf #(config_file, C
+     echo "basicConstraints = CA:TRUE" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ }
+ 
+-cnfChanged=0;
+-if [ ! -e $PEGASUS_CONFIG_DIR/ssl-ca.cnf ] ||
+-   [ ! -e $PEGASUS_CONFIG_DIR/ssl-service.cnf ] ||
+-   [ ! -e $PEGASUS_CONFIG_DIR/server.pem ] ||
+-   [ ! -e $PEGASUS_CONFIG_DIR/file.pem ]  ||
+-   [ ! -e $PEGASUS_CONFIG_DIR/client.pem ]; then
+-
+-    mkdir -p ${PEGASUS_INSTALL_LOG%/*}
+-    mkdir -p $PEGASUS_CONFIG_DIR
+function selfsign_sscg()
+{
+    sscg --quiet \
+         --lifetime "${DAYS}" \
+         --cert-key-file "${PEGASUS_PEM_DIR}"/"${PEGASUS_SSL_KEY_FILE}" \
+         --cert-file "${PEGASUS_PEM_DIR}/${PEGASUS_SSL_CERT_FILE}" \
+         --ca-file "${PEGASUS_PEM_DIR}"/ca.crt \
+         --hostname "${FQDN}" \
+         --country "UK" \
+         --state "Berkshire" \
+         --locality "Reading" \
+         --organization "The Open Group" \
+         --organizational-unit "The OpenPegasus Project"
+}
+ 
+-    create_ssl_cnf ssl-ca.cnf CA
+-    create_ssl_cnf ssl-service.cnf
+-
+-    chmod 400 $PEGASUS_CONFIG_DIR/ssl-*.cnf
+-    chown root $PEGASUS_CONFIG_DIR/ssl-*.cnf
+-    chgrp root $PEGASUS_CONFIG_DIR/ssl-*.cnf
+-    cnfChanged=1;
+-fi
+-if [ $cnfChanged -eq 1 ] || \
+-         [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE ] || \
+-         [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE ]; then
+function selfsign_openssl()
+{
+    # Get minimum RSA key length at current security level
+    # This workarounds openssl not enforcing min. key length enforced by current security level
+    KEYSIZE=`grep min_rsa_size /etc/crypto-policies/state/CURRENT.pol | cut -d ' ' -f 3`
+ 
+     # Restrict access of the key to root
+     OLDUMASK=`umask`
+@@ -81,28 +70,34 @@ if [ $cnfChanged -eq 1 ] || \
+     # Create private key for the CA certificate
+     TMPKEY=`mktemp --tmpdir=$PEGASUS_PEM_DIR XXXXXXXXXXXX`
+ 
+-    /usr/bin/openssl genrsa -out $TMPKEY 2048
+    /usr/bin/openssl genrsa -out $TMPKEY $KEYSIZE
+ 
+     # Restore the umask for the other files
+     umask $OLDUMASK
+ 
+     # Create CA certificate:
+-    /usr/bin/openssl req -new -x509 -days 3650 \
+-                         -config $PEGASUS_CONFIG_DIR/ssl-ca.cnf \
+    # Hack the $CA onto the end of the CN so we differentiate the issuer
+    # of the signature from the subject
+    /usr/bin/openssl req -new -x509 -days $DAYS \
+                         -subj "/C=UK/ST=Berkshire/L=Reading/O=The Open Group/OU=The OpenPegasus Project/CN=${FQDN}CA" \
+                         -addext "subjectKeyIdentifier = hash" \
+                         -addext "authorityKeyIdentifier = keyid:always,issuer" \
+                         -addext "basicConstraints = CA:TRUE" \
+                          -key $TMPKEY \
+                          -out $PEGASUS_PEM_DIR/ca.crt \
+ 
+     # Create private key for the service certificate
+-    /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE 2048
+    /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE $KEYSIZE
+ 
+     # Create a signing request for the service certificate
+     /usr/bin/openssl req -new \
+-                         -config $PEGASUS_CONFIG_DIR/ssl-service.cnf \
+                         -subj "/C=UK/ST=Berkshire/L=Reading/O=The Open Group/OU=The OpenPegasus Project/CN=$FQDN" \
+                         -addext "basicConstraints = CA:FALSE" \
+                          -key $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE \
+                          -out $PEGASUS_PEM_DIR/server.csr
+ 
+     # Sign the request with the CA certificate
+-    /usr/bin/openssl x509 -req -days 3650 \
+    /usr/bin/openssl x509 -req -days $DAYS \
+                           -in $PEGASUS_PEM_DIR/server.csr \
+                           -CA $PEGASUS_PEM_DIR/ca.crt \
+                           -CAkey $TMPKEY \
+@@ -128,6 +123,43 @@ if [ $cnfChanged -eq 1 ] || \
+     # long race here between the key generation and its deletion.
+     # The random filename should significantly mitigate this.
+     rm -f $TMPKEY
+}
+
+cnfChanged=0;
+if [ ! -e $PEGASUS_CONFIG_DIR/ssl-ca.cnf ] ||
+   [ ! -e $PEGASUS_CONFIG_DIR/ssl-service.cnf ] ||
+   [ ! -e $PEGASUS_CONFIG_DIR/server.pem ] ||
+   [ ! -e $PEGASUS_CONFIG_DIR/file.pem ]  ||
+   [ ! -e $PEGASUS_CONFIG_DIR/client.pem ]; then
+
+    mkdir -p ${PEGASUS_INSTALL_LOG%/*}
+    mkdir -p $PEGASUS_CONFIG_DIR
+
+    DN=`hostname`;
+    if [ -z "$DN" ] || [ "$DN" = "(none)" ]; then
+            DN='localhost.localdomain';
+    fi;
+    FQDN=`{ host -W1 $DN 2>/dev/null || echo "$DN has address "; } |\
+            grep 'has address' | head -1 | sed 's/\ .*$//'`;
+    if [ -z "$FQDN" ] ; then
+        FQDN="$DN";
+    fi;
+    # cannot use 'hostname --fqdn' because this can hang indefinitely
+
+    create_ssl_cnf ssl-ca.cnf CA
+    create_ssl_cnf ssl-service.cnf
+
+    chmod 400 $PEGASUS_CONFIG_DIR/ssl-*.cnf
+    chown root $PEGASUS_CONFIG_DIR/ssl-*.cnf
+    chgrp root $PEGASUS_CONFIG_DIR/ssl-*.cnf
+    cnfChanged=1;
+fi
+if [ $cnfChanged -eq 1 ] || \
+         [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE ] || \
+         [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE ]; then
+
+    # If sscg fails, try openssl
+    selfsign_sscg || selfsign_openssl
+ 
+ fi;
+ if [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE ]; then
--- a/tog-pegasus.spec
+++ b/tog-pegasus.spec
@ -106,6 +106,9 @@ Patch44:        pegasus-2.14.1-crypto-policy-compliance.patch
 Patch45:        pegasus-2.14.1-add-pegwsmserver-to-ldd-libs.patch
 # 46: Remove DES support.
 Patch46:        pegasus-snmp-disable-des.patch
+# 47: use sscg to generate cert, openssl as fallback, obtain correct key length
+#  based upon crypto policy level
+Patch47:        pegasus-2.14.1-ssl-certs-gen-changes.patch

 BuildRequires:  procps, libstdc++, pam-devel
 BuildRequires:  openssl, openssl-devel
@ -260,6 +263,7 @@ yes | mak/CreateDmtfSchema 238 %{SOURCE9} cim_schema_2.38.0
 %patch -P44 -p1 -b .crypto-policy-compliance
 %patch -P45 -p1 -b .add-pegwsmserver-to-ldd-libs
 %patch -P46 -p1 -b .snmp-disable-des
+%patch -P47 -p1 -b .ssl-certs-gen-changes


 %build
@ -562,6 +566,8 @@ fi

 %changelog
 * Fri Apr 11 2025 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.14.1-65
+- Update OpenSSL certificates set up
+  Resolves: RHEL-81721
 - Remove deprecated path from systemd service file
  Resolves: RHEL-81716