rpms/tog-pegasus
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Create self-signed certificates with x509v3 extensions

Browse Source 
This will allow us to use the CA:FALSE extension, enabling us to
safely store the generated certificates into the trust store
automatically.
This commit is contained in:
Stephen Gallagher 2013-12-10 09:18:59 -05:00
parent 6a27df9f05
commit d21c1baf70
2 changed files with 196 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

167
pegasus-2.13.0-SSLGeneration.patch Normal file
View File

@ -0,0 +1,167 @@
From 3a3e6ecb1ab65513625732e11a0da2b42328107b Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 10 Dec 2013 09:09:58 -0500
Subject: [PATCH] Update SSL certificate generation
We will now generate x509v3 certificates with the CA:FALSE
constraint. This will allow us to automatically load it into a
local trust store safely. In order to do this, instead of creating
a true self-signed certificate, we will generate a private CA
certificate and sign the service with that.
---
rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec | 118 +++++++++++++++++++------
1 file changed, 89 insertions(+), 29 deletions(-)
mode change 100644 => 100755 rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
diff --git a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
old mode 100644
new mode 100755
index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77bda15278e
--- a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
+++ b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
@@ -4,22 +4,31 @@
# Creates a default ssl.cnf file.
# Generates a self-signed certificate for use by the cimserver.
#
-cnfChanged=0;
-if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
- mkdir -p ${PEGASUS_INSTALL_LOG%/*}
- mkdir -p $PEGASUS_CONFIG_DIR
- echo "[ req ]" > $PEGASUS_CONFIG_DIR/ssl.cnf
+
+function create_ssl_cnf #(config_file, CN)
+{
+ SSL_CFG=$1
+ CA=$2 # Add a second argument to differentiate issuer from subject
+
+ # Create OpenSSL configuration files for generating certificates
+ echo "[ req ]" > $PEGASUS_CONFIG_DIR/$SSL_CFG
echo "distinguished_name = req_distinguished_name" >> \
- $PEGASUS_CONFIG_DIR/ssl.cnf
- echo "prompt = no" >> $PEGASUS_CONFIG_DIR/ssl.cnf
- echo "[ req_distinguished_name ]" >> $PEGASUS_CONFIG_DIR/ssl.cnf
- echo "C = UK" >> $PEGASUS_CONFIG_DIR/ssl.cnf
- echo "ST = Berkshire" >> $PEGASUS_CONFIG_DIR/ssl.cnf
- echo "L = Reading" >> $PEGASUS_CONFIG_DIR/ssl.cnf
+ $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "prompt = no" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+
+ # Include support for x509v3 so we can differentiate CA certificates
+ # from service certificates
+ echo "req_extensions = v3_req" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "x509_extensions = v3_ca" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+
+ echo "[ req_distinguished_name ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "C = UK" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "ST = Berkshire" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "L = Reading" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
echo "O = The Open Group" >> \
- $PEGASUS_CONFIG_DIR/ssl.cnf
+ $PEGASUS_CONFIG_DIR/$SSL_CFG
echo "OU = The OpenPegasus Project" >> \
- $PEGASUS_CONFIG_DIR/ssl.cnf
+ $PEGASUS_CONFIG_DIR/$SSL_CFG
DN=`hostname`;
if [ -z "$DN" ] || [ "$DN" = "(none)" ]; then
DN='localhost.localdomain';
@@ -30,30 +39,81 @@ if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
FQDN="$DN";
fi;
# cannot use 'hostname --fqdn' because this can hang indefinitely
- echo "CN = $FQDN" >> $PEGASUS_CONFIG_DIR/ssl.cnf
- chmod 400 $PEGASUS_CONFIG_DIR/ssl.cnf
- chown root $PEGASUS_CONFIG_DIR/ssl.cnf
- chgrp root $PEGASUS_CONFIG_DIR/ssl.cnf
+ # Hack the $CA onto the end of the CN so we differentiate the issuer
+ # of the signature from the subject
+ echo "CN = $FQDN$CA" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+
+ # Add x509v3 extensions
+ echo "[ v3_req ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "basicConstraints = CA:FALSE" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "[ v3_ca ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "subjectKeyIdentifier=hash" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "authorityKeyIdentifier=keyid:always,issuer" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "basicConstraints = CA:TRUE" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+}
+
+cnfChanged=0;
+if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
+ mkdir -p ${PEGASUS_INSTALL_LOG%/*}
+ mkdir -p $PEGASUS_CONFIG_DIR
+
+ create_ssl_cnf ssl-ca.cnf CA
+ create_ssl_cnf ssl-service.cnf
+
+ chmod 400 $PEGASUS_CONFIG_DIR/ssl-*.cnf
+ chown root $PEGASUS_CONFIG_DIR/ssl-*.cnf
+ chgrp root $PEGASUS_CONFIG_DIR/ssl-*.cnf
cnfChanged=1;
fi
if [ $cnfChanged -eq 1 ] || \
[ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE ] || \
[ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE ]; then
- /usr/bin/openssl req -x509 -days 3650 -newkey rsa:2048 \
- -nodes -config $PEGASUS_CONFIG_DIR/ssl.cnf \
- -keyout $PEGASUS_PEM_DIR/key.pem \
- -out $PEGASUS_PEM_DIR/cert.pem 2>>$PEGASUS_INSTALL_LOG
- chmod 700 $PEGASUS_PEM_DIR/*.pem
- cp -fp $PEGASUS_PEM_DIR/cert.pem \
- $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE
- cp -fp $PEGASUS_PEM_DIR/key.pem \
- $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE
+ # Create private key for the CA certificate
+ /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/ca-key.pem 2048
+
+ # Create CA certificate:
+ /usr/bin/openssl req -new -x509 -days 3650 \
+ -key $PEGASUS_PEM_DIR/ca-key.pem \
+ -out $PEGASUS_PEM_DIR/ca.crt \
+ -config $PEGASUS_CONFIG_DIR/ssl-ca.cnf
+
+ # Create private key for the service certificate
+ /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE 2048
+
+ # Create a signing request for the service certificate
+ /usr/bin/openssl req -new \
+ -config $PEGASUS_CONFIG_DIR/ssl-service.cnf \
+ -key $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE \
+ -out $PEGASUS_PEM_DIR/server.csr
+
+ # Sign the request with the CA certificate
+ /usr/bin/openssl x509 -req -days 3650 \
+ -in $PEGASUS_PEM_DIR/server.csr \
+ -CA $PEGASUS_PEM_DIR/ca.crt \
+ -CAkey $PEGASUS_PEM_DIR/ca-key.pem \
+ -CAcreateserial \
+ -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE \
+ -extfile $PEGASUS_CONFIG_DIR/ssl-ca.cnf
+
+ # Set file permissions appropriately
chmod 400 $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE
- chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE
- rm -f $PEGASUS_PEM_DIR/key.pem $PEGASUS_PEM_DIR/cert.pem
+ chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE
+
+ # Remove the certificate signing request
+ # It is not needed after the signature is complete
+ rm -f $PEGASUS_PEM_DIR/server.csr
+
+ # Remove the private key for the CA certificate
+ # This will ensure that it cannot be used to sign any other
+ # (possibly suspicious) certificates
+ # This does mean that generating a new certificate for this
+ # service will need a new CA cert, but most real deployments
+ # will use real infrastructure.
+ rm -f $PEGASUS_PEM_DIR/ca-key.pem
+
fi;
if [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE ]; then
- cp -fp $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE \
+ cp -fp $PEGASUS_PEM_DIR/ca.crt \
$PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE
chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE;
fi;
--
1.8.4.2

31
tog-pegasus.spec
View File

@ -8,7 +8,7 @@
Name: tog-pegasus
Version: %{major_ver}.0
Release: 7%{?dist}
Release: 8%{?dist}
Epoch: 2
Summary: OpenPegasus WBEM Services for Linux
@ -81,11 +81,21 @@ Patch29: pegasus-2.13.0-enable-subscriptions-for-nonprivileged-users.patc
BuildRequires: procps, libstdc++, pam-devel
BuildRequires: openssl, openssl-devel
# 30: Create x509v3 self-signed certificates with CA:FALSE
Patch30: pegasus-2.13.0-SSLGeneration.patch
BuildRequires: bash, sed, grep, coreutils, procps, gcc, gcc-c++
BuildRequires: libstdc++, make, pam-devel
BuildRequires: openssl-devel
BuildRequires: net-snmp-devel, openslp-devel
BuildRequires: systemd-units
Requires: net-snmp-libs, openssl
Requires: net-snmp-libs
Requires: %{name}-libs = %{epoch}:%{version}-%{release}
Requires: ca-certificates
Provides: cim-server = 1
Requires(post): /usr/bin/update-ca-trust
Requires(post): /usr/bin/openssl
Requires(post): /sbin/ldconfig
%description
OpenPegasus WBEM Services for Linux enables management solutions that deliver
@ -112,6 +122,7 @@ Group: System Environment/Libraries
Conflicts: libcmpiCppImpl0
Requires(pre): /usr/sbin/useradd
Requires(pre): /usr/sbin/groupadd
Requires(post): /sbin/ldconfig
%description libs
The OpenPegasus libraries.
@ -212,6 +223,7 @@ yes | mak/CreateDmtfSchema 238 %{SOURCE9} cim_schema_2.38.0
%patch27 -p1 -b .build-fix
%patch28 -p0 -b .PG_ComputerSystem.CreationClassName
%patch29 -p1 -b .enable-subscriptions-for-nonprivileged-users
%patch30 -p1 -b .genssl
%build
@ -327,6 +339,12 @@ make prestarttests
%ghost /etc/Pegasus/client.pem
%ghost /etc/Pegasus/server.pem
%ghost /etc/Pegasus/file.pem
%ghost /etc/Pegasus/ca.crt
%ghost /etc/Pegasus/ca.srl
%ghost /etc/Pegasus/client.srl
%ghost /etc/Pegasus/ssl-ca.cnf
%ghost /etc/Pegasus/ssl-service.cnf
%ghost /etc/pki/ca-trust/source/anchors/localhost-pegasus.pem
%ghost %attr(0640, root, pegasus) /etc/Pegasus/cimserver_trust
%ghost %attr(0640, root, pegasus) /etc/Pegasus/indication_trust
%ghost %attr(0640, root, pegasus) /etc/Pegasus/crl
@ -396,7 +414,12 @@ if [ $1 -ge 1 ]; then
if [ ! -e /etc/Pegasus/ssl.cnf ] || [ ! -e /etc/Pegasus/server.pem ] ||
[ ! -e /etc/Pegasus/file.pem ] || [ ! -e /etc/Pegasus/client.pem ]; then
if [ -x /usr/share/Pegasus/scripts/genOpenPegasusSSLCerts ]; then
# Create self-signed certificates for initial usage
/usr/share/Pegasus/scripts/genOpenPegasusSSLCerts
# Add the self-signed certificate to the local trust store
cp /etc/Pegasus/ca.crt \
/etc/pki/ca-trust/source/anchors/localhost-pegasus.pem
/usr/bin/update-ca-trust extract
fi;
fi;
fi
@ -481,6 +504,10 @@ fi
%changelog
* Thu Mar 06 2014 Stephen Gallagher <sgallagh@redhat.com> - 2:2.13.0-8
- Generate SSL certificates with x509v3 and CA:FALSE
- Automatically import self-signed certificates into local trust-store
* Thu Jan 30 2014 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.13.0-7
- Add Platform_LINUX_XSCALE_GNU.h to -devel because of lmiwbem on arm