From d21c1baf70e60ab03b75065cf9946e138660fc53 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Tue, 10 Dec 2013 09:18:59 -0500
Subject: [PATCH] Create self-signed certificates with x509v3 extensions

This will allow us to use the CA:FALSE extension, enabling us to safely store the generated certificates into the trust store automatically.
---
 pegasus-2.13.0-SSLGeneration.patch | 167 +++++++++++++++++++++++++++++
 tog-pegasus.spec | 31 +++++-
 2 files changed, 196 insertions(+), 2 deletions(-)
 create mode 100644 pegasus-2.13.0-SSLGeneration.patch

diff --git a/pegasus-2.13.0-SSLGeneration.patch b/pegasus-2.13.0-SSLGeneration.patch
new file mode 100644
index 0000000..384f521
--- /dev/null
+++ b/pegasus-2.13.0-SSLGeneration.patch
@@ -0,0 +1,167 @@
+From 3a3e6ecb1ab65513625732e11a0da2b42328107b Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher
+Date: Tue, 10 Dec 2013 09:09:58 -0500
+Subject: [PATCH] Update SSL certificate generation
+
+We will now generate x509v3 certificates with the CA:FALSE
+constraint. This will allow us to automatically load it into a
+local trust store safely. In order to do this, instead of creating
+a true self-signed certificate, we will generate a private CA
+certificate and sign the service with that.
+---
+ rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec | 118 +++++++++++++++++++------
+ 1 file changed, 89 insertions(+), 29 deletions(-)
+ mode change 100644 => 100755 rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
+
+diff --git a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
+old mode 100644
+new mode 100755
+index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77bda15278e
+--- a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
++++ b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
+@@ -4,22 +4,31 @@
+ # Creates a default ssl.cnf file.
+ # Generates a self-signed certificate for use by the cimserver.
+ #
+-cnfChanged=0;
+-if [ !
-e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
+- mkdir -p ${PEGASUS_INSTALL_LOG%/*}
+- mkdir -p $PEGASUS_CONFIG_DIR
+- echo "[ req ]" > $PEGASUS_CONFIG_DIR/ssl.cnf
++
++ function create_ssl_cnf #(config_file, CN)
++ {
++ SSL_CFG=$1
++ CA=$2 # Add a second argument to differentiate issuer from subject
++
++ # Create OpenSSL configuration files for generating certificates
++ echo "[ req ]" > $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "distinguished_name = req_distinguished_name" >> \
+- $PEGASUS_CONFIG_DIR/ssl.cnf
+- echo "prompt = no" >> $PEGASUS_CONFIG_DIR/ssl.cnf
+- echo "[ req_distinguished_name ]" >> $PEGASUS_CONFIG_DIR/ssl.cnf
+- echo "C = UK" >> $PEGASUS_CONFIG_DIR/ssl.cnf
+- echo "ST = Berkshire" >> $PEGASUS_CONFIG_DIR/ssl.cnf
+- echo "L = Reading" >> $PEGASUS_CONFIG_DIR/ssl.cnf
++ $PEGASUS_CONFIG_DIR/$SSL_CFG
++ echo "prompt = no" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
++
++ # Include support for x509v3 so we can differentiate CA certificates
++ # from service certificates
++ echo "req_extensions = v3_req" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
++ echo "x509_extensions = v3_ca" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
++
++ echo "[ req_distinguished_name ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
++ echo "C = UK" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
++ echo "ST = Berkshire" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
++ echo "L = Reading" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "O = The Open Group" >> \
+- $PEGASUS_CONFIG_DIR/ssl.cnf
++ $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "OU = The OpenPegasus Project" >> \
+- $PEGASUS_CONFIG_DIR/ssl.cnf
++ $PEGASUS_CONFIG_DIR/$SSL_CFG
+ DN=`hostname`;
+ if [ -z "$DN" ] || [ "$DN" = "(none)" ]; then
+ DN='localhost.localdomain';
+@@ -30,30 +39,81 @@ if [ !
-e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
+ FQDN="$DN";
+ fi;
+ # cannot use 'hostname --fqdn' because this can hang indefinitely
+- echo "CN = $FQDN" >> $PEGASUS_CONFIG_DIR/ssl.cnf
+- chmod 400 $PEGASUS_CONFIG_DIR/ssl.cnf
+- chown root $PEGASUS_CONFIG_DIR/ssl.cnf
+- chgrp root $PEGASUS_CONFIG_DIR/ssl.cnf
++ # Hack the $CA onto the end of the CN so we differentiate the issuer
++ # of the signature from the subject
++ echo "CN = $FQDN$CA" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
++
++ # Add x509v3 extensions
++ echo "[ v3_req ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
++ echo "basicConstraints = CA:FALSE" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
++ echo "[ v3_ca ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
++ echo "subjectKeyIdentifier=hash" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
++ echo "authorityKeyIdentifier=keyid:always,issuer" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
++ echo "basicConstraints = CA:TRUE" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
++}
++
++cnfChanged=0;
++if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
++ mkdir -p ${PEGASUS_INSTALL_LOG%/*}
++ mkdir -p $PEGASUS_CONFIG_DIR
++
++ create_ssl_cnf ssl-ca.cnf CA
++ create_ssl_cnf ssl-service.cnf
++
++ chmod 400 $PEGASUS_CONFIG_DIR/ssl-*.cnf
++ chown root $PEGASUS_CONFIG_DIR/ssl-*.cnf
++ chgrp root $PEGASUS_CONFIG_DIR/ssl-*.cnf
+ cnfChanged=1;
+ fi
+ if [ $cnfChanged -eq 1 ] || \
+ [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE ] || \
+ [ !
-e $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE ]; then
+- /usr/bin/openssl req -x509 -days 3650 -newkey rsa:2048 \
+- -nodes -config $PEGASUS_CONFIG_DIR/ssl.cnf \
+- -keyout $PEGASUS_PEM_DIR/key.pem \
+- -out $PEGASUS_PEM_DIR/cert.pem 2>>$PEGASUS_INSTALL_LOG
+- chmod 700 $PEGASUS_PEM_DIR/*.pem
+- cp -fp $PEGASUS_PEM_DIR/cert.pem \
+- $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE
+- cp -fp $PEGASUS_PEM_DIR/key.pem \
+- $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE
++ # Create private key for the CA certificate
++ /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/ca-key.pem 2048
++
++ # Create CA certificate:
++ /usr/bin/openssl req -new -x509 -days 3650 \
++ -key $PEGASUS_PEM_DIR/ca-key.pem \
++ -out $PEGASUS_PEM_DIR/ca.crt \
++ -config $PEGASUS_CONFIG_DIR/ssl-ca.cnf
++
++ # Create private key for the service certificate
++ /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE 2048
++
++ # Create a signing request for the service certificate
++ /usr/bin/openssl req -new \
++ -config $PEGASUS_CONFIG_DIR/ssl-service.cnf \
++ -key $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE \
++ -out $PEGASUS_PEM_DIR/server.csr
++
++ # Sign the request with the CA certificate
++ /usr/bin/openssl x509 -req -days 3650 \
++ -in $PEGASUS_PEM_DIR/server.csr \
++ -CA $PEGASUS_PEM_DIR/ca.crt \
++ -CAkey $PEGASUS_PEM_DIR/ca-key.pem \
++ -CAcreateserial \
++ -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE \
++ -extfile $PEGASUS_CONFIG_DIR/ssl-ca.cnf
++
++ # Set file permissions appropriately
+ chmod 400 $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE
+- chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE
+- rm -f $PEGASUS_PEM_DIR/key.pem $PEGASUS_PEM_DIR/cert.pem
++ chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE
++
++ # Remove the certificate signing request
++ # It is not needed after the signature is complete
++ rm -f $PEGASUS_PEM_DIR/server.csr
++
++ # Remove the private key for the CA certificate
++ # This will ensure that it cannot be used to sign any other
++ # (possibly suspicious) certificates
++ # This does
mean that generating a new certificate for this
++ # service will need a new CA cert, but most real deployments
++ # will use real infrastructure.
++ rm -f $PEGASUS_PEM_DIR/ca-key.pem
++
+ fi;
+ if [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE ]; then
+- cp -fp $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE \
++ cp -fp $PEGASUS_PEM_DIR/ca.crt \
+ $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE
+ chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE;
+ fi;
+--
+1.8.4.2
+
diff --git a/tog-pegasus.spec b/tog-pegasus.spec
index 29a3f5b..8ccb5ab 100644
--- a/tog-pegasus.spec
+++ b/tog-pegasus.spec
@@ -8,7 +8,7 @@ Name: tog-pegasus
 Version: %{major_ver}.0
-Release: 7%{?dist}
+Release: 8%{?dist}
 Epoch: 2
 Summary: OpenPegasus WBEM Services for Linux
@@ -81,11 +81,21 @@ Patch29: pegasus-2.13.0-enable-subscriptions-for-nonprivileged-users.patc
 BuildRequires: procps, libstdc++, pam-devel
 BuildRequires: openssl, openssl-devel
+# 30: Create x509v3 self-signed certificates with CA:FALSE
+Patch30: pegasus-2.13.0-SSLGeneration.patch
+
+BuildRequires: bash, sed, grep, coreutils, procps, gcc, gcc-c++
+BuildRequires: libstdc++, make, pam-devel
+BuildRequires: openssl-devel
 BuildRequires: net-snmp-devel, openslp-devel
 BuildRequires: systemd-units
-Requires: net-snmp-libs, openssl
+Requires: net-snmp-libs
 Requires: %{name}-libs = %{epoch}:%{version}-%{release}
+Requires: ca-certificates
 Provides: cim-server = 1
+Requires(post): /usr/bin/update-ca-trust
+Requires(post): /usr/bin/openssl
+Requires(post): /sbin/ldconfig
 %description
 OpenPegasus WBEM Services for Linux enables management solutions that deliver
@@ -112,6 +122,7 @@ Group: System Environment/Libraries
 Conflicts: libcmpiCppImpl0
 Requires(pre): /usr/sbin/useradd
 Requires(pre): /usr/sbin/groupadd
+Requires(post): /sbin/ldconfig
 %description libs
 The OpenPegasus libraries.
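Review bot: The guard `if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then` in the second hunk of the embedded patch still tests for the old config name while the branch now writes only `ssl-ca.cnf` and `ssl-service.cnf`, so on a host first installed with this version it fires on every run, sets `cnfChanged=1`, and regenerates the CA plus the service key and certificate each time — clobbering an operator-supplied `$PEGASUS_SSL_KEY_FILE`/`$PEGASUS_SSL_CERT_FILE` while an existing `$PEGASUS_SSL_TRUSTSTORE` still holds the previous CA; it should read `if [ ! -e $PEGASUS_CONFIG_DIR/ssl-service.cnf ]; then`. The leaf is then signed with `-extfile $PEGASUS_CONFIG_DIR/ssl-ca.cnf` and no `-extensions`, so `openssl x509 -req` takes extensions from that file's unnamed default section, which is empty, and the CA:FALSE the commit message promises never lands on the service certificate (`x509 -req` does not copy the CSR's requested extensions); use `-extfile $PEGASUS_CONFIG_DIR/ssl-service.cnf -extensions v3_req`, and consider adding `subjectAltName = DNS:$FQDN` to `[ v3_req ]` since the leaf currently carries no SAN. Both private keys are created by `openssl genrsa` under the scriptlet's inherited umask (the 1.0.x `genrsa` of this era does not tighten the mode itself) and only the service key is chmod'ed afterwards, so a `umask 077` at the top of the regeneration branch closes that window. Because the spec installs `ca.crt` as a system-wide trust anchor, adding `nameConstraints = critical, permitted;DNS:$FQDN` to `[ v3_ca ]` (where `$FQDN` is already in scope) would bound what this CA can vouch for even though its key is deleted at the end.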
@@ -212,6 +223,7 @@ yes | mak/CreateDmtfSchema 238 %{SOURCE9} cim_schema_2.38.0
 %patch27 -p1 -b .build-fix
 %patch28 -p0 -b .PG_ComputerSystem.CreationClassName
 %patch29 -p1 -b .enable-subscriptions-for-nonprivileged-users
+%patch30 -p1 -b .genssl
 %build
@@ -327,6 +339,12 @@ make prestarttests
 %ghost /etc/Pegasus/client.pem
 %ghost /etc/Pegasus/server.pem
 %ghost /etc/Pegasus/file.pem
+%ghost /etc/Pegasus/ca.crt
+%ghost /etc/Pegasus/ca.srl
+%ghost /etc/Pegasus/client.srl
+%ghost /etc/Pegasus/ssl-ca.cnf
+%ghost /etc/Pegasus/ssl-service.cnf
+%ghost /etc/pki/ca-trust/source/anchors/localhost-pegasus.pem
 %ghost %attr(0640, root, pegasus) /etc/Pegasus/cimserver_trust
 %ghost %attr(0640, root, pegasus) /etc/Pegasus/indication_trust
 %ghost %attr(0640, root, pegasus) /etc/Pegasus/crl
@@ -396,7 +414,12 @@ if [ $1 -ge 1 ]; then
 if [ ! -e /etc/Pegasus/ssl.cnf ] || [ ! -e /etc/Pegasus/server.pem ] || [ ! -e /etc/Pegasus/file.pem ] || [ ! -e /etc/Pegasus/client.pem ]; then
 if [ -x /usr/share/Pegasus/scripts/genOpenPegasusSSLCerts ]; then
+ # Create self-signed certificates for initial usage
 /usr/share/Pegasus/scripts/genOpenPegasusSSLCerts
+ # Add the self-signed certificate to the local trust store
+ cp /etc/Pegasus/ca.crt \
+ /etc/pki/ca-trust/source/anchors/localhost-pegasus.pem
+ /usr/bin/update-ca-trust extract
 fi;
 fi;
 fi
@@ -481,6 +504,10 @@ fi
 %changelog
+* Thu Mar 06 2014 Stephen Gallagher - 2:2.13.0-8
+- Generate SSL certificates with x509v3 and CA:FALSE
+- Automatically import self-signed certificates into local trust-store
+
 * Thu Jan 30 2014 Vitezslav Crhonek - 2:2.13.0-7
 - Add Platform_LINUX_XSCALE_GNU.h to -devel because of lmiwbem on arm
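Review bot: `%ghost /etc/pki/ca-trust/source/anchors/localhost-pegasus.pem` makes rpm delete the anchor file on erase, but nothing in this diff re-runs `update-ca-trust extract` afterwards, so unless a `%postun` outside the shown hunks does it, the consolidated bundles under `/etc/pki/ca-trust/extracted` keep trusting the package's private CA after `rpm -e`. A `%postun` that, when `$1 -eq 0`, runs `rm -f /etc/pki/ca-trust/source/anchors/localhost-pegasus.pem` followed by `/usr/bin/update-ca-trust extract` (with a matching `Requires(postun): /usr/bin/update-ca-trust`) would close that gap. `%ghost /etc/Pegasus/client.srl` also does not correspond to anything the embedded script writes — it only creates `ca.srl` via `-CAcreateserial` — so if no other scriptlet produces it the entry is dead.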
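Review bot: The file copied to `/etc/pki/ca-trust/source/anchors/localhost-pegasus.pem` in `%post` is `/etc/Pegasus/ca.crt`, the `basicConstraints = CA:TRUE` issuer produced by the embedded script, not the CA:FALSE certificate the commit message and the `# Add the self-signed certificate` comment describe; after `update-ca-trust extract` every consumer of the ca-trust bundles on the host accepts anything chaining to that CA, which carries no name constraints even though the script deletes its key. The trigger `[ ! -e /etc/Pegasus/ssl.cnf ]` is also never satisfied by the new script, which writes `ssl-ca.cnf` and `ssl-service.cnf` instead, so on a host where this version created the certificates the whole branch — fresh CA, fresh server key, replaced anchor — re-runs on every upgrade where `$1 -ge 1`; test `[ ! -e /etc/Pegasus/ssl-service.cnf ]` instead. Rewording the comment to `# Add the generated private CA to the system trust store` would at least make the scope of trust being granted explicit. The enclosing `%post` block begins before this hunk.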