Increase security of generating SSL certificates

2014-09-01 15:55:43 +02:00 · 2014-09-01 15:55:43 +02:00 · df20b47072
commit df20b47072
parent 3788876163
2 changed files with 36 additions and 18 deletions
--- a/pegasus-2.13.0-SSLGeneration.patch
+++ b/pegasus-2.13.0-SSLGeneration.patch
@ -1,6 +1,6 @@
-From 3a3e6ecb1ab65513625732e11a0da2b42328107b Mon Sep 17 00:00:00 2001
+From 75b27360143b05626e3962a74b17ddba919c080b Mon Sep 17 00:00:00 2001
 From: Stephen Gallagher <sgallagh@redhat.com>
-Date: Tue, 10 Dec 2013 09:09:58 -0500
+Date: Mon, 18 Aug 2014 16:40:46 -0400
 Subject: [PATCH] Update SSL certificate generation

 We will now generate x509v3 certificates with the CA:FALSE
@ -9,14 +9,11 @@ local trust store safely. In order to do this, instead of creating
 a true self-signed certificate, we will generate a private CA
 certificate and sign the service with that.
 ---
- rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec | 118 +++++++++++++++++++------
- 1 file changed, 89 insertions(+), 29 deletions(-)
- mode change 100644 => 100755 rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
+ rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec | 136 +++++++++++++++++++------
+ 1 file changed, 107 insertions(+), 29 deletions(-)

 diff --git a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
-old mode 100644
-new mode 100755
-index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77bda15278e
+index 81e6635936b77ddc486b217260fba59b23cf2a20..377b82d7a0bd3f42b1e58b0a795b2e628365dd36 100644
 --- a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
 +++ b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
@@ -4,22 +4,31 @@
@ -64,7 +61,7 @@ index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77b
     DN=`hostname`;
     if [ -z "$DN" ] || [ "$DN" = "(none)" ]; then
             DN='localhost.localdomain';
-@@ -30,30 +39,81 @@ if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
+@@ -30,30 +39,99 @@ if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
         FQDN="$DN";
     fi;
     # cannot use 'hostname --fqdn' because this can hang indefinitely
@ -86,7 +83,12 @@ index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77b
 +}
 +
 +cnfChanged=0;
-+if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
+if [ ! -e $PEGASUS_CONFIG_DIR/ssl-ca.cnf ] ||
+   [ ! -e $PEGASUS_CONFIG_DIR/ssl-service.cnf ] ||
+   [ ! -e $PEGASUS_CONFIG_DIR/server.pem ] ||
+   [ ! -e $PEGASUS_CONFIG_DIR/file.pem ]  ||
+   [ ! -e $PEGASUS_CONFIG_DIR/client.pem ]; then
+
 +    mkdir -p ${PEGASUS_INSTALL_LOG%/*}
 +    mkdir -p $PEGASUS_CONFIG_DIR
 +
@ -110,21 +112,31 @@ index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77b
 -        $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE
 -    cp -fp $PEGASUS_PEM_DIR/key.pem \
 -        $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE
+
+    # Restrict access of the key to root
+    OLDUMASK=`umask`
+    umask 0077
+
 +    # Create private key for the CA certificate
-+    /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/ca-key.pem 2048
+    TMPKEY=`mktemp --tmpdir=$PEGASUS_PEM_DIR XXXXXXXXXXXX`
+
+    /usr/bin/openssl genrsa -out $TMPKEY 2048
+
+    # Restore the umask for the other files
+    umask $OLDUMASK
 +
 +    # Create CA certificate:
 +    /usr/bin/openssl req -new -x509 -days 3650 \
-+                         -key $PEGASUS_PEM_DIR/ca-key.pem \
+                         -config $PEGASUS_CONFIG_DIR/ssl-ca.cnf \
+                         -key $TMPKEY \
 +                         -out $PEGASUS_PEM_DIR/ca.crt \
-+                         -config $PEGASUS_CONFIG_DIR/ssl-ca.cnf
 +
 +    # Create private key for the service certificate
 +    /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE 2048
 +
 +    # Create a signing request for the service certificate
 +    /usr/bin/openssl req -new \
-+                          -config $PEGASUS_CONFIG_DIR/ssl-service.cnf \
+                         -config $PEGASUS_CONFIG_DIR/ssl-service.cnf \
 +                         -key $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE \
 +                         -out $PEGASUS_PEM_DIR/server.csr
 +
@ -132,7 +144,7 @@ index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77b
 +    /usr/bin/openssl x509 -req -days 3650 \
 +                          -in $PEGASUS_PEM_DIR/server.csr \
 +                          -CA $PEGASUS_PEM_DIR/ca.crt \
-+                          -CAkey $PEGASUS_PEM_DIR/ca-key.pem \
+                          -CAkey $TMPKEY \
 +                          -CAcreateserial \
 +                          -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE \
 +                          -extfile $PEGASUS_CONFIG_DIR/ssl-ca.cnf
@ -153,7 +165,10 @@ index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77b
 +    # This does mean that generating a new certificate for this
 +    # service will need a new CA cert, but most real deployments
 +    # will use real infrastructure.
-+    rm -f $PEGASUS_PEM_DIR/ca-key.pem
+    # This does not impart perfect security; there is a fairly
+    # long race here between the key generation and its deletion.
+    # The random filename should significantly mitigate this.
+    rm -f $TMPKEY
 +
 fi;
 if [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE ]; then
@ -163,5 +178,5 @@ index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77b
     chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE;
 fi;
 -- 
-1.8.4.2
+2.1.0

--- a/tog-pegasus.spec
+++ b/tog-pegasus.spec
@ -8,7 +8,7 @@

 Name:           tog-pegasus
 Version:        %{major_ver}.0
-Release:        17%{?dist}
+Release:        18%{?dist}
 Epoch:          2
 Summary:        OpenPegasus WBEM Services for Linux

@ -511,6 +511,9 @@ fi


 %changelog
+* Mon Sep 01 2014 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.13.0-18
+- Increase security of generating SSL certificates
+
 * Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2:2.13.0-17
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild