From df20b47072e705ade5908a844722ff75a8e0801f Mon Sep 17 00:00:00 2001
From: Vitezslav Crhonek
Date: Mon, 1 Sep 2014 15:55:43 +0200
Subject: [PATCH] Increase security of generating SSL certificates

---
 pegasus-2.13.0-SSLGeneration.patch | 49 +++++++++++++++++++-----------
 tog-pegasus.spec | 5 ++-
 2 files changed, 36 insertions(+), 18 deletions(-)

diff --git a/pegasus-2.13.0-SSLGeneration.patch b/pegasus-2.13.0-SSLGeneration.patch
index 384f521..db27d9c 100644
--- a/pegasus-2.13.0-SSLGeneration.patch
+++ b/pegasus-2.13.0-SSLGeneration.patch
@@ -1,6 +1,6 @@
-From 3a3e6ecb1ab65513625732e11a0da2b42328107b Mon Sep 17 00:00:00 2001
+From 75b27360143b05626e3962a74b17ddba919c080b Mon Sep 17 00:00:00 2001
 From: Stephen Gallagher
-Date: Tue, 10 Dec 2013 09:09:58 -0500
+Date: Mon, 18 Aug 2014 16:40:46 -0400
 Subject: [PATCH] Update SSL certificate generation
 
 We will now generate x509v3 certificates with the CA:FALSE
@@ -9,14 +9,11 @@ local trust store safely.
 In order to do this, instead of creating a true self-signed certificate,
 we will generate a private CA certificate and sign the service with that.
 ---
- rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec | 118 +++++++++++++++++++------
- 1 file changed, 89 insertions(+), 29 deletions(-)
- mode change 100644 => 100755 rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
+ rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec | 136 +++++++++++++++++++------
+ 1 file changed, 107 insertions(+), 29 deletions(-)
 
 diff --git a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
-old mode 100644
-new mode 100755
-index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77bda15278e
+index 81e6635936b77ddc486b217260fba59b23cf2a20..377b82d7a0bd3f42b1e58b0a795b2e628365dd36 100644
 --- a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
 +++ b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
 @@ -4,22 +4,31 @@ 
@@ -64,7 +61,7 @@ index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77b
  DN=`hostname`;
  if [ -z "$DN" ] || [ "$DN" = "(none)" ]; then
  DN='localhost.localdomain';
-@@ -30,30 +39,81 @@ if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
+@@ -30,30 +39,99 @@ if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
  FQDN="$DN";
  fi;
  # cannot use 'hostname --fqdn' because this can hang indefinitely
@@ -86,7 +83,12 @@ index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77b
 +}
 +
 +cnfChanged=0;
-+if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
++if [ ! -e $PEGASUS_CONFIG_DIR/ssl-ca.cnf ] ||
++ [ ! -e $PEGASUS_CONFIG_DIR/ssl-service.cnf ] ||
++ [ ! -e $PEGASUS_CONFIG_DIR/server.pem ] ||
++ [ ! -e $PEGASUS_CONFIG_DIR/file.pem ] ||
++ [ ! -e $PEGASUS_CONFIG_DIR/client.pem ]; then
++
 + mkdir -p ${PEGASUS_INSTALL_LOG%/*}
 + mkdir -p $PEGASUS_CONFIG_DIR
 + 
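Review bot: The regeneration guard added at the top of the second hunk tests `$PEGASUS_CONFIG_DIR/server.pem`, `file.pem` and `client.pem` by literal name, while the generation steps later in the same patch write the key and certificate to `$PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE` and `$PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE`. If those variables ever point to a different directory or file name than the literals, the guard and the writes disagree and the script either regenerates a fresh CA and service key on every run or never does; testing the same expressions, e.g. `[ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE ] ||`, keeps check and write in step. Note also that any single missing file triggers regeneration of the whole set, so an operator who removed only client.pem would have the server key and certificate replaced as well; if that is intended it deserves a comment such as `# Any missing file regenerates the whole CA + service set`. The body of this `if` continues past the end of the hunk.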
@@ -110,21 +112,31 @@ index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77b
 - $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE
 - cp -fp $PEGASUS_PEM_DIR/key.pem \
 - $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE
++
++ # Restrict access of the key to root
++ OLDUMASK=`umask`
++ umask 0077
++
 + # Create private key for the CA certificate
-+ /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/ca-key.pem 2048
++ TMPKEY=`mktemp --tmpdir=$PEGASUS_PEM_DIR XXXXXXXXXXXX`
++
++ /usr/bin/openssl genrsa -out $TMPKEY 2048
++
++ # Restore the umask for the other files
++ umask $OLDUMASK
 +
 + # Create CA certificate:
 + /usr/bin/openssl req -new -x509 -days 3650 \
-+ -key $PEGASUS_PEM_DIR/ca-key.pem \
++ -config $PEGASUS_CONFIG_DIR/ssl-ca.cnf \
++ -key $TMPKEY \
 + -out $PEGASUS_PEM_DIR/ca.crt \
-+ -config $PEGASUS_CONFIG_DIR/ssl-ca.cnf
 +
 + # Create private key for the service certificate
 + /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE 2048
 +
 + # Create a signing request for the service certificate
 + /usr/bin/openssl req -new \
-+ -config $PEGASUS_CONFIG_DIR/ssl-service.cnf \
++ -config $PEGASUS_CONFIG_DIR/ssl-service.cnf \
 + -key $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE \
 + -out $PEGASUS_PEM_DIR/server.csr
 +
@@ -132,7 +144,7 @@ index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77b
 + /usr/bin/openssl x509 -req -days 3650 \
 + -in $PEGASUS_PEM_DIR/server.csr \
 + -CA $PEGASUS_PEM_DIR/ca.crt \
-+ -CAkey $PEGASUS_PEM_DIR/ca-key.pem \
++ -CAkey $TMPKEY \
 + -CAcreateserial \
 + -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE \
 + -extfile $PEGASUS_CONFIG_DIR/ssl-ca.cnf 
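Review bot: `umask $OLDUMASK` is restored before the service private key is generated, so `/usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE 2048` creates that file under the default umask (0644 with a 022 umask on OpenSSL versions that do not force 0600 on key output) unless a chmod outside this hunk tightens it afterwards; the 0077 umask protects only the short-lived CA key, while the service key is the secret that stays on disk. Move `umask $OLDUMASK` (and its comment) to just after the service-key `genrsa` line, or set `umask 0077` again around that call, so no private key is ever created world-readable even transiently. The `TMPKEY=`mktemp ...`` result is also unchecked: if mktemp fails, `$TMPKEY` is empty and the later `genrsa -out` and `-CAkey` arguments collapse to a missing path, so `|| exit 1` after the mktemp line is worth adding. Quoting `"$TMPKEY"` in the openssl invocations would be consistent with shell practice even though the directory is a package constant.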
@@ -153,7 +165,10 @@ index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77b
 + # This does mean that generating a new certificate for this
 + # service will need a new CA cert, but most real deployments
 + # will use real infrastructure.
-+ rm -f $PEGASUS_PEM_DIR/ca-key.pem
++ # This does not impart perfect security; there is a fairly
++ # long race here between the key generation and its deletion.
++ # The random filename should significantly mitigate this.
++ rm -f $TMPKEY
 + fi;
  
  if [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE ]; then
@@ -163,5 +178,5 @@ index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77b
  chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE;
  fi;
 --
-1.8.4.2
+2.1.0

diff --git a/tog-pegasus.spec b/tog-pegasus.spec
index e5a8402..bdcb8c6 100644
--- a/tog-pegasus.spec
+++ b/tog-pegasus.spec
@@ -8,7 +8,7 @@
 
 Name: tog-pegasus
 Version: %{major_ver}.0
-Release: 17%{?dist}
+Release: 18%{?dist}
 Epoch: 2
 Summary: OpenPegasus WBEM Services for Linux
 
@@ -511,6 +511,9 @@ fi
 
 
 %changelog
+* Mon Sep 01 2014 Vitezslav Crhonek - 2:2.13.0-18
+- Increase security of generating SSL certificates
+
 * Mon Aug 18 2014 Fedora Release Engineering - 2:2.13.0-17
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
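Review bot: `rm -f $TMPKEY` runs only on the success path, so if any of the preceding `openssl` steps fails or the scriptlet is interrupted, the CA private key is left behind in `$PEGASUS_PEM_DIR` under an unpredictable name that nothing else will clean up. Registering the removal right after the key file is created, `trap 'rm -f "$TMPKEY"' EXIT`, covers every exit path and the explicit `rm -f` here can stay as is. The new comment also overstates the exposure: the file is created by mktemp with mode 0600 while `umask 0077` is in force, so during the window only the user running the scriptlet (root, per the earlier comment) can read it, and the random name defends against a predictable path being pre-created or guessed rather than against a read race; I would reword it to `# The key is root-only (mktemp + umask 0077) for as long as it exists; the random name avoids a predictable path.` The `if` closed by this `fi;` begins outside the hunk.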