Increase security of generating SSL certificates
This commit is contained in:
Vitezslav Crhonek
parent
3788876163
commit
df20b47072
@ -1,6 +1,6 @@
|
|||||||
From 3a3e6ecb1ab65513625732e11a0da2b42328107b Mon Sep 17 00:00:00 2001
|
From 75b27360143b05626e3962a74b17ddba919c080b Mon Sep 17 00:00:00 2001
|
||||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
Date: Tue, 10 Dec 2013 09:09:58 -0500
|
Date: Mon, 18 Aug 2014 16:40:46 -0400
|
||||||
Subject: [PATCH] Update SSL certificate generation
|
Subject: [PATCH] Update SSL certificate generation
|
||||||
|
|
||||||
We will now generate x509v3 certificates with the CA:FALSE
|
We will now generate x509v3 certificates with the CA:FALSE
|
||||||
@ -9,14 +9,11 @@ local trust store safely. In order to do this, instead of creating
|
|||||||
a true self-signed certificate, we will generate a private CA
|
a true self-signed certificate, we will generate a private CA
|
||||||
certificate and sign the service with that.
|
certificate and sign the service with that.
|
||||||
---
|
---
|
||||||
rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec | 118 +++++++++++++++++++------
|
rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec | 136 +++++++++++++++++++------
|
||||||
1 file changed, 89 insertions(+), 29 deletions(-)
|
1 file changed, 107 insertions(+), 29 deletions(-)
|
||||||
mode change 100644 => 100755 rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
|
|
||||||
|
|
||||||
diff --git a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
|
diff --git a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
|
||||||
old mode 100644
|
index 81e6635936b77ddc486b217260fba59b23cf2a20..377b82d7a0bd3f42b1e58b0a795b2e628365dd36 100644
|
||||||
new mode 100755
|
|
||||||
index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77bda15278e
|
|
||||||
--- a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
|
--- a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
|
||||||
+++ b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
|
+++ b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
|
||||||
@@ -4,22 +4,31 @@
|
@@ -4,22 +4,31 @@
|
||||||
@ -64,7 +61,7 @@ index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77b
|
|||||||
DN=`hostname`;
|
DN=`hostname`;
|
||||||
if [ -z "$DN" ] || [ "$DN" = "(none)" ]; then
|
if [ -z "$DN" ] || [ "$DN" = "(none)" ]; then
|
||||||
DN='localhost.localdomain';
|
DN='localhost.localdomain';
|
||||||
@@ -30,30 +39,81 @@ if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
|
@@ -30,30 +39,99 @@ if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
|
||||||
FQDN="$DN";
|
FQDN="$DN";
|
||||||
fi;
|
fi;
|
||||||
# cannot use 'hostname --fqdn' because this can hang indefinitely
|
# cannot use 'hostname --fqdn' because this can hang indefinitely
|
||||||
@ -86,7 +83,12 @@ index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77b
|
|||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+cnfChanged=0;
|
+cnfChanged=0;
|
||||||
+if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
|
+if [ ! -e $PEGASUS_CONFIG_DIR/ssl-ca.cnf ] ||
|
||||||
|
+ [ ! -e $PEGASUS_CONFIG_DIR/ssl-service.cnf ] ||
|
||||||
|
+ [ ! -e $PEGASUS_CONFIG_DIR/server.pem ] ||
|
||||||
|
+ [ ! -e $PEGASUS_CONFIG_DIR/file.pem ] ||
|
||||||
|
+ [ ! -e $PEGASUS_CONFIG_DIR/client.pem ]; then
|
||||||
|
+
|
||||||
+ mkdir -p ${PEGASUS_INSTALL_LOG%/*}
|
+ mkdir -p ${PEGASUS_INSTALL_LOG%/*}
|
||||||
+ mkdir -p $PEGASUS_CONFIG_DIR
|
+ mkdir -p $PEGASUS_CONFIG_DIR
|
||||||
+
|
+
|
||||||
@ -110,14 +112,24 @@ index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77b
|
|||||||
- $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE
|
- $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE
|
||||||
- cp -fp $PEGASUS_PEM_DIR/key.pem \
|
- cp -fp $PEGASUS_PEM_DIR/key.pem \
|
||||||
- $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE
|
- $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE
|
||||||
|
+
|
||||||
|
+ # Restrict access of the key to root
|
||||||
|
+ OLDUMASK=`umask`
|
||||||
|
+ umask 0077
|
||||||
|
+
|
||||||
+ # Create private key for the CA certificate
|
+ # Create private key for the CA certificate
|
||||||
+ /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/ca-key.pem 2048
|
+ TMPKEY=`mktemp --tmpdir=$PEGASUS_PEM_DIR XXXXXXXXXXXX`
|
||||||
|
+
|
||||||
|
+ /usr/bin/openssl genrsa -out $TMPKEY 2048
|
||||||
|
+
|
||||||
|
+ # Restore the umask for the other files
|
||||||
|
+ umask $OLDUMASK
|
||||||
+
|
+
|
||||||
+ # Create CA certificate:
|
+ # Create CA certificate:
|
||||||
+ /usr/bin/openssl req -new -x509 -days 3650 \
|
+ /usr/bin/openssl req -new -x509 -days 3650 \
|
||||||
+ -key $PEGASUS_PEM_DIR/ca-key.pem \
|
+ -config $PEGASUS_CONFIG_DIR/ssl-ca.cnf \
|
||||||
|
+ -key $TMPKEY \
|
||||||
+ -out $PEGASUS_PEM_DIR/ca.crt \
|
+ -out $PEGASUS_PEM_DIR/ca.crt \
|
||||||
+ -config $PEGASUS_CONFIG_DIR/ssl-ca.cnf
|
|
||||||
+
|
+
|
||||||
+ # Create private key for the service certificate
|
+ # Create private key for the service certificate
|
||||||
+ /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE 2048
|
+ /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE 2048
|
||||||
@ -132,7 +144,7 @@ index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77b
|
|||||||
+ /usr/bin/openssl x509 -req -days 3650 \
|
+ /usr/bin/openssl x509 -req -days 3650 \
|
||||||
+ -in $PEGASUS_PEM_DIR/server.csr \
|
+ -in $PEGASUS_PEM_DIR/server.csr \
|
||||||
+ -CA $PEGASUS_PEM_DIR/ca.crt \
|
+ -CA $PEGASUS_PEM_DIR/ca.crt \
|
||||||
+ -CAkey $PEGASUS_PEM_DIR/ca-key.pem \
|
+ -CAkey $TMPKEY \
|
||||||
+ -CAcreateserial \
|
+ -CAcreateserial \
|
||||||
+ -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE \
|
+ -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE \
|
||||||
+ -extfile $PEGASUS_CONFIG_DIR/ssl-ca.cnf
|
+ -extfile $PEGASUS_CONFIG_DIR/ssl-ca.cnf
|
||||||
@ -153,7 +165,10 @@ index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77b
|
|||||||
+ # This does mean that generating a new certificate for this
|
+ # This does mean that generating a new certificate for this
|
||||||
+ # service will need a new CA cert, but most real deployments
|
+ # service will need a new CA cert, but most real deployments
|
||||||
+ # will use real infrastructure.
|
+ # will use real infrastructure.
|
||||||
+ rm -f $PEGASUS_PEM_DIR/ca-key.pem
|
+ # This does not impart perfect security; there is a fairly
|
||||||
|
+ # long race here between the key generation and its deletion.
|
||||||
|
+ # The random filename should significantly mitigate this.
|
||||||
|
+ rm -f $TMPKEY
|
||||||
+
|
+
|
||||||
fi;
|
fi;
|
||||||
if [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE ]; then
|
if [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE ]; then
|
||||||
@ -163,5 +178,5 @@ index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77b
|
|||||||
chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE;
|
chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE;
|
||||||
fi;
|
fi;
|
||||||
--
|
--
|
||||||
1.8.4.2
|
2.1.0
|
||||||
|
|
||||||
|
|||||||
@ -8,7 +8,7 @@
|
|||||||
|
|
||||||
Name: tog-pegasus
|
Name: tog-pegasus
|
||||||
Version: %{major_ver}.0
|
Version: %{major_ver}.0
|
||||||
Release: 17%{?dist}
|
Release: 18%{?dist}
|
||||||
Epoch: 2
|
Epoch: 2
|
||||||
Summary: OpenPegasus WBEM Services for Linux
|
Summary: OpenPegasus WBEM Services for Linux
|
||||||
|
|
||||||
@ -511,6 +511,9 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Sep 01 2014 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.13.0-18
|
||||||
|
- Increase security of generating SSL certificates
|
||||||
|
|
||||||
* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2:2.13.0-17
|
* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2:2.13.0-17
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user