tog-pegasus/pegasus-2.13.0-SSLGeneration.patch
Stephen Gallagher d21c1baf70 Create self-signed certificates with x509v3 extensions
This will allow us to use the CA:FALSE extension, enabling us to
safely store the generated certificates into the trust store
automatically.
2014-03-06 09:24:01 -05:00

168 lines
7.3 KiB
Diff

From 3a3e6ecb1ab65513625732e11a0da2b42328107b Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 10 Dec 2013 09:09:58 -0500
Subject: [PATCH] Update SSL certificate generation
We will now generate x509v3 certificates with the CA:FALSE
constraint. This will allow us to automatically load it into a
local trust store safely. In order to do this, instead of creating
a true self-signed certificate, we will generate a private CA
certificate and sign the service with that.
---
rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec | 118 +++++++++++++++++++------
1 file changed, 89 insertions(+), 29 deletions(-)
mode change 100644 => 100755 rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
diff --git a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
old mode 100644
new mode 100755
index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77bda15278e
--- a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
+++ b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
@@ -4,22 +4,31 @@
# Creates a default ssl.cnf file.
# Generates a self-signed certificate for use by the cimserver.
#
-cnfChanged=0;
-if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
- mkdir -p ${PEGASUS_INSTALL_LOG%/*}
- mkdir -p $PEGASUS_CONFIG_DIR
- echo "[ req ]" > $PEGASUS_CONFIG_DIR/ssl.cnf
+
+function create_ssl_cnf #(config_file, CN)
+{
+ SSL_CFG=$1
+ CA=$2 # Add a second argument to differentiate issuer from subject
+
+ # Create OpenSSL configuration files for generating certificates
+ echo "[ req ]" > $PEGASUS_CONFIG_DIR/$SSL_CFG
echo "distinguished_name = req_distinguished_name" >> \
- $PEGASUS_CONFIG_DIR/ssl.cnf
- echo "prompt = no" >> $PEGASUS_CONFIG_DIR/ssl.cnf
- echo "[ req_distinguished_name ]" >> $PEGASUS_CONFIG_DIR/ssl.cnf
- echo "C = UK" >> $PEGASUS_CONFIG_DIR/ssl.cnf
- echo "ST = Berkshire" >> $PEGASUS_CONFIG_DIR/ssl.cnf
- echo "L = Reading" >> $PEGASUS_CONFIG_DIR/ssl.cnf
+ $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "prompt = no" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+
+ # Include support for x509v3 so we can differentiate CA certificates
+ # from service certificates
+ echo "req_extensions = v3_req" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "x509_extensions = v3_ca" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+
+ echo "[ req_distinguished_name ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "C = UK" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "ST = Berkshire" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "L = Reading" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
echo "O = The Open Group" >> \
- $PEGASUS_CONFIG_DIR/ssl.cnf
+ $PEGASUS_CONFIG_DIR/$SSL_CFG
echo "OU = The OpenPegasus Project" >> \
- $PEGASUS_CONFIG_DIR/ssl.cnf
+ $PEGASUS_CONFIG_DIR/$SSL_CFG
DN=`hostname`;
if [ -z "$DN" ] || [ "$DN" = "(none)" ]; then
DN='localhost.localdomain';
@@ -30,30 +39,81 @@ if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
FQDN="$DN";
fi;
# cannot use 'hostname --fqdn' because this can hang indefinitely
- echo "CN = $FQDN" >> $PEGASUS_CONFIG_DIR/ssl.cnf
- chmod 400 $PEGASUS_CONFIG_DIR/ssl.cnf
- chown root $PEGASUS_CONFIG_DIR/ssl.cnf
- chgrp root $PEGASUS_CONFIG_DIR/ssl.cnf
+ # Hack the $CA onto the end of the CN so we differentiate the issuer
+ # of the signature from the subject
+ echo "CN = $FQDN$CA" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+
+ # Add x509v3 extensions
+ echo "[ v3_req ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "basicConstraints = CA:FALSE" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "[ v3_ca ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "subjectKeyIdentifier=hash" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "authorityKeyIdentifier=keyid:always,issuer" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+ echo "basicConstraints = CA:TRUE" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
+}
+
+cnfChanged=0;
+if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
+ mkdir -p ${PEGASUS_INSTALL_LOG%/*}
+ mkdir -p $PEGASUS_CONFIG_DIR
+
+ create_ssl_cnf ssl-ca.cnf CA
+ create_ssl_cnf ssl-service.cnf
+
+ chmod 400 $PEGASUS_CONFIG_DIR/ssl-*.cnf
+ chown root $PEGASUS_CONFIG_DIR/ssl-*.cnf
+ chgrp root $PEGASUS_CONFIG_DIR/ssl-*.cnf
cnfChanged=1;
fi
if [ $cnfChanged -eq 1 ] || \
[ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE ] || \
[ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE ]; then
- /usr/bin/openssl req -x509 -days 3650 -newkey rsa:2048 \
- -nodes -config $PEGASUS_CONFIG_DIR/ssl.cnf \
- -keyout $PEGASUS_PEM_DIR/key.pem \
- -out $PEGASUS_PEM_DIR/cert.pem 2>>$PEGASUS_INSTALL_LOG
- chmod 700 $PEGASUS_PEM_DIR/*.pem
- cp -fp $PEGASUS_PEM_DIR/cert.pem \
- $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE
- cp -fp $PEGASUS_PEM_DIR/key.pem \
- $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE
+ # Create private key for the CA certificate
+ /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/ca-key.pem 2048
+
+ # Create CA certificate:
+ /usr/bin/openssl req -new -x509 -days 3650 \
+ -key $PEGASUS_PEM_DIR/ca-key.pem \
+ -out $PEGASUS_PEM_DIR/ca.crt \
+ -config $PEGASUS_CONFIG_DIR/ssl-ca.cnf
+
+ # Create private key for the service certificate
+ /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE 2048
+
+ # Create a signing request for the service certificate
+ /usr/bin/openssl req -new \
+ -config $PEGASUS_CONFIG_DIR/ssl-service.cnf \
+ -key $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE \
+ -out $PEGASUS_PEM_DIR/server.csr
+
+ # Sign the request with the CA certificate
+ /usr/bin/openssl x509 -req -days 3650 \
+ -in $PEGASUS_PEM_DIR/server.csr \
+ -CA $PEGASUS_PEM_DIR/ca.crt \
+ -CAkey $PEGASUS_PEM_DIR/ca-key.pem \
+ -CAcreateserial \
+ -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE \
+ -extfile $PEGASUS_CONFIG_DIR/ssl-ca.cnf
+
+ # Set file permissions appropriately
chmod 400 $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE
- chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE
- rm -f $PEGASUS_PEM_DIR/key.pem $PEGASUS_PEM_DIR/cert.pem
+ chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE
+
+ # Remove the certificate signing request
+ # It is not needed after the signature is complete
+ rm -f $PEGASUS_PEM_DIR/server.csr
+
+ # Remove the private key for the CA certificate
+ # This will ensure that it cannot be used to sign any other
+ # (possibly suspicious) certificates
+ # This does mean that generating a new certificate for this
+ # service will need a new CA cert, but most real deployments
+ # will use real infrastructure.
+ rm -f $PEGASUS_PEM_DIR/ca-key.pem
+
fi;
if [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE ]; then
- cp -fp $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE \
+ cp -fp $PEGASUS_PEM_DIR/ca.crt \
$PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE
chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE;
fi;
--
1.8.4.2