183 lines
7.7 KiB
Diff
183 lines
7.7 KiB
Diff
From 75b27360143b05626e3962a74b17ddba919c080b Mon Sep 17 00:00:00 2001
|
|
From: Stephen Gallagher <sgallagh@redhat.com>
|
|
Date: Mon, 18 Aug 2014 16:40:46 -0400
|
|
Subject: [PATCH] Update SSL certificate generation
|
|
|
|
We will now generate x509v3 certificates with the CA:FALSE
|
|
constraint. This will allow us to automatically load it into a
|
|
local trust store safely. In order to do this, instead of creating
|
|
a true self-signed certificate, we will generate a private CA
|
|
certificate and sign the service with that.
|
|
---
|
|
rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec | 136 +++++++++++++++++++------
|
|
1 file changed, 107 insertions(+), 29 deletions(-)
|
|
|
|
diff --git a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
|
|
index 81e6635936b77ddc486b217260fba59b23cf2a20..377b82d7a0bd3f42b1e58b0a795b2e628365dd36 100644
|
|
--- a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
|
|
+++ b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec
|
|
@@ -4,22 +4,31 @@
|
|
# Creates a default ssl.cnf file.
|
|
# Generates a self-signed certificate for use by the cimserver.
|
|
#
|
|
-cnfChanged=0;
|
|
-if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
|
|
- mkdir -p ${PEGASUS_INSTALL_LOG%/*}
|
|
- mkdir -p $PEGASUS_CONFIG_DIR
|
|
- echo "[ req ]" > $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
+
|
|
+function create_ssl_cnf #(config_file, CN)
|
|
+{
|
|
+ SSL_CFG=$1
|
|
+ CA=$2 # Add a second argument to differentiate issuer from subject
|
|
+
|
|
+ # Create OpenSSL configuration files for generating certificates
|
|
+ echo "[ req ]" > $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
echo "distinguished_name = req_distinguished_name" >> \
|
|
- $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
- echo "prompt = no" >> $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
- echo "[ req_distinguished_name ]" >> $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
- echo "C = UK" >> $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
- echo "ST = Berkshire" >> $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
- echo "L = Reading" >> $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
+ $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+ echo "prompt = no" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+
|
|
+ # Include support for x509v3 so we can differentiate CA certificates
|
|
+ # from service certificates
|
|
+ echo "req_extensions = v3_req" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+ echo "x509_extensions = v3_ca" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+
|
|
+ echo "[ req_distinguished_name ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+ echo "C = UK" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+ echo "ST = Berkshire" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+ echo "L = Reading" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
echo "O = The Open Group" >> \
|
|
- $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
+ $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
echo "OU = The OpenPegasus Project" >> \
|
|
- $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
+ $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
DN=`hostname`;
|
|
if [ -z "$DN" ] || [ "$DN" = "(none)" ]; then
|
|
DN='localhost.localdomain';
|
|
@@ -30,30 +39,99 @@ if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
|
|
FQDN="$DN";
|
|
fi;
|
|
# cannot use 'hostname --fqdn' because this can hang indefinitely
|
|
- echo "CN = $FQDN" >> $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
- chmod 400 $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
- chown root $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
- chgrp root $PEGASUS_CONFIG_DIR/ssl.cnf
|
|
+ # Hack the $CA onto the end of the CN so we differentiate the issuer
|
|
+ # of the signature from the subject
|
|
+ echo "CN = $FQDN$CA" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+
|
|
+ # Add x509v3 extensions
|
|
+ echo "[ v3_req ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+ echo "basicConstraints = CA:FALSE" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+ echo "[ v3_ca ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+ echo "subjectKeyIdentifier=hash" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+ echo "authorityKeyIdentifier=keyid:always,issuer" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+ echo "basicConstraints = CA:TRUE" >> $PEGASUS_CONFIG_DIR/$SSL_CFG
|
|
+}
|
|
+
|
|
+cnfChanged=0;
|
|
+if [ ! -e $PEGASUS_CONFIG_DIR/ssl-ca.cnf ] ||
|
|
+ [ ! -e $PEGASUS_CONFIG_DIR/ssl-service.cnf ] ||
|
|
+ [ ! -e $PEGASUS_CONFIG_DIR/server.pem ] ||
|
|
+ [ ! -e $PEGASUS_CONFIG_DIR/file.pem ] ||
|
|
+ [ ! -e $PEGASUS_CONFIG_DIR/client.pem ]; then
|
|
+
|
|
+ mkdir -p ${PEGASUS_INSTALL_LOG%/*}
|
|
+ mkdir -p $PEGASUS_CONFIG_DIR
|
|
+
|
|
+ create_ssl_cnf ssl-ca.cnf CA
|
|
+ create_ssl_cnf ssl-service.cnf
|
|
+
|
|
+ chmod 400 $PEGASUS_CONFIG_DIR/ssl-*.cnf
|
|
+ chown root $PEGASUS_CONFIG_DIR/ssl-*.cnf
|
|
+ chgrp root $PEGASUS_CONFIG_DIR/ssl-*.cnf
|
|
cnfChanged=1;
|
|
fi
|
|
if [ $cnfChanged -eq 1 ] || \
|
|
[ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE ] || \
|
|
[ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE ]; then
|
|
- /usr/bin/openssl req -x509 -days 3650 -newkey rsa:2048 \
|
|
- -nodes -config $PEGASUS_CONFIG_DIR/ssl.cnf \
|
|
- -keyout $PEGASUS_PEM_DIR/key.pem \
|
|
- -out $PEGASUS_PEM_DIR/cert.pem 2>>$PEGASUS_INSTALL_LOG
|
|
- chmod 700 $PEGASUS_PEM_DIR/*.pem
|
|
- cp -fp $PEGASUS_PEM_DIR/cert.pem \
|
|
- $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE
|
|
- cp -fp $PEGASUS_PEM_DIR/key.pem \
|
|
- $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE
|
|
+
|
|
+ # Restrict access of the key to root
|
|
+ OLDUMASK=`umask`
|
|
+ umask 0077
|
|
+
|
|
+ # Create private key for the CA certificate
|
|
+ TMPKEY=`mktemp --tmpdir=$PEGASUS_PEM_DIR XXXXXXXXXXXX`
|
|
+
|
|
+ /usr/bin/openssl genrsa -out $TMPKEY 2048
|
|
+
|
|
+ # Restore the umask for the other files
|
|
+ umask $OLDUMASK
|
|
+
|
|
+ # Create CA certificate:
|
|
+ /usr/bin/openssl req -new -x509 -days 3650 \
|
|
+ -config $PEGASUS_CONFIG_DIR/ssl-ca.cnf \
|
|
+ -key $TMPKEY \
|
|
+ -out $PEGASUS_PEM_DIR/ca.crt \
|
|
+
|
|
+ # Create private key for the service certificate
|
|
+ /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE 2048
|
|
+
|
|
+ # Create a signing request for the service certificate
|
|
+ /usr/bin/openssl req -new \
|
|
+ -config $PEGASUS_CONFIG_DIR/ssl-service.cnf \
|
|
+ -key $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE \
|
|
+ -out $PEGASUS_PEM_DIR/server.csr
|
|
+
|
|
+ # Sign the request with the CA certificate
|
|
+ /usr/bin/openssl x509 -req -days 3650 \
|
|
+ -in $PEGASUS_PEM_DIR/server.csr \
|
|
+ -CA $PEGASUS_PEM_DIR/ca.crt \
|
|
+ -CAkey $TMPKEY \
|
|
+ -CAcreateserial \
|
|
+ -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE \
|
|
+ -extfile $PEGASUS_CONFIG_DIR/ssl-ca.cnf
|
|
+
|
|
+ # Set file permissions appropriately
|
|
chmod 400 $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE
|
|
- chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE
|
|
- rm -f $PEGASUS_PEM_DIR/key.pem $PEGASUS_PEM_DIR/cert.pem
|
|
+ chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE
|
|
+
|
|
+ # Remove the certificate signing request
|
|
+ # It is not needed after the signature is complete
|
|
+ rm -f $PEGASUS_PEM_DIR/server.csr
|
|
+
|
|
+ # Remove the private key for the CA certificate
|
|
+ # This will ensure that it cannot be used to sign any other
|
|
+ # (possibly suspicious) certificates
|
|
+ # This does mean that generating a new certificate for this
|
|
+ # service will need a new CA cert, but most real deployments
|
|
+ # will use real infrastructure.
|
|
+ # This does not impart perfect security; there is a fairly
|
|
+ # long race here between the key generation and its deletion.
|
|
+ # The random filename should significantly mitigate this.
|
|
+ rm -f $TMPKEY
|
|
+
|
|
fi;
|
|
if [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE ]; then
|
|
- cp -fp $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE \
|
|
+ cp -fp $PEGASUS_PEM_DIR/ca.crt \
|
|
$PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE
|
|
chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE;
|
|
fi;
|
|
--
|
|
2.1.0
|
|
|