Red Hat Bugzilla – Attachment 836377 Details for Bug 1032849: lmi command fails with certificate error
Description: Patch to generate a mini-CA and save that CA to the shared trust store
Filename: 0001-Create-self-signed-certificates-with-x509v3-extensio.patch
MIME Type: text/plain
Size: 11.91 KB
Creator: Stephen Gallagher
Created: 2013-12-13 16:22:57 UTC
Flags: patch, obsolete
>From 2cc95da78680585d18b62138ee7ad343bc93b9d9 Mon Sep 17 00:00:00 2001 >From: Stephen Gallagher <sgallagh@redhat.com> >Date: Tue, 10 Dec 2013 09:18:59 -0500 >Subject: [PATCH 1/2] Create self-signed certificates with x509v3 extensions > >This will allow us to use the CA:FALSE extension, enabling us to >safely store the generated certificates into the trust store >automatically. >--- > pegasus-2.13.0-SSLGeneration.patch | 167 +++++++++++++++++++++++++++++++++++++ > tog-pegasus.spec | 29 ++++++- > 2 files changed, 193 insertions(+), 3 deletions(-) > create mode 100644 pegasus-2.13.0-SSLGeneration.patch > >diff --git a/pegasus-2.13.0-SSLGeneration.patch b/pegasus-2.13.0-SSLGeneration.patch >new file mode 100644 >index 0000000000000000000000000000000000000000..384f521a6e5a2ea4812dffff8abf4795b69fbfcb >--- /dev/null >+++ b/pegasus-2.13.0-SSLGeneration.patch 
>@@ -0,0 +1,167 @@ >+From 3a3e6ecb1ab65513625732e11a0da2b42328107b Mon Sep 17 00:00:00 2001 >+From: Stephen Gallagher <sgallagh@redhat.com> >+Date: Tue, 10 Dec 2013 09:09:58 -0500 >+Subject: [PATCH] Update SSL certificate generation >+ >+We will now generate x509v3 certificates with the CA:FALSE >+constraint. This will allow us to automatically load it into a >+local trust store safely. In order to do this, instead of creating >+a true self-signed certificate, we will generate a private CA >+certificate and sign the service with that. >+--- >+ rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec | 118 +++++++++++++++++++------ >+ 1 file changed, 89 insertions(+), 29 deletions(-) >+ mode change 100644 => 100755 rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec >+ >+diff --git a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec >+old mode 100644 >+new mode 100755 >+index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77bda15278e >+--- a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec >++++ b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec >+@@ -4,22 +4,31 @@ >+ # Creates a default ssl.cnf file. >+ # Generates a self-signed certificate for use by the cimserver. >+ # >+-cnfChanged=0; >+-if [ ! 
-e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then >+- mkdir -p ${PEGASUS_INSTALL_LOG%/*} >+- mkdir -p $PEGASUS_CONFIG_DIR >+- echo "[ req ]" > $PEGASUS_CONFIG_DIR/ssl.cnf >++ >++function create_ssl_cnf #(config_file, CN) >++{ >++ SSL_CFG=$1 >++ CA=$2 # Add a second argument to differentiate issuer from subject >++ >++ # Create OpenSSL configuration files for generating certificates >++ echo "[ req ]" > $PEGASUS_CONFIG_DIR/$SSL_CFG >+ echo "distinguished_name = req_distinguished_name" >> \ >+- $PEGASUS_CONFIG_DIR/ssl.cnf >+- echo "prompt = no" >> $PEGASUS_CONFIG_DIR/ssl.cnf >+- echo "[ req_distinguished_name ]" >> $PEGASUS_CONFIG_DIR/ssl.cnf >+- echo "C = UK" >> $PEGASUS_CONFIG_DIR/ssl.cnf >+- echo "ST = Berkshire" >> $PEGASUS_CONFIG_DIR/ssl.cnf >+- echo "L = Reading" >> $PEGASUS_CONFIG_DIR/ssl.cnf >++ $PEGASUS_CONFIG_DIR/$SSL_CFG >++ echo "prompt = no" >> $PEGASUS_CONFIG_DIR/$SSL_CFG >++ >++ # Include support for x509v3 so we can differentiate CA certificates >++ # from service certificates >++ echo "req_extensions = v3_req" >> $PEGASUS_CONFIG_DIR/$SSL_CFG >++ echo "x509_extensions = v3_ca" >> $PEGASUS_CONFIG_DIR/$SSL_CFG >++ >++ echo "[ req_distinguished_name ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG >++ echo "C = UK" >> $PEGASUS_CONFIG_DIR/$SSL_CFG >++ echo "ST = Berkshire" >> $PEGASUS_CONFIG_DIR/$SSL_CFG >++ echo "L = Reading" >> $PEGASUS_CONFIG_DIR/$SSL_CFG >+ echo "O = The Open Group" >> \ >+- $PEGASUS_CONFIG_DIR/ssl.cnf >++ $PEGASUS_CONFIG_DIR/$SSL_CFG >+ echo "OU = The OpenPegasus Project" >> \ >+- $PEGASUS_CONFIG_DIR/ssl.cnf >++ $PEGASUS_CONFIG_DIR/$SSL_CFG >+ DN=`hostname`; >+ if [ -z "$DN" ] || [ "$DN" = "(none)" ]; then >+ DN='localhost.localdomain'; >+@@ -30,30 +39,81 @@ if [ ! 
-e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then >+ FQDN="$DN"; >+ fi; >+ # cannot use 'hostname --fqdn' because this can hang indefinitely >+- echo "CN = $FQDN" >> $PEGASUS_CONFIG_DIR/ssl.cnf >+- chmod 400 $PEGASUS_CONFIG_DIR/ssl.cnf >+- chown root $PEGASUS_CONFIG_DIR/ssl.cnf >+- chgrp root $PEGASUS_CONFIG_DIR/ssl.cnf >++ # Hack the $CA onto the end of the CN so we differentiate the issuer >++ # of the signature from the subject >++ echo "CN = $FQDN$CA" >> $PEGASUS_CONFIG_DIR/$SSL_CFG >++ >++ # Add x509v3 extensions >++ echo "[ v3_req ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG >++ echo "basicConstraints = CA:FALSE" >> $PEGASUS_CONFIG_DIR/$SSL_CFG >++ echo "[ v3_ca ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG >++ echo "subjectKeyIdentifier=hash" >> $PEGASUS_CONFIG_DIR/$SSL_CFG >++ echo "authorityKeyIdentifier=keyid:always,issuer" >> $PEGASUS_CONFIG_DIR/$SSL_CFG >++ echo "basicConstraints = CA:TRUE" >> $PEGASUS_CONFIG_DIR/$SSL_CFG >++} >++ >++cnfChanged=0; >++if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then >++ mkdir -p ${PEGASUS_INSTALL_LOG%/*} >++ mkdir -p $PEGASUS_CONFIG_DIR >++ >++ create_ssl_cnf ssl-ca.cnf CA >++ create_ssl_cnf ssl-service.cnf >++ >++ chmod 400 $PEGASUS_CONFIG_DIR/ssl-*.cnf >++ chown root $PEGASUS_CONFIG_DIR/ssl-*.cnf >++ chgrp root $PEGASUS_CONFIG_DIR/ssl-*.cnf >+ cnfChanged=1; >+ fi >+ if [ $cnfChanged -eq 1 ] || \ >+ [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE ] || \ >+ [ ! 
-e $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE ]; then >+- /usr/bin/openssl req -x509 -days 3650 -newkey rsa:2048 \ >+- -nodes -config $PEGASUS_CONFIG_DIR/ssl.cnf \ >+- -keyout $PEGASUS_PEM_DIR/key.pem \ >+- -out $PEGASUS_PEM_DIR/cert.pem 2>>$PEGASUS_INSTALL_LOG >+- chmod 700 $PEGASUS_PEM_DIR/*.pem >+- cp -fp $PEGASUS_PEM_DIR/cert.pem \ >+- $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE >+- cp -fp $PEGASUS_PEM_DIR/key.pem \ >+- $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE >++ # Create private key for the CA certificate >++ /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/ca-key.pem 2048 >++ >++ # Create CA certificate: >++ /usr/bin/openssl req -new -x509 -days 3650 \ >++ -key $PEGASUS_PEM_DIR/ca-key.pem \ >++ -out $PEGASUS_PEM_DIR/ca.crt \ >++ -config $PEGASUS_CONFIG_DIR/ssl-ca.cnf >++ >++ # Create private key for the service certificate >++ /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE 2048 >++ >++ # Create a signing request for the service certificate >++ /usr/bin/openssl req -new \ >++ -config $PEGASUS_CONFIG_DIR/ssl-service.cnf \ >++ -key $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE \ >++ -out $PEGASUS_PEM_DIR/server.csr >++ >++ # Sign the request with the CA certificate >++ /usr/bin/openssl x509 -req -days 3650 \ >++ -in $PEGASUS_PEM_DIR/server.csr \ >++ -CA $PEGASUS_PEM_DIR/ca.crt \ >++ -CAkey $PEGASUS_PEM_DIR/ca-key.pem \ >++ -CAcreateserial \ >++ -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE \ >++ -extfile $PEGASUS_CONFIG_DIR/ssl-ca.cnf >++ >++ # Set file permissions appropriately >+ chmod 400 $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE >+- chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE >+- rm -f $PEGASUS_PEM_DIR/key.pem $PEGASUS_PEM_DIR/cert.pem >++ chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE >++ >++ # Remove the certificate signing request >++ # It is not needed after the signature is complete >++ rm -f $PEGASUS_PEM_DIR/server.csr >++ >++ # Remove the private key for the CA certificate >++ # This will ensure that it cannot be used to sign any other >++ # 
(possibly suspicious) certificates >++ # This does mean that generating a new certificate for this >++ # service will need a new CA cert, but most real deployments >++ # will use real infrastructure. >++ rm -f $PEGASUS_PEM_DIR/ca-key.pem >++ >+ fi; >+ if [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE ]; then >+- cp -fp $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE \ >++ cp -fp $PEGASUS_PEM_DIR/ca.crt \ >+ $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE >+ chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE; >+ fi; >+-- >+1.8.4.2 >+ >diff --git a/tog-pegasus.spec b/tog-pegasus.spec >index fd17fe0c63e7400fd0b27464971ffadefb401790..c9223d77117194ecaec37ebb830774c5ad677af7 100644 >--- a/tog-pegasus.spec >+++ b/tog-pegasus.spec >@@ -8,7 +8,7 @@ > > Name: tog-pegasus > Version: %{major_ver}.0 >-Release: 5%{?dist} >+Release: 6%{?dist} > Epoch: 2 > Summary: OpenPegasus WBEM Services for Linux > >@@ -76,15 +76,21 @@ Patch27: pegasus-2.13.0-build-fix.patch > # 28: PG_ComputerSystem having CreationClassName="CIM_ComputerSystem" > # http://bugzilla.openpegasus.org/show_bug.cgi?id=9795 > Patch28: pegasus-2.13.0-PG_ComputerSystem.CreationClassName.patch >+# 29: Create x509v3 self-signed certificates with CA:FALSE >+Patch29: pegasus-2.13.0-SSLGeneration.patch > > BuildRequires: bash, sed, grep, coreutils, procps, gcc, gcc-c++ > BuildRequires: libstdc++, make, pam-devel >-BuildRequires: openssl, openssl-devel >+BuildRequires: openssl-devel > BuildRequires: net-snmp-devel, openslp-devel > BuildRequires: systemd-units >-Requires: net-snmp-libs, openssl >+Requires: net-snmp-libs > Requires: %{name}-libs = %{epoch}:%{version}-%{release} >+Requires: ca-certificates > Provides: cim-server = 1 >+Requires(post): /usr/bin/update-ca-trust >+Requires(post): /usr/bin/openssl >+Requires(post): /sbin/ldconfig > > %description > OpenPegasus WBEM Services for Linux enables management solutions that deliver 
>@@ -111,6 +117,7 @@ Group: System Environment/Libraries > Conflicts: libcmpiCppImpl0 > Requires(pre): /usr/sbin/useradd > Requires(pre): /usr/sbin/groupadd >+Requires(post): /sbin/ldconfig > > %description libs > The OpenPegasus libraries. >@@ -210,6 +217,7 @@ yes | mak/CreateDmtfSchema 238 %{SOURCE9} cim_schema_2.38.0 > %patch26 -p1 -b .schema-version-and-includes > %patch27 -p1 -b .build-fix > %patch28 -p0 -b .PG_ComputerSystem.CreationClassName >+%patch29 -p1 -b .genssl > > > %build >@@ -323,6 +331,12 @@ make prestarttests > %ghost /etc/Pegasus/client.pem > %ghost /etc/Pegasus/server.pem > %ghost /etc/Pegasus/file.pem >+%ghost /etc/Pegasus/ca.crt >+%ghost /etc/Pegasus/ca.srl >+%ghost /etc/Pegasus/client.srl >+%ghost /etc/Pegasus/ssl-ca.cnf >+%ghost /etc/Pegasus/ssl-service.cnf >+%ghost /etc/pki/ca-trust/source/anchors/localhost-pegasus.pem > %ghost %attr(0640, root, pegasus) /etc/Pegasus/cimserver_trust > %ghost %attr(0640, root, pegasus) /etc/Pegasus/indication_trust > %ghost %attr(0640, root, pegasus) /etc/Pegasus/crl >@@ -392,7 +406,12 @@ if [ $1 -ge 1 ]; then > if [ ! -e /etc/Pegasus/ssl.cnf ] || [ ! -e /etc/Pegasus/server.pem ] || > [ ! -e /etc/Pegasus/file.pem ] || [ ! -e /etc/Pegasus/client.pem ]; then > if [ -x /usr/share/Pegasus/scripts/genOpenPegasusSSLCerts ]; then >+ # Create self-signed certificates for initial usage > /usr/share/Pegasus/scripts/genOpenPegasusSSLCerts >+ # Add the self-signed certificate to the local trust store >+ cp /etc/Pegasus/ca.crt \ >+ /etc/pki/ca-trust/source/anchors/localhost-pegasus.pem >+ /usr/bin/update-ca-trust extract > fi; > fi; > fi >@@ -477,6 +496,10 @@ fi > > > %changelog >+* Tue Dec 10 2013 Stephen Gallagher <sgallagh@redhat.com> - 2:2.13.0-6 >+- Generate SSL certificates with x509v3 and CA:FALSE >+- Automatically import self-signed certificates into local trust-store >+ > * Mon Nov 04 2013 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.13.0-5 > - Fix missing openssl dependency > Resolves: #1022056 >-- >1.8.4.2 >
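Review bot: in the tog-pegasus-genSSLCerts.spec hunk, the service certificate is signed with `-extfile $PEGASUS_CONFIG_DIR/ssl-ca.cnf` but without an `-extensions` option, so `openssl x509 -req` takes its extensions from the unnamed default section of that file, which is empty here, and the `[ v3_req ]` section carrying `basicConstraints = CA:FALSE` is never selected; the service certificate ends up with no basicConstraints at all, which is the opposite of what the commit message describes. Suggest adding `-extensions v3_req` to the `openssl x509 -req` invocation and confirming with `openssl x509 -noout -text -in "$PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE"` that the constraint is present. Note also that what the tog-pegasus.spec `%post` hunk copies into `/etc/pki/ca-trust/source/anchors/` is `ca.crt`, the `CA:TRUE` certificate, not the `CA:FALSE` service certificate, so CA:FALSE is not what makes that import safe; the property that actually limits the risk is `rm -f $PEGASUS_PEM_DIR/ca-key.pem` (the CA key cannot sign anything else afterwards), and the changelog and commit message should say so.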
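Review bot: the regeneration guard in the same hunk still tests for the old file name, `if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then`, but the new `create_ssl_cnf` only writes `ssl-ca.cnf` and `ssl-service.cnf`, so `ssl.cnf` never exists, `cnfChanged` is set to 1 on every run, and a fresh CA plus a fresh service key and certificate are generated each time the script runs (and, through the unchanged `[ ! -e /etc/Pegasus/ssl.cnf ]` test in the tog-pegasus.spec `%post` hunk, on every package upgrade). The truststore copy is still guarded by `if [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE ]`, so from the second run on, `$PEGASUS_SSL_TRUSTSTORE` keeps the first CA while the server certificate is issued by a new one, and the system anchor is overwritten with the new `ca.crt` only because `%post` copies unconditionally. Suggest testing for `ssl-ca.cnf` and `ssl-service.cnf` in both guards (script and `%post`), and refreshing the truststore whenever the CA is regenerated.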
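Review bot: in the tog-pegasus.spec `%files` hunk, `%ghost /etc/Pegasus/client.srl` is listed but nothing in this patch creates it; `-CAcreateserial` together with `-CA $PEGASUS_PEM_DIR/ca.crt` produces `ca.srl`, which is already ghosted, and the request file `server.csr` is deleted by the script. Either drop the `client.srl` entry or document what writes it. In the `%post` hunk, the `cp /etc/Pegasus/ca.crt` into the anchors directory and `/usr/bin/update-ca-trust extract` run even if `genOpenPegasusSSLCerts` failed and left no `ca.crt`; chaining with `&&` or checking the exit status would avoid a confusing error at install time. The patch also adds no `%postun` step: `%ghost` lets rpm delete `/etc/pki/ca-trust/source/anchors/localhost-pegasus.pem` on erase, but without another `update-ca-trust extract` the extracted bundles keep trusting the private CA until something else triggers an extract.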