ci: rework ssl cert generation (SAN usage)

Rework the generation of certificates, in order to make use of the SubjectAltName (SAN) extension, that is required for modern usage of TLS (see RFC 2818, or [1]) and now enforced by default for go version 1.15[2] (Fedora 33). For this a different config file is used, originally written by Lars, and assign SANs to the server and client certificates. Additionally, the correct extensions are used for each of those, so that their usage is limited to the server or client use case. The client certificate is renamed from "worker" to "client". The lifetime of the certificates is increased, as a side effect of the new config file. [1] https://github.com/urllib3/urllib3/issues/497 [2] https://golang.org/doc/go1.15#commonname Co-authored-by: Lars Karlitski <lars@karlitski.net>
2020-11-11 16:40:56 +01:00 · 2020-11-11 16:40:56 +01:00 · 6f439dc34f
commit 6f439dc34f
parent f529ffe394
6 changed files with 107 additions and 48 deletions
--- a/test/container/builder/osbuild-koji.conf
+++ b/test/container/builder/osbuild-koji.conf
@ -1,7 +1,7 @@
 [composer]
 server = https://composer/
-ssl_cert = /share/worker-crt.pem, /share/worker-key.pem
-ssl_verify = /share/worker-ca.pem
+ssl_cert = /share/client-crt.pem, /share/client-key.pem
+ssl_verify = /share/client-ca.pem

 [koji]
 server = https://localhost:4343/kojihub/
--- a/test/copy-creds.sh
+++ b/test/copy-creds.sh
@ -10,12 +10,12 @@ fi
 TEST_DATA=${TEST_DATA:-test/data}
 SHARE_DIR=${SHARE_DIR:-/tmp/osbuild-composer-koji-test}

-if [[ -f "/etc/osbuild-composer/worker-key.pem" ]]; then
-  echo "Copying worker certificates"
+if [[ -f "/etc/osbuild-composer/client-key.pem" ]]; then
+  echo "Copying client certificates"

-  cp /etc/osbuild-composer/worker-key.pem ${SHARE_DIR}
-  cp /etc/osbuild-composer/worker-crt.pem ${SHARE_DIR}
-  cp /etc/osbuild-composer/ca-crt.pem ${SHARE_DIR}/worker-ca.pem
+  cp /etc/osbuild-composer/client-key.pem ${SHARE_DIR}
+  cp /etc/osbuild-composer/client-crt.pem ${SHARE_DIR}
+  cp /etc/osbuild-composer/ca-crt.pem ${SHARE_DIR}/client-ca.pem
 fi

 mkdir -p /etc/osbuild-composer
--- a/test/data/composer.ssl.conf
+++ b/test/data/composer.ssl.conf
@ -1,17 +0,0 @@
-[req]
-distinguished_name = req_distinguished_name
-req_extensions = v3_req
-prompt = no
-
-[req_distinguished_name]
-CN = localhost
-
-[v3_req]
-keyUsage = critical,keyEncipherment, dataEncipherment, digitalSignature
-extendedKeyUsage = critical,serverAuth,clientAuth,emailProtection
-basicConstraints = critical,CA:FALSE
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = localhost
-DNS.2 = composer
--- a/test/data/openssl.conf
+++ b/test/data/openssl.conf
@ -0,0 +1,70 @@
+#
+# ca options
+#
+
+[ca]
+default_ca = osbuild_ca
+
+[osbuild_ca]
+database        = /etc/osbuild-composer/index.txt
+new_certs_dir   = /etc/osbuild-composer
+rand_serial     = yes
+
+certificate     = /etc/osbuild-composer/ca-crt.pem
+private_key     = /etc/osbuild-composer/ca-key.pem
+
+default_days    = 3650
+default_md      = sha256
+
+x509_extensions = osbuild_ca_ext
+
+# See WARNINGS in `man openssl ca`. This is ok, because it only copies
+# extensions that are not already specified in `osbuild_ca_ext`.
+copy_extensions = copy
+
+preserve        = no
+policy          = osbuild_ca_policy
+
+
+[req]
+distinguished_name = req_distinguished_name
+prompt = no
+
+
+[req_distinguished_name]
+CN = localhost
+
+
+[osbuild_ca_ext]
+basicConstraints       = critical, CA:TRUE
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
+
+
+[osbuild_ca_policy]
+emailAddress = optional
+
+
+#
+# Extensions for server certificates
+#
+
+[osbuild_server_ext]
+basicConstraints       = critical, CA:FALSE
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid, issuer:always
+keyUsage               = critical, digitalSignature, keyEncipherment
+extendedKeyUsage       = serverAuth
+
+
+#
+# Extensions for client certificates
+#
+
+[osbuild_client_ext]
+basicConstraints       = CA:FALSE
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage               = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage       = clientAuth
--- a/test/data/osbuild-composer.toml
+++ b/test/data/osbuild-composer.toml
@ -1,5 +1,5 @@
 [koji]
-allowed_domains = ["localhost", "composer", "::1"]
+allowed_domains = ["client.osbuild.local", "localhost", "::1"]
 ca = "/etc/osbuild-composer/ca-crt.pem"

 [koji.servers.localhost.kerberos]
@ -7,5 +7,5 @@ principal = "osbuild-krb@LOCAL"
 keytab = "/etc/osbuild-composer/client.keytab"

 [worker]
-allowed_domains = ["localhost", "composer"]
+allowed_domains = ["localhost", "client.osbuild.local"]
 ca = "/etc/osbuild-composer/ca-crt.pem"
--- a/test/make-certs.sh
+++ b/test/make-certs.sh
@ -13,41 +13,47 @@ CA_DIR="/etc/osbuild-composer"
 echo "Generating certificates"
 mkdir -p ${CA_DIR}

+CONFIG="${TEST_DATA}/openssl.conf"
+
 # The CA
-openssl req -new -nodes -x509 -days 365 \
+echo "-=[ CA"
+touch "${CA_DIR}/index.txt"
+openssl req -new -nodes -x509 \
+        -config "${CONFIG}" \
+        -extensions osbuild_ca_ext \
        -keyout "${CA_DIR}/ca-key.pem" \
        -out "${CA_DIR}/ca-crt.pem" \
        -subj "/CN=osbuild.org"
-openssl genrsa -out "${CA_DIR}/key.pem" 2048

 # composer
+echo "-=[ composer"
 openssl genrsa -out ${CA_DIR}/composer-key.pem 2048
 openssl req -new -sha256 \
+        -config "${CONFIG}" \
        -key ${CA_DIR}/composer-key.pem	\
        -out ${CA_DIR}/composer-csr.pem \
-        -config ${TEST_DATA}/composer.ssl.conf
-openssl x509 -req \
-        -in ${CA_DIR}/composer-csr.pem \
-        -CA ${CA_DIR}/ca-crt.pem \
-        -CAkey ${CA_DIR}/ca-key.pem \
-        -CAcreateserial \
-        -out ${CA_DIR}/composer-crt.pem \
-        -extfile ${TEST_DATA}/composer.ssl.conf \
-        -extensions v3_req
+        -subj "/CN=composer" \
+        -addext "subjectAltName=DNS.1:localhost,DNS.2:composer"

-# worker
-openssl genrsa -out ${CA_DIR}/worker-key.pem 2048
+openssl ca -config "$CONFIG" -batch \
+        -extensions osbuild_server_ext \
+        -in "${CA_DIR}/composer-csr.pem" \
+        -out "${CA_DIR}/composer-crt.pem"
+
+# client
+echo "-=[ client"
+openssl genrsa -out ${CA_DIR}/client-key.pem 2048
 openssl req -new -sha256 \
-        -key ${CA_DIR}/worker-key.pem	\
-        -out ${CA_DIR}/worker-csr.pem \
-        -subj "/CN=localhost"
+        -config "${CONFIG}" \
+        -key ${CA_DIR}/client-key.pem	\
+        -out ${CA_DIR}/client-csr.pem \
+        -subj "/CN=client.osbuild.local" \
+        -addext "subjectAltName=DNS:client.osbuild.local"

-openssl x509 -req \
-        -in ${CA_DIR}/worker-csr.pem \
-        -CA ${CA_DIR}/ca-crt.pem \
-        -CAkey ${CA_DIR}/ca-key.pem \
-        -CAcreateserial \
-        -out ${CA_DIR}/worker-crt.pem
+openssl ca -config "$CONFIG" -batch \
+        -extensions osbuild_client_ext \
+        -in "${CA_DIR}/client-csr.pem" \
+        -out "${CA_DIR}/client-crt.pem"

 # fix permissions for composer
 chown _osbuild-composer:_osbuild-composer ${CA_DIR}/composer-*