From 6f439dc34f37c538f87ed3d8b34f523f33cc5d77 Mon Sep 17 00:00:00 2001 From: Christian Kellner Date: Wed, 11 Nov 2020 16:40:56 +0100 Subject: [PATCH] ci: rework ssl cert generation (SAN usage) Rework the generation of certificates, in order to make use of the SubjectAltName (SAN) extension, that is required for modern usage of TLS (see RFC 2818, or [1]) and now enforced by default for go version 1.15[2] (Fedora 33). For this a different config file is used, originally written by Lars, and assign SANs to the server and client certificates. Additionally, the correct extensions are used for each of those, so that their usage is limited to the server or client use case. The client certificate is renamed from "worker" to "client". The lifetime of the certificates is increased, as a side effect of the new config file. [1] https://github.com/urllib3/urllib3/issues/497 [2] https://golang.org/doc/go1.15#commonname Co-authored-by: Lars Karlitski --- test/container/builder/osbuild-koji.conf | 4 +- test/copy-creds.sh | 10 ++-- test/data/composer.ssl.conf | 17 ------ test/data/openssl.conf | 70 ++++++++++++++++++++++++ test/data/osbuild-composer.toml | 4 +- test/make-certs.sh | 50 +++++++++-------- 6 files changed, 107 insertions(+), 48 deletions(-) delete mode 100644 test/data/composer.ssl.conf create mode 100644 test/data/openssl.conf diff --git a/test/container/builder/osbuild-koji.conf b/test/container/builder/osbuild-koji.conf index cfd090a..9f85743 100644 --- a/test/container/builder/osbuild-koji.conf +++ b/test/container/builder/osbuild-koji.conf @@ -1,7 +1,7 @@ [composer] server = https://composer/ -ssl_cert = /share/worker-crt.pem, /share/worker-key.pem -ssl_verify = /share/worker-ca.pem +ssl_cert = /share/client-crt.pem, /share/client-key.pem +ssl_verify = /share/client-ca.pem [koji] server = https://localhost:4343/kojihub/ diff --git a/test/copy-creds.sh b/test/copy-creds.sh index 832978e..ec387ca 100755 --- a/test/copy-creds.sh +++ b/test/copy-creds.sh 
@@ -10,12 +10,12 @@ fi
 TEST_DATA=${TEST_DATA:-test/data}
 SHARE_DIR=${SHARE_DIR:-/tmp/osbuild-composer-koji-test}
-if [[ -f "/etc/osbuild-composer/worker-key.pem" ]]; then
- echo "Copying worker certificates"
+if [[ -f "/etc/osbuild-composer/client-key.pem" ]]; then
+ echo "Copying client certificates"
- cp /etc/osbuild-composer/worker-key.pem ${SHARE_DIR}
- cp /etc/osbuild-composer/worker-crt.pem ${SHARE_DIR}
- cp /etc/osbuild-composer/ca-crt.pem ${SHARE_DIR}/worker-ca.pem
+ cp /etc/osbuild-composer/client-key.pem ${SHARE_DIR}
+ cp /etc/osbuild-composer/client-crt.pem ${SHARE_DIR}
+ cp /etc/osbuild-composer/ca-crt.pem ${SHARE_DIR}/client-ca.pem
 fi
 mkdir -p /etc/osbuild-composer
diff --git a/test/data/composer.ssl.conf b/test/data/composer.ssl.conf
deleted file mode 100644
index 90896a7..0000000
--- a/test/data/composer.ssl.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-[req]
-distinguished_name = req_distinguished_name
-req_extensions = v3_req
-prompt = no
-
-[req_distinguished_name]
-CN = localhost
-
-[v3_req]
-keyUsage = critical,keyEncipherment, dataEncipherment, digitalSignature
-extendedKeyUsage = critical,serverAuth,clientAuth,emailProtection
-basicConstraints = critical,CA:FALSE
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = localhost
-DNS.2 = composer
diff --git a/test/data/openssl.conf b/test/data/openssl.conf
new file mode 100644
index 0000000..a1bdba2
--- /dev/null
+++ b/test/data/openssl.conf
@@ -0,0 +1,70 @@
+#
+# ca options
+#
+
+[ca]
+default_ca = osbuild_ca
+
+[osbuild_ca]
+database = /etc/osbuild-composer/index.txt
+new_certs_dir = /etc/osbuild-composer
+rand_serial = yes
+
+certificate = /etc/osbuild-composer/ca-crt.pem
+private_key = /etc/osbuild-composer/ca-key.pem
+
+default_days = 3650
+default_md = sha256
+
+x509_extensions = osbuild_ca_ext
+
+# See WARNINGS in `man openssl ca`. This is ok, because it only copies
+# extensions that are not already specified in `osbuild_ca_ext`.
+copy_extensions = copy
+
+preserve = no
+policy = osbuild_ca_policy
+
+
+[req]
+distinguished_name = req_distinguished_name
+prompt = no
+
+
+[req_distinguished_name]
+CN = localhost
+
+
+[osbuild_ca_ext]
+basicConstraints = critical, CA:TRUE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+
+[osbuild_ca_policy]
+emailAddress = optional
+
+
+#
+# Extensions for server certificates
+#
+
+[osbuild_server_ext]
+basicConstraints = critical, CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+
+#
+# Extensions for client certificates
+#
+
+[osbuild_client_ext]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth
diff --git a/test/data/osbuild-composer.toml b/test/data/osbuild-composer.toml
index 567f5b4..a1b7c7a 100644
--- a/test/data/osbuild-composer.toml
+++ b/test/data/osbuild-composer.toml
@@ -1,5 +1,5 @@
 [koji]
-allowed_domains = ["localhost", "composer", "::1"]
+allowed_domains = ["client.osbuild.local", "localhost", "::1"]
 ca = "/etc/osbuild-composer/ca-crt.pem"
 [koji.servers.localhost.kerberos]
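Review bot: The `[osbuild_ca_policy]` section lists only `emailAddress`, and `openssl ca` silently deletes every subject field the policy does not mention unless `-preserveDN`/`preserve = yes` is in effect (see POLICY FORMAT in `man ca`), so the `CN` that `make-certs.sh` puts into the CSRs via `-subj` never reaches the issued composer and client certificates and their subject ends up empty. SAN-based name checks, which are the point of this change, still work, but anything that still inspects the CommonName (logging, older verifiers, manual inspection) will see an empty subject, which is easy to mistake for a broken CSR. Add `commonName = supplied` to the policy section, and for consistency with `osbuild_server_ext` consider `basicConstraints = critical, CA:FALSE` in `osbuild_client_ext`. The comment above `copy_extensions` also names the wrong section: at signing time the extensions that take precedence over the CSR's are the ones selected with `-extensions` (`osbuild_server_ext` / `osbuild_client_ext`), `osbuild_ca_ext` only being the `x509_extensions` default, so `# extensions not already set in the section passed via -extensions (osbuild_server_ext / osbuild_client_ext)` would be accurate.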
@@ -7,5 +7,5 @@ principal = "osbuild-krb@LOCAL"
 keytab = "/etc/osbuild-composer/client.keytab"
 [worker]
-allowed_domains = ["localhost", "composer"]
+allowed_domains = ["localhost", "client.osbuild.local"]
 ca = "/etc/osbuild-composer/ca-crt.pem"
diff --git a/test/make-certs.sh b/test/make-certs.sh
index 3122cfc..96e4287 100755
--- a/test/make-certs.sh
+++ b/test/make-certs.sh
@@ -13,41 +13,47 @@ CA_DIR="/etc/osbuild-composer" echo "Generating certificates" mkdir -p ${CA_DIR} +CONFIG="${TEST_DATA}/openssl.conf" + # The CA -openssl req -new -nodes -x509 -days 365 \ +echo "-=[ CA" +touch "${CA_DIR}/index.txt" +openssl req -new -nodes -x509 \ + -config "${CONFIG}" \ + -extensions osbuild_ca_ext \ -keyout "${CA_DIR}/ca-key.pem" \ -out "${CA_DIR}/ca-crt.pem" \ -subj "/CN=osbuild.org" -openssl genrsa -out "${CA_DIR}/key.pem" 2048 # composer +echo "-=[ composer" openssl genrsa -out ${CA_DIR}/composer-key.pem 2048 openssl req -new -sha256 \ + -config "${CONFIG}" \ -key ${CA_DIR}/composer-key.pem \ -out ${CA_DIR}/composer-csr.pem \ - -config ${TEST_DATA}/composer.ssl.conf -openssl x509 -req \ - -in ${CA_DIR}/composer-csr.pem \ - -CA ${CA_DIR}/ca-crt.pem \ - -CAkey ${CA_DIR}/ca-key.pem \ - -CAcreateserial \ - -out ${CA_DIR}/composer-crt.pem \ - -extfile ${TEST_DATA}/composer.ssl.conf \ - -extensions v3_req + -subj "/CN=composer" \ + -addext "subjectAltName=DNS.1:localhost,DNS.2:composer" -# worker -openssl genrsa -out ${CA_DIR}/worker-key.pem 2048 +openssl ca -config "$CONFIG" -batch \ + -extensions osbuild_server_ext \ + -in "${CA_DIR}/composer-csr.pem" \ + -out "${CA_DIR}/composer-crt.pem" + +# client +echo "-=[ client" +openssl genrsa -out ${CA_DIR}/client-key.pem 2048 openssl req -new -sha256 \ - -key ${CA_DIR}/worker-key.pem \ - -out ${CA_DIR}/worker-csr.pem \ - -subj "/CN=localhost" + -config "${CONFIG}" \ + -key ${CA_DIR}/client-key.pem \ + -out ${CA_DIR}/client-csr.pem \ + -subj "/CN=client.osbuild.local" \ + -addext "subjectAltName=DNS:client.osbuild.local" -openssl x509 -req \ - -in ${CA_DIR}/worker-csr.pem \ - -CA ${CA_DIR}/ca-crt.pem \ - -CAkey ${CA_DIR}/ca-key.pem \ - -CAcreateserial \ - -out ${CA_DIR}/worker-crt.pem +openssl ca -config "$CONFIG" -batch \ + -extensions osbuild_client_ext \ + -in "${CA_DIR}/client-csr.pem" \ + -out "${CA_DIR}/client-crt.pem" # fix permissions for composer chown _osbuild-composer:_osbuild-composer 
${CA_DIR}/composer-*
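Review bot: Dropping `-days 365` from the CA's `openssl req -new -nodes -x509` invocation leaves the CA certificate at `req`'s built-in default of 30 days, because `default_days = 3650` in `[osbuild_ca]` is honoured only by `openssl ca` (which signs the composer and client certificates), not by `req -x509`. The leaf certificates are therefore valid for ten years while their issuer expires after a month, so the commit message's claim that lifetimes increased holds only for the leaves, and any environment that reuses the generated `ca-crt.pem` for longer than 30 days will start failing TLS verification. Make the CA lifetime explicit on that line, e.g. `openssl req -new -nodes -x509 -days 3650 \`. As a style point, the new lines mix `"$CONFIG"` with `"${CONFIG}"`, and quoted `"${CA_DIR}/..."` on the `openssl ca` calls with the unquoted `${CA_DIR}/...` of the `genrsa`/`req` calls; quoting all of them the same way is cheap and avoids surprises if `CA_DIR` ever contains a space.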