Juan Hernandez has posted comments on this change.
Change subject: pki: use PKCS#12 format to store keys
......................................................................
Patch Set 5: (6 inline comments)
This looks like a great simplification. It could be even better if you preserve
the "alias" concept (it is an integral part of the Java key store concept,
regardless of the implementation) and just change the default value to "1".
Please take into account that the engine private key is used by the
log-collector; changing the name of the file will break it.
The key material is used a lot by support people and users, so I would also
suggest that you submit a summary of the change to the users and devel lists
for comments.
....................................................
File backend/manager/conf/ca/CreateCA.sh
Line 27: echo O = $2 >> cacert.conf
Line 28: echo CN = $3 >> cacert.conf
Line 29: cp cert.template cert.conf
Line 30:
Line 31: openssl genrsa -out private/ca.pem 2048 && openssl req -new -key
private/ca.pem -config cacert.conf -out requests/ca.csr && openssl ca -selfsign
-out ca.pem -in requests/ca.csr -keyfile private/ca.pem -days 3650 -startdate
$4 -config openssl.conf -extfile cacert.conf -extensions v3_ca -batch &&
openssl x509 -in ca.pem -out certs/ca.der
Can you split this looong line?
Line 32:
Line 33: exit $?
....................................................
File backend/manager/conf/ca/generate-ssh-keys
Line 70
Line 71
Line 72
Line 73
Line 74
The SSH private key file is needed by the log-collector, otherwise it will not
be able to connect to hypervisors.
....................................................
File packaging/fedora/setup/basedefs.py
Line 81: FILE_IPTABLES_BACKUP="%s/ovirt-engine/conf/iptables.backup" %
DIR_USR_SHARE
Line 82: FILE_NFS_SYSCONFIG="%s/ovirt-engine/conf/nfs.sysconfig" % DIR_USR_SHARE
Line 83: FILE_NFS_BACKUP="%s/ovirt-engine/conf/nfs.backup" % DIR_USR_SHARE
Line 84: FILE_ETC_EXPORTS="/etc/exports"
Line 85: FILE_PRIVATE_KEY="%s/keys/engine.key.nopass"%(DIR_OVIRT_PKI)
This breaks the log-collector. You will need to coordinate with Keith Robertson
so that both this and the log-collector are changed in sync.
Line 86: FILE_YUM_VERSION_LOCK="/etc/yum/pluginconf.d/versionlock.list"
Line 87: FILE_ISOUPLOADER_CONF="/etc/ovirt-engine/isouploader.conf"
Line 88: FILE_LOGCOLLECTOR_CONF="/etc/ovirt-engine/logcollector.conf"
Line 89: FILE_PSQL_CONF="/var/lib/pgsql/data/postgresql.conf"
....................................................
File packaging/fedora/setup/engine-setup.py
Line 780: def _createCA():
Line 781:
Line 782: try:
Line 783: # Create new CA only if none available
Line 784: ksPath = os.path.join(basedefs.DIR_OVIRT_PKI, "ca.pem")
This variable should no longer be "ksPath" but "caPemPath" or something like
that.
Line 785: if not os.path.exists(ksPath):
Line 786: _updateCaCrtTemplate()
Line 787:
Line 788: # time.timezone is in seconds
Line 834: "-in", os.path.join(basedefs.DIR_OVIRT_PKI, "keys",
"engine.p12"),
Line 835: "-passin", "pass:" + basedefs.CONST_KEY_PASS,
Line 836: "-nodes",
Line 837: "-nocerts",
Line 838: "-out", os.path.join(basedefs.DIR_OVIRT_PKI, "keys",
basedefs.FILE_PRIVATE_KEY),
Replace tabs with spaces.
Take into account that the "engine_id_rsa" file is required by the
log-collector.
Line 839: ]
Line 840:
Line 841: out, rc = utils.execCmd(cmdList=cmd, failOnError=True,
msg=output_messages.ERR_RC_CODE, maskList=[basedefs.CONST_CA_PASS])
Line 842:
Line 864: logging.error(traceback.format_exc())
Line 865: raise Exception(output_messages.ERR_EXP_CREATE_CA)
Line 866:
Line 867: def _changeCaPermissions(pkiDir):
Line 868: changeList = [os.path.join(pkiDir, "private")]
A dictionary is probably better here:
permissionsMap = {
    "private": 0750,
    "ca.pem": 0640,
    "keys/engine.p12": 0640,
    ...
}
for fileName, filePermissions in permissionsMap.items():
    filePath = os.path.join(pkiDir, fileName)
    utils.chownToEngine(filePath)
    logging.debug(...)
    os.chmod(filePath, filePermissions)
Line 869: for item in changeList:
Line 870: utils.chownToEngine(item)
Line 871: logging.debug("changing file permissions for %s to 0750" %
(item))
Line 872: os.chmod(item, 0750)
--
To view, visit http://gerrit.ovirt.org/6883
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I2abda5778477faff09798a43cf3dc96435efb272
Gerrit-PatchSet: 5
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: Barak Azulay <[email protected]>
Gerrit-Reviewer: Doron Fediuck <[email protected]>
Gerrit-Reviewer: Itamar Heim <[email protected]>
Gerrit-Reviewer: Juan Hernandez <[email protected]>
Gerrit-Reviewer: Ofer Schreiber <[email protected]>
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches
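As an added example (not code from the ovirt-engine change or from this review), a Python 3 version of the permissions-map approach suggested in the _changeCaPermissions comment, plus a check that no file under the PKI directory is left world-readable after the key is extracted with `-nodes`. The `keys/engine_id_rsa` mode of 0600 is an assumption, and the directory layout built by `demo()` is constructed.

```python
import logging
import os
import stat
import tempfile

# Constructed map, keyed by path relative to the PKI directory; the
# first three entries follow the review, engine_id_rsa 0600 is assumed.
PERMISSIONS_MAP = {
    "private": 0o750,
    "ca.pem": 0o640,
    "keys/engine.p12": 0o640,
    "keys/engine_id_rsa": 0o600,
}


def apply_permissions(pki_dir, permissions_map):
    """chmod each entry and return {relative_path: mode actually set}."""
    applied = {}
    for rel_path, mode in permissions_map.items():
        path = os.path.join(pki_dir, rel_path)
        logging.debug("changing file permissions for %s to %o", path, mode)
        os.chmod(path, mode)
        applied[rel_path] = stat.S_IMODE(os.stat(path).st_mode)
    return applied


def world_readable_files(pki_dir):
    """Return relative paths of files under pki_dir that any user can read."""
    leaks = []
    for root, _dirs, files in os.walk(pki_dir):
        for name in files:
            path = os.path.join(root, name)
            if os.stat(path).st_mode & stat.S_IROTH:
                leaks.append(os.path.relpath(path, pki_dir))
    return sorted(leaks)


def demo():
    """Build a constructed PKI tree with 0644 files, fix it, return (before, after, fixed)."""
    pki_dir = tempfile.mkdtemp(prefix="pki-demo-")
    os.mkdir(os.path.join(pki_dir, "private"))
    os.mkdir(os.path.join(pki_dir, "keys"))
    for rel_path in ("ca.pem", "keys/engine.p12", "keys/engine_id_rsa"):
        with open(os.path.join(pki_dir, rel_path), "w") as fh:
            fh.write("constructed placeholder, not real key material\n")
        os.chmod(os.path.join(pki_dir, rel_path), 0o644)  # typical sloppy default
    before = world_readable_files(pki_dir)
    fixed = apply_permissions(pki_dir, PERMISSIONS_MAP)
    after = world_readable_files(pki_dir)
    return before, after, fixed
```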