Alon Bar-Lev has uploaded a new change for review. Change subject: pki: accept subject name for certificate ......................................................................
pki: accept subject name for certificate This enables generating a completely empty certificate request, setting subject at engine machine. This much safer (security wise) and much easier to handle at host during bootstrap.
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=875528
Change-Id: I9798deff39a69f9fd25c0ab9e998b5a7b206daeb
Signed-off-by: Alon Bar-Lev <[email protected]>
---
M backend/manager/conf/ca/SignReq.sh
M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/VdsInstaller.java
M backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/hostinstall/OpenSslCAWrapper.java
3 files changed, 37 insertions(+), 13 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/63/9163/1
diff --git a/backend/manager/conf/ca/SignReq.sh b/backend/manager/conf/ca/SignReq.sh
index c58ce6f..20e0981 100755
--- a/backend/manager/conf/ca/SignReq.sh
+++ b/backend/manager/conf/ca/SignReq.sh
@@ -16,6 +16,8 @@
 printf "\tCA Directory = Full path to CA directory\n"
 printf "\tstartdate = in YYMMDDHHMMSSZ ANS1 format\n"
 printf "\tPass = Certificate password\n"
+ printf "\tHost = CN\n"
+ printf "\tOrganization = O\n"
 printf "\tlock file = Name of file to be used for locking\n"
 printf "\tlocking timeout = Amount of seconds to wait for locking\n"
 return 0
@@ -28,15 +30,15 @@
 sign () {
 cd $ca_dir
- openssl x509 -text -in ca.pem | grep "Subject Key Identifier"
- if [ "$?" -eq 0 ]; then
- openssl ca -batch -policy policy_match -config openssl.conf -extfile cert.conf -extensions v3_ca -cert ca.pem \
- -in requests/$req_file -keyfile private/ca.pem -passin pass:$cert_pass -days $exp_time -out certs/$out_file -startdate $start_time
- else
- openssl ca -batch -policy policy_match -config openssl.conf -cert ca.pem -in requests/$req_file -keyfile private/ca.pem \
- -passin pass:$cert_pass -days $exp_time -out certs/$out_file -startdate $start_time
+ if openssl x509 -text -in ca.pem | grep "Subject Key Identifier" > /dev/null; then
+ EXTRA_COMMAND="-extfile cert.conf -extensions v3_ca"
 fi
- return $?
+ openssl ca \
+ -batch -policy policy_match -config openssl.conf -cert ca.pem \
+ -in requests/$req_file -keyfile private/ca.pem -passin pass:$cert_pass \
+ -days $exp_time -out certs/$out_file -startdate $start_time \
+ ${req_name:+-subj "/O=$req_org/CN=$req_name"} \
+ ${EXTRA_COMMAND}
 }
 if [ "$#" -lt 6 ]; then
@@ -52,11 +54,16 @@
 ca_dir=$4
 start_time=$5
 cert_pass=$6
-lock_file=$7
+req_name=$7
+req_org=$8
+
+shift
+lock_file=$8
 if [ -z "$lock_file" ]; then
 lock_file=/var/lock/ovirt-engine/.openssl.exclusivelock
 fi
+shift
 timeout=$8
 if [ -z "$timeout" ]; then
 timeout=20
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/VdsInstaller.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/VdsInstaller.java
index 840c899..d8cd68d 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/VdsInstaller.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/VdsInstaller.java
@@ -371,6 +371,7 @@
 try {
 _certificate = OpenSslCAWrapper.SignCertificateRequest(
 _request,
+ _vds.gethost_name(),
 _vds.gethost_name()
 );
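Review bot: In `${req_name:+-subj "/O=$req_org/CN=$req_name"}` the host name and organization are spliced into the subject string unescaped, so a value containing `/` would be read by openssl as an extra RDN and end up in the issued certificate, and `-subj` discards whatever subject the request itself carried (intended here, but worth a comment). The script should reject such input before invoking openssl, e.g. `case "$req_name$req_org" in */*|*\\*) printf "invalid subject component\n" >&2; return 1;; esac` at the top of `sign ()`; the Java callers in VdsInstaller.java and OpenSslCAWrapper.java further down in this change pass the host name through unchanged, so the same check belongs there too. `EXTRA_COMMAND` is never reset before the `if`, so a variable of that name inherited from the environment would be appended to the openssl command line; add `EXTRA_COMMAND=` as the first line of `sign ()`. `-passin pass:$cert_pass` is moved rather than introduced by this hunk, but it still exposes the CA key password on the command line to anyone who can list processes on the engine host.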
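Review bot: The two `shift` calls make `lock_file=$8` and `timeout=$8` refer to different original positions (9 and 10), which is hard to read and easy to break the next time an argument is added; `lock_file=$9` and `timeout=${10}` with both `shift`s removed is equivalent and plainer. The `if [ "$#" -lt 6 ]; then` guard just above (its body lies outside the hunk) still accepts calls that omit the host name and organization, and a caller that still passes the lock file in position 7 would now have that path issued as the certificate CN because `req_name` is non-empty; either raise the minimum to 8 or check that `$7` looks like a host name before it reaches `sign ()`. Since an empty `req_name` is legitimate (the `${req_name:+…}` expansion then keeps the request's own subject), that guard is the only place a mis-ordered call would be caught.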
diff --git a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/hostinstall/OpenSslCAWrapper.java b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/hostinstall/OpenSslCAWrapper.java
index 2ab9c1e..d68e17f 100644
--- a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/hostinstall/OpenSslCAWrapper.java
+++ b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/hostinstall/OpenSslCAWrapper.java
@@ -20,7 +20,11 @@
 public class OpenSslCAWrapper {
- public static String SignCertificateRequest(String request, String label)
+ public static String SignCertificateRequest(
+ String request,
+ String label,
+ String hostname
+ )
 throws FileNotFoundException, UnsupportedEncodingException, IOException
 {
 File pkicertdir = new File(Config.resolveCABasePath(), "certs");
@@ -52,6 +56,7 @@
 if (
 !new OpenSslCAWrapper().SignCertificateRequest(
 reqFileName,
+ hostname,
 Config.<Integer> GetValue(ConfigValues.VdsCertificateValidityInYears) * 365,
 certFileName
 )
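Review bot: The new `hostname` parameter of the static `SignCertificateRequest(String request, String label, String hostname)` has no Javadoc, and since VdsInstaller.java passes `_vds.gethost_name()` for both `label` and `hostname` a reader cannot tell the two apart; a Javadoc on the method should state that `hostname` becomes the CN of the issued certificate's subject (with the configured organization as O) while `label` keeps its existing role, e.g. `@param hostname host name placed in the subject CN of the issued certificate; must be a bare host name, not a DN fragment`. An `Objects.requireNonNull(hostname, "hostname")` at the top would also fail early instead of surfacing as a null element when the command array is executed further down. The method body continues past the hunk, and the call in the second hunk (`reqFileName, hostname, ...`) only forwards the value.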
@@ -62,14 +67,21 @@
 return FileUtil.readAllText(new File(pkicertdir, certFileName).getPath());
 }
- public final boolean SignCertificateRequest(String requestFileName, int days, String signedCertificateFileName) {
+ public final boolean SignCertificateRequest(
+ String requestFileName,
+ String hostname,
+ int days,
+ String signedCertificateFileName
+ ) {
 log.debug("Entered SignCertificateRequest");
 boolean returnValue = true;
 String signRequestBatch = Config.resolveSignScriptPath();
 if (FileUtil.fileExists(signRequestBatch)) {
+ String organization = Config.<String> GetValue(ConfigValues.OrganizationName);
 Integer signatureTimeout = Config.<Integer> GetValue(ConfigValues.SignCertTimeoutInSeconds);
 String[] command_array =
- createCommandArray(signatureTimeout, signRequestBatch, requestFileName, days,
+ createCommandArray(signatureTimeout, signRequestBatch, requestFileName,
+ hostname, organization, days,
 signedCertificateFileName);
 returnValue = runCommandArray(command_array, signatureTimeout);
 } else {
@@ -175,6 +187,8 @@
 private String[] createCommandArray(Integer signatureTimeout,
 String signRequestBatch,
 String requestFileName,
+ String hostname,
+ String organization,
 int days,
 String signedCertificateFileName) {
 log.debug("Building command array for Sign Certificate request script");
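Review bot: `Config.<String> GetValue(ConfigValues.OrganizationName)` and the new `hostname` parameter go straight into `createCommandArray(...)` without a null or emptiness check, so an unset organization or a null host name would only fail when the array is handed to the process launcher (presumably inside `runCommandArray`, outside the hunk), with an error that does not name the cause. A guard before the array is built keeps the failure local: `if (hostname == null || hostname.isEmpty() || organization == null) {` / `log.error("Cannot sign certificate request: host name or organization name is missing"); return false;` / `}`. The `createCommandArray` signature in the second hunk now takes seven positional parameters, several of them `String`s that are easy to transpose at the call site; a short Javadoc listing their order and the script argument each maps to would help, and that method continues beyond the hunk.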
@@ -186,7 +200,9 @@
 SimpleDateFormat format = new SimpleDateFormat("yyMMddHHmmssZ");
 format.setTimeZone(TimeZone.getTimeZone("UTC"));
 String[] command_array = { signRequestBatch, requestFileName, signedCertificateFileName, "" + days,
- baseDirectoryPath, format.format(yesterday.getTime()), keystorePass, lockfileName, "" + (signatureTimeout / 2) };
+ baseDirectoryPath, format.format(yesterday.getTime()), keystorePass,
+ hostname, organization,
+ lockfileName, "" + (signatureTimeout / 2) };
 log.debug("Finished building command array for Sign Certificate request script");
 return command_array;
 }
--
To view, visit http://gerrit.ovirt.org/9163
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I9798deff39a69f9fd25c0ab9e998b5a7b206daeb
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Alon Bar-Lev <[email protected]>
_______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
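Review bot: The position of `hostname, organization,` inside `command_array` is coupled to the positional parameters SignReq.sh reads (`$7` and `$8`, ahead of the lock file and timeout), and nothing in either file records that contract; a comment on the array such as `// positional contract with SignReq.sh: req out days ca_dir startdate pass host org lock_file timeout` would make the coupling visible to whoever edits either side next. `keystorePass` is still passed as a plain argument on the rewritten line and the script forwards it as `-passin pass:`, so the CA key password is readable by other local users through the process list; that predates this change, but since the line is being rewritten anyway a `// TODO: move the passphrase off the command line (e.g. -passin fd: or env:)` note would be appropriate.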
