Merge pull request #606 from hussamnasir/slice_expiry_fix

Slice expiry fix
GENI-NSF · Sep 27, 2018 · afe2fdb · afe2fdb
2 parents 6ae51e4 + 704c2bf
commit afe2fdb
Show file tree

Hide file tree

Showing 7 changed files with 13 additions and 10 deletions.
diff --git a/bin/geni-init-ca b/bin/geni-init-ca
@@ -124,7 +124,7 @@ def init_ca(config, options):
     cmd = ['/usr/bin/openssl', 'req', '-x509', '-nodes',
            '-days', '1825',
            '-subj', '/CN=%s' % (config.authority),
-           '-newkey', 'rsa:1024',
+           '-newkey', 'rsa:2048',
            '-keyout', config.key,
            '-out', config.cert,
            '-config', ca_conf,

diff --git a/bin/geni-init-services b/bin/geni-init-services
@@ -236,7 +236,7 @@ def init_ca(config, options):
     cmd = ['/usr/bin/openssl', 'req', '-x509', '-nodes',
            '-days', '1825',
            '-subj', '/CN=%s' % (config.authority),
-           '-newkey', 'rsa:1024',
+           '-newkey', 'rsa:2048',
            '-keyout', config.key,
            '-out', config.cert,
            '-config', ca_conf,

diff --git a/bin/init-ca b/bin/init-ca
@@ -32,7 +32,7 @@ EOF
 
 # Create the root certificate
 /usr/bin/openssl req -x509 -nodes -days 365 -subj "/CN=${FQDN}" \
-                     -newkey rsa:1024 -keyout "${CAKEY}" -out "${CACERT}" \
+                     -newkey rsa:2048 -keyout "${CAKEY}" -out "${CACERT}" \
                      -config "${EXT_FILE}" -extensions "${EXT_NAME}"
 
 /bin/rm "${EXT_FILE}"
diff --git a/bin/mk-auth-req b/bin/mk-auth-req
@@ -16,7 +16,7 @@ OPENSSL=/usr/bin/openssl
 UUID=`/usr/bin/uuidgen -t`
 SUBJECT="/O=${SHORT_HOST}/OU=authority/OU=${AUTHORITY}/CN=${UUID}/emailAddress=${EMAIL}"
 
-"${OPENSSL}" req -new -newkey rsa:1024 -nodes \
+"${OPENSSL}" req -new -newkey rsa:2048 -nodes \
                  -subj "${SUBJECT}" \
                  -keyout "${KEYFILE}" \
                  -out "${REQFILE}"

diff --git a/plugins/sarm/SAv1PersistentImplementation.py b/plugins/sarm/SAv1PersistentImplementation.py
@@ -662,11 +662,12 @@ def create_slice(self, client_cert, credentials, options, session):
         slice.slice_id = str(uuid.uuid4())
         slice.owner_id = client_uuid
         slice.slice_urn = urn_for_slice(slice.slice_name, project_name)
-        # FIXME: Why is the cert lifeDays 365 days more than the diff between slice expiration and creation?
+        # Slice Certs now set to expire with slice expiry time . +1 added to offset the hours roundoff during cert generation
         cert, k = cert_util.create_cert(slice.slice_urn, \
             issuer_key = self.key, issuer_cert = self.cert, \
-            lifeDays = (slice.expiration - slice.creation).days + \
-                       SA.SLICE_CERT_LIFETIME, \
+            lifeDays = (slice.expiration - dt.datetime.utcnow()).days + 1,\
+  #          lifeDays = (slice.expiration - slice.creation).days + \
+  #                     SA.SLICE_CERT_LIFETIME, \
             email = slice.slice_email, uuidarg=slice.slice_id)
         slice.certificate = cert.save_to_string()
 
@@ -790,7 +791,8 @@ def update_slice(self, client_cert, slice_urn, credentials, options,
                 if (cert_exp < new_exp):
                     cert, k = cert_util.create_cert(slice_urn, \
                                                         issuer_key = self.key, issuer_cert = self.cert, \
-                                                        lifeDays = (new_exp - slice_info.creation).days + SA.SLICE_CERT_LIFETIME, \
+                                                        #lifeDays = (new_exp - slice_info.creation).days + SA.SLICE_CERT_LIFETIME, \
+                                                        lifeDays = (new_exp - dt.datetime.utcnow()).days + 1, \
                                                         email = slice_info.slice_email, uuidarg=slice_info.slice_id)
                     # FIXME: Ticket #149: Save the slice key and
                     # re-use it when re-generating the slice certifate

diff --git a/templates/openssl.cnf.tmpl b/templates/openssl.cnf.tmpl
@@ -98,7 +98,7 @@ emailAddress		= optional
 
 ####################################################################
 [ req ]
-default_bits		= 1024
+default_bits		= 2048
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes

diff --git a/tools/cert_utils.py b/tools/cert_utils.py
@@ -125,7 +125,7 @@ def make_csr():
     (key_fd, key_file) = tempfile.mkstemp()
     os.close(key_fd)
     csr_request_args = ['/usr/bin/openssl', 'req', '-new', \
-                            '-newkey', 'rsa:1024', \
+                            '-newkey', 'rsa:2048', \
                             '-nodes', \
                             '-keyout', key_file, \
                             '-out', csr_file, '-batch']
@@ -174,6 +174,7 @@ def make_cert(uuid, email, urn, signer_cert_file, signer_key_file, csr_file,
     extdata_template = "[ %s ]\n" + \
         "subjectKeyIdentifier=hash\n" + \
         "authorityKeyIdentifier=keyid:always,issuer:always\n" + \
+        "extendedKeyUsage=serverAuth, clientAuth, timeStamping, codeSigning, emailProtection\n" + \
         "basicConstraints = CA:false\n"
     extdata = extdata_template % extname