From 53a1191ee3ee8e0f59f906f6f53511fcda3a8d95 Mon Sep 17 00:00:00 2001 From: Hussamuddin Nasir Date: Thu, 26 Jul 2018 12:42:08 -0400 Subject: [PATCH 1/4] This patch now sets the slice certificate expiry time to be whatever the slice's actual expiry time is. --- plugins/sarm/SAv1PersistentImplementation.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/plugins/sarm/SAv1PersistentImplementation.py b/plugins/sarm/SAv1PersistentImplementation.py index 4e82f80..05906a5 100644 --- a/plugins/sarm/SAv1PersistentImplementation.py +++ b/plugins/sarm/SAv1PersistentImplementation.py @@ -665,8 +665,9 @@ def create_slice(self, client_cert, credentials, options, session): # FIXME: Why is the cert lifeDays 365 days more than the diff between slice expiration and creation? cert, k = cert_util.create_cert(slice.slice_urn, \ issuer_key = self.key, issuer_cert = self.cert, \ - lifeDays = (slice.expiration - slice.creation).days + \ - SA.SLICE_CERT_LIFETIME, \ + lifeDays = (slice.expiration - dt.datetime.utcnow()).days,\ + # lifeDays = (slice.expiration - slice.creation).days + \ + # SA.SLICE_CERT_LIFETIME, \ email = slice.slice_email, uuidarg=slice.slice_id) slice.certificate = cert.save_to_string() @@ -790,7 +791,8 @@ def update_slice(self, client_cert, slice_urn, credentials, options, if (cert_exp < new_exp): cert, k = cert_util.create_cert(slice_urn, \ issuer_key = self.key, issuer_cert = self.cert, \ - lifeDays = (new_exp - slice_info.creation).days + SA.SLICE_CERT_LIFETIME, \ + #lifeDays = (new_exp - slice_info.creation).days + SA.SLICE_CERT_LIFETIME, \ + lifeDays = (new_exp - dt.datetime.utcnow()).days , \ email = slice_info.slice_email, uuidarg=slice_info.slice_id) # FIXME: Ticket #149: Save the slice key and # re-use it when re-generating the slice certifate From 274f64496a07f7d3fc1a84441e64478bfbe784cc Mon Sep 17 00:00:00 2001 
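Review bot: The new `lifeDays` argument leaves the old computation behind as two commented-out lines in the middle of the backslash-continued argument list (`# lifeDays = (slice.expiration - slice.creation).days + \` and `# SA.SLICE_CERT_LIFETIME, \`), which is dead code that is easy to misread as a live argument; the update_slice hunk of this patch does the same with `#lifeDays = (new_exp - slice_info.creation).days + SA.SLICE_CERT_LIFETIME, \`. Delete the commented lines in both places and, if `SA.SLICE_CERT_LIFETIME` has no remaining users, retire the constant as well. The `# FIXME: Why is the cert lifeDays 365 days more …` comment above the call no longer describes the code; replace it with a statement of the new intent such as `# Slice cert lifetime tracks the slice expiration, measured from now.` The subtraction also requires `slice.expiration` to be a naive datetime on the same clock as `dt.datetime.utcnow()` — if it is timezone-aware the expression raises TypeError, so confirm how the expiration is stored. create_slice's body continues outside the hunk.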
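Review bot: With `lifeDays` now measured from the current time to `new_exp`, the guard `if (cert_exp < new_exp):` just above will, as far as can be told from this hunk, be true on essentially every slice renewal, because the certificate's expiry now coincides with the slice's instead of exceeding it by `SA.SLICE_CERT_LIFETIME` days; each renewal therefore mints a new slice certificate and — per the `# FIXME: Ticket #149` comment below — a new private key, so anything holding the previous key pair must refetch it. If that is the intended behaviour, record it where the commented-out line now sits, e.g. `# Regenerate the slice cert on every renewal so its expiry tracks the slice.`; if not, Ticket #149 (reusing the slice key) becomes a prerequisite for this change rather than a follow-up. The comparison and subtraction also assume `cert_exp` and `new_exp` are naive datetimes on the same clock as `dt.datetime.utcnow()` — confirm against the caller. update_slice's body starts and ends outside the hunk.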
From: Hussamuddin Nasir Date: Thu, 26 Jul 2018 12:49:05 -0400 Subject: [PATCH 2/4] +1 added to offset the hours roundoff during cert generation --- plugins/sarm/SAv1PersistentImplementation.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/plugins/sarm/SAv1PersistentImplementation.py b/plugins/sarm/SAv1PersistentImplementation.py index 05906a5..551e4b2 100644 --- a/plugins/sarm/SAv1PersistentImplementation.py +++ b/plugins/sarm/SAv1PersistentImplementation.py @@ -662,10 +662,10 @@ def create_slice(self, client_cert, credentials, options, session): slice.slice_id = str(uuid.uuid4()) slice.owner_id = client_uuid slice.slice_urn = urn_for_slice(slice.slice_name, project_name) - # FIXME: Why is the cert lifeDays 365 days more than the diff between slice expiration and creation? + # Slice Certs now set to expire with slice expiry time . +1 added to offset the hours roundoff during cert generation cert, k = cert_util.create_cert(slice.slice_urn, \ issuer_key = self.key, issuer_cert = self.cert, \ - lifeDays = (slice.expiration - dt.datetime.utcnow()).days,\ + lifeDays = (slice.expiration - dt.datetime.utcnow()).days + 1,\ # lifeDays = (slice.expiration - slice.creation).days + \ # SA.SLICE_CERT_LIFETIME, \ email = slice.slice_email, uuidarg=slice.slice_id) @@ -792,7 +792,7 @@ def update_slice(self, client_cert, slice_urn, credentials, options, cert, k = cert_util.create_cert(slice_urn, \ issuer_key = self.key, issuer_cert = self.cert, \ #lifeDays = (new_exp - slice_info.creation).days + SA.SLICE_CERT_LIFETIME, \ - lifeDays = (new_exp - dt.datetime.utcnow()).days , \ + lifeDays = (new_exp - dt.datetime.utcnow()).days + 1, \ email = slice_info.slice_email, uuidarg=slice_info.slice_id) # FIXME: Ticket #149: Save the slice key and # re-use it when re-generating the slice certifate From 07044dfc7ead3c9763603cd1f9a8dd20444bb685 Mon Sep 17 00:00:00 2001 
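Review bot: `(slice.expiration - dt.datetime.utcnow()).days + 1` still yields zero or a negative `lifeDays` when `slice.expiration` is already in the past (expired by an hour gives `.days == -1`, so `lifeDays == 0`), and nothing in the hunk rejects that before `cert_util.create_cert` is called; guard it with `remaining = slice.expiration - dt.datetime.utcnow()` / `if remaining.total_seconds() <= 0: raise ValueError('slice expiration is in the past')` / `lifeDays = remaining.days + 1`. The `+ 1` deliberately issues a certificate that can outlive the slice by up to a day, which is acceptable only if relying parties consult the slice record rather than the certificate alone; the new comment should say so explicitly, e.g. `# +1 rounds the truncated day count up, so the cert may outlive the slice by < 24h.` rather than "offset the hours roundoff". The identical expression appears in the update_slice hunk of this patch; a small helper such as `_cert_life_days(expiration)` would keep the two from drifting. create_slice's body continues outside the hunk.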
From: Hussamuddin Nasir Date: Fri, 17 Aug 2018 15:40:18 -0400 Subject: [PATCH 3/4] Change all keygen code to use 2048 bit key instead of 1024 --- bin/geni-init-ca | 2 +- bin/geni-init-services | 2 +- bin/init-ca | 2 +- bin/mk-auth-req | 2 +- templates/openssl.cnf.tmpl | 2 +- tools/cert_utils.py | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/bin/geni-init-ca b/bin/geni-init-ca index 850bcaf..073d9a5 100755 --- a/bin/geni-init-ca +++ b/bin/geni-init-ca @@ -124,7 +124,7 @@ def init_ca(config, options): cmd = ['/usr/bin/openssl', 'req', '-x509', '-nodes', '-days', '1825', '-subj', '/CN=%s' % (config.authority), - '-newkey', 'rsa:1024', + '-newkey', 'rsa:2048', '-keyout', config.key, '-out', config.cert, '-config', ca_conf, diff --git a/bin/geni-init-services b/bin/geni-init-services index 82bf4c2..184cb78 100755 --- a/bin/geni-init-services +++ b/bin/geni-init-services @@ -236,7 +236,7 @@ def init_ca(config, options): cmd = ['/usr/bin/openssl', 'req', '-x509', '-nodes', '-days', '1825', '-subj', '/CN=%s' % (config.authority), - '-newkey', 'rsa:1024', + '-newkey', 'rsa:2048', '-keyout', config.key, '-out', config.cert, '-config', ca_conf, diff --git a/bin/init-ca b/bin/init-ca index 891ecca..8019275 100755 --- a/bin/init-ca +++ b/bin/init-ca @@ -32,7 +32,7 @@ EOF # Create the root certificate /usr/bin/openssl req -x509 -nodes -days 365 -subj "/CN=${FQDN}" \ - -newkey rsa:1024 -keyout "${CAKEY}" -out "${CACERT}" \ + -newkey rsa:2048 -keyout "${CAKEY}" -out "${CACERT}" \ -config "${EXT_FILE}" -extensions "${EXT_NAME}" /bin/rm "${EXT_FILE}" diff --git a/bin/mk-auth-req b/bin/mk-auth-req index cfd1c99..3b60687 100755 --- a/bin/mk-auth-req +++ b/bin/mk-auth-req 
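Review bot: Raising `-newkey` to `rsa:2048` strengthens the key, but the `openssl req -x509` command still passes no digest option, so the self-signed CA certificate's signature algorithm falls back to `default_md` in the config handed in via `-config ca_conf`, which this patch does not touch; if that template still selects sha1 the CA stays weak in its signature even with the larger key. Add `'-sha256',` to the argument list here and in the geni-init-services, init-ca, mk-auth-req and tools/cert_utils.py hunks, and set `default_md = sha256` in templates/openssl.cnf.tmpl next to the `default_bits` change. The key size is now hard-coded identically in six places; a single `KEY_BITS` setting in the config would keep them from drifting apart again. Keys and certificates already generated at 1024 bits are not affected by this change and need a separate rotation, which the commit message should mention. init_ca's body continues outside the hunk.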
@@ -16,7 +16,7 @@ OPENSSL=/usr/bin/openssl UUID=`/usr/bin/uuidgen -t` SUBJECT="/O=${SHORT_HOST}/OU=authority/OU=${AUTHORITY}/CN=${UUID}/emailAddress=${EMAIL}" -"${OPENSSL}" req -new -newkey rsa:1024 -nodes \ +"${OPENSSL}" req -new -newkey rsa:2048 -nodes \ -subj "${SUBJECT}" \ -keyout "${KEYFILE}" \ -out "${REQFILE}" diff --git a/templates/openssl.cnf.tmpl b/templates/openssl.cnf.tmpl index 18345de..a9895b8 100644 --- a/templates/openssl.cnf.tmpl +++ b/templates/openssl.cnf.tmpl @@ -98,7 +98,7 @@ emailAddress = optional #################################################################### [ req ] -default_bits = 1024 +default_bits = 2048 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes diff --git a/tools/cert_utils.py b/tools/cert_utils.py index ae6529f..45dd612 100644 --- a/tools/cert_utils.py +++ b/tools/cert_utils.py @@ -125,7 +125,7 @@ def make_csr(): (key_fd, key_file) = tempfile.mkstemp() os.close(key_fd) csr_request_args = ['/usr/bin/openssl', 'req', '-new', \ - '-newkey', 'rsa:1024', \ + '-newkey', 'rsa:2048', \ '-nodes', \ '-keyout', key_file, \ '-out', csr_file, '-batch'] From 704c2bfb92222966185358b7efeab3a8990d226b Mon Sep 17 00:00:00 2001 From: Hussamuddin Nasir Date: Thu, 27 Sep 2018 16:14:08 -0400 Subject: [PATCH 4/4] Added option to generate EKU in a certificate for users --- tools/cert_utils.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/cert_utils.py b/tools/cert_utils.py index 45dd612..752aa25 100644 --- a/tools/cert_utils.py +++ b/tools/cert_utils.py @@ -174,6 +174,7 @@ def make_cert(uuid, email, urn, signer_cert_file, signer_key_file, csr_file, extdata_template = "[ %s ]\n" + \ "subjectKeyIdentifier=hash\n" + \ "authorityKeyIdentifier=keyid:always,issuer:always\n" + \ + "extendedKeyUsage=serverAuth, clientAuth, timeStamping, codeSigning, emailProtection\n" + \ "basicConstraints = CA:false\n" extdata = extdata_template % extname
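Review bot: The added `extendedKeyUsage` line grants every certificate built from `extdata_template` the serverAuth, codeSigning and timeStamping purposes in addition to clientAuth and emailProtection, and it does so unconditionally — nothing in the hunk makes this the "option" the commit message describes. End-entity certificates for users should carry only the purposes they are actually used for, so restrict the default to `"extendedKeyUsage=clientAuth, emailProtection\n" + \` and, if other purposes are genuinely needed, pass the EKU list in as a parameter of make_cert instead of baking it into the template. Because the extension is not marked `critical`, verifiers that ignore EKU are unaffected, but those that honour it will now accept these certificates for TLS server and code-signing roles, which widens the impact of a leaked user or slice key. make_cert's signature and the rest of its body lie outside the hunk.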