lib/tls - devstack - Gitiles

 # lib/tls
 # Functions to control the configuration and operation of the TLS proxy service

 # !! source _before_ any services that use ``SERVICE_HOST``
 #
 # Dependencies:
 #
 # - ``functions`` file
 # - ``DEST``, ``DATA_DIR`` must be defined
 # - ``HOST_IP``, ``SERVICE_HOST``
 # - ``KEYSTONE_TOKEN_FORMAT`` must be defined

 # Entry points:
 #
 # - configure_CA
 # - init_CA

 # - configure_proxy
 # - start_tls_proxy

 # - make_root_ca
 # - make_int_ca
 # - new_cert $INT_CA_DIR int-server "abc"
 # - start_tls_proxy HOST_IP 5000 localhost 5000


 # Defaults
 # --------

 if is_service_enabled tls-proxy; then
     # TODO(dtroyer): revisit this below after the search for HOST_IP has been done
     TLS_IP=${TLS_IP:-$SERVICE_IP}

     # Set the default ``SERVICE_PROTOCOL`` for TLS
     SERVICE_PROTOCOL=https
 fi

 # Make up a hostname for cert purposes
 # will be added to /etc/hosts?
 DEVSTACK_HOSTNAME=secure.devstack.org
 DEVSTACK_CERT_NAME=devstack-cert
 DEVSTACK_CERT=$DATA_DIR/$DEVSTACK_CERT_NAME.pem

 # CA configuration
 ROOT_CA_DIR=${ROOT_CA_DIR:-$DATA_DIR/CA/root-ca}
 INT_CA_DIR=${INT_CA_DIR:-$DATA_DIR/CA/int-ca}

 ORG_NAME="OpenStack"
 ORG_UNIT_NAME="DevStack"

 # Stud configuration
 STUD_PROTO="--tls"
 STUD_CIPHERS='TLSv1+HIGH:!DES:!aNULL:!eNULL:@STRENGTH'


 # CA Functions
 # ============

 # There may be more than one, get specific
 OPENSSL=${OPENSSL:-/usr/bin/openssl}

 # Do primary CA configuration
 function configure_CA() {
     # build common config file

     # Verify ``TLS_IP`` is good
     if [[ -n "$HOST_IP" && "$HOST_IP" != "$TLS_IP" ]]; then
         # auto-discover has changed the IP
         TLS_IP=$HOST_IP
     fi
 }

 # Creates a new CA directory structure
 # create_CA_base ca-dir
 function create_CA_base() {
     local ca_dir=$1

     if [[ -d $ca_dir ]]; then
         # Bail out it exists
         return 0
     fi

     for i in certs crl newcerts private; do
         mkdir -p $ca_dir/$i
     done
     chmod 710 $ca_dir/private
     echo "01" >$ca_dir/serial
     cp /dev/null $ca_dir/index.txt
 }


 # Create a new CA configuration file
 # create_CA_config ca-dir common-name
 function create_CA_config() {
     local ca_dir=$1
     local common_name=$2

     echo "
 [ ca ]
 default_ca = CA_default

 [ CA_default ]
 dir                     = $ca_dir
 policy                  = policy_match
 database                = \$dir/index.txt
 serial                  = \$dir/serial
 certs                   = \$dir/certs
 crl_dir                 = \$dir/crl
 new_certs_dir           = \$dir/newcerts
 certificate             = \$dir/cacert.pem
 private_key             = \$dir/private/cacert.key
 RANDFILE                = \$dir/private/.rand
 default_md              = default

 [ req ]
 default_bits            = 1024
 default_md              = sha1

 prompt                  = no
 distinguished_name      = ca_distinguished_name

 x509_extensions         = ca_extensions

 [ ca_distinguished_name ]
 organizationName        = $ORG_NAME
 organizationalUnitName  = $ORG_UNIT_NAME Certificate Authority
 commonName              = $common_name

 [ policy_match ]
 countryName             = optional
 stateOrProvinceName     = optional
 organizationName        = match
 organizationalUnitName  = optional
 commonName              = supplied

 [ ca_extensions ]
 basicConstraints        = critical,CA:true
 subjectKeyIdentifier    = hash
 authorityKeyIdentifier  = keyid:always, issuer
 keyUsage                = cRLSign, keyCertSign

 " >$ca_dir/ca.conf
 }

 # Create a new signing configuration file
 # create_signing_config ca-dir
 function create_signing_config() {
     local ca_dir=$1

     echo "
 [ ca ]
 default_ca = CA_default

 [ CA_default ]
 dir                     = $ca_dir
 policy                  = policy_match
 database                = \$dir/index.txt
 serial                  = \$dir/serial
 certs                   = \$dir/certs
 crl_dir                 = \$dir/crl
 new_certs_dir           = \$dir/newcerts
 certificate             = \$dir/cacert.pem
 private_key             = \$dir/private/cacert.key
 RANDFILE                = \$dir/private/.rand
 default_md              = default

 [ req ]
 default_bits            = 1024
 default_md              = sha1

 prompt                  = no
 distinguished_name      = req_distinguished_name

 x509_extensions         = req_extensions

 [ req_distinguished_name ]
 organizationName        = $ORG_NAME
 organizationalUnitName  = $ORG_UNIT_NAME Server Farm

 [ policy_match ]
 countryName             = optional
 stateOrProvinceName     = optional
 organizationName        = match
 organizationalUnitName  = optional
 commonName              = supplied

 [ req_extensions ]
 basicConstraints        = CA:false
 subjectKeyIdentifier    = hash
 authorityKeyIdentifier  = keyid:always, issuer
 keyUsage                = digitalSignature, keyEncipherment, keyAgreement
 extendedKeyUsage        = serverAuth, clientAuth
 subjectAltName          = \$ENV::SUBJECT_ALT_NAME

 " >$ca_dir/signing.conf
 }

 # Create root and intermediate CAs
 # init_CA
 function init_CA {
     # Ensure CAs are built
     make_root_CA $ROOT_CA_DIR
     make_int_CA $INT_CA_DIR $ROOT_CA_DIR

     # Create the CA bundle
     cat $ROOT_CA_DIR/cacert.pem $INT_CA_DIR/cacert.pem >>$INT_CA_DIR/ca-chain.pem
 }

 # Create an initial server cert
 # init_cert
 function init_cert {
     if [[ ! -r $DEVSTACK_CERT ]]; then
         if [[ -n "$TLS_IP" ]]; then
             # Lie to let incomplete match routines work
             TLS_IP="DNS:$TLS_IP"
         fi
         make_cert $INT_CA_DIR $DEVSTACK_CERT_NAME $DEVSTACK_HOSTNAME "$TLS_IP"

         # Create a cert bundle
         cat $INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key $INT_CA_DIR/$DEVSTACK_CERT_NAME.crt $INT_CA_DIR/cacert.pem >$DEVSTACK_CERT
     fi
 }


 # make_cert creates and signs a new certificate with the given commonName and CA
 # make_cert ca-dir cert-name "common-name" ["alt-name" ...]
 function make_cert() {
     local ca_dir=$1
     local cert_name=$2
     local common_name=$3
     local alt_names=$4

     # Generate a signing request
     $OPENSSL req \
         -sha1 \
         -newkey rsa \
         -nodes \
         -keyout $ca_dir/private/$cert_name.key \
         -out $ca_dir/$cert_name.csr \
         -subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}"

     if [[ -z "$alt_names" ]]; then
         alt_names="DNS:${common_name}"
     else
         alt_names="DNS:${common_name},${alt_names}"
     fi

     # Sign the request valid for 1 year
     SUBJECT_ALT_NAME="$alt_names" \
     $OPENSSL ca -config $ca_dir/signing.conf \
         -extensions req_extensions \
         -days 365 \
         -notext \
         -in $ca_dir/$cert_name.csr \
         -out $ca_dir/$cert_name.crt \
         -subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}" \
         -batch
 }


 # Make an intermediate CA to sign everything else
 # make_int_CA ca-dir signing-ca-dir
 function make_int_CA() {
     local ca_dir=$1
     local signing_ca_dir=$2

     # Create the root CA
     create_CA_base $ca_dir
     create_CA_config $ca_dir 'Intermediate CA'
     create_signing_config $ca_dir

     # Create a signing certificate request
     $OPENSSL req -config $ca_dir/ca.conf \
         -sha1 \
         -newkey rsa \
         -nodes \
         -keyout $ca_dir/private/cacert.key \
         -out $ca_dir/cacert.csr \
         -outform PEM

     # Sign the intermediate request valid for 1 year
     $OPENSSL ca -config $signing_ca_dir/ca.conf \
         -extensions ca_extensions \
         -days 365 \
         -notext \
         -in $ca_dir/cacert.csr \
         -out $ca_dir/cacert.pem \
         -batch
 }

 # Make a root CA to sign other CAs
 # make_root_CA ca-dir
 function make_root_CA() {
     local ca_dir=$1

     # Create the root CA
     create_CA_base $ca_dir
     create_CA_config $ca_dir 'Root CA'

     # Create a self-signed certificate valid for 5 years
     $OPENSSL req -config $ca_dir/ca.conf \
         -x509 \
         -nodes \
         -newkey rsa \
         -days 21360 \
         -keyout $ca_dir/private/cacert.key \
         -out $ca_dir/cacert.pem \
         -outform PEM
 }


 # Proxy Functions
 # ===============

 # Starts the TLS proxy for the given IP/ports
 # start_tls_proxy front-host front-port back-host back-port
 function start_tls_proxy() {
     local f_host=$1
     local f_port=$2
     local b_host=$3
     local b_port=$4

     stud $STUD_PROTO -f $f_host,$f_port -b $b_host,$b_port $DEVSTACK_CERT 2>/dev/null
 }


 # Tell emacs to use shell-script-mode
 ## Local variables:
 ## mode: shell-script
 ## End:
	# lib/tls
	# Functions to control the configuration and operation of the TLS proxy service

	# !! source _before_ any services that use ``SERVICE_HOST``
	#
	# Dependencies:
	#
	# - ``functions`` file
	# - ``DEST``, ``DATA_DIR`` must be defined
	# - ``HOST_IP``, ``SERVICE_HOST``
	# - ``KEYSTONE_TOKEN_FORMAT`` must be defined

	# Entry points:
	#
	# - configure_CA
	# - init_CA

	# - configure_proxy
	# - start_tls_proxy

	# - make_root_ca
	# - make_int_ca
	# - new_cert $INT_CA_DIR int-server "abc"
	# - start_tls_proxy HOST_IP 5000 localhost 5000


	# Defaults
	# --------

	if is_service_enabled tls-proxy; then
	# TODO(dtroyer): revisit this below after the search for HOST_IP has been done
	TLS_IP=${TLS_IP:-$SERVICE_IP}

	# Set the default ``SERVICE_PROTOCOL`` for TLS
	SERVICE_PROTOCOL=https
	fi

	# Make up a hostname for cert purposes
	# will be added to /etc/hosts?
	DEVSTACK_HOSTNAME=secure.devstack.org
	DEVSTACK_CERT_NAME=devstack-cert
	DEVSTACK_CERT=$DATA_DIR/$DEVSTACK_CERT_NAME.pem

	# CA configuration
	ROOT_CA_DIR=${ROOT_CA_DIR:-$DATA_DIR/CA/root-ca}
	INT_CA_DIR=${INT_CA_DIR:-$DATA_DIR/CA/int-ca}

	ORG_NAME="OpenStack"
	ORG_UNIT_NAME="DevStack"

	# Stud configuration
	STUD_PROTO="--tls"
	STUD_CIPHERS='TLSv1+HIGH:!DES:!aNULL:!eNULL:@STRENGTH'


	# CA Functions
	# ============

	# There may be more than one, get specific
	OPENSSL=${OPENSSL:-/usr/bin/openssl}

	# Do primary CA configuration
	function configure_CA() {
	# build common config file

	# Verify ``TLS_IP`` is good
	if [[ -n "$HOST_IP" && "$HOST_IP" != "$TLS_IP" ]]; then
	# auto-discover has changed the IP
	TLS_IP=$HOST_IP
	fi
	}

	# Creates a new CA directory structure
	# create_CA_base ca-dir
	function create_CA_base() {
	local ca_dir=$1

	if [[ -d $ca_dir ]]; then
	# Bail out it exists
	return 0
	fi

	for i in certs crl newcerts private; do
	mkdir -p $ca_dir/$i
	done
	chmod 710 $ca_dir/private
	echo "01" >$ca_dir/serial
	cp /dev/null $ca_dir/index.txt
	}


	# Create a new CA configuration file
	# create_CA_config ca-dir common-name
	function create_CA_config() {
	local ca_dir=$1
	local common_name=$2

	echo "
	[ ca ]
	default_ca = CA_default

	[ CA_default ]
	dir = $ca_dir
	policy = policy_match
	database = \$dir/index.txt
	serial = \$dir/serial
	certs = \$dir/certs
	crl_dir = \$dir/crl
	new_certs_dir = \$dir/newcerts
	certificate = \$dir/cacert.pem
	private_key = \$dir/private/cacert.key
	RANDFILE = \$dir/private/.rand
	default_md = default

	[ req ]
	default_bits = 1024
	default_md = sha1

	prompt = no
	distinguished_name = ca_distinguished_name

	x509_extensions = ca_extensions

	[ ca_distinguished_name ]
	organizationName = $ORG_NAME
	organizationalUnitName = $ORG_UNIT_NAME Certificate Authority
	commonName = $common_name

	[ policy_match ]
	countryName = optional
	stateOrProvinceName = optional
	organizationName = match
	organizationalUnitName = optional
	commonName = supplied

	[ ca_extensions ]
	basicConstraints = critical,CA:true
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always, issuer
	keyUsage = cRLSign, keyCertSign

	" >$ca_dir/ca.conf
	}

	# Create a new signing configuration file
	# create_signing_config ca-dir
	function create_signing_config() {
	local ca_dir=$1

	echo "
	[ ca ]
	default_ca = CA_default

	[ CA_default ]
	dir = $ca_dir
	policy = policy_match
	database = \$dir/index.txt
	serial = \$dir/serial
	certs = \$dir/certs
	crl_dir = \$dir/crl
	new_certs_dir = \$dir/newcerts
	certificate = \$dir/cacert.pem
	private_key = \$dir/private/cacert.key
	RANDFILE = \$dir/private/.rand
	default_md = default

	[ req ]
	default_bits = 1024
	default_md = sha1

	prompt = no
	distinguished_name = req_distinguished_name

	x509_extensions = req_extensions

	[ req_distinguished_name ]
	organizationName = $ORG_NAME
	organizationalUnitName = $ORG_UNIT_NAME Server Farm

	[ policy_match ]
	countryName = optional
	stateOrProvinceName = optional
	organizationName = match
	organizationalUnitName = optional
	commonName = supplied

	[ req_extensions ]
	basicConstraints = CA:false
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always, issuer
	keyUsage = digitalSignature, keyEncipherment, keyAgreement
	extendedKeyUsage = serverAuth, clientAuth
	subjectAltName = \$ENV::SUBJECT_ALT_NAME

	" >$ca_dir/signing.conf
	}

	# Create root and intermediate CAs
	# init_CA
	function init_CA {
	# Ensure CAs are built
	make_root_CA $ROOT_CA_DIR
	make_int_CA $INT_CA_DIR $ROOT_CA_DIR

	# Create the CA bundle
	cat $ROOT_CA_DIR/cacert.pem $INT_CA_DIR/cacert.pem >>$INT_CA_DIR/ca-chain.pem
	}

	# Create an initial server cert
	# init_cert
	function init_cert {
	if [[ ! -r $DEVSTACK_CERT ]]; then
	if [[ -n "$TLS_IP" ]]; then
	# Lie to let incomplete match routines work
	TLS_IP="DNS:$TLS_IP"
	fi
	make_cert $INT_CA_DIR $DEVSTACK_CERT_NAME $DEVSTACK_HOSTNAME "$TLS_IP"

	# Create a cert bundle
	cat $INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key $INT_CA_DIR/$DEVSTACK_CERT_NAME.crt $INT_CA_DIR/cacert.pem >$DEVSTACK_CERT
	fi
	}


	# make_cert creates and signs a new certificate with the given commonName and CA
	# make_cert ca-dir cert-name "common-name" ["alt-name" ...]
	function make_cert() {
	local ca_dir=$1
	local cert_name=$2
	local common_name=$3
	local alt_names=$4

	# Generate a signing request
	$OPENSSL req \
	-sha1 \
	-newkey rsa \
	-nodes \
	-keyout $ca_dir/private/$cert_name.key \
	-out $ca_dir/$cert_name.csr \
	-subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}"

	if [[ -z "$alt_names" ]]; then
	alt_names="DNS:${common_name}"
	else
	alt_names="DNS:${common_name},${alt_names}"
	fi

	# Sign the request valid for 1 year
	SUBJECT_ALT_NAME="$alt_names" \
	$OPENSSL ca -config $ca_dir/signing.conf \
	-extensions req_extensions \
	-days 365 \
	-notext \
	-in $ca_dir/$cert_name.csr \
	-out $ca_dir/$cert_name.crt \
	-subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}" \
	-batch
	}


	# Make an intermediate CA to sign everything else
	# make_int_CA ca-dir signing-ca-dir
	function make_int_CA() {
	local ca_dir=$1
	local signing_ca_dir=$2

	# Create the root CA
	create_CA_base $ca_dir
	create_CA_config $ca_dir 'Intermediate CA'
	create_signing_config $ca_dir

	# Create a signing certificate request
	$OPENSSL req -config $ca_dir/ca.conf \
	-sha1 \
	-newkey rsa \
	-nodes \
	-keyout $ca_dir/private/cacert.key \
	-out $ca_dir/cacert.csr \
	-outform PEM

	# Sign the intermediate request valid for 1 year
	$OPENSSL ca -config $signing_ca_dir/ca.conf \
	-extensions ca_extensions \
	-days 365 \
	-notext \
	-in $ca_dir/cacert.csr \
	-out $ca_dir/cacert.pem \
	-batch
	}

	# Make a root CA to sign other CAs
	# make_root_CA ca-dir
	function make_root_CA() {
	local ca_dir=$1

	# Create the root CA
	create_CA_base $ca_dir
	create_CA_config $ca_dir 'Root CA'

	# Create a self-signed certificate valid for 5 years
	$OPENSSL req -config $ca_dir/ca.conf \
	-x509 \
	-nodes \
	-newkey rsa \
	-days 21360 \
	-keyout $ca_dir/private/cacert.key \
	-out $ca_dir/cacert.pem \
	-outform PEM
	}


	# Proxy Functions
	# ===============

	# Starts the TLS proxy for the given IP/ports
	# start_tls_proxy front-host front-port back-host back-port
	function start_tls_proxy() {
	local f_host=$1
	local f_port=$2
	local b_host=$3
	local b_port=$4

	stud $STUD_PROTO -f $f_host,$f_port -b $b_host,$b_port $DEVSTACK_CERT 2>/dev/null
	}


	# Tell emacs to use shell-script-mode
	## Local variables:
	## mode: shell-script
	## End: