Blame - lib/tls - devstack

blob: 202edeffbfc060ab748d23892f4812cc76388129 [file] [log] [blame]

Dean Troyer	c83a7e1	2012-11-29 11:47:58 -0600	[diff] [blame]	1	# lib/tls
				2	# Functions to control the configuration and operation of the TLS proxy service
				3
				4	# Dependencies:
				5	# !! source _before_ any services that use ``SERVICE_HOST``
				6	# ``functions`` file
				7	# ``DEST``, ``DATA_DIR`` must be defined
				8	# ``HOST_IP``, ``SERVICE_HOST``
				9	# ``KEYSTONE_TOKEN_FORMAT`` must be defined
				10
				11	# Entry points:
				12	# configure_CA
				13	# init_CA
				14
				15	# configure_proxy
				16	# start_tls_proxy
				17
				18	# make_root_ca
				19	# make_int_ca
				20	# new_cert $INT_CA_DIR int-server "abc"
				21	# start_tls_proxy HOST_IP 5000 localhost 5000
				22
				23
				24	if is_service_enabled tls-proxy; then
				25	# TODO(dtroyer): revisit this below after the search for HOST_IP has been done
				26	TLS_IP=${TLS_IP:-$SERVICE_IP}
				27
				28	# Set the default ``SERVICE_PROTOCOL`` for TLS
				29	SERVICE_PROTOCOL=https
				30	fi
				31
				32	# Make up a hostname for cert purposes
				33	# will be added to /etc/hosts?
				34	DEVSTACK_HOSTNAME=secure.devstack.org
				35	DEVSTACK_CERT_NAME=devstack-cert
				36	DEVSTACK_CERT=$DATA_DIR/$DEVSTACK_CERT_NAME.pem
				37
				38	# CA configuration
				39	ROOT_CA_DIR=${ROOT_CA_DIR:-$DATA_DIR/CA/root-ca}
				40	INT_CA_DIR=${INT_CA_DIR:-$DATA_DIR/CA/int-ca}
				41
				42	ORG_NAME="OpenStack"
				43	ORG_UNIT_NAME="DevStack"
				44
				45	# Stud configuration
				46	STUD_PROTO="--tls"
				47	STUD_CIPHERS='TLSv1+HIGH:!DES:!aNULL:!eNULL:@STRENGTH'
				48
				49
				50	# CA Functions
				51	# ============
				52
				53	# There may be more than one, get specific
				54	OPENSSL=${OPENSSL:-/usr/bin/openssl}
				55
				56	# Do primary CA configuration
				57	function configure_CA() {
				58	# build common config file
				59
				60	# Verify ``TLS_IP`` is good
				61	if [[ -n "$HOST_IP" && "$HOST_IP" != "$TLS_IP" ]]; then
				62	# auto-discover has changed the IP
				63	TLS_IP=$HOST_IP
				64	fi
				65	}
				66
				67	# Creates a new CA directory structure
				68	# create_CA_base ca-dir
				69	function create_CA_base() {
				70	local ca_dir=$1
				71
				72	if [[ -d $ca_dir ]]; then
				73	# Bail out it exists
				74	return 0
				75	fi
				76
				77	for i in certs crl newcerts private; do
				78	mkdir -p $ca_dir/$i
				79	done
				80	chmod 710 $ca_dir/private
				81	echo "01" >$ca_dir/serial
				82	cp /dev/null $ca_dir/index.txt
				83	}
				84
				85
				86	# Create a new CA configuration file
				87	# create_CA_config ca-dir common-name
				88	function create_CA_config() {
				89	local ca_dir=$1
				90	local common_name=$2
				91
				92	echo "
				93	[ ca ]
				94	default_ca = CA_default
				95
				96	[ CA_default ]
				97	dir = $ca_dir
				98	policy = policy_match
				99	database = \$dir/index.txt
				100	serial = \$dir/serial
				101	certs = \$dir/certs
				102	crl_dir = \$dir/crl
				103	new_certs_dir = \$dir/newcerts
				104	certificate = \$dir/cacert.pem
				105	private_key = \$dir/private/cacert.key
				106	RANDFILE = \$dir/private/.rand
				107	default_md = default
				108
				109	[ req ]
				110	default_bits = 1024
				111	default_md = sha1
				112
				113	prompt = no
				114	distinguished_name = ca_distinguished_name
				115
				116	x509_extensions = ca_extensions
				117
				118	[ ca_distinguished_name ]
				119	organizationName = $ORG_NAME
				120	organizationalUnitName = $ORG_UNIT_NAME Certificate Authority
				121	commonName = $common_name
				122
				123	[ policy_match ]
				124	countryName = optional
				125	stateOrProvinceName = optional
				126	organizationName = match
				127	organizationalUnitName = optional
				128	commonName = supplied
				129
				130	[ ca_extensions ]
				131	basicConstraints = critical,CA:true
				132	subjectKeyIdentifier = hash
				133	authorityKeyIdentifier = keyid:always, issuer
				134	keyUsage = cRLSign, keyCertSign
				135
				136	" >$ca_dir/ca.conf
				137	}
				138
				139	# Create a new signing configuration file
				140	# create_signing_config ca-dir
				141	function create_signing_config() {
				142	local ca_dir=$1
				143
				144	echo "
				145	[ ca ]
				146	default_ca = CA_default
				147
				148	[ CA_default ]
				149	dir = $ca_dir
				150	policy = policy_match
				151	database = \$dir/index.txt
				152	serial = \$dir/serial
				153	certs = \$dir/certs
				154	crl_dir = \$dir/crl
				155	new_certs_dir = \$dir/newcerts
				156	certificate = \$dir/cacert.pem
				157	private_key = \$dir/private/cacert.key
				158	RANDFILE = \$dir/private/.rand
				159	default_md = default
				160
				161	[ req ]
				162	default_bits = 1024
				163	default_md = sha1
				164
				165	prompt = no
				166	distinguished_name = req_distinguished_name
				167
				168	x509_extensions = req_extensions
				169
				170	[ req_distinguished_name ]
				171	organizationName = $ORG_NAME
				172	organizationalUnitName = $ORG_UNIT_NAME Server Farm
				173
				174	[ policy_match ]
				175	countryName = optional
				176	stateOrProvinceName = optional
				177	organizationName = match
				178	organizationalUnitName = optional
				179	commonName = supplied
				180
				181	[ req_extensions ]
				182	basicConstraints = CA:false
				183	subjectKeyIdentifier = hash
				184	authorityKeyIdentifier = keyid:always, issuer
				185	keyUsage = digitalSignature, keyEncipherment, keyAgreement
				186	extendedKeyUsage = serverAuth, clientAuth
				187	subjectAltName = \$ENV::SUBJECT_ALT_NAME
				188
				189	" >$ca_dir/signing.conf
				190	}
				191
Dean Troyer	ca80217	2013-01-09 19:08:02 -0600	[diff] [blame]	192	# Create root and intermediate CAs
Dean Troyer	c83a7e1	2012-11-29 11:47:58 -0600	[diff] [blame]	193	# init_CA
				194	function init_CA {
				195	# Ensure CAs are built
				196	make_root_CA $ROOT_CA_DIR
				197	make_int_CA $INT_CA_DIR $ROOT_CA_DIR
				198
				199	# Create the CA bundle
				200	cat $ROOT_CA_DIR/cacert.pem $INT_CA_DIR/cacert.pem >>$INT_CA_DIR/ca-chain.pem
Dean Troyer	ca80217	2013-01-09 19:08:02 -0600	[diff] [blame]	201	}
Dean Troyer	c83a7e1	2012-11-29 11:47:58 -0600	[diff] [blame]	202
Dean Troyer	ca80217	2013-01-09 19:08:02 -0600	[diff] [blame]	203	# Create an initial server cert
				204	# init_cert
				205	function init_cert {
Dean Troyer	c83a7e1	2012-11-29 11:47:58 -0600	[diff] [blame]	206	if [[ ! -r $DEVSTACK_CERT ]]; then
				207	if [[ -n "$TLS_IP" ]]; then
				208	# Lie to let incomplete match routines work
				209	TLS_IP="DNS:$TLS_IP"
				210	fi
				211	make_cert $INT_CA_DIR $DEVSTACK_CERT_NAME $DEVSTACK_HOSTNAME "$TLS_IP"
				212
				213	# Create a cert bundle
				214	cat $INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key $INT_CA_DIR/$DEVSTACK_CERT_NAME.crt $INT_CA_DIR/cacert.pem >$DEVSTACK_CERT
				215	fi
				216	}
				217
				218
				219	# make_cert creates and signs a new certificate with the given commonName and CA
				220	# make_cert ca-dir cert-name "common-name" ["alt-name" ...]
				221	function make_cert() {
				222	local ca_dir=$1
				223	local cert_name=$2
				224	local common_name=$3
				225	local alt_names=$4
				226
				227	# Generate a signing request
				228	$OPENSSL req \
				229	-sha1 \
				230	-newkey rsa \
				231	-nodes \
				232	-keyout $ca_dir/private/$cert_name.key \
				233	-out $ca_dir/$cert_name.csr \
				234	-subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}"
				235
				236	if [[ -z "$alt_names" ]]; then
				237	alt_names="DNS:${common_name}"
				238	else
				239	alt_names="DNS:${common_name},${alt_names}"
				240	fi
				241
				242	# Sign the request valid for 1 year
				243	SUBJECT_ALT_NAME="$alt_names" \
				244	$OPENSSL ca -config $ca_dir/signing.conf \
				245	-extensions req_extensions \
				246	-days 365 \
				247	-notext \
				248	-in $ca_dir/$cert_name.csr \
				249	-out $ca_dir/$cert_name.crt \
				250	-subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}" \
				251	-batch
				252	}
				253
				254
				255	# Make an intermediate CA to sign everything else
				256	# make_int_CA ca-dir signing-ca-dir
				257	function make_int_CA() {
				258	local ca_dir=$1
				259	local signing_ca_dir=$2
				260
				261	# Create the root CA
				262	create_CA_base $ca_dir
				263	create_CA_config $ca_dir 'Intermediate CA'
				264	create_signing_config $ca_dir
				265
				266	# Create a signing certificate request
				267	$OPENSSL req -config $ca_dir/ca.conf \
				268	-sha1 \
				269	-newkey rsa \
				270	-nodes \
				271	-keyout $ca_dir/private/cacert.key \
				272	-out $ca_dir/cacert.csr \
				273	-outform PEM
				274
				275	# Sign the intermediate request valid for 1 year
				276	$OPENSSL ca -config $signing_ca_dir/ca.conf \
				277	-extensions ca_extensions \
				278	-days 365 \
				279	-notext \
				280	-in $ca_dir/cacert.csr \
				281	-out $ca_dir/cacert.pem \
				282	-batch
				283	}
				284
				285	# Make a root CA to sign other CAs
				286	# make_root_CA ca-dir
				287	function make_root_CA() {
				288	local ca_dir=$1
				289
				290	# Create the root CA
				291	create_CA_base $ca_dir
				292	create_CA_config $ca_dir 'Root CA'
				293
				294	# Create a self-signed certificate valid for 5 years
				295	$OPENSSL req -config $ca_dir/ca.conf \
				296	-x509 \
				297	-nodes \
				298	-newkey rsa \
				299	-days 21360 \
				300	-keyout $ca_dir/private/cacert.key \
				301	-out $ca_dir/cacert.pem \
				302	-outform PEM
				303	}
				304
				305
				306	# Proxy Functions
				307	# ===============
				308
				309	# Starts the TLS proxy for the given IP/ports
				310	# start_tls_proxy front-host front-port back-host back-port
				311	function start_tls_proxy() {
				312	local f_host=$1
				313	local f_port=$2
				314	local b_host=$3
				315	local b_port=$4
				316
				317	stud $STUD_PROTO -f $f_host,$f_port -b $b_host,$b_port $DEVSTACK_CERT 2>/dev/null
				318	}