[lxc-devel] [lxd/master] Make the inclusion of IP/hosts in cert optional
stgraber on Github
lxc-bot at linuxcontainers.org
Wed Nov 13 23:12:33 UTC 2019
From 9b1d7b0630cdbbfa5a09139e3067323ed64feba7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 13 Nov 2019 14:13:38 -0800
Subject: [PATCH 1/5] shared/cert: Make adding of ip/names optional
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
shared/cert.go | 40 ++++++++++++++++++++++------------------
1 file changed, 22 insertions(+), 18 deletions(-)
diff --git a/shared/cert.go b/shared/cert.go
index 35ec3be8bc..5388628ea3 100644
--- a/shared/cert.go
+++ b/shared/cert.go
@@ -42,13 +42,13 @@ import (
//
// If a CA certificate is found, it will be returned as well as second return
// value (otherwise it will be nil).
-func KeyPairAndCA(dir, prefix string, kind CertKind) (*CertInfo, error) {
+func KeyPairAndCA(dir, prefix string, kind CertKind, addHosts bool) (*CertInfo, error) {
certFilename := filepath.Join(dir, prefix+".crt")
keyFilename := filepath.Join(dir, prefix+".key")
// Ensure that the certificate exists, or create a new one if it does
// not.
- err := FindOrGenCert(certFilename, keyFilename, kind == CertClient)
+ err := FindOrGenCert(certFilename, keyFilename, kind == CertClient, addHosts)
if err != nil {
return nil, err
}
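Review bot: The new `addHosts` parameter is left undocumented in KeyPairAndCA's doc comment, and likewise in the FindOrGenCert (@@ -212), GenCert (@@ -228) and GenerateMemCert (@@ -264) hunks below, even though the existing comments take care to explain the kind/certtype argument. A single line in each would suffice, e.g. `// addHosts controls whether the machine's hostnames and addresses are added to the certificate as SANs.` KeyPairAndCA's doc comment begins above this hunk.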
@@ -212,14 +212,14 @@ func mynames() ([]string, error) {
// FindOrGenCert generates a keypair if needed.
// The type argument is false for server, true for client.
-func FindOrGenCert(certf string, keyf string, certtype bool) error {
+func FindOrGenCert(certf string, keyf string, certtype bool, addHosts bool) error {
if PathExists(certf) && PathExists(keyf) {
return nil
}
/* If neither stat succeeded, then this is our first run and we
* need to generate cert and privkey */
- err := GenCert(certf, keyf, certtype)
+ err := GenCert(certf, keyf, certtype, addHosts)
if err != nil {
return err
}
@@ -228,7 +228,7 @@ func FindOrGenCert(certf string, keyf string, certtype bool) error {
}
// GenCert will create and populate a certificate file and a key file
-func GenCert(certf string, keyf string, certtype bool) error {
+func GenCert(certf string, keyf string, certtype bool, addHosts bool) error {
/* Create the basenames if needed */
dir := path.Dir(certf)
err := os.MkdirAll(dir, 0750)
@@ -241,7 +241,7 @@ func GenCert(certf string, keyf string, certtype bool) error {
return err
}
- certBytes, keyBytes, err := GenerateMemCert(certtype)
+ certBytes, keyBytes, err := GenerateMemCert(certtype, addHosts)
if err != nil {
return err
}
@@ -264,17 +264,12 @@ func GenCert(certf string, keyf string, certtype bool) error {
// GenerateMemCert creates client or server certificate and key pair,
// returning them as byte arrays in memory.
-func GenerateMemCert(client bool) ([]byte, []byte, error) {
+func GenerateMemCert(client bool, addHosts bool) ([]byte, []byte, error) {
privk, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
if err != nil {
return nil, nil, fmt.Errorf("Failed to generate key: %v", err)
}
- hosts, err := mynames()
- if err != nil {
- return nil, nil, fmt.Errorf("Failed to get my hostname: %v", err)
- }
-
validFrom := time.Now()
validTo := validFrom.Add(10 * 365 * 24 * time.Hour)
@@ -319,14 +314,23 @@ func GenerateMemCert(client bool) ([]byte, []byte, error) {
template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
}
- for _, h := range hosts {
- if ip, _, err := net.ParseCIDR(h); err == nil {
- if !ip.IsLinkLocalUnicast() && !ip.IsLinkLocalMulticast() {
- template.IPAddresses = append(template.IPAddresses, ip)
+ if addHosts {
+ hosts, err := mynames()
+ if err != nil {
+ return nil, nil, fmt.Errorf("Failed to get my hostname: %v", err)
+ }
+
+ for _, h := range hosts {
+ if ip, _, err := net.ParseCIDR(h); err == nil {
+ if !ip.IsLinkLocalUnicast() && !ip.IsLinkLocalMulticast() {
+ template.IPAddresses = append(template.IPAddresses, ip)
+ }
+ } else {
+ template.DNSNames = append(template.DNSNames, h)
}
- } else {
- template.DNSNames = append(template.DNSNames, h)
}
+ } else if !client {
+ template.DNSNames = []string{"unspecified"}
}
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &privk.PublicKey, privk)
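Review bot: The `else if !client` branch at the end of the hunk stamps every host-less server certificate with the same literal DNS SAN `"unspecified"`, a name no real host has, so such certificates are indistinguishable by name and are only safe if peers trust them by fingerprint rather than by hostname verification, which this hunk cannot confirm. The callers in lxd/vm_qemu.go and lxd-agent/network.go pass `false` for server certificates and therefore take this branch. A comment above the assignment would make the intent explicit, e.g. `// No host entries requested: add a fixed placeholder SAN so the server cert is not nameless; peers are expected to pin the certificate fingerprint, not verify the name.` Note also that when addHosts is true but mynames() yields no usable entry, the server certificate ends up with no SAN at all, unlike the placeholder branch; presumably acceptable, but worth stating. The remainder of GenerateMemCert lies outside the hunk.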
From 92835fdb85fdf934140fbeadddb9a51df5d8838b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 13 Nov 2019 14:13:57 -0800
Subject: [PATCH 2/5] lxc/config: Update to changed cert functions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
lxc/config/cert.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lxc/config/cert.go b/lxc/config/cert.go
index 17b3f426a3..42ccf8312a 100644
--- a/lxc/config/cert.go
+++ b/lxc/config/cert.go
@@ -24,5 +24,5 @@ func (c *Config) GenerateClientCertificate() error {
certf := c.ConfigPath("client.crt")
keyf := c.ConfigPath("client.key")
- return shared.FindOrGenCert(certf, keyf, true)
+ return shared.FindOrGenCert(certf, keyf, true, false)
}
From 559322511e8cd50ced5ac55d0247ca269a3726cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 13 Nov 2019 14:14:06 -0800
Subject: [PATCH 3/5] lxd/util: Update to changed cert functions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
lxd/util/encryption.go | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lxd/util/encryption.go b/lxd/util/encryption.go
index 968d9ed044..8317f8de37 100644
--- a/lxd/util/encryption.go
+++ b/lxd/util/encryption.go
@@ -47,10 +47,12 @@ func LoadCert(dir string) (*shared.CertInfo, error) {
if shared.PathExists(filepath.Join(dir, "cluster.crt")) {
prefix = "cluster"
}
- cert, err := shared.KeyPairAndCA(dir, prefix, shared.CertServer)
+
+ cert, err := shared.KeyPairAndCA(dir, prefix, shared.CertServer, true)
if err != nil {
return nil, errors.Wrap(err, "failed to load TLS certificate")
}
+
return cert, nil
}
From c989d20383a78296bb1099cf366e8ad208a92fcf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 13 Nov 2019 15:08:45 -0800
Subject: [PATCH 4/5] lxd/vm: Update to changed cert functions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
lxd/vm_qemu.go | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lxd/vm_qemu.go b/lxd/vm_qemu.go
index 043fa4d74d..4f75feb046 100644
--- a/lxd/vm_qemu.go
+++ b/lxd/vm_qemu.go
@@ -292,13 +292,13 @@ func (vm *vmQemu) generateAgentCert() (string, string, string, string, error) {
clientKeyFile := filepath.Join(vm.Path(), "agent-client.key")
// Create server certificate.
- err := shared.FindOrGenCert(agentCertFile, agentKeyFile, false)
+ err := shared.FindOrGenCert(agentCertFile, agentKeyFile, false, false)
if err != nil {
return "", "", "", "", err
}
// Create client certificate.
- err = shared.FindOrGenCert(clientCertFile, clientKeyFile, true)
+ err = shared.FindOrGenCert(clientCertFile, clientKeyFile, true, false)
if err != nil {
return "", "", "", "", err
}
From 1bb508b53e3263ed5a6a17bb9fa7c5d97f165f3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 13 Nov 2019 14:17:51 -0800
Subject: [PATCH 5/5] lxd-agent: Update to changed cert functions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
lxd-agent/network.go | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lxd-agent/network.go b/lxd-agent/network.go
index 07b5648ebc..e018493764 100644
--- a/lxd-agent/network.go
+++ b/lxd-agent/network.go
@@ -3,7 +3,6 @@ package main
import (
"crypto/tls"
"net"
- "path/filepath"
"sync"
"time"
@@ -57,7 +56,7 @@ func (l *networkListener) Accept() (net.Conn, error) {
}
func serverTLSConfig() (*tls.Config, error) {
- certInfo, err := shared.KeyPairAndCA(filepath.Join("/", "media", "lxd_config"), "agent", shared.CertServer)
+ certInfo, err := shared.KeyPairAndCA(".", "agent", shared.CertServer, false)
if err != nil {
return nil, err
}
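Review bot: Replacing the absolute `/media/lxd_config` path with `"."` makes the location of the agent's server key pair depend on the process working directory, which is chosen by whoever starts the agent rather than by this code; if the cwd is not the intended config directory, FindOrGenCert will silently generate a fresh key pair there or read whatever agent.crt/agent.key it finds. Consider deriving an explicit absolute path, or at least documenting the required cwd next to the call, e.g. `// Expects the config directory as cwd; agent.crt/agent.key are looked up relative to it.` serverTLSConfig continues outside the hunk.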