[lxc-devel] [lxd/master] Make the inclusion of IP/hosts in cert optional

stgraber on Github lxc-bot at linuxcontainers.org
Wed Nov 13 23:12:33 UTC 2019


From 9b1d7b0630cdbbfa5a09139e3067323ed64feba7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 13 Nov 2019 14:13:38 -0800
Subject: [PATCH 1/5] shared/cert: Make adding of ip/names optional
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 shared/cert.go | 40 ++++++++++++++++++++++------------------
 1 file changed, 22 insertions(+), 18 deletions(-)

diff --git a/shared/cert.go b/shared/cert.go
index 35ec3be8bc..5388628ea3 100644
--- a/shared/cert.go
+++ b/shared/cert.go
@@ -42,13 +42,13 @@ import (
 //
 // If a CA certificate is found, it will be returned as well as second return
 // value (otherwise it will be nil).
-func KeyPairAndCA(dir, prefix string, kind CertKind) (*CertInfo, error) {
+func KeyPairAndCA(dir, prefix string, kind CertKind, addHosts bool) (*CertInfo, error) {
 	certFilename := filepath.Join(dir, prefix+".crt")
 	keyFilename := filepath.Join(dir, prefix+".key")
 
 	// Ensure that the certificate exists, or create a new one if it does
 	// not.
-	err := FindOrGenCert(certFilename, keyFilename, kind == CertClient)
+	err := FindOrGenCert(certFilename, keyFilename, kind == CertClient, addHosts)
 	if err != nil {
 		return nil, err
 	}
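Review bot: The new `addHosts` parameter of KeyPairAndCA is not described in the doc comment above the signature (the visible part only explains the CA return value), and the same gap exists at the signatures of FindOrGenCert, GenCert and GenerateMemCert in the later hunks of this file. A sentence such as `// addHosts selects whether the local host names and addresses are added as SANs to a newly generated certificate; when false, a server certificate gets the placeholder DNS name "unspecified" instead.` would cover all four, since that placeholder behaviour is what the last hunk introduces. KeyPairAndCA's body continues outside this hunk.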
@@ -212,14 +212,14 @@ func mynames() ([]string, error) {
 
 // FindOrGenCert generates a keypair if needed.
 // The type argument is false for server, true for client.
-func FindOrGenCert(certf string, keyf string, certtype bool) error {
+func FindOrGenCert(certf string, keyf string, certtype bool, addHosts bool) error {
 	if PathExists(certf) && PathExists(keyf) {
 		return nil
 	}
 
 	/* If neither stat succeeded, then this is our first run and we
 	 * need to generate cert and privkey */
-	err := GenCert(certf, keyf, certtype)
+	err := GenCert(certf, keyf, certtype, addHosts)
 	if err != nil {
 		return err
 	}
@@ -228,7 +228,7 @@ func FindOrGenCert(certf string, keyf string, certtype bool) error {
 }
 
 // GenCert will create and populate a certificate file and a key file
-func GenCert(certf string, keyf string, certtype bool) error {
+func GenCert(certf string, keyf string, certtype bool, addHosts bool) error {
 	/* Create the basenames if needed */
 	dir := path.Dir(certf)
 	err := os.MkdirAll(dir, 0750)
@@ -241,7 +241,7 @@ func GenCert(certf string, keyf string, certtype bool) error {
 		return err
 	}
 
-	certBytes, keyBytes, err := GenerateMemCert(certtype)
+	certBytes, keyBytes, err := GenerateMemCert(certtype, addHosts)
 	if err != nil {
 		return err
 	}
@@ -264,17 +264,12 @@ func GenCert(certf string, keyf string, certtype bool) error {
 
 // GenerateMemCert creates client or server certificate and key pair,
 // returning them as byte arrays in memory.
-func GenerateMemCert(client bool) ([]byte, []byte, error) {
+func GenerateMemCert(client bool, addHosts bool) ([]byte, []byte, error) {
 	privk, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
 	if err != nil {
 		return nil, nil, fmt.Errorf("Failed to generate key: %v", err)
 	}
 
-	hosts, err := mynames()
-	if err != nil {
-		return nil, nil, fmt.Errorf("Failed to get my hostname: %v", err)
-	}
-
 	validFrom := time.Now()
 	validTo := validFrom.Add(10 * 365 * 24 * time.Hour)
 
@@ -319,14 +314,23 @@ func GenerateMemCert(client bool) ([]byte, []byte, error) {
 		template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
 	}
 
-	for _, h := range hosts {
-		if ip, _, err := net.ParseCIDR(h); err == nil {
-			if !ip.IsLinkLocalUnicast() && !ip.IsLinkLocalMulticast() {
-				template.IPAddresses = append(template.IPAddresses, ip)
+	if addHosts {
+		hosts, err := mynames()
+		if err != nil {
+			return nil, nil, fmt.Errorf("Failed to get my hostname: %v", err)
+		}
+
+		for _, h := range hosts {
+			if ip, _, err := net.ParseCIDR(h); err == nil {
+				if !ip.IsLinkLocalUnicast() && !ip.IsLinkLocalMulticast() {
+					template.IPAddresses = append(template.IPAddresses, ip)
+				}
+			} else {
+				template.DNSNames = append(template.DNSNames, h)
 			}
-		} else {
-			template.DNSNames = append(template.DNSNames, h)
 		}
+	} else if !client {
+		template.DNSNames = []string{"unspecified"}
 	}
 
 	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &privk.PublicKey, privk)
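Review bot: The `else if !client` branch issues a server certificate whose only SAN is the literal DNS name `unspecified`, and nothing in the hunk explains why a placeholder is needed or what it means for verification; presumably a server certificate is expected to carry at least one SAN, and any peer that verifies this certificate by host name would now fail against it. A comment on that branch would make the contract explicit, for example `// No host SANs requested: keep a placeholder name so the server cert is still well-formed; peers must trust the certificate itself rather than match its name.`. Separately, `hosts, err := mynames()` inside the `if addHosts` block shadows the `err` declared at the top of the function, which is harmless here because the branch returns, but `var hosts []string` followed by `hosts, err = mynames()` would avoid the shadow. GenerateMemCert continues outside this hunk.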

From 92835fdb85fdf934140fbeadddb9a51df5d8838b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 13 Nov 2019 14:13:57 -0800
Subject: [PATCH 2/5] lxc/config: Update to changed cert functions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxc/config/cert.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lxc/config/cert.go b/lxc/config/cert.go
index 17b3f426a3..42ccf8312a 100644
--- a/lxc/config/cert.go
+++ b/lxc/config/cert.go
@@ -24,5 +24,5 @@ func (c *Config) GenerateClientCertificate() error {
 	certf := c.ConfigPath("client.crt")
 	keyf := c.ConfigPath("client.key")
 
-	return shared.FindOrGenCert(certf, keyf, true)
+	return shared.FindOrGenCert(certf, keyf, true, false)
 }

From 559322511e8cd50ced5ac55d0247ca269a3726cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 13 Nov 2019 14:14:06 -0800
Subject: [PATCH 3/5] lxd/util: Update to changed cert functions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/util/encryption.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lxd/util/encryption.go b/lxd/util/encryption.go
index 968d9ed044..8317f8de37 100644
--- a/lxd/util/encryption.go
+++ b/lxd/util/encryption.go
@@ -47,10 +47,12 @@ func LoadCert(dir string) (*shared.CertInfo, error) {
 	if shared.PathExists(filepath.Join(dir, "cluster.crt")) {
 		prefix = "cluster"
 	}
-	cert, err := shared.KeyPairAndCA(dir, prefix, shared.CertServer)
+
+	cert, err := shared.KeyPairAndCA(dir, prefix, shared.CertServer, true)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to load TLS certificate")
 	}
+
 	return cert, nil
 }
 

From c989d20383a78296bb1099cf366e8ad208a92fcf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 13 Nov 2019 15:08:45 -0800
Subject: [PATCH 4/5] lxd/vm: Update to changed cert functions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/vm_qemu.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lxd/vm_qemu.go b/lxd/vm_qemu.go
index 043fa4d74d..4f75feb046 100644
--- a/lxd/vm_qemu.go
+++ b/lxd/vm_qemu.go
@@ -292,13 +292,13 @@ func (vm *vmQemu) generateAgentCert() (string, string, string, string, error) {
 	clientKeyFile := filepath.Join(vm.Path(), "agent-client.key")
 
 	// Create server certificate.
-	err := shared.FindOrGenCert(agentCertFile, agentKeyFile, false)
+	err := shared.FindOrGenCert(agentCertFile, agentKeyFile, false, false)
 	if err != nil {
 		return "", "", "", "", err
 	}
 
 	// Create client certificate.
-	err = shared.FindOrGenCert(clientCertFile, clientKeyFile, true)
+	err = shared.FindOrGenCert(clientCertFile, clientKeyFile, true, false)
 	if err != nil {
 		return "", "", "", "", err
 	}
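Review bot: Passing `false` for addHosts on the agent server certificate means it is now issued with the placeholder DNS name from shared/cert.go rather than the VM's host names or addresses, so the client that connects to the agent can no longer rely on host-name verification for it; that is fine if that client pins the agent certificate file, which the hunk does not state. Suggest extending the comment to `// Create server certificate (no host SANs; the connecting client must trust this certificate directly).`. The enclosing generateAgentCert starts and ends outside this hunk.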

From 1bb508b53e3263ed5a6a17bb9fa7c5d97f165f3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 13 Nov 2019 14:17:51 -0800
Subject: [PATCH 5/5] lxd-agent: Update to changed cert functions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd-agent/network.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lxd-agent/network.go b/lxd-agent/network.go
index 07b5648ebc..e018493764 100644
--- a/lxd-agent/network.go
+++ b/lxd-agent/network.go
@@ -3,7 +3,6 @@ package main
 import (
 	"crypto/tls"
 	"net"
-	"path/filepath"
 	"sync"
 	"time"
 
@@ -57,7 +56,7 @@ func (l *networkListener) Accept() (net.Conn, error) {
 }
 
 func serverTLSConfig() (*tls.Config, error) {
-	certInfo, err := shared.KeyPairAndCA(filepath.Join("/", "media", "lxd_config"), "agent", shared.CertServer)
+	certInfo, err := shared.KeyPairAndCA(".", "agent", shared.CertServer, false)
 	if err != nil {
 		return nil, err
 	}
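Review bot: Replacing the absolute `/media/lxd_config` directory with `"."` ties the certificate location to the agent process's working directory, and because KeyPairAndCA falls through to FindOrGenCert, which generates a fresh key pair whenever the files are missing (patch 1 of this series), an unexpected working directory would silently produce a new, unprovisioned server certificate instead of an error. If the agent is guaranteed to have the config mount as its working directory before serverTLSConfig runs, a comment stating that assumption would help: `// Relative path: the agent runs with the config mount as its working directory.`. Otherwise consider resolving the directory explicitly so a missing cert surfaces as a failure rather than a regenerated key. serverTLSConfig continues outside this hunk.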

