From 6a3f20596b65b24479570d2fc67288bf833c8fbe Mon Sep 17 00:00:00 2001
From: "o.omahony"
Date: Tue, 30 Aug 2022 13:49:11 +0100
Subject: [PATCH 1/5] fixing certs

---
 .gitignore | 1 -
 .srl | 1 +
 Makefile | 33 +++++++++++++++++----------------
 scripts/mtls/gen_cert.sh | 3 ++-
 4 files changed, 20 insertions(+), 18 deletions(-)
 create mode 100644 .srl

diff --git a/.gitignore b/.gitignore
index b7627c3f6..ccf8b8e1f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,7 +6,6 @@ whitesource/
 *.log
 *.test
 *.orig
-certs/*
 sdk/certs/**
 __debug_bin
diff --git a/.srl b/.srl
new file mode 100644
index 000000000..4ccc62a09
--- /dev/null
+++ b/.srl
@@ -0,0 +1 @@
+9AAF95978EAA2C49
diff --git a/Makefile b/Makefile
index 41b5eaf04..0ae97b402 100644
--- a/Makefile
+++ b/Makefile
@@ -38,6 +38,7 @@ FREEBSD_DISTROS?="FreeBSD:12:amd64" "FreeBSD:13:amd64"
 APK_VERSIONS?=3.13 3.14 3.15 3.16
 APK_ARCHS?=aarch64 x86_64
+CERTS_DIR := ./build/certs
 PACKAGE_PREFIX := nginx-agent
 PACKAGES_DIR := ./build/packages
 PACKAGES_REPO := "pkgs-test.nginx.com"
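Review bot: Dropping `certs/*` leaves the new output location unignored: the Makefile hunk in this same commit moves the `certs:` target to `CERTS_DIR := ./build/certs`, but no `build/certs` pattern replaces the removed line, and the `.key` / `.key.*` entries visible as context in patch 3 match only a file named exactly `.key`, not `client.key` or `ca.key`. Unless `build/` is ignored somewhere outside this hunk, the private keys that `gen_cert.sh` writes unencrypted (`-nodes`) become addable untracked files after `make certs`. The `.srl` serial file committed by this very patch and removed again in patches 2 and 3 shows that generated artefacts were already landing in the tree. Suggest adding `build/certs/` (or a `*.key` pattern) in place of the removed line.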
@@ -258,29 +259,29 @@ test-install: ## Run agent install test
 # Cert Generation # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 certs: ## Generate TLS certificates
- scripts/mtls/gen_cnf.sh ca --cn 'client-ca.local' --state Cork --locality Cork --org NGINX --country IE --out certs/client/conf
- scripts/mtls/gen_cert.sh ca --config certs/client/conf/ca.cnf --out certs/client
+ scripts/mtls/gen_cnf.sh ca --cn 'client-ca.local' --state Cork --locality Cork --org NGINX --country IE --out ${CERTS_DIR}/client/conf
+ scripts/mtls/gen_cert.sh ca --config ${CERTS_DIR}/client/conf/ca.cnf --out ${CERTS_DIR}/client
- scripts/mtls/gen_cnf.sh intermediate --cn 'client-int.local' --org NGINX --locality Cork --out certs/client/conf
- scripts/mtls/gen_cert.sh intermediate --config certs/client/conf/int.cnf --ca-cert certs/client/ca.crt --ca-key certs/client/ca.key --out certs/client
+ scripts/mtls/gen_cnf.sh intermediate --cn 'client-int.local' --org NGINX --locality Cork --out ${CERTS_DIR}/client/conf
+ scripts/mtls/gen_cert.sh intermediate --config ${CERTS_DIR}/client/conf/int.cnf --ca-cert ${CERTS_DIR}/client/ca.crt --ca-key ${CERTS_DIR}/client/ca.key --out ${CERTS_DIR}/client
- scripts/mtls/gen_cnf.sh end-entity --cn 'client.local' --san 'DNS.1=client.local' --out certs/client/conf
- scripts/mtls/gen_cert.sh end-entity --config certs/client/conf/ee.cnf --ca-cert certs/client/int.crt --ca-key certs/client/int.key --out certs/client
+ scripts/mtls/gen_cnf.sh end-entity --cn 'client.local' --san 'DNS.1=client.local' --out ${CERTS_DIR}/client/conf
+ scripts/mtls/gen_cert.sh end-entity --config ${CERTS_DIR}/client/conf/ee.cnf --ca-cert ${CERTS_DIR}/client/int.crt --ca-key ${CERTS_DIR}/client/int.key --out ${CERTS_DIR}/client
- cp certs/client/ee.crt certs/client.crt
- cp certs/client/ee.key certs/client.key
+ cp ${CERTS_DIR}/client/ee.crt ${CERTS_DIR}/client.crt
+ cp ${CERTS_DIR}/client/ee.key ${CERTS_DIR}/client.key
- scripts/mtls/gen_cnf.sh ca --cn 'server-ca.local' --state Cork --locality Cork --org NGINX --country IE --out certs/server/conf
- scripts/mtls/gen_cert.sh ca --config certs/server/conf/ca.cnf --out certs/server
+ scripts/mtls/gen_cnf.sh ca --cn 'server-ca.local' --state Cork --locality Cork --org NGINX --country IE --out ${CERTS_DIR}/server/conf
+ scripts/mtls/gen_cert.sh ca --config ${CERTS_DIR}/server/conf/ca.cnf --out ${CERTS_DIR}/server
- scripts/mtls/gen_cnf.sh intermediate --cn 'server-int.local' --org NGINX --locality Cork --out certs/server/conf
- scripts/mtls/gen_cert.sh intermediate --config certs/server/conf/int.cnf --ca-cert certs/server/ca.crt --ca-key certs/server/ca.key --out certs/server
+ scripts/mtls/gen_cnf.sh intermediate --cn 'server-int.local' --org NGINX --locality Cork --out ${CERTS_DIR}/server/conf
+ scripts/mtls/gen_cert.sh intermediate --config ${CERTS_DIR}/server/conf/int.cnf --ca-cert ${CERTS_DIR}/server/ca.crt --ca-key ${CERTS_DIR}/server/ca.key --out ${CERTS_DIR}/server
- scripts/mtls/gen_cnf.sh end-entity --cn 'tls.example.com' --san 'DNS.1=tls.example.com' --out certs/server/conf
- scripts/mtls/gen_cert.sh end-entity --config certs/server/conf/ee.cnf --ca-cert certs/server/int.crt --ca-key certs/server/int.key --out certs/server
+ scripts/mtls/gen_cnf.sh end-entity --cn 'tls.example.com' --san 'DNS.1=tls.example.com' --out ${CERTS_DIR}/server/conf
+ scripts/mtls/gen_cert.sh end-entity --config ${CERTS_DIR}/server/conf/ee.cnf --ca-cert ${CERTS_DIR}/server/int.crt --ca-key ${CERTS_DIR}/server/int.key --out ${CERTS_DIR}/server
- cp certs/server/ee.crt certs/server.crt
- cp certs/server/ee.key certs/server.key
+ cp ${CERTS_DIR}/server/ee.crt ${CERTS_DIR}/server.crt
+ cp ${CERTS_DIR}/server/ee.key ${CERTS_DIR}/server.key
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # Docker Helper Targets #
diff --git a/scripts/mtls/gen_cert.sh b/scripts/mtls/gen_cert.sh
index ef2102316..d16f9fbfc 100755
--- a/scripts/mtls/gen_cert.sh
+++ b/scripts/mtls/gen_cert.sh
@@ -82,6 +82,7 @@ create_self_signed() {
 -new \
 -nodes \
 -x509 \
+ -sha256 \
 -keyout "$OUT/$1.key" \
 -out "$OUT/$1.crt" \
 -config "$CONFIG" \
@@ -171,4 +172,4 @@ case $1 in
 help "$0"
 exit 1
 ;;
-esac
\ No newline at end of file
+esac

From 627a55b9b487b319c0788dd27d3525114118920c Mon Sep 17 00:00:00 2001
From: "o.omahony"
Date: Tue, 30 Aug 2022 13:51:08 +0100
Subject: [PATCH 2/5] remove .srl

---
 .srl | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 .srl

diff --git a/.srl b/.srl
deleted file mode 100644
index 4ccc62a09..000000000
--- a/.srl
+++ /dev/null
@@ -1 +0,0 @@
-9AAF95978EAA2C49

From 3dec38251b3666cd9bdf69cbf914b09d0b34f65e Mon Sep 17 00:00:00 2001
From: "o.omahony"
Date: Tue, 30 Aug 2022 13:52:25 +0100
Subject: [PATCH 3/5] remove .srl

---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index ccf8b8e1f..9b8fdb9a3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,6 +11,7 @@ sdk/certs/**
 __debug_bin
 .key
 .key.*
+.srl
 .next-version
 .devops-utils/

From 3a9fc66ea40698a9fe925ec63f5339cab1fb761c Mon Sep 17 00:00:00 2001
From: "o.omahony"
Date: Tue, 30 Aug 2022 16:53:34 +0100
Subject: [PATCH 4/5] bumped the encryption

---
 scripts/mtls/gen_cert.sh | 7 ++++---
 scripts/mtls/gen_cnf.sh | 6 +++---
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/scripts/mtls/gen_cert.sh b/scripts/mtls/gen_cert.sh
index d16f9fbfc..82926b12f 100755
--- a/scripts/mtls/gen_cert.sh
+++ b/scripts/mtls/gen_cert.sh
@@ -79,10 +79,10 @@ parse_args() {
 create_self_signed() {
 if ! openssl req \
- -new \
+ -newkey rsa:4096 \
 -nodes \
 -x509 \
- -sha256 \
+ -sha512 \
 -keyout "$OUT/$1.key" \
 -out "$OUT/$1.crt" \
 -config "$CONFIG" \
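Review bot: `.srl` ignores only a file named exactly `.srl`, which covers the root-level file committed in patch 1 but not a serial file written as `<ca-name>.srl`, the name `openssl x509 -CAcreateserial` uses when no `-CAserial` path is given (that call is not visible here, so whether it applies is inferred). The neighbouring `.key` / `.key.*` lines have the same shape and the same limitation. `*.srl` would cover both cases, and the existing `.key` line may likewise have been intended as `*.key`.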
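Review bot: `-newkey rsa:4096` and `-sha512` on the `openssl req` command line take precedence over the `default_bits` and `default_md` values in the config that `gen_cnf.sh` writes (this same patch shows `default_bits = ${KEY_SIZE:-"4096"}` and `default_md = sha512` there), so for `create_self_signed` here and `create_csr` in the next hunk the `KEY_SIZE` environment knob no longer changes the generated key, and the digest is now maintained in two places. Either keep `-new` and let the config govern both values, or derive the flag from the same variable, e.g. `-newkey "rsa:${KEY_SIZE:-4096}" \`. The commit title says "encryption", but these flags set the RSA key size and the signature digest; the keys themselves are still written unencrypted by `-nodes`, which a one-line comment above the `openssl req` call should state so nobody reads the title as a key-protection change.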
@@ -96,8 +96,9 @@ create_self_signed() {
 create_csr() {
 if ! openssl req \
- -new \
+ -newkey rsa:4096 \
 -nodes \
+ -sha512 \
 -keyout "$OUT/$1.key" \
 -out "$OUT/$1.csr" \
 -config "$CONFIG" \
diff --git a/scripts/mtls/gen_cnf.sh b/scripts/mtls/gen_cnf.sh
index 782ac291e..ce28978ec 100755
--- a/scripts/mtls/gen_cnf.sh
+++ b/scripts/mtls/gen_cnf.sh
@@ -120,7 +120,7 @@ default_bits = ${KEY_SIZE:-"4096"}
 default_days = ${DAYS:-"365"}
 distinguished_name = req_distinguished_name
 prompt = no
-default_md = sha256
+default_md = sha512
 req_extensions = v3_req
 policy = policy
@@ -158,7 +158,7 @@ default_bits = ${KEY_SIZE:-"4096"}
 default_days = ${DAYS:-"365"}
 distinguished_name = req_distinguished_name
 prompt = no
-default_md = sha256
+default_md = sha512
 req_extensions = v3_req
 policy = policy
@@ -205,4 +205,4 @@ case $1 in
 help "$0"
 exit 1
 ;;
-esac
\ No newline at end of file
+esac

From 3768cfa9c830016a4f61bed1ae22db3ff544f867 Mon Sep 17 00:00:00 2001
From: "o.omahony"
Date: Tue, 30 Aug 2022 17:16:40 +0100
Subject: [PATCH 5/5] fix sdk tests

---
 sdk/config_helpers_test.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/sdk/config_helpers_test.go b/sdk/config_helpers_test.go
index c577f8adb..ccd56caf5 100644
--- a/sdk/config_helpers_test.go
+++ b/sdk/config_helpers_test.go
@@ -231,11 +231,11 @@ var tests = []struct {
 Mtime: &types.Timestamp{Seconds: 1633343804, Nanos: 15240107},
 SubjAltNames: nil,
 PublicKeyAlgorithm: "RSA",
- SignatureAlgorithm: "SHA256-RSA",
+ SignatureAlgorithm: "SHA512-RSA",
 SerialNumber: "12554968962670027276",
 SubjectKeyIdentifier: "75:50:E2:24:8F:6F:13:1D:81:20:E1:01:0B:57:2B:98:39:E5:2E:C3",
 Fingerprint: "48:6D:05:D4:78:10:91:15:69:74:9C:6A:54:F7:F2:FC:C8:93:46:E8:28:42:24:41:68:41:51:1E:1E:43:E0:12",
- FingerprintAlgorithm: "SHA256-RSA",
+ FingerprintAlgorithm: "SHA512-RSA",
 AuthorityKeyIdentifier: "3A:79:E0:3E:61:CD:94:29:1D:BB:45:37:0B:E9:78:E9:2F:40:67:CA",
 Version: 3,
 },
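Review bot: `default_md` stays a hard-coded literal in both generated config blocks changed here (the hunk at line 158 is identical) while its neighbours are env-parameterised (`${KEY_SIZE:-"4096"}`, `${DAYS:-"365"}`); for consistency, and so the digest is changed in one place, `default_md = ${DIGEST:-"sha512"}` would follow the file's own pattern (variable name is a suggestion). Note also that `gen_cert.sh`, changed in the same patch, now passes `-sha512` on the `openssl req` command line, which overrides this setting for those calls, so as far as this patch shows the value here only governs invocations that do not pass a digest explicitly; a short comment saying which consumer actually reads it would help the next person who "bumps" one and not the other.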
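Review bot: The expected `SignatureAlgorithm` and `FingerprintAlgorithm` change to `"SHA512-RSA"` while `SerialNumber`, `SubjectKeyIdentifier`, `AuthorityKeyIdentifier` and `Fingerprint` in the same struct literal stay identical, here and in the hunk at line 372. A certificate re-issued by the generator changed in patch 4 (fresh 4096-bit key, fresh serial) would change at least the SKI and the fingerprint, so either the fixture these cases parse is not produced by that path, or it was updated outside this series; which of the two holds is worth confirming before these expectations are trusted, unless the comparison ignores those fields. The `Fingerprint` value is 32 bytes, the length of a SHA-256 digest, so `FingerprintAlgorithm: "SHA512-RSA"` is only coherent if the helper under test copies the certificate's signature algorithm into that field rather than naming the fingerprint's digest; if that is the intent, a comment such as `// FingerprintAlgorithm mirrors the certificate signature algorithm, not the digest used for Fingerprint` on the first occurrence would save the next reader the same puzzle. The enclosing `tests` table begins and ends outside the hunk.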
@@ -372,12 +372,12 @@ var tests = []struct {
 Mtime: &types.Timestamp{Seconds: 1633343804, Nanos: 15240107},
 SubjAltNames: nil,
 PublicKeyAlgorithm: "RSA",
- SignatureAlgorithm: "SHA256-RSA",
+ SignatureAlgorithm: "SHA512-RSA",
 SerialNumber: "12554968962670027276",
 SubjectKeyIdentifier: "75:50:E2:24:8F:6F:13:1D:81:20:E1:01:0B:57:2B:98:39:E5:2E:C3",
 Fingerprint: "48:6D:05:D4:78:10:91:15:69:74:9C:6A:54:F7:F2:FC:C8:93:46:E8:28:42:24:41:68:41:51:1E:1E:43:E0:12",
 AuthorityKeyIdentifier: "3A:79:E0:3E:61:CD:94:29:1D:BB:45:37:0B:E9:78:E9:2F:40:67:CA",
- FingerprintAlgorithm: "SHA256-RSA",
+ FingerprintAlgorithm: "SHA512-RSA",
 Version: 3,
 },
 },