
Add a tool to generate X509 certificates #13559

Merged
merged 12 commits into from Sep 23, 2022

Conversation

antoniomanuelfr
Contributor

@antoniomanuelfr antoniomanuelfr commented May 23, 2022

Related issue
#11295

Description

Hello team!

This PR aims to add a tool to generate X509 certificates using the downloaded openssl lib instead of using the CLI. This will avoid unsuccessful manager installations if openssl isn't installed.

Closes #11295

Usage of the tool

The tool is embedded into wazuh-authd:

wazuh-authd -C 265 -B 2048 -K /var/ossec/etc/sslmanager.key -X /var/ossec/etc/sslmanager.cert -S "/C=US/ST=California/CN=wazuh/"
  • -C Specify the certificate validity in days.
  • -B Specify the certificate key size in bits.
  • -K Specify the path to store the certificate key.
  • -X Specify the path to store the certificate.
  • -S Specify the certificate subject.
root@ubuntumanager:~# pkill -f wazuh-authd
root@ubuntumanager:~# wazuh-authd -f
2022/07/11 11:08:02 wazuh-authd: INFO: Started (pid: 76558).
2022/07/11 11:08:02 wazuh-authd: ERROR: Unable to read certificate file (not found): etc/sslmanager.cert
2022/07/11 11:08:02 wazuh-authd: ERROR: SSL error. Exiting.
root@ubuntumanager:~# wazuh-authd -C 265 -B 2048 -K /var/ossec/etc/sslmanager.key -X /var/ossec/etc/sslmanager.cert -S "/C=US/ST=California/CN=wazuh/"
root@ubuntumanager:~# wazuh-authd -f
2022/07/11 11:08:10 wazuh-authd: INFO: Started (pid: 76560).
2022/07/11 11:08:10 wazuh-authd: INFO: Accepting connections on port 1515. No password required.
2022/07/11 11:08:10 wazuh-authd: INFO: Setting network timeout to 1.000000 sec.
^C2022/07/11 11:08:14 wazuh-authd: INFO: (1225): SIGNAL [(2)-(Interrupt)] Received. Exit Cleaning...
2022/07/11 11:08:15 wazuh-authd: INFO: Exiting...

Cert created with the tool

  • Executed the following command to generate the certificate: wazuh-authd -C 265 -B 2048 -K /var/ossec/etc/sslmanager.key -X /var/ossec/etc/sslmanager.cert -S "/C=US/ST=California/CN=wazuh/"
  • Executed the following command to get the certificate info: openssl x509 -text -in sslmanager.cert -noout > cert_tool.txt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            40:43:1a:57:38:14:75:2d:a3:61:11:5f:3d:bc:7a:4f:38:82:06:5c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = California, CN = wazuh
        Validity
            Not Before: Jul 11 11:08:08 2022 GMT
            Not After : Apr  2 11:08:08 2023 GMT
        Subject: C = US, ST = California, CN = wazuh
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:da:14:f0:e0:d3:93:ae:5e:8b:e6:a3:ce:5e:e7:
                    45:06:e3:36:e5:9f:93:ad:7b:2f:19:80:c1:99:85:
                    d9:97:03:bf:e6:c7:10:f1:0a:f0:6a:81:1c:68:98:
                    15:cb:34:11:16:d8:01:98:0a:d4:72:a3:08:05:65:
                    b0:46:fc:a5:b5:20:69:fd:80:44:25:b8:ac:17:54:
                    c3:42:bf:24:2c:c5:f5:00:76:99:5a:f4:6e:33:3e:
                    7b:3f:2d:47:2b:ea:56:2c:27:ad:d3:ba:f4:7e:81:
                    2c:56:89:ef:73:d8:01:89:47:fc:a9:68:fb:74:40:
                    99:5a:1d:2f:1d:ee:9e:ba:45:44:d6:03:ff:21:0d:
                    e0:70:70:8a:9e:3b:9c:be:50:73:0c:e2:b3:ad:47:
                    ad:89:dd:7f:61:86:64:48:63:d5:94:d5:cb:b7:49:
                    69:69:c8:0f:4c:4f:dd:c1:04:22:03:d5:ec:4b:22:
                    93:6e:3a:24:b2:a1:8a:21:ba:b9:08:f1:c6:54:65:
                    66:52:7d:24:37:d1:0a:1f:57:c6:9c:dc:d5:40:5e:
                    04:5f:cd:6f:e2:95:87:40:4d:ac:e1:c7:b2:ea:b2:
                    4a:fb:cb:c0:4b:55:7d:e1:02:45:20:5e:98:49:90:
                    03:b4:cf:94:d5:78:a7:fd:a6:f9:53:e0:f9:b1:e4:
                    8b:17
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                9B:FA:25:5C:79:CD:28:4C:44:CF:84:C7:70:6A:58:AE:75:AA:DB:48
            X509v3 Authority Key Identifier: 
                9B:FA:25:5C:79:CD:28:4C:44:CF:84:C7:70:6A:58:AE:75:AA:DB:48
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        59:f7:f2:a7:6e:ca:f7:14:89:5a:a4:3a:f8:71:82:93:79:3b:
        62:ee:2e:4e:7c:4d:68:6c:4f:e6:56:5f:f3:73:0c:73:fc:44:
        87:8e:37:9e:4f:24:41:0e:53:14:bc:08:14:65:29:c6:80:9a:
        74:e8:a4:3d:82:3c:dc:0b:74:d5:33:d2:b7:5b:b0:d3:67:d4:
        b1:a9:a4:ed:2e:de:1a:49:ae:32:5a:a5:b9:89:7c:5a:7b:9b:
        98:b0:71:b2:dc:70:af:a3:96:e7:d4:15:9e:0c:81:03:a1:77:
        59:62:5b:9b:18:6d:62:fd:f8:88:d3:99:a6:7b:75:47:a4:1a:
        18:e2:39:97:4b:88:09:3f:bf:ab:71:01:77:e4:2c:ec:d4:97:
        b0:b3:4f:9c:e0:7b:c0:32:9b:2d:b3:44:a0:96:31:c9:f4:fe:
        af:10:77:1b:69:0a:ec:b9:fd:8f:83:11:52:2b:2f:ac:a9:db:
        d0:52:8b:29:9e:86:74:36:7b:27:d2:d9:84:4f:75:8d:bf:6a:
        ab:3d:1e:47:9b:d3:78:b5:5f:9c:22:3d:3d:3a:47:94:08:91:
        aa:38:3f:59:bf:d2:cb:a6:4b:4f:da:a6:d7:b1:67:c8:7e:6e:
        f0:e1:43:24:dd:4a:86:e8:83:80:29:4c:95:b0:4e:4d:1b:bf:
        70:c1:7d:59

Cert created using OpenSSL CLI.

  • Using the following command to generate the certificate: openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -subj "/C=US/ST=California/CN=Wazuh/" -keyout /tmp/sslmanager_orig.key -out /tmp/sslmanager_orig.cert
  • Extracted information using the following command: openssl x509 -text -in /tmp/sslmanager_orig.cert -noout > cert_openssl.txt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3f:a5:c9:86:71:06:0f:d5:c6:a8:5e:eb:3a:1f:f7:be:a3:cd:d0:6f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = California, CN = Wazuh
        Validity
            Not Before: May 24 08:22:03 2022 GMT
            Not After : May 24 08:22:03 2023 GMT
        Subject: C = US, ST = California, CN = Wazuh
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:90:89:ea:c9:05:39:49:b9:81:a0:81:9a:5c:f3:
                    66:0e:3d:d9:ad:d5:66:9c:f3:0c:42:89:94:69:f2:
                    09:d7:61:ed:ae:6a:4a:a8:89:cc:e6:06:9b:21:8f:
                    f9:cc:65:ac:dc:47:81:d9:87:43:4f:c2:58:78:60:
                    0b:8b:d5:c3:a8:14:47:a9:fa:46:b1:2f:5a:33:59:
                    36:23:59:49:a8:45:72:0b:f1:59:61:f4:8a:0d:7c:
                    9b:81:02:a3:a9:32:7a:ad:7f:75:fe:7a:2f:75:e1:
                    c3:16:d8:b5:3a:8e:39:ff:0b:38:ac:df:5d:b6:b2:
                    5b:c0:e0:dd:be:7f:7b:e6:c2:6b:31:d0:ab:ed:9b:
                    7b:05:af:a4:00:c7:78:ce:3c:df:1e:a9:c2:c7:7f:
                    5d:2c:48:08:cb:87:d4:0c:de:b1:ca:3a:64:f9:64:
                    3d:dc:52:d8:5c:9c:2c:09:34:53:27:31:82:b9:19:
                    5d:37:38:eb:ae:f3:eb:aa:e4:be:ec:cd:6a:cb:59:
                    ed:2a:f2:89:1e:b1:c2:0b:72:18:9c:ee:30:fb:e8:
                    48:43:0d:68:bf:87:44:d0:2c:27:02:4b:c4:4b:1b:
                    40:24:07:58:8d:d7:85:41:a3:d4:a9:4f:3e:46:1b:
                    cb:d7:55:7f:1a:4f:89:3d:6e:93:12:3c:90:dc:67:
                    3b:99
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                24:1D:2B:C0:91:6E:51:FB:A8:69:38:6C:AF:85:E7:05:29:54:AC:8A
            X509v3 Authority Key Identifier: 
                24:1D:2B:C0:91:6E:51:FB:A8:69:38:6C:AF:85:E7:05:29:54:AC:8A
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        87:2b:a7:6e:8a:55:14:40:1c:37:5b:c3:38:b7:a5:a1:70:73:
        6d:fc:db:cb:dc:0d:15:46:41:25:da:6d:45:a3:8a:fb:f7:17:
        7f:2a:2c:e1:d3:50:9b:ea:fd:08:1e:3f:17:c8:03:10:d0:a6:
        f8:0d:79:28:83:7c:dd:8f:d3:24:14:d7:ed:97:56:4d:2b:02:
        d4:fc:39:36:86:1b:19:b6:de:d0:5a:d7:e3:31:7b:2a:8e:d8:
        9f:6f:97:60:b9:e0:ac:65:7a:fb:69:89:e4:02:9a:48:c8:b8:
        88:c1:f4:22:8a:89:25:2a:3d:07:0e:78:ac:04:cd:32:63:9a:
        49:4f:e9:73:f5:e4:f6:d2:9a:07:e5:b5:53:f1:2f:4a:2b:9f:
        0b:97:f9:59:23:2d:b6:24:e9:26:a6:99:e3:39:9b:92:97:7e:
        0f:6d:82:c6:c8:3d:bc:8f:98:8b:31:78:ef:e5:b1:1e:67:6b:
        1d:79:5a:5a:f1:63:c0:52:0f:85:e0:65:03:fe:7d:86:95:68:
        82:3c:d9:4f:22:da:b2:43:55:a4:d3:4c:72:b2:7e:bc:07:cd:
        3b:25:12:83:2f:31:c1:bb:9b:c3:bb:1a:06:c2:e0:09:fb:37:
        eb:c2:84:d2:3c:26:15:67:9c:7b:36:4a:99:1f:c1:e8:d6:82:
        d9:e1:79:79

Tests

  • Compilation without warnings in every supported platform
    • Linux
  • Source installation
  • Source upgrade
  • Memory tests for Linux
    • Scan-build report
    • Coverity
    • Valgrind (memcheck and descriptor leaks check)
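As an added example, not code from this PR or from the Wazuh project (which implements the tool in C against libcrypto), the Go program below does what the -C/-B/-S flags describe with only the standard library's crypto/x509, and produces the same shape of certificate as the two dumps above: a sha256WithRSA self-signature, a critical Basic Constraints CA:TRUE, and Subject and Authority Key Identifiers that are both the RFC 5280 method-1 value (SHA-1 of the subjectPublicKey BIT STRING). The function names, the refusal of keys under 2048 bits and of a non-positive validity, and writing the PEM to stdout are assumptions of the example, not behaviour of wazuh-authd; the same steps apply to libcrypto's X509_* API. Both the tool's and the CLI's dumps carry CA:TRUE because that is what `openssl req -x509` emits by default, so the example keeps it to allow a field-by-field comparison.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// parseSubject converts an OpenSSL-style "/C=US/ST=California/CN=wazuh/" string
// (the -S argument) into a pkix.Name; unknown attribute types are rejected
// rather than silently dropped from the certificate. (Example code, not authd's.)
func parseSubject(s string) (pkix.Name, error) {
	var n pkix.Name
	for _, part := range strings.Split(strings.Trim(s, "/"), "/") {
		k, v, ok := strings.Cut(part, "=")
		if !ok || v == "" {
			return n, fmt.Errorf("malformed subject component %q", part)
		}
		switch k {
		case "C":
			n.Country = append(n.Country, v)
		case "ST":
			n.Province = append(n.Province, v)
		case "CN":
			n.CommonName = v
		default:
			return n, fmt.Errorf("unsupported subject attribute %q", k)
		}
	}
	if n.CommonName == "" {
		return n, fmt.Errorf("subject %q has no CN", s)
	}
	return n, nil
}

// keyIdentifier is the RFC 5280 method-1 value: SHA-1 over the subjectPublicKey
// BIT STRING, which for rsaEncryption is the PKCS#1 RSAPublicKey encoding. This
// is how the SKI/AKI lines in both `openssl x509 -text` dumps above are derived.
func keyIdentifier(pub *rsa.PublicKey) []byte {
	sum := sha1.Sum(x509.MarshalPKCS1PublicKey(pub))
	return sum[:]
}

// generateSelfSigned does what the -C/-B/-S flags describe: an RSA key of `bits`,
// a certificate valid for `days`, self-signed with sha256WithRSA, critical Basic
// Constraints CA:TRUE and SKI == AKI. Returns PEM for the cert and the PKCS#1 key.
func generateSelfSigned(subject string, days, bits int) (certPEM, keyPEM []byte, err error) {
	if days <= 0 || bits < 2048 { // guard assumed by this example, not by authd
		return nil, nil, fmt.Errorf("refusing days=%d bits=%d (need days>0, bits>=2048)", days, bits)
	}
	name, err := parseSubject(subject)
	if err != nil {
		return nil, nil, err
	}
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	// Random 159-bit serial, the width `openssl req -x509` picks by default.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 159))
	if err != nil {
		return nil, nil, err
	}
	ski := keyIdentifier(&key.PublicKey)
	notBefore := time.Now().UTC().Truncate(time.Second) // X.509 times are whole seconds
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               name,
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(time.Duration(days) * 24 * time.Hour),
		SignatureAlgorithm:    x509.SHA256WithRSA,
		BasicConstraintsValid: true,
		IsCA:                  true,
		SubjectKeyId:          ski,
		AuthorityKeyId:        ski, // self-signed: the issuer key is the subject key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM, nil
}

func main() {
	// Same parameters as the authd invocation above; pipe into `openssl x509 -text -noout`.
	certPEM, _, err := generateSelfSigned("/C=US/ST=California/CN=wazuh/", 265, 2048)
	if err != nil {
		panic(err)
	}
	fmt.Print(string(certPEM))
}
```

Running it and piping the output through `openssl x509 -text -noout` gives a dump whose only differences from the tool's are the random serial, modulus and signature, which is the check worth doing before trusting a replacement for the CLI. Whatever writes the -K file should create it with mode 0600, since authd's key sits in /var/ossec/etc next to world-readable configuration.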

@antoniomanuelfr antoniomanuelfr added the labels type/bug (Something isn't working), type/bug/regression (Breaks functionality known to work in previous releases) and module/install (Issue related to the installation process) on May 23, 2022
@antoniomanuelfr
Contributor Author

Scan build didn't find any errors.

➜  build git:(11295-add-openssl-cert-tool) scan-build make
scan-build: Using '/usr/bin/clang-14' for static analysis
[ 50%] Building CXX object CMakeFiles/cert-creator.dir/cert-creator.cpp.o
[100%] Linking CXX executable cert-creator
[100%] Built target cert-creator
scan-build: Analysis run complete.
scan-build: Removing directory '/tmp/scan-build-2022-05-23-135500-84659-1' because it contains no reports.
scan-build: No bugs found.

@antoniomanuelfr antoniomanuelfr marked this pull request as ready for review May 24, 2022 08:30
@antoniomanuelfr antoniomanuelfr marked this pull request as draft May 31, 2022 13:32
@antoniomanuelfr antoniomanuelfr force-pushed the 11295-add-openssl-cert-tool branch 3 times, most recently from 376f25e to 7cde851 on July 8, 2022 14:23
@antoniomanuelfr antoniomanuelfr marked this pull request as ready for review July 11, 2022 11:10
@antoniomanuelfr
Contributor Author

The authd IT check fails due to wazuh/wazuh-qa#2922

Contributor

@chemamartinez chemamartinez left a comment


Please include a coverage report of the added functions.

Inline review threads (all resolved): src/init/inst-functions.sh (1, on an outdated revision); src/os_auth/main-server.c (9, of which 8 on outdated revisions)
@antoniomanuelfr
Contributor Author

Coverage report
coverage.zip

@chemamartinez
Contributor

Coverage report coverage.zip

Reached 100% coverage, GJ!

[image: coverage report screenshot]

chemamartinez
chemamartinez previously approved these changes Aug 3, 2022
Contributor

@chemamartinez chemamartinez left a comment


LGTM!

chemamartinez
chemamartinez previously approved these changes Aug 10, 2022
FrancoRivero
FrancoRivero previously approved these changes Aug 31, 2022
@FrancoRivero FrancoRivero dismissed stale reviews from chemamartinez and themself via 878af9e August 31, 2022 15:01
@jmv74211
Contributor

QA review

Development

Successfully merging this pull request may close these issues.

The manager won't start if OpenSSL is not installed
4 participants