
Merge pull request #3 from SUSE/secure-ssl-ca-password
Pass SSL password to Cheetah securely
Sergeykot committed Feb 18, 2019
2 parents 1c4186e + 23dc67d commit 31e6689
Showing 4 changed files with 31 additions and 11 deletions.
6 changes: 6 additions & 0 deletions package/yast2-rmt.changes
@@ -1,3 +1,9 @@
-------------------------------------------------------------------
Tue Feb 12 15:51:18 UTC 2019 - skotov@suse.com

- Release version 1.2.2
- Pass SSL password to Cheetah CLI interface securely (bsc#1119835)

-------------------------------------------------------------------
Fri Feb 1 10:58:34 UTC 2019 - fschueller@suse.com

2 changes: 1 addition & 1 deletion package/yast2-rmt.spec
Expand Up @@ -17,7 +17,7 @@


Name: yast2-rmt
Version: 1.2.1
Version: 1.2.2
Release: 0
BuildArch: noarch

22 changes: 16 additions & 6 deletions spec/rmt/ssl/certificate_generator_spec.rb
Expand Up @@ -79,19 +79,23 @@

context 'with valid password' do
it 'returns true' do
expect_any_instance_of(Cheetah::DefaultRecorder).not_to receive(:record_stdin)
expect(RMT::Execute).to receive(:on_target!).with(
'openssl', 'rsa', '-passin', 'stdin', '-in', ssl_files[:ca_private_key],
stdin: password
stdin: password,
logger: nil
).and_return(true)
expect(method_call).to eq(true)
end
end

context 'with invalid password' do
it 'returns false' do
expect_any_instance_of(Cheetah::DefaultRecorder).not_to receive(:record_stdin)
expect(RMT::Execute).to receive(:on_target!).with(
'openssl', 'rsa', '-passin', 'stdin', '-in', ssl_files[:ca_private_key],
stdin: password
stdin: password,
logger: nil
).and_raise(Cheetah::ExecutionFailed.new('', '', '', ''))
expect(method_call).to eq(false)
end
Expand Down Expand Up @@ -154,10 +158,12 @@
expect(Yast::SCR).to receive(:Write).with(scr_path, ssl_files[:ca_config], ca_config)
expect(Yast::SCR).to receive(:Write).with(scr_path, ssl_files[:server_config], server_config)

expect_any_instance_of(Cheetah::DefaultRecorder).not_to receive(:record_stdin)
expect(RMT::Execute).to receive(:on_target!).with(
'openssl', 'genrsa', '-aes256', '-passout', 'stdin', '-out',
ssl_files[:ca_private_key], described_class::OPENSSL_KEY_BITS,
stdin: ca_password
stdin: ca_password,
logger: nil
)

expect(RMT::Execute).to receive(:on_target!).with(
Expand All @@ -169,7 +175,8 @@
'openssl', 'req', '-x509', '-new', '-nodes',
'-key', ssl_files[:ca_private_key], '-sha256', '-days', described_class::OPENSSL_CA_VALIDITY_DAYS,
'-out', ssl_files[:ca_certificate], '-passin', 'stdin', '-config', ssl_files[:ca_config],
stdin: ca_password
stdin: ca_password,
logger: nil
)

expect(RMT::Execute).to receive(:on_target!).with(
Expand All @@ -183,7 +190,8 @@
'-CAkey', ssl_files[:ca_private_key], '-passin', 'stdin', '-days', described_class::OPENSSL_SERVER_CERT_VALIDITY_DAYS,
'-sha256', '-CAcreateserial', '-extensions', 'v3_server_sign',
'-extfile', ssl_files[:server_config],
stdin: ca_password
stdin: ca_password,
logger: nil
)

expect(Yast::SCR).to receive(:Read).with(scr_path, ssl_files[:server_certificate]).and_return(server_cert)
Expand Down Expand Up @@ -258,13 +266,15 @@
'-out', ssl_files[:server_csr], '-config', ssl_files[:server_config]
)

expect_any_instance_of(Cheetah::DefaultRecorder).not_to receive(:record_stdin)
expect(RMT::Execute).to receive(:on_target!).with(
'openssl', 'x509', '-req', '-in', ssl_files[:server_csr],
'-out', ssl_files[:server_certificate], '-CA', ssl_files[:ca_certificate],
'-CAkey', ssl_files[:ca_private_key], '-passin', 'stdin', '-days', described_class::OPENSSL_SERVER_CERT_VALIDITY_DAYS,
'-sha256', '-CAcreateserial', '-extensions', 'v3_server_sign',
'-extfile', ssl_files[:server_config],
stdin: ca_password
stdin: ca_password,
logger: nil
)

expect(Yast::SCR).to receive(:Read).with(scr_path, ssl_files[:server_certificate]).and_return(server_cert)
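Review bot: The new `expect_any_instance_of(Cheetah::DefaultRecorder).not_to receive(:record_stdin)` assertions (first in the 'with valid password' example, repeated in the other four examples of this file) cannot fail as written, because the `expect(RMT::Execute).to receive(:on_target!).with(...)` that follows each one replaces `on_target!` with a stub, so Cheetah and its recorder are never reached; unless a `before` block outside the hunks makes the stub call the original, the only effective guard is the `logger: nil` keyword inside the `.with(...)` matcher. If the intent is to prove that the recorder is bypassed, the expectation would need `.and_call_original` against a harmless command, or the recorder assertion could be dropped as redundant so a reader is not misled about what the example covers. The enclosing `context`/`it` blocks start and end outside the hunks.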
12 changes: 8 additions & 4 deletions src/lib/rmt/ssl/certificate_generator.rb
Expand Up @@ -65,7 +65,8 @@ def ca_encrypted?
def valid_password?(password)
RMT::Execute.on_target!(
'openssl', 'rsa', '-passin', 'stdin', '-in', @ssl_paths[:ca_private_key],
stdin: password
stdin: password,
logger: nil # do not log in order to securely pass password
)
true
rescue Cheetah::ExecutionFailed
Expand Down Expand Up @@ -98,13 +99,15 @@ def generate(common_name, alt_names, ca_password)

RMT::Execute.on_target!(
'openssl', 'genrsa', '-aes256', '-passout', 'stdin', '-out', @ssl_paths[:ca_private_key], OPENSSL_KEY_BITS,
stdin: ca_password
stdin: ca_password,
logger: nil # do not log in order to securely pass password
)
RMT::Execute.on_target!(
'openssl', 'req', '-x509', '-new', '-nodes', '-key', @ssl_paths[:ca_private_key],
'-sha256', '-days', OPENSSL_CA_VALIDITY_DAYS, '-out', @ssl_paths[:ca_certificate],
'-passin', 'stdin', '-config', @ssl_paths[:ca_config],
stdin: ca_password
stdin: ca_password,
logger: nil # do not log in order to securely pass password
)
end

Expand All @@ -120,7 +123,8 @@ def generate(common_name, alt_names, ca_password)
'-CA', @ssl_paths[:ca_certificate], '-CAkey', @ssl_paths[:ca_private_key],
'-passin', 'stdin', '-days', OPENSSL_SERVER_CERT_VALIDITY_DAYS, '-sha256',
'-CAcreateserial', '-extensions', 'v3_server_sign', '-extfile', @ssl_paths[:server_config],
stdin: ca_password
stdin: ca_password,
logger: nil # do not log in order to securely pass password
)
else
RMT::Execute.on_target!(
