2
0
mirror of https://github.com/xcat2/confluent.git synced 2024-11-28 20:39:40 +00:00
confluent/misc/makealtca.py
Jarrod Johnson ed2a8b6f9d Provide an example to name constrain a CA
It's imperfect, and abetter procedure should be written up
for the more security conscious.
2024-09-23 10:45:31 -04:00

104 lines
4.2 KiB
Python

# This creates a locked down variant of a confluent CA
# The confluent CA naturally doesn't have any name constraints, which
# is great for flexibility.
# However, if actually being imported into a web browser, it is likely
# to want to limit the CA to apply to cluster resources rather
# than having a blank check to vouch for any and all subjects.
# This particular approach causes a certificate authority that
# can be imported and vouch for the subset of certificates
# that were issued by the normal CA that match name constraints
# Unfortunately, *ALL* names are checked, whether they are relevant
# to the conversation or not, so we reproduce the logic and the resultant
# CA is fragile to IP addresses.
# The better approach would be to issue a separate, full name only certificate
# and have a simpler alt CA. The same CA can be used to sign both certificates,
# and still import the limited one
import subprocess
import socket
import confluent.certutil as certutil
import sys
def create_alt_ca(certout, permitdomains):
# This is to create a constrained variant of the existing authority
# this will allow a client browser to only trust it for select domains
# while the nodes can more broadly trust it (e.g. to vouch for IP addresses)
sslcfg = certutil.get_openssl_conf_location()
newcfg = '/etc/confluent/tls/ca-alt/openssl-alt.cfg'
subj = subprocess.check_output(
['openssl', 'x509', '-subject', '-noout', '-in', '/etc/confluent/tls/ca/cacert.pem']
).decode().replace('subject=', '')
serial = subprocess.check_output(
['openssl', 'x509', '-serial', '-noout', '-in', '/etc/confluent/tls/ca/cacert.pem']
).decode().replace('serial=', '')
with open('/etc/confluent/tls/ca-alt/serial', 'w') as srl:
srl.write(serial)
settings = {
'dir': '/etc/confluent/tls/ca-alt',
'certificate': '$dir/cacert.pem',
'private_key': '$dir/private/cakey.pem',
'countryName': 'optional',
'stateOrProvinceName': 'optional',
'organizationName': 'optional',
}
keyin = '/etc/confluent/tls/ca/private/cakey.pem'
csrin = '/etc/confluent/tls/ca/ca.csr'
shortname = 'r3u20'
ipaddrs = list(certutil.get_ip_addresses())
san = [] # 'IP:{0}'.format(x) for x in ipaddrs]
# It is incorrect to put IP addresses as DNS type. However
# there exists non-compliant clients that fail with them as IP
# san.extend(['DNS:{0}'.format(x) for x in ipaddrs])
dnsnames = set(ipaddrs)
dnsnames.add(shortname)
for currip in ipaddrs:
dnsnames.add(socket.getnameinfo((currip, 0), 0)[0])
for currname in dnsnames:
san.append('DNS:{0}'.format(currname))
if permitdomains[0] == '':
permitdomains = []
nameconstraints = ['permitted;DNS:{}'.format(x) for x in permitdomains]
nameconstraints.extend(['permitted;{}'.format(x) for x in san])
nameconstraints = ','.join(nameconstraints)
if nameconstraints:
nameconstraints = f'nameConstraints = critical,{nameconstraints}\n'
certutil.mkdirp('/etc/confluent/tls/ca-alt/newcerts')
with open('/etc/confluent/tls/ca-alt/index.txt', 'w') as idx:
pass
with open(sslcfg, 'r') as cfgin:
with open(newcfg, 'w') as cfgfile:
for line in cfgin.readlines():
cfg = line.split('#')[0]
if '=' in cfg:
key, val = cfg.split('=', 1)
for stg in settings:
if certutil.substitute_cfg(stg, key, val, settings[stg], cfgfile, line):
break
else:
cfgfile.write(line.strip() + '\n')
continue
cfgfile.write(line.strip() + '\n')
cfgfile.write(f'\n[CACert]\nbasicConstraints = CA:true\n{nameconstraints}[ca_confluent]\n')
subprocess.check_call(
['openssl', 'ca', '-config', newcfg, '-batch', '-selfsign',
'-extensions', 'CACert', '-extfile', newcfg,
'-notext', '-startdate',
'19700101010101Z', '-enddate', '21000101010101Z', '-keyfile',
keyin, '-out', certout, '-in', csrin]
)
if __name__ == '__main__':
create_alt_ca(sys.argv[1], sys.argv[2].split(','))