openssl: Improve cert generation and generate vpn certs

* use easyrsa for cert generation/management * generate vpn requirements (ca, crt, dh) * remove `node` requirement for generating jwt kid * fix root ca cert generation * fix haproxy certificate generation Signed-off-by: Will Boyce <will@resin.io>
balena-io · Sep 27, 2018 · 8be8bca · 8be8bca
1 parent 3a0bed7
commit 8be8bca
Show file tree

Hide file tree

Showing 12 changed files with 234 additions and 209 deletions.
diff --git a/compose/services.yml b/compose/services.yml
@@ -134,6 +134,10 @@ services:
       SENTRY_DSN: 
       VPN_HAPROXY_USEPROXYPROTOCOL: 'true'
       VPN_SERVICE_API_KEY: ${OPENBALENA_VPN_SERVICE_API_KEY}
+      VPN_OPENVPN_CA_CRT: ${OPENBALENA_VPN_CA}
+      VPN_OPENVPN_SERVER_CRT: ${OPENBALENA_VPN_SERVER_CRT}
+      VPN_OPENVPN_SERVER_KEY: ${OPENBALENA_VPN_SERVER_KEY}
+      VPN_OPENVPN_SERVER_DH: ${OPENBALENA_VPN_SERVER_DH}
       # FIXME: remove all of the following
       API_SERVICE_API_KEY: __unused__
       PROXY_SERVICE_API_KEY: __unused__5
@@ -176,6 +180,8 @@ services:
           - img.${OPENBALENA_HOST_NAME}
     environment:
       BALENA_ROOT_CA: ${OPENBALENA_ROOT_CA}
+      BALENA_HAPROXY_CRT: ${OPENBALENA_ROOT_CRT}
+      BALENA_HAPROXY_KEY: ${OPENBALENA_ROOT_KEY}
       HAPROXY_HOSTNAME: ${OPENBALENA_HOST_NAME}
 
 # FIXME: remove the following

diff --git a/haproxy/entry.sh b/haproxy/entry.sh
@@ -1,9 +1,10 @@
-#!/bin/sh
+#!/bin/bash -eu
 
-CA_B64="$BALENA_ROOT_CA"
-CA_FILE=/etc/ssl/private/root.chain.pem
-
-mkdir -p $(dirname "$CA_FILE")
-echo "$CA_B64" | base64 -d >"$CA_FILE"
-
-exec haproxy -f /usr/local/etc/haproxy/haproxy.cfg
+HAPROXY_CHAIN=/etc/ssl/private/open-balena.pem
+mkdir -p "$(dirname "${HAPROXY_CHAIN}")"
+(
+    echo "${BALENA_HAPROXY_CRT}" | base64 -d
+    echo "${BALENA_HAPROXY_KEY}" | base64 -d
+    echo "${BALENA_ROOT_CA}" | base64 -d
+) > "${HAPROXY_CHAIN}"
+exec haproxy -f /usr/local/etc/haproxy/haproxy.cfg
diff --git a/haproxy/haproxy.cfg b/haproxy/haproxy.cfg
@@ -47,7 +47,7 @@ backend redirect-to-https-in
 frontend https-in
   mode http
   option forwardfor
-  bind 127.0.0.1:444 ssl crt /etc/ssl/private/root.chain.pem accept-proxy
+  bind 127.0.0.1:444 ssl crt /etc/ssl/private/open-balena.pem accept-proxy
   reqadd X-Forwarded-Proto:\ https
 
   acl host_api hdr_dom(host) -i "api.${HAPROXY_HOSTNAME}"

diff --git a/scripts/_keyid.js b/scripts/_keyid.js
diff --git a/scripts/gen-root-ca b/scripts/gen-root-ca
@@ -0,0 +1,32 @@
+#!/bin/bash -eu
+
+usage() {
+  echo "usage: $0 COMMON_NAME [OUT]"
+  echo
+  echo "  COMMON_NAME   the domain name the certificate is valid for, eg. example.com"
+  echo "  OUT         path to output directory generated files will be placed in"
+  echo
+}
+
+if [ -z "$1" ]; then
+  usage
+  exit 1
+fi
+
+CMD="$(realpath "$0")"
+DIR="$(dirname "${CMD}")"
+
+CN="$1"
+OUT="$(realpath "${2:-.}")"
+
+source "${DIR}/ssl-common.sh"
+
+# Create a secret key and CA file for the self-signed CA
+"$easyrsa_bin" --pki-dir="${ROOT_PKI}" init-pki 2>/dev/null
+"$easyrsa_bin" --pki-dir="${ROOT_PKI}" --days="${CA_EXPIRY_DAYS}" --req-cn="ca.${CN}" build-ca nopass 2>/dev/null
+ROOT_CA="${ROOT_PKI}/ca.crt"
+echo "ROOT_CA=${ROOT_CA//$OUT/\$OUT}"
+
+# update indexes and generate CRLs
+"$easyrsa_bin" --pki-dir="${ROOT_PKI}" update-db 2>/dev/null
+"$easyrsa_bin" --pki-dir="${ROOT_PKI}" gen-crl 2>/dev/null
diff --git a/scripts/gen-root-ca-cert b/scripts/gen-root-ca-cert
diff --git a/scripts/gen-root-cert b/scripts/gen-root-cert
@@ -0,0 +1,33 @@
+#!/bin/bash -eu
+
+usage() {
+  echo "usage: $0 COMMON_NAME [OUT]"
+  echo
+  echo "  COMMON_NAME   the domain name the certificate is valid for, eg. example.com"
+  echo "  OUT         path to output directory generated files will be placed in"
+  echo
+}
+
+if [ -z "$1" ]; then
+  usage
+  exit 1
+fi
+
+CMD="$(realpath "$0")"
+DIR="$(dirname "${CMD}")"
+
+CN="$1"
+OUT="$(realpath "${2:-.}")"
+
+source "${DIR}/ssl-common.sh"
+
+# generate default CSR and sign (root + wildcard)
+"$easyrsa_bin" --pki-dir="${ROOT_PKI}" --days="${CRT_EXPIRY_DAYS}" --subject-alt-name="DNS:${CN}" build-server-full "*.${CN}" nopass 2>/dev/null
+ROOT_CRT="${ROOT_PKI}"'/issued/*.'"${CN}"'.crt'
+ROOT_KEY="${ROOT_PKI}"'/private/*.'"${CN}"'.key'
+echo "ROOT_CRT=${ROOT_CRT//$OUT/\$OUT}"
+echo "ROOT_KEY=${ROOT_KEY//$OUT/\$OUT}"
+
+# update indexes and generate CRLs
+"$easyrsa_bin" --pki-dir="${ROOT_PKI}" update-db 2>/dev/null
+"$easyrsa_bin" --pki-dir="${ROOT_PKI}" gen-crl 2>/dev/null
diff --git a/scripts/gen-token-auth-cert b/scripts/gen-token-auth-cert
@@ -1,42 +1,42 @@
-#!/bin/sh
-
-set -e
-
-CMD=$0
-DIR=$(dirname "$CMD")
-
-CN=$1
-OUT=${2:-.}
-
-CERT_FILE="${OUT}/token-auth"
-EXPIRY_DAYS=730
+#!/bin/bash -eu
 
 usage() {
-  echo "usage: $0 HOST_NAME [OUT]"
+  echo "usage: $0 COMMON_NAME [OUT]"
   echo
-  echo "  HOST_NAME   the domain name the certificate is valid for, eg. example.com"
+  echo "  COMMON_NAME   the domain name the certificate is valid for, eg. example.com"
   echo "  OUT         path to output directory generated files will be placed in"
   echo
 }
 
-keyid() {
-  # FIXME: do this in bash or python, not node
-  nodejs "${DIR}/_keyid.js" "$1"
-}
-
-if [ -z "$CN" ]; then
+if [ -z "$1" ]; then
   usage
   exit 1
 fi
 
-openssl ecparam -name prime256v1 -genkey -noout -out "${CERT_FILE}.pem" 2>/dev/null
-openssl req -x509 -new -nodes -days "${EXPIRY_DAYS}" -key "${CERT_FILE}.pem" -subj "/CN=api.${CN}" -out "${CERT_FILE}.crt" 2>/dev/null
-openssl ec -in "${CERT_FILE}.pem" -pubout -outform DER -out "${CERT_FILE}".der 2>/dev/null
-keyid "${CERT_FILE}".der >"${CERT_FILE}".kid
+CMD="$(realpath "$0")"
+DIR="$(dirname "${CMD}")"
+
+CN="$1"
+OUT="$(realpath "${2:-.}")"
+
+source "${DIR}/ssl-common.sh"
+
+keyid() {
+  local sha256="$(openssl ec -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256 -binary)"
+  python -c "from base64 import b32encode as b32; import sys; s=b32(sys.argv[1][:30]); sys.stdout.write(':'.join([s[i:i+4] for i in range(0, len(s), 4)]))" "${sha256}"
+}
+
+# generate api CSR and sign
+"$easyrsa_bin" --pki-dir="${ROOT_PKI}" --days=730 --use-algo=ec --curve=prime256v1 build-server-full "api.${CN}" nopass 2>/dev/null
+JWT_CRT="${ROOT_PKI}/issued/api.${CN}.crt"
+JWT_KEY="${ROOT_PKI}/private/api.${CN}.key"
+echo "JWT_CRT=${JWT_CRT//$OUT/\$OUT}"
+echo "JWT_KEY=${JWT_KEY//$OUT/\$OUT}"
 
-# Cleanup
-rm "${CERT_FILE}.der"
+# update indexes and generate CRLs
+"$easyrsa_bin" --pki-dir="${ROOT_PKI}" update-db 2>/dev/null
+"$easyrsa_bin" --pki-dir="${ROOT_PKI}" gen-crl 2>/dev/null
 
-echo "PUB=${CERT_FILE}.crt"
-echo "KEY=${CERT_FILE}.pem"
-echo "KID=${CERT_FILE}.kid"
+# generate key ID
+JWT_KID="$(keyid "${JWT_CRT}")"
+echo "JWT_KID=${JWT_KID//$OUT/\$OUT}"
diff --git a/scripts/gen-vpn-certs b/scripts/gen-vpn-certs
@@ -0,0 +1,52 @@
+#!/bin/bash -eu
+
+usage() {
+  echo "usage: $0 COMMON_NAME [OUT]"
+  echo
+  echo "  COMMON_NAME   the domain name the certificate is valid for, eg. example.com"
+  echo "  OUT         path to output directory generated files will be placed in"
+  echo
+}
+
+if [ -z "$1" ]; then
+  usage
+  exit 1
+fi
+
+CMD="$(realpath "$0")"
+DIR="$(dirname "${CMD}")"
+
+CN="$1"
+OUT="$(realpath "${2:-.}")"
+
+source "${DIR}/ssl-common.sh"
+VPN_PKI="$(realpath "${OUT}/vpn")"
+
+# generate VPN sub-CA
+"$easyrsa_bin" --pki-dir="${VPN_PKI}" init-pki 2>/dev/null
+"$easyrsa_bin" --pki-dir="${VPN_PKI}" --days="${CA_EXPIRY_DAYS}" --req-cn="vpn-ca.${CN}" build-ca nopass subca 2>/dev/null
+
+# import sub-CA CSR into root PKI, sign, and copy back to vpn PKI
+"$easyrsa_bin" --pki-dir="${ROOT_PKI}" import-req "${VPN_PKI}/reqs/ca.req" "vpn-ca" 2>/dev/null
+"$easyrsa_bin" --pki-dir="${ROOT_PKI}" sign-req ca "vpn-ca" 2>/dev/null
+cp "${ROOT_PKI}/issued/vpn-ca.crt" "${VPN_PKI}/ca.crt"
+VPN_CA="${VPN_PKI}/ca.crt"
+echo "VPN_CA=${VPN_CA//$OUT/\$OUT}"
+
+# generate and sign vpn server certificate
+"$easyrsa_bin" --pki-dir="${VPN_PKI}" --days="${CRT_EXPIRY_DAYS}" build-server-full "vpn.${CN}" nopass 2>/dev/null
+VPN_CRT="${VPN_PKI}/issued/vpn.${CN}.crt"
+VPN_KEY="${VPN_PKI}/private/vpn.${CN}.key"
+echo "VPN_CRT=${VPN_CRT//$OUT/\$OUT}"
+echo "VPN_KEY=${VPN_KEY//$OUT/\$OUT}"
+
+# generate vpn dhparams
+"$easyrsa_bin" --pki-dir="${VPN_PKI}" gen-dh 2>/dev/null
+VPN_DH="${VPN_PKI}/dh.pem"
+echo "VPN_DH=${VPN_DH//$OUT/\$OUT}"
+
+# update indexes and generate CRLs
+"$easyrsa_bin" --pki-dir="${ROOT_PKI}" update-db 2>/dev/null
+"$easyrsa_bin" --pki-dir="${VPN_PKI}" update-db 2>/dev/null
+"$easyrsa_bin" --pki-dir="${ROOT_PKI}" gen-crl 2>/dev/null
+"$easyrsa_bin" --pki-dir="${VPN_PKI}" gen-crl 2>/dev/null