From patchwork Tue Jul 31 21:08:52 2018
X-Patchwork-Submitter: Qiuyu Xiao
X-Patchwork-Id: 951832
From: Qiuyu Xiao
To: ovs-dev@openvswitch.org
Date: Tue, 31 Jul 2018 14:08:52 -0700
Message-Id: <20180731210854.31682-8-qiuyu.xiao.qyx@gmail.com>
X-Mailer: git-send-email 2.18.0
In-Reply-To: <20180731210854.31682-1-qiuyu.xiao.qyx@gmail.com>
References: <20180731210854.31682-1-qiuyu.xiao.qyx@gmail.com>
Subject: [ovs-dev] [PATCH v4 7/9] ovs-pki: generate x.509 v3 certificate

This patch modifies ovs-pki to generate x.509 version 3 certificates. Compared with the x.509 v1 certificates generated by ovs-pki, a version 3 certificate adds a subjectAltName field and sets its value to the same as the common name (CN). The main reason for this change is to enable the strongSwan IKE daemon to extract the certificate identity string from the subjectAltName field, which makes the OVN IPsec implementation easier.

Signed-off-by: Qiuyu Xiao
---
NEWS | 3 +++
utilities/ovs-pki.in | 25 +++++++++++++++++++++----
2 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/NEWS b/NEWS index f05a6e976..27ef12d59 100644 --- a/NEWS +++ b/NEWS @@ -59,6 +59,9 @@ v2.10.0 - xx xxx xxxx both kernel datapath and userspace datapath. * Added port-based and flow-based ERSPAN tunnel port support, added OpenFlow rules matching ERSPAN fields. See ovs-fields(7). + - ovs-pki + * ovs-pki now generates x.509 version 3 certificate. The new format adds + subjectAltName field and sets its value the same as common name (CN). v2.9.0 - 19 Feb 2018 -------------------- 
diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in index 4f6941865..e0ba910f9 100755 --- a/utilities/ovs-pki.in +++ b/utilities/ovs-pki.in @@ -284,7 +284,7 @@ policy = policy # default policy email_in_dn = no # Don't add the email into cert DN name_opt = ca_default # Subject name display option cert_opt = ca_default # Certificate display option -copy_extensions = none # Don't copy extensions from request +copy_extensions = copy # Copy extensions from request unique_subject = no # Allow certs with duplicate subjects # For the CA policy @@ -295,6 +295,13 @@ organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional + +# For the x509v3 extension +[ ca_cert ] +basicConstraints=CA:true + +[ usr_cert ] +basicConstraints=CA:false EOF fi @@ -307,7 +314,8 @@ EOF openssl req -config ca.cnf -nodes \ -newkey $newkey -keyout private/cakey.pem -out careq.pem \ 1>&3 2>&3 - openssl ca -config ca.cnf -create_serial -out cacert.pem \ + openssl ca -config ca.cnf -create_serial \ + -extensions ca_cert -out cacert.pem \ -days 3650 -batch -keyfile private/cakey.pem -selfsign \ -infiles careq.pem 1>&3 2>&3 chmod 0700 private/cakey.pem @@ -445,6 +453,7 @@ make_request() { [ req ] prompt = no distinguished_name = req_distinguished_name +req_extensions = v3_req [ req_distinguished_name ] C = US @@ -453,6 +462,9 @@ L = Palo Alto O = Open vSwitch OU = Open vSwitch certifier CN = $cn + +[ v3_req ] +subjectAltName = DNS:$cn EOF if test $keytype = rsa; then (umask 077 && openssl genrsa -out "$1-privkey.pem" $bits) 1>&3 2>&3 \ @@ -481,7 +493,7 @@ sign_request() { esac (cd "$pkidir/${type}ca" && - openssl ca -config ca.cnf -batch -in "$request_file") \ + openssl ca -config ca.cnf -extensions usr_cert -batch -in "$request_file") \ > "$2.tmp$$" 2>&3 mv "$2.tmp$$" "$2" } 
@@ -529,11 +541,16 @@ elif test "$command" = self-sign; then must_exist "$arg1-req.pem" must_exist "$arg1-privkey.pem" must_not_exist "$arg1-cert.pem" + make_tmpdir + cat > "$TMP/v3.ext" <&3 || exit $? + -signkey "$arg1-privkey.pem" -req -days 3650 -text \ + -extfile $TMP/v3.ext) 2>&3 || exit $? # Reset the permissions on the certificate to the user's default. cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem"
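Review bot: the NEWS entry has two grammar slips; suggest "ovs-pki now generates x.509 version 3 certificates. The new format adds a subjectAltName field and sets its value to the common name (CN)."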
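Review bot: changing `copy_extensions = none` to `copy_extensions = copy` in ca.cnf widens what the CA will honour from a request well beyond the subjectAltName this series needs, and `sign-req` signs request files handed in by the caller. OpenSSL's `copy` keeps a config-section value over a request value for the same extension, so the `basicConstraints=CA:false` pinned in `[ usr_cert ]` cannot be overridden from a CSR, but keyUsage, extendedKeyUsage or additional subjectAltName entries present in a request are copied into the signed certificate unchanged. Suggest pinning `keyUsage` and `extendedKeyUsage` in `[ usr_cert ]` as well, or documenting in the ovs-pki manpage that `sign-req` must only be given trusted requests.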
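Review bot: the new `[ ca_cert ]` and `[ usr_cert ]` sections carry only basicConstraints. RFC 5280 requires basicConstraints to be marked critical in CA certificates, and a CA certificate normally also restricts keyUsage; suggest `basicConstraints = critical,CA:true` and `keyUsage = critical,keyCertSign,cRLSign` under `[ ca_cert ]`, plus `subjectKeyIdentifier = hash` and `authorityKeyIdentifier = keyid,issuer` in both sections so that chain building does not rely on subject/issuer name matching alone.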
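Review bot: `subjectAltName = DNS:$cn` in the `[ v3_req ]` section expands the command-line name straight into the request config. OpenSSL parses that value as a comma-separated list, so a name containing a comma produces extra SAN entries, and the `DNS:` type is asserted whether or not `$cn` is actually a host name. Worth validating `$cn` in make_request before the heredoc is written, or stating in the manpage what form the name is expected to take.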
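Review bot: in the self-sign branch `-extfile $TMP/v3.ext` is unquoted while the `cat > "$TMP/v3.ext"` line above it quotes the same path; suggest `-extfile "$TMP/v3.ext"` since the temporary directory location comes from the environment. Since the self-signed certificate now takes its v3 extensions from that ext file rather than from ca.cnf, it is worth checking the result with `openssl x509 -in "$arg1-cert.pem" -text -noout` to confirm it carries the same subjectAltName as a CA-signed certificate.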