From patchwork Mon Aug 6 18:04:37 2018
X-Patchwork-Submitter: Qiuyu Xiao
X-Patchwork-Id: 954132
From: Qiuyu Xiao
To: ovs-dev@openvswitch.org
Date: Mon, 6 Aug 2018 11:04:37 -0700
Message-Id: <20180806180439.16559-8-qiuyu.xiao.qyx@gmail.com>
In-Reply-To: <20180806180439.16559-1-qiuyu.xiao.qyx@gmail.com>
References: <20180806180439.16559-1-qiuyu.xiao.qyx@gmail.com>
Subject: [ovs-dev] [PATCH v5 7/9] ovs-pki: generate x.509 v3 certificate

This patch modifies ovs-pki to generate X.509 version 3 certificates. Compared with the X.509 v1 certificate generated by ovs-pki, the version 3 certificate adds a subjectAltName field and sets its value to the same as the common name (CN). The main reason for this change is to enable the strongSwan IKE daemon to extract the certificate identity string from the subjectAltName field, which makes the OVN IPsec implementation easier.

Signed-off-by: Qiuyu Xiao
---
 NEWS                 |  3 +++
 utilities/ovs-pki.in | 25 +++++++++++++++++++++----
 2 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/NEWS b/NEWS index f05a6e976..27ef12d59 100644 --- a/NEWS +++ b/NEWS @@ -59,6 +59,9 @@ v2.10.0 - xx xxx xxxx both kernel datapath and userspace datapath. * Added port-based and flow-based ERSPAN tunnel port support, added OpenFlow rules matching ERSPAN fields. See ovs-fields(7). + - ovs-pki + * ovs-pki now generates x.509 version 3 certificate. The new format adds + subjectAltName field and sets its value the same as common name (CN). v2.9.0 - 19 Feb 2018 --------------------
diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in index 4f6941865..e0ba910f9 100755 --- a/utilities/ovs-pki.in +++ b/utilities/ovs-pki.in @@ -284,7 +284,7 @@ policy = policy # default policy email_in_dn = no # Don't add the email into cert DN name_opt = ca_default # Subject name display option cert_opt = ca_default # Certificate display option -copy_extensions = none # Don't copy extensions from request +copy_extensions = copy # Copy extensions from request unique_subject = no # Allow certs with duplicate subjects # For the CA policy @@ -295,6 +295,13 @@ organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional + +# For the x509v3 extension +[ ca_cert ] +basicConstraints=CA:true + +[ usr_cert ] +basicConstraints=CA:false EOF fi @@ -307,7 +314,8 @@ EOF openssl req -config ca.cnf -nodes \ -newkey $newkey -keyout private/cakey.pem -out careq.pem \ 1>&3 2>&3 - openssl ca -config ca.cnf -create_serial -out cacert.pem \ + openssl ca -config ca.cnf -create_serial \ + -extensions ca_cert -out cacert.pem \ -days 3650 -batch -keyfile private/cakey.pem -selfsign \ -infiles careq.pem 1>&3 2>&3 chmod 0700 private/cakey.pem @@ -445,6 +453,7 @@ make_request() { [ req ] prompt = no distinguished_name = req_distinguished_name +req_extensions = v3_req [ req_distinguished_name ] C = US @@ -453,6 +462,9 @@ L = Palo Alto O = Open vSwitch OU = Open vSwitch certifier CN = $cn + +[ v3_req ] +subjectAltName = DNS:$cn EOF if test $keytype = rsa; then (umask 077 && openssl genrsa -out "$1-privkey.pem" $bits) 1>&3 2>&3 \ @@ -481,7 +493,7 @@ sign_request() { esac (cd "$pkidir/${type}ca" && - openssl ca -config ca.cnf -batch -in "$request_file") \ + openssl ca -config ca.cnf -extensions usr_cert -batch -in "$request_file") \ > "$2.tmp$$" 2>&3 mv "$2.tmp$$" "$2" } 
@@ -529,11 +541,16 @@ elif test "$command" = self-sign; then must_exist "$arg1-req.pem" must_exist "$arg1-privkey.pem" must_not_exist "$arg1-cert.pem" + make_tmpdir + cat > "$TMP/v3.ext" <&3 || exit $? + -signkey "$arg1-privkey.pem" -req -days 3650 -text \ + -extfile $TMP/v3.ext) 2>&3 || exit $? # Reset the permissions on the certificate to the user's default. cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem"
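Review bot: in the NEWS hunk, "generates x.509 version 3 certificate" should read "generates X.509 version 3 certificates", and the entry should say which SAN type is emitted, since relying parties match on the type and the ovs-pki.in hunk below writes `subjectAltName = DNS:$cn`. Suggested wording: "ovs-pki now generates X.509 version 3 certificates. The new format adds a subjectAltName extension carrying the common name (CN) as a DNS name."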
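Review bot: in the utilities/ovs-pki.in hunk at @@ -284,7, `copy_extensions = copy` tells `openssl ca` to copy every extension present in the request that the config does not already set, but the policy section in the next hunk only constrains DN fields (`organizationName = match`, `commonName = supplied`); nothing checks that a requester-supplied subjectAltName actually equals the CN the CA is vouching for, nor rejects other extensions (keyUsage, extendedKeyUsage, extra SAN entries) the requester chose to include. The openssl ca(1) manual explicitly warns that copy_extensions can be a security risk when requests are not checked carefully. Because `sign_request` passes `-extensions usr_cert`, which sets `basicConstraints=CA:false` from the config, a CSR cannot upgrade itself to a CA, so that specific case is covered; please state that reasoning in a comment next to the `copy_extensions` line, and consider having the CA side derive the SAN from the CN it already sees (for example via an `${ENV::...}` reference in the `usr_cert` section) instead of trusting the request's copy.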
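Review bot: in the hunk at @@ -295,6 that adds the `[ ca_cert ]` and `[ usr_cert ]` sections, basicConstraints on the CA certificate should be marked critical, as RFC 5280 section 4.2.1.9 requires for CA certificates: `basicConstraints = critical,CA:true`. While you are defining v3 extensions for the CA anyway, `keyUsage = critical, keyCertSign, cRLSign` plus `subjectKeyIdentifier = hash` in `ca_cert` and `authorityKeyIdentifier = keyid` in `usr_cert` would be worth adding; the key identifiers matter here because the same hunk keeps `unique_subject = no`, so chain building cannot rely on subject names alone once duplicate-subject certificates exist.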
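Review bot: in the make_request() hunks at @@ -445,6 and @@ -453,6, `subjectAltName = DNS:$cn` expands `$cn` unquoted into an OpenSSL config where multi-valued extensions are split on commas, so a CN containing a comma turns into extra SAN entries, and `DNS:` asserts that the value is a host name even though ovs-pki accepts arbitrary strings as the CN. Either validate `$cn` before writing the config (reject commas and whitespace at least) or document in ovs-pki(8) that the CN is emitted verbatim as a dNSName and must be a valid host name for strongSwan to match it.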
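Review bot: in the sign_request() hunk at @@ -481,7, the line `openssl ca -config ca.cnf -extensions usr_cert -batch -in "$request_file") \` looks like it now runs past 79 columns with the indentation shown; OVS coding style limits lines to 79 characters, so please wrap it with a backslash continuation after `-extensions usr_cert`.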
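Review bot: in the self-sign hunk at @@ -529,11, the heredoc that writes `$TMP/v3.ext` arrives truncated in this copy (`cat > "$TMP/v3.ext" <&3 || exit $?`), so the extensions the self-signed certificate receives cannot be reviewed; please re-send or confirm the body matches what `usr_cert` and `v3_req` produce for CA-signed certificates. Separately, `-extfile $TMP/v3.ext` is unquoted while `"$arg1-privkey.pem"` on the same command line is quoted; quote it as `"$TMP/v3.ext"` for consistency and so a temporary directory path with spaces does not break the command.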