Alon Bar-Lev has uploaded a new change for review. Change subject: pki: support ovirt specific roles within certificate ......................................................................
pki: support ovirt specific roles within certificate having role within certificate will enable the receiver of signed data to confirm the identity of the signer per its designated role within the application. Change-Id: I32fe2e9ed95f27d75d08f4c8498e8a7b79fe1391 Signed-off-by: Alon Bar-Lev <alo...@redhat.com> --- M README.oid M packaging/bin/pki-enroll-pkcs12.sh M packaging/bin/pki-enroll-request.sh M packaging/pki/cert.template.in 4 files changed, 24 insertions(+), 4 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/30/36330/1 diff --git a/README.oid b/README.oid index d81882d..d551750 100644 --- a/README.oid +++ b/README.oid @@ -11,3 +11,6 @@ engine = .1 engine.notifier = .1.1 - see OVIRT-MIB +engine.x509 = .1.2 +engine.x509.extension = .1.2.1 +engine.x509.extension.ovirtRoles = .1.2.1.1 diff --git a/packaging/bin/pki-enroll-pkcs12.sh b/packaging/bin/pki-enroll-pkcs12.sh index 4a60cba..ab1477c 100755 --- a/packaging/bin/pki-enroll-pkcs12.sh +++ b/packaging/bin/pki-enroll-pkcs12.sh @@ -4,7 +4,8 @@ local name="$1" local pass="$2" local subj="$3" - local keep_key="$4" + local ovirt_roles="$4" + local keep_key="$5" local req="${PKIDIR}/requests/${name}.req" local cert="${PKIDIR}/certs/${name}.cer" @@ -45,6 +46,7 @@ "${BINDIR}/pki-enroll-request.sh" \ --name="${name}" \ --subject="${subj}" \ + --ovirt-roles="${ovirt_roles}" \ || die "Cannot sign request" touch "${pkcs12}" @@ -71,6 +73,7 @@ --name=prefix file name without prefix. --password=password password of PKCS#12. --subject=subject X.500 subject name. + --ovirt-roles=roles ovirt specific roles. --keep-key reissue certificate based on previous request. __EOF__ } @@ -83,6 +86,7 @@ } trap cleanup 0 +OVIRT_ROLES="" while [ -n "$1" ]; do x="$1" v="${x#*=}" @@ -96,6 +100,9 @@ ;; --subject=*) SUBJECT="${v}" + ;; + --ovirt-roles=*) + OVIRT_ROLES="${v}" ;; --keep-key) KEEP_KEY="1" 
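Review bot: `enroll` now takes five positional arguments with the new one inserted in fourth place, and nothing in the function states the order, so a caller that still passes `keep_key` fourth would silently have that flag stored as the roles string and lose its keep-key behaviour. The one call site visible here (the `enroll "${NAME}" …` hunk at the end of this file) is updated, but the contract should be written down, e.g. `# enroll name password subject ovirt_roles keep_key` placed before `local name="$1"`. The rest of enroll's body lies outside this hunk.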
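Review bot: The usage line `--ovirt-roles=roles ovirt specific roles.` does not say what form the value takes or that it is stored as-is in the issued certificate, which is exactly what a relying party will later parse and trust; the identical line is added to pki-enroll-request.sh's usage text, so the wording should be fixed in both. Suggest `--ovirt-roles=roles ovirt specific roles, stored as-is in the certificate (see README.oid, engine.x509.extension.ovirtRoles).`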
@@ -115,4 +122,4 @@ [ -n "${PASSWORD}" ] || die "Please specify password" [ -n "${SUBJECT}" ] || die "Please specify subject" -enroll "${NAME}" "${PASSWORD}" "${SUBJECT}" "${KEEP_KEY}" +enroll "${NAME}" "${PASSWORD}" "${SUBJECT}" "${OVIRT_ROLES}" "${KEEP_KEY}" diff --git a/packaging/bin/pki-enroll-request.sh b/packaging/bin/pki-enroll-request.sh index 5fcad49..8ee8313 100755 --- a/packaging/bin/pki-enroll-request.sh +++ b/packaging/bin/pki-enroll-request.sh @@ -4,6 +4,7 @@ local name="$1" local subject="$2" local days="$3" + local ovirt_roles="$4" local req="requests/${name}.req" local cert="certs/${name}.cer" @@ -14,7 +15,7 @@ if openssl x509 -text -in ca.pem | grep "Subject Key Identifier" > /dev/null; then EXTRA_COMMAND="-extfile cert.conf -extensions v3_ca" fi - openssl ca \ + OVIRT_ROLES="${ovirt_roles}" openssl ca \ -batch \ -policy policy_match \ -config openssl.conf \ @@ -42,6 +43,7 @@ --name=prefix file name. --subject=subject X.500 subject name. --days=n issue days. + --ovirt-roles=roles ovirt specific roles. --timeout=n lock timeout, default=20 __EOF__ } @@ -55,6 +57,7 @@ TIMEOUT="20" DAYS="1800" +OVIRT_ROLES="" while [ -n "$1" ]; do x="$1" v="${x#*=}" @@ -68,6 +71,9 @@ ;; --days=*) DAYS="${v}" + ;; + --ovirt-roles=*) + OVIRT_ROLES="${v}" ;; --timeout=*) TIMEOUT="${v}" @@ -124,7 +130,7 @@ ( flock -e -w "${TIMEOUT}" 9 || die "Timeout waiting for lock. Giving up" cd "${PKIDIR}" - sign "${NAME}" "${SUBJECT}" "${DAYS}" + sign "${NAME}" "${SUBJECT}" "${DAYS}" "${OVIRT_ROLES}" ) 9< "${LOCK}" result=$? diff --git a/packaging/pki/cert.template.in b/packaging/pki/cert.template.in index 260203f..11f1bcb 100644 --- a/packaging/pki/cert.template.in +++ b/packaging/pki/cert.template.in 
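Review bot: The roles handed over with `OVIRT_ROLES="${ovirt_roles}" openssl ca` can only land in the certificate when the extension file is used, and the `if` just above sets `EXTRA_COMMAND="-extfile cert.conf -extensions v3_ca"` solely when ca.pem carries a Subject Key Identifier; on a CA without one the requested roles are presumably dropped with no error while the caller assumes they were embedded (EXTRA_COMMAND is consumed beyond the hunk, so this is inferred). Since the receiver is meant to base authorization on this field, a silently missing role is worse than a failed enrollment; consider `if [ -n "${ovirt_roles}" ] && [ -z "${EXTRA_COMMAND}" ]; then die "Cannot embed ovirt roles: CA certificate has no Subject Key Identifier"; fi` before the openssl call. sign's body starts and ends outside this hunk.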
@@ -19,4 +19,8 @@ keyUsage = critical,digitalSignature,keyEncipherment extendedKeyUsage = critical,serverAuth,clientAuth +# leading space is required due to openssl bug +# nothing will be added otherwise if only env +1.3.6.1.4.1.2312.13.1.2.1.1 = ASN1:UTF8: ${ENV::OVIRT_ROLES} + [req_distinguished_name] -- To view, visit http://gerrit.ovirt.org/36330 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I32fe2e9ed95f27d75d08f4c8498e8a7b79fe1391 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Alon Bar-Lev <alo...@redhat.com> _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
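Review bot: The new extension line makes `OVIRT_ROLES` a hard requirement of this configuration, because openssl refuses to load a config whose `${ENV::…}` reference is unset; the updated `sign` path sets it on the `openssl ca` command line, but any other invocation that loads the generated config (none is visible here) will now fail at config parse. Because the line is unconditional, every certificate issued from this template also carries the extension even when no roles were requested, with whatever value the leading-space workaround produces for an empty variable, so verifiers must treat an absent, empty or whitespace-only value as "no role" and never infer a role from the extension's mere presence (leaving it non-critical is the right call). The two-line comment is hard to follow; suggest `# The leading space before ${ENV::OVIRT_ROLES} is intentional: when the value is only the env reference, openssl (bug) adds nothing at all without it.` plus `# ovirtRoles extension; see README.oid (engine.x509.extension.ovirtRoles)` so the hard-coded OID can be traced.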