Remove CA key password from cert setup

Password protection in the current implementation is not actually
applied despite the presence of the ca_password config
option. Password protection is of marginal benefit because the
password must be stored in a file using the same protections afforded
to the key file. Password protection currently is not utilized with
externally provided keys.

Remove the ca_password config option and remove the use of the various
password-related options to the OpenSSL commands whose net effect was
not actually accomplishing anything.

See the bug report for a thorough description of the issues.

Change-Id: Iaeb97f2338c4d3c6e770b410dee8f1b62778b561
Fixes: Bug #1214016
John Dennis 2013-09-06 13:38:02 -04:00
parent 1ecae3b13d
commit baa57f3efa
4 changed files with 3 additions and 11 deletions


@ -329,7 +329,6 @@ The values that specify where to read the certificates are under the
* ``ca_key`` - Default is ``/etc/keystone/ssl/certs/cakey.pem``
* ``key_size`` - Default is ``2048``
* ``valid_days`` - Default is ``3650``
* ``ca_password`` - Password required to read the ca_file. Default is None
Signing Certificate Issued by External CA
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@ -342,7 +341,7 @@ the following conditions:
* private key files must not be protected by a password
When using signing certificate issued by an external CA, you do not need to
specify ``key_size``, ``valid_days``, ``ca_key`` and ``ca_password`` as they
specify ``key_size``, ``valid_days`` and ``ca_key`` as they
will be ignored.
The basic workflow for using a signing certificate issed by an external CA involves:
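Review bot: the context line directly below the edited sentence carries a typo, "issed" for "issued"; since this paragraph is already being touched, fixing it in the same hunk avoids a follow-up doc-only change.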
@ -576,7 +575,6 @@ When generating SSL certificates the following values are read
* ``key_size``: Key size to create. Defaults to 1024.
* ``valid_days``: How long the certificate is valid for. Defaults to 3650 (10 years).
* ``ca_key``: The private key for the CA. Defaults to ``/etc/keystone/ssl/certs/cakey.pem``.
* ``ca_password``: The password for the CA private key. Defaults to None.
* ``cert_subject``: The subject to set in the certificate. Defaults to /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost. When setting the subject it is important to set CN to be the address of the server so client validation will succeed. This generally means having the subject be at least /CN=<keystone ip>
Generating SSL certificates


@ -245,7 +245,6 @@
#ca_key = /etc/keystone/pki/private/cakey.pem
#key_size = 1024
#valid_days = 3650
#ca_password = None
#cert_required = False
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
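Review bot: dropping the commented `#ca_password = None` sample is fine, but deployments that set `ca_password` in a live keystone.conf will have the option silently ignored once it is removed from the registered options, with no warning in the logs. Suggest a release/upgrade note stating that the option is gone and that CA and signing keys must be unencrypted, so operators do not assume their key is still password protected.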
@ -260,7 +259,6 @@
#ca_key = /etc/keystone/pki/private/cakey.pem
#key_size = 2048
#valid_days = 3650
#ca_password = None
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
[ldap]


@ -106,7 +106,6 @@ FILE_OPTIONS = {
cfg.BoolOpt('cert_required', default=False),
cfg.IntOpt('key_size', default=1024),
cfg.IntOpt('valid_days', default=3650),
cfg.StrOpt('ca_password', default=None),
cfg.StrOpt('cert_subject',
default='/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost')],
'signing': [
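Review bot: unrelated to the removal itself, but the adjacent `cfg.IntOpt('key_size', default=1024)` in this group is a weak default for an RSA key generated by the server; the signing group two hunks below already uses 2048. Worth a follow-up change to align both on 2048, since the `[ssl]` docs above also advertise 1024.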
@ -121,7 +120,6 @@ FILE_OPTIONS = {
default="/etc/keystone/ssl/certs/cakey.pem"),
cfg.IntOpt('key_size', default=2048),
cfg.IntOpt('valid_days', default=3650),
cfg.StrOpt('ca_password', default=None),
cfg.StrOpt('cert_subject',
default=('/C=US/ST=Unset/L=Unset/O=Unset/'
'CN=www.example.com'))],


@ -58,8 +58,7 @@ class BaseCertificateConfigure(object):
'signing_cert': conf_obj.certfile,
'key_size': int(conf_obj.key_size),
'valid_days': int(conf_obj.valid_days),
'cert_subject': conf_obj.cert_subject,
'ca_password': conf_obj.ca_password}
'cert_subject': conf_obj.cert_subject}
try:
# OpenSSL 1.0 and newer support default_md = default, olders do not
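Review bot: once `'ca_password'` leaves this dictionary, any remaining `%(ca_password)s` placeholder in an `exec_command` format string will raise `KeyError` at runtime rather than at import time. Please grep the module for `ca_password` (the `openssl ca` signing invocation in particular) to confirm every use is removed in this commit, not just the `-passin` in the CA request below.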
@ -133,7 +132,6 @@ class BaseCertificateConfigure(object):
group=self.use_keystone_group, log=LOG)
if not file_exists(ca_cert):
self.exec_command('openssl req -new -x509 -extensions v3_ca '
'-passin pass:%(ca_password)s '
'-key %(ca_private_key)s -out %(ca_cert)s '
'-days %(valid_days)d '
'-config %(ssl_config)s '
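Review bot: with `-passin` gone, an encrypted CA key would make `openssl req` prompt on the terminal and `exec_command` would block without a useful error. The docs in this commit already require unencrypted keys for the external-CA case, so consider failing fast with a clear message if `ca_private_key` is password protected (for example by checking the PEM header for `ENCRYPTED` before invoking openssl) rather than relying on a hung subprocess to surface the misconfiguration.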
@ -165,7 +163,7 @@ class BaseCertificateConfigure(object):
user=self.use_keystone_user,
group=self.use_keystone_group, log=LOG)
if not file_exists(signing_cert):
self.exec_command('openssl req -key %(signing_key)s -new -nodes '
self.exec_command('openssl req -key %(signing_key)s -new '
'-out %(request_file)s -config %(ssl_config)s '
'-subj %(cert_subject)s')
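Review bot: removing `-nodes` here is behaviour-neutral only because `-key %(signing_key)s` is supplied, so `req` reads an existing key and never writes one that `-nodes` could leave unencrypted. A short comment above the command recording that assumption would stop a future change that switches to `-newkey` from silently producing an encrypted key and an interactive passphrase prompt.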