Keep files that don't have private key information

For security reasons, system certificate-install deletes the
file passed as parameter after a successful installation.

It shows a warning describing what it is doing:
'WARNING: For security reasons, the original certificate,
containing the private key, will be removed,
once the private key is processed.'

The actual behaviour, however, is different than that. It is
deleting the file regardless of whether it contains the
private key information or not.

That is incorrect. If the file does not contain any private
key, such as ssl_ca or openstack_ca, it should not delete
the file.

This change fixes that: If the file has a private key, it deletes
it, otherwise it is kept.

Test cases:

PASSED: Verify that a software patch of this change works
fine with sw-patch cli

PASSED: Verify that files that contain a private key get
deleted after a successful installation, by installing a ssl
rest api certificate (-m ssl)

PASSED: Verify that files that contain a private key will be kept
if the installation fails, by testing with a bad file

PASSED: Verify that files that do not contain a private key
are kept after a successful installation, by installing a new
Trusted CA certificate (-m ssl_ca)

Closes-Bug: 1945818
Change-Id: Ie07548d3bb84dda4a1d9e2a365a28febc941663e
Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
Rei Oliveira 2021-10-01 14:41:57 -03:00 committed by Rei Oliveira
parent ce5d15b6f4
commit 53e32d0723
1 changed files with 23 additions and 4 deletions

@ -12,6 +12,14 @@ import os
from cgtsclient.common import utils
from cgtsclient import exc
import re
# matches all openssl supported key headers
PRIVATE_KEY_PATTERN = \
"-----BEGIN (\w{2,9} )?PRIVATE KEY-----" \
"(.|\n)*" \
"-----END (\w{2,9} )?PRIVATE KEY-----"
def _print_certificate_show(certificate):
fields = ['uuid', 'certtype', 'signature', 'start_date', 'expiry_date']
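
Review bot: PRIVATE_KEY_PATTERN is built from ordinary string literals, so the `\w` in the BEGIN and END lines is an invalid string escape that Python 3 reports with a DeprecationWarning; write them as raw strings, e.g. r"-----BEGIN (\w{2,9} )?PRIVATE KEY-----". The middle `(.|\n)*` is greedy and steps through the input one character at a time via an alternation group, which is slow on large files; `.*?` compiled with re.DOTALL, or matching only the BEGIN header, would be cheaper for a presence check.
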
@ -84,9 +92,19 @@ def do_certificate_install(cc, args):
data = {'passphrase': args.passphrase,
'mode': args.mode}
print("WARNING: For security reasons, the original certificate, ")
print("containing the private key, will be removed, ")
print("once the private key is processed.")
has_private_key = False
try:
with open(certificate_file, 'r') as reader:
file_contents = reader.read()
has_private_key = re.search(PRIVATE_KEY_PATTERN, file_contents)
except OSError:
raise exc.CommandError('Error: Could not read the '
'certificate %s' % certificate_file)
if has_private_key:
print("WARNING: For security reasons, the original certificate, ")
print("containing the private key, will be removed, ")
print("once the private key is processed.")
try:
response = cc.certificate.certificate_install(sec_file, data=data)
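
Review bot: the read at `with open(certificate_file, 'r') as reader:` is in text mode and only OSError is caught, so a file that is not valid text in the default encoding raises UnicodeDecodeError (a ValueError subclass) and surfaces as a traceback instead of the CommandError. Open the file with 'rb' and search with a bytes pattern, or catch the decode error as well. Also, has_private_key ends up holding a match object or None rather than a bool; wrapping the re.search call in bool() keeps the flag consistent with its `False` initial value.
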
@ -108,7 +126,8 @@ def do_certificate_install(cc, args):
print(error)
else:
try:
os.remove(certificate_file)
if has_private_key:
os.remove(certificate_file)
except OSError:
raise exc.CommandError('Error: Could not remove the '
'certificate %s' % certificate_file)
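
Review bot: at `if has_private_key:` in front of os.remove, the decision to keep the file rests entirely on the regex having matched, so a key the pattern does not recognise stays on disk without any message. Print a line when the file is kept so the operator knows the original was not removed, and consider adding a unit test for both branches, since the commit message lists only manual checks and a single changed file.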