src/gen_certs.py generates certificates with no subjectKeyIdentifier #893

Closed
dmargery opened this issue Feb 22, 2016 · 3 comments

@dmargery
Contributor

They therefore cannot be used to run tests with speaks_for.

How to reproduce: run

    python src/gen-certs.py
    python src/gen-certs.py -u bob --notAll --exp
    python src/gcf/geni/util/speaksfor_util.py --tool_cert_file ~/.gcf/alice-cert.pem \
      --user_cert_file ~/.gcf/bob-cert.pem --user_key_file ~/.gcf/bob-key.pem \
      --trusted_roots_directory ~/.gcf/trusted_roots/ --create alice-speaksfor-bob-cred.xml \
      --user_urn urn:publicid:IDN+geni:gpo:gcf+user+bob --ma_cert_file ~/.gcf/ch-cert.pem

The last command will fail because bob and alice's certificates have no subjectKeyIdentifier in their x509 extensions.

@dmargery
Contributor Author

By the way, this is limiting my progress on #890

@tcmitchell
Member

I'm not 100% certain that the following procedure is a workaround for you, but perhaps you can try it and let us know. This is cobbled together from certificate handling in other related systems and should produce a valid "Alice" certificate. You could then mimic it to create a "Bob" certificate as well if needed.

You may need more than what this example provides. Maybe it will give you a leg up on creating that. If not, let's work together to develop the set of commands needed to get you the certificates you require.

This example assumes a user "alice" who has email address "[email protected]" and whose URN falls in the "example.com" domain.

  1. Create a temporary area to work in

    mkdir tmp
    cd tmp
    
  2. Create a root key and certificate

    openssl genrsa -out rootCA.key 2048
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
    
  3. Create a bare bones CA directory. This should match the default CA configuration file installed with openssl on your system

    mkdir demoCA
    mkdir demoCA/newcerts
    touch demoCA/index.txt
    echo 42 > demoCA/serial
    
  4. Create a certificate signing request for Alice

    /usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout alice-key.pem \
        -out alice-csr.pem -batch
    
  5. Create a file extfile.txt with some configuration info, using "v3_user" as the INI section name, contents as follows:

    [v3_user]
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer:always
    basicConstraints=CA:false
    subjectAltName=email:copy,URI:urn:publicid:IDN+example.com+user+alice
    
  6. Sign the CSR (step 4) using the root key/cert (steps 1&2), the extension file (step 5), specifying the "v3_user" extensions:

    /usr/bin/openssl ca -extfile extfile.txt -out alice.pem -in alice-csr.pem -extensions v3_user \
        -batch -notext -cert rootCA.pem -keyfile rootCA.key -days 1024 \
        -subj /CN=alice/[email protected] -policy policy_anything
    

This will create a file alice.pem with a user certificate that has the SubjectKeyIdentifier which you need. The gen_certs.py script is built on tools that cannot generate some of the fields that are required now in GENI certificates. They worked at one time, some years ago, but no longer. And the underlying tooling would be hard to update. So we switched the Clearinghouse over to use OpenSSL instead for the certificate generation. Those changes did not make it back into the geni-tools repository.
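As an added example (not code from this thread or from geni-tools), the procedure above as one script that also verifies the result by checking `openssl x509 -text` output for the extension. It signs with `openssl x509 -req` instead of `openssl ca`, so the demoCA directory of step 3 is not needed; it omits the `email:copy` entry because no address is given here, uses a 2048-bit user key, and assumes `openssl` is on PATH.

```shell
#!/bin/sh
# Added example, not code from the issue or from geni-tools: performs the
# root-CA + user-certificate procedure from the comment above and checks
# that the result actually carries subjectKeyIdentifier. Signs with
# `openssl x509 -req` instead of `openssl ca`, so no demoCA directory is needed.
set -e

# Return 0 when the certificate file $1 carries the X509v3 extension named
# in $2 (e.g. "Subject Key Identifier"), as printed by `openssl x509 -text`.
has_ext() {
    openssl x509 -in "$1" -noout -text | grep -q "X509v3 $2"
}

# Build rootCA.{key,pem} and <user>-{key,csr,cert}.pem inside directory $1.
# $2 = user name (default alice), $3 = URN domain (default example.com).
make_user_cert() {
    dir=$1; user=${2:-alice}; domain=${3:-example.com}
    mkdir -p "$dir"
    # Step 2: root key and self-signed root certificate
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 1024 \
        -subj "/CN=$domain root CA" -out "$dir/rootCA.pem"
    # Step 4: user key and certificate signing request
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$user-key.pem" \
        -subj "/CN=$user" -out "$dir/$user-csr.pem" 2>/dev/null
    # Step 5: extension file; subjectKeyIdentifier=hash is the part that
    # gen_certs.py output lacks and speaksfor_util.py needs
    cat > "$dir/extfile.txt" <<EOF
[v3_user]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:false
subjectAltName=URI:urn:publicid:IDN+$domain+user+$user
EOF
    # Step 6: sign the CSR with the root, applying the v3_user extensions
    openssl x509 -req -in "$dir/$user-csr.pem" -CA "$dir/rootCA.pem" \
        -CAkey "$dir/rootCA.key" -CAcreateserial -days 1024 -sha256 \
        -extfile "$dir/extfile.txt" -extensions v3_user \
        -out "$dir/$user-cert.pem" 2>/dev/null
    echo "$dir/$user-cert.pem"
}

# Usage: sh make-user-cert.sh <outdir> [user] [domain]
if [ $# -gt 0 ]; then
    cert=$(make_user_cert "$@")
    has_ext "$cert" "Subject Key Identifier" || { echo "no SKI in $cert" >&2; exit 1; }
    echo "OK: $cert carries subjectKeyIdentifier"
fi
```

Running it with no arguments only defines the functions; pass an output directory (and optionally a user and domain) to mint and check a certificate.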

@dmargery
Contributor Author

Thank you for the instructions.
