Add check for sha1 CA certificate
Signed-off-by: Eric D. Helms <[email protected]>
ehelms committed Nov 26, 2024
1 parent 7c2b542 commit 85380ae
Showing 7 changed files with 140 additions and 0 deletions.
11 changes: 11 additions & 0 deletions bin/katello-certs-check
Original file line number Diff line number Diff line change
Expand Up @@ -249,6 +249,16 @@ function check-shortname () {
fi
}

function check-ca-signing-algorithm () {
printf "Checking CA signing algorithm for sha1: "
CHECK=$(openssl x509 -noout -text -in $CA_BUNDLE_FILE | grep 'Signature Algorithm: sha1WithRSAEncryption')
if [[ $? == "0" ]]; then
error 4 "The server CA certificate has been signed with sha1 and will break installation."
else
success
fi
}

check-files-exist
check-server-cert-encoding
check-expiration
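Review bot: in `check-ca-signing-algorithm` the `CHECK=$(...)` variable is assigned but never read, and the pattern `sha1WithRSAEncryption` only catches RSA; an ECDSA or DSA CA signed with SHA-1 (`ecdsa-with-SHA1`, `dsaWithSHA1`) passes the check. Dropping the variable and matching case-insensitively on the algorithm line is both simpler and broader, e.g. `if openssl x509 -noout -text -in "$CA_BUNDLE_FILE" | grep -qi 'Signature Algorithm: .*sha1'; then` (also quoting `$CA_BUNDLE_FILE`, which is unquoted here). Note too that `openssl x509 -in` parses only the first certificate in the file, so when `$CA_BUNDLE_FILE` is an actual bundle, any intermediate CA further down that is SHA-1 signed is not inspected; if that matters, iterate over the PEM blocks before checking each one.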
Expand All @@ -261,6 +271,7 @@ check-ca-bundle-trust-rules
check-cert-san
check-cert-usage-key-encipherment
check-shortname
check-ca-signing-algorithm

if [[ $EXIT_CODE == "0" ]] && ([[ $TARGET == ${SERVER_TARGET} ]] || [[ -z "$TARGET" ]]) ; then
echo -e "${GREEN}Validation succeeded${RESET}\n"
19 changes: 19 additions & 0 deletions spec/fixtures/katello-certs-check/certs/ca-sha1.crt
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
28 changes: 28 additions & 0 deletions spec/fixtures/katello-certs-check/certs/ca-sha1.key
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
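Review bot: committing the generated `ca-sha1.key` and `ca-sha1.crt` alongside `create_cert.sh`, which in this same commit regenerates both when they are missing, means the generation branch of the script is never exercised by the suite and the committed fixtures will need regenerating by hand once the 3650-day validity the script sets runs out. Either commit only the generator and let the spec setup run it, or add a comment in the fixtures directory stating that these files are test-only material produced by `create_cert.sh` so nobody mistakes the private key for anything sensitive.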
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
19 changes: 19 additions & 0 deletions spec/fixtures/katello-certs-check/create_cert.sh
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,25 @@ else
echo "CA certificate bundle with trust rules exists. Skipping."
fi

CA_SHA1_CERT_NAME=ca-sha1
if [[ ! -f "$CERTS_DIR/$CA_SHA1_CERT_NAME.key" || ! -f "$CERTS_DIR/$CA_SHA1_CERT_NAME.crt" ]]; then
echo "Generate CA with sha1 signing algorithm"
openssl genrsa -out $CERTS_DIR/$CA_SHA1_CERT_NAME.key 2048
openssl req -x509 -new -nodes -key $CERTS_DIR/$CA_SHA1_CERT_NAME.key -sha1 -days 3650 -out $CERTS_DIR/$CA_SHA1_CERT_NAME.crt -subj "/CN=Test Self-Signed CA"
else
echo "CA certificate exists. Skipping."
fi

CERT_NAME=foreman-sha1.example.com
if [[ ! -f "$CERTS_DIR/$CERT_NAME.key" || ! -f "$CERTS_DIR/$CERT_NAME.crt" ]]; then
echo "Generate server certificate"
openssl genrsa -out $CERTS_DIR/$CERT_NAME.key 2048
openssl req -new -key $CERTS_DIR/$CERT_NAME.key -out $CERTS_DIR/$CERT_NAME.csr -subj "/CN=foreman.example.com"
openssl x509 -req -in $CERTS_DIR/$CERT_NAME.csr -CA $CERTS_DIR/$CA_SHA1_CERT_NAME.crt -CAkey $CERTS_DIR/$CA_SHA1_CERT_NAME.key -CAcreateserial -out $CERTS_DIR/$CERT_NAME.crt -days 3650 -sha256 -extfile extensions.txt -extensions extensions
else
echo "Server certificate with bad SAN exists. Skipping."
fi

CERT_NAME=foreman-bad-san.example.com
if [[ ! -f "$CERTS_DIR/$CERT_NAME.key" || ! -f "$CERTS_DIR/$CERT_NAME.crt" ]]; then
echo "Generate server certificate"
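Review bot: the `else` branch of the new `foreman-sha1.example.com` block prints `"Server certificate with bad SAN exists. Skipping."`, which was copied from the bad-SAN block below and is misleading for this certificate; it should read something like `"Server certificate signed by sha1 CA exists. Skipping."`. The `openssl req -x509 ... -sha1` call also depends on the host permitting SHA-1 signature creation: on systems whose crypto policy disables SHA-1 for signing (for example RHEL 9 with the DEFAULT policy), the command fails, so the generation path is not portable and the committed fixtures currently mask that. Worth a comment, or a guard that reports a clear error, at the point the `-sha1` certificate is created.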
15 changes: 15 additions & 0 deletions spec/katello_certs_check_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -123,4 +123,19 @@ def fixture(filename)
expect(status.exitstatus).to eq 10
end
end

context 'with sha1 server CA certificate' do
let(:key) { File.join(certs_directory, 'foreman-sha1.example.com.key') }
let(:cert) { File.join(certs_directory, 'foreman-sha1.example.com.crt') }
let(:ca) { File.join(certs_directory, 'ca-sha1.crt') }

it 'fails' do
command_with_certs = "#{command} -b #{ca} -k #{key} -c #{cert}"
_stdout, stderr, status = Open3.capture3(command_with_certs)
puts _stdout
puts stderr
expect(stderr).to include "The server CA certificate has been signed with sha1 and will break installation."
expect(status.exitstatus).to eq 4
end
end
end
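Review bot: the `puts _stdout` / `puts stderr` lines in the new `'fails'` example look like leftover debugging; they print the full command output on every run and the `_stdout` name signals the value is meant to be unused. Drop both `puts` lines (and rename to `stdout` if it is actually needed), leaving the `expect(stderr).to include ...` and `expect(status.exitstatus).to eq 4` assertions to carry the test.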

0 comments on commit 85380ae