Commit
Add a hook for populating the principal in rpcauth input (#351)
Many systems have the concept of an entity having an id and a set of groups, so the rpcauth input represents that in a first-class way. Until now, there was no method in this repo to populate the input. For multi-party-authentication, id and group will be an integral part so we'd benefit from having some way to represent them in tests for sansshell.

PeerPrincipalFromCertHook populates principal based on common name and organizational units in a cert. This is meant much more as an example of how principal can be populated and not as an endorsement of how it should be populated.

I've regenerated certs to have both fields. The upstream project we were using for generating certs has been deleted (a cached version lives on at https://pkg.go.dev/github.com/meterup/generate-cert) so I've switched to generating certs with openssl. This always feels a bit crufty to do but it has the benefit of using an extremely common tool that doesn't hide any of the details.

Part of #346

Co-authored-by: Edbert Linardi <[email protected]>
1 parent f8d2ce3, commit be9144e
Showing 9 changed files with 196 additions and 69 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
# mtls testdata | ||
|
||
This directory contains some test certificates. | ||
|
||
If you need to regenerate them, here's some helpful commands. Openssl | ||
|
||
## Generating private keys | ||
|
||
These commands will generate new private keys. | ||
|
||
```bash | ||
openssl genrsa -out client.key | ||
openssl genrsa -out leaf.key | ||
openssl genrsa -out root.key | ||
``` | ||
|
||
## Generating certificates | ||
|
||
These commands will generate new certificates. We need to generate certificate signing requests as part of generating certificates, but we can delete them afterwards. | ||
|
||
```bash | ||
# CA cert | ||
openssl req -new -key root.key -out root.csr -subj "/O=Acme Co" | ||
openssl x509 -req -days 30000 -in root.csr -signkey root.key -out root.pem | ||
|
||
# Cert for the client | ||
openssl req -new -key client.key -out client.csr -subj "/O=Acme Co/OU=group1/OU=group2/CN=sanssh" | ||
openssl x509 -req -days 3000 -in client.csr -CA root.pem -CAkey root.key -out client.pem -extensions req_ext -extfile /dev/stdin <<EOF | ||
[req_ext] | ||
keyUsage = critical, digitalSignature | ||
extendedKeyUsage = clientAuth | ||
basicConstraints = critical, CA:FALSE | ||
EOF | ||
|
||
# Cert for the server and/or proxy | ||
openssl req -new -key leaf.key -out leaf.csr -subj "/O=Acme Co/OU=group2/OU=group3/CN=sansshell-server" | ||
openssl x509 -req -days 3000 -in leaf.csr -CA root.pem -CAkey root.key -out leaf.pem -extensions req_ext -extfile /dev/stdin <<EOF | ||
[req_ext] | ||
keyUsage = critical, digitalSignature | ||
extendedKeyUsage = serverAuth | ||
basicConstraints = critical, CA:FALSE | ||
subjectAltName = @alt_names | ||
[alt_names] | ||
DNS.0 = localhost | ||
DNS.1 = bufnet | ||
IP.0 = 127.0.0.1 | ||
IP.1 = ::1 | ||
EOF | ||
|
||
# Cleanup | ||
rm root.csr client.csr leaf.csr | ||
``` | ||
|
||
## Viewing contents | ||
|
||
These commands will print out the information embedded in the certificates. | ||
|
||
```bash | ||
openssl x509 -in client.pem -text -noout | ||
openssl x509 -in leaf.pem -text -noout | ||
openssl x509 -in root.pem -text -noout | ||
``` |
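Review bot: the "Generating private keys" section (`openssl genrsa -out client.key` and friends) does not match the certificates this commit checks in: the cert hunks that follow carry the ecdsa-with-SHA256 and prime256v1 OIDs (the `KoZIzj0` runs in the base64), so the committed keys are EC P-256, and a reader following the README from scratch would produce RSA keys that no longer correspond to the fixtures. Either document the EC form, e.g. `openssl ecparam -name prime256v1 -genkey -noout -out client.key`, or state that the existing keys were kept and only the certificates were re-issued. Two smaller points: the sentence "If you need to regenerate them, here's some helpful commands. Openssl" is cut off after "Openssl"; and the root command (`openssl x509 -req -days 30000 -in root.csr -signkey root.key -out root.pem`) passes no extensions, so root.pem gets neither `basicConstraints = critical, CA:TRUE` nor `keyUsage = keyCertSign`, which some chain builders (Go's crypto/x509 among them) require on a v3 issuer; the same `-extfile /dev/stdin` pattern used for the leaf certificates would cover it.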
@@ -1,13 +1,13 @@ | ||
-----BEGIN CERTIFICATE----- | ||
MIIB8jCCAZigAwIBAgIQDeUXahxXBDJOji0oB9CR4zAKBggqhkjOPQQDAjBEMRAw | ||
DgYDVQQKEwdBY21lIENvMTAwLgYDVQQFEycxODMwMjA0MTkxMDE0MDc5MzAxNTAz | ||
MzM0MzkxMzAxMjY4Njk1NjcwIBcNMjIwODI1MTkzNTQ4WhgPMjEyMjA4MDExOTM1 | ||
NDhaMEMxEDAOBgNVBAoTB0FjbWUgQ28xLzAtBgNVBAUTJjE4NDY5NDc0ODI4MTg1 | ||
MjY5MDEzODkwMjkyNDAzNjMwMjgxMTg3MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD | ||
QgAE3eTKb2g1hn/F3DWvihN9hhEAIRqWxE6K/06zPCZpoVv4ueyz0Cs5Zs0GiP2L | ||
a7elGE96EMiiidskXASV8XvSQKNrMGkwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQM | ||
MAoGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwNAYDVR0RBC0wK4IJbG9jYWxob3N0 | ||
ggZidWZuZXSHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwCgYIKoZIzj0EAwIDSAAw | ||
RQIhAPRJYvA6qEaw51SzYMru4Afgr0kRSrbXzCwJvJYUeoYfAiAF+2ke82tpOimS | ||
4V05SsI6xQKwz3R+XsBxV+Xb0mlDdg== | ||
MIIB6DCCAY6gAwIBAgIUBHQ+cVYuTDKVbmtUYhFLhvoARkUwCgYIKoZIzj0EAwIw | ||
EjEQMA4GA1UECgwHQWNtZSBDbzAeFw0yMzEwMTIwNjQ0MTFaFw0zMTEyMjkwNjQ0 | ||
MTFaMEUxEDAOBgNVBAoMB0FjbWUgQ28xDzANBgNVBAsMBmdyb3VwMTEPMA0GA1UE | ||
CwwGZ3JvdXAyMQ8wDQYDVQQDDAZzYW5zc2gwWTATBgcqhkjOPQIBBggqhkjOPQMB | ||
BwNCAATd5MpvaDWGf8XcNa+KE32GEQAhGpbETor/TrM8JmmhW/i57LPQKzlmzQaI | ||
/Ytrt6UYT3oQyKKJ2yRcBJXxe9JAo4GOMIGLMA4GA1UdDwEB/wQEAwIHgDATBgNV | ||
HSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQUALNsaT3z | ||
hJowSYyL6oJuLiV4oTA3BgNVHSMEMDAuoRakFDASMRAwDgYDVQQKDAdBY21lIENv | ||
ghQZhnpcR3ezVjHJSdcE1sQJ85IaXTAKBggqhkjOPQQDAgNIADBFAiEA/Vld9pPP | ||
i97LoCs78GCccyRpS5obPU6us+CmlxBz5YQCIAcKM4GHk0iT8LJUDAAhxlI78DHT | ||
B26YBll73+XzPIQ8 | ||
-----END CERTIFICATE----- |
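Review bot: the replacement client certificate's validity window, decoded from the hunk, is 2023-10-12 to 2031-12-29 (the README's `-days 3000`), whereas the removed one ran to 2122-08-01; tests loading this fixture will start failing on that date unless the test clock is pinned, so either record the expiry in the README or give test fixtures the longer lifetime. The new subject is O=Acme Co, OU=group1, OU=group2, CN=sanssh, as the README's client command specifies, and the subjectAltName block the old certificate carried (localhost, bufnet, 127.0.0.1, ::1) is gone, which is fine for a clientAuth-only certificate. Because the subject carries two OU RDNs, the PeerPrincipalFromCertHook tests should assert that both groups end up in the principal, not just the first.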
@@ -1,13 +1,14 @@ | ||
-----BEGIN CERTIFICATE----- | ||
MIIB8zCCAZqgAwIBAgIRANyshotLwGS10UNSQnyNeQ0wCgYIKoZIzj0EAwIwRDEQ | ||
MA4GA1UEChMHQWNtZSBDbzEwMC4GA1UEBRMnMTgzMDIwNDE5MTAxNDA3OTMwMTUw | ||
MzMzNDM5MTMwMTI2ODY5NTY3MCAXDTIyMDgyNTE5MzU0OFoYDzIxMjIwODAxMTkz | ||
NTQ4WjBEMRAwDgYDVQQKEwdBY21lIENvMTAwLgYDVQQFEycyOTMzMjU5NjMwMTEz | ||
OTQ5MjYyODIwNzkzNzI3NDkzMTI5ODEyNjEwWTATBgcqhkjOPQIBBggqhkjOPQMB | ||
BwNCAARG7kHsuuB/ctK1/TWHmgmHA/yUasH9IGr13kjq8t1AuIFykHj/JO9CKs2V | ||
KpGDYlAjQrUJw0Mz97CnBeT6phLAo2swaTAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0l | ||
BAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADA0BgNVHREELTArgglsb2NhbGhv | ||
c3SCBmJ1Zm5ldIcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAATAKBggqhkjOPQQDAgNH | ||
ADBEAiAdD/JrMl4cXHVpOBG8XxkFl0pB4ZF0pjB+uDJef/NgDAIgGIbWI8FryVcH | ||
wCjTGsatA4v3P+wPFIQcF6KfBP8s4MQ= | ||
MIICKTCCAc6gAwIBAgIUWx3aT2/T11gDmxyCd3L+QD0Wg78wCgYIKoZIzj0EAwIw | ||
EjEQMA4GA1UECgwHQWNtZSBDbzAeFw0yMzEwMTIwNjQ0MTFaFw0zMTEyMjkwNjQ0 | ||
MTFaME8xEDAOBgNVBAoMB0FjbWUgQ28xDzANBgNVBAsMBmdyb3VwMjEPMA0GA1UE | ||
CwwGZ3JvdXAzMRkwFwYDVQQDDBBzYW5zc2hlbGwtc2VydmVyMFkwEwYHKoZIzj0C | ||
AQYIKoZIzj0DAQcDQgAERu5B7Lrgf3LStf01h5oJhwP8lGrB/SBq9d5I6vLdQLiB | ||
cpB4/yTvQirNlSqRg2JQI0K1CcNDM/ewpwXk+qYSwKOBxDCBwTAOBgNVHQ8BAf8E | ||
BAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADA0BgNVHREE | ||
LTArgglsb2NhbGhvc3SCBmJ1Zm5ldIcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAATAd | ||
BgNVHQ4EFgQUxoF5QgVDWLKmUDHAl42ksrMK8mowNwYDVR0jBDAwLqEWpBQwEjEQ | ||
MA4GA1UECgwHQWNtZSBDb4IUGYZ6XEd3s1YxyUnXBNbECfOSGl0wCgYIKoZIzj0E | ||
AwIDSQAwRgIhAIGxEm8/f2f7lQSVI5TzkISy3jSiOAzDhoqFj4BnMVODAiEAg8MM | ||
yrNmx+4Tloz7eDaYsPriIWWuRbFntRMjwte0uL4= | ||
-----END CERTIFICATE----- |
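Review bot: leaf.pem keeps `extendedKeyUsage = serverAuth` only, while the README labels it "Cert for the server and/or proxy"; if the proxy also presents this certificate when it dials a backend, that backend's mTLS verification will reject it, because Go's default client-certificate check requires the clientAuth EKU, so either add `clientAuth` to that line or document that with this fixture the proxy only ever acts as a TLS server. Validity and subject otherwise match the README command: 2023-10-12 to 2031-12-29, O=Acme Co, OU=group2, OU=group3, CN=sansshell-server, with the SAN entries localhost, bufnet, 127.0.0.1 and ::1 retained from the old certificate.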