From 7b752b5ff365aa95ca06d2e36a5f0104e9141d28 Mon Sep 17 00:00:00 2001
From: William Douglas
Date: Thu, 11 Jul 2024 03:02:07 -0700
Subject: [PATCH] Update cert generation process

With the latest urllib3 the CN match is no longer used for hostname verification and instead the use of subjectAltName is required. With openssl 3.3.1 this is needed to be handled with both an additional parameter when generating the cert/request and also some new configuration for the ssl.cnf. It is also necessary to have extensions copied so the SAN information is preserved down the cert chain.

Signed-off-by: William Douglas
---
 koji-setup/deploy-koji.sh | 20 +++++++++++++-------
 koji-setup/gencert.sh | 3 ++-
 koji-setup/parameters.sh | 2 ++
 3 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/koji-setup/deploy-koji.sh b/koji-setup/deploy-koji.sh
index 2a75d57..f87b617 100755
--- a/koji-setup/deploy-koji.sh
+++ b/koji-setup/deploy-koji.sh
@@ -44,6 +44,7 @@ default_crl_days = 30
 default_md = sha512
 preserve = no
 policy = policy_match
+copy_extensions = copy
 [policy_match]
 countryName = match
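Review bot: `copy_extensions = copy` lets `openssl ca` adopt whatever extensions a CSR carries, so the extension section this CA applies to issued certificates (the one named by `x509_extensions` in the `[ca]` section, outside this hunk) must pin `basicConstraints = CA:FALSE` and a keyUsage, otherwise a request could supply `CA:TRUE` itself. With `copy`, only extensions absent from that section are taken from the request, which is exactly what makes such a pin effective; please confirm the section sets them. A note in the generated ssl.cnf would keep that dependency visible: `# copy: CSR extensions not already set by the issuing section are adopted - keep basicConstraints = CA:FALSE there`. Today the CSRs come from gencert.sh in this repository, so the exposure is reuse of this CA configuration for other requests rather than the current flow.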
@@ -90,14 +91,19 @@ authorityKeyIdentifier = keyid,issuer:always
 [v3_ca]
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer:always
-basicConstraints = CA:true
+basicConstraints = CA:TRUE
+subjectAltName = @alternate_names
+
+[alternate_names]
+DNS.1 = $KOJI_MASTER_FQDN
+IP.1 = $KOJI_MASTER_IP
 EOF
 # Generate and trust CA
 touch "$KOJI_PKI_DIR"/index.txt
 echo 01 > "$KOJI_PKI_DIR"/serial
 openssl genrsa -out "$KOJI_PKI_DIR"/private/koji_ca_cert.key 2048
-openssl req -subj "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=koji_ca/CN=$KOJI_MASTER_FQDN" -config "$KOJI_PKI_DIR"/ssl.cnf -new -x509 -days 3650 -key "$KOJI_PKI_DIR"/private/koji_ca_cert.key -out "$KOJI_PKI_DIR"/koji_ca_cert.crt -extensions v3_ca
+openssl req -subj "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=koji_ca/CN=$KOJI_MASTER_FQDN" -addext "subjectAltName=DNS:$KOJI_MASTER_FQDN,IP:$KOJI_MASTER_IP" -config "$KOJI_PKI_DIR"/ssl.cnf -new -x509 -days 3650 -key "$KOJI_PKI_DIR"/private/koji_ca_cert.key -out "$KOJI_PKI_DIR"/koji_ca_cert.crt -extensions v3_ca
 mkdir -p /etc/ca-certs/trusted
 cp -a "$KOJI_PKI_DIR"/koji_ca_cert.crt /etc/ca-certs/trusted
 while true; do
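Review bot: The CA certificate now receives a subjectAltName from two places, `subjectAltName = @alternate_names` in `[v3_ca]` and the `-addext` argument on the same `openssl req -x509` call; hostname verification checks the SAN of the leaf certificate, so neither is needed on the CA, and handing openssl the same extension from the config section and `-addext` may be rejected as a duplicate (not verified here). Keep the SAN change to the leaf certificates issued through gencert.sh and drop both the `[alternate_names]` section and the `-addext "subjectAltName=..."` argument from this command, or at least keep only one of them. Separately, `IP.1 = $KOJI_MASTER_IP` is expanded at script time inside the unquoted heredoc, so an empty or multi-address value produces an invalid ssl.cnf entry; the value should be validated where it is set in parameters.sh.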
@@ -109,10 +115,10 @@ done
 # Generate the koji component certificates and the admin certificate and generate a PKCS12 user certificate (for web browser)
 cp "$SCRIPT_DIR"/gencert.sh "$KOJI_PKI_DIR"
 pushd "$KOJI_PKI_DIR"
-./gencert.sh kojiweb "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=kojiweb/CN=$KOJI_MASTER_FQDN"
-./gencert.sh kojihub "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=kojihub/CN=$KOJI_MASTER_FQDN"
-./gencert.sh kojiadmin "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=$ORG_UNIT/CN=kojiadmin"
-./gencert.sh kojira "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=$ORG_UNIT/CN=kojira"
+./gencert.sh kojiweb "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=kojiweb/CN=$KOJI_MASTER_FQDN" "subjectAltName=DNS:$KOJI_MASTER_FQDN,IP:$KOJI_MASTER_IP"
+./gencert.sh kojihub "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=kojihub/CN=$KOJI_MASTER_FQDN" "subjectAltName=DNS:$KOJI_MASTER_FQDN,IP:$KOJI_MASTER_IP"
+./gencert.sh kojiadmin "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=$ORG_UNIT/CN=kojiadmin" "subjectAltName=DNS:kojiadmin,IP:$KOJI_MASTER_IP"
+./gencert.sh kojira "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=$ORG_UNIT/CN=kojira" "subjectAltName=DNS:kojira,IP:$KOJI_MASTER_IP"
 popd
 # Copy certificates into ~/.koji for kojiadmin
@@ -326,7 +332,7 @@ sudo -u kojiadmin koji edit-host --capacity="$KOJID_CAPACITY" "$KOJI_SLAVE_FQDN"
 # Generate certificates
 pushd "$KOJI_PKI_DIR"
-./gencert.sh "$KOJI_SLAVE_FQDN" "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/CN=$KOJI_SLAVE_FQDN"
+./gencert.sh "$KOJI_SLAVE_FQDN" "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/CN=$KOJI_SLAVE_FQDN" "subjectAltName=DNS:$KOJI_SLAVE_FQDN,IP:$KOJI_SLAVE_IP"
 popd
 if [[ "$KOJI_SLAVE_FQDN" = "$KOJI_MASTER_FQDN" ]]; then
diff --git a/koji-setup/gencert.sh b/koji-setup/gencert.sh
index 9c6c896..ce185cb 100755
--- a/koji-setup/gencert.sh
+++ b/koji-setup/gencert.sh
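Review bot: The kojiadmin and kojira certificates are client credentials, yet the new third argument gives them `subjectAltName=DNS:kojiadmin,IP:$KOJI_MASTER_IP` and `subjectAltName=DNS:kojira,IP:$KOJI_MASTER_IP`; `kojiadmin` and `kojira` are not host names, and naming the hub's IP address in a user certificate makes that key pair validate as a server certificate for the hub's address unless the CA's issuing extension section restricts extendedKeyUsage, which this diff does not show. Only the kojiweb and kojihub lines need the hub's DNS name and IP; for kojiadmin and kojira drop the third argument entirely. That requires gencert.sh to pass `-addext` only when its third argument is non-empty, which the gencert.sh hunk below does not do.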
@@ -4,12 +4,13 @@ KOJI_USER="$1"
 CERT_SUBJECT="$2"
+CERT_EXT="$3"
 openssl genrsa -out private/"$KOJI_USER".key 2048
 if [ -z "$CERT_SUBJECT" ]; then
 openssl req -config ssl.cnf -new -nodes -out certs/"$KOJI_USER".csr -key private/"$KOJI_USER".key
 else
- openssl req -subj "$CERT_SUBJECT" -config ssl.cnf -new -nodes -out certs/"$KOJI_USER".csr -key private/"$KOJI_USER".key
+ openssl req -subj "$CERT_SUBJECT" -addext "$CERT_EXT" -config ssl.cnf -new -nodes -out certs/"$KOJI_USER".csr -key private/"$KOJI_USER".key
 fi
 openssl ca -batch -config ssl.cnf -keyfile private/koji_ca_cert.key -cert koji_ca_cert.crt -out certs/"$KOJI_USER".crt -outdir certs -infiles certs/"$KOJI_USER".csr
 cat certs/"$KOJI_USER".crt private/"$KOJI_USER".key > "$KOJI_USER".pem
diff --git a/koji-setup/parameters.sh b/koji-setup/parameters.sh
index e5ef4f6..f9eb420 100644
--- a/koji-setup/parameters.sh
+++ b/koji-setup/parameters.sh
@@ -6,7 +6,9 @@ export KOJI_DIR=/srv/koji
 export KOJI_MOUNT_DIR=/mnt/koji
 export KOJI_MASTER_FQDN="$(hostname -f)"
+export KOJI_MASTER_IP="$(hostname -i)"
 export KOJI_SLAVE_FQDN="$KOJI_MASTER_FQDN"
+export KOJI_SLAVE_IP="$KOJI_MASTER_IP"
 export KOJI_URL=https://"$KOJI_MASTER_FQDN"
 export KOJID_CAPACITY=16
 export TAG_NAME=clear
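Review bot: `-addext "$CERT_EXT"` is passed unconditionally in the `else` branch, so any caller that still invokes gencert.sh with two arguments, or with an empty third one, now hands openssl an empty extension string and the request fails; the `-z "$CERT_SUBJECT"` branch meanwhile ignores `CERT_EXT` entirely. Build the `openssl req` argument list once and append `-subj` and `-addext` only when the corresponding value is set, and default the parameter with `CERT_EXT="${3:-}"` so the script also survives `set -u`. The rewrite below assumes gencert.sh runs under bash (its shebang is outside the hunk); if it is plain sh, two nested `if` blocks give the same effect.
```shell
CERT_EXT="${3:-}"

openssl genrsa -out private/"$KOJI_USER".key 2048
req_args=(-config ssl.cnf -new -nodes -out certs/"$KOJI_USER".csr -key private/"$KOJI_USER".key)
if [ -n "$CERT_SUBJECT" ]; then
  req_args+=(-subj "$CERT_SUBJECT")
fi
if [ -n "$CERT_EXT" ]; then
  req_args+=(-addext "$CERT_EXT")
fi
openssl req "${req_args[@]}"
# … unchanged: openssl ca signing and .pem bundling …
```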
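Review bot: `hostname -i` resolves the host name through the resolver rather than reading the interfaces, so on hosts whose /etc/hosts maps the FQDN to a loopback entry it yields an address like 127.0.1.1, and when the name resolves to several addresses it prints them space-separated, which becomes an unparsable `IP:` SAN entry in both ssl.cnf and the `-addext` strings built from `KOJI_MASTER_IP`. Pick one routable address explicitly, for example `export KOJI_MASTER_IP="$(getent ahostsv4 "$KOJI_MASTER_FQDN" | awk 'NR==1 {print $1}')"`, and fail early when it is empty with `: "${KOJI_MASTER_IP:?no address for $KOJI_MASTER_FQDN}"`. `KOJI_SLAVE_IP` inherits the master address, so a deployment that overrides `KOJI_SLAVE_FQDN` to a separate builder would issue that builder a certificate asserting the hub's IP unless it also overrides `KOJI_SLAVE_IP`; resolving it from `$KOJI_SLAVE_FQDN` in the same way avoids that.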