From 5ea69733aab993c0fe3f2cf731f2d7a3c0328939 Mon Sep 17 00:00:00 2001 From: Paul Wise Date: Wed, 31 Dec 2014 10:32:55 +0800 Subject: [PATCH 1/1] Enforce SSL configuration using puppet, add dirs for debian and global CAs --- modules/buildd/manifests/init.pp | 2 +- modules/samhain/templates/samhainrc.erb | 6 + modules/ssl/files/README.ca-debian | 13 ++ modules/ssl/files/README.ca-global | 13 ++ modules/ssl/files/README.certs | 8 + modules/ssl/files/local-ssl-ca-global | 6 + modules/ssl/files/update-ca-certificates-dsa | 210 +++++++++++++++++++ modules/ssl/manifests/init.pp | 72 +++++++ 8 files changed, 329 insertions(+), 1 deletion(-) create mode 100644 modules/ssl/files/README.ca-debian create mode 100644 modules/ssl/files/README.ca-global create mode 100644 modules/ssl/files/README.certs create mode 100644 modules/ssl/files/local-ssl-ca-global create mode 100755 modules/ssl/files/update-ca-certificates-dsa diff --git a/modules/buildd/manifests/init.pp b/modules/buildd/manifests/init.pp index c4087d28..3c64de2e 100644 --- a/modules/buildd/manifests/init.pp +++ b/modules/buildd/manifests/init.pp @@ -53,7 +53,7 @@ class buildd ($ensure=present) { if ($::lsbmajdistrelease >= 8) { file { '/etc/apt/apt.conf.d/puppet-https-buildd': - content => "Acquire::https::buildd.debian.org::CaInfo \"/usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt\";\n", + content => "Acquire::https::buildd.debian.org::CaInfo \"/etc/ssl/ca-debian/ca-certificates.crt\";\n", } } else { file { '/etc/apt/apt.conf.d/puppet-https-buildd': diff --git a/modules/samhain/templates/samhainrc.erb b/modules/samhain/templates/samhainrc.erb index 9ba82ada..2758d467 100644 --- a/modules/samhain/templates/samhainrc.erb +++ b/modules/samhain/templates/samhainrc.erb @@ -368,6 +368,7 @@ file=/etc/apt/sources.list.d/backports.org.list file=/etc/apt/apt.conf.d/local-compression file=/etc/apt/apt.conf.d/local-recommends file=/etc/apt/apt.conf.d/local-pdiffs +file=/etc/apt/apt.conf.d/local-ssl-ca-global file=/etc/apt/preferences.d/buildd file=/etc/systemd/system/puppet.service file=/etc/puppet/puppet.conf @@ -452,6 +453,11 @@ file=/etc/ferm/conf.d/defs.conf file=/etc/ferm/ferm.conf dir=2/etc/ssl/debian dir=1/etc/ssl/certs +dir=1/etc/ssl/ca-debian +dir=1/etc/ssl/ca-global +file=/etc/ca-certificates.conf +file=/etc/ca-certificates-debian.conf +file=/etc/ca-certificates-global.conf file=/etc/unbound/unbound.conf <% if scope.lookupvar('::fqdn') == "draghi.debian.org" -%> file=/etc/openvpn/deb-mgmt-clients.pool diff --git a/modules/ssl/files/README.ca-debian b/modules/ssl/files/README.ca-debian new file mode 100644 index 00000000..316bd8d3 --- /dev/null +++ b/modules/ssl/files/README.ca-debian @@ -0,0 +1,13 @@ +This directory contains the certificate(s) for the certificate authorities +that have signed current service certificates for debian.org services. + +The purpose of this directory is to allow verification of service certificates +for debian.org services by software that is unable to properly verify service +certificates that are available in the default certificate store. + +Please *do not* use it for verification of debian.org service certificates +unless the software you are using is buggy and there is no other alternative. +Please *file bugs* on any software that you find that needs to use this +directory and usertag those bugs using this bts command: + +bts user debian-admin@lists.debian.org , usertags 123456 + needed-by-DSA-Team diff --git a/modules/ssl/files/README.ca-global b/modules/ssl/files/README.ca-global new file mode 100644 index 00000000..5fb1778f --- /dev/null +++ b/modules/ssl/files/README.ca-global @@ -0,0 +1,13 @@ +This directory contains all of the certificates for certificate authorities +trusted by the ca-certificates Debian package, which is mostly a copy +of the certificates trusted by the Mozilla certificate store. + +The purpose of this directory is to allow verification of certificates from +a wide variety of external services on the global Internet that could +change their certificate at any time and could change their certificate +signing authority at any time. + +Please *do not* use it for verification of debian.org service certificates. + +Please *do not* use it for verification of certificates when pinning to a +specific service certificate or certificate authority is a viable option. diff --git a/modules/ssl/files/README.certs b/modules/ssl/files/README.certs new file mode 100644 index 00000000..edf4cc67 --- /dev/null +++ b/modules/ssl/files/README.certs @@ -0,0 +1,8 @@ +This directory *only* contains the certificate(s) for the current service +certificates for debian.org services. + +The purpose of this directory is to allow verification of service certificates +for debian.org services by software that is able to properly verify service +certificates that are available in the default certificate store. + +Please *use it* in preference to other certificate stores when possible. diff --git a/modules/ssl/files/local-ssl-ca-global b/modules/ssl/files/local-ssl-ca-global new file mode 100644 index 00000000..cb8bb34f --- /dev/null +++ b/modules/ssl/files/local-ssl-ca-global @@ -0,0 +1,6 @@ +DPkg::Pre-Install-Pkgs { + "if grep -q '^ca-certificates_.*\.deb$' ; then touch /run/dsa-ca-certificates-global ; fi"; +}; +DPkg::Post-Invoke { + "if [ -e /run/dsa-ca-certificates-global ]; then /usr/local/sbin/update-ca-certificates-dsa --fresh --default --certsconf /etc/ca-certificates-global.conf --etccertsdir /etc/ssl/ca-global --hooksdir /dev/null ; rm -f /run/dsa-ca-certificates-global ; fi"; +}; diff --git a/modules/ssl/files/update-ca-certificates-dsa b/modules/ssl/files/update-ca-certificates-dsa new file mode 100755 index 00000000..b6d35a1f --- /dev/null +++ b/modules/ssl/files/update-ca-certificates-dsa @@ -0,0 +1,210 @@ +#!/bin/sh -e +# This is a copy of update-ca-certificates from the ca-certificates package in jessie +# with patches applied to allow custom paths and to allow setting to default certs: +# https://bugs.debian.org/774059 +# https://bugs.debian.org/774201 +# +# update-ca-certificates +# +# Copyright (c) 2003 Fumitoshi UKAI +# Copyright (c) 2009 Philipp Kern +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02111-1301, +# USA. +# + +verbose=0 +fresh=0 +default=0 +CERTSCONF=/etc/ca-certificates.conf +CERTSDIR=/usr/share/ca-certificates +LOCALCERTSDIR=/usr/local/share/ca-certificates +CERTBUNDLE=ca-certificates.crt +ETCCERTSDIR=/etc/ssl/certs +HOOKSDIR=/etc/ca-certificates/update.d + +while [ $# -gt 0 ]; +do + case $1 in + --verbose|-v) + verbose=1;; + --fresh|-f) + fresh=1;; + --default|-d) + default=1 + fresh=1;; + --certsconf) + shift + CERTSCONF="$1";; + --certsdir) + shift + CERTSDIR="$1";; + --localcertsdir) + shift + LOCALCERTSDIR="$1";; + --certbundle) + shift + CERTBUNDLE="$1";; + --etccertsdir) + shift + ETCCERTSDIR="$1";; + --hooksdir) + shift + HOOKSDIR="$1";; + --help|-h|*) + echo "$0: [--verbose] [--fresh]" + exit;; + esac + shift +done + +if [ ! -s "$CERTSCONF" ] +then + fresh=1 +fi + +cleanup() { + rm -f "$TEMPBUNDLE" + rm -f "$ADDED" + rm -f "$REMOVED" +} +trap cleanup 0 + +# Helper files. (Some of them are not simple arrays because we spawn +# subshells later on.) +TEMPBUNDLE="$(mktemp -t "${CERTBUNDLE}.tmp.XXXXXX")" +ADDED="$(mktemp -t "ca-certificates.tmp.XXXXXX")" +REMOVED="$(mktemp -t "ca-certificates.tmp.XXXXXX")" + +# Adds a certificate to the list of trusted ones. This includes a symlink +# in /etc/ssl/certs to the certificate file and its inclusion into the +# bundle. +add() { + CERT="$1" + PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \ + -e 's/[()]/=/g' \ + -e 's/,/_/g').pem" + if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "$CERT" ] + then + ln -sf "$CERT" "$PEM" + echo +$PEM >> "$ADDED" + fi + # Add trailing newline to certificate, if it is missing (#635570) + sed -e '$a\' "$CERT" >> "$TEMPBUNDLE" +} + +remove() { + CERT="$1" + PEM="$ETCCERTSDIR/$(basename "$CERT" .crt).pem" + if test -L "$PEM" + then + rm -f "$PEM" + echo -$PEM >> "$REMOVED" + fi +} + +cd $ETCCERTSDIR +if [ "$fresh" = 1 ]; then + echo -n "Clearing symlinks in $ETCCERTSDIR..." + find . -type l -print | while read symlink + do + case $(readlink $symlink) in + $CERTSDIR*) rm -f $symlink;; + esac + done + find . -type l -print | while read symlink + do + test -f $symlink || rm -f $symlink + done + echo "done." +fi + +echo -n "Updating certificates in $ETCCERTSDIR... " + +# Add default certificate authorities if requested +if [ "$default" = 1 ]; then + find -L "$CERTSDIR" -type f -name '*.crt' | sort | while read crt + do + add "$crt" + done +fi + +# Handle certificates that should be removed. This is an explicit act +# by prefixing lines in the configuration files with exclamation marks (!). +sed -n -e '/^$/d' -e 's/^!//p' $CERTSCONF | while read crt +do + remove "$CERTSDIR/$crt" +done + +sed -e '/^$/d' -e '/^#/d' -e '/^!/d' $CERTSCONF | while read crt +do + if ! test -f "$CERTSDIR/$crt" + then + echo "W: $CERTSDIR/$crt not found, but listed in $CERTSCONF." >&2 + continue + fi + add "$CERTSDIR/$crt" +done + +# Now process certificate authorities installed by the local system +# administrator. +if [ -d "$LOCALCERTSDIR" ] +then + find -L "$LOCALCERTSDIR" -type f -name '*.crt' | sort | while read crt + do + add "$crt" + done +fi + +rm -f "$CERTBUNDLE" + +ADDED_CNT=$(wc -l < "$ADDED") +REMOVED_CNT=$(wc -l < "$REMOVED") + +if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ] +then + # only run if set of files has changed + if [ "$verbose" = 0 ] + then + c_rehash . > /dev/null + else + c_rehash . + fi +fi + +chmod 0644 "$TEMPBUNDLE" +mv -f "$TEMPBUNDLE" "$CERTBUNDLE" +# Restore proper SELinux label after moving the file +[ -x /sbin/restorecon ] && /sbin/restorecon "$CERTBUNDLE" >/dev/null 2>&1 + +echo "$ADDED_CNT added, $REMOVED_CNT removed; done." + +if [ -d "$HOOKSDIR" ] +then + +echo -n "Running hooks in $HOOKSDIR...." +VERBOSE_ARG= +[ "$verbose" = 0 ] || VERBOSE_ARG=--verbose +eval run-parts $VERBOSE_ARG --test -- $HOOKSDIR | while read hook +do + ( cat $ADDED + cat $REMOVED ) | $hook || echo E: $hook exited with code $?. +done +echo "done." + +fi + +# vim:set et sw=2: + diff --git a/modules/ssl/manifests/init.pp b/modules/ssl/manifests/init.pp index 2d4a140c..127869a0 100644 --- a/modules/ssl/manifests/init.pp +++ b/modules/ssl/manifests/init.pp @@ -11,6 +11,33 @@ class ssl { ensure => installed, } + file { '/etc/ca-certificates.conf': + content => "# This file is under puppet control\n# Only debian.org service certs are trusted, see /etc/ssl/certs/README", + notify => Exec['refresh_normal_hashes'], + } + file { '/etc/ca-certificates-debian.conf': + mode => '0444', + content => "# This file is under puppet control\n# Only the CAs for debian.org are trusted, see /etc/ssl/ca-debian/README\nmozilla/AddTrust_External_Root.crt", + notify => Exec['refresh_ca_debian_hashes'], + } + file { '/etc/ca-certificates-global.conf': + content => "# This file is under puppet control\n# All CAs are trusted, see /etc/ssl/ca-global/README", + notify => Exec['refresh_ca_global_hashes'], + } + + file { '/etc/apt/apt.conf.d/local-ssl-ca-global': + mode => '0444', + source => 'puppet:///modules/ssl/local-ssl-ca-global', + } + + file { '/etc/ssl/certs/ssl-cert-snakeoil.pem': + ensure => absent, + notify => Exec['refresh_normal_hashes'], + } + file { '/etc/ssl/private/ssl-cert-snakeoil.key': + ensure => absent, + } + file { '/etc/ssl/servicecerts': ensure => link, purge => true, @@ -28,6 +55,26 @@ class ssl { force => true, notify => Exec['refresh_normal_hashes'], } + file { '/etc/ssl/certs/README': + mode => '0444', + source => 'puppet:///modules/ssl/README.certs', + } + file { '/etc/ssl/ca-debian': + ensure => directory, + mode => '0755', + } + file { '/etc/ssl/ca-debian/README': + mode => '0444', + source => 'puppet:///modules/ssl/README.ca-debian', + } + file { '/etc/ssl/ca-global': + ensure => directory, + mode => '0755', + } + file { '/etc/ssl/ca-debian/README': + mode => '0444', + source => 'puppet:///modules/ssl/README.ca-global', + } file { '/etc/ssl/debian': ensure => directory, source => 'puppet:///files/empty/', @@ -78,6 +125,11 @@ class ssl { require => Package['ssl-cert'], } + file { '/usr/local/sbin/update-ca-certificates-dsa': + mode => '0555', + source => 'puppet:///modules/ssl/update-ca-certificates-dsa', + } + exec { 'retire_debian_links': command => 'find -lname "../servicecerts/*" -exec rm {} +', cwd => '/etc/ssl/certs', @@ -99,5 +151,25 @@ class ssl { refreshonly => true, require => Package['ca-certificates'], } + exec { 'refresh_ca_debian_hashes': + command => '/usr/local/sbin/update-ca-certificates-dsa --fresh --certsconf /etc/ca-certificates-debian.conf --localcertsdir /dev/null --etccertsdir /etc/ssl/ca-debian --hooksdir /dev/null', + refreshonly => true, + require => [ + Package['ca-certificates'], + File['/etc/ssl/ca-debian'], + File['/etc/ca-certificates-debian.conf'], + File['/usr/local/sbin/update-ca-certificates-dsa'], + ] + } + exec { 'refresh_ca_global_hashes': + command => '/usr/local/sbin/update-ca-certificates-dsa --fresh --default --certsconf /etc/ca-certificates-global.conf --etccertsdir /etc/ssl/ca-global --hooksdir /dev/null', + refreshonly => true, + require => [ + Package['ca-certificates'], + File['/etc/ssl/ca-global'], + File['/etc/ca-certificates-global.conf'], + File['/usr/local/sbin/update-ca-certificates-dsa'], + ] + } } -- 2.39.2