From 23dc67de3fd42c7b04de1e35edb6f23a82c0a09b Mon Sep 17 00:00:00 2001 From: Serhii Kotov Date: Tue, 12 Feb 2019 16:51:13 +0100 Subject: [PATCH] Pass SSL password to Cheetah securely --- package/yast2-rmt.changes | 6 ++++++ package/yast2-rmt.spec | 2 +- spec/rmt/ssl/certificate_generator_spec.rb | 22 ++++++++++++++++------ src/lib/rmt/ssl/certificate_generator.rb | 12 ++++++++---- 4 files changed, 31 insertions(+), 11 deletions(-) diff --git a/package/yast2-rmt.changes b/package/yast2-rmt.changes index 9d44ef4..fd35dbb 100644 --- a/package/yast2-rmt.changes +++ b/package/yast2-rmt.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Feb 12 15:51:18 UTC 2019 - skotov@suse.com + +- Release version 1.2.2 +- Pass SSL password to Cheetah CLI interface securely (bsc#1119835) + ------------------------------------------------------------------- Fri Feb 1 10:58:34 UTC 2019 - fschueller@suse.com diff --git a/package/yast2-rmt.spec b/package/yast2-rmt.spec index 7196b5c..1906cc9 100644 --- a/package/yast2-rmt.spec +++ b/package/yast2-rmt.spec @@ -17,7 +17,7 @@ Name: yast2-rmt -Version: 1.2.1 +Version: 1.2.2 Release: 0 BuildArch: noarch diff --git a/spec/rmt/ssl/certificate_generator_spec.rb b/spec/rmt/ssl/certificate_generator_spec.rb index 407bf8a..cd35d44 100644 --- a/spec/rmt/ssl/certificate_generator_spec.rb +++ b/spec/rmt/ssl/certificate_generator_spec.rb @@ -79,9 +79,11 @@ context 'with valid password' do it 'returns true' do + expect_any_instance_of(Cheetah::DefaultRecorder).not_to receive(:record_stdin) expect(RMT::Execute).to receive(:on_target!).with( 'openssl', 'rsa', '-passin', 'stdin', '-in', ssl_files[:ca_private_key], - stdin: password + stdin: password, + logger: nil ).and_return(true) expect(method_call).to eq(true) end @@ -89,9 +91,11 @@ context 'with invalid password' do it 'returns false' do + expect_any_instance_of(Cheetah::DefaultRecorder).not_to receive(:record_stdin) expect(RMT::Execute).to receive(:on_target!).with( 'openssl', 'rsa', '-passin', 'stdin', '-in', ssl_files[:ca_private_key], - stdin: password + stdin: password, + logger: nil ).and_raise(Cheetah::ExecutionFailed.new('', '', '', '')) expect(method_call).to eq(false) end @@ -154,10 +158,12 @@ expect(Yast::SCR).to receive(:Write).with(scr_path, ssl_files[:ca_config], ca_config) expect(Yast::SCR).to receive(:Write).with(scr_path, ssl_files[:server_config], server_config) + expect_any_instance_of(Cheetah::DefaultRecorder).not_to receive(:record_stdin) expect(RMT::Execute).to receive(:on_target!).with( 'openssl', 'genrsa', '-aes256', '-passout', 'stdin', '-out', ssl_files[:ca_private_key], described_class::OPENSSL_KEY_BITS, - stdin: ca_password + stdin: ca_password, + logger: nil ) expect(RMT::Execute).to receive(:on_target!).with( @@ -169,7 +175,8 @@ 'openssl', 'req', '-x509', '-new', '-nodes', '-key', ssl_files[:ca_private_key], '-sha256', '-days', described_class::OPENSSL_CA_VALIDITY_DAYS, '-out', ssl_files[:ca_certificate], '-passin', 'stdin', '-config', ssl_files[:ca_config], - stdin: ca_password + stdin: ca_password, + logger: nil ) expect(RMT::Execute).to receive(:on_target!).with( @@ -183,7 +190,8 @@ '-CAkey', ssl_files[:ca_private_key], '-passin', 'stdin', '-days', described_class::OPENSSL_SERVER_CERT_VALIDITY_DAYS, '-sha256', '-CAcreateserial', '-extensions', 'v3_server_sign', '-extfile', ssl_files[:server_config], - stdin: ca_password + stdin: ca_password, + logger: nil ) expect(Yast::SCR).to receive(:Read).with(scr_path, ssl_files[:server_certificate]).and_return(server_cert) @@ -258,13 +266,15 @@ '-out', ssl_files[:server_csr], '-config', ssl_files[:server_config] ) + expect_any_instance_of(Cheetah::DefaultRecorder).not_to receive(:record_stdin) expect(RMT::Execute).to receive(:on_target!).with( 'openssl', 'x509', '-req', '-in', ssl_files[:server_csr], '-out', ssl_files[:server_certificate], '-CA', ssl_files[:ca_certificate], '-CAkey', ssl_files[:ca_private_key], '-passin', 'stdin', '-days', described_class::OPENSSL_SERVER_CERT_VALIDITY_DAYS, '-sha256', '-CAcreateserial', '-extensions', 'v3_server_sign', '-extfile', ssl_files[:server_config], - stdin: ca_password + stdin: ca_password, + logger: nil ) expect(Yast::SCR).to receive(:Read).with(scr_path, ssl_files[:server_certificate]).and_return(server_cert) diff --git a/src/lib/rmt/ssl/certificate_generator.rb b/src/lib/rmt/ssl/certificate_generator.rb index 2c288ea..679dbad 100644 --- a/src/lib/rmt/ssl/certificate_generator.rb +++ b/src/lib/rmt/ssl/certificate_generator.rb @@ -65,7 +65,8 @@ def ca_encrypted? def valid_password?(password) RMT::Execute.on_target!( 'openssl', 'rsa', '-passin', 'stdin', '-in', @ssl_paths[:ca_private_key], - stdin: password + stdin: password, + logger: nil # do not log in order to securely pass password ) true rescue Cheetah::ExecutionFailed @@ -98,13 +99,15 @@ def generate(common_name, alt_names, ca_password) RMT::Execute.on_target!( 'openssl', 'genrsa', '-aes256', '-passout', 'stdin', '-out', @ssl_paths[:ca_private_key], OPENSSL_KEY_BITS, - stdin: ca_password + stdin: ca_password, + logger: nil # do not log in order to securely pass password ) RMT::Execute.on_target!( 'openssl', 'req', '-x509', '-new', '-nodes', '-key', @ssl_paths[:ca_private_key], '-sha256', '-days', OPENSSL_CA_VALIDITY_DAYS, '-out', @ssl_paths[:ca_certificate], '-passin', 'stdin', '-config', @ssl_paths[:ca_config], - stdin: ca_password + stdin: ca_password, + logger: nil # do not log in order to securely pass password ) end @@ -120,7 +123,8 @@ def generate(common_name, alt_names, ca_password) '-CA', @ssl_paths[:ca_certificate], '-CAkey', @ssl_paths[:ca_private_key], '-passin', 'stdin', '-days', OPENSSL_SERVER_CERT_VALIDITY_DAYS, '-sha256', '-CAcreateserial', '-extensions', 'v3_server_sign', '-extfile', @ssl_paths[:server_config], - stdin: ca_password + stdin: ca_password, + logger: nil # do not log in order to securely pass password ) else RMT::Execute.on_target!(