
Update x509-parser from 0.9.2 to 0.11.0 #1848

Merged
merged 1 commit into from
Dec 1, 2021

Conversation

arnaldo2792
Contributor

Issue number:
#1743

Description of changes:

5edde283  sources: update x509-parser

I tried to update to the latest version (0.12.0); however, there is a problem with the license of one of the dependencies: apparently, the license text doesn't match the identifier used for the license. I'll dig into that problem later, since I might have to contribute to the library to fix the problem.

Testing done:
In AWS ECS, launched a bootstrap-container with the following definition:

FROM alpine

RUN apk add openssl

ADD ./generate-certificate ./csr.conf ./config.yml ./

ENTRYPOINT ["sh", "generate-certificate"]

And generate-certificate as:

#!/bin/sh

set -xe

PERSISTENT_DIR=/.bottlerocket/rootfs/mnt/certificates

mkdir -p $PERSISTENT_DIR

# Mount certificates as a tmpfs filesystem
mount -t tmpfs none $PERSISTENT_DIR
cp config.yml $PERSISTENT_DIR

# Generate 3 certificates
for i in $(seq 3); do
  # Generate CA Certificate and Key
  openssl genrsa -out $PERSISTENT_DIR/ca-$i.key 2048
  openssl req -x509 -new -nodes -key $PERSISTENT_DIR/ca-$i.key \
    -subj "/CN=bottlerocket/C=US/L=WASHINGTON" -days 1825 -out $PERSISTENT_DIR/ca-$i.crt
done

# Randomly select the CA certificate
TARGET=ca-$(( $RANDOM % 3 + 1 ))
ln -s $PERSISTENT_DIR/$TARGET.crt $PERSISTENT_DIR/ca.crt
ln -s $PERSISTENT_DIR/$TARGET.key $PERSISTENT_DIR/ca.key

# Generate SSL/TLS Certificates
openssl genrsa -out $PERSISTENT_DIR/server.key 2048
openssl req -new -key $PERSISTENT_DIR/server.key -out $PERSISTENT_DIR/server.csr -config csr.conf
openssl x509 -req -in $PERSISTENT_DIR/server.csr -CA $PERSISTENT_DIR/ca.crt -CAkey $PERSISTENT_DIR/ca.key \
  -CAcreateserial -out $PERSISTENT_DIR/server.crt -days 10000 -extensions req_ext \
  -extfile csr.conf

# Save all certificates as a bundle
BUNDLE=$(cat $PERSISTENT_DIR/ca-1.crt $PERSISTENT_DIR/ca-2.crt $PERSISTENT_DIR/ca-3.crt | base64 -w0)
apiclient set pki.local-registry.data=$BUNDLE \
  pki.local-registry.trusted=true

From sheltie, validated that the certificates store has the 3 new certificates:

bash-5.0# grep bottlerocket /etc/pki/tls/certs/ca-bundle.crt
# bottlerocket
# bottlerocket
# bottlerocket

Validated that the certificates store is updated when the bundle is marked as 'distrusted':

bash-5.0# apiclient set pki.local-registry.trusted=false
bash-5.0# grep bottlerocket /etc/pki/tls/certs/ca-bundle.crt
# ^ didn't return any matches

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
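The base64 bundle handed to `apiclient set pki.local-registry.data=...` in the testing above can be sanity-checked before it reaches the host. The following is an added example, not code from the PR or from Bottlerocket: it decodes the bundle, splits out each PEM certificate block and verifies that the block's outer DER SEQUENCE length matches its size, so a truncated or mis-pasted certificate is caught before the host-side parser sees it. The sample bundle is constructed from minimal DER values, not real certificates.

```python
import base64
import binascii
import re

# One PEM certificate block; re.S lets the base64 body span lines.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_outer_length_ok(der: bytes) -> bool:
    """True if `der` is one DER SEQUENCE (tag 0x30) whose length covers the whole buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: length fits one byte
        length, hdr = first, 2
    else:                                  # long form: low bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + length == len(der)

def check_bundle(b64_bundle: str) -> dict:
    """Pre-flight a base64 PEM bundle as used for pki.local-registry.data; returns count and errors."""
    try:
        pem_text = base64.b64decode(b64_bundle, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        return {"count": 0, "errors": [f"bundle is not base64 PEM: {exc}"]}
    count, errors = 0, []
    for idx, body in enumerate(PEM_RE.findall(pem_text), start=1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            errors.append(f"cert {idx}: body is not valid base64")
            continue
        if not der_outer_length_ok(der):
            errors.append(f"cert {idx}: DER outer SEQUENCE length mismatch")
            continue
        count += 1
    if count == 0 and not errors:
        errors.append("no CERTIFICATE blocks found")
    return {"count": count, "errors": errors}

# Constructed sample (not real certificates): three minimal DER SEQUENCEs plus one
# truncated one, PEM-armoured and base64-encoded the same way the PR builds its bundle.
def pem(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")

GOOD_DER = bytes.fromhex("3003020105")      # SEQUENCE { INTEGER 5 }
TRUNCATED_DER = bytes.fromhex("30050201")   # header claims 5 bytes, only 2 follow
SAMPLE_BUNDLE = base64.b64encode((pem(GOOD_DER) * 3 + pem(TRUNCATED_DER)).encode()).decode()
```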

Update x509-parser from 0.9.2 to 0.11.0

Signed-off-by: Arnaldo Garcia Rincon <[email protected]>
@arnaldo2792 arnaldo2792 linked an issue Dec 1, 2021 that may be closed by this pull request

@webern webern left a comment


@zmrow zmrow left a comment


🦭

@arnaldo2792 arnaldo2792 merged commit ebf64a5 into bottlerocket-os:develop Dec 1, 2021
@arnaldo2792 arnaldo2792 deleted the x509-parser branch December 1, 2021 23:48
Successfully merging this pull request may close these issues.

Update x509-parser / der-parser