Output the SSL Certificate and Key modulus

Provides a simple mechanism to verify the correct certificates landed. A quick and simple way to verify SSL certificates were generated for a given key is by comparing the modulus of the two. By outputing the key modulus and certificate modulus we offer a way to verify that the right cert and key have been deployed without compromising any of the secrets. Change-Id: I882c9840719a09795ba8057a19b0b3985e036c3c
2015-11-04 12:18:22 +01:00 · 2015-11-04 12:18:22 +01:00 · 5bfef1a17c
commit 5bfef1a17c
parent 14c4417e42
3 changed files with 26 additions and 0 deletions
--- a/puppet/controller.yaml
+++ b/puppet/controller.yaml
@ -1396,3 +1396,9 @@ outputs:
          - {get_attr: [NodeTLSData, deploy_stdout]}
          - {get_attr: [ControllerExtraConfigPre, deploy_stdout]}
          - {get_param: UpdateIdentifier}
+  tls_key_modulus_md5:
+    description: MD5 checksum of the TLS Key Modulus
+    value: {get_attr: [NodeTLSData, key_modulus_md5]}
+  tls_cert_modulus_md5:
+    description: MD5 checksum of the TLS Certificate Modulus
+    value: {get_attr: [NodeTLSData, cert_modulus_md5]}
--- a/puppet/extraconfig/tls/no-tls.yaml
+++ b/puppet/extraconfig/tls/no-tls.yaml
@ -26,3 +26,9 @@ outputs:
    value: 'TLS not enabled.'
  deployed_ssl_certificate_path:
    value: ''
+  key_modulus_md5:
+    description: Key SSL Modulus
+    value: ''
+  cert_modulus_md5:
+    description: Certificate SSL Modulus
+    value: ''
--- a/puppet/extraconfig/tls/tls-cert-inject.yaml
+++ b/puppet/extraconfig/tls/tls-cert-inject.yaml
@ -49,6 +49,8 @@ resources:
        - name: cert_chain_content
      outputs:
        - name: chain_md5sum
+        - name: cert_modulus
+        - name: key_modulus
      config: |
        #!/bin/sh
        cat << EOF | tee ${cert_path} > /dev/null
@ -57,6 +59,12 @@ resources:
        chmod 0440 ${cert_path}
        chown root:haproxy ${cert_path}
        md5sum ${cert_path} > ${heat_outputs_path}.chain_md5sum
+        openssl x509 -noout -modulus -in ${cert_path} \
+          | openssl md5 | cut -c 10- \
+          > ${heat_outputs_path}.cert_modulus
+        openssl rsa -noout -modulus -in ${cert_path} \
+          | openssl md5 | cut -c 10- \
+          > ${heat_outputs_path}.key_modulus

  ControllerTLSDeployment:
    type: OS::Heat::SoftwareDeployment
@ -79,3 +87,9 @@ outputs:
  deployed_ssl_certificate_path:
    description: The location that the TLS certificate was deployed to.
    value: {get_param: DeployedSSLCertificatePath}
+  key_modulus_md5:
+    description: MD5 checksum of the Key SSL Modulus
+    value: {get_attr: [ControllerTLSDeployment, key_modulus]}
+  cert_modulus_md5:
+    description: MD5 checksum of the Certificate SSL Modulus
+    value: {get_attr: [ControllerTLSDeployment, cert_modulus]}