Modify cert usage; allow users to manage certs.

Steno's use of certificates for user/group verification initially was designed a
little wonky:

 1) the server cert was used to sign the client cert
 2) certs (both client and server) were recreated from scratch on each run of
    steno

These two issues made it really hard to do anything more complex with certs,
like having a single client cert that works across multiple servers, or using an
organization's central CA for cert management.

This CL changes that:

  1) Certificate creation is now done at install time (stenokeys.sh) with the
     'openssl' command-line tool, not inside Go code.  Thus, keys are no longer
     rewritten on startup.
  2) There is now a CA cert in /etc/stenographer/certs/ca_cert.pem.  This CA
     cert is used to sign both the client and server cert.
     * Users can now overwrite it with their org's CA cert to centrally manage
       certificates.
     * Users can generate multiple client or server certs from a single CA cert
       and manually distribute them.

This is somewhat backwards-incompatible with old installs of steno, which don't
have a ca_cert.  Thus, when install.sh is run now, if it sees that ca_cert is
missing, it'll wipe all certs and reinstall all certs from scratch.

Note, this should also fix Issue google#124, where NSS TLS is more stringent with
certs and doesn't allow a CA cert to also act as a server cert.

Author: gconnell

DESIGN.md

@@ -77,29 +77,36 @@ user requests.
 
 #### Access Control ####
 
-Access to raw packet data is, of course, sensitive.  We wanted to find a way to
-provide and revoke access easily, using simple POSIX permissions.  Here's the
-system we came up with on very short notice:
-
-   * On startup, stenographer creates a server cert/key pair and client cert/key
-     pair in a certificate directory.  The server key is readable only by
-     the analyst running stenographer.  The server cert and client cert/key are
-     readable by the POSIX `stenographer` group.
-   * The server uses the server cert/key as its TLS cert/key when serving data.
-     The client, when issuing TLS requests, verifies the server is valid by
-     checking against the server cert it can read in the cerficates directory.
-   * The server does client verification using the client cert, which it can
-     read from the certificate directory.  In order to create a valid TLS
-     connection, then, the client must have access to the client key, which is
-     only visible to the stenographer POSIX group.
-
-Granting access to stenographer on a local machine is as simple as adding a
-analyst to the `stenographer` POSIX group, thus allowing them read access to the
-client key in the certificate directory.  Revoking access involves removing the
-analyst from the POSIX group, then restarting stenographer in order to generate
-new certs/keys (and thus invalidate any old keys the analyst may have copied to
-other locations).
-
+Access to the server is controlled with client certificates.  On install, a
+script, `stenokeys.sh`, is run to generate a CA certificate and use it to
+create/sign a client and server certificate.  The client and server authenticate
+each other on every request using the CA certificate as a source of truth.
+POSIX permissions are used locally to control access to the certs... the
+`stenographer` user which runs steno has read access to the server key
+(`steno:root -r--------`).  The `stenographer` group as read access to the
+client key (`root:steno ----r-----`).  Key usage extensions specify that the
+server key must be used as a TLS server, and the client key must be used as a
+TLS client.
+
+Due to the file permissions mentioned above, giving steno access to a local user
+simply requires adding that user to the local `stenographer` group, thus giving
+them access to `client_key.pem`.
+
+Once keys are created on install, they're currently NEVER REVOKED.  Thus, if
+someone gets access to a client cert, they'll have access to the server ad
+infinitum.  Should you have problems with a key being released, the current best
+way to handle this is by deleting all data in the `/etc/stenographer/certs`
+directory and rerunning `stenokeys.sh` to generate an entirely new set of keys
+rooted to a new CA.
+
+`stenokeys.sh` will not modify keys/certs that already exist in
+`/etc/stenographer/certs`.  Thus, if you have more complex topologies, you can
+overwrite these values and they'll happily be used by Stenographer.  If, for
+example, you already have a CA in your organization, you can copy its cert into
+the `ca_cert.pem` file, then create `{client,server}_{key,cert}.pem` files
+rooted in that CA and copy them in.  This also allows folks to use a single CA
+cert over multiple stenographer instances, allowing a single client cert to
+access multiple servers over the network.
 
 ### Stenotype ###
 

certs/certs.go

@@ -18,96 +18,13 @@
 package certs
 
 import (
-	"crypto/rand"
-	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
-	"crypto/x509/pkix"
 	"encoding/pem"
 	"fmt"
 	"io/ioutil"
-	"math/big"
-	"net"
-	"os"
-	"time"
 )
 
-const (
-	bits     = 2048
-	validFor = 365 * 24 * time.Hour
-)
-
-// WriteNewCerts generates a self-signed certificate pair for use in
-// locally authorizing clients.  If 'server' is true, it writes out certs
-// which can be used to verify the server, otherwise it writes out certs
-// clients can use to authorize themselves to the server.
-func WriteNewCerts(certFile, keyFile string, server bool) error {
-	// Implementation mostly taken from http://golang.org/src/pkg/crypto/tls/generate_cert.go
-	priv, err := rsa.GenerateKey(rand.Reader, bits)
-	if err != nil {
-		return fmt.Errorf("failed to generate private key: %v", err)
-	}
-
-	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
-	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
-	if err != nil {
-		return fmt.Errorf("failed to generate serial number: %v", err)
-	}
-
-	template := x509.Certificate{
-		SerialNumber: serialNumber,
-		Subject: pkix.Name{
-			Organization: []string{"Stenographer"},
-			CommonName:   "127.0.0.1",
-		},
-		NotBefore: time.Now(),
-		NotAfter:  time.Now().Add(validFor),
-
-		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
-		BasicConstraintsValid: true,
-		DNSNames:              []string{"localhost"},
-		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
-		IsCA:                  true, // we're self-signed.
-	}
-	var keyFileMode os.FileMode
-	if server {
-		template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
-		keyFileMode = 0600
-	} else {
-		template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
-		keyFileMode = 0640
-	}
-
-	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
-	if err != nil {
-		return fmt.Errorf("Failed to create certificate: %v", err)
-	}
-
-	// Actually start writing.
-	certOut, err := os.Create(certFile)
-	if err != nil {
-		return fmt.Errorf("failed to open %q for writing: %s", certFile, err)
-	}
-	if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
-		return fmt.Errorf("could not encode pem: %v", err)
-	}
-	if err := certOut.Close(); err != nil {
-		return fmt.Errorf("could not close cert file: %v", err)
-	}
-
-	keyOut, err := os.OpenFile(keyFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, keyFileMode)
-	if err != nil {
-		return fmt.Errorf("failed to open %q for writing: %v", keyFile, err)
-	}
-	if err := pem.Encode(keyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil {
-		return fmt.Errorf("could not encode key: %v", err)
-	}
-	if err := keyOut.Close(); err != nil {
-		return fmt.Errorf("could not close key file: %v", err)
-	}
-	return nil
-}
-
 // ClientVerifyingTLSConfig returns a TLS config which verifies that clients
 // have a certificate signed by the CA certificate in the certFile.
 func ClientVerifyingTLSConfig(certFile string) (*tls.Config, error) {

certs/certs_test.go

@@ -49,9 +49,9 @@ var (
 const (
 	fileSyncFrequency = 15 * time.Second
 
-	// These files will be generated in Config.CertPath.
-	clientCertFilename = "client_cert.pem"
-	clientKeyFilename  = "client_key.pem"
+	// These files will be read from Config.CertPath.
+	// Use stenokeys.sh to generate them.
+	caCertFilename     = "ca_cert.pem"
 	serverCertFilename = "server_cert.pem"
 	serverKeyFilename  = "server_key.pem"
 )
@@ -60,18 +60,7 @@ const (
 // requests.  This server will server over TLS, using the certs
 // stored in c.CertPath to verify itself to clients and verify clients.
 func (e *Env) Serve() error {
-	clientCert, clientKey, serverCert, serverKey :=
-		filepath.Join(e.conf.CertPath, clientCertFilename),
-		filepath.Join(e.conf.CertPath, clientKeyFilename),
-		filepath.Join(e.conf.CertPath, serverCertFilename),
-		filepath.Join(e.conf.CertPath, serverKeyFilename)
-	if err := certs.WriteNewCerts(clientCert, clientKey, false); err != nil {
-		return fmt.Errorf("cannot write client certs: %v", err)
-	}
-	if err := certs.WriteNewCerts(serverCert, serverKey, true); err != nil {
-		return fmt.Errorf("cannot write server certs: %v", err)
-	}
-	tlsConfig, err := certs.ClientVerifyingTLSConfig(clientCert)
+	tlsConfig, err := certs.ClientVerifyingTLSConfig(filepath.Join(e.conf.CertPath, caCertFilename))
 	if err != nil {
 		return fmt.Errorf("cannot verify client cert: %v", err)
 	}
@@ -81,7 +70,9 @@ func (e *Env) Serve() error {
 	}
 	http.HandleFunc("/query", e.handleQuery)
 	http.Handle("/debug/stats", stats.S)
-	return server.ListenAndServeTLS(serverCert, serverKey)
+	return server.ListenAndServeTLS(
+		filepath.Join(e.conf.CertPath, serverCertFilename),
+		filepath.Join(e.conf.CertPath, serverKeyFilename))
 }
 
 func (e *Env) handleQuery(w http.ResponseWriter, r *http.Request) {

env/env.go

@@ -27,20 +27,30 @@ source lib.sh
 set -e
 Info "Making sure we have sudo access"
 sudo cat /dev/null
-set +e
-
-Info "Killing aleady-running processes"
-sudo service stenographer stop
-ReallyKill stenographer
-ReallyKill stenotype
 
-set -e
 InstallPackage libaio-dev
 InstallPackage libleveldb-dev
 InstallPackage libsnappy-dev
 InstallPackage g++
 InstallPackage libcap2-bin
 InstallPackage libseccomp-dev
+InstallPackage jq
+InstallPackage openssl
+
+Info "Building stenographer"
+go build
+
+Info "Building stenotype"
+pushd stenotype
+make
+popd
+
+set +e
+Info "Killing aleady-running processes"
+sudo service stenographer stop
+ReallyKill stenographer
+ReallyKill stenotype
+set -e
 
 if ! id stenographer >/dev/null 2>&1; then
   Info "Setting up stenographer user"
@@ -65,7 +75,7 @@ fi
 if [ ! -d /etc/stenographer/certs ]; then
   Info "Setting up stenographer /etc directory"
   sudo mkdir -p /etc/stenographer/certs
-  sudo chown -R stenographer:stenographer /etc/stenographer/certs
+  sudo chown -R root:root /etc/stenographer/certs
   if [ ! -f /etc/stenographer/config ]; then
     sudo cp -vf configs/steno.conf /etc/stenographer/config
     sudo chown root:root /etc/stenographer/config
@@ -80,16 +90,12 @@ if grep -q /path/to /etc/stenographer/config; then
   exit 1
 fi
 
-Info "Building stenographer"
-go build
+sudo ./stenokeys.sh /etc/stenographer/certs stenographer stenographer
+
+Info "Copying stenographer/stenotype"
 sudo cp -vf stenographer "$BINDIR/stenographer"
 sudo chown stenographer:root "$BINDIR/stenographer"
 sudo chmod 0700 "$BINDIR/stenographer"
-
-Info "Building stenotype"
-pushd stenotype
-make
-popd
 sudo cp -vf stenotype/stenotype "$BINDIR/stenotype"
 sudo chown stenographer:root "$BINDIR/stenotype"
 sudo chmod 0500 "$BINDIR/stenotype"

install.sh

@@ -25,7 +25,7 @@
 export KILLCMD=/usr/bin/pkill
 export BINDIR="${BINDIR-/usr/bin}"
 export GOPATH=${HOME}/go
-export PATH=${PATH}/usr/local/go/bin
+export PATH=${PATH}:/usr/local/go/bin
 
 
 # Load support functions
@@ -101,7 +101,7 @@ install_configs () {
 	Info "Setting up stenographer conf directory"
 	if [ ! -d /etc/stenographer/certs ]; then
 		sudo mkdir -p /etc/stenographer/certs
-		sudo chown -R stenographer:stenographer /etc/stenographer/certs
+		sudo chown -R root:root /etc/stenographer/certs
 	fi
 	if [ ! -f /etc/stenographer/config ]; then
 		sudo cp -vf configs/steno.conf /etc/stenographer/config
@@ -117,6 +117,12 @@ install_configs () {
 	fi
 }
 
+install_certs () {
+	cd $_scriptDir
+
+  sudo ./stenokeys.sh /etc/stenographer/certs stenographer stenographer
+}
+
 install_service () {
 	cd $_scriptDir
 
@@ -195,14 +201,15 @@ start_service () {
 }
 
 check_sudo
-stop_processes
 install_packages
 install_golang
+build_stenographer
+build_stenotype
 install_jq
 add_accounts
 install_configs
+install_certs
 install_service
-build_stenographer
-build_stenotype
 install_stenoread
+stop_processes
 start_service

install_el7.sh

@@ -66,9 +66,15 @@ popd
 
 Info "Setting up output directory"
 OUTDIR="$(mktemp -d $BASEDIR/steno.XXXXXXXXXX)"
+/bin/chmod g+rx "$OUTDIR"
 Info "Writing output to directory '$OUTDIR'"
 
 mkdir $OUTDIR/{pkt,idx,certs}
+Info "Setting up certs"
+CURR_USR="$(id -u -n)"
+CURR_GRP="$(id -g -n)"
+../stenokeys.sh $OUTDIR/certs $CURR_USR $CURR_GRP
+
 Info "Setting up $DUMMY interface"
 sudo /sbin/modprobe dummy
 sudo ip link add $DUMMY type dummy || Error "$DUMMY may already exist"
@@ -90,6 +96,7 @@ function CleanUp {
     fi
     Info "Deleting $DUMMY interface"
     Info "Removing $OUTDIR"
+    sudo find $OUTDIR -ls
     rm -rfv $OUTDIR
     sudo ifconfig $DUMMY down
     sudo ip link del dummy0