authorDirk Mueller <dirk@dmllr.de>2013-07-09 21:20:27 +0200
committerDirk Mueller <dirk@dmllr.de>2013-08-07 16:08:05 +0200
commit837b26084dfbf87ac394fc34fad2cb7c8bfbc117 (patch)
tree50b91b12b9400ecb2f5f2ba087d9268e051a00e2 /keystone/common
parentdb9535cfb46db4a4f3a7fdb565ea9be4db2a9ef6 (diff)
Make pki_setup work with OpenSSL 0.9.x
Support for "default" in default_md was only added in "recent" OpenSSL versions. Use sha1 (which is what "default" maps to anyway) for older OpenSSL versions. Also sync the generated openssl config file with the defaults from OpenSSL 1.0 and newer. Fixes: LP Bug #1209249 Change-Id: I4ba79dbfdfc2df81cfb0f1edde23d3fbc1384637
Diffstat (limited to 'keystone/common')
-rw-r--r--keystone/common/openssl.py36
1 files changed, 24 insertions, 12 deletions
diff --git a/keystone/common/openssl.py b/keystone/common/openssl.py
index fa09e37c..90484505 100644
--- a/keystone/common/openssl.py
+++ b/keystone/common/openssl.py
@@ -51,6 +51,7 @@ class BaseCertificateConfigure(object):
self.request_file_name = os.path.join(self.conf_dir, "req.pem")
self.ssl_dictionary = {'conf_dir': self.conf_dir,
'ca_cert': conf_obj.ca_certs,
+ 'default_md': 'default',
'ssl_config': self.ssl_config_file_name,
'ca_private_key': conf_obj.ca_key,
'request_file': self.request_file_name,
@@ -60,6 +61,17 @@ class BaseCertificateConfigure(object):
'valid_days': int(conf_obj.valid_days),
'cert_subject': conf_obj.cert_subject,
'ca_password': conf_obj.ca_password}
+
+ try:
+ # OpenSSL 1.0 and newer support default_md = default, olders do not
+ openssl_ver = environment.subprocess.Popen(
+ ['openssl', 'version'],
+ stdout=environment.subprocess.PIPE).stdout.read()
+ if "OpenSSL 0." in openssl_ver:
+ self.ssl_dictionary['default_md'] = 'sha1'
+ except OSError:
+ LOG.warn('Failed to invoke ``openssl version``, '
+ 'assuming is v1.0 or newer')
self.ssl_dictionary.update(kwargs)
def _make_dirs(self, file_name):
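Review bot: The child started by `Popen` on the new `openssl_ver` lines is never waited on, so stdout is read once and the process is left unreaped; reading through `communicate()` both drains the pipe and reaps it: `proc = environment.subprocess.Popen(['openssl', 'version'], stdout=environment.subprocess.PIPE)` followed by `openssl_ver = proc.communicate()[0]`. The substring test `"OpenSSL 0." in openssl_ver` assumes `read()` returns `str`, which holds on Python 2, but on Python 3 the pipe yields `bytes` and the test raises `TypeError`, which the `except OSError` does not catch, so decode the output if this module is ever run there. The warning text `assuming is v1.0 or newer` is missing a word; `assuming v1.0 or newer` reads as intended. The comment above the `try` could also record that the fallback signs certificates with SHA-1 on OpenSSL 0.9.x, so the weaker digest is a documented choice rather than an accident. The enclosing `__init__` begins before this hunk.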
@@ -198,7 +210,7 @@ new_certs_dir = $dir
serial = $dir/serial
database = $dir/index.txt
default_days = 365
-default_md = default # use public key default MD
+default_md = %(default_md)s
preserve = no
email_in_dn = no
nameopt = default_ca
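Review bot: The new `default_md = %(default_md)s` line drops the `# use public key default MD` explanation, so a reader of the generated config no longer learns which values to expect or why the digest is templated; a trailing comment such as `default_md = %(default_md)s # 'default' (public-key digest) on OpenSSL 1.0+, 'sha1' on 0.9.x` keeps that visible. OpenSSL config syntax accepts `#` comments, as the surrounding template already relies on, and the `%` formatting is unaffected by it. The template string this hunk edits opens before the hunk.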
@@ -218,35 +230,35 @@ emailAddress = optional
[ req ]
default_bits = 2048 # Size of keys
default_keyfile = key.pem # name of generated keys
-default_md = default # message digest algorithm
-string_mask = nombstr # permitted characters
+string_mask = utf8only # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
+x509_extensions = v3_ca
[ req_distinguished_name ]
-0.organizationName = Organization Name (company)
-organizationalUnitName = Organizational Unit Name (department, division)
-emailAddress = Email Address
-emailAddress_max = 40
-localityName = Locality Name (city, district)
-stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
+stateOrProvinceName = State or Province Name (full name)
+localityName = Locality Name (city, district)
+0.organizationName = Organization Name (company)
+organizationalUnitName = Organizational Unit Name (department, division)
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
+emailAddress = Email Address
+emailAddress_max = 64
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer:always
+authorityKeyIdentifier = keyid:always,issuer
[ v3_req ]
basicConstraints = CA:FALSE
-subjectKeyIdentifier = hash
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer:always
+authorityKeyIdentifier = keyid:always
"""
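Review bot: Removing `default_md = default` from `[ req ]` leaves the request section with no digest setting, so the CSR self-signature falls back to whatever the installed OpenSSL build uses and no longer follows the templated value the `[ ca ]` section now carries; keeping `default_md = %(default_md)s` in `[ req ]` keeps the two sections consistent and makes the OpenSSL 0.9.x fallback apply to requests as well. The added `x509_extensions = v3_ca` line gives a self-signed request `CA:TRUE`, which is the intent for the CA certificate, but since the same `[ req ]` section is presumably used for the signing-key request too, a trailing comment such as `# used only by req -x509 (self-signed CA cert)` would make clear that ordinary CSRs are not affected. The template string this hunk edits opens before the hunk.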