From 5bfef1a17cc2fd7208a3ef95a046a3820561b102 Mon Sep 17 00:00:00 2001
From: Mark Chappell
Date: Wed, 4 Nov 2015 12:18:22 +0100
Subject: Output the SSL Certificate and Key modulus Provides a simple mechanism to verify the correct certificates landed. A quick and simple way to verify SSL certificates were generated for a given key is by comparing the modulus of the two. By outputing the key modulus and certificate modulus we offer a way to verify that the right cert and key have been deployed without compromising any of the secrets.
Change-Id: I882c9840719a09795ba8057a19b0b3985e036c3c
---
 puppet/extraconfig/tls/no-tls.yaml | 6 ++++++
 puppet/extraconfig/tls/tls-cert-inject.yaml | 14 ++++++++++++++
 2 files changed, 20 insertions(+)
(limited to 'puppet/extraconfig')
diff --git a/puppet/extraconfig/tls/no-tls.yaml b/puppet/extraconfig/tls/no-tls.yaml
index d2dfdfa4..2da209cb 100644
--- a/puppet/extraconfig/tls/no-tls.yaml
+++ b/puppet/extraconfig/tls/no-tls.yaml
@@ -26,3 +26,9 @@ outputs:
 value: 'TLS not enabled.'
 deployed_ssl_certificate_path:
 value: ''
+ key_modulus_md5:
+ description: Key SSL Modulus
+ value: ''
+ cert_modulus_md5:
+ description: Certificate SSL Modulus
+ value: ''
diff --git a/puppet/extraconfig/tls/tls-cert-inject.yaml b/puppet/extraconfig/tls/tls-cert-inject.yaml
index b4564fc7..739a51ad 100644
--- a/puppet/extraconfig/tls/tls-cert-inject.yaml
+++ b/puppet/extraconfig/tls/tls-cert-inject.yaml
@@ -49,6 +49,8 @@ resources:
 - name: cert_chain_content
 outputs:
 - name: chain_md5sum
+ - name: cert_modulus
+ - name: key_modulus
 config: |
 #!/bin/sh
 cat << EOF | tee ${cert_path} > /dev/null
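Review bot: In no-tls.yaml both new outputs are the empty string, so a consumer that only tests `key_modulus_md5 == cert_modulus_md5` will see a match when TLS is disabled. The descriptions should say that an empty value means no certificate was deployed. They also read `Key SSL Modulus` and `Certificate SSL Modulus`, while tls-cert-inject.yaml describes the same outputs as MD5 checksums. I would use `description: MD5 checksum of the Key SSL Modulus (empty when TLS is not enabled)` and the matching text for the certificate output.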
@@ -57,6 +59,12 @@ resources:
 chmod 0440 ${cert_path}
 chown root:haproxy ${cert_path}
 md5sum ${cert_path} > ${heat_outputs_path}.chain_md5sum
+ openssl x509 -noout -modulus -in ${cert_path} \
+ | openssl md5 | cut -c 10- \
+ > ${heat_outputs_path}.cert_modulus
+ openssl rsa -noout -modulus -in ${cert_path} \
+ | openssl md5 | cut -c 10- \
+ > ${heat_outputs_path}.key_modulus

 ControllerTLSDeployment:
 type: OS::Heat::SoftwareDeployment
@@ -79,3 +87,9 @@ outputs:
 deployed_ssl_certificate_path:
 description: The location that the TLS certificate was deployed to.
 value: {get_param: DeployedSSLCertificatePath}
+ key_modulus_md5:
+ description: MD5 checksum of the Key SSL Modulus
+ value: {get_attr: [ControllerTLSDeployment, key_modulus]}
+ cert_modulus_md5:
+ description: MD5 checksum of the Certificate SSL Modulus
+ value: {get_attr: [ControllerTLSDeployment, cert_modulus]}
-- 
cgit 1.2.3-korg
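Review bot: Nothing in the two added `openssl … | openssl md5 | cut -c 10-` pipelines checks that a modulus was actually read, so when both `openssl` calls fail (for example an empty or unreadable `${cert_path}`) each file receives the digest of empty input and the two outputs compare equal. That is a false match in the very check this commit introduces; a key type that `openssl rsa` rejects would presumably fail just as silently. `cut -c 10-` also relies on the exact prefix that `openssl md5` prints for stdin, which I would not expect to be stable across OpenSSL versions, whereas `md5sum` is already used on the line above. I would capture each modulus first, fail the deployment if it cannot be read, and only then hash it, as sketched below. The `config` script begins outside this hunk.

```yaml
config: |
  #!/bin/sh
  # … unchanged: write ${cert_path}, chmod/chown, chain_md5sum …
  cert_mod=$(openssl x509 -noout -modulus -in ${cert_path}) || exit 1
  key_mod=$(openssl rsa -noout -modulus -in ${cert_path}) || exit 1
  [ -n "$cert_mod" ] && [ -n "$key_mod" ] || exit 1
  printf '%s\n' "$cert_mod" | md5sum | cut -d' ' -f1 \
    > ${heat_outputs_path}.cert_modulus
  printf '%s\n' "$key_mod" | md5sum | cut -d' ' -f1 \
    > ${heat_outputs_path}.key_modulus
```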