Merge pull request #1948 from stephenbradshaw/v1.5.x/master

moloch-- · web-flow · commit ca483cf4357c · 2025-05-20T09:24:32.000-05:00
Backport "restrict operator certificates to SHA256 to fix grpcio bugs" to V1.5.x/master
diff --git a/server/certs/ca.go b/server/certs/ca.go
@@ -60,7 +60,7 @@ func GenerateCertificateAuthority(caType string, commonName string) (*x509.Certi
 	certFilePath := filepath.Join(storageDir, fmt.Sprintf("%s-ca-cert.pem", caType))
 	if _, err := os.Stat(certFilePath); os.IsNotExist(err) {
 		certsLog.Infof("Generating certificate authority for '%s'", caType)
-		cert, key := GenerateECCCertificate(caType, commonName, true, false)
+		cert, key := GenerateECCCertificate(caType, commonName, true, false, false)
 		SaveCertificateAuthority(caType, cert, key)
 	}
 	cert, key, err := GetCertificateAuthority(caType)
diff --git a/server/certs/certs.go b/server/certs/certs.go
@@ -135,15 +135,21 @@ func RemoveCertificate(caType string, keyType string, commonName string) error {
 // GenerateECCCertificate - Generate a TLS certificate with the given parameters
 // We choose some reasonable defaults like Curve, Key Size, ValidFor, etc.
 // Returns two strings `cert` and `key` (PEM Encoded).
-func GenerateECCCertificate(caType string, commonName string, isCA bool, isClient bool) ([]byte, []byte) {
+func GenerateECCCertificate(caType string, commonName string, isCA bool, isClient bool, isOperator bool) ([]byte, []byte) {
 
 	certsLog.Infof("Generating TLS certificate (ECC) for '%s' ...", commonName)
 
 	var privateKey interface{}
 	var err error
 
 	// Generate private key
-	curves := []elliptic.Curve{elliptic.P521(), elliptic.P384(), elliptic.P256()}
+	var curves []elliptic.Curve
+	if isOperator {
+		curves = []elliptic.Curve{elliptic.P256()}
+	} else {
+		curves = []elliptic.Curve{elliptic.P521(), elliptic.P384(), elliptic.P256()}
+	}
+
 	curve := curves[randomInt(len(curves))]
 	privateKey, err = ecdsa.GenerateKey(curve, rand.Reader)
 	if err != nil {
diff --git a/server/certs/mtls.go b/server/certs/mtls.go
@@ -26,14 +26,14 @@ const (
 
 // MtlsC2ServerGenerateECCCertificate - Generate a server certificate signed with a given CA
 func MtlsC2ServerGenerateECCCertificate(host string) ([]byte, []byte, error) {
-	cert, key := GenerateECCCertificate(MtlsServerCA, host, false, false)
+	cert, key := GenerateECCCertificate(MtlsServerCA, host, false, false, false)
 	err := saveCertificate(MtlsServerCA, ECCKey, host, cert, key)
 	return cert, key, err
 }
 
 // MtlsC2ImplantGenerateECCCertificate - Generate a server certificate signed with a given CA
 func MtlsC2ImplantGenerateECCCertificate(name string) ([]byte, []byte, error) {
-	cert, key := GenerateECCCertificate(MtlsImplantCA, name, false, true)
+	cert, key := GenerateECCCertificate(MtlsImplantCA, name, false, true, false)
 	err := saveCertificate(MtlsImplantCA, ECCKey, name, cert, key)
 	return cert, key, err
 }
diff --git a/server/certs/operators.go b/server/certs/operators.go
@@ -37,7 +37,7 @@ const (
 
 // OperatorClientGenerateCertificate - Generate a certificate signed with a given CA
 func OperatorClientGenerateCertificate(operator string) ([]byte, []byte, error) {
-	cert, key := GenerateECCCertificate(OperatorCA, operator, false, true)
+	cert, key := GenerateECCCertificate(OperatorCA, operator, false, true, true)
 	err := saveCertificate(OperatorCA, ECCKey, fmt.Sprintf("%s.%s", clientNamespace, operator), cert, key)
 	return cert, key, err
 }
@@ -59,7 +59,7 @@ func OperatorServerGetCertificate(hostname string) ([]byte, []byte, error) {
 
 // OperatorServerGenerateCertificate - Generate a certificate signed with a given CA
 func OperatorServerGenerateCertificate(hostname string) ([]byte, []byte, error) {
-	cert, key := GenerateECCCertificate(OperatorCA, hostname, false, false)
+	cert, key := GenerateECCCertificate(OperatorCA, hostname, false, false, true)
 	err := saveCertificate(OperatorCA, ECCKey, fmt.Sprintf("%s.%s", serverNamespace, hostname), cert, key)
 	return cert, key, err
 }
diff --git a/server/console/console-admin_test.go b/server/console/console-admin_test.go
@@ -36,7 +36,7 @@ func TestRootOnlyVerifyCertificate(t *testing.T) {
 	}
 
 	// Test with wrong CA
-	wrongCert, _ := certs.GenerateECCCertificate(certs.HTTPSCA, "foobar", false, false)
+	wrongCert, _ := certs.GenerateECCCertificate(certs.HTTPSCA, "foobar", false, false, false)
 	block, _ = pem.Decode(wrongCert)
 	err = clienttransport.RootOnlyVerifyCertificate(config.CACertificate, [][]byte{block.Bytes})
 	if err == nil {

Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,7 @@ func GenerateCertificateAuthority(caType string, commonName string) (*x509.Certi`
`60`	`60`	`certFilePath := filepath.Join(storageDir, fmt.Sprintf("%s-ca-cert.pem", caType))`
`61`	`61`	`if _, err := os.Stat(certFilePath); os.IsNotExist(err) {`
`62`	`62`	`certsLog.Infof("Generating certificate authority for '%s'", caType)`
`63`		`- cert, key := GenerateECCCertificate(caType, commonName, true, false)`
	`63`	`+ cert, key := GenerateECCCertificate(caType, commonName, true, false, false)`
`64`	`64`	`SaveCertificateAuthority(caType, cert, key)`
`65`	`65`	`}`
`66`	`66`	`cert, key, err := GetCertificateAuthority(caType)`
Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ func TestRootOnlyVerifyCertificate(t *testing.T) {`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`// Test with wrong CA`
`39`		`- wrongCert, _ := certs.GenerateECCCertificate(certs.HTTPSCA, "foobar", false, false)`
	`39`	`+ wrongCert, _ := certs.GenerateECCCertificate(certs.HTTPSCA, "foobar", false, false, false)`
`40`	`40`	`block, _ = pem.Decode(wrongCert)`
`41`	`41`	`err = clienttransport.RootOnlyVerifyCertificate(config.CACertificate, [][]byte{block.Bytes})`
`42`	`42`	`if err == nil {`