Check CernVM image signing

Author: Andrew-McNab-UK

CHANGES

@@ -2,6 +2,8 @@
 - Use spaceDir not spaceName in cleanupJoboutputs()
 - machinetypes directories are now under /var/lib/vcycle/spaces/
 - Use common Vac Project vcycle.httpd.conf and specific vcycle.httpd.inc
+- cernvm_signing_dn option added, to check signatures of CernVM boot
+  images
 ==================== Changes in Vcycle version 0.7.0 =====================
 - Use machineoutputs -> joboutputs internally and in options
 ==================== Changes in Vcycle version 0.6.0 =====================

openstack_api.py

@@ -37,6 +37,7 @@
 import pprint
 
 import os
+import re
 import sys
 import stat
 import time
@@ -337,6 +338,16 @@ def getImageID(self, machinetypeName):
 
     vcycle.vacutils.logLine('Image "' + self.machinetypes[machinetypeName].root_image + '" not found in image service, so uploading')
 
+    if self.machinetypes[machinetypeName].cernvm_signing_dn:
+      cernvmDict = vac.vacutils.getCernvmImageData(self.machinetypes[machinetypeName]._imageFile)
+
+      if cernvmDict['verified'] == False:
+        raise OpenstackError('Failed to verify signature/cert for ' + self.machinetypes[machinetypeName].root_image)
+      elif re.search(self.machinetypes[machinetypeName].cernvm_signing_dn,  cernvmDict['dn']) is None:
+        raise OpenstackError('Signing DN ' + cernvmDict['dn'] + ' does not match cernvm_signing_dn = ' + self.machinetypes[machinetypeName].cernvm_signing_dn)
+      else:
+        vac.vacutils.logLine('Verified image signed by ' + cernvmDict['dn'])
+
     # Try to upload the image
     try:
       self.machinetypes[machinetypeName]._imageID = self.uploadImage(self.machinetypes[machinetypeName]._imageFile, imageName, imageLastModified)

shared.py

@@ -485,7 +485,12 @@ def __init__(self, spaceName, machinetypeName, parser, machinetypeSectionName):
       self.root_image = parser.get(machinetypeSectionName, 'root_image')
     except Exception as e:
       raise VcycleError('root_image is required in [' + machinetypeSectionName + '] (' + str(e) + ')')
-    
+
+    try:
+      self.cernvm_signing_dn = parser.get(machinetypeSectionName, 'cernvm_signing_dn').strip()
+    except:
+      self.cernvm_signing_dn = None
+
     try:
       self.flavor_name = parser.get(machinetypeSectionName, 'flavor_name')
     except Exception as e:
@@ -809,7 +814,7 @@ def httpRequest(self, url, request = None, headers = None, verbose = False, meth
       return { 'headers' : outputHeaders, 'response' : None, 'status' : self.curl.getinfo(pycurl.RESPONSE_CODE) }
 
   def publishStatus(self):
-    """Write out a GLUE2 JSON file describing this space's status"""
+    """Write out a GLUE 2.0 JSON file describing this space's status"""
 
     # This must only be run after the scanMachines method for this space!
 
@@ -877,9 +882,9 @@ def publishStatus(self):
         self.glue2['ExecutionEnvironment'] = executionEnvironments
 
     try:
-      vcycle.vacutils.createFile('/var/lib/vcycle/spaces/' + self.spaceName + '/glue2.json', json.dumps(self.glue2), 0644, '/var/lib/vcycle/tmp')
+      vcycle.vacutils.createFile('/var/lib/vcycle/spaces/' + self.spaceName + '/glue-2.0.json', json.dumps(self.glue2), 0644, '/var/lib/vcycle/tmp')
     except:
-      vcycle.vacutils.logLine('Failed writing GLUE2 JSON to /var/lib/vcycle/spaces/' + self.spaceName + '/glue2.json')
+      vcycle.vacutils.logLine('Failed writing GLUE 2.0 JSON to /var/lib/vcycle/spaces/' + self.spaceName + '/glue-2.0.json')
 
   def _deleteOneMachine(self, machineName):
 
@@ -1060,7 +1065,7 @@ def _createMachine(self, machinetypeName):
     try:
       userDataContents = vcycle.vacutils.createUserData(shutdownTime       = int(time.time() +
                                                                               self.machinetypes[machinetypeName].max_wallclock_seconds),
-                                                        machinetypePath    = '/var/lib/vcycle/spaces/' + self.spaceName + '/machinetypes/' + machinetypeName + '/files',
+                                                        machinetypesPath   = '/var/lib/vcycle/spaces/' + self.spaceName + '/machinetypes/' + machinetypeName + '/files',
                                                         options            = self.machinetypes[machinetypeName].options,
                                                         versionString      = 'Vcycle ' + vcycleVersion,
                                                         spaceName          = self.spaceName,

vacutils.py

@@ -41,14 +41,16 @@
 import sys
 import stat
 import time
+import json
 import ctypes
 import string
 import urllib
 import StringIO
 import tempfile
 import calendar
-
+import hashlib
 import pycurl
+import base64
 import M2Crypto
 
 def logLine(text):
@@ -88,7 +90,7 @@ def secondsToHHMMSS(seconds):
    mm, ss = divmod(ss, 60)
    return '%02d:%02d:%02d' % (hh, mm, ss)
 
-def createUserData(shutdownTime, machinetypePath, options, versionString, spaceName, machinetypeName, userDataPath, hostName, uuidStr, 
+def createUserData(shutdownTime, machinetypesPath, options, versionString, spaceName, machinetypeName, userDataPath, hostName, uuidStr, 
                    machinefeaturesURL = None, jobfeaturesURL = None, joboutputsURL = None):
 
    # Get raw user_data template file, either from network ...
@@ -121,7 +123,7 @@ def createUserData(shutdownTime, machinetypePath, options, versionString, spaceN
      if userDataPath[0] == '/':
        userDataFile = userDataPath
      else:
-       userDataFile = machinetypePath + '/' + userDataPath
+       userDataFile = machinetypesPath + '/' + machinetypeName + '/' + userDataPath
 
      try:
        u = open(userDataFile, 'r')
@@ -161,12 +163,12 @@ def createUserData(shutdownTime, machinetypePath, options, versionString, spaceN
      if options['user_data_proxy_cert'][0] == '/':
        certPath = options['user_data_proxy_cert']
      else:
-       certPath = machinetypePath + '/' + options['user_data_proxy_cert']
+       certPath = machinetypesPath + '/' + machinetypeName + '/' + options['user_data_proxy_cert']
 
      if options['user_data_proxy_key'][0] == '/':
        keyPath = options['user_data_proxy_key']
      else:
-       keyPath = machinetypePath + '/' + options['user_data_proxy_key']
+       keyPath = machinetypesPath + '/' + machinetypeName + '/' + options['user_data_proxy_key']
 
      try:
        if ('legacy_proxy' in options) and options['legacy_proxy']:
@@ -187,7 +189,7 @@ def createUserData(shutdownTime, machinetypePath, options, versionString, spaceN
            if oneValue[0] == '/':
              f = open(oneValue, 'r')
            else:
-             f = open(machinetypePath + '/' + oneValue, 'r')
+             f = open(machinetypesPath + '/' + machinetypeName + '/' + oneValue, 'r')
 
            userDataContents = userDataContents.replace('##' + oneOption + '##', f.read())
            f.close()
@@ -306,6 +308,96 @@ def makeX509Proxy(certPath, keyPath, expirationTime, isLegacyProxy=False):
 
    return proxyString 
 
+def getCernvmImageData(fileName):
+
+   data = { 'verified' : False, 'dn' : None }
+
+   try:
+     length = os.stat(fileName).st_size
+   except Exception as e:
+     logLine('Failed to get CernVM image size (' + str(e) + ')')     
+     return data
+   
+   if length <= 65536:
+     logLine('CernVM image only ' + str(length) + ' bytes long: must be more than 65536')
+     return data
+
+   try:
+     f = open(fileName, 'r')
+   except Exception as e:
+     logLine('Failed to open CernVM image (' + str(e) + ')')
+     return data
+
+   try:
+     f.seek(-64 * 1024, os.SEEK_END)
+     metadataBlock = f.read(32 * 1024).rstrip("\x00")
+     # Quick hack until the metadata section is fixed in the CernVM images (extra comma)
+     metadataBlock = metadataBlock.replace('HEAD",\n', 'HEAD"\n')
+     metadataDict  = json.loads(metadataBlock)
+
+     if 'ucernvm-version' in metadataDict:
+       data['version'] = metadataDict['ucernvm-version']
+   except Exception as e:
+     logLine('Failed to load Metadata Block JSON from CernVM image (' + str(e) + ')')
+
+   try:
+     f.seek(-32 * 1024, os.SEEK_END)
+     signatureBlock = f.read(32 * 1024).rstrip("\x00")
+     # Quick hack until the howto-verify section is fixed in the CernVM images (missing commas)
+     signatureBlock = signatureBlock.replace('signature>"\n', 'signature>",\n').replace('cvm-sign01.cern.ch"\n', 'cvm-sign01.cern.ch",\n')
+     signatureDict  = json.loads(signatureBlock)
+   except Exception as e:
+     logLine('Failed to load Signature Block JSON from CernVM image (' + str(e) + ')')
+     return data
+
+   try:
+     f.seek(0, os.SEEK_SET)
+     digestableImage = f.read(length - 32 * 1024)
+     hash = hashlib.sha256(digestableImage)
+     digest = hash.digest()
+   except Exception as e:
+     logLine('Failed to make digest of CernVM image (' + str(e) + ')')
+     return data
+
+   try:
+     certificate = base64.b64decode(signatureDict['certificate'])
+     x509 = M2Crypto.X509.load_cert_string(certificate)
+     rsaPubkey = x509.get_pubkey().get_rsa()
+   except Exception as e:
+     logLine('Failed to get X.509 certificate and RSA public key (' + str(e) + ')')
+     return data
+
+   try:
+     signature = base64.b64decode(signatureDict['signature'])
+   except:
+     logLine('Failed to get signature from CernVM Signature Block')
+     return data
+
+   if not rsaPubkey.verify(digest, signature, 'sha256'):
+     logLine('Certificate and calculated hash do not match given signature')
+     return data
+
+   try:
+     # This isn't provided by M2Crypto, so we use openssl command
+     p = os.popen('/usr/bin/openssl verify -CApath /etc/grid-security/certificates >/dev/null', 'w')
+     p.write(certificate)
+
+     if p.close() is None:
+       try:
+         dn = str(x509.get_subject())
+       except Exception as e:
+         logLine('Failed to get X.509 Subject DN (' + str(e) + ')')
+         return data
+       else:
+         data['verified'] = True
+         data['dn']       = dn
+         
+   except Exception as e:
+     logLine('Failed to run /usr/bin/openssl verify command (' + str(e) + ')')
+     return data
+   
+   return data
+
 def getRemoteRootImage(url, imageCache, tmpDir):
 
    try:

vcycle.conf.5

@@ -223,6 +223,17 @@ Alternatively, the images may be files in the local filesystem. If
 root_image ends in .iso , then the image will be declared as ISO format
 (a CD-ROM image), otherwise as a raw HDD image.
 
+.B cernvm_signing_dn
+is used to specify a regular expression to match the DN of an X.509
+certificate used to verify the authenticity of the root image. Vcycle
+attempts to obtain the certificate and signature from a CernVM Signature
+Block at the end of the image file, verifies the
+certificate using the CA files in /etc/grid-security/certificates, and
+compares the certificate DN to cernvm_signing_dn. If this option is
+given, all these verification steps must be satisified for the image
+to be used. As of 2015, CernVM images are signed with a DN matching
+the regular expression /CN=cvm-sign01\\.cern\\.ch$
+
 .B root_public_key
 is the file name of a public key which Vcycle will set up on the IaaS
 system and supply to the VMs to allow root ssh access. Setting this 

vcycle.spec

@@ -9,7 +9,7 @@ Source: vcycle.tgz
 URL: http://www.gridpp.ac.uk/vac/
 Vendor: GridPP
 Packager: Andrew McNab <[email protected]>
-Requires: httpd,mod_ssl,python-pycurl,m2crypto,python-requests
+Requires: httpd,mod_ssl,python-pycurl,m2crypto,python-requests,openssl
 
 %description
 VM lifecycle manager daemon for OpenStack etc