Closed
Bug 819053
Opened 12 years ago
Closed 12 years ago
Create public certificate for signing apps on prod.
Categories
(Cloud Services :: Operations: Marketplace, task, P1)
Tracking
(blocking-b2g:-)
RESOLVED FIXED
People
(Reporter: robhudson, Assigned: jstevensen)
Whiteboard: [temp cert verified][waiting on instructions for hsm generated cert]
Attachments
(2 files, 2 obsolete files)
+++ This bug was initially created as a clone of Bug #793876 +++
We need to create the real, public certificate for signing apps on -prod.
Comment 1•12 years ago
This is important. We have daily meetings about progress on this topic so please give me an ETA and a responsible party I can bug. Thanks. :)
Updated•12 years ago
|
Assignee: server-ops-amo → jthomas
Comment 2•12 years ago
CC'ing security to make sure that the cert creation steps in Bug #793876 gets r+ and any other recommendations or issues.
Updated•12 years ago
Blocks: packaged-apps
Updated•12 years ago
Flags: needinfo?(gdestuynder)
Comment 3•12 years ago
Why aren't we using the marketplace HSMs for these certs?
Comment 4•12 years ago
Joe: We are. But we need someone with access to the marketplace HSMs to actually do the cert generation.
Flags: needinfo?(jstevensen)
Comment 5•12 years ago
We need a way to generate the required cert/key pair using the HSM. The current script we use to generate for receipt signing gives us the cert in jwk and jwt format which does not work with app signing [1]. We would need them to be in x.509 format. I believe the key is generated in x.509 format.
Any insight on how to generate the cert in the required format with the HSM would be great.
[1] https://mana.mozilla.org/wiki/display/websites/Addons+signer#Addonssigner-Generatenewsigningkey
Comment 6•12 years ago
Here is temp cert. @bsmith can you verify?
Comment 7•12 years ago
(In reply to Jason Thomas [:jason] from comment #6)
> Here is temp cert. @bsmith can you verify?
Please attach a packaged app signed with this cert.
Comment 8•12 years ago
(In reply to Brian Smith (:bsmith) from comment #7)
> (In reply to Jason Thomas [:jason] from comment #6)
> > Here is temp cert. @bsmith can you verify?
>
> Please attach a packaged app signed with this cert.
Would someone be able to provide me with instructions or assist me with this?
Flags: needinfo?(jstevensen)
Flags: needinfo?(gdestuynder)
Comment 9•12 years ago
Comment 10•12 years ago
Updated•12 years ago
Attachment #694002 -
Attachment is obsolete: true
Comment 11•12 years ago
(In reply to krupa raj 82[:krupa] from comment #10)
> Created attachment 694112 [details]
> signed packaged app for verification
I verified that I am able to use the root certificate above to validate this app.
Updated•12 years ago
Status: NEW → ASSIGNED
Whiteboard: [temp cert verified][waiting on instructions for hsm generated cert]
Updated•12 years ago
Priority: P1 → P3
Updated•12 years ago
No longer blocks: packaged-apps
Comment 12•12 years ago
This bug blocks bug 822944, which is tef+. Changing priority to P1 as this is needed to resolve this on-device bug.
blocking-b2g: --- → tef+
Priority: P3 → P1
Comment 13•12 years ago
Clarifying that we are indeed blocked on bug 769729 (actually doing the HSM-based initial key gen which requires a physical, in-person key ceremony). Will update with an ETA shortly.
Comment 14•12 years ago
So we have a temp cert here (comment #6)? Is that usable while we wait on the HSM-generated cert?
Comment 15•12 years ago
Can we get a status update here?
Updated•12 years ago
Flags: needinfo?(rtilder)
Updated•12 years ago
Flags: needinfo?(jstevensen)
Comment 16•12 years ago
We need to regenerate the certs, but per bug 769729 since we shipped the HSM machines to PHX for final production installation we're waiting for them to be physically re-installed before we can do the re-generation "ceremony". That work is underway (captured in the dep tree), ETA is Tuesday, Feb 12th.
Flags: needinfo?(rtilder)
Flags: needinfo?(jstevensen)
Comment 17•12 years ago
Before we commit to any ETAs or deadlines, I want to make sure we (OpSec) have all of the relevant information for the certs.
Updated•12 years ago
Flags: needinfo?(rtilder)
Flags: needinfo?(mmayo)
Current generation scripts for CA, CSRs, and CSR signing (as well as Security World operations) are located here:
https://mana.mozilla.org/wiki/download/attachments/26416648/hsm_scripts-marketplace.tar.gz.gpg?version=1&modificationDate=1360623470254&api=v2
These are signed by the OpSec key and are the scripts to be used to regenerate the CA and CSRs for the final generation. Thus those are the ones to check.
They're basically the same as the test ones, except for removing "test" in the CNs and using SHA384 instead of SHA512 (per bsmith request).
Comment 19•12 years ago
Guillaume's scripts and configs look correct but for one thing. First the correct items:
- 2048 bit RSA keys
- SHA-384 as the default digest algorithm for certificates
- 10 years for the root CA certificate
- 5 years for the signing certificate
- code signing EKU for the code signing certificate requests and certification
- CN entries are as discussed in prior email thread
There is one thing that may need correction to make sure we don't inadvertently shoot ourselves in the foot at some point months or years from now. The root CA certificate should have the code signing EKU added as critical. That way if/when Gecko is modified to verify that an entire certificate chain has a given key usage application verification won't suddenly stop working.
Flags: needinfo?(rtilder)
This is the 2nd revision: https://mana.mozilla.org/wiki/download/attachments/26416648/hsm_scripts-marketplace-2.tar.gz.gpg?version=1&modificationDate=1360627052958&api=v2
Changes:
Added extendedKeyUsage=critical,codeSigning to [v3_ca_moz] in certs/ca/openssl.cnf
Changed policy to allow the use of the EKU in the CA. Note: this differs from commonly accepted SSL CA policies (as this is not to be used for a SSL CA, this may be ok).
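Added example, not the OpSec scripts linked above: a shell script that builds a throwaway root CA and app-signing cert with the parameters listed in comment 19 and the critical codeSigning EKU added to [v3_ca_moz] in the 2nd revision, then checks the resulting chain the way a verifier that inspects the EKU on every link would. The [req], [dn] and [v3_signer] section names, the CNs and the file paths are assumptions for this example; only [v3_ca_moz] comes from the bug.

```shell
#!/bin/sh
# Added example (not the OpSec scripts from the bug): build a throwaway
# root CA plus app-signing cert with the parameters from comments 19 and
# 20, then check the chain the way a strict verifier would. Needs openssl.
set -e
WORK=$(mktemp -d)
# [v3_ca_moz] is the section named in the bug; [req], [dn], [v3_signer]
# and the CNs are assumptions made for this example.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Marketplace Root CA
[v3_ca_moz]
basicConstraints = critical,CA:TRUE
extendedKeyUsage = critical,codeSigning
[v3_signer]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = critical,codeSigning
EOF
# Root CA: 2048-bit RSA, SHA-384, 10 years, critical codeSigning EKU.
openssl req -x509 -newkey rsa:2048 -nodes -sha384 -days 3650 \
  -config "$WORK/openssl.cnf" -extensions v3_ca_moz \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
# Signing cert: CSR issued by the root, SHA-384, 5 years, codeSigning EKU.
openssl req -new -newkey rsa:2048 -nodes -sha384 -config "$WORK/openssl.cnf" \
  -subj "/CN=Example Marketplace App Signer" \
  -keyout "$WORK/signer.key" -out "$WORK/signer.csr" 2>/dev/null
openssl x509 -req -in "$WORK/signer.csr" -CA "$WORK/root.pem" \
  -CAkey "$WORK/root.key" -CAcreateserial -sha384 -days 1825 \
  -extfile "$WORK/openssl.cnf" -extensions v3_signer \
  -out "$WORK/signer.pem" 2>/dev/null
# 0 only if every cert given carries a critical EKU that includes Code
# Signing, so a verifier that checks EKU on every link still accepts it.
chain_has_critical_codesigning_eku() {
  for cert in "$@"; do
    openssl x509 -in "$cert" -noout -text \
      | grep -A1 'X509v3 Extended Key Usage: critical' \
      | grep -q 'Code Signing' || return 1
  done
}
# 0 only if every cert given is a 2048-bit RSA key signed with SHA-384.
chain_matches_key_spec() {
  for cert in "$@"; do
    openssl x509 -in "$cert" -noout -text | grep -q 'sha384WithRSAEncryption' || return 1
    openssl x509 -in "$cert" -noout -text | grep -q 'Public-Key: (2048 bit)' || return 1
  done
}
chain_has_critical_codesigning_eku "$WORK/root.pem" "$WORK/signer.pem" && chain_matches_key_spec "$WORK/root.pem" "$WORK/signer.pem" && echo "chain matches spec"
```

Dropping `critical,` from the [v3_ca_moz] line makes the first check fail, which is exactly the foot-gun comment 19 warns about.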
Comment 21•12 years ago
Key Signing Ceremony tomorrow in Mountain View (THANK YOU JOE!!)
After discussion with rtilder, reassigning this bug to Joe and new bug comin' up for Jason to deploy certs to appropriate servers.
Assignee: jthomas → jstevensen
The key ceremony is completed, we have generated a new root ca as per comment 20 scripts.
Please verify and use the attached certificates if confirmed valid.
Thanks!
Flags: needinfo?(rtilder)
Comment 23•12 years ago
The generated certificates do appear to conform to the specs laid out in earlier comments.
Flags: needinfo?(rtilder)
Comment 24•12 years ago
(In reply to Ryan Tilder [:rtilder] from comment #23)
> The generated certificates do appear to conform to the specs laid out in
> earlier comments.
Can you comment further about what needs to be done to correct this and how they don't conform? Sorry if you've already addressed the issues off-bugzilla.
Comment 25•12 years ago
Sorry, I read "do appear to conform" as "do not appear to conform". Ignore comment 24.
Flags: needinfo?(mmayo)
Comment 26•12 years ago
Joe S
Can we close this bug?
Comment 27•12 years ago
All done!
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•12 years ago
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 29•12 years ago
reopened - see comments in 840368
open questions in https://etherpad.mozilla.org/dLWLvIJr4o
Copy of the certificates, reports, and generation files from https://bugzilla.mozilla.org/show_bug.cgi?id=840368
Those are the final reviewers and production certificates.
Attachment #713150 -
Attachment is obsolete: true
See bug 840368 for more information, as most of the work has been done there.
Certs have been reviewed and tested for app signing, and parameters were agreed upon in the aforementioned bug 840368 and bug 845642.
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Resolution: --- → FIXED
Updated•10 years ago
Component: Server Operations: AMO Operations → Operations: Marketplace
Product: mozilla.org → Mozilla Services