Class: MCollective::Security::Aes

Impliments a security system that encrypts payloads using AES and secures the AES encrypted data using RSA public/private key encryption.

The design goals of this plugin are:

Each actor - clients and servers - can have their own set of public and private keys
All actors are uniquely and cryptographically identified
Requests are encrypted using the clients private key and anyone that has the public key can see the request. Thus an atacker may see the requests given access to network or machine due to the broadcast nature of mcollective
The message time and TTL of messages are cryptographically secured making the ensuring messages can not be replayed with fake TTLs or times
Replies are encrypted using the calling clients public key. Thus no-one but the caller can view the contents of replies.
Servers can all have their own RSA keys, or share one, or reuse keys created by other PKI using software like Puppet
Requests from servers - like registration data - can be secured even to external eaves droppers depending on the level of configuration you are prepared to do
Given a network where you can ensure third parties are not able to access the middleware public key distribution can happen automatically

Configuration Options:

================

Common Options:

   # Enable this plugin
   securityprovider = aes_security

   # Use YAML as serializer
   plugin.aes.serializer = yaml

   # Send our public key with every request so servers can learn it
   plugin.aes.send_pubkey = 1

Clients:

   # The clients public and private keys
   plugin.aes.client_private = /home/user/.mcollective.d/user-private.pem
   plugin.aes.client_public = /home/user/.mcollective.d/user.pem

Servers:

   # Where to cache client keys or find manually distributed ones
   plugin.aes.client_cert_dir = /etc/mcollective/ssl/clients

   # Cache public keys promiscuously from the network (this requires either a ca_cert to be set
     or insecure_learning to be enabled)
   plugin.aes.learn_pubkeys = 1

   # Do not check if client certificate can be verified by a CA
   plugin.aes.insecure_learning = 1

   # CA cert used to verify public keys when in learning mode
   plugin.aes.ca_cert = /etc/mcollective/ssl/ca.cert

   # Log but accept messages that may have been tampered with
   plugin.aes.enforce_ttl = 0

   # The servers public and private keys
   plugin.aes.server_private = /etc/mcollective/ssl/server-private.pem
   plugin.aes.server_public = /etc/mcollective/ssl/server-public.pem

Methods

callerid certname_from_callerid certname_from_certificate client_cert_dir client_private_key client_public_key decodemsg decrypt deserialize encodereply encoderequest encrypt public_key_path_for_client request_description serialize server_private_key server_public_key update_secure_property validate_certificate

Public Instance methods

callerid()

sets the caller id to the md5 of the public key

certname_from_callerid(id)

Takes our cert=foo callerids and return the foo bit else nil

certname_from_certificate(cert)

client_cert_dir()

Figures out where to get client public certs from the plugin.aes.client_cert_dir config option

client_private_key()

Figures out the client private key either from MCOLLECTIVE_AES_PRIVATE or the plugin.aes.client_private config option

client_public_key()

Figures out the client public key either from MCOLLECTIVE_AES_PUBLIC or the plugin.aes.client_public config option

decodemsg(msg)

decrypt(string, certid)

deserialize(msg)

De-Serializes a message using the configured encoder

encodereply(sender, msg, requestid, requestcallerid)

Encodes a reply

encoderequest(sender, msg, requestid, filter, target_agent, target_collective, ttl=60)

Encodes a request msg

encrypt(string, certid)

public_key_path_for_client(clientid)

On servers this will look in the aes.client_cert_dir for public keys matching the clientid, clientid is expected to be in the format set by callerid

request_description(msg)

serialize(msg)

Serializes a message using the configured encoder

server_private_key()

Figures out the server private key from the plugin.aes.server_private config option

server_public_key()

Figures out the server public key from the plugin.aes.server_public config option

update_secure_property(msg, secure_property, property, description)

To avoid tampering we turn the origin body into a hash and copy some of the protocol keys like :ttl and :msg_time into the hash before encrypting it.

This function compares and updates the unencrypted ones based on the encrypted ones. By default it enforces matching and presense by raising exceptions, if aes.enforce_ttl is set to 0 it will only log warnings about violations

validate_certificate(client_cert, certid)