fix: cert gen

Author: stephane-segning

Cargo.lock

@@ -49,7 +49,7 @@ incremental = false
 strip = true
 
 [workspace.package]
-version = "0.2.23-rc.3"
+version = "0.2.23-rc.4"
 edition = "2024"
 license = "MIT"
 publish = false

Cargo.toml

@@ -10,19 +10,50 @@ use crate::services::save_to_file::save_cert_and_key;
 use crate::services::set_name::set_name;
 use crate::services::stop_agent::stop_agent;
 use crate::services::submit_csr::submit_csr;
+use crate::shared::cli::Opt;
 
 #[derive(Debug, Clone)]
 pub struct FlowParams {
-    pub issuer: String,
-    pub audience_csv: String,
-    pub client_id: String,
-    pub client_secret: Option<String>,
-    pub endpoint: String,
-    pub is_service_account: bool,
-    pub cert_path: String,
-    pub ca_cert_path: String,
-    pub key_path: String,
-    pub agent_control: bool,
+    issuer: String,
+    audience_csv: String,
+    client_id: String,
+    client_secret: Option<String>,
+    endpoint: String,
+    is_service_account: bool,
+    cert_path: String,
+    ca_cert_path: String,
+    key_path: String,
+    agent_control: bool,
+}
+
+impl From<Opt> for FlowParams {
+    fn from(value: Opt) -> Self {
+        match value {
+            Opt::OAuth2 {
+                issuer,
+                audience,
+                client_id,
+                client_secret,
+                endpoint,
+                is_service_account,
+                cert_path,
+                ca_cert_path,
+                key_path,
+                agent_control,
+            } => Self {
+                issuer,
+                audience_csv: audience,
+                client_id,
+                client_secret,
+                endpoint,
+                is_service_account,
+                cert_path,
+                key_path,
+                agent_control,
+                ca_cert_path,
+            },
+        }
+    }
 }
 
 pub async fn run_oauth2_flow(params: &FlowParams) -> AppResult<()> {

crates/wazuh-cert-oauth2-client/src/flow.rs

@@ -31,33 +31,14 @@ async fn main() {
 /// Orchestrates the CSR flow: stop agent, obtain token, validate claims,
 /// generate CSR and key, submit CSR, save cert+key, set agent name, restart agent.
 async fn app() -> AppResult<()> {
-    match Opt::try_parse()? {
-        Opt::OAuth2 {
-            issuer,
-            audience,
-            client_id,
-            client_secret,
-            endpoint,
-            is_service_account,
-            cert_path,
-            ca_cert_path,
-            key_path,
-            agent_control,
-        } => {
-            let params = FlowParams {
-                issuer,
-                audience_csv: audience,
-                client_id,
-                client_secret,
-                endpoint,
-                is_service_account,
-                cert_path,
-                key_path,
-                agent_control,
-                ca_cert_path,
-            };
-            run_oauth2_flow(&params).await
+    match Opt::try_parse() {
+        Ok(opt) => {
+            let params = FlowParams::from(opt);
+            run_oauth2_flow(&params).await?;
+
+            Ok(())
         }
+        _ => Ok(()),
     }
 }
 

crates/wazuh-cert-oauth2-client/src/main.rs

@@ -4,8 +4,10 @@ use clap::Parser;
 
 #[derive(Parser, Debug)]
 #[command(
+    version,
     name = "Wazuh Cert Auth CLI",
-    about = "Installs and configures Wazuh Certificate Authority"
+    about = "Wazuh Certificate Authority",
+    long_about = "Installs and configures Wazuh Certificate Authority"
 )]
 pub enum Opt {
     #[command(about = "Configure OAuth2 for Wazuh")]

crates/wazuh-cert-oauth2-client/src/shared/cli.rs

@@ -7,8 +7,11 @@ license.workspace = true
 authors.workspace = true
 
 [dependencies]
-tokio.workspace = true
 reqwest.workspace = true
 env_logger.workspace = true
 log.workspace = true
 clap.workspace = true
+
+[dependencies.tokio]
+workspace = true
+features = ["rt"]

crates/wazuh-cert-oauth2-healthcheck/Cargo.toml

@@ -65,41 +65,27 @@ pub(crate) fn append_client_eku(builder: &mut openssl::x509::X509Builder) -> App
     Ok(())
 }
 
-pub(crate) fn append_san_cn(
+pub(crate) fn append_san_cn_and_identity_uri(
     builder: &mut openssl::x509::X509Builder,
     ca_cert: &X509Ref,
     subject_cn: &str,
-) -> AppResult<()> {
-    let san = SubjectAlternativeName::new()
-        .dns(subject_cn)
-        .build(&builder.x509v3_context(Some(ca_cert), None))?;
-    builder.append_extension(san)?;
-    Ok(())
-}
-
-/// Add a SAN URI that binds the Keycloak issuer (realm) and subject together.
-/// Uses the form: "{iss}#sub={sub}", which remains a valid absolute URI while
-/// clearly associating the realm (from iss) with the subject identifier.
-pub(crate) fn append_san_identity_uri(
-    builder: &mut openssl::x509::X509Builder,
-    ca_cert: &X509Ref,
     issuer: &str,
     subject_sub: &str,
 ) -> AppResult<()> {
-    // Best-effort: ensure issuer parses as a URL; if not, still include a URN form
     let value = match Url::parse(issuer) {
         Ok(url) => {
-            // Reconstruct without params to avoid accidental leakage; keep path/host which include realm
             let mut base = String::new();
             base.push_str(url.as_str());
-            // Append the subject in a fragment to keep it within the URI
             format!("{}#sub={}", base.trim_end_matches('#'), subject_sub)
         }
         Err(_) => format!("urn:keycloak:sub:{}", subject_sub),
     };
+
     let san = SubjectAlternativeName::new()
+        .dns(subject_cn)
         .uri(&value)
         .build(&builder.x509v3_context(Some(ca_cert), None))?;
+
     builder.append_extension(san)?;
     Ok(())
 }

crates/wazuh-cert-oauth2-server/src/shared/certs/extensions.rs

@@ -9,8 +9,8 @@ use crate::models::ca_config::CaProvider;
 use crate::shared::ledger::Ledger;
 
 use super::{
-    append_client_eku, append_core_extensions, append_crl_dp, append_key_usage, append_san_cn,
-    append_san_identity_uri, enforce_key_policy, set_serial_number, set_subject_and_pubkey,
+    append_client_eku, append_core_extensions, append_crl_dp, append_key_usage,
+    append_san_cn_and_identity_uri, enforce_key_policy, set_serial_number, set_subject_and_pubkey,
     set_validity_1y, sign_builder,
 };
 
@@ -95,8 +95,7 @@ fn sign_csr_with_ca(
     append_crl_dp(&mut builder, ca_cert, crl_dist_url)?;
     append_key_usage(&mut builder, is_rsa)?;
     append_client_eku(&mut builder)?;
-    append_san_cn(&mut builder, ca_cert, subject_cn)?;
-    append_san_identity_uri(&mut builder, ca_cert, issuer, subject_cn)?;
+    append_san_cn_and_identity_uri(&mut builder, ca_cert, subject_cn, issuer, subject_cn)?;
     sign_builder(&mut builder, ca_key)?;
     Ok(builder.build())
 }

crates/wazuh-cert-oauth2-server/src/shared/certs/sign.rs

@@ -5,7 +5,7 @@ $ErrorActionPreference = "Stop"
 # Default log level and application details
 $LOG_LEVEL = if ($env:LOG_LEVEL -ne $null) { $env:LOG_LEVEL } else { "INFO" }
 $APP_NAME = if ($env:APP_NAME -ne $null) { $env:APP_NAME } else { "wazuh-cert-oauth2-client" }
-$DEFAULT_WOPS_VERSION = "0.2.23-rc.3"
+$DEFAULT_WOPS_VERSION = "0.2.23-rc.4"
 $WOPS_VERSION = if ($env:WOPS_VERSION -ne $null) { $env:WOPS_VERSION } else { $DEFAULT_WOPS_VERSION }
 $OSSEC_CONF_PATH = if ($env:OSSEC_CONF_PATH -ne $null) { $env:OSSEC_CONF_PATH } else { "C:\Program Files (x86)\ossec-agent\ossec.conf" }
 $USER = "root"

scripts/install.ps1

@@ -10,14 +10,14 @@ fi
 # Default log level and application details
 LOG_LEVEL=${LOG_LEVEL:-INFO}
 APP_NAME=${APP_NAME:-"wazuh-cert-oauth2-client"}
-WOPS_VERSION=${WOPS_VERSION:-"0.2.23-rc.3"}
+WOPS_VERSION=${WOPS_VERSION:-"0.2.23-rc.4"}
 USER="root"
 GROUP="wazuh"
 
 # Determine the OS and architecture
 case "$(uname)" in
-    "Linux") OS="unknown-linux-musl"; BIN_DIR="/var/ossec/bin"; OSSEC_CONF_PATH="/var/ossec/etc/ossec.conf" ;;
-    "Darwin") OS="apple-darwin"; BIN_DIR="/Library/Ossec/bin"; OSSEC_CONF_PATH="/Library/Ossec/etc/ossec.conf" ;;
+    "Linux") OS="unknown-linux-musl"; BIN_DIR=${BIN_DIR:-"/var/ossec/bin"}; OSSEC_CONF_PATH="/var/ossec/etc/ossec.conf" ;;
+    "Darwin") OS="apple-darwin"; BIN_DIR=${BIN_DIR:-"/Library/Ossec/bin"}; OSSEC_CONF_PATH="/Library/Ossec/etc/ossec.conf" ;;
     *) error_exit "Unsupported operating system: $(uname)" ;;
 esac