Merge branch 'feature-1790'

2025-03-20 10:50:08 +03:00 · 2013-03-07 13:23:27 +01:00 · 2013-03-07 13:23:27 +01:00 · a5b0be6d57
commit a5b0be6d57
parent d156f41b07 ca1b6ab41f
2 changed files with 42 additions and 1 deletions
--- a/src/authm_mad/remotes/x509/x509_auth.conf
+++ b/src/authm_mad/remotes/x509/x509_auth.conf
@ -2,3 +2,6 @@
 # the server, each CA certificate shoud be name CA_hash.0

 #:ca_dir: "/etc/one/auth/certificates"
+
+# Uncoment this line if you want to force crl checking
+#:check_crl: true
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@ -199,7 +199,6 @@ private
    ###########################################################################
    def validate
        now    = Time.now
-        failed = "Could not validate user credentials: "

        # Check start time and end time of certificates
        @cert_chain.each do |cert|
@ -213,6 +212,8 @@ private
            # Validate the proxy certifcates
            signee = @cert_chain[0]

+            check_crl(signee)
+
            @cert_chain[1..-1].each do |cert|
                if !((signee.issuer.to_s == cert.subject.to_s) &&
                     (signee.verify(cert.public_key)))
@ -247,4 +248,41 @@ private
            raise
        end
    end
+
+    def check_crl(signee)
+        failed = "Could not validate user credentials: "
+
+        ca_hash = signee.issuer.hash.to_s(16)
+        ca_path = @options[:ca_dir] + '/' + ca_hash + '.0'
+
+        crl_path = @options[:ca_dir] + '/' + ca_hash + '.r0'
+
+        if !File.exist?(crl_path)
+            if @options[:check_crl]
+                raise failed + "CRL file #{crl_path} does not exist"
+            else
+                return
+            end
+        end
+
+        ca_cert = OpenSSL::X509::Certificate.new( File.read(ca_path) )
+        crl_cert = OpenSSL::X509::CRL.new( File.read(crl_path) )
+
+        # First verify the CRL itself with its signer
+        unless crl_cert.verify( ca_cert.public_key ) then
+            raise failed + "CRL is not verified by its Signer"
+        end
+
+        # Extract the list of revoked certificates from the CRL
+        rc_array = crl_cert.revoked
+
+        # Loop over the list and compare with the target personal
+        # certificate
+        rc_array.each do |e|
+            if e.serial.eql?(signee.serial) then
+                raise failed + "#{signee.subject.to_s} is found in the "<<
+                    "CRL, i.e. it is revoked"
+            end
+        end
+    end
 end