From aedb8239e76307d20eb36b5abecff1f1700dfa60 Mon Sep 17 00:00:00 2001
From: Javi Fontan
Date: Wed, 6 Mar 2013 18:44:55 +0100
Subject: [PATCH 1/2] feature #1790: check crl for x509 auth

This patch is based on the work done by Hyunwoo Kim from FermiLab. More info at http://dev.opennebula.org/issues/1790
---
 src/authm_mad/remotes/x509/x509_auth.conf | 3 ++
 src/authm_mad/remotes/x509/x509_auth.rb | 37 +++++++++++++++++++++++
 2 files changed, 40 insertions(+)

diff --git a/src/authm_mad/remotes/x509/x509_auth.conf b/src/authm_mad/remotes/x509/x509_auth.conf
index b841529176..570843835a 100644
--- a/src/authm_mad/remotes/x509/x509_auth.conf
+++ b/src/authm_mad/remotes/x509/x509_auth.conf
@@ -2,3 +2,6 @@
 # the server, each CA certificate shoud be name CA_hash.0
 #:ca_dir: "/etc/one/auth/certificates"
+
+ # Uncoment this line if you want to force crl checking
+#:check_crl: true
diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb
index 4cdb0c7890..34afa5c20a 100644
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@@ -213,6 +213,8 @@ private
 # Validate the proxy certifcates
 signee = @cert_chain[0]
+ check_crl(signee)
+
 @cert_chain[1..-1].each do |cert|
 if !((signee.issuer.to_s == cert.subject.to_s) &&
 (signee.verify(cert.public_key)))
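Review bot: `check_crl(signee)` is applied only to `@cert_chain[0]`, so when that element is a proxy (the comment above it and the walk over `@cert_chain[1..-1]` indicate proxies are expected) check_crl keys its lookup on the proxy's issuer, i.e. the user certificate, for which no `.r0` exists in `ca_dir`: the user's own certificate is never compared against the CA's CRL, and with `:check_crl: true` every proxy login would fail on the missing-file branch. Running the check for each element, `@cert_chain.each { |c| check_crl(c) }`, would reach the certificate whose issuer actually is a CA in `ca_dir`, provided check_crl treats an issuer with no `.0` file in `ca_dir` as "not a CA here" rather than as a missing CRL. The call also precedes the signature walk of the chain, so it is worth moving after that loop (which continues outside the hunk) to keep the order verify-then-revocation; validate's body starts and ends outside this hunk.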
@@ -247,4 +249,39 @@ private
 raise
 end
 end
+
+ def check_crl(signee)
+ ca_hash = signee.issuer.hash.to_s(16)
+ ca_path = @options[:ca_dir] + '/' + ca_hash + '.0'
+
+ crl_path = @options[:ca_dir] + '/' + ca_hash + '.r0'
+
+ if !File.exist?(crl_path)
+ if @options[:check_crl]
+ raise failed + "CRL file #{crl_path} does not exist"
+ else
+ return
+ end
+ end
+
+ ca_cert = OpenSSL::X509::Certificate.new( File.read(ca_path) )
+ crl_cert = OpenSSL::X509::CRL.new( File.read(crl_path) )
+
+ # First verify the CRL itself with its signer
+ unless crl_cert.verify( ca_cert.public_key ) then
+ raise failed + "CRL is not verified by its Signer"
+ end
+
+ # Extract the list of revoked certificates from the CRL
+ rc_array = crl_cert.revoked
+
+ # Loop over the list and compare with the target personal
+ # certificate
+ rc_array.each do |e|
+ if e.serial.eql?(signee.serial) then
+ raise failed + "#{signee.subject.to_s} is found in the "<<
+ "CRL, i.e. it is revoked"
+ end
+ end
+ end
 end

From ca1b6ab41f8a3501d107d93f899da5278e1fc7e4 Mon Sep 17 00:00:00 2001
From: Javi Fontan
Date: Thu, 7 Mar 2013 12:45:04 +0100
Subject: [PATCH 2/2] feature #1790: bug in crl check function

---
 src/authm_mad/remotes/x509/x509_auth.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb
index 34afa5c20a..24ff82d63f 100644
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@@ -199,7 +199,6 @@ private
 ###########################################################################
 def validate
 now = Time.now
- failed = "Could not validate user credentials: "
 # Check start time and end time of certificates
 @cert_chain.each do |cert|
@@ -251,6 +250,8 @@ private
 end
 def check_crl(signee)
+ failed = "Could not validate user credentials: "
+
 ca_hash = signee.issuer.hash.to_s(16)
 ca_path = @options[:ca_dir] + '/' + ca_hash + '.0'
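Review bot: The CRL's signature is checked but its validity period is not, so after `unless crl_cert.verify( ca_cert.public_key )` a CRL whose nextUpdate has long passed is still used and a certificate revoked since then keeps authenticating until someone replaces the file. Adding, after the signature check, `if crl_cert.next_update && crl_cert.next_update < Time.now` / `raise failed + "CRL has expired (nextUpdate #{crl_cert.next_update})"` / `end` closes that window (`last_update` can be compared the same way). `@options[:ca_dir] + '/'` at the top raises NoMethodError instead of a credential error when `:ca_dir` is unset; if validate only rejects a missing `:ca_dir` after this call (its body is outside the hunk), a leading `raise failed + "No certificate authority directory was specified." unless @options[:ca_dir]` is needed here. The revoked loop reads more directly as `raise failed + "#{signee.subject} is found in the CRL, i.e. it is revoked" if crl_cert.revoked.any? { |e| e.serial == signee.serial }`, and `unless … then` / `if !File.exist?` are non-idiomatic forms.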
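Review bot: The deleted `failed = "Could not validate user credentials: "` is the definition of that local in validate, and if any `raise failed + …` remains in the rest of the method (its body is outside this hunk) the change turns a credential error into a NameError; the patch description says it fixes check_crl, so the deletion here looks unintended. The second hunk (`@@ -251,6 +250,8 @@`) then re-creates the same string as a local of check_crl; a single frozen constant, `FAILED = 'Could not validate user credentials: '.freeze`, referenced from both methods avoids the duplicate and the risk of the two prefixes drifting.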