Bug 626951

Summary: Consumer certificates can be spoofed
Product: [Retired] Pulp
Reporter: Jay Dobies <jason.dobies>
Component: z_other
Assignee: Jay Dobies <jason.dobies>
Status: CLOSED CURRENTRELEASE
QA Contact: wes hayutin <whayutin>
Severity: medium
Priority: low
Version: unspecified
CC: jconnor, pthomas
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-08-16 14:20:41 UTC
Bug Blocks: 647488

Description Jay Dobies 2010-08-24 18:13:38 UTC
Since we don't do verification of the certificates (pulp.conf: "SSLVerifyClient optional_no_ca"), someone is able to create and sign their own certificate with any given consumer ID and pretend to be that consumer.

Comment 1 Jay Dobies 2010-08-24 18:26:06 UTC
commit	a170699b2edb36840691fdfdd772a90918cb4fbd
tree	e3eb7df0b0fa391694747bedc13f31eeec2d7117


Changed SSL client cert handling to verify so we can ensure we were the ones who issued the certificate.


etc/httpd/conf.d/pulp.conf 


Configured Apache to verify the client certificate, which ensures it was signed by its CA and not by a spoofer.

Comment 2 Jay Dobies 2010-08-24 18:28:50 UTC
To verify:

Create a consumer in pulp, which will download the consumer's specific certificate to the machine:

- pulp-client consumer create --id=foo -uadmin -padmin

The certificates are placed in /etc/pki/consumer.

Verify these certificates work:

- pulp-client consumer update

This should be successful.

Generate a second certificate manually, using a different CA than is installed on the pulp server. The CN of that *must* match the CN in the certificate provided by pulp (hint: it's what you passed into --id). Copy this certificate and private key over the pulp ones in /etc/pki/consumer.

Attempt to use the self-signed certificates:

- pulp-client consumer update

This should fail with a message about a bad certificate.

Comment 3 Jay Dobies 2010-08-25 15:14:26 UTC
commit	6dad1a25eaa3a451d3242accd406a6df8848409a
tree	f4b0dde29e6da243d2ece28d27cd310fa9b22e53


Added CA certificate validation only in cases where a consumer cert is being used.


src/pulp/server/webservices/role_check.py 	


The Apache solution won't work because we have some operations that should not verify the client certificate. The logic for that verification has been pushed back into the pulp layer so we can have more fine-grained control. The verification steps are the same.
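
The check that the verification steps in Comment 2 exercise, as an added example that is not part of the bug report or Pulp's code: two throwaway CAs each issue a CN=foo certificate, and only chain validation against the server's CA tells them apart. The CA names, file names and helper functions are constructed for this demo, and the openssl CLI is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example: CA names, file names and helper functions are constructed for
# this demo; they are not Pulp's. Requires the openssl CLI.
WORK=$(mktemp -d)

# Create a throwaway self-signed CA called $1 (key and certificate in $WORK).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a certificate with CN=$2 signed by CA $1; result is $WORK/$3.pem.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 1 -out "$WORK/$3.pem" 2>/dev/null
}

# Print the subject CN of certificate $1 (the consumer ID in this bug).
cert_cn() {
    openssl x509 -in "$WORK/$1.pem" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Print the consumer ID only if the certificate chains to the server's CA.
# Without this step (the optional_no_ca behaviour) the CN alone is trusted.
consumer_id_if_trusted() {
    openssl verify -CAfile "$WORK/server-ca.pem" "$WORK/$1.pem" >/dev/null 2>&1 || return 1
    cert_cn "$1"
}

make_ca server-ca                      # stands in for the CA on the Pulp server
make_ca other-ca                       # any CA the server did not issue
issue_cert server-ca foo genuine       # what "consumer create --id=foo" hands out
issue_cert other-ca  foo lookalike     # same CN, different signer

for cert in genuine lookalike; do
    if id=$(consumer_id_if_trusted "$cert"); then
        echo "$cert: CN=$(cert_cn "$cert") accepted as consumer $id"
    else
        echo "$cert: CN=$(cert_cn "$cert") rejected (not signed by server CA)"
    fi
done
```

Both certificates report the same CN, so any server-side logic that reads the consumer ID before the chain check has passed cannot distinguish them.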

Comment 4 Preethi Thomas 2011-05-06 13:29:20 UTC
verified
[root@10 ~]# rpm -q pulp-client
pulp-client-0.0.173-1.fc14.noarch

with the actual consumer cert

[root@10 ~]# pulp-client consumer update
Successfully updated consumer [10.16.79.198] profile


after changing the consumer cert

[root@10 ~]# pulp-client consumer update
Enter passphrase:
Error updating consumer [10.16.79.198].

Comment 5 Preethi Thomas 2011-08-16 14:20:41 UTC
Closing with Community Release 15

pulp-0.0.223-4.