Bug 782128

Summary: Add support to repo auth code to verify requests against a CA chain file
Product: [Retired] Pulp
Component: user-experience
Version: 1.0.0
Reporter: James Slagle <jslagle>
Assignee: John Matthews <jmatthew>
QA Contact: Preethi Thomas <pthomas>
CC: skarmark
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Keywords: Triaged
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-02-24 20:14:16 UTC

Description James Slagle 2012-01-16 15:58:30 UTC
Our patches against m2crypto should have exposed the ability to verify a certificate against a CA chain file.

We need to add this support to our repo auth code.  Since the repo auth CA file (whether or not we're using global auth) might be a chain or just a single certificate, we will probably need to add a step in the verification to see if we're verifying against a chain or not.

Once we know if we're using a chain or not, that will let us know which m2crypto API to use.  It might be possible to use the same API and just feed it one CA certificate for verification if we're not using a chain; I'm not sure.

Comment 1 John Matthews 2012-01-23 22:05:26 UTC
This commit introduces the ability to validate a certificate against a chain of CAs.

http://git.fedorahosted.org/git/?p=pulp.git;a=commitdiff;h=9bd3a204037bf0c706a4be611d0455c9c77a8d20

From a user's perspective, there should be no configuration changes needed.  Either configure with a single CA or concatenate a series of CAs together in the same file.  Pulp will work with either.

Comment 2 John Matthews 2012-01-25 20:07:11 UTC
This patch fixes a problem we introduced with adding more log information when a cert verification fails:

http://git.fedorahosted.org/git/?p=pulp.git;a=commitdiff;h=f3581ed4178f222ba18e2b643a584cc7401b055c


QE:
 Refer to scripts in Pulp Git
 cd playpen/certs/chain_example
 
 1) Generate a ROOT/SUB CA with a test cert that has OID extensions for repo_auth
   ./create_chain_data.sh

 2) Look at ./test_fetch.sh
 Uncomment the pulp-admin repo create/sync lines and create a test Pulp repo and sync it.  Note that the repo feed created needs to match what is in ./extensions.txt.  If you use what is in test_fetch.sh, things will work.

 3) Perform a curl/wget with the test cert we generated.

This uses test data of:
 ./certs/test_cert.pem 
 signed by ./certs/SUB_CA/sub_ca.pem
 and sub_ca.pem is issued by ./certs/ROOT_CA/root_ca.pem
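
The following is an added example, not Pulp's code and not the create_chain_data.sh / test_fetch.sh scripts referenced above. It reproduces the ROOT_CA -> SUB_CA -> test cert layout from the QE steps with the openssl CLI and then shows the point raised in the description (chain file versus single CA file): the same test cert verifies against the concatenated CA file but fails against either CA on its own. The file names, the $WORK directory and the minimal openssl config are assumptions of the example; it requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not Pulp's own code). Builds a root CA, a sub CA signed by the
# root, and a leaf test cert signed by the sub CA, then verifies the leaf
# against (a) the root only, (b) the sub CA only, (c) both CAs concatenated.
# $WORK and all file names below are assumptions of this example.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the script does not depend on a system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF

# make_chain: self-signed root, sub CA signed by the root, leaf signed by the
# sub CA, and finally the concatenated CA file (the "chain file" of the bug).
make_chain() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/root_ca.key" -out "$WORK/root_ca.pem" \
        -subj "/CN=Root CA Common Name" \
        -config "$WORK/ca.cnf" -extensions v3_ca 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/sub_ca.key" -out "$WORK/sub_ca.csr" \
        -subj "/CN=Sub CA Common Name" -config "$WORK/ca.cnf" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/sub_ca.csr" \
        -CA "$WORK/root_ca.pem" -CAkey "$WORK/root_ca.key" -CAcreateserial \
        -extfile "$WORK/ca.cnf" -extensions v3_ca -out "$WORK/sub_ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/test_cert.key" -out "$WORK/test_cert.csr" \
        -subj "/CN=Test Common Name" -config "$WORK/ca.cnf" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/test_cert.csr" \
        -CA "$WORK/sub_ca.pem" -CAkey "$WORK/sub_ca.key" -CAcreateserial \
        -extfile "$WORK/ca.cnf" -extensions v3_leaf -out "$WORK/test_cert.pem" 2>/dev/null
    # Chain file: CAs concatenated into one PEM file (openssl does not care about order).
    cat "$WORK/sub_ca.pem" "$WORK/root_ca.pem" > "$WORK/ca_chain.pem"
}

# count_certs FILE: the "single CA or chain?" check from the bug description,
# done by counting PEM certificate blocks in the CA file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# verify_leaf CAFILE LEAF: prints ok or fail. Every cert in CAFILE is treated as
# a trust anchor, but the chain must still reach a self-signed root in CAFILE.
verify_leaf() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# verify_leaf_via CAFILE INTERMEDIATES LEAF: same check, but the intermediates
# are supplied as untrusted chain material instead of as trust anchors.
verify_leaf_via() {
    if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_chain
echo "certs in ca_chain.pem: $(count_certs "$WORK/ca_chain.pem")"                               # 2
echo "root only:   $(verify_leaf "$WORK/root_ca.pem" "$WORK/test_cert.pem")"                     # fail: leaf issuer (sub CA) unknown
echo "sub CA only: $(verify_leaf "$WORK/sub_ca.pem" "$WORK/test_cert.pem")"                      # fail: no self-signed root reachable
echo "chain file:  $(verify_leaf "$WORK/ca_chain.pem" "$WORK/test_cert.pem")"                    # ok
echo "root + untrusted sub CA: $(verify_leaf_via "$WORK/root_ca.pem" "$WORK/sub_ca.pem" "$WORK/test_cert.pem")"  # ok
```

Two things worth noting from the runs. First, a verifier that only handles a single CA file cannot validate the test cert at all, because neither CA alone completes the chain; that is the gap the bug describes. Second, with openssl's -CAfile semantics every certificate in the concatenated file becomes a trust anchor, so the sub CA could be trusted even if the root were later removed from the file; if the sub CA should only be intermediate chain material, trust the root alone and pass the sub CA as untrusted, as the last call shows.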

Comment 3 Jeff Ortel 2012-01-26 13:56:24 UTC
build: 0.262

Comment 4 Preethi Thomas 2012-02-22 14:28:03 UTC
verified
[root@preethi chain_example]# rpm -q pulp
pulp-0.0.267-1.fc15.noarch

following the test plan from above

[root@preethi chain_example]# ./create_chain_data.sh 
Creating Root CA: ./certs/ROOT_CA/root_ca.pem
Generating RSA private key, 2048 bit long modulus
..........................................................+++
.......................................................................................................+++
e is 65537 (0x10001)
Creating Sub CA: ./certs/SUB_CA/sub_ca.pem
Generating RSA private key, 2048 bit long modulus
...............+++
......................................................................................................+++
e is 65537 (0x10001)
Signature ok
subject=/CN=Sub CA Common Name
Getting CA Private Key
Creating a test cert: ./certs/test_cert.pem
Generating RSA private key, 2048 bit long modulus
.........+++
.....................................+++
e is 65537 (0x10001)
Signature ok
subject=/CN=Test Common Name
Getting CA Private Key
[root@preethi chain_example]# 
[root@preethi chain_example]# 

[root@preethi chain_example]# ./test_fetch.sh 
Successfully created repository [ pulp_f15_x86_64 ]

Sync for repository pulp_f15_x86_64 started
Sync: Finished
20/20 new items downloaded
0/20 existing items processed

Item Details: 
RPMs: 20/20

<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm">
 <revision>1329921409</revision>
<data type="filelists">
  <checksum type="sha256">f679052cb4929a807839ecda108858dae67c9463c647a97cb98d1c6d7c290a4c</checksum>
  <open-checksum type="sha256">2e191464857851b377dea7d0fa23a9c603a88836981e86c00efd68cb94b4fa0b</open-checksum>
  <location href="repodata/f679052cb4929a807839ecda108858dae67c9463c647a97cb98d1c6d7c290a4c-filelists.xml.gz"/>
  <timestamp>1329921410</timestamp>
  <size>12348</size>
  <open-size>180705</open-size>
</data>
<data type="primary">
  <checksum type="sha256">94583cf1d114643bff9648aed87be014273f97343d88c23e9ac2c2f97693a6af</checksum>
  <open-checksum type="sha256">7e7c1bf47e28cfba1382ac4671b1eb1273d8094cde3b8ec287474c1fe1419aed</open-checksum>
  <location href="repodata/94583cf1d114643bff9648aed87be014273f97343d88c23e9ac2c2f97693a6af-primary.xml.gz"/>
  <timestamp>1329921410</timestamp>
  <size>6458</size>
  <open-size>34744</open-size>
</data>
<data type="primary_db">
  <checksum type="sha256">11718406a6fe75fab58eb03f0b44d1ef0b93986e8871a8434bcc46d5dedc4441</checksum>
  <open-checksum type="sha256">470b6062ff6ecf42eb4751c59e8b8e022494e37b123a178c6581515031a8c051</open-checksum>
  <location href="repodata/11718406a6fe75fab58eb03f0b44d1ef0b93986e8871a8434bcc46d5dedc4441-primary.sqlite.bz2"/>
  <timestamp>1329921411.38</timestamp>
  <database_version>10</database_version>
  <size>11169</size>
  <open-size>49152</open-size>
</data>
<data type="other_db">
  <checksum type="sha256">0ebb714e0f34fd3f1527a65c323f919ef38209ba41f25c8312e621c1711f7b95</checksum>
  <open-checksum type="sha256">f98ba7ce18a659b8987fa7a54ff8a67bfd15e1d721a950cf17db4aa3d337c75a</open-checksum>
  <location href="repodata/0ebb714e0f34fd3f1527a65c323f919ef38209ba41f25c8312e621c1711f7b95-other.sqlite.bz2"/>
  <timestamp>1329921410.77</timestamp>
  <database_version>10</database_version>
  <size>15820</size>
  <open-size>120832</open-size>
</data>
<data type="other">
  <checksum type="sha256">10002277184350b450088f49309945e038f1ee933d9d1591835e64a587624c56</checksum>
  <open-checksum type="sha256">9b585400f548c72c0bc9aac17be26f72af0d2c8fc31362896cff36016ac60e65</open-checksum>
  <location href="repodata/10002277184350b450088f49309945e038f1ee933d9d1591835e64a587624c56-other.xml.gz"/>
  <timestamp>1329921410</timestamp>
  <size>10710</size>
  <open-size>106987</open-size>
</data>
<data type="filelists_db">
  <checksum type="sha256">502a749f09297367dc78682e820b4e555867c8a1f6605834bc4f9e1adc74a4c9</checksum>
  <open-checksum type="sha256">586dd3aaf2c32d8489a50e8885c31ad0baf5fb182852080fdc9b6580d850bf5e</open-checksum>
  <location href="repodata/502a749f09297367dc78682e820b4e555867c8a1f6605834bc4f9e1adc74a4c9-filelists.sqlite.bz2"/>
  <timestamp>1329921410.97</timestamp>
  <database_version>10</database_version>
  <size>16058</size>
  <open-size>77824</open-size>
</data>
</repomd>

Comment 5 Preethi Thomas 2012-02-24 20:14:16 UTC
Pulp v1.0 is released
Closed Current Release.

Comment 6 Preethi Thomas 2012-02-24 20:19:05 UTC
Pulp v1.0 is released.