Bug 782128
Summary: | Add support to repo auth code to verify requests against a CA chain file | ||
---|---|---|---|
Product: | [Retired] Pulp | Reporter: | James Slagle <jslagle> |
Component: | user-experience | Assignee: | John Matthews <jmatthew> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Preethi Thomas <pthomas> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 1.0.0 | CC: | skarmark |
Target Milestone: | --- | Keywords: | Triaged |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Doc Type: | Bug Fix | ||
Last Closed: | 2012-02-24 20:14:16 UTC | ||
Description
James Slagle
2012-01-16 15:58:30 UTC
This commit introduces the ability to validate a certificate against a chain of CAs.
http://git.fedorahosted.org/git/?p=pulp.git;a=commitdiff;h=9bd3a204037bf0c706a4be611d0455c9c77a8d20

From a user's perspective, there should be no configuration changes needed. Either configure with a single CA or concatenate a series of CAs together in the same file. Pulp will work with either.

This patch fixes a problem we introduced with adding more log information when a cert verification fails:
http://git.fedorahosted.org/git/?p=pulp.git;a=commitdiff;h=f3581ed4178f222ba18e2b643a584cc7401b055c

QE: Refer to scripts in Pulp Git

    cd playpen/certs/chain_example

1) Generate a ROOT/SUB CA with a test cert that has OID extensions for repo_auth

    ./create_chain_data.sh

2) Look at ./test_fetch.sh
   Uncomment out the pulp-admin repo create/sync lines and create a test Pulp repo and sync it.
   Note the repo feed created needs to match what is in ./extensions.txt. If you use what is in test_fetch.sh things will work.

3) Perform a curl/wget with the test cert we generated.
This uses test data of: ./certs/test_cert.pem signed by ./certs/SUB_CA/sub_ca.pem, and sub_ca.pem is issued by ./certs/ROOT_CA/root_ca.pem

build: 0.262

verified

    [root@preethi chain_example]# rpm -q pulp
    pulp-0.0.267-1.fc15.noarch

following the test plan from above

    [root@preethi chain_example]# ./create_chain_data.sh
    Creating Root CA: ./certs/ROOT_CA/root_ca.pem
    Generating RSA private key, 2048 bit long modulus
    ..........................................................+++
    .......................................................................................................+++
    e is 65537 (0x10001)
    Creating Sub CA: ./certs/SUB_CA/sub_ca.pem
    Generating RSA private key, 2048 bit long modulus
    ...............+++
    ......................................................................................................+++
    e is 65537 (0x10001)
    Signature ok
    subject=/CN=Sub CA Common Name
    Getting CA Private Key
    Creating a test cert: ./certs/test_cert.pem
    Generating RSA private key, 2048 bit long modulus
    .........+++
    .....................................+++
    e is 65537 (0x10001)
    Signature ok
    subject=/CN=Test Common Name
    Getting CA Private Key
    [root@preethi chain_example]#
    [root@preethi chain_example]#
    [root@preethi chain_example]# ./test_fetch.sh
    Successfully created repository [ pulp_f15_x86_64 ]
    Sync for repository pulp_f15_x86_64 started
    Sync: Finished
    20/20 new items downloaded
    0/20 existing items processed
    Item Details:
    RPMs: 20/20

Pulp v1.0 is released

Closed Current Release. Pulp v1.0 is released.
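The chain layout from the QE steps above (a test cert signed by a sub CA that is issued by a root CA), checked against one concatenated CA file with the stock `openssl` command line. This is an added example, not code from the bug report or from Pulp's playpen scripts: all file names and subject names are constructed, and the repo_auth OID extensions are left out. The rejection of a file holding only the sub CA is `openssl verify`'s default behaviour (it requires a self-signed root) and says nothing about Pulp's own verifier.

```sh
#!/bin/sh
# Added example: constructed throwaway CAs, not Pulp's create_chain_data.sh.
set -e

# issue NAME CN SIGNER: write NAME.key and NAME.pem in the current directory.
# SIGNER is the basename of the issuing CA, or "self" for a self-signed cert.
# Names ending in _ca get basicConstraints CA:TRUE so they may sign others.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    case "$1" in *_ca) ext="-extfile ca_ext.cnf" ;; *) ext="" ;; esac
    if [ "$3" = self ]; then
        signer="-signkey $1.key"
    else
        signer="-CA $3.pem -CAkey $3.key -set_serial 2"
    fi
    # $ext and $signer are left unquoted on purpose: each holds several options
    openssl x509 -req -in "$1.csr" -days 2 $ext $signer -out "$1.pem" 2>/dev/null
}

# verifies CAFILE CERT: print "ok" if CERT chains up to a self-signed root
# using only the CA certificates in CAFILE, otherwise print "rejected".
verifies() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"
printf 'basicConstraints=critical,CA:TRUE\n' > ca_ext.cnf

issue root_ca   "Example Root CA"  self      # trust anchor
issue sub_ca    "Example Sub CA"   root_ca   # intermediate issued by the root
issue test_cert "Example Client"   sub_ca    # client cert issued by the sub CA
issue stranger  "Unrelated Client" self      # issued by neither CA

# The CA chain file: every CA certificate concatenated into one PEM file
cat sub_ca.pem root_ca.pem > ca_chain.pem

echo "chain file / test cert:  $(verifies ca_chain.pem test_cert.pem)"
echo "sub CA only / test cert: $(verifies sub_ca.pem test_cert.pem)"
echo "root only / test cert:   $(verifies root_ca.pem test_cert.pem)"
echo "chain file / stranger:   $(verifies ca_chain.pem stranger.pem)"
```

Only the first check passes: the client cert needs both the sub CA and the root in the file, and a cert issued by neither CA is rejected even with the full chain file.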