Our patches against m2crypto should have exposed the ability to verify a certificate against a CA chain file. We need to add this support to our repo auth code. Since the repo auth CA file (whether or not we're using global auth) might be a chain or just a single certificate, we will probably need to add a step in the verification to see if we're verifying against a chain or not. Once we know if we're using a chain or not, that will let us know which m2crypto API to use. It might be possible to use the same API and just feed it one CA certificate for verification if we're not using a chain; I'm not sure.
This commit introduces the ability to validate a certificate against a chain of CAs: http://git.fedorahosted.org/git/?p=pulp.git;a=commitdiff;h=9bd3a204037bf0c706a4be611d0455c9c77a8d20

From a user's perspective, there should be no configuration changes needed. Either configure with a single CA or concatenate a series of CAs together in the same file. Pulp will work with either.
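The two comments above turn on one question: is the repo-auth CA file a single certificate or a concatenation of several? The Python 3 snippet below is an added example, not Pulp's code and not the m2crypto patch; it implements the "is this a chain?" step as a parser for the concatenated-PEM format, fails closed on a truncated file, and classifies the result. The certificate bodies are constructed placeholders (plain byte strings, not real DER), and the names `split_pem_certificates`, `classify_ca_file` and `load_ca_file` are this example's own.

```python
import base64
import binascii
import re

# One PEM-encoded X.509 certificate block (RFC 7468 "CERTIFICATE" label).
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)
BEGIN_MARKER = "-----BEGIN CERTIFICATE-----"
END_MARKER = "-----END CERTIFICATE-----"


def split_pem_certificates(pem_text):
    """Return the DER bytes of every CERTIFICATE block in pem_text, in file order.

    Text outside the BEGIN/END markers (for example the human-readable dump that
    `openssl x509 -text` prepends) is ignored, which matches how OpenSSL's own
    PEM reader treats a CA bundle.  A BEGIN without a matching END, or a body
    that is not valid base64, raises ValueError rather than being skipped: a
    truncated CA file must fail closed instead of quietly verifying against
    fewer CAs than the operator configured.
    """
    begins = pem_text.count(BEGIN_MARKER)
    ends = pem_text.count(END_MARKER)
    if begins != ends:
        raise ValueError("malformed PEM: %d BEGIN but %d END markers" % (begins, ends))
    ders = []
    for body in PEM_CERT_RE.findall(pem_text):
        compact = "".join(body.split())  # drop the 64-column line wrapping
        try:
            ders.append(base64.b64decode(compact, validate=True))
        except (binascii.Error, ValueError) as exc:
            raise ValueError("malformed PEM body: %s" % exc)
    return ders


def classify_ca_file(pem_text):
    """Classify a repo-auth CA file as 'single' (one CA) or 'chain' (several)."""
    count = len(split_pem_certificates(pem_text))
    if count == 0:
        raise ValueError("CA file contains no CERTIFICATE block")
    return "single" if count == 1 else "chain"


def is_malformed(pem_text):
    """True when the CA file would be rejected (truncated or non-base64 body)."""
    try:
        split_pem_certificates(pem_text)
    except ValueError:
        return True
    return False


def load_ca_file(path):
    """Read a CA file from disk and return its certificates as DER bytes."""
    with open(path) as fh:
        return split_pem_certificates(fh.read())


def _fake_pem(der_bytes):
    # Constructed placeholder: base64 of a short byte string standing in for
    # DER, wrapped at 64 columns like a real PEM file.  Not a real certificate.
    body = base64.b64encode(der_bytes).decode("ascii")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return "%s\n%s\n%s\n" % (BEGIN_MARKER, wrapped, END_MARKER)


# Constructed sample inputs mirroring the ROOT_CA / SUB_CA layout of the test plan.
ROOT_CA_BYTES = b"constructed placeholder for ROOT_CA/root_ca.pem DER"
SUB_CA_BYTES = b"constructed placeholder for SUB_CA/sub_ca.pem DER"

SINGLE_CA_FILE = _fake_pem(ROOT_CA_BYTES)
# A chain file exactly as the comment describes it: the CAs simply concatenated.
CHAIN_CA_FILE = (
    "# sub CA, issued by the root CA that follows\n"
    + _fake_pem(SUB_CA_BYTES)
    + _fake_pem(ROOT_CA_BYTES)
)
# A copy with the last END marker cut off, as a partial write would leave it.
TRUNCATED_CA_FILE = CHAIN_CA_FILE.rsplit(END_MARKER, 1)[0]


if __name__ == "__main__":
    for name, text in (("single", SINGLE_CA_FILE), ("chain", CHAIN_CA_FILE)):
        ders = split_pem_certificates(text)
        print("%s: %s, %d certificate(s), DER sizes %s"
              % (name, classify_ca_file(text), len(ders), [len(d) for d in ders]))
    print("truncated file rejected: %s" % is_malformed(TRUNCATED_CA_FILE))
```

A note on the design: OpenSSL's `SSL_CTX_load_verify_locations` and `X509_STORE_load_locations` already read every certificate in a concatenated CA file, which is why the commit above needs no configuration change. The split step is therefore most useful for logging how many CAs were loaded and for rejecting a truncated file before verification, rather than for choosing between two verification APIs.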
This patch fixes a problem we introduced with adding more log information when a cert verification fails: http://git.fedorahosted.org/git/?p=pulp.git;a=commitdiff;h=f3581ed4178f222ba18e2b643a584cc7401b055c

QE: Refer to scripts in Pulp Git: cd playpen/certs/chain_example

1) Generate a ROOT/SUB CA with a test cert that has OID extensions for repo_auth: ./create_chain_data.sh
2) Look at ./test_fetch.sh. Uncomment the pulp-admin repo create/sync lines and create a test Pulp repo and sync it. Note the repo feed created needs to match what is in ./extensions.txt. If you use what is in test_fetch.sh things will work.
3) Perform a curl/wget with the test cert we generated. This uses test data of: ./certs/test_cert.pem signed by ./certs/SUB_CA/sub_ca.pem, and sub_ca.pem is issued by ./certs/ROOT_CA/root_ca.pem
build: 0.262
verified

[root@preethi chain_example]# rpm -q pulp
pulp-0.0.267-1.fc15.noarch

following the test plan from above

[root@preethi chain_example]# ./create_chain_data.sh
Creating Root CA: ./certs/ROOT_CA/root_ca.pem
Generating RSA private key, 2048 bit long modulus
..........................................................+++
.......................................................................................................+++
e is 65537 (0x10001)
Creating Sub CA: ./certs/SUB_CA/sub_ca.pem
Generating RSA private key, 2048 bit long modulus
...............+++
......................................................................................................+++
e is 65537 (0x10001)
Signature ok
subject=/CN=Sub CA Common Name
Getting CA Private Key
Creating a test cert: ./certs/test_cert.pem
Generating RSA private key, 2048 bit long modulus
.........+++
.....................................+++
e is 65537 (0x10001)
Signature ok
subject=/CN=Test Common Name
Getting CA Private Key
[root@preethi chain_example]#
[root@preethi chain_example]#
[root@preethi chain_example]# ./test_fetch.sh
Successfully created repository [ pulp_f15_x86_64 ]
Sync for repository pulp_f15_x86_64 started
Sync: Finished
20/20 new items downloaded
0/20 existing items processed
Item Details:
RPMs: 20/20
<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm">
  <revision>1329921409</revision>
  <data type="filelists">
    <checksum type="sha256">f679052cb4929a807839ecda108858dae67c9463c647a97cb98d1c6d7c290a4c</checksum>
    <open-checksum type="sha256">2e191464857851b377dea7d0fa23a9c603a88836981e86c00efd68cb94b4fa0b</open-checksum>
    <location href="repodata/f679052cb4929a807839ecda108858dae67c9463c647a97cb98d1c6d7c290a4c-filelists.xml.gz"/>
    <timestamp>1329921410</timestamp>
    <size>12348</size>
    <open-size>180705</open-size>
  </data>
  <data type="primary">
    <checksum type="sha256">94583cf1d114643bff9648aed87be014273f97343d88c23e9ac2c2f97693a6af</checksum>
    <open-checksum type="sha256">7e7c1bf47e28cfba1382ac4671b1eb1273d8094cde3b8ec287474c1fe1419aed</open-checksum>
    <location href="repodata/94583cf1d114643bff9648aed87be014273f97343d88c23e9ac2c2f97693a6af-primary.xml.gz"/>
    <timestamp>1329921410</timestamp>
    <size>6458</size>
    <open-size>34744</open-size>
  </data>
  <data type="primary_db">
    <checksum type="sha256">11718406a6fe75fab58eb03f0b44d1ef0b93986e8871a8434bcc46d5dedc4441</checksum>
    <open-checksum type="sha256">470b6062ff6ecf42eb4751c59e8b8e022494e37b123a178c6581515031a8c051</open-checksum>
    <location href="repodata/11718406a6fe75fab58eb03f0b44d1ef0b93986e8871a8434bcc46d5dedc4441-primary.sqlite.bz2"/>
    <timestamp>1329921411.38</timestamp>
    <database_version>10</database_version>
    <size>11169</size>
    <open-size>49152</open-size>
  </data>
  <data type="other_db">
    <checksum type="sha256">0ebb714e0f34fd3f1527a65c323f919ef38209ba41f25c8312e621c1711f7b95</checksum>
    <open-checksum type="sha256">f98ba7ce18a659b8987fa7a54ff8a67bfd15e1d721a950cf17db4aa3d337c75a</open-checksum>
    <location href="repodata/0ebb714e0f34fd3f1527a65c323f919ef38209ba41f25c8312e621c1711f7b95-other.sqlite.bz2"/>
    <timestamp>1329921410.77</timestamp>
    <database_version>10</database_version>
    <size>15820</size>
    <open-size>120832</open-size>
  </data>
  <data type="other">
    <checksum type="sha256">10002277184350b450088f49309945e038f1ee933d9d1591835e64a587624c56</checksum>
    <open-checksum type="sha256">9b585400f548c72c0bc9aac17be26f72af0d2c8fc31362896cff36016ac60e65</open-checksum>
    <location href="repodata/10002277184350b450088f49309945e038f1ee933d9d1591835e64a587624c56-other.xml.gz"/>
    <timestamp>1329921410</timestamp>
    <size>10710</size>
    <open-size>106987</open-size>
  </data>
  <data type="filelists_db">
    <checksum type="sha256">502a749f09297367dc78682e820b4e555867c8a1f6605834bc4f9e1adc74a4c9</checksum>
    <open-checksum type="sha256">586dd3aaf2c32d8489a50e8885c31ad0baf5fb182852080fdc9b6580d850bf5e</open-checksum>
    <location href="repodata/502a749f09297367dc78682e820b4e555867c8a1f6605834bc4f9e1adc74a4c9-filelists.sqlite.bz2"/>
    <timestamp>1329921410.97</timestamp>
    <database_version>10</database_version>
    <size>16058</size>
    <open-size>77824</open-size>
  </data>
</repomd>
Pulp v1.0 is released. (Closed: Current Release)