Bug 782128 - Add support to repo auth code to verify requests against a CA chain file
Summary: Add support to repo auth code to verify requests against a CA chain file
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Pulp
Classification: Retired
Component: user-experience
Version: 1.0.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: John Matthews
QA Contact: Preethi Thomas
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-01-16 15:58 UTC by James Slagle
Modified: 2012-02-24 20:19 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-24 20:14:16 UTC
Embargoed:


Links
Red Hat Bugzilla 745945 (private; last updated 2021-01-20 06:05:38 UTC)
Red Hat Bugzilla 754728, CLOSED: Document how to install Satellite 6.0 with own CA (last updated 2021-02-22 00:41:40 UTC)
Red Hat Bugzilla 769888, CLOSED: Changes that needs to be done to integrate Katello generated certificates (last updated 2021-02-22 00:41:40 UTC)

Description James Slagle 2012-01-16 15:58:30 UTC
Our patches against m2crypto should have exposed the ability to verify a certificate against a CA chain file.

We need to add this support to our repo auth code.  Since the repo auth CA file (whether we're using global auth or not) might be a chain or just a single certificate, we will probably need to add a step in the verification to see if we're verifying against a chain or not.

Once we know if we're using a chain or not, that will let us know which m2crypto API to use.  It might be possible to use the same API and just feed it one CA certificate for verification if we're not using a chain, I'm not sure.

Comment 1 John Matthews 2012-01-23 22:05:26 UTC
This commit introduces the ability to validate a certificate against a chain of CAs.

http://git.fedorahosted.org/git/?p=pulp.git;a=commitdiff;h=9bd3a204037bf0c706a4be611d0455c9c77a8d20

From a user's perspective, there should be no configuration changes needed.  Either configure with a single CA or concatenate a series of CAs together in the same file.  Pulp will work with either.

Comment 2 John Matthews 2012-01-25 20:07:11 UTC
This patch fixes a problem we introduced with adding more log information when a cert verification fails:

http://git.fedorahosted.org/git/?p=pulp.git;a=commitdiff;h=f3581ed4178f222ba18e2b643a584cc7401b055c


QE:
Refer to scripts in Pulp Git
cd playpen/certs/chain_example

1) Generate a ROOT/SUB CA with a test cert that has OID extensions for repo_auth
   ./create_chain_data.sh

2) Look at ./test_fetch.sh
   Uncomment the pulp-admin repo create/sync lines and create a test Pulp repo and sync it.  Note the repo feed created needs to match what is in ./extensions.txt.  If you use what is in test_fetch.sh things will work.

3) Perform a curl/wget with the test cert we generated.

This uses test data of:
   ./certs/test_cert.pem
   signed by ./certs/SUB_CA/sub_ca.pem
   and sub_ca.pem is issued by ./certs/ROOT_CA/root_ca.pem

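The chain layout the QE steps above describe (a ROOT CA issuing a SUB CA, which signs the test cert, with the CAs concatenated into one CA file as comment 1 describes) can be reproduced and checked with plain openssl. The script below is an added example, not one of Pulp's playpen scripts, and it does not touch Pulp or m2crypto: it builds such a chain in a temporary directory, then shows which CA files let the test cert verify. All subject names, file names and the minimal openssl config are constructed for the example.

```shell
#!/bin/sh
# Added example (not Pulp's own scripts): build ROOT CA -> SUB CA -> leaf with
# openssl, then verify the leaf against a concatenated CA chain file versus a
# single CA. Every name and subject here is constructed for the example.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the script does not depend on the system openssl.cnf.
write_config() {
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# self_signed NAME SUBJECT: create a self-signed CA (key + cert) under $WORK
self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$WORK/openssl.cnf" -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# signed_by NAME SUBJECT ISSUER EXT_SECTION: key + CSR, then sign with ISSUER's key
signed_by() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/openssl.cnf" -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -days 1 -sha256 \
    -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions "$4" \
    -out "$WORK/$1.pem" 2>/dev/null
}

build_chain() {
  write_config
  self_signed root "/CN=Example Root CA"
  signed_by sub  "/CN=Example Sub CA"      root v3_ca
  signed_by leaf "/CN=Example Test Client" sub  v3_leaf
  # An unrelated CA and client cert, to show a wrong issuer is rejected.
  self_signed other_root "/CN=Unrelated Root CA"
  signed_by other_leaf "/CN=Unrelated Client" other_root v3_leaf
  # The CA chain file is simply the CAs concatenated, root included.
  cat "$WORK/root.pem" "$WORK/sub.pem" > "$WORK/chain.pem"
}

# verify_leaf CAFILE CERT: exit 0 only if CERT chains to a trust anchor in CAFILE
verify_leaf() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

build_chain
for case in "chain.pem leaf.pem" "root.pem leaf.pem" "sub.pem leaf.pem" "chain.pem other_leaf.pem"; do
  set -- $case
  if verify_leaf "$WORK/$1" "$WORK/$2"; then r=OK; else r=REJECTED; fi
  printf '%-15s against %-10s : %s\n' "$2" "$1" "$r"
done
```

Only the concatenated file accepts the test cert: the root alone cannot build the chain because the SUB CA is missing, the SUB CA alone is not a self-signed anchor (openssl rejects that unless -partial_chain is given), and a cert from an unrelated CA is rejected against the chain file. This is the property comment 1 relies on: a CA file that is a single CA or a concatenation of CAs works without any other configuration change.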
Comment 3 Jeff Ortel 2012-01-26 13:56:24 UTC
build: 0.262

Comment 4 Preethi Thomas 2012-02-22 14:28:03 UTC
verified
[root@preethi chain_example]# rpm -q pulp
pulp-0.0.267-1.fc15.noarch

following the test plan from above

[root@preethi chain_example]# ./create_chain_data.sh 
Creating Root CA: ./certs/ROOT_CA/root_ca.pem
Generating RSA private key, 2048 bit long modulus
..........................................................+++
.......................................................................................................+++
e is 65537 (0x10001)
Creating Sub CA: ./certs/SUB_CA/sub_ca.pem
Generating RSA private key, 2048 bit long modulus
...............+++
......................................................................................................+++
e is 65537 (0x10001)
Signature ok
subject=/CN=Sub CA Common Name
Getting CA Private Key
Creating a test cert: ./certs/test_cert.pem
Generating RSA private key, 2048 bit long modulus
.........+++
.....................................+++
e is 65537 (0x10001)
Signature ok
subject=/CN=Test Common Name
Getting CA Private Key
[root@preethi chain_example]# 
[root@preethi chain_example]# 

[root@preethi chain_example]# ./test_fetch.sh 
Successfully created repository [ pulp_f15_x86_64 ]

Sync for repository pulp_f15_x86_64 started
Sync: Finished
20/20 new items downloaded
0/20 existing items processed

Item Details: 
RPMs: 20/20

<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm">
 <revision>1329921409</revision>
<data type="filelists">
  <checksum type="sha256">f679052cb4929a807839ecda108858dae67c9463c647a97cb98d1c6d7c290a4c</checksum>
  <open-checksum type="sha256">2e191464857851b377dea7d0fa23a9c603a88836981e86c00efd68cb94b4fa0b</open-checksum>
  <location href="repodata/f679052cb4929a807839ecda108858dae67c9463c647a97cb98d1c6d7c290a4c-filelists.xml.gz"/>
  <timestamp>1329921410</timestamp>
  <size>12348</size>
  <open-size>180705</open-size>
</data>
<data type="primary">
  <checksum type="sha256">94583cf1d114643bff9648aed87be014273f97343d88c23e9ac2c2f97693a6af</checksum>
  <open-checksum type="sha256">7e7c1bf47e28cfba1382ac4671b1eb1273d8094cde3b8ec287474c1fe1419aed</open-checksum>
  <location href="repodata/94583cf1d114643bff9648aed87be014273f97343d88c23e9ac2c2f97693a6af-primary.xml.gz"/>
  <timestamp>1329921410</timestamp>
  <size>6458</size>
  <open-size>34744</open-size>
</data>
<data type="primary_db">
  <checksum type="sha256">11718406a6fe75fab58eb03f0b44d1ef0b93986e8871a8434bcc46d5dedc4441</checksum>
  <open-checksum type="sha256">470b6062ff6ecf42eb4751c59e8b8e022494e37b123a178c6581515031a8c051</open-checksum>
  <location href="repodata/11718406a6fe75fab58eb03f0b44d1ef0b93986e8871a8434bcc46d5dedc4441-primary.sqlite.bz2"/>
  <timestamp>1329921411.38</timestamp>
  <database_version>10</database_version>
  <size>11169</size>
  <open-size>49152</open-size>
</data>
<data type="other_db">
  <checksum type="sha256">0ebb714e0f34fd3f1527a65c323f919ef38209ba41f25c8312e621c1711f7b95</checksum>
  <open-checksum type="sha256">f98ba7ce18a659b8987fa7a54ff8a67bfd15e1d721a950cf17db4aa3d337c75a</open-checksum>
  <location href="repodata/0ebb714e0f34fd3f1527a65c323f919ef38209ba41f25c8312e621c1711f7b95-other.sqlite.bz2"/>
  <timestamp>1329921410.77</timestamp>
  <database_version>10</database_version>
  <size>15820</size>
  <open-size>120832</open-size>
</data>
<data type="other">
  <checksum type="sha256">10002277184350b450088f49309945e038f1ee933d9d1591835e64a587624c56</checksum>
  <open-checksum type="sha256">9b585400f548c72c0bc9aac17be26f72af0d2c8fc31362896cff36016ac60e65</open-checksum>
  <location href="repodata/10002277184350b450088f49309945e038f1ee933d9d1591835e64a587624c56-other.xml.gz"/>
  <timestamp>1329921410</timestamp>
  <size>10710</size>
  <open-size>106987</open-size>
</data>
<data type="filelists_db">
  <checksum type="sha256">502a749f09297367dc78682e820b4e555867c8a1f6605834bc4f9e1adc74a4c9</checksum>
  <open-checksum type="sha256">586dd3aaf2c32d8489a50e8885c31ad0baf5fb182852080fdc9b6580d850bf5e</open-checksum>
  <location href="repodata/502a749f09297367dc78682e820b4e555867c8a1f6605834bc4f9e1adc74a4c9-filelists.sqlite.bz2"/>
  <timestamp>1329921410.97</timestamp>
  <database_version>10</database_version>
  <size>16058</size>
  <open-size>77824</open-size>
</data>
</repomd>

Comment 5 Preethi Thomas 2012-02-24 20:14:16 UTC
Pulp v1.0 is released
Closed Current Release.

Comment 6 Preethi Thomas 2012-02-24 20:19:05 UTC
Pulp v1.0 is released.

