Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cert validation changes in the latest NSS #4830

Merged
merged 2 commits into from
Aug 21, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .github/workflows/ipa-subca-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -96,11 +96,16 @@ jobs:
docker exec ipa pki nss-cert-import \
--cert root-ca_signing.crt \
--trust CT,C,C \
root-ca_signing

docker exec ipa pki nss-cert-import \
--cert ipa.crt \
ca_signing

docker exec ipa pki pkcs12-import \
--pkcs12 /root/ca-agent.p12 \
--pkcs12-password Secret.123

docker exec ipa pki -n ipa-ca-agent ca-user-show admin

- name: Check lightweight CAs
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/server-https-nss-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -163,7 +163,7 @@ jobs:
-o /dev/null \
https://pki.example.com:8443

- name: Check PKI CLI with untrusted server cert
- name: Check PKI CLI with unknown issuer
run: |
# run PKI CLI but don't trust the cert
echo n | docker exec -i client pki -U https://pki.example.com:8443 info \
Expand All @@ -178,7 +178,7 @@ jobs:

# check stderr
cat > expected << EOF
WARNING: UNTRUSTED ISSUER encountered on 'CN=pki.example.com' indicates a non-trusted CA cert 'CN=CA Signing Certificate'
WARNING: UNKNOWN_ISSUER encountered on 'CN=pki.example.com' indicates an unknown CA cert 'CN=CA Signing Certificate'
Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE
IOException: Unable to write to socket: Failed to write to socket: (-5987) Invalid function argument.
EOF
Expand All @@ -190,7 +190,7 @@ jobs:

diff /dev/null output

- name: Check PKI CLI with untrusted server cert with wrong hostname
- name: Check PKI CLI with unknown issuer with wrong hostname
run: |
# run PKI CLI with wrong hostname
echo n | docker exec -i client pki -U https://server.example.com:8443 info \
Expand All @@ -205,8 +205,8 @@ jobs:

# check stderr
cat > expected << EOF
WARNING: UNKNOWN_ISSUER encountered on 'CN=pki.example.com' indicates an unknown CA cert 'CN=CA Signing Certificate'
WARNING: BAD_CERT_DOMAIN encountered on 'CN=pki.example.com' indicates a common-name mismatch
WARNING: UNTRUSTED ISSUER encountered on 'CN=pki.example.com' indicates a non-trusted CA cert 'CN=CA Signing Certificate'
Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE
IOException: Unable to write to socket: Failed to write to socket: (-12276) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
EOF
Expand All @@ -229,7 +229,7 @@ jobs:

# check stderr
cat > expected << EOF
WARNING: UNTRUSTED ISSUER encountered on 'CN=pki.example.com' indicates a non-trusted CA cert 'CN=CA Signing Certificate'
WARNING: UNKNOWN_ISSUER encountered on 'CN=pki.example.com' indicates an unknown CA cert 'CN=CA Signing Certificate'
Trust this certificate (y/N)?
EOF

Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/server-https-pkcs12-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -197,7 +197,7 @@ jobs:
-o /dev/null \
https://pki.example.com:8443

- name: Check PKI CLI with untrusted server cert
- name: Check PKI CLI with unknown issuer
run: |
# run PKI CLI but don't trust the cert
echo n | docker exec -i client pki \
Expand All @@ -214,7 +214,7 @@ jobs:

# check stderr
cat > expected << EOF
WARNING: UNTRUSTED ISSUER encountered on 'CN=pki.example.com' indicates a non-trusted CA cert 'CN=CA Signing Certificate'
WARNING: UNKNOWN_ISSUER encountered on 'CN=pki.example.com' indicates an unknown CA cert 'CN=CA Signing Certificate'
Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE
IOException: Unable to write to socket: Failed to write to socket: (-5987) Invalid function argument.
EOF
Expand All @@ -226,7 +226,7 @@ jobs:

diff /dev/null output

- name: Check PKI CLI with untrusted server cert and wrong hostname
- name: Check PKI CLI with unknown issuer and wrong hostname
run: |
# run PKI CLI with wrong hostname
echo n | docker exec -i client pki \
Expand All @@ -243,8 +243,8 @@ jobs:

# check stderr
cat > expected << EOF
WARNING: UNKNOWN_ISSUER encountered on 'CN=pki.example.com' indicates an unknown CA cert 'CN=CA Signing Certificate'
WARNING: BAD_CERT_DOMAIN encountered on 'CN=pki.example.com' indicates a common-name mismatch
WARNING: UNTRUSTED ISSUER encountered on 'CN=pki.example.com' indicates a non-trusted CA cert 'CN=CA Signing Certificate'
Trust this certificate (y/N)? SEVERE: FATAL: SSL alert sent: BAD_CERTIFICATE
IOException: Unable to write to socket: Failed to write to socket: (-12276) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
EOF
Expand All @@ -269,7 +269,7 @@ jobs:

# check stderr
cat > expected << EOF
WARNING: UNTRUSTED ISSUER encountered on 'CN=pki.example.com' indicates a non-trusted CA cert 'CN=CA Signing Certificate'
WARNING: UNKNOWN_ISSUER encountered on 'CN=pki.example.com' indicates an unknown CA cert 'CN=CA Signing Certificate'
Trust this certificate (y/N)?
EOF

Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/subca-basic-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -172,11 +172,16 @@ jobs:
docker exec subordinate pki nss-cert-import \
--cert $SHARED/root-ca_signing.crt \
--trust CT,C,C \
root-ca_signing

docker exec subordinate pki nss-cert-import \
--cert ca_signing.crt \
ca_signing

docker exec subordinate pki pkcs12-import \
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password Secret.123

docker exec subordinate pki -n caadmin --ignore-banner ca-user-show caadmin

- name: Check cert requests in subordinate CA
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/subca-clone-hsm-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -283,6 +283,7 @@ jobs:
docker exec primary-subca pki pkcs12-import \
--pkcs12 $SHARED/caadmin.p12 \
--pkcs12-password Secret.123

docker exec primary-subca pki -n caadmin ca-user-show caadmin

- name: Set up secondary DS container
Expand Down
10 changes: 10 additions & 0 deletions .github/workflows/subca-clone-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -116,9 +116,14 @@ jobs:
--trust CT,C,C \
root-ca_signing

docker exec primary-subca pki nss-cert-import \
--cert $SHARED/subca_signing.crt \
ca_signing

docker exec primary-subca pki pkcs12-import \
--pkcs12 $SHARED/caadmin.p12 \
--pkcs12-password Secret.123

docker exec primary-subca pki -n caadmin ca-user-show caadmin

- name: Export primary sub-CA certs
Expand Down Expand Up @@ -246,9 +251,14 @@ jobs:
--trust CT,C,C \
root-ca_signing

docker exec secondary-subca pki nss-cert-import \
--cert $SHARED/subca_signing.crt \
ca_signing

docker exec secondary-subca pki pkcs12-import \
--pkcs12 $SHARED/caadmin.p12 \
--pkcs12-password Secret.123

docker exec secondary-subca pki -n caadmin ca-user-show caadmin

- name: Check users in primary sub-CA and secondary sub-CA
Expand Down
11 changes: 10 additions & 1 deletion .github/workflows/subca-cmc-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -187,10 +187,19 @@ jobs:

- name: Verify subordinate CA admin cert
run: |
docker exec subordinate pki client-cert-import ca_signing --ca-cert $SHARED/ca_signing.p7b
docker exec subordinate pki nss-cert-import \
--cert $SHARED/root-ca_signing.crt \
--trust CT,C,C \
root-ca_signing

docker exec subordinate pki nss-cert-import \
--cert ca_signing.crt \
ca_signing

docker exec subordinate pki pkcs12-import \
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password Secret.123

docker exec subordinate pki -n caadmin ca-user-show caadmin

- name: Check cert requests in subordinate CA
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/subca-external-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -117,11 +117,16 @@ jobs:
docker exec pki pki nss-cert-import \
--cert root-ca_signing.crt \
--trust CT,C,C \
root-ca_signing

docker exec pki pki nss-cert-import \
--cert ca_signing.crt \
ca_signing

docker exec pki pki pkcs12-import \
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password Secret.123

docker exec pki pki -n caadmin ca-user-show caadmin

- name: Check cert requests in CA
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/subca-hsm-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -272,6 +272,7 @@ jobs:
docker exec pki pki pkcs12-import \
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password Secret.123

docker exec pki pki -n caadmin ca-user-show caadmin

- name: Check CA certs and requests
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -109,11 +109,17 @@ public String getMessage(org.mozilla.jss.crypto.X509Certificate serverCert, int
}

if (reason == SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER) {
return "UNTRUSTED ISSUER encountered on '" +
return "UNTRUSTED_ISSUER encountered on '" +
serverCert.getSubjectDN() + "' indicates a non-trusted CA cert '" +
serverCert.getIssuerDN() + "'";
}

if (reason == SSLCertificateApprovalCallback.ValidityStatus.UNKNOWN_ISSUER) {
return "UNKNOWN_ISSUER encountered on '" +
serverCert.getSubjectDN() + "' indicates an unknown CA cert '" +
serverCert.getIssuerDN() + "'";
}

if (reason == SSLCertificateApprovalCallback.ValidityStatus.CA_CERT_INVALID) {
return "CA_CERT_INVALID encountered on '"+serverCert.getSubjectDN()+"' results in a denied SSL server cert!";
}
Expand All @@ -126,7 +132,7 @@ public String getMessage(org.mozilla.jss.crypto.X509Certificate serverCert, int
return "Unknown/undefined reason "+reason+" encountered on '"+serverCert.getSubjectDN()+"' results in a denied SSL server cert!";
}

public boolean handleUntrustedIssuer(org.mozilla.jss.crypto.X509Certificate serverCert) {
public boolean trustCert(org.mozilla.jss.crypto.X509Certificate serverCert) {
try {
System.err.print("Trust this certificate (y/N)? ");

Expand Down Expand Up @@ -172,7 +178,9 @@ public boolean approve(X509Certificate cert, ValidityStatus status) {
// continue, or you can continue to make further tests of
// your own to determine trustworthiness.
Enumeration<?> errors = status.getReasons();

boolean approval = true;
boolean prompt = false;

while (errors.hasMoreElements()) {
SSLCertificateApprovalCallback.ValidityItem item =
Expand All @@ -193,14 +201,13 @@ public boolean approve(X509Certificate cert, ValidityStatus status) {
} else if (isIgnored(reason)) {
// Ignore validity status

} else if (reason == SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER) {
} else if (reason == SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER
|| reason == SSLCertificateApprovalCallback.ValidityStatus.UNKNOWN_ISSUER) {
// Issue a WARNING, but allow this process
// to continue since we haven't installed a trusted CA
// cert for this operation.
System.err.println("WARNING: " + getMessage(serverCert, reason));
if (!handleUntrustedIssuer(serverCert)) {
approval = false;
}
prompt = true;

} else if (reason == SSLCertificateApprovalCallback.ValidityStatus.BAD_CERT_DOMAIN) {
// Issue a WARNING, but allow this process to continue on
Expand All @@ -224,6 +231,10 @@ public boolean approve(X509Certificate cert, ValidityStatus status) {
}
}

if (prompt && !trustCert(serverCert)) {
approval = false;
}

return approval;
}
}
Loading