Merge pull request choria-legacy#14 from vjanelle/intermediate_client…

…_certs

(choria-legacy#13) Add intermediate client certificate support

filesec/file_security.go

@@ -423,8 +423,16 @@ func (s *FileSecurity) VerifyCertificate(certpem []byte, name string) error {
 		return err
 	}
 
+	intermediates := x509.NewCertPool()
+	if !intermediates.AppendCertsFromPEM(certpem) {
+		s.log.Warnf("Could not add intermediates: %s", err)
+		return err
+	}
+
 	opts := x509.VerifyOptions{
 		Roots: roots,
+		Intermediates: intermediates,
+		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 	}
 
 	if name != "" {

filesec/file_security_test.go

@@ -364,6 +364,23 @@ var _ = Describe("FileSSL", func() {
 			err := prov.VerifyCertificate(pem, "rip.mcollective")
 			Expect(err).ToNot(HaveOccurred())
 		})
+
+		It("Should work with client provided intermediate chains", func() {
+			c, err := config.NewDefaultConfig()
+			Expect(err).ToNot(HaveOccurred())
+
+			c.Choria.FileSecurityCA = filepath.Join("..", "testdata", "intermediate", "certs", "ca.pem")
+			c.Choria.FileSecurityCache = filepath.Join("..", "testdata", "intermediate", "certs")
+
+			prov, err := New(WithChoriaConfig(c), WithLog(l.WithFields(logrus.Fields{})))
+			Expect(err).ToNot(HaveOccurred())
+
+			pem, err = ioutil.ReadFile(filepath.Join("..", "testdata", "intermediate", "certs", "rip.mcollective.pem"))
+			Expect(err).ToNot(HaveOccurred())
+
+			err = prov.VerifyCertificate(pem, "rip.mcollective")
+			Expect(err).ToNot(HaveOccurred())
+		})
 	})
 
 	Describe("PublicCertPem", func() {

testdata/intermediate/README.md

@@ -0,0 +1,6 @@
+Intermediate certs
+---
+
+Requires `cfssl` and friends.  Install them from https://github.com/cloudflare/cfssl
+
+Run the Makefile to regenerate the CA, intermediate CA, and the chained cert.  This test does not currently need the private keys around.

testdata/intermediate/certs/ca.pem

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICOTCCAd+gAwIBAgIUHcItm2WcJQd0By9Sg5Wqlt0sONIwCgYIKoZIzj0EAwIw
+eTELMAkGA1UEBhMCWFgxETAPBgNVBAgTCExvY2FsaXR5MQ0wCwYDVQQHEwRDaXR5
+MQ8wDQYDVQQKEwZDaG9yaWExJTAjBgNVBAsTHFVuaXQgdGVzdGluZyBJbnRlcm1l
+ZGlhdGUgQ0ExEDAOBgNVBAMTB1Jvb3QgQ0EwHhcNMTgxMTExMjEzMDAwWhcNNDgx
+MTAzMjEzMDAwWjB5MQswCQYDVQQGEwJYWDERMA8GA1UECBMITG9jYWxpdHkxDTAL
+BgNVBAcTBENpdHkxDzANBgNVBAoTBkNob3JpYTElMCMGA1UECxMcVW5pdCB0ZXN0
+aW5nIEludGVybWVkaWF0ZSBDQTEQMA4GA1UEAxMHUm9vdCBDQTBZMBMGByqGSM49
+AgEGCCqGSM49AwEHA0IABPt/emjXdaHwnClOeT4qCjjPgOy8P5+sWwkV7UvWqDGW
+YozFo0J9Sy5zBDAEdw6vmFA9F1yqx4Huuip4M/yF6USjRTBDMA4GA1UdDwEB/wQE
+AwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBRT2Qng+4kiaIILKMQ1
+n9xNF5Rj3DAKBggqhkjOPQQDAgNIADBFAiEA+4RpvLfS0zX5T/uPXr2vHX7Ws78J
+P/EyAiAYha39SNwCIDuRVsoTy72UtQdSkUAhslporEUNkNtbphynP3DaLZdd
+-----END CERTIFICATE-----

testdata/intermediate/certs/rip.mcollective.pem

@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIDBjCCAqygAwIBAgIUVH5ROCpcZSA1uKg3RUD4/+GdFskwCgYIKoZIzj0EAwIw
+gYExCzAJBgNVBAYTAlhYMREwDwYDVQQIEwhMb2NhbGl0eTENMAsGA1UEBxMEQ2l0
+eTEPMA0GA1UEChMGQ2hvcmlhMSUwIwYDVQQLExxVbml0IHRlc3RpbmcgSW50ZXJt
+ZWRpYXRlIENBMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0EwHhcNMTgxMTExMjEz
+MDAwWhcNMTkxMTExMjEzMDAwWjAaMRgwFgYDVQQDEw9yaXAubWNvbGxlY3RpdmUw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLNagA3ZY7Ohu2MscPPUy1
+Yp8960WQdGUjBCGbN6nFOofGChuTRZXwVLxONWQuXS3fcBFkLQ9gfGBFyGSaYcKq
+A2nYAvsuS46xTa+SkDUFePwE+JY/TcQR1lOLr2iCTqcNOFVaEYPsqaGhSlWnxZ9d
+1sA7enzOb9DnDeHc/SAJII7r3cY3TLzvNqbBLcmfOh3wdA2Eqvosd7/TXcTY2eHQ
+k9a9PJWbFeuLELgnPNROkw/ul0Dl1Vg0wGlr7q6jQFg22N+zZiKRa2740coSyuZ9
+ziWVhW3H+XeWJSQrsmkML7xfTjTNTpPJfh18DWdjJ6mTq8yVkACkAlu3LZZiKd6H
+AgMBAAGjgZwwgZkwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRD5gmqomK9pQOzUE6p
+gbLgBP48JjAfBgNVHSMEGDAWgBTE9RmIwQ7C2pfp37E4djWmkQrMyzAaBgNVHREE
+EzARgg9yaXAubWNvbGxlY3RpdmUwCgYIKoZIzj0EAwIDSAAwRQIgKNywnHJ4NExk
+1w8iwrvGP8bP9oeyoRBqPJjcCPWdNYACIQCyOi4N9N5vMK8QSSEJ2vRizq9neWhX
+Y11phu0xsBIBPQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICYzCCAgmgAwIBAgIUM0jKjSKTjq5eO7N1jAHG+pVH3FUwCgYIKoZIzj0EAwIw
+eTELMAkGA1UEBhMCWFgxETAPBgNVBAgTCExvY2FsaXR5MQ0wCwYDVQQHEwRDaXR5
+MQ8wDQYDVQQKEwZDaG9yaWExJTAjBgNVBAsTHFVuaXQgdGVzdGluZyBJbnRlcm1l
+ZGlhdGUgQ0ExEDAOBgNVBAMTB1Jvb3QgQ0EwHhcNMTgxMTExMjEzMDAwWhcNNDgx
+MTAzMjEzMDAwWjCBgTELMAkGA1UEBhMCWFgxETAPBgNVBAgTCExvY2FsaXR5MQ0w
+CwYDVQQHEwRDaXR5MQ8wDQYDVQQKEwZDaG9yaWExJTAjBgNVBAsTHFVuaXQgdGVz
+dGluZyBJbnRlcm1lZGlhdGUgQ0ExGDAWBgNVBAMTD0ludGVybWVkaWF0ZSBDQTBZ
+MBMGByqGSM49AgEGCCqGSM49AwEHA0IABLrrCCE1cvyKEHwmmKu5x2/eCnR8Qgkk
+/TGi3eygp671u0G9kZOy2MdvgCecHCF/zR/YUPozEILZE9QldXVQWg+jZjBkMA4G
+A1UdDwEB/wQEAwIBpjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBTE9RmI
+wQ7C2pfp37E4djWmkQrMyzAfBgNVHSMEGDAWgBRT2Qng+4kiaIILKMQ1n9xNF5Rj
+3DAKBggqhkjOPQQDAgNIADBFAiEAtH7hxZ7QcPlFnM+YJuptChhGox7fSwwPbnyH
+z7YMKygCIGn4lC2hIXRTk9FHPPCcZSPi8bJ9j5ZgKJO08xh3UGkb
+-----END CERTIFICATE-----

testdata/intermediate/config.json

@@ -0,0 +1,36 @@
+{
+    "signing": {
+        "default": {
+            "expiry": "262800h"
+        },
+        "profiles": {
+            "ca-to-root": {
+                "usages": [
+                    "signing",
+                    "key encipherment",
+                    "cert sign",
+                    "crl sign"
+                ],
+                "ca_constraint": {"is_ca": true, "max_path_len":0, "max_path_len_zero": true},
+                "expiry": "262800h"
+            },
+            "client": {
+                "usages": [
+                    "client auth",
+                    "key encipherment",
+                    "digital signature"
+                ],
+                "expiry": "262800h"
+            },
+            "server": {
+                "usages": [
+                    "server auth",
+                    "client auth",
+                    "key encipherment",
+                    "digital signature"
+                ],
+                "expiry": "262800h"
+            }
+        }
+    }
+}

testdata/intermediate/csr.json

@@ -0,0 +1,10 @@
+{
+    "hosts": [
+        "rip.mcollective"
+    ],
+    "key": {
+        "algo": "rsa",
+        "size": 2048
+    },
+    "names": [ ]
+}

testdata/intermediate/intermediate.json

@@ -0,0 +1,20 @@
+{
+  "CN": "Intermediate CA",
+  "key": {
+    "algo": "ecdsa",
+    "size": 256
+  },
+  "ca": {
+    "expiry": "262800h",
+    "pathlen": 0
+  },
+  "names": [
+    {
+      "C": "XX",
+      "L": "City",
+      "O": "Choria",
+      "OU": "Unit testing Intermediate CA",
+      "ST": "Locality"
+    }
+  ]
+}

testdata/intermediate/root.json

@@ -0,0 +1,20 @@
+{
+  "CN": "Root CA",
+  "key": {
+    "algo": "ecdsa",
+    "size": 256
+  },
+  "ca": {
+    "expiry": "262800h",
+    "pathlen": 1
+  },
+  "names": [
+    {
+      "C": "XX",
+      "L": "City",
+      "O": "Choria",
+      "OU": "Unit testing Intermediate CA",
+      "ST": "Locality"
+    }
+  ]
+}

testdata/intermediate/subject.json

@@ -0,0 +1,4 @@
+{
+    "CN": "rip.mcollective",
+    "names": []
+}