From 17f8e6ed29aa3b58148076a026d4aff18c2109b2 Mon Sep 17 00:00:00 2001
From: Francesco Giacomini <giaco at cnaf dot infn dot it>
Date: Wed, 13 Mar 2019 17:26:37 +0100
Subject: [PATCH] configure openssl to accept proxy certs fix issue #19
---
 docker/assets/nginx.conf | 1 -
 src/ngx_http_voms_module.cpp | 48 ++++++++++++++++++++++++++++++------
 t/eec_cert.t | 1 -
 t/eec_subject.t | 4 --
 t/encoding.t | 1 -
 t/expired.t | 1 -
 t/expired_ac.t | 1 -
 t/no_ac.t | 1 -
 t/no_ssl.t | 1 -
 t/no_ta.t | 1 -
 t/ssl_no_client_authn.t | 1 -
 t/untrusted_ac.t | 2 --
 t/valid_ac.t | 1 -
 13 files changed, 40 insertions(+), 24 deletions(-)
diff --git a/docker/assets/nginx.conf b/docker/assets/nginx.conf
index 5058369..d5135ff 100644
--- a/docker/assets/nginx.conf
+++ b/docker/assets/nginx.conf
@@ -1,7 +1,6 @@
 user build;
 worker_processes 1;
-env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=/vomsdir;
 error_log logs/error.log warn;
diff --git a/src/ngx_http_voms_module.cpp b/src/ngx_http_voms_module.cpp
index 6f657c1..465fa96 100644
--- a/src/ngx_http_voms_module.cpp
+++ b/src/ngx_http_voms_module.cpp
@@ -38,16 +38,18 @@ using MaybeVomsAc = boost::optional<VomsAc>;
 enum class EeDn { SUBJECT, ISSUER };
 static ngx_int_t add_variables(ngx_conf_t* cf);
+static ngx_int_t ngx_ssl_allow_proxy_certs(ngx_ssl_t* ssl);
+static char* ngx_http_voms_merge_srv_conf(ngx_conf_t* cf, void*, void*);
 static ngx_http_module_t ctx = {
- add_variables, // preconfiguration
- NULL, // postconfiguration
- NULL, // create main configuration
- NULL, // init main configuration
- NULL, // create server configuration
- NULL, // merge server configuration
- NULL, // create location configuration
- NULL // merge location configuration
+ add_variables, // preconfiguration
+ NULL, // postconfiguration
+ NULL, // create main configuration
+ NULL, // init main configuration
+ NULL, // create server configuration
+ ngx_http_voms_merge_srv_conf, // merge server configuration
+ NULL, // create location configuration
+ NULL // merge location configuration
 };
 ngx_module_t ngx_http_voms_module = {
@@ -224,6 +226,36 @@ static ngx_int_t add_variables(ngx_conf_t* cf)
 return NGX_OK;
 }
+static ngx_int_t ngx_ssl_allow_proxy_certs(ngx_ssl_t* ssl)
+{
+ X509_STORE* store = SSL_CTX_get_cert_store(ssl->ctx);
+ if (store == NULL) {
+ ngx_ssl_error(NGX_LOG_EMERG,
+ ssl->log,
+ 0,
+ const_cast<char*>("SSL_CTX_get_cert_store() failed"));
+ return NGX_ERROR;
+ }
+
+ X509_STORE_set_flags(store, X509_V_FLAG_ALLOW_PROXY_CERTS);
+
+ return NGX_OK;
+}
+
+static char* ngx_http_voms_merge_srv_conf(ngx_conf_t* cf, void*, void*)
+{
+ auto conf = static_cast<ngx_http_ssl_srv_conf_t*>(
+ ngx_http_conf_get_module_srv_conf(cf, ngx_http_ssl_module));
+
+ if (conf->ssl.ctx != nullptr) {
+ if (ngx_ssl_allow_proxy_certs(&conf->ssl) != NGX_OK) {
+ return static_cast<char*>(NGX_CONF_ERROR);
+ }
+ }
+
+ return NGX_CONF_OK;
+}
+
 // return the first AC, if present
 static MaybeVomsAc retrieve_voms_ac_from_proxy(ngx_http_request_t* r)
 {
diff --git a/t/eec_cert.t b/t/eec_cert.t
index 6368491..12c1179 100644
--- a/t/eec_cert.t
+++ b/t/eec_cert.t
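Review bot: ngx_http_voms_merge_srv_conf sets X509_V_FLAG_ALLOW_PROXY_CERTS on the cert store of every server block that has an ssl.ctx, so the removed `env OPENSSL_ALLOW_PROXY_CERTS=1` opt-in becomes an unconditional, instance-wide change: any TLS vhost in a build that includes this module now accepts RFC 3820 proxy certificates wherever client certificate verification is enabled, including servers that never read the VOMS variables. If that widening is intended, the function should say so, e.g. `// Accepts proxy certificates on every ssl-enabled server block; there is no per-server opt-out, so non-VOMS vhosts with client verification are affected too.`; otherwise gating the call behind a module directive would scope it to the servers that need it. The handler also ignores its prev/conf arguments and reads ngx_http_ssl_module's srv conf directly, which presumably relies on that module's merge having already created ssl.ctx, and the `conf->ssl.ctx != nullptr` guard makes a wrong module order indistinguishable from a server with no ssl at all — a comment on the guard should record that ordering assumption. Minor style point: `store == NULL` in ngx_ssl_allow_proxy_certs sits next to `!= nullptr` in the sibling function added by the same hunk.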
@@ -6,7 +6,6 @@ __DATA__
 === TEST 1: rfc proxy certificate, no AC
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 env X509_CERT_DIR=t/trust-anchors;
 --- http_config
diff --git a/t/eec_subject.t b/t/eec_subject.t
index a1e316e..65980d0 100644
--- a/t/eec_subject.t
+++ b/t/eec_subject.t
@@ -6,7 +6,6 @@ __DATA__
 === TEST 1: rfc proxy certificate, no AC
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 env X509_CERT_DIR=t/trust-anchors;
 --- http_config
@@ -40,7 +39,6 @@ CN=Test CA,O=IGI,C=IT
 === TEST 2: standard x.509 certificate
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 env X509_CERT_DIR=t/trust-anchors;
 --- http_config
@@ -78,7 +76,6 @@ CN=Test CA,O=IGI,C=IT
 === TEST 3: three delegations proxy
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 env X509_CERT_DIR=t/trust-anchors;
 --- http_config
@@ -113,7 +110,6 @@ CN=Test CA,O=IGI,C=IT
 === TEST 4: three delegations proxy + CA cert
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 env X509_CERT_DIR=t/trust-anchors;
 --- http_config
diff --git a/t/encoding.t b/t/encoding.t
index c766381..e3685f4 100644
--- a/t/encoding.t
+++ b/t/encoding.t
@@ -7,7 +7,6 @@ __DATA__
 === TEST 1: valid AC, verification of VOMS generic attributes encoding
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 env X509_CERT_DIR=t/trust-anchors;
 --- http_config
diff --git a/t/expired.t b/t/expired.t
index f3ac305..517a010 100644
--- a/t/expired.t
+++ b/t/expired.t
@@ -7,7 +7,6 @@ __DATA__
 === TEST 1: https with x509 client authentication, expired client certificate
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 --- http_config
 server {
 error_log logs/error.log debug;
diff --git a/t/expired_ac.t b/t/expired_ac.t
index 348cb1f..f1ae64f 100644
--- a/t/expired_ac.t
+++ b/t/expired_ac.t
@@ -7,7 +7,6 @@ __DATA__
 === TEST 1: https with x509 client authentication, valid proxy certificate with expired VOMS attributes
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 env X509_CERT_DIR=t/trust-anchors;
 --- http_config
diff --git a/t/no_ac.t b/t/no_ac.t
index 677673d..27080ab 100644
--- a/t/no_ac.t
+++ b/t/no_ac.t
@@ -7,7 +7,6 @@ __DATA__
 === TEST 1: https with x509 client authentication, valid proxy certificate with no VOMS attributes
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 --- http_config
 server {
diff --git a/t/no_ssl.t b/t/no_ssl.t
index 1ae8c64..ea3fea8 100644
--- a/t/no_ssl.t
+++ b/t/no_ssl.t
@@ -7,7 +7,6 @@ __DATA__
 === TEST 1: HTTP connection, no SSL
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 --- http_config
 server {
diff --git a/t/no_ta.t b/t/no_ta.t
index 441430a..28e5da3 100644
--- a/t/no_ta.t
+++ b/t/no_ta.t
@@ -7,7 +7,6 @@ __DATA__
 === TEST 1: Valid proxy, wrong client trust-anchor
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 env X509_CERT_DIR=t/trust-anchors;
 --- http_config
diff --git a/t/ssl_no_client_authn.t b/t/ssl_no_client_authn.t
index d30f87f..f7465d0 100644
--- a/t/ssl_no_client_authn.t
+++ b/t/ssl_no_client_authn.t
@@ -7,7 +7,6 @@ __DATA__
 === TEST 1: HTTPS with no X.509 client authentication
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 --- http_config
 server {
diff --git a/t/untrusted_ac.t b/t/untrusted_ac.t
index f7a97b3..4aec7b1 100644
--- a/t/untrusted_ac.t
+++ b/t/untrusted_ac.t
@@ -7,7 +7,6 @@ __DATA__
 === TEST 1: https with x509 client authentication, untrusted AC signature LSC missing
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 env X509_CERT_DIR=t/trust-anchors;
 --- http_config
@@ -41,7 +40,6 @@ Cannot verify AC signature
 === TEST 2: Valid proxy, VOMS trust-anchor missing
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 env X509_CERT_DIR=t;
 --- http_config
diff --git a/t/valid_ac.t b/t/valid_ac.t
index 60aceaf..5241d3f 100644
--- a/t/valid_ac.t
+++ b/t/valid_ac.t
@@ -7,7 +7,6 @@ __DATA__
 === TEST 1: valid AC, verification of valid VOMS attributes extracted by ngx_http_voms_module
 --- main_config
- env OPENSSL_ALLOW_PROXY_CERTS=1;
 env X509_VOMS_DIR=t/vomsdir;
 env X509_CERT_DIR=t/trust-anchors;
 --- http_config
--
GitLab