Merge pull request #31 from insight-platform/issue-30
Resolves #30. Make CRL check optional while verifying peer certificates.
ksenia-vazhdaeva authored Aug 6, 2024
2 parents 2f78441 + 8dce241 commit 4ac0b4b
Showing 6 changed files with 43 additions and 14 deletions.
5 changes: 4 additions & 1 deletion benches/config/server_tls_config.json
Expand Up @@ -6,7 +6,10 @@
"certificate": "/etc/certs/server.crt",
"key": "/etc/certs/server.key"
},
"peer_lookup_hash_directory": "/etc/certs/lookup-hash-dir"
"peers": {
"lookup_hash_directory": "/etc/certs/lookup-hash-dir",
"crl_enabled": true
}
},
"out_stream": {
"url": "pub+bind:ipc:///tmp/server",
5 changes: 4 additions & 1 deletion docs/source/cookbook/1_tls.rst
Expand Up @@ -120,7 +120,10 @@ To enable client certificate authentication in Media Gateway update both server
"tls": {
// see HTTPS section
"peer_lookup_hash_directory" : "/opt/etc/certs/lookup-hash-dir"
"peers": {
"lookup_hash_directory" : "/opt/etc/certs/lookup-hash-dir",
"crl_enabled": true
}
}
.. code-block:: json
10 changes: 8 additions & 2 deletions docs/source/getting_started/0_configuration.rst
Expand Up @@ -251,9 +251,15 @@ tls
* - identity.key
- A path to a private key for the certificate.
- yes
* - peer_lookup_hash_directory
- A directory with certificates and CRLs to verify client certificates. See `X509_LOOKUP_hash_dir method <https://www.openssl.org/docs/man1.1.1/man3/X509_LOOKUP_hash_dir.html>`_ for more details.
* - peers
- Settings to verify peer certificates.
- no
* - peers.lookup_hash_directory
- A directory with certificates and CRLs to verify client certificates. See `X509_LOOKUP_hash_dir method <https://www.openssl.org/docs/man1.1.1/man3/X509_LOOKUP_hash_dir.html>`_ for more details.
- yes
* - peers.crl_enabled
- ``true`` if CRLs must be checked during client certificate verification, ``false`` otherwise.
- yes

statistics
^^^^^^^^^^
24 changes: 16 additions & 8 deletions media_gateway_server/src/main.rs
Expand Up @@ -173,21 +173,29 @@ fn main() -> Result<()> {
builder.set_private_key_file(ssl_conf.identity.key, SslFiletype::PEM)?;
builder.set_certificate_chain_file(ssl_conf.identity.certificate)?;

builder = if let Some(peer_lookup_hash_directory) = &ssl_conf.peer_lookup_hash_directory {
builder = if let Some(peer_tls_conf) = &ssl_conf.peers {
let mut cert_store_builder = X509StoreBuilder::new().unwrap();

let lookup_method = X509Lookup::hash_dir();
let lookup = cert_store_builder.add_lookup(lookup_method).unwrap();
lookup
.add_dir(peer_lookup_hash_directory.as_str(), SslFiletype::PEM)
.add_dir(
peer_tls_conf.lookup_hash_directory.as_str(),
SslFiletype::PEM,
)
.unwrap();

cert_store_builder
.set_flags(X509VerifyFlags::from_iter(vec![
X509VerifyFlags::CRL_CHECK,
X509VerifyFlags::CRL_CHECK_ALL,
]))
.unwrap();
let cert_store_builder = if peer_tls_conf.crl_enabled {
cert_store_builder
.set_flags(X509VerifyFlags::from_iter(vec![
X509VerifyFlags::CRL_CHECK,
X509VerifyFlags::CRL_CHECK_ALL,
]))
.unwrap();
cert_store_builder
} else {
cert_store_builder
};

builder
.set_verify_cert_store(cert_store_builder.build())
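Review bot: The new `let cert_store_builder = if peer_tls_conf.crl_enabled { … } else { … }` at the end of the hunk rebinds the builder only to hand it back unchanged from both arms, and keeps `.unwrap()` on `set_flags` although `main` returns `Result<()>` and the `set_private_key_file` / `set_certificate_chain_file` calls just above already propagate the same OpenSSL error with `?`. Because `set_flags` takes `&mut self`, a plain `if` with `?` covers the same behaviour in four lines, and the two flags can be combined with `|` instead of `from_iter(vec![…])` if `X509VerifyFlags` is the bitflags type the openssl crate exports. When `crl_enabled` is false, peer certificates are accepted without any revocation check; if a logger is already in scope in this file, a single startup line in the disabled case (e.g. `CRL check disabled for peer certificate verification`) would make that state visible to operators. `main` begins before this hunk and continues after it.

```rust
    // … unchanged: lookup.add_dir(peer_tls_conf.lookup_hash_directory …) …

    if peer_tls_conf.crl_enabled {
        cert_store_builder
            .set_flags(X509VerifyFlags::CRL_CHECK | X509VerifyFlags::CRL_CHECK_ALL)?;
    }

    // … unchanged: builder.set_verify_cert_store(cert_store_builder.build()) …
```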
8 changes: 7 additions & 1 deletion media_gateway_server/src/server/configuration.rs
Expand Up @@ -30,7 +30,13 @@ impl GatewayConfiguration {
#[derive(Debug, Serialize, Deserialize)]
pub struct ServerTlsConfiguration {
pub identity: Identity,
pub peer_lookup_hash_directory: Option<String>,
pub peers: Option<PeerTlsConfiguration>,
}

#[derive(Debug, Serialize, Deserialize)]
pub struct PeerTlsConfiguration {
pub lookup_hash_directory: String,
pub crl_enabled: bool,
}

#[derive(Debug, Serialize, Deserialize)]
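Review bot: `ServerTlsConfiguration` and the new `PeerTlsConfiguration` derive `Deserialize` with no `#[serde(deny_unknown_fields)]`, so as far as these derives show an unrecognised key is dropped silently, and since `peers` is an `Option` a misspelled key (the samples file in this same commit writes `"peer"`) deserializes as `peers: None`, leaving client certificate verification unconfigured with no error at startup. Adding `#[serde(deny_unknown_fields)]` above both structs turns that into a parse failure; keeping `crl_enabled` a required `bool` rather than giving it a default is good for the same reason, as an omitted setting then fails loudly instead of silently skipping revocation checks. A doc comment on the field, such as `/// When false, peer certificates are accepted without consulting the CRLs in lookup_hash_directory.`, would tell readers of the struct what the flag trades away. The `impl GatewayConfiguration` in the hunk header is context only; both structs are fully inside the hunk.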
5 changes: 4 additions & 1 deletion samples/configuration/server/certificate_auth_config.json
Expand Up @@ -6,7 +6,10 @@
"certificate": "server.crt",
"key": "server.key"
},
"peer_lookup_hash_directory": "lookup-hash-dir"
"peer": {
"lookup_hash_directory": "lookup-hash-dir",
"crl_enabled": true
}
},
"out_stream": {
"url": "pub+bind:ipc:///tmp/server",
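Review bot: The key added at the top of this hunk is `"peer"`, while the struct field in configuration.rs and the other two configuration files in this commit use `"peers"`; with an `Option` field and default serde behaviour this sample would load with no peer settings at all, so the sample named for certificate authentication would run with that authentication off. Change the line to `"peer": {` → `"peers": {`.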
