Merge pull request #1012 from 3scale/3.5-merge

3.5 stable to master

Author: mikz

CHANGELOG.md

@@ -6,9 +6,14 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
 
+### Added
+
+- Ability to configure client certificate chain depth [PR #1006](https://github.com/3scale/APIcast/pull/1006)
+
 ### Fixed
 
 - Fixed incorrect description of the `client` attribute in the Keycloak role check policy [PR #1005](https://github.com/3scale/APIcast/pull/1005), [THREESCALE_1867](https://issues.jboss.org/browse/THREESCALE-1867)
+- Segfault when normalizing some client certificates [PR #1006](https://github.com/3scale/APIcast/pull/1006)
 
 ## [3.5.0-rc1] - 2019-03-29
 

doc/parameters.md

@@ -155,6 +155,14 @@ Path to a file with passphrases for the SSL cert keys specified with
 - `on`: reuses SSL sessions.
 - `off`: does not reuse SSL sessions.
 
+### `APICAST_PROXY_HTTPS_VERIFY_DEPTH`
+
+**Default:** 1
+**Values:** positive integers
+
+Defines the maximum length of the client certificate chain.
+If this parameter has 1 as its value, it implies that this length might include one additional certificate (eg. intermediate CA).
+
 ### `APICAST_REPORTING_THREADS`
 
 **Default**: 0  

gateway/http.d/apicast.conf.liquid

@@ -72,6 +72,7 @@ server {
 
   ssl_verify_client optional_no_ca;
   ssl_certificate_by_lua_block { require('apicast.executor'):ssl_certificate() }
+  ssl_verify_depth {{ env.APICAST_HTTPS_VERIFY_DEPTH | default: 1 }};
   {%- endif %}
 
   server_name _;

gateway/src/resty/openssl/x509.lua

@@ -55,7 +55,8 @@ local function normalize_pem_cert(str)
   if not str then return end
   if #(str) == 0 then return end
 
-  return re_gsub(str, [[\s(?!CERTIFICATE)]], '\n', 'oj')
+  -- using also jit compiler (j) will result in a segfault with some certificates
+  return re_gsub(str, [[\s(?!CERTIFICATE)]], '\n', 'o')
 end
 
 function _M.parse_pem_cert(str)

spec/policy/tls_validation/tls_validation_spec.lua

@@ -1,7 +1,7 @@
 local _M = require('apicast.policy.tls_validation')
 
 local server = assert(fixture('CA', 'server.crt'))
-local CA = assert(fixture('CA', 'CA.crt'))
+local CA = assert(fixture('CA', 'intermediate-ca.crt'))
 local client = assert(fixture('CA', 'client.crt'))
 
 describe('tls_validation policy', function()

t/apicast-policy-tls_validation.t

@@ -34,6 +34,8 @@ to_json({
   }]
 });
 --- test env
+proxy_ssl_verify on;
+proxy_ssl_trusted_certificate $TEST_NGINX_SERVER_ROOT/html/ca.crt;
 proxy_ssl_certificate $TEST_NGINX_SERVER_ROOT/html/client.crt;
 proxy_ssl_certificate_key $TEST_NGINX_SERVER_ROOT/html/client.key;
 proxy_pass https://$server_addr:$apicast_port/t;
@@ -60,7 +62,7 @@ to_json({
           { name => 'apicast.policy.tls_validation',
             configuration => {
               whitelist => [
-                { pem_certificate => CORE::join('', read_file('t/fixtures/CA/CA.crt')) }
+                { pem_certificate => CORE::join('', read_file('t/fixtures/CA/intermediate-ca.crt')) }
               ]
             }
           },
@@ -70,6 +72,8 @@ to_json({
   }]
 });
 --- test env
+proxy_ssl_verify on;
+proxy_ssl_trusted_certificate $TEST_NGINX_SERVER_ROOT/html/ca.crt;
 proxy_ssl_certificate $TEST_NGINX_SERVER_ROOT/html/client.crt;
 proxy_ssl_certificate_key $TEST_NGINX_SERVER_ROOT/html/client.key;
 proxy_pass https://$server_addr:$apicast_port/t;
@@ -104,6 +108,8 @@ to_json({
   }]
 });
 --- test env
+proxy_ssl_verify on;
+proxy_ssl_trusted_certificate $TEST_NGINX_SERVER_ROOT/html/ca.crt;
 proxy_ssl_certificate $TEST_NGINX_SERVER_ROOT/html/client.crt;
 proxy_ssl_certificate_key $TEST_NGINX_SERVER_ROOT/html/client.key;
 proxy_pass https://$server_addr:$apicast_port/t;
@@ -138,6 +144,8 @@ to_json({
   }]
 });
 --- test env
+proxy_ssl_verify on;
+proxy_ssl_trusted_certificate $TEST_NGINX_SERVER_ROOT/html/ca.crt;
 proxy_pass https://$server_addr:$apicast_port/t;
 proxy_set_header Host localhost;
 log_by_lua_block { collectgarbage() }
@@ -148,3 +156,43 @@ Invalid certificate verification context
 [error]
 [alert]
 --- user_files fixture=CA/files.pl eval
+
+
+
+=== TEST 5: TLS Client Certificate contains whole certificate chain
+--- env eval
+("APICAST_HTTPS_VERIFY_DEPTH" => 2)
+--- configuration eval
+use JSON qw(to_json);
+use File::Slurp qw(read_file);
+
+to_json({
+  services => [{
+    proxy => {
+        policy_chain => [
+          { name => 'apicast.policy.tls_validation',
+            configuration => {
+              whitelist => [
+                { pem_certificate => CORE::join('', read_file('t/fixtures/CA/intermediate-ca.crt')) }
+              ]
+            }
+          },
+          { name => 'apicast.policy.echo' },
+        ]
+    }
+  }]
+});
+--- test env
+proxy_ssl_verify on;
+proxy_ssl_trusted_certificate $TEST_NGINX_SERVER_ROOT/html/ca.crt;
+proxy_ssl_certificate $TEST_NGINX_SERVER_ROOT/html/client-bundle.crt;
+proxy_ssl_certificate_key $TEST_NGINX_SERVER_ROOT/html/client.key;
+proxy_pass https://$server_addr:$apicast_port/t;
+proxy_set_header Host localhost;
+log_by_lua_block { collectgarbage() }
+--- response_body
+GET /t HTTP/1.0
+--- error_code: 200
+--- no_error_log
+[error]
+--- user_files fixture=CA/files.pl eval

t/fixtures/CA/CA.crt

@@ -0,0 +1,29 @@
+all: client.key client.crt server.key server.crt ca-bundle.crt:
+
+EXPIRATION := 87600h # 10 years 
+
+clean:
+	rm *.crt *.key
+
+# http://smallstep.com
+root-ca.crt root-ca.key:
+	step certificate create root-ca root-ca.crt root-ca.key --profile root-ca \
+		--no-password --insecure --not-after=${EXPIRATION}
+
+intermediate-ca.crt intermediate-ca.key: root-ca.crt root-ca.key
+	step certificate create intermediate-ca intermediate-ca.crt intermediate-ca.key \
+		--profile intermediate-ca --ca ./root-ca.crt --ca-key ./root-ca.key \
+		--no-password --insecure --not-after=${EXPIRATION}
+
+ca-bundle.crt: intermediate-ca.crt root-ca.crt
+	step certificate bundle intermediate-ca.crt root-ca.crt $@
+
+server.crt server.key: intermediate-ca.crt intermediate-ca.key
+	step certificate create server server.crt server.key --profile leaf \
+		--ca ./intermediate-ca.crt --ca-key ./intermediate-ca.key \
+		--san localhost --san test --no-password --insecure --not-after=${EXPIRATION}
+
+client.crt client.key: intermediate-ca.crt intermediate-ca.key
+	step certificate create client client.crt client.key --profile leaf \
+		--ca ./intermediate-ca.crt --ca-key ./intermediate-ca.key \
+		--no-password --insecure --not-after=${EXPIRATION}

t/fixtures/CA/CA.key

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIBkTCCATegAwIBAgIRAPvf2lJeYv9BaUhvVQzCD8wwCgYIKoZIzj0EAwIwEjEQ
+MA4GA1UEAxMHcm9vdC1jYTAeFw0xOTA0MDQxMTMyNTlaFw0yOTA0MDExMTMyNTla
+MBoxGDAWBgNVBAMTD2ludGVybWVkaWF0ZS1jYTBZMBMGByqGSM49AgEGCCqGSM49
+AwEHA0IABAWpNxVoU+FB6ESOOqt1knztvYdjDFlzvtrOPHJz3Meo2JnMUzINPiIV
+FHJkXtSStRKHuB/Lw2vj/gH0AJPg5CKjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNV
+HRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBTaEjeKcCSJEuUcnwUlddtXhKhMcTAf
+BgNVHSMEGDAWgBRfJt1t0sAlUMBwfeTWVv2v4XNcNjAKBggqhkjOPQQDAgNIADBF
+AiBXmwMUs2/CG8UdL4ThgNrZ5k+Jnd6tJagDagjS/1pIEAIhAPOI6vWuaqUU68K6
+2Uvp9lVMDCS6vd3cljqeipcsOYzl
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBZjCCAQ2gAwIBAgIQBHMSmrmlj2QTqgFRa+HP3DAKBggqhkjOPQQDAjASMRAw
+DgYDVQQDEwdyb290LWNhMB4XDTE5MDQwNDExMzI1OVoXDTI5MDQwMTExMzI1OVow
+EjEQMA4GA1UEAxMHcm9vdC1jYTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGG2
+NDgiBuXNVWVVxrDNVjPsKm14wg76w4830Zn3K24u03LJthzsB3RPJN9l+kM7ryjg
+dCenDYANVabMMQEy2iGjRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAG
+AQH/AgEBMB0GA1UdDgQWBBRfJt1t0sAlUMBwfeTWVv2v4XNcNjAKBggqhkjOPQQD
+AgNHADBEAiB+MlaTocrG33AiOE8TrH4N2gVrDBo2fAyJ1qDmjxhWvAIgPOoAoWQ9
+qwUVj52L6/Ptj0Tn4Mt6u+bdVr6jEXkZ8f0=
+-----END CERTIFICATE-----

t/fixtures/CA/Makefile

@@ -1,19 +1,11 @@
 -----BEGIN CERTIFICATE-----
-MIIDHzCCAgegAwIBAgIQNiJmU2AYPhdxAbbSqoQD1DANBgkqhkiG9w0BAQsFADAd
-MRswGQYDVQQDExJBUEljYXN0IHRlc3RpbmcgQ0EwHhcNMTkwMTE2MDYyNDI5WhcN
-MjAwMTE2MDYyNDI5WjARMQ8wDQYDVQQDEwZjbGllbnQwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDR95eHegZny9kFLtiJZmeu7UN/PXP+KblGxkYoOYix
-dI4pc09xufCjcOi1syMLa8BtnKzBUKE8l9Zu71jSnmWnwAaBd1Lqw+qfqHpnZHe4
-lNKvhxnfgS4bi01J/mV3Q9smpPQd1HVboymTOZoqHH2snZRT4R7OML9bS3RLrq6W
-fEPYx5FCT4/CAFKblBrJX3NxqVscDcULQwOqgIkvYM1Uhq7YRQUT+HuiMqU7lDf9
-I/6Klon+vj3f2GJpZ6Uc9rD083V0QcjIztoSInW6tZ07/ZI22gNOxM7qYxGXdMDO
-HIbq2C7TuH4nW5BIUtfv2WnPgag36u2/E5ZJWBSwoa4RAgMBAAGjZzBlMA4GA1Ud
-DwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDAjAdBgNVHQ4EFgQUkaN2kS95
-T6UQhGSPdGvE8BDeKq4wHwYDVR0jBBgwFoAUJD9RABIUSLD30ZMncwmnnmv4azEw
-DQYJKoZIhvcNAQELBQADggEBALCRmd6jY8QyFho55dLx6UVvCw4wUJEp9W8sHfJM
-jycIYIASiQOPN7UIFzAyF+ujOxm2e3Zap+ppQaZ7zfciRaccDE4crsV44pySH5Bk
-53RH1haM92mdwJNSczbPnhSCI64N8rFYUZyocL0/amV3yYepuKu8iIDgnxgSiko6
-d2hBCfq71Pi+1bN004pHVizqvgISk6bRlNfesyrt0+aKn3uWB/+oBvAWzZRCyBPf
-sLiBcG+utOR10Py8vMITa08hKnWWTSYUir2J3iwDWI+8F6pIEGeHEd8BZjFnd10W
-+WPWz11fgjUgafyAdZDbGUqZ28Cjb+PCetSdpCLVt2Tcfqc=
+MIIBmjCCAUCgAwIBAgIQUcZ+JcZiYBkY1+U2Wa3XLDAKBggqhkjOPQQDAjAaMRgw
+FgYDVQQDEw9pbnRlcm1lZGlhdGUtY2EwHhcNMTkwNDA0MTEzMjU5WhcNMjkwNDAx
+MTEzMjU5WjARMQ8wDQYDVQQDEwZjbGllbnQwWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAASsKgVvKiD+TeyRWhs3CBoGmIAFiCNplJ4JVmX7nE53HfBrqEOdnftHllCO
+Dm3VT2/vfFw4bDPsbGFtMZjIpCM8o3EwbzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0l
+BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRxJJmM0Zj+HIBXBkIR
+9YTJkbhFRDAfBgNVHSMEGDAWgBTaEjeKcCSJEuUcnwUlddtXhKhMcTAKBggqhkjO
+PQQDAgNIADBFAiABKzFUTP4MqJAGwPkdid+TCBmSXS+C2FnrSJ6aAjYbWgIhAPV3
+PCV/T+AylMWeL3iPq8FuaXjWNAsTC9aii6g/NAQV
 -----END CERTIFICATE-----

t/fixtures/CA/ca-bundle.crt

@@ -1,27 +1,5 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA0feXh3oGZ8vZBS7YiWZnru1Dfz1z/im5RsZGKDmIsXSOKXNP
-cbnwo3DotbMjC2vAbZyswVChPJfWbu9Y0p5lp8AGgXdS6sPqn6h6Z2R3uJTSr4cZ
-34EuG4tNSf5ld0PbJqT0HdR1W6MpkzmaKhx9rJ2UU+EezjC/W0t0S66ulnxD2MeR
-Qk+PwgBSm5QayV9zcalbHA3FC0MDqoCJL2DNVIau2EUFE/h7ojKlO5Q3/SP+ipaJ
-/r4939hiaWelHPaw9PN1dEHIyM7aEiJ1urWdO/2SNtoDTsTO6mMRl3TAzhyG6tgu
-07h+J1uQSFLX79lpz4GoN+rtvxOWSVgUsKGuEQIDAQABAoIBAE0YnIsiQzfZodZF
-XT0WXPveIuqVpgGtUFqscxZSCd8e7RRLQuB/ZdydmNUe8b8/0WhuHwDcmlelaRdS
-y0qK3si5uanQJqINThlRw6AzQ8KC4tmQwe9Pf56dh8OjpZ4lTFLkPr61RGJhhuKI
-RBMyYvL+6XfjMWyEeb8L9afUfEbEr4bgSsHwOGZrPu8JBOXCq4cHp5Tr/PnERdMp
-wVJl6CHyoba6NbsGsFoCPpuvrLIL5TykxSLsaYqm4ZdN+eCjBp3cU1CNl+0zUkhf
-B6zobztQ5hNSc9NErQK6m7zCAOTNKi1YQYgPigAhbFHURamFG76DNE/EojBDuxKK
-JITfGAECgYEA2U8btbG/mJmgHDZxoAyw/GrG+pgMTfBvJU9VPAtipImov2u+AvON
-RdLg4cg1ZVsgM+kynyBhGwTytpEvFpChqnKXVb5rrJObYXJSxYRF26TEmkfUcWLF
-gHIMIJlp8PloBP3DC1MyKnOPxry0Ye5DI+avWkDy305zAq94TV/Ts3sCgYEA91nX
-7OcVePWdF3ooDfvrjsDkmsPMKyDxJkbrFVoLJ1jhTPD/C8XnWC92RH5z1wpDizhu
-yslpQkTvadJEoR26Df044Jg1rfcfu2S7xd9051aKUL1mLMEu9o+/d+SIy1U8hLU6
-Fjjaj3NVhvUlBQInPQUWh6KeVV3XQ7RfMV5iGOMCgYEAwMWdhjPVDDETyJM/fsRj
-aLfsJbcmCynD3yweJ3LOIboAWTbhy0p0w0ELvx7Ux0HsMkCnaGPX4JkmGnB2fiT1
-VPfsaeLPL7uNdgdth8wMEIl84oPf4GnHXGdPfMe7JEqLTQozsOMvuFrla15RAiLT
-qpBkc8Lz8MZt3i78oF7mtOsCgYEAg08PoLUAIimJTphLwTi2UR83fK1qqo6fVimZ
-zMjzWN0HJdheHPrfmGIBz9StXEAXoUXBEygfF84Opse4JSvpxFlkI17KSGMDVnDg
-eefpYJIBdWFGZ4Xaj4u6IkSRFhhWu0CV6IwgAr1Abxeeom0FNZCI6FI86aaai1eq
-nUO0oe8CgYAuDgnydP5SFs1Dl31NZJkPT6a69jMuCI31LVlwFaBHIZrXPal+5mHo
-mptdZv/pIimbegdoOEky35Bnx2WiCc8VA2npirqeDsqQeyilXHlW2CvDsV5k2XzS
-lSOtg7NUlVJBMJ7+p7VDJEd+YSOEs0+ttcgB1QI4kb+cNZiuycP55g==
------END RSA PRIVATE KEY-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIMOOktLiaoQeRNeEQmDalcIftZdB/GG6G0HmDI7aQ+HEoAoGCCqGSM49
+AwEHoUQDQgAErCoFbyog/k3skVobNwgaBpiABYgjaZSeCVZl+5xOdx3wa6hDnZ37
+R5ZQjg5t1U9v73xcOGwz7GxhbTGYyKQjPA==
+-----END EC PRIVATE KEY-----

t/fixtures/CA/client.crt

@@ -1,8 +1,24 @@
 use File::Slurp qw(read_file);
 
 [
-    [ "server.crt" => CORE::join('', read_file('t/fixtures/CA/server.crt')) ],
+    [ "server.crt" => CORE::join('',
+        read_file('t/fixtures/CA/server.crt'),
+    ) ],
+    [ "server-bundle.crt" => CORE::join('',
+        read_file('t/fixtures/CA/server.crt'),
+        read_file('t/fixtures/CA/intermediate-ca.crt'),
+        read_file('t/fixtures/CA/root-ca.crt'),
+    ) ],
+    [ "ca.crt" => CORE::join('',
+        read_file('t/fixtures/CA/intermediate-ca.crt'),
+        read_file('t/fixtures/CA/root-ca.crt'),
+    ) ],
     [ "server.key" => CORE::join('', read_file('t/fixtures/CA/server.key')) ],
-    [ "client.crt" => CORE::join('', read_file('t/fixtures/CA/client.crt')) ],
+    [ "client.crt" => CORE::join('',read_file('t/fixtures/CA/client.crt')) ],
+    [ "client-bundle.crt" => CORE::join('',
+        read_file('t/fixtures/CA/client.crt'),
+        read_file('t/fixtures/CA/intermediate-ca.crt'),
+        read_file('t/fixtures/CA/root-ca.crt'),
+    ) ],
     [ "client.key" => CORE::join('', read_file('t/fixtures/CA/client.key')) ],
 ]

t/fixtures/CA/client.key

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBkTCCATegAwIBAgIRAPvf2lJeYv9BaUhvVQzCD8wwCgYIKoZIzj0EAwIwEjEQ
+MA4GA1UEAxMHcm9vdC1jYTAeFw0xOTA0MDQxMTMyNTlaFw0yOTA0MDExMTMyNTla
+MBoxGDAWBgNVBAMTD2ludGVybWVkaWF0ZS1jYTBZMBMGByqGSM49AgEGCCqGSM49
+AwEHA0IABAWpNxVoU+FB6ESOOqt1knztvYdjDFlzvtrOPHJz3Meo2JnMUzINPiIV
+FHJkXtSStRKHuB/Lw2vj/gH0AJPg5CKjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNV
+HRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBTaEjeKcCSJEuUcnwUlddtXhKhMcTAf
+BgNVHSMEGDAWgBRfJt1t0sAlUMBwfeTWVv2v4XNcNjAKBggqhkjOPQQDAgNIADBF
+AiBXmwMUs2/CG8UdL4ThgNrZ5k+Jnd6tJagDagjS/1pIEAIhAPOI6vWuaqUU68K6
+2Uvp9lVMDCS6vd3cljqeipcsOYzl
+-----END CERTIFICATE-----

t/fixtures/CA/files.pl

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIHo2cUPeDiROHNEYFm6ljYQOvHdKbleUKzOm8oYWz0aJoAoGCCqGSM49
+AwEHoUQDQgAEBak3FWhT4UHoRI46q3WSfO29h2MMWXO+2s48cnPcx6jYmcxTMg0+
+IhUUcmRe1JK1Eoe4H8vDa+P+AfQAk+DkIg==
+-----END EC PRIVATE KEY-----

t/fixtures/CA/intermediate-ca.crt

@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBZjCCAQ2gAwIBAgIQBHMSmrmlj2QTqgFRa+HP3DAKBggqhkjOPQQDAjASMRAw
+DgYDVQQDEwdyb290LWNhMB4XDTE5MDQwNDExMzI1OVoXDTI5MDQwMTExMzI1OVow
+EjEQMA4GA1UEAxMHcm9vdC1jYTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGG2
+NDgiBuXNVWVVxrDNVjPsKm14wg76w4830Zn3K24u03LJthzsB3RPJN9l+kM7ryjg
+dCenDYANVabMMQEy2iGjRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAG
+AQH/AgEBMB0GA1UdDgQWBBRfJt1t0sAlUMBwfeTWVv2v4XNcNjAKBggqhkjOPQQD
+AgNHADBEAiB+MlaTocrG33AiOE8TrH4N2gVrDBo2fAyJ1qDmjxhWvAIgPOoAoWQ9
+qwUVj52L6/Ptj0Tn4Mt6u+bdVr6jEXkZ8f0=
+-----END CERTIFICATE-----

t/fixtures/CA/intermediate-ca.key

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIHVw+IOhIZzhskNuXFHLQdBtoutotAQioIAniZjAWNwIoAoGCCqGSM49
+AwEHoUQDQgAEYbY0OCIG5c1VZVXGsM1WM+wqbXjCDvrDjzfRmfcrbi7Tcsm2HOwH
+dE8k32X6QzuvKOB0J6cNgA1VpswxATLaIQ==
+-----END EC PRIVATE KEY-----