Fix issue where cert chain is not taken into account in mTLS authentication (#467)
massakam authored Dec 19, 2024
1 parent aeff955 commit 4ba83e8
Showing 12 changed files with 411 additions and 259 deletions.
3 changes: 2 additions & 1 deletion build-support/start-mim-test-service-inside-container.sh
@@ -76,7 +76,8 @@ put tenants/private '{
put namespaces/private/auth '{
"auth_policies": {
"namespace_auth": {
"token-principal": ["produce", "consume"]
"token-principal": ["produce", "consume"],
"chained-client": ["produce", "consume"]
}
},
"replication_clusters": ["standalone"]
3 changes: 2 additions & 1 deletion build-support/start-test-service-inside-container.sh
@@ -134,7 +134,8 @@ put tenants/private '{
put namespaces/private/auth '{
"auth_policies": {
"namespace_auth": {
"token-principal": ["produce", "consume"]
"token-principal": ["produce", "consume"],
"chained-client": ["produce", "consume"]
}
},
"replication_clusters": ["standalone"]
4 changes: 2 additions & 2 deletions lib/ClientConnection.cc
@@ -253,11 +253,11 @@ ClientConnection::ClientConnection(const std::string& logicalAddress, const std:
throw ResultAuthenticationError;
}
ctx.use_private_key_file(tlsPrivateKey, ASIO::ssl::context::pem);
ctx.use_certificate_file(tlsCertificates, ASIO::ssl::context::pem);
ctx.use_certificate_chain_file(tlsCertificates);
} else {
if (file_exists(tlsPrivateKey) && file_exists(tlsCertificates)) {
ctx.use_private_key_file(tlsPrivateKey, ASIO::ssl::context::pem);
ctx.use_certificate_file(tlsCertificates, ASIO::ssl::context::pem);
ctx.use_certificate_chain_file(tlsCertificates);
}
}

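Review bot: switching to `use_certificate_chain_file` is the right fix for a PEM file that carries the leaf plus intermediates (the old `use_certificate_file` only ever loaded the first certificate), but error handling stays uneven in both branches: `use_certificate_chain_file`, like `use_private_key_file` beside it, throws a system_error on a malformed file, while the missing-file case just above throws `ResultAuthenticationError`. Consider the error_code overloads, e.g. `ctx.use_certificate_chain_file(tlsCertificates, ec);` followed by `if (ec) throw ResultAuthenticationError;`, so callers see one failure type. A short comment that the file must be ordered leaf certificate first, then intermediates, would also help, since OpenSSL builds the chain in file order. Finally, the key is loaded before the chain, so a key/certificate mismatch is not reported at load time; calling `SSL_CTX_check_private_key(ctx.native_handle())` after both loads gives an early, clearer failure instead of a handshake error.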
134 changes: 51 additions & 83 deletions test-conf/broker-cert.pem
@@ -1,16 +1,17 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4098 (0x1002)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=California, L=Palo Alto, O=Apache Software Foundation, OU=Pulsar, CN=Pulsar CA/[email protected]
Serial Number:
53:f8:da:b4:2b:b3:53:ff:db:96:69:f4:54:4b:8c:94:c9:24:d4:32
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=California, O=Apache Software Foundation, OU=Pulsar, CN=Pulsar CA/[email protected]
Validity
Not Before: Feb 17 17:00:44 2021 GMT
Not After : Feb 12 17:00:44 2041 GMT
Not Before: Dec 18 06:29:25 2024 GMT
Not After : Dec 13 06:29:25 2044 GMT
Subject: C=US, ST=California, O=Apache Software Foundation, OU=Pulsar, CN=localhost/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
RSA Public-Key: (2048 bit)
Modulus:
00:9b:2a:6f:24:02:23:f7:ff:e6:75:61:ca:07:a8:
c0:ab:e9:8d:eb:51:2e:64:f7:9e:9b:d4:b4:be:3a:
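Review bot: the regenerated broker certificate changes the issuer DN (L=Palo Alto is gone) and moves to a random 20-byte serial, which only works if the CA certificate that clients trust was regenerated in the same commit; that cannot be verified from this fixture alone. Please commit the openssl commands or script used to produce the new chain next to the PEM files so the fixtures are reproducible, and note there that the 20-year validity (Dec 2024 to Dec 2044) is intentional for test data.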
@@ -32,86 +33,53 @@ Certificate:
5e:cd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
49:3C:B2:98:30:CE:7F:79:7A:C6:8B:57:CA:24:9F:12:82:1E:5D:EF
X509v3 Authority Key Identifier:
keyid:D2:B2:3D:B1:A4:7C:48:4B:36:E1:A7:DE:D8:FC:BA:92:BA:A7:C4:71
DirName:/C=US/ST=California/L=Palo Alto/O=Apache Software Foundation/OU=Pulsar/CN=Pulsar CA/[email protected]
serial:52:7B:B4:00:96:60:B4:26:85:BE:01:82:B8:B8:E2:8C:72:EF:5B:90
X509v3 Authority Key Identifier:
keyid:9C:66:A6:5E:95:A5:D7:72:6E:11:76:44:43:35:B4:61:FB:70:27:6F

X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
Signature Algorithm: sha256WithRSAEncryption
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
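Review bot: compared with the certificate it replaces, the regenerated one drops the X509v3 Key Usage (Digital Signature, Key Encipherment) and Extended Key Usage (TLS Web Server Authentication) extensions and the Netscape SSL Server type, and the Netscape Comment now reads "OpenSSL Generated Certificate" rather than "Server Certificate". The test broker will still serve TLS with it, but a leaf without a serverAuth EKU is less representative of production broker certificates and will be rejected by clients or proxies that enforce EKU. Suggest regenerating with the server extension profile (keyUsage = digitalSignature, keyEncipherment; extendedKeyUsage = serverAuth) so the chain fix is exercised against a realistic server certificate.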