[prev in list] [next in list] [prev in thread] [next in thread]
List: lprng
Subject: Re: LPRng: Need an OpenSSL expert
From: Rabellino Sergio <rabellino () di ! unito ! it>
Date: 2002-06-19 8:16:46
[Download RAW message or body]
Patrick Powell wrote:
>
> > From lprng@lprng.com Fri Jun 14 07:24:32 2002
> > Date: Fri, 14 Jun 2002 15:15:54 +0200
> > From: Rabellino Sergio <rabellino@di.unito.it>
> > To: lprng@lprng.com
> > Subject: Re: LPRng: Need an OpenSSL expert
> >
> > This is a multi-part message in MIME format.
> > --------------31F088C6826A8CC60CC8D5A8
> > Content-Type: text/plain; charset=us-ascii
> > Content-Transfer-Encoding: 7bit
> >
> > Patrick Powell wrote:
> > >
> > > Ah... an expert.
> > >
> > > OK. Welcome to the joys of "certificate revocation" and 'accept
> > > users with certs signed only by this 'signer' cert'
> > >
> > > Certificate revocation is ugly.
> > > I looked at the way that mod_ssl in Apache did it and was taken
> > > aback.
> > > You need to:
> > > a) set up a 'certificate revocation list/directory MIT Hash Files Yet'
> > > b) Do magic to read the certs in the CRL/CRL Dir
> > > c) Write/add a callback so that on connection/ssl authentication
> > > you check to see if the user/signer is in the revocation list.
> > > (... and there are all sorts of nasty things...)
> > >
> > > Don't forget to use the 'cca' script to 'revoke' the cert,
> > > put the cert into a revocation directory, and create the hash
> > > to it OR append it to a file of revoked certs.
> > >
> > > So... I can go through the pain and agony of handling this a la mod_ssl
> > > in Apache, or I can ... cheat.
> > >
> > > Now I just know that you will say 'write your own authentication callback'.
> > > Nope. I looked at that code in the SSL distribution and it was... ugly.
> > > And that is coming from me who has written some code that was so ugly
> > > that monitors died before they would display it.
> > >
> > > But If I could simply EXTRACT the cert information, then I could
> > > do something more audatious:
> > >
> > > Idea: use the LPRng lpd.perms and add a new option: AUTH_CHAIN
> > >
> > > This would have a value of all subject name and all of the signers
> > > of a cert:
> > >
> > > h110: {33} % openssl x509 -noout -subject -issuer -in signer1.crt
> > > subject= /C=US/ST=California/L=San \
> > > Diego/O=Astart/OU=Signer/CN=signer1/Email=signer1@astart.com issuer= \
> > > /C=US/ST=California/L=San Diego/O=Astart/OU=Certificate Authority/CN=Astart \
> > > CA/Email=ca@astart.com
> > > h110: {34} % openssl x509 -noout -subject -issuer -in user1.crt
> > > issuer= /C=US/ST=California/L=San \
> > > Diego/O=Astart/OU=Signer/CN=signer1/Email=signer1@astart.com subject= \
> > > /C=US/ST=California/L=San \
> > > Diego/O=Astart/OU=User/CN=user1/Email=user1@astart.com
> > > AUTH_CHAIN=
> > > /C=US/ST=California/L=San \
> > > Diego/O=Astart/OU=User/CN=user1/Email=user1@astart.com \
> > > /C=US/ST=California/L=San \
> > > Diego/O=Astart/OU=Signer/CN=signer1/Email=signer1@astart.com \
> > > /C=US/ST=California/L=San Diego/O=Astart/OU=Certificate Authority/CN=Astart \
> > > CA/Email=id@astart.com
> > > (line folded to fit)
> > >
> > > This would represent the signature chain starting from the
> > > bottom of the certificate and going to the top.
> > >
> > > Now you could 'cancel' a user with subject: '/.../ON=jsmith/...' using:
> > > REJECT AUTHTYPE=SSL AUTH_CHAIN=*/ON=jsmith/*
> > >
> > > You probably would put these into a file, say /etc/lpd/ssl/revoke.list
> > >
> > > REJECT AUTHTYPE=SSL AUTH_CHAIN=</etc/lpd/ssl/revoke.list
> > >
> > > You can only accept certs signed by ON=jsmith using:
> > >
> > > REJECT AUTHTYPE=SSL NOT AUTH_CHAIN=*/ON=jsmith/*
> > >
> > > Now, I know that the SSL/OpenSSL community is having the dry
> > > heaves at this method (I feel kinda queasy myself). But this
> > > does have the benefit of allowing you to require a cert to have
> > > a specific signer... and instead of enumerating all of the
> > > allowed certs, to delegate this.
> > >
> > > Patrick Powell Astart Technologies,
> > > papowell@astart.com 9475 Chesapeake Drive, Suite D,
> > > Network and System San Diego, CA 92123
> > > Consulting 858-874-6543 FAX 858-279-8424
> > > LPRng - Print Spooler (http://www.lprng.com)
> > >
> > ....
> >
> > If I understand your way to do the certificate checking, it's completely failing, \
> > because you don't use any of the mechanism along the certificate infrastructure; \
> > so checking only a textual part of the certificate, as the subject or the issuer, \
> > can lead anyone to forge a certificate for the connection.
>
> Ooops... I forgot to mention that I am using the default OpenSSL certificate
> verification.
>
> > The best way to do the job is:
> >
> > 1) A directory with an hashed list of accepted CAs
> Right.
> > 2) A directory with an hashed list of CRL (ideally one for every CA)
> Right.
> >
> > then check every certificate with a "standard" callback function,
> > you don't need to change at all (I've attached a cbf as a full sample,
> > grabbed an adjusted from apps/s_cb.c on openssl distribution)
> >
> > Then if the ssl connection is ok, you have certainly a "legal"
> > certificate passed by the client (as the relative ca chain is legal...).
> > You can now add every check in the code based on the subject or the issuer,
> > as you need.
> >
> > The issuer can be catched with these lines (grabbed from apps/s_server.c on \
> > openssl distribution)
> > peer=SSL_get_peer_certificate(con);
> > X509_NAME_oneline(X509_get_issuer_name(peer),buf,BUFSIZ);
> >
> > where con is the SSL connection handler (SSL*)
> > and buf is a buffer BUFSIZ bytes long, sufficient to hold the issuer string.
>
> Right.
>
> >
> > Hope this help.
> >
> >
> > Dott. Sergio Rabellino
> >
> > Technical Staff
> > Department of Computer Science
> > University of Torino (Italy)
> > Member of the Internet Society
> >
> > http://www.di.unito.it/~rabser
> > Tel. +39-0116706701
> > Fax. +39-011751603
> > --------------31F088C6826A8CC60CC8D5A8
> > Content-Type: text/plain; charset=us-ascii;
> > name="sslutil.c"
> > Content-Transfer-Encoding: 7bit
> > Content-Disposition: inline;
> > filename="sslutil.c"
> >
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <openssl/err.h>
> > #include <openssl/x509.h>
> > #include <openssl/ssl.h>
> >
> > int verify_depth=0;
> > int verify_error=X509_V_OK;
> >
> > int verify_callback(int ok, X509_STORE_CTX *ctx)
> > {
> > char buf[256];
> > X509 *err_cert;
> > int err,depth;
> >
> > err_cert=X509_STORE_CTX_get_current_cert(ctx);
> > err= X509_STORE_CTX_get_error(ctx);
> > depth= X509_STORE_CTX_get_error_depth(ctx);
> >
> > X509_NAME_oneline(X509_get_subject_name(err_cert),buf,256);
> > if (!ok)
> > {
> > if (verify_depth >= depth)
> > {
> > ok=1;
> > verify_error=X509_V_OK;
> > }
> > else
> > {
> > ok=0;
> > verify_error=X509_V_ERR_CERT_CHAIN_TOO_LONG;
> > }
> > }
> > switch (ctx->error)
> > {
> > case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
> > X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,256);
> > break;
> > case X509_V_ERR_CERT_NOT_YET_VALID:
> > case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
> > break;
> > case X509_V_ERR_CERT_HAS_EXPIRED:
> > case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
> > break;
> > }
> > return(ok);
> > }
> >
>
> But you have not set up your revocation lists.
>
> Note that these checks are only done for information in
> the certificates themselves. I looked at the code in
> mod_ssl and discovered:
>
> a) you need to set up and read a revocation file and/or
> the files in a revocation list.
>
> b) When you get a cert chain to check, you need to
> look up the subject and the signer in the revocation
> index/file/directory and make sure that they have
> not been revoked.
>
> If worst comes to worst, then I might be driven to adapt
> the mod_ssl code, but I then need to add in the other parts
> which have to do with the Netscape options, which are done
> in the OpenSSL code but not in the mod_ssl code... Sigh...
>
> Patrick
>
I'll take a look ....
--
Dott. Sergio Rabellino
Technical Staff
Department of Computer Science
University of Torino (Italy)
Member of the Internet Society
http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603
-----------------------------------------------------------------------------
YOU MUST BE A LIST MEMBER IN ORDER TO POST TO THE LPRNG MAILING LIST
The address you post from MUST be your subscription address
If you need help, send email to majordomo@lprng.com (or lprng-requests
or lprng-digest-requests) with the word 'help' in the body. For the impatient,
to subscribe to a list with name LIST, send mail to majordomo@lprng.com
with: | example:
subscribe LIST <mailaddr> | subscribe lprng-digest myname@host.org
unsubscribe LIST <mailaddr> | unsubscribe lprng myname@host.org
If you have major problems, send email to papowell@astart.com with the word
LPRNGLIST in the SUBJECT line.
-----------------------------------------------------------------------------
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic