Commit c4551e21 authored by Leigh Stoller's avatar Leigh Stoller

Do a check on the certificate presented to make sure the SSL chain verifies. This handles the current (today) problem of Geni Portal users presenting certs signed by an expired CA cert.
parent abec1aac
#!/usr/bin/perl -w
#
# Copyright (c) 2008-2015 University of Utah and the Flux Group.
# Copyright (c) 2008-2018 University of Utah and the Flux Group.
#
# {{{GENIPUBLIC-LICENSE
#
......@@ -37,10 +37,11 @@ use Data::Dumper;
#
sub usage()
{
print STDERR "Usage: $0 <cert file>\n";
print STDERR "Usage: $0 [-e] <cert file>\n";
exit(1);
}
my $optlist = "";
my $optlist = "e";
my $chainonly = 0;
# Configure ...
my $TB = "@prefix@";
......@@ -66,6 +67,9 @@ my %options = ();
if (! getopts($optlist, \%options)) {
usage();
}
if (defined($options{"e"})) {
$chainonly = 1;
}
usage()
if (@ARGV != 1);
my $certfile = $ARGV[0];
......@@ -77,6 +81,8 @@ if (!defined($certificate)) {
if ($certificate->VerifySSLChain()) {
fatal("Could not verify certificate");
}
exit(0)
if ($chainonly);
#
# We now know the the root cert, make sure its us.
#
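Review bot: The `-e` early exit at `exit(0) if ($chainonly);` returns success as soon as `VerifySSLChain()` passes and skips the "root cert must be us" check that follows, but nothing in the hunk records why that is acceptable. Judging from the PHP caller in this commit, `-e` is passed only when no local user is given, so the intent is presumably "a valid chain under any trusted root is enough"; that should be stated next to the exit, e.g. `# -e: caller only needs a verified chain (non-local user), so skip the root-must-be-us check below.` Whether an expired CA cert in the chain is actually rejected here depends on what `VerifySSLChain()` does, which is outside this hunk; if it walks the chain without checking validity dates, the fatal on the preceding line will not catch the case the commit message describes. The top-level script continues past the end of the hunk.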
<?php
#
# Copyright (c) 2000-2017 University of Utah and the Flux Group.
# Copyright (c) 2000-2018 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -114,6 +114,14 @@ function Do_CreateSecret()
}
$certificate = $ajax_args["certificate"];
#
# Watch for an expired or invalid certificate.
#
if (VerifyLocalUser(null, $certificate)) {
SPITAJAX_ERROR(1, "Cannot verify your certificate");
return;
}
if (!isset($ajax_args["r1_encrypted"])) {
SPITAJAX_ERROR(1, "Missing encrypted random string");
return;
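Review bot: The new check at `if (VerifyLocalUser(null, $certificate))` writes a temp file and forks `webverifycert` through SUEXEC before the cheap `isset($ajax_args["r1_encrypted"])` check that follows, so a request missing its other arguments still pays for the subprocess; moving the certificate verification below the remaining argument checks keeps the expensive step last. The comment `# Watch for an expired or invalid certificate.` also claims more than this hunk shows: with `$user` null the helper runs `webverifycert -e`, which on the Perl side exits 0 as soon as the chain verifies, so whether an expired leaf or CA certificate is rejected depends on `VerifySSLChain()` rather than on this code; `# Reject certificates whose chain does not verify (webverifycert -e).` would be the accurate wording. The rest of Do_CreateSecret lies outside the hunk.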
......@@ -473,13 +481,14 @@ function UpdateCredentials($user, $cert, $cred, &$error)
function VerifyLocalUser($user, $cert)
{
$certfile = tempnam("/tmp", "cert");
$args = ($user ? "" : "-e");
$fp = fopen($certfile, "w");
fwrite($fp, $cert);
fclose($fp);
chmod($certfile, 0666);
$retval = SUEXEC("nobody", "nobody", "webverifycert $certfile",
$retval = SUEXEC("nobody", "nobody", "webverifycert $args $certfile",
SUEXEC_ACTION_CONTINUE);
unlink($certfile);
if ($retval)