Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MINIFICPP-1070 - Fixed handling of PKCS12 certificates #666

Closed
wants to merge 1 commit into from
Closed

MINIFICPP-1070 - Fixed handling of PKCS12 certificates #666

wants to merge 1 commit into from

Conversation

asdaraujo
Copy link
Contributor

There are two issues fixed in this commit:

  • SSLContextService was ignoring additional certs in the P12
    file, which was preventing the server to establish trust of
    the client certificate when it was signed by an intermediate
    CA.
  • TLSSocket only supported PEM certificates. It has been changed
    to delegate the handling of cert files to the SSLContextService.

Thank you for submitting a contribution to Apache NiFi - MiNiFi C++.

In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:

For all changes:

  • Is there a JIRA ticket associated with this PR? Is it referenced
    in the commit message?

  • Does your PR title start with MINIFICPP-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.

  • Has your PR been rebased against the latest commit within the target branch (typically master)?

  • Is your initial contribution a single, squashed commit?

For code changes:

  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE file?
  • If applicable, have you updated the NOTICE file?

For documentation related changes:

  • Have you ensured that format looks appropriate for the output in which it is rendered?

Note:

Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.

@asdaraujo
Copy link
Contributor Author

I've tested the changes with PEM and PKCS12 certs, signed directly with a root CA as well as with an intermediate and all the combinations work well.

arpadboda
arpadboda reviewed Oct 22, 2019
View reviewed changes
libminifi/src/controllers/SSLContextService.cpp
@@ -80,7 +82,16 @@ bool SSLContextService::configure_ssl_context(SSL_CTX *ctx) {
X509_free(cert);
Copy link
Contributor

@arpadboda arpadboda Oct 22, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My gut feeling says that whenever we do this we leak the page pointed by "ca".
PKCS12_parse allocates that as well, so I think we need to free it.

I would also prefer using scope guards for the resources here to avoid leaks.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed the code to use scope guards.

libminifi/src/controllers/SSLContextService.cpp Outdated
logging::LOG_ERROR(logger_) << "Failed to set additional certificate from " << certificate << ", " << getLatestOpenSSLErrorString();
EVP_PKEY_free(pkey);
X509_free(cacert);
return false;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So we iterate through "ca" and free one of the certs in case of error and leave the rest. This definitely feels wrong.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed this with scope guard as well

arpadboda
arpadboda reviewed Oct 23, 2019
View reviewed changes
Copy link
Contributor

@arpadboda arpadboda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Look good, nice work, thanks!

The changes you added are indented with tabs instead of 2 spaces. Please fix that (preferably also in your IDE), otherwise I’m happy to merge.

@arpadboda
Copy link
Contributor

@asdaraujo : according to CI it seems security related tests fail with segfault.

You can execute them with the following command:

ctest --parallel 12

Please make sure they pass!

@asdaraujo
Copy link
Contributor Author

Thanks, @arpadboda ! Fixed the tabs and the segfault.

@arpadboda
Copy link
Contributor

arpadboda commented Oct 24, 2019
edited
Loading

Looks good, will merge soon, thanks!

@asdaraujo : next time please take a look at linter errors! (You can run linter by executing "make linter"). Will fix the current ones when merging.

/Users/travis/build/apache/nifi-minifi-cpp/libminifi/src//controllers/SSLContextService.cpp:101:  An else should appear on the same line as the preceding }  [whitespace/newline] [4]

/Users/travis/build/apache/nifi-minifi-cpp/libminifi/src//controllers/SSLContextService.cpp:101:  If an else has a brace on one side, it should have it on both  [readability/braces] [5]

/Users/travis/build/apache/nifi-minifi-cpp/libminifi/src//controllers/SSLContextService.cpp:31:  Unexpected \r (^M) found; better to use only \n  [whitespace/newline] [1]

/Users/travis/build/apache/nifi-minifi-cpp/libminifi/src//controllers/SSLContextService.cpp:73:  Unexpected \r (^M) found; better to use only \n  [whitespace/newline] [1]

/Users/travis/build/apache/nifi-minifi-cpp/libminifi/src//controllers/SSLContextService.cpp:87:  Unexpected \r (^M) found; better to use only \n  [whitespace/newline] [1]

/Users/travis/build/apache/nifi-minifi-cpp/libminifi/src//controllers/SSLContextService.cpp:88:  Unexpected \r (^M) found; better to use only \n  [whitespace/newline] [1]

/Users/travis/build/apache/nifi-minifi-cpp/libminifi/src//controllers/SSLContextService.cpp:89:  Unexpected \r (^M) found; better to use only \n  [whitespace/newline] [1]

/Users/travis/build/apache/nifi-minifi-cpp/libminifi/src//controllers/SSLContextService.cpp:90:  Unexpected \r (^M) found; better to use only \n  [whitespace/newline] [1]

/Users/travis/build/apache/nifi-minifi-cpp/libminifi/src//controllers/SSLContextService.cpp:91:  Unexpected \r (^M) found; better to use only \n  [whitespace/newline] [1]

/Users/travis/build/apache/nifi-minifi-cpp/libminifi/src//controllers/SSLContextService.cpp:92:  Unexpected \r (^M) found; better to use only \n  [whitespace/newline] [1]

/Users/travis/build/apache/nifi-minifi-cpp/libminifi/src//controllers/SSLContextService.cpp:93:  Unexpected \r (^M) found; better to use only \n  [whitespace/newline] [1]

/Users/travis/build/apache/nifi-minifi-cpp/libminifi/src//controllers/SSLContextService.cpp:94:  Unexpected \r (^M) found; better to use only \n  [whitespace/newline] [1]

@asdaraujo
MINIFICPP-1070 - Fixed handling of PKCS12 certificates
64c9927 
There are two issues fixed in this commit:

* SSLContextService was ignoring additional certs in the P12
  file, which was preventing the server to establish trust of
  the client certificate when it was signed by an intermediate
  CA.
* TLSSocket only supported PEM certificates. It has been changed
  to delegate the handling of cert files to the SSLContextService.
@asdaraujo
Copy link
Contributor Author

Thanks, @arpadboda, and thanks for the linter tip. I'm sending an update with the linter errors fixed.

@arpadboda
Copy link
Contributor

Merged, just forgot to close in scope of that commit ( aabcbee )

Manually closing now.

Thanks again @asdaraujo !

@arpadboda arpadboda closed this Oct 28, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arpadboda arpadboda arpadboda left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@asdaraujo @arpadboda