[Rt-commit] rt branch, 4.4/support-openssl-crl-check, created. rt-4.4.4-157-g860e5a4c96

Dianne Skoll dianne at bestpractical.com
Fri Nov 6 16:32:06 EST 2020


The branch, 4.4/support-openssl-crl-check has been created
        at  860e5a4c96c5a86a1b8f6abd80f43bd068b460c9 (commit)

- Log -----------------------------------------------------------------
commit 860e5a4c96c5a86a1b8f6abd80f43bd068b460c9
Author: Dianne Skoll <dianne at bestpractical.com>
Date:   Fri Nov 6 16:31:03 2020 -0500

    When we verify a certificate, use the -crl_check -crl_download options if OpenSSL supports them.
    
    If we are unable to download a CRL, we fall back to checking without
    the above options, but if the certificate is trusted, note that we
    were unable to download the CRL.

diff --git a/lib/RT/Crypt/SMIME.pm b/lib/RT/Crypt/SMIME.pm
index 5ea826327c..ecf33b4518 100644
--- a/lib/RT/Crypt/SMIME.pm
+++ b/lib/RT/Crypt/SMIME.pm
@@ -62,6 +62,10 @@ use RT::Util 'safe_run_child';
 use Crypt::X509;
 use String::ShellQuote 'shell_quote';
 
+# This will be set to a true value by Probe
+# if "openssl verify" supports the -crl_download option
+our $OpenSSL_Supports_CRL_Download;
+
 =head1 NAME
 
 RT::Crypt::SMIME - encrypt/decrypt and sign/verify email messages with the SMIME
@@ -212,6 +216,14 @@ sub Probe {
                     " SMIME support has been disabled");
             return;
         } else {
+            ($buf, $err) = ('', '');
+            # Interrogate openssl verify command to see if it supports
+            # the -crl_download option.
+            safe_run_child { run3( [$bin, 'verify', '-help'],
+                                   \undef, \$buf, \$err) };
+            if ($err =~ /crl_download/) {
+                $OpenSSL_Supports_CRL_Download = 1;
+            }
             return 1;
         }
     }
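Review bot: The probe only looks at `$err` for the `crl_download` token, so if an OpenSSL build prints its `verify -help` text on stdout rather than stderr (newer releases appear to do this) the feature is silently disabled even though the option is available. Checking both captured streams costs nothing: `if ("$buf\n$err" =~ /-crl_download\b/) {`. The anchored `-crl_download\b` also avoids matching the token inside unrelated text such as a `-no_crl_download` style option, should one ever appear. Probe's body starts outside this hunk.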
@@ -933,8 +945,11 @@ sub GetCertificateInfo {
             my $method = $type . "_" . $USER_MAP{$_};
             $data{$_} = $cert->$method if $cert->can($method);
         }
-        $data{String} = Email::Address->new( @data{'Name', 'EmailAddress'} )->format
-            if $data{EmailAddress};
+        if ($data{EmailAddress}) {
+            $data{String} = Email::Address->new( @data{'Name', 'EmailAddress'} )->format;
+        } else {
+            $data{String} = $data{Name};
+        }
         return \%data;
     };
 
@@ -957,6 +972,33 @@ sub GetCertificateInfo {
         stderr => ''
     );
 
+    my $note_about_crl_download = '';
+    if ($OpenSSL_Supports_CRL_Download) {
+        $self->RunOpenSSLVerify($PEM, \%res, '-crl_check', '-crl_download');
+        if ($res{stderr} !~ /unable to get certificate CRL/) {
+            return %res;
+        }
+        $note_about_crl_download = " (NOTE: Unable to download CRL)";
+    }
+
+    # Either we don't support -crl_download, or we do, but it failed
+    # due to a network problem.  Re-run without -crl_check -crl_download
+    $self->RunOpenSSLVerify($PEM, \%res);
+    if (($res{info}[0]{TrustTerse} // '') eq 'full') {
+        $res{info}[0]{Trust} .= $note_about_crl_download;
+    }
+    return %res;
+}
+
+sub RunOpenSSLVerify
+{
+    my $self = shift;
+    my $PEM = shift;
+    my $res = shift;
+    # Remaining args are extra arguments to "openssl verify"
+
+    $res->{stderr} = '';
+
     # Check the validity
     my $ca = RT->Config->Get('SMIME')->{'CAPath'};
     if ($ca) {
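Review bot: RunOpenSSLVerify only clears `$res->{stderr}` before each run, so when the first `-crl_check -crl_download` attempt lands in the "openssl failed" branch (which sets `exit_code` and `message`) and the plain re-run then succeeds, the returned `%res` still carries the stale `exit_code`/`message` from the failed attempt; callers that inspect those fields would see a failure alongside a full-trust result. Reset the whole outcome at the top of RunOpenSSLVerify: `delete @{$res}{qw(exit_code message)};` next to `$res->{stderr} = '';`. Separately, `-crl_download` makes openssl fetch whatever distribution-point URL the incoming (untrusted) certificate names, and the `run3` call has no timeout, so a slow or unreachable CRL host can stall message processing; a bounded timeout around that invocation, or a configuration switch to disable the download, is worth considering. The fallback also keys on the literal OpenSSL message `unable to get certificate CRL`, which may vary between versions, so that string should be documented as version-dependent. RunOpenSSLVerify's body continues past the end of this hunk.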
@@ -968,39 +1010,36 @@ sub GetCertificateInfo {
         }
 
         local $SIG{CHLD} = 'DEFAULT';
+
         my $cmd = [
             $self->OpenSSLPath,
-            'verify', @ca_verify,
-        ];
+            'verify', @ca_verify, @_,
+          ];
         my $buf = '';
-        safe_run_child { run3( $cmd, \$PEM, \$buf, \$res{stderr} ) };
+        safe_run_child { run3( $cmd, \$PEM, \$buf, \$res->{stderr} ) };
 
         if ($buf =~ /^stdin: OK$/) {
-            $res{info}[0]{Trust} = "Signed by trusted CA $res{info}[0]{Issuer}[0]{String}";
-            $res{info}[0]{TrustTerse} = "full";
-            $res{info}[0]{TrustLevel} = 2;
+            $res->{info}[0]{Trust} = "Signed by trusted CA $res->{info}[0]{Issuer}[0]{String}";
+            $res->{info}[0]{TrustTerse} = "full";
+            $res->{info}[0]{TrustLevel} = 2;
         } elsif ($? == 0 or ($? >> 8) == 2) {
-            $res{info}[0]{Trust} = "UNTRUSTED signing CA $res{info}[0]{Issuer}[0]{String}";
-            $res{info}[0]{TrustTerse} = "none";
-            $res{info}[0]{TrustLevel} = -1;
+            $res->{info}[0]{Trust} = "UNTRUSTED signing CA $res->{info}[0]{Issuer}[0]{String}";
+            $res->{info}[0]{TrustTerse} = "none";
+            $res->{info}[0]{TrustLevel} = -1;
         } else {
-            $res{exit_code} = $?;
-            $res{message} = "openssl exited with error code ". ($? >> 8)
+            $res->{exit_code} = $?;
+            $res->{message} = "openssl exited with error code ". ($? >> 8)
                 ." and stout: $buf";
-            $res{info}[0]{Trust} = "unknown (openssl failed)";
-            $res{info}[0]{TrustTerse} = "unknown";
-            $res{info}[0]{TrustLevel} = 0;
+            $res->{info}[0]{Trust} = "unknown (openssl failed)";
+            $res->{info}[0]{TrustTerse} = "unknown";
+            $res->{info}[0]{TrustLevel} = 0;
         }
     } else {
-        $res{info}[0]{Trust} = "unknown (no CAPath set)";
-        $res{info}[0]{TrustTerse} = "unknown";
-        $res{info}[0]{TrustLevel} = 0;
+        $res->{info}[0]{Trust} = "unknown (no CAPath set)";
+        $res->{info}[0]{TrustTerse} = "unknown";
+        $res->{info}[0]{TrustLevel} = 0;
     }
-
-    $res{info}[0]{Formatted} = $res{info}[0]{User}[0]{String}
-        . " (issued by $res{info}[0]{Issuer}[0]{String})";
-
-    return %res;
+    $res->{info}[0]{Formatted} = $res->{info}[0]{User}[0]{String} . " (issued by $res->{info}[0]{Issuer}[0]{String})";
 }
 
 1;
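Review bot: Two style regressions in the rewritten body: the closing bracket of `$cmd` is now indented ten spaces (`          ];`) instead of aligning with `my $cmd = [` at eight, and the `Formatted` assignment has been collapsed from the previous two wrapped lines into one line well over the file's usual width. Restoring the original wrapping, `$res->{info}[0]{Formatted} = $res->{info}[0]{User}[0]{String}` followed by `. " (issued by $res->{info}[0]{Issuer}[0]{String})";` on a continuation line, keeps the diff limited to the `%res` to `$res->` change. The subroutine header for RunOpenSSLVerify sits in the previous hunk, so a short POD or comment block there describing the extra-argument convention and which `%res` keys the sub writes would help; this hunk has no documentation of its own.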
diff --git a/t/crypt/smime/crl-download.t b/t/crypt/smime/crl-download.t
new file mode 100644
index 0000000000..08d19cc17a
--- /dev/null
+++ b/t/crypt/smime/crl-download.t
@@ -0,0 +1,41 @@
+use strict;
+use warnings;
+
+use RT::Test::SMIME tests => undef;
+
+my $openssl = RT::Test->find_executable('openssl');
+my $keyring = File::Spec->catfile(RT::Test->temp_directory, "smime" );
+my $ca = RT::Test::find_relocatable_path(qw(data smime keys CAWithCRL));
+$ca = File::Spec->catfile($ca, 'cacert.pem');
+
+RT->Config->Set('SMIME', Enable => 1,
+    Passphrase => {'sender-crl\@example.com' => '123456'},
+    OpenSSL => $openssl,
+    Keyring => $keyring,
+    CAPath  => $ca,
+);
+
+RT::Test::SMIME->import_key('sender-crl at example.com');
+
+
+if (!$::RT::Crypt::SMIME::OpenSSL_Supports_CRL_Download) {
+    RT::Test::plan( skip_all => 'This version of openssl does not support the -crl_download option');
+}
+
+my $crt;
+{
+    local $/;
+    if (open my $fh, "<" . File::Spec->catfile($keyring, 'sender-crl at example.com.pem')) {
+        $crt = <$fh>;
+        close($fh);
+    } else {
+        die("Could not read " . File::Spec->catfile($keyring, 'sender-crl at example.com.pem') . ": $!");
+    }
+}
+
+my %res;
+%res = RT::Crypt::SMIME->GetCertificateInfo(Certificate => $crt);
+
+is ($res{info}[0]{Trust}, 'Signed by trusted CA fake.ca.bestpractical.com (NOTE: Unable to download CRL)', "We attempted to use -crl_download, but it failed.");
+
+done_testing;
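Review bot: The certificate is read with a two-argument `open` built by string concatenation (`open my $fh, "<" . File::Spec->catfile(...)`), which is the form perlcritic flags because the mode is parsed out of the filename; compute the path once into `$pem_path` and use the three-argument form, `open my $fh, '<', $pem_path or die "Could not read $pem_path: $!";`, which also removes the duplicated `catfile` call in the `die` branch. The assertion also presumes that the CRL host fails to resolve and that OpenSSL reports exactly `unable to get certificate CRL`; on networks with wildcard DNS or with a different OpenSSL error text the fallback path in GetCertificateInfo is not taken and the test fails for reasons unrelated to RT, so a `note` explaining that dependency would help whoever sees it fail.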
diff --git a/t/data/smime/keys/CAWithCRL/cacert.pem b/t/data/smime/keys/CAWithCRL/cacert.pem
new file mode 100644
index 0000000000..4bfda10da0
--- /dev/null
+++ b/t/data/smime/keys/CAWithCRL/cacert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/t/data/smime/keys/CAWithCRL/mycrl.cnf b/t/data/smime/keys/CAWithCRL/mycrl.cnf
new file mode 100644
index 0000000000..42ed83f5fc
--- /dev/null
+++ b/t/data/smime/keys/CAWithCRL/mycrl.cnf
@@ -0,0 +1 @@
+crlDistributionPoints=URI:http://this.will.never.resolve.example.com/crl.pem
diff --git a/t/data/smime/keys/CAWithCRL/private/cakey.pem b/t/data/smime/keys/CAWithCRL/private/cakey.pem
new file mode 100644
index 0000000000..1ea3e190a4
--- /dev/null
+++ b/t/data/smime/keys/CAWithCRL/private/cakey.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,DFE7DF2B024DBCCD
+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+-----END RSA PRIVATE KEY-----
diff --git a/t/data/smime/keys/sender-crl at example.com.key b/t/data/smime/keys/sender-crl at example.com.key
new file mode 100644
index 0000000000..1ea3e190a4
--- /dev/null
+++ b/t/data/smime/keys/sender-crl at example.com.key
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,DFE7DF2B024DBCCD
+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+-----END RSA PRIVATE KEY-----
diff --git a/t/data/smime/keys/sender-crl at example.com.pem b/t/data/smime/keys/sender-crl at example.com.pem
new file mode 100644
index 0000000000..f56f120a52
--- /dev/null
+++ b/t/data/smime/keys/sender-crl at example.com.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDyTCCArGgAwIBAgIUXlUIAltyUt+LwI8Ef1RQdGkM4p4wDQYJKoZIhvcNAQEL
+BQAwajELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xDzANBgNVBAcMBk90
+dGF3YTEUMBIGA1UECgwLQlBTIEZha2UgQ0ExIjAgBgNVBAMMGWZha2UuY2EuYmVz
+dHByYWN0aWNhbC5jb20wIBcNMjAxMTA2MjAyNjQxWhgPMjE1NzA5MjkyMDI2NDFa
+MIGHMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzEPMA0GA1UEBwwGT3R0
+YXdhMQ0wCwYDVQQKDARCbGFoMR8wHQYDVQQDDBZzZW5kZXItY3JsQGV4YW1wbGUu
+Y29tMSUwIwYJKoZIhvcNAQkBFhZzZW5kZXItY3JsQGV4YW1wbGUuY29tMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6lmSx/a8PP4K+KQyMDOpHDRBEYj3
+0dyQFDjfWUc/W00R3eF/mXlq5Ox9XSiI/xzeayfl5Ekkh0BZfURprLHrsiApfhVx
+q4NykUVDE0KQqU3Syj+TI5v5E+2e1c9FTzq5aezri5RSsC+PAmiCXUnJudzIxNNw
+zvW+Xr0a7MGjrLXCh0LMlj0n7v1BaPF0dnumGxENF2PQJF7WeaTPrjeBljyhpEyk
+WNM3T98gc8XuBZjv34gCywb+ssoEBCSezPvDLXIz8nHfhkmYa1wQvkylHCEb15ou
+ZUgKfdvmDEq7VsS/sKrF50PYGMWf16oJfS0b3uO8WYPpOCRYCFPao+kEuQIDAQAB
+o0cwRTBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vdGhpcy53aWxsLm5ldmVyLnJl
+c29sdmUuZXhhbXBsZS5jb20vY3JsLnBlbTANBgkqhkiG9w0BAQsFAAOCAQEAbFB1
+j2lYHEiyDXfH4FRtGq32O+7dYs/5vG0qHrbSYJ9PvjU7FMgs1nk20drE01rtXEvT
+C3BNFR3Uu+YY+UgC+ZRt/zzldw1YqKNFSZVYfdxejIVQzPhu2wOmrcVlarSwjTe7
+xzzOzQEz1U2kbt10Hj8iEiXyPcWjjst3YiRMY5qy40WG8NMqLFsbMcTtzgnLwvgz
+BFZXliS+Zamq79UBZ7kD6Sgn7BIY+4xSC/4BXa5548nTRcNKw+QZQt+b5E/EhXhh
+JLbhC/m4v+k375dLUBgcvlOTOuCyKKPWNGncxFV94FAWFJqSrCcUuhlv63evJIza
+wzgi7xMBojp3wGZ9pA==
+-----END CERTIFICATE-----

-----------------------------------------------------------------------

