cloudfoundry-attic / cfdev

A fast and easy local Cloud Foundry experience on native hypervisors, powered by LinuxKit with VPNKit
Apache License 2.0

Feature request: Add ability to verify a client certificate #91

Closed tyrannosaurus-becks closed 5 years ago

tyrannosaurus-becks commented 5 years ago

Hi!

First off, thank you for offering this helpful development environment for PCF.

I am using this version of PCF:

$ cf --version
cf version 6.41.0+dd4c76cdd.2018-11-28

I'd like to take advantage of the identity assurance certificates that became available in PCF version 2.1, as described here. I've been testing and I've found that the CF_INSTANCE_CERT and CF_INSTANCE_KEY environment variables are populated. The certificate at that path has an issuer organization of Cloud Foundry, country of "USA", and common name of "instanceIdentityCA".

However, when I look at the CAs available at "/etc/ssl/certs/ca-certificates.crt", the ones issued by Cloud Foundry are as follows:

2019-04-24T22:30:46.89-0700 [APP/PROC/WEB/0] OUT CN=appRootCA,O=Cloud Foundry,C=USA
2019-04-24T22:30:46.89-0700 [APP/PROC/WEB/0] OUT CN=credhubServerCa,O=Cloud Foundry,C=USA
2019-04-24T22:30:46.89-0700 [APP/PROC/WEB/0] OUT CN=uaaCA,O=Cloud Foundry,C=USA

This means I can't use them to verify that the client certificate's root certificate is really the one with the CN of "instanceIdentityCA".

Is there any way in the cf dev environment to verify that the client certs on an instance were issued by the stated CN, and not by an attacker hand-creating the client certificate and filling in the expected strings in the same fields? Basically, I want to verify that the client certificate is mathematically tied to the real certificate authority.

One thing that would work is if there were an API endpoint providing that CA certificate. Another way would be if the CA certificate were available locally somewhere else.

I hope that makes sense and I apologize if there's a better forum for this question. I found that I couldn't join the Slack room listed in the README because I would need authentication credentials to it. I also am a PCF noob so I may be missing something. Any help or "pointing in the right direction" is appreciated.

Thanks in advance!

cf-gitbot commented 5 years ago

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/165625766

The labels on this github issue will be updated when the story is started.

aemengo commented 5 years ago

@tyrannosaurus-becks Yes, you're making sense. For your instance of CF Dev, you can find the certificate at ~/.cfdev/state/bosh/creds.yml. If you have BOSH CLI, an easy way to extract it is:

bosh int --path /diego_instance_identity_ca ~/.cfdev/state/bosh/creds.yml

I'm just unclear about the use-case. You're seeing the same behavior that you would see in a real cloud deployment of CF. Is this a one-time validation that you want to perform? Then hopefully the above steps should be sufficient. Or are you asking for a way to programmatically access this certificate inside of every deployed application in your CF instance?
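The check the question asks for, as an added example rather than code from cfdev or from either commenter: it verifies a PEM leaf such as the file at CF_INSTANCE_CERT against the CA PEM obtained with the bosh int command above, and it relies on the signature check rather than on the subject strings, which is what rules out a hand-made certificate that merely copies "CN=instanceIdentityCA,O=Cloud Foundry,C=USA". So that it runs offline, the program mints its own CA and leaf certificates as constructed test data; the serial numbers, the leaf's common name, and the assumption that the instance identity leaf carries the clientAuth extended key usage are mine, not the project's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// Subject of the instance identity CA as reported in the issue.
var cfSubject = pkix.Name{CommonName: "instanceIdentityCA", Organization: []string{"Cloud Foundry"}, Country: []string{"USA"}}

// verifyInstanceCert parses a PEM leaf (the contents of the file named by
// CF_INSTANCE_CERT) and verifies that it chains to one of the PEM CA
// certificates in caPEM (e.g. the output of `bosh int --path /diego_instance_identity_ca`).
// Verify checks the leaf's signature against the CA public key, so a cert that
// only copies the CA's subject strings is rejected.
func verifyInstanceCert(leafPEM, caPEM []byte) (*x509.Certificate, error) {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("caPEM contains no parsable CA certificate")
	}
	block, _ := pem.Decode(leafPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("leafPEM contains no CERTIFICATE block")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	// Assumption: the instance identity leaf carries the clientAuth EKU, so it is required here.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return nil, err
	}
	return leaf, nil
}

// mint generates a P-256 key and signs tmpl with parentKey (self-signed when
// parent is nil). Constructed test data only; real certificates come from Diego.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, nil, err
	}
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// caTemplate describes a CA with the instance identity subject; serial is a constructed value.
func caTemplate(serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: cfSubject, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}

// leafTemplate describes a client certificate; the CN is a constructed placeholder.
func leafTemplate(serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "app-instance-guid", Organization: []string{"Cloud Foundry"}},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}}
}

// demo returns (genuineAccepted, forgedAccepted, err). The impostor CA copies the
// real CA's subject strings exactly but has its own key, so a leaf it signs must
// be rejected when verified against the real CA.
func demo() (bool, bool, error) {
	realCA, realKey, realPEM, err := mint(caTemplate(1), nil, nil)
	if err != nil {
		return false, false, err
	}
	fakeCA, fakeKey, _, err := mint(caTemplate(2), nil, nil)
	if err != nil {
		return false, false, err
	}
	_, _, genuine, err := mint(leafTemplate(10), realCA, realKey)
	if err != nil {
		return false, false, err
	}
	_, _, forged, err := mint(leafTemplate(11), fakeCA, fakeKey)
	if err != nil {
		return false, false, err
	}
	_, genuineErr := verifyInstanceCert(genuine, realPEM)
	_, forgedErr := verifyInstanceCert(forged, realPEM)
	return genuineErr == nil, forgedErr == nil, nil
}

func main() {
	ok, forgedOK, err := demo()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("genuine leaf accepted: %v, forged leaf accepted: %v\n", ok, forgedOK)
}
```

Inside a real app the two inputs are the file named by CF_INSTANCE_CERT (read with os.ReadFile(os.Getenv("CF_INSTANCE_CERT"))) and the CA PEM saved from the bosh int output; verifyInstanceCert returns the parsed leaf so the caller can read its subject or SANs only after the chain check has passed.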

tyrannosaurus-becks commented 5 years ago

Thanks @aemengo ! That's super helpful!

The use case I'm thinking of is this:

My only question was how to get that CA certificate. Sounds like in cf dev it's available in the creds.yml file you've pointed out. I've seen docs indicating it could also be configured and inspected through Ops Manager.

I suppose I was also wondering if there's any other way in production that doesn't require Ops Manager - though I didn't know that it was available in creds.yml so that's already helpful.

aemengo commented 5 years ago

@tyrannosaurus-becks Just to tie up loose ends on this. In PAS, the recommended way to inspect this certificate is, indeed, through Ops Manager.