deptofdefense / iceberg

File server using client certificate authentication and policy-based access control
MIT License

CRL support #15

Closed pjdufour-dds closed 3 years ago

pjdufour-dds commented 3 years ago

Closes https://github.com/deptofdefense/iceberg/issues/8

Adds the --client-crl and --client-crl-format command line flags and reworks the Makefile targets to support the full openssl ca workflow instead of just using openssl x509.
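
A worked check of what the new flags load, as an added example written for this page and not code from the iceberg project: it parses a CRL given as DER or PEM, verifies that the CA signed it and that it is not past its NextUpdate, and then looks up a client certificate's serial number in it. The CA and CRL are generated in-program as constructed stand-ins for the Makefile's temp/ca.crt and temp/ca.crl.der, the function names are this example's own, and sniffing the PEM wrapper instead of taking a format value is an assumption, since the page does not show which values --client-crl-format accepts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// parseCRL takes raw DER or a PEM "X509 CRL" block, sniffing the wrapper rather than reading a --client-crl-format flag.
func parseCRL(data []byte) (*x509.RevocationList, error) {
	if block, _ := pem.Decode(data); block != nil && block.Type == "X509 CRL" {
		data = block.Bytes // strip the PEM armour; anything else is treated as DER
	}
	return x509.ParseRevocationList(data)
}

// isRevoked trusts the CRL only after verifying the CA's signature and freshness; a bad CRL is an error, not "not revoked".
func isRevoked(crl *x509.RevocationList, ca *x509.Certificate, serial *big.Int) (bool, error) {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, fmt.Errorf("CRL rejected: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL expired at %s", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// newTestCA is constructed input standing in for temp/ca.crt and temp/ca.crl.der: a throwaway CA and a CRL revoking serial 2.
func newTestCA() (*x509.Certificate, []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "icebergca"}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: now, NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	ca, _ := x509.ParseCertificate(der)
	crlDER, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now, NextUpdate: now.Add(time.Hour), RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: big.NewInt(2), RevocationTime: now}}}, ca, priv)
	return ca, crlDER
}
```

A CRL signed by some other CA, or one whose NextUpdate has passed, makes isRevoked return an error rather than a false "not revoked", which is the behaviour a server doing client certificate authentication wants.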

chrisgilmerproj commented 3 years ago

I was reviewing this and running through the Makefile examples when I hit an error. I ran rm -rf temp/ && make test_cli and got this output:

mkdir -p temp
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/C=US/O=Atlantis/OU=Atlantis Digital Service/CN=icebergca" -keyout temp/ca.key -out temp/ca.crt
Generating a RSA private key
.....................................................................................................................................................+++++
...................................+++++
writing new private key to 'temp/ca.key'
-----
echo '01' > temp/ca.srl
touch temp/index.txt
echo 'unique_subject = yes' > temp/index.txt.attr
mkdir -p temp
openssl genrsa -out temp/server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
......................................................+++++
...........+++++
e is 65537 (0x010001)
openssl req -new -key temp/server.key -subj "/C=US/O=Atlantis/OU=Atlantis Digital Service/CN=iceberglocal" -out temp/server.csr
openssl ca -config examples/conf/openssl.cnf -batch -notext -in temp/server.csr -out temp/server.crt
Using configuration from examples/conf/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep  3 22:11:23 2020 GMT
            Not After : Sep  3 22:11:23 2021 GMT
        Subject:
            countryName               = US
            organizationName          = Atlantis
            organizationalUnitName    = Atlantis Digital Service
            commonName                = iceberglocal
Certificate is to be certified until Sep  3 22:11:23 2021 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
bash scripts/test-cli.sh
Using temporary directory at /var/folders/b5/2fhdzt3s19l41s4j63z1swjh0000gn/T/shunit.zyN6iB/tmp
Reading testdata from /Users/cgilmer/Projects/deptofdefense/iceberg/scripts/../testdata
testServe
ASSERT:unexpected output expected:<> but was:<iceberg: error initializing certificate revocation list: error loading CRL from file "temp/ca.crl.der": open temp/ca.crl.der: no such file or directory
Try iceberg --help for more information.>
shunit2:ERROR testServe() returned non-zero return code.
Tearing Down

Ran 1 test.

FAILED (failures=2)
Tearing Down
make: *** [test_cli] Error 1

Running make crl fixed this issue for me. I suggest one update: line 35 of the Makefile should be updated to this:

test_cli: bin/iceberg temp/ca.crt temp/server.crt crl ## Run CLI tests

pjdufour-dds commented 3 years ago

I refactored the crl make target, so it is run with test_cli. Added check for CRL format. Thanks for the review!