

Update HTTP-TPC to ignore whether certificates have allowed namespace
Motivation:

Namespace checking rejects certificates if the subject DN is not one of
the allowed values for that certificate's CA.  A list of allowed subject
DNs is maintained by IGTF for their trust store.

There are two problems with this approach.

  1. it is IGTF specific.  There is no equivalent for CA/B, making
     interoperability with CA/B-approved CAs non-trivial.

  2. for HTTP-TPC, the check is pointless.  It protects the
     certificate's Subject DN, which plays no role in the identity of
     the remote site.  Instead, the X.509 v3 Subject Alternative Name is
     used.

Modification:

Update the SSLContext (which includes the certificate chain validation)
for the Apache HTTP client.  There is (no longer) any namespace checking
for such certificates.

Note that the namespace checking for client X.509 certificates (which is
the intended target of namespace checking) is unaffected by this change.

Result:

HTTP-TPC now works with remote sites that have a CA/B certificate and
using the system standard trust store.
paulmillar committed Nov 27, 2024
1 parent fdddb64 commit ce2b0d8
Showing 1 changed file with 14 additions and 5 deletions.
19 changes: 14 additions & 5 deletions src/main/java/org/italiangrid/storm/webdav/spring/AppConfig.java
Expand Up @@ -32,6 +32,7 @@
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.function.Function;

import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
Expand Down Expand Up @@ -200,25 +201,31 @@ HealthCheckRegistry healthCheckRegistry() {

@Bean
X509CertChainValidatorExt canlCertChainValidator(ServiceConfiguration configuration) {
return canlCertChainCustomValidator(configuration,
b -> b.namespaceChecks(NamespaceCheckingMode.EUGRIDPMA_AND_GLOBUS_REQUIRE));
}

private X509CertChainValidatorExt canlCertChainCustomValidator(ServiceConfiguration configuration,
Function<CertificateValidatorBuilder,CertificateValidatorBuilder> customiseValidatorBuilder) {

CANLListener l = new org.italiangrid.storm.webdav.server.util.CANLListener();
CertificateValidatorBuilder builder = new CertificateValidatorBuilder();

long refreshInterval =
TimeUnit.SECONDS.toMillis(configuration.getTrustAnchorsRefreshIntervalInSeconds());

return builder.namespaceChecks(NamespaceCheckingMode.EUGRIDPMA_AND_GLOBUS_REQUIRE)
CertificateValidatorBuilder builder = new CertificateValidatorBuilder()
.crlChecks(CrlCheckingMode.IF_VALID)
.ocspChecks(OCSPCheckingMode.IGNORE)
.lazyAnchorsLoading(false)
.storeUpdateListener(l)
.validationErrorListener(l)
.trustAnchorsDir(configuration.getTrustAnchorsDir())
.trustAnchorsUpdateInterval(refreshInterval)
.build();
.trustAnchorsUpdateInterval(refreshInterval);

return customiseValidatorBuilder.apply(builder).build();
}


@Bean
PathResolver pathResolver(ServiceConfiguration conf) {
return new DefaultPathResolver(storageAreaConfiguration(conf));
Expand All @@ -241,7 +248,9 @@ HttpClientConnectionManager tpcClientConnectionManager(ThirdPartyCopyProperties
NoSuchAlgorithmException, NoSuchProviderException, KeyManagementException {
PEMCredential serviceCredential = serviceCredential(conf);

SSLTrustManager tm = new SSLTrustManager(canlCertChainValidator(conf));
X509CertChainValidatorExt validator = canlCertChainCustomValidator(conf,
b -> b.namespaceChecks(NamespaceCheckingMode.IGNORE));
SSLTrustManager tm = new SSLTrustManager(validator);

SSLContext ctx;

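Review bot: Switching the TPC client's validator to `NamespaceCheckingMode.IGNORE` in the third hunk leaves hostname verification of the certificate's Subject Alternative Name as the only binding between the remote endpoint and its certificate, and nothing in the hunk shows where that verification is configured (the `SSLTrustManager` wraps chain validation only; the `HostnameVerifier` would be set on the socket factory, which is outside the hunk). A comment above the `validator` declaration would record that dependency, e.g. `// Namespace checks only protect the Subject DN; the remote site's identity rests on hostname verification of the SAN, which must stay enabled on the socket factory.` Separately, `canlCertChainCustomValidator` now builds a second `CertificateValidatorBuilder` with its own `storeUpdateListener` and `trustAnchorsUpdateInterval`, so the trust-anchor directory appears to be loaded and refreshed independently for the server-side bean and for the TPC client; if that duplication is intentional, a sentence in the new method's Javadoc saying so would help. In the second hunk the `Function<CertificateValidatorBuilder,CertificateValidatorBuilder>` parameter could be `UnaryOperator<CertificateValidatorBuilder>` from the same `java.util.function` package, and the new private method has no Javadoc describing what customisation callers are expected to apply. `tpcClientConnectionManager` starts and ends outside the hunk.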
