Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[fix] Fix issue where cert chain is not taken into account in mTLS authentication #467

Merged
merged 1 commit into from
Dec 19, 2024
Merged

[fix] Fix issue where cert chain is not taken into account in mTLS authentication #467

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion build-support/start-mim-test-service-inside-container.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,8 @@ put tenants/private '{
put namespaces/private/auth '{
"auth_policies": {
"namespace_auth": {
"token-principal": ["produce", "consume"]
"token-principal": ["produce", "consume"],
"chained-client": ["produce", "consume"]
}
},
"replication_clusters": ["standalone"]
Expand Down
3 changes: 2 additions & 1 deletion build-support/start-test-service-inside-container.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -134,7 +134,8 @@ put tenants/private '{
put namespaces/private/auth '{
"auth_policies": {
"namespace_auth": {
"token-principal": ["produce", "consume"]
"token-principal": ["produce", "consume"],
"chained-client": ["produce", "consume"]
}
},
"replication_clusters": ["standalone"]
Expand Down
4 changes: 2 additions & 2 deletions lib/ClientConnection.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -253,11 +253,11 @@ ClientConnection::ClientConnection(const std::string& logicalAddress, const std:
throw ResultAuthenticationError;
}
ctx.use_private_key_file(tlsPrivateKey, ASIO::ssl::context::pem);
ctx.use_certificate_file(tlsCertificates, ASIO::ssl::context::pem);
ctx.use_certificate_chain_file(tlsCertificates);
} else {
if (file_exists(tlsPrivateKey) && file_exists(tlsCertificates)) {
ctx.use_private_key_file(tlsPrivateKey, ASIO::ssl::context::pem);
ctx.use_certificate_file(tlsCertificates, ASIO::ssl::context::pem);
ctx.use_certificate_chain_file(tlsCertificates);
}
}

Expand Down
134 changes: 51 additions & 83 deletions test-conf/broker-cert.pem
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,16 +1,17 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4098 (0x1002)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=California, L=Palo Alto, O=Apache Software Foundation, OU=Pulsar, CN=Pulsar CA/[email protected]
Serial Number:
53:f8:da:b4:2b:b3:53:ff:db:96:69:f4:54:4b:8c:94:c9:24:d4:32
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=California, O=Apache Software Foundation, OU=Pulsar, CN=Pulsar CA/[email protected]
Validity
Not Before: Feb 17 17:00:44 2021 GMT
Not After : Feb 12 17:00:44 2041 GMT
Not Before: Dec 18 06:29:25 2024 GMT
Not After : Dec 13 06:29:25 2044 GMT
Subject: C=US, ST=California, O=Apache Software Foundation, OU=Pulsar, CN=localhost/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
RSA Public-Key: (2048 bit)
Modulus:
00:9b:2a:6f:24:02:23:f7:ff:e6:75:61:ca:07:a8:
c0:ab:e9:8d:eb:51:2e:64:f7:9e:9b:d4:b4:be:3a:
Expand All @@ -32,86 +33,53 @@ Certificate:
5e:cd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
49:3C:B2:98:30:CE:7F:79:7A:C6:8B:57:CA:24:9F:12:82:1E:5D:EF
X509v3 Authority Key Identifier:
keyid:D2:B2:3D:B1:A4:7C:48:4B:36:E1:A7:DE:D8:FC:BA:92:BA:A7:C4:71
DirName:/C=US/ST=California/L=Palo Alto/O=Apache Software Foundation/OU=Pulsar/CN=Pulsar CA/[email protected]
serial:52:7B:B4:00:96:60:B4:26:85:BE:01:82:B8:B8:E2:8C:72:EF:5B:90
X509v3 Authority Key Identifier:
keyid:9C:66:A6:5E:95:A5:D7:72:6E:11:76:44:43:35:B4:61:FB:70:27:6F

X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
Signature Algorithm: sha256WithRSAEncryption
0f:bd:af:39:0c:2c:dc:8f:7e:06:0d:27:df:35:c7:8d:5a:03:
68:97:f6:dc:d6:d3:39:0e:b4:76:48:7d:e1:1c:a9:4b:83:fa:
52:00:ab:28:93:2d:06:76:0c:14:35:3c:f1:8e:3b:af:c8:d0:
27:1f:58:d4:71:22:5f:05:a6:9e:73:c6:a5:5e:2a:e6:fb:eb:
fc:73:52:87:ca:8a:2a:f9:1e:5f:e2:b9:bd:01:27:9f:7c:61:
a6:97:ad:a0:ab:4e:fb:cc:fa:c8:77:6a:65:1b:ae:60:5e:fb:
97:14:8c:40:d7:96:c6:2c:64:59:c0:52:52:7c:2d:98:4b:f4:
72:da:83:f7:c6:4f:32:42:ce:df:02:dd:5f:eb:58:42:f9:62:
a1:9a:05:ef:13:48:27:af:a3:7f:23:eb:e0:dc:1d:8f:96:2a:
88:47:f7:e4:75:6f:a9:15:f6:44:f1:6d:39:3a:2c:df:a7:82:
cc:7e:aa:9c:1c:c0:a7:7d:68:31:4a:4e:21:b8:9f:17:90:4b:
f1:68:23:ef:a7:53:fc:a9:a8:35:6b:8f:4c:5e:d4:ea:b0:8a:
27:9a:86:89:ce:f2:5d:03:35:80:fc:45:e8:87:66:0f:32:b5:
2a:f5:1b:79:0e:09:8b:90:40:20:fb:e3:27:8a:c9:92:c1:53:
97:10:5a:8c:50:ef:02:46:7e:ec:68:c8:1e:26:66:0e:1d:d6:
6c:82:e7:38:14:e8:cb:45:77:29:5f:2c:1a:9d:d7:54:21:8a:
cf:0f:b7:0c:ae:fe:d6:fb:fb:c3:07:3e:33:df:59:25:1c:73:
d4:87:73:14:b4:76:16:8a:3f:82:05:7b:42:0a:55:0c:79:24:
3c:58:31:3f:e0:3e:9f:4e:d0:0e:fd:77:b7:13:2c:d3:d0:46:
cc:80:09:0f:50:56:8b:6e:6e:91:b2:5b:c8:2f:4d:86:dc:72:
00:de:08:0d:5e:3e:96:1f:12:7d:3b:0d:4d:71:d5:c8:a8:06:
ba:00:23:ec:10:4c:a4:c3:6f:bc:f0:d7:b1:cf:57:3f:3b:79:
db:80:87:35:c7:4e:7f:bb:38:30:0a:9f:fe:5a:86:f5:97:ce:
24:38:79:fd:a0:dc:0b:82:11:a1:ea:0c:e9:16:65:e0:c0:54:
80:ad:6e:55:18:ac:27:35:3a:b0:20:70:62:8e:5d:a2:33:53:
8c:ce:f9:ee:a1:27:cb:db:e5:9a:5e:e6:f7:80:93:84:63:04:
26:58:ab:23:bb:94:80:d0:a0:55:a2:8a:ed:bc:0f:c3:41:d2:
26:a5:b9:8d:8a:45:e8:a1:fc:e8:ee:7a:64:93:ed:d6:ef:a2:
51:d7:c9:0a:31:39:35:4a
46:44:07:07:74:de:fa:e9:ad:ee:10:87:72:e4:06:81:e7:d9:
9c:91:99:9e:fe:b2:fe:29:fc:58:12:38:7d:28:c1:3b:d6:ca:
19:dd:06:6c:1e:95:17:58:fa:48:47:62:2b:4f:29:a2:39:3a:
90:f4:37:5a:8c:75:4c:60:b3:61:50:94:5a:4d:70:6a:50:62:
c8:17:46:38:92:1a:02:4d:71:ad:ab:94:10:a3:91:b1:aa:18:
a9:00:88:b7:16:25:3c:aa:59:45:90:49:9a:9c:15:5e:d5:2f:
2f:2a:9e:61:77:b8:59:b7:7e:30:c9:8e:89:2a:57:11:84:e2:
cd:a6:ba:78:73:05:a0:f0:aa:47:5b:8c:f2:a9:20:c6:f7:50:
39:d7:07:bc:ef:7f:04:85:60:1b:c2:5e:53:dc:40:f9:22:f8:
78:b6:be:d7:1b:84:51:45:f7:30:6c:15:fd:c4:07:83:cf:89:
f0:6f:f9:49:7a:cc:f3:17:00:ef:33:f5:0a:6a:79:75:e5:6f:
2e:1f:ad:bf:7e:34:e8:1c:2e:08:de:1e:16:c0:ab:73:69:f9:
2e:09:d1:7b:f4:f0:8c:59:b6:82:c3:1a:a3:8c:25:0f:78:bf:
0b:b3:87:72:46:36:be:8e:4c:67:4c:ca:49:05:a0:2e:fd:3d:
a1:62:d6:01
-----BEGIN CERTIFICATE-----
MIIGPDCCBCSgAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwgaYxCzAJBgNVBAYTAlVT
MRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlQYWxvIEFsdG8xIzAhBgNV
BAoMGkFwYWNoZSBTb2Z0d2FyZSBGb3VuZGF0aW9uMQ8wDQYDVQQLDAZQdWxzYXIx
EjAQBgNVBAMMCVB1bHNhciBDQTEkMCIGCSqGSIb3DQEJARYVZGV2QHB1bHNhci5h
cGFjaGUub3JnMB4XDTIxMDIxNzE3MDA0NFoXDTQxMDIxMjE3MDA0NFowgZIxCzAJ
BgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMSMwIQYDVQQKDBpBcGFjaGUg
U29mdHdhcmUgRm91bmRhdGlvbjEPMA0GA1UECwwGUHVsc2FyMRIwEAYDVQQDDAls
b2NhbGhvc3QxJDAiBgkqhkiG9w0BCQEWFWRldkBwdWxzYXIuYXBhY2hlLm9yZzCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJsqbyQCI/f/5nVhygeowKvp
jetRLmT3npvUtL46+vRuxpKPOE0IzYkVPizEmW3LWID84E3WffaCqw2U8uJFydMV
lVcKbIbceGQ7NEsBfF3eT9QhGl0noKVwei4CUOEZtLkF35kNi8xi3BBz+nKLOH/T
VlRhULuS/wlxCce9BEM8jJyLMtEFBIrGidh4Vk3aL/TsNDcmtYfkPybJQWC6MRAZ
vvgMpAqFGVniAF23wL3RLvymNIuFKswF9vvkAOZ0lf8Cb0N/OafCg45bOEDJQsi8
JnI2NWTCVCIRh+hljz3pQadtGYiaIJuaUufSy7PgLo/BVlS8bRQwc8XXjtBaXs0C
AwEAAaOCAYQwggGAMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDMGCWCG
SAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUw
HQYDVR0OBBYEFEk8spgwzn95esaLV8oknxKCHl3vMIHmBgNVHSMEgd4wgduAFNKy
PbGkfEhLNuGn3tj8upK6p8RxoYGspIGpMIGmMQswCQYDVQQGEwJVUzETMBEGA1UE
CAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJUGFsbyBBbHRvMSMwIQYDVQQKDBpBcGFj
aGUgU29mdHdhcmUgRm91bmRhdGlvbjEPMA0GA1UECwwGUHVsc2FyMRIwEAYDVQQD
DAlQdWxzYXIgQ0ExJDAiBgkqhkiG9w0BCQEWFWRldkBwdWxzYXIuYXBhY2hlLm9y
Z4IUUnu0AJZgtCaFvgGCuLjijHLvW5AwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQM
MAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQAPva85DCzcj34GDSffNceN
WgNol/bc1tM5DrR2SH3hHKlLg/pSAKsoky0GdgwUNTzxjjuvyNAnH1jUcSJfBaae
c8alXirm++v8c1KHyooq+R5f4rm9ASeffGGml62gq077zPrId2plG65gXvuXFIxA
15bGLGRZwFJSfC2YS/Ry2oP3xk8yQs7fAt1f61hC+WKhmgXvE0gnr6N/I+vg3B2P
liqIR/fkdW+pFfZE8W05Oizfp4LMfqqcHMCnfWgxSk4huJ8XkEvxaCPvp1P8qag1
a49MXtTqsIonmoaJzvJdAzWA/EXoh2YPMrUq9Rt5DgmLkEAg++MnismSwVOXEFqM
UO8CRn7saMgeJmYOHdZsguc4FOjLRXcpXywanddUIYrPD7cMrv7W+/vDBz4z31kl
HHPUh3MUtHYWij+CBXtCClUMeSQ8WDE/4D6fTtAO/Xe3EyzT0EbMgAkPUFaLbm6R
slvIL02G3HIA3ggNXj6WHxJ9Ow1NcdXIqAa6ACPsEEykw2+88Nexz1c/O3nbgIc1
x05/uzgwCp/+Wob1l84kOHn9oNwLghGh6gzpFmXgwFSArW5VGKwnNTqwIHBijl2i
M1OMzvnuoSfL2+WaXub3gJOEYwQmWKsju5SA0KBVoortvA/DQdImpbmNikXoofzo
7npkk+3W76JR18kKMTk1Sg==
MIIELzCCAxegAwIBAgIUU/jatCuzU//blmn0VEuMlMkk1DIwDQYJKoZIhvcNAQEL
BQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMSMwIQYDVQQK
DBpBcGFjaGUgU29mdHdhcmUgRm91bmRhdGlvbjEPMA0GA1UECwwGUHVsc2FyMRIw
EAYDVQQDDAlQdWxzYXIgQ0ExJDAiBgkqhkiG9w0BCQEWFWRldkBwdWxzYXIuYXBh
Y2hlLm9yZzAeFw0yNDEyMTgwNjI5MjVaFw00NDEyMTMwNjI5MjVaMIGSMQswCQYD
VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEjMCEGA1UECgwaQXBhY2hlIFNv
ZnR3YXJlIEZvdW5kYXRpb24xDzANBgNVBAsMBlB1bHNhcjESMBAGA1UEAwwJbG9j
YWxob3N0MSQwIgYJKoZIhvcNAQkBFhVkZXZAcHVsc2FyLmFwYWNoZS5vcmcwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbKm8kAiP3/+Z1YcoHqMCr6Y3r
US5k956b1LS+Ovr0bsaSjzhNCM2JFT4sxJlty1iA/OBN1n32gqsNlPLiRcnTFZVX
CmyG3HhkOzRLAXxd3k/UIRpdJ6ClcHouAlDhGbS5Bd+ZDYvMYtwQc/pyizh/01ZU
YVC7kv8JcQnHvQRDPIycizLRBQSKxonYeFZN2i/07DQ3JrWH5D8myUFgujEQGb74
DKQKhRlZ4gBdt8C90S78pjSLhSrMBfb75ADmdJX/Am9DfzmnwoOOWzhAyULIvCZy
NjVkwlQiEYfoZY896UGnbRmImiCbmlLn0suz4C6PwVZUvG0UMHPF147QWl7NAgMB
AAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJh
dGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRJPLKYMM5/eXrGi1fKJJ8Sgh5d7zAf
BgNVHSMEGDAWgBScZqZelaXXcm4RdkRDNbRh+3AnbzANBgkqhkiG9w0BAQsFAAOC
AQEARkQHB3Te+umt7hCHcuQGgefZnJGZnv6y/in8WBI4fSjBO9bKGd0GbB6VF1j6
SEdiK08pojk6kPQ3Wox1TGCzYVCUWk1walBiyBdGOJIaAk1xrauUEKORsaoYqQCI
txYlPKpZRZBJmpwVXtUvLyqeYXe4Wbd+MMmOiSpXEYTizaa6eHMFoPCqR1uM8qkg
xvdQOdcHvO9/BIVgG8JeU9xA+SL4eLa+1xuEUUX3MGwV/cQHg8+J8G/5SXrM8xcA
7zP1Cmp5deVvLh+tv3406BwuCN4eFsCrc2n5LgnRe/TwjFm2gsMao4wlD3i/C7OH
ckY2vo5MZ0zKSQWgLv09oWLWAQ==
-----END CERTIFICATE-----
Loading
Loading