static int process_request(request_rec* r) {
char message[MESSAGE_LEN];
sprintf(message, "Starting Tractis auth module process for url %s\n", r->uri);
log_debug(message);
char *enabled = is_enabled(r);
//Not enabled
if (enabled == NULL || strcmp(enabled,"true") !=0) {
char buff[MESSAGE_LEN];
sprintf(buff,"Module not enabled for given url");
log_debug(buff);
return DECLINED;
} else {
char buff[MESSAGE_LEN];
sprintf(buff,"Module enabled for given url");
log_debug(buff);
}
//Recover credentials
char *user = get_username(r);
char *password = get_password(r);
char *api_key = get_api_key(r);
if (is_debug_enabled()) {
char debug_message[MESSAGE_LEN];
sprintf(debug_message, "Credentials are %s:%s and api key is %s", user,password,api_key);
log_debug(debug_message);
}
char* certificate = (char*)apr_table_get(r->subprocess_env, "SSL_CLIENT_CERT");
//The certificate is not present so the client is not allowed to use the service
if (!certificate) {
char error_message[MESSAGE_LEN];
log_error(401, "No certificate has been provided");
return 401; //HTTP unauthorized
} else {
if (is_debug_enabled()) {
char message[MESSAGE_LEN + strlen(certificate)];
sprintf(message, "User provided certificate \n->%s<-",certificate);
log_debug(message);
}
}
int certificate_status = validate_certificate(r,certificate, user, password, api_key);
if (certificate_status == VALID) return OK;
else {
if(is_info_enabled()) {
char validation_result[MESSAGE_LEN];
sprintf(validation_result, "The provided certificate reported unsuccessful validation, result code is %d", certificate_status);
log_info(validation_result);
}
//Non valid auth
return 401;
}
}
std::list<std::string> socket_helpers::connection_info::validate_ssl() {
std::list<std::string> list;
if (!ssl.enabled)
return list;
#ifndef USE_SSL
list.push_back("SSL is not supported (not compiled with openssl)");
#endif
#ifdef USE_SSL
validate_certificate(ssl.certificate, list);
validate_certificate(ssl.ca_path, list);
if (!ssl.certificate_key.empty() && !boost::filesystem::is_regular(ssl.certificate_key))
list.push_back("Certificate key not found: " + ssl.certificate_key);
if (!ssl.dh_key.empty() && !boost::filesystem::is_regular(ssl.dh_key))
list.push_back("DH key not found: " + ssl.dh_key);
#endif
return list;
}
/* This function must be called before trying to sign any file.
* It loads string for errors, and ciphers are auto-loaded by OpenSSL now.
* If this function fails it may be because the certificate cannot
* be validated.
*
* returns: true if can initialize and validate certificates, otherwise false */
bool initialize_signature(void)
{
int ret = -1;
time_t mod_sec = 0;
struct tm *alttime;
struct stat statt;
string_or_die(&CERTNAME, "%s/%s", cert_path, SWUPDCERT);
ERR_load_crypto_strings();
ERR_load_PKCS7_strings();
EVP_add_digest(EVP_sha256());
if (!get_pubkey()) {
goto fail;
}
ret = validate_certificate();
if (ret) {
printf("Failed to verify certificate: %s\n", X509_verify_cert_error_string(ret));
if (ret == X509_V_ERR_CERT_NOT_YET_VALID) {
/* If we can retrieve an approx. good system time, report out to user */
if (stat("/usr/lib/os-release", &statt) != -1) {
mod_sec = statt.st_mtim.tv_sec;
char timebuf[30];
alttime = localtime(&mod_sec);
strftime(timebuf, sizeof(timebuf), "%F", alttime);
printf("System clock should be at least %s\n", timebuf);
}
}
goto fail;
}
/* Push our trust cert(s) to the stack, which is a set of certificates
* in which to search for the signer's cert. */
x509_stack = sk_X509_new_null();
if (!x509_stack) {
goto fail;
}
sk_X509_push(x509_stack, cert);
return true;
fail:
return false;
}
/* This function must be called before trying to sign any file.
* It loads string for errors, and ciphers are auto-loaded by OpenSSL now.
* If this function fails it may be because the certificate cannot
* be validated.
*
* returns: true if can initialize and validate certificates, otherwise false */
bool signature_init(const char *certificate_path, const char *crl)
{
int ret = -1;
X509 *cert;
if (!certificate_path) {
error("Invalid swupd certificate - Empty");
return false;
}
ERR_load_crypto_strings();
ERR_load_PKCS7_strings();
EVP_add_digest(EVP_sha256());
cert = get_cert_from_path(certificate_path);
if (!cert) {
goto fail;
}
ret = validate_certificate(cert, certificate_path, crl);
if (ret) {
if (ret == X509_V_ERR_CERT_NOT_YET_VALID) {
BIO *b;
time_t currtime = 0;
struct tm *timeinfo;
char time_str[50];
/* The system time wasn't sane, print out what it is and the cert validity range */
time(&currtime);
timeinfo = localtime(&currtime);
strftime(time_str, sizeof(time_str), "%a %b %d %H:%M:%S %Y", timeinfo);
warn("Current time is %s\n", time_str);
info("Certificate validity is:\n");
b = BIO_new_fp(stdout, BIO_NOCLOSE);
if (b == NULL) {
error("Failed to create BIO wrapping stream\n");
goto fail;
}
/* The ASN1_TIME_print function does not include a newline... */
if (!ASN1_TIME_print(b, X509_get_notBefore(cert))) {
info("\n");
error("Failed to get certificate begin date\n");
goto fail;
}
info("\n");
if (!ASN1_TIME_print(b, X509_get_notAfter(cert))) {
info("\n");
error("Failed to get certificate expiration date\n");
goto fail;
}
info("\n");
BIO_free(b);
}
goto fail;
}
/* Push our trust cert(s) to the stack, which is a set of certificates
* in which to search for the signer's cert. */
x509_stack = sk_X509_new_null();
if (!x509_stack) {
goto fail;
}
sk_X509_push(x509_stack, cert);
return true;
fail:
error("Failed to verify certificate: %s\n", X509_verify_cert_error_string(ret));
return false;
}
