"cert" + clientcert=verify-ca in pg_hba.conf?

Wed, 15 Jul 2020 17:31:01 -0700 

Hello.

The "Certificate Authentication" section in the doc for PG12 and later
describes the relation ship with clientcert as follows.

> In a pg_hba.conf record specifying certificate authentication, the
> authentication option clientcert is assumed to be verify-ca or
> verify-full, and it cannot be turned off since a client certificate
> is necessary for this method. What the cert method adds to the basic
> clientcert certificate validity test is a check that the cn
> attribute matches the database user name.

In reality, cert method is assumed as "vefiry-full" and does not add
anything to verify-full and cannot be degraded or turned off. It seems
to be a mistake on rewriting it when clientcert was changed to accept
verify-ca/full at PG12.

Related to that, pg_hba.conf accepts the combination of "cert" method
and the option clientcert="verify-ca" but it is ignored. We should
reject that combination the same way with "cert"+"no-verify".

regards.

-- 
Kyotaro Horiguchi
NTT Open Source Software Center

>From d7e24df379f29e55adc41c6a98602f2434f5b07e Mon Sep 17 00:00:00 2001
From: Kyotaro Horiguchi <horikyoga....@gmail.com>
Date: Wed, 15 Jul 2020 21:00:20 +0900
Subject: [PATCH] Fix behavior for "cert"+"verify-ca" in pg_hba.conf

"cert" method in a line in pg_hba.conf is assumed as
clientcert="verify_full" and if we set it to "verify-ca", it is just
ignored. Since we explicitly reject "no-verify" in that case so we
should reject verify-ca as well.
---
 doc/src/sgml/client-auth.sgml |  7 ++-----
 src/backend/libpq/hba.c       | 10 ++++++++++
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 5cd88b462d..5ea45d5b87 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -2044,11 +2044,8 @@ host ... radius radiusservers="server1,server2" radiussecrets="""secret one"",""
    <para>
     In a <filename>pg_hba.conf</filename> record specifying certificate
     authentication, the authentication option <literal>clientcert</literal> is
-    assumed to be <literal>verify-ca</literal> or <literal>verify-full</literal>,
-    and it cannot be turned off since a client certificate is necessary for this
-    method. What the <literal>cert</literal> method adds to the basic
-    <literal>clientcert</literal> certificate validity test is a check that the
-    <literal>cn</literal> attribute matches the database user name.
+    assumed to be <literal>verify-full</literal>,
+    and it cannot be degradated to verify-ca nor turned off.
    </para>
   </sect1>
 
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 9d63830553..18ef385405 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1711,6 +1711,16 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
 		if (strcmp(val, "1") == 0
 			|| strcmp(val, "verify-ca") == 0)
 		{
+			if (hbaline->auth_method == uaCert)
+			{
+				ereport(elevel,
+						(errcode(ERRCODE_CONFIG_FILE_ERROR),
+						 errmsg("clientcert can not be set to \"verify-ca\" when using \"cert\" authentication"),
+						 errcontext("line %d of configuration file \"%s\"",
+									line_num, HbaFileName)));
+				*err_msg = "clientcert can not be set to \"verify-ca\" when using \"cert\" authentication";
+				return false;
+			}
 			hbaline->clientcert = clientCertCA;
 		}
 		else if (strcmp(val, "verify-full") == 0)
-- 
2.18.4

Reply via email to