Hello Lars Volker, Alexey Serbin, Dan Burkert, Kudu Jenkins,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/9934

to look at the new patch set (#3).

Change subject: KUDU-2401: External TLS certificate with Intermediate CA in server cert file fails
......................................................................

KUDU-2401: External TLS certificate with Intermediate CA in server cert file fails

Take 2 certificate files: cert.pem and truststore.pem

cert.pem has 2 certificates in it:
  A cert for that node (with CN="hostname", and signed by
  CN=CertToolkitIntCA)
  And the intermediate CA cert (with CN=CertToolkitIntCA, and signed by
  CN=CertToolkitRootCA)

truststore.pem has 1 certificate in it:
  A cert which is the root CA (with CN=CertToolkitRootCA, self-signed)

This previously would not work with KRPC because in
TlsContext::VerifyCertChainUnlocked(), we would only verify
X509_verify_cert() with the top certificate in the server certificate
chain.

With this change, we pass the chain to X509_STORE_CTX_init() as well to
make sure that the entire chain gets checked against the CA.

A test is added that uses the specific certificate format mentioned
above and added to rpc-test.

TODO: Add a test case that has multiple intermediate CAs. Right now
we're testing with only one intermediate CA.

Change-Id: If4af35e97ec6f91c1d9ed902128bd7f4e260f0f4
---
M src/kudu/rpc/rpc-test.cc
M src/kudu/security/test/test_certs.cc
M src/kudu/security/test/test_certs.h
M src/kudu/security/tls_context.cc
4 files changed, 263 insertions(+), 4 deletions(-)

  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/34/9934/3
--
To view, visit http://gerrit.cloudera.org:8080/9934
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: If4af35e97ec6f91c1d9ed902128bd7f4e260f0f4
Gerrit-Change-Number: 9934
Gerrit-PatchSet: 3
Gerrit-Owner: Sailesh Mukil <sail...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <danburk...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Lars Volker <l...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sail...@cloudera.com>
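
The certificate layout in the commit message can be reproduced with the openssl command line to see both outcomes. This is an added example, not code from the Kudu change: it generates throwaway certificates with the CNs from the message and uses `openssl verify -untrusted`, which supplies certificates through the same untrusted-chain argument of X509_STORE_CTX_init() that the change starts passing. The function names and every file name other than cert.pem and truststore.pem are assumptions.

```sh
#!/bin/sh
# Added example; every key and certificate is throwaway, generated on the fly.

# Build the layout from the commit message inside directory $1:
#   truststore.pem = root CA only
#   cert.pem       = node certificate followed by the intermediate CA certificate
make_chain() {
  d=$1; root=CertToolkitRootCA; int=CertToolkitIntCA; node=hostname
  printf '[req]\ndistinguished_name=req\n[ca]\nbasicConstraints=critical,CA:TRUE\n' \
    > "$d/o.cnf"
  for cn in "$root" "$int" "$node"; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/o.cnf" -subj "/CN=$cn" \
      -keyout "$d/$cn.key" -out "$d/$cn.csr" 2>/dev/null || return 1
  done
  # Root CA: self-signed.
  openssl x509 -req -days 1 -in "$d/$root.csr" -signkey "$d/$root.key" \
    -extfile "$d/o.cnf" -extensions ca -out "$d/truststore.pem" 2>/dev/null || return 1
  # Intermediate CA: signed by the root.
  openssl x509 -req -days 1 -in "$d/$int.csr" -CA "$d/truststore.pem" \
    -CAkey "$d/$root.key" -set_serial 2 -extfile "$d/o.cnf" -extensions ca \
    -out "$d/int.pem" 2>/dev/null || return 1
  # Node certificate: signed by the intermediate, so the root alone cannot vouch for it.
  openssl x509 -req -days 1 -in "$d/$node.csr" -CA "$d/int.pem" \
    -CAkey "$d/$int.key" -set_serial 3 -out "$d/node.pem" 2>/dev/null || return 1
  cat "$d/node.pem" "$d/int.pem" > "$d/cert.pem"
}

# Leaf only: openssl verify reads just the first certificate in cert.pem,
# so the intermediate is never offered to the chain builder.
verify_leaf_only() {
  openssl verify -CAfile "$1/truststore.pem" "$1/cert.pem" >/dev/null 2>&1
}

# Leaf plus chain: every certificate in cert.pem is also supplied as untrusted
# chain material, so a path node -> intermediate -> root can be built.
verify_with_chain() {
  openssl verify -CAfile "$1/truststore.pem" -untrusted "$1/cert.pem" \
    "$1/cert.pem" >/dev/null 2>&1
}

demo=$(mktemp -d)
if make_chain "$demo"; then
  verify_leaf_only "$demo" && echo "leaf only: OK" || echo "leaf only: rejected"
  verify_with_chain "$demo" && echo "leaf + chain: OK" || echo "leaf + chain: rejected"
fi
rm -rf "$demo"
```

Certificates passed as untrusted only help build the path; trust still comes solely from truststore.pem, so an intermediate that does not chain to the root is still rejected.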