Ah... an expert.

OK. Welcome to the joys of "certificate revocation" and 'accept
users with certs signed only by this 'signer' cert'

Certificate revocation is ugly.
I looked at the way that mod_ssl in Apache did it and was taken
aback.
You need to:
a)  set up a 'certificate revocation list/directory MIT Hash Files Yet'
b)  Do magic to read the certs in the CRL/CRL Dir
c)  Write/add a callback so that on connection/ssl authentication
    you check to see if the user/signer is in the revocation list.
    (... and there are all sorts of nasty things...)

Don't forget to use the 'cca' script to 'revoke' the cert,
put the cert into a revocation directory, and create the hash
to it OR append it to a file of revoked certs.

So...  I can go through the pain and agony of handling this a la mod_ssl
in Apache,  or I can ... cheat.

Now I just know that you will say 'write your own authentication callback'.
Nope.  I looked at that code in the SSL distribution and it was... ugly.
And that is coming from me, who has written some code that was so ugly
that monitors died before they would display it.

But if I could simply EXTRACT the cert information, then I could
do something more audacious:

Idea:  use the LPRng lpd.perms and add a new option: AUTH_CHAIN

This would have a value of all subject name and all of the signers
of a cert:

h110: {33} % openssl x509 -noout -subject -issuer -in signer1.crt
subject= /C=US/ST=California/L=San 
[EMAIL PROTECTED]
issuer= /C=US/ST=California/L=San Diego/O=Astart/OU=Certificate Authority/CN=Astart 
[EMAIL PROTECTED]
h110: {34} % openssl x509 -noout -subject -issuer -in user1.crt
issuer= /C=US/ST=California/L=San 
[EMAIL PROTECTED]
subject= /C=US/ST=California/L=San 
[EMAIL PROTECTED]

AUTH_CHAIN=
/C=US/ST=California/L=San [EMAIL PROTECTED]
/C=US/ST=California/L=San [EMAIL PROTECTED]
/C=US/ST=California/L=San Diego/O=Astart/OU=Certificate Authority/CN=Astart 
[EMAIL PROTECTED]

(line folded to fit)

This would represent the signature chain starting from the
bottom of the certificate and going to the top.

Now you could 'cancel' a user with subject: '/.../ON=jsmith/...' using:
REJECT AUTHTYPE=SSL AUTH_CHAIN=*/ON=jsmith/*

You probably would put these into a file, say /etc/lpd/ssl/revoke.list

REJECT AUTHTYPE=SSL AUTH_CHAIN=</etc/lpd/ssl/revoke.list

You can accept only certs signed by ON=jsmith using:

REJECT AUTHTYPE=SSL NOT AUTH_CHAIN=*/ON=jsmith/*

Now, I know that the SSL/OpenSSL community is having the dry
heaves at this method (I feel kinda queasy myself).  But this
does have the benefit of allowing you to require a cert to have
a specific signer... and instead of enumerating all of the
allowed certs, to delegate this.

Patrick Powell                 Astart Technologies,
[EMAIL PROTECTED]            9475 Chesapeake Drive, Suite D,
Network and System             San Diego, CA 92123
  Consulting                   858-874-6543 FAX 858-279-8424 
LPRng - Print Spooler (http://www.lprng.com)
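The AUTH_CHAIN proposal above, worked through as an added example (editor's code, not LPRng's and not from this thread). It assumes the one-line subject names have already been extracted: on the lpd side that is the cert from SSL_get_peer_certificate() followed by each cert of SSL_get_peer_cert_chain(), each run through X509_NAME_oneline(), leaf first. The DNs and the policy are constructed, and CN is used where the post writes ON; the two rules modelled are

REJECT AUTHTYPE=SSL AUTH_CHAIN=*/CN=jsmith/*
REJECT AUTHTYPE=SSL NOT AUTH_CHAIN=*/OU=Print Admin/CN=signer1/*

with ACCEPT as the default when no rule matches (the lpd.perms default unless a DEFAULT line says otherwise).

```c
/* Added example (not LPRng or OpenSSL code): the AUTH_CHAIN idea from the
 * post as a small rule evaluator.  Subject names are assumed to have been
 * pulled out of OpenSSL already; the DNs and rules below are constructed. */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

enum action { ACCEPT = 0, REJECT = 1 };

struct rule {
    enum action action;   /* what to do when the rule matches */
    int negate;           /* 1 for a "NOT AUTH_CHAIN=..." rule */
    const char *pattern;  /* lpd.perms-style glob; see POLICY below */
};

/* Build the AUTH_CHAIN value: one-line subject names concatenated leaf first,
 * root last.  Each name already starts with '/'; a trailing '/' is appended so
 * the root's last RDN can be matched as "/CN=name/" like any other link.
 * Returns 0 on success, -1 if the buffer is too small. */
int build_auth_chain(const char *const *subjects, int n, char *out, size_t outlen)
{
    size_t used = 0;
    for (int i = 0; i < n; i++) {
        size_t len = strlen(subjects[i]);
        if (used + len + 2 > outlen)      /* +2: trailing '/' and NUL */
            return -1;
        memcpy(out + used, subjects[i], len);
        used += len;
    }
    if (used + 2 > outlen)
        return -1;
    out[used++] = '/';
    out[used] = '\0';
    return 0;
}

/* First matching rule wins, as in lpd.perms.  fnmatch() is called without
 * FNM_PATHNAME so '*' also spans '/' and a pattern can hit any link of the
 * chain.  Note that '[' and backslash inside a DN are glob metacharacters. */
enum action check_auth_chain(const struct rule *rules, int nrules,
                             const char *chain, enum action dflt)
{
    for (int i = 0; i < nrules; i++) {
        int hit = (fnmatch(rules[i].pattern, chain, 0) == 0);
        if (rules[i].negate)
            hit = !hit;
        if (hit)
            return rules[i].action;
    }
    return dflt;
}

/* Constructed policy: revoke jsmith, and accept only certs under signer1.
 * A real revoke.list would be read from a file instead of being compiled in. */
static const struct rule POLICY[] = {
    { REJECT, 0, "*/CN=jsmith/*" },
    { REJECT, 1, "*/OU=Print Admin/CN=signer1/*" },
};
#define NPOLICY ((int)(sizeof POLICY / sizeof POLICY[0]))

/* Apply the policy to a chain given as leaf-first subject names. */
enum action decide(const char *const *subjects, int n)
{
    char chain[2048];
    if (build_auth_chain(subjects, n, chain, sizeof chain) != 0)
        return REJECT;                    /* fail closed on an oversized chain */
    return check_auth_chain(POLICY, NPOLICY, chain, ACCEPT);
}

/* Constructed chains (hypothetical names, modelled on the post's DNs). */
#define ROOT   "/C=US/ST=California/L=San Diego/O=Astart/OU=Certificate Authority/CN=Astart Root"
#define SIGNER "/C=US/ST=California/L=San Diego/O=Astart/OU=Print Admin/CN=signer1"

static const char *const CHAIN_JSMITH[] = {
    "/C=US/ST=California/L=San Diego/O=Astart/OU=Users/CN=jsmith", SIGNER, ROOT };
static const char *const CHAIN_BOB[] = {
    "/C=US/ST=California/L=San Diego/O=Astart/OU=Users/CN=bob", SIGNER, ROOT };
static const char *const CHAIN_OTHER_CA[] = {
    "/C=US/ST=California/L=San Diego/O=Other/OU=Users/CN=bob",
    "/C=US/ST=California/L=San Diego/O=Other/OU=CA/CN=Other Root" };
/* A leaf whose own subject looks like the signer's: a glob with '*' on both
 * sides cannot tell the leaf from an issuer, so this one is accepted. */
static const char *const CHAIN_SPOOF[] = {
    "/C=US/ST=California/L=San Diego/O=Other/OU=Print Admin/CN=signer1",
    "/C=US/ST=California/L=San Diego/O=Other/OU=CA/CN=Other Root" };

int main(void)
{
    char chain[2048];
    build_auth_chain(CHAIN_JSMITH, 3, chain, sizeof chain);
    printf("AUTH_CHAIN=%s\n", chain);
    printf("jsmith: %s\n", decide(CHAIN_JSMITH, 3) == REJECT ? "REJECT" : "ACCEPT");
    printf("bob:    %s\n", decide(CHAIN_BOB, 3) == REJECT ? "REJECT" : "ACCEPT");
    printf("other:  %s\n", decide(CHAIN_OTHER_CA, 2) == REJECT ? "REJECT" : "ACCEPT");
    printf("spoof:  %s\n", decide(CHAIN_SPOOF, 2) == REJECT ? "REJECT" : "ACCEPT");
    return 0;
}
```

Two things the glob form does not buy you. A pattern with '*' on both sides matches the name at any link, so a cert whose own subject contains OU=Print Admin/CN=signer1 and that chains to any CA the server trusts satisfies the "only signer1" rule (the CHAIN_SPOOF case above); to pin the signer you would need a position-aware match, not a single glob. And the names are only worth matching after OpenSSL has verified the chain (SSL_VERIFY_PEER with a configured CA store), since SSL_get_peer_cert_chain() hands back the chain as the client sent it.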

> From [EMAIL PROTECTED] Thu Jun 13 02:47:26 2002
> Date: Thu, 13 Jun 2002 10:49:21 +0200
> From: Rabellino Sergio <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: LPRng: Need an OpenSSL expert
>
> Patrick Powell wrote:
> > 
> > I need somebody who is an OpenSSL expert to answer the following
> > stupid question:
> > 
> > I can get the peer certificate, and the subject and issuer
> > by using:
> > 
> >         X509 *peer;
> >         peer = SSL_get_peer_certificate(ssl);
> >         if( peer ){
> >             if( X509_NAME_oneline( X509_get_subject_name( peer ),
> >                 buffer, sizeof(buffer) ) ){
> >                 DEBUG1("Accept_SSL_connection: subject '%s'", buffer );
> >                 if( info ) Set_str_value(info,AUTHFROM,buffer);
> >             }
> >             if( X509_NAME_oneline( X509_get_issuer_name( peer ),
> >                 buffer, sizeof(buffer) ) ){
> >                 if( info ) Set_str_value(info,ISSUER,buffer);
> >                 DEBUG1("Accept_SSL_connection: issuer '%s'", buffer );
> >             }
> >             /* SSL_get_peer_certificate increments the reference count,
> >                 so the caller must X509_free() the result */
> >             X509_free(peer); peer = NULL;
> >         }
> > 
> > (Note the rough file marks on the code where I removed the identification.)
> > 
> > How do I walk up the certificate CHAIN and get the issuers for
> > each certificate?
> > 
> > I swear that I saw an example of this in my readings,  but I cannot put
> > my fingers on the code.
> > 
> > Patrick Powell
> (I have worked on OpenSSL since '96.)
> Why do you want the issuer? OpenSSL can check the validity of a cert, checking against
> an arbitrarily long cert chain (if configured), assuring
> that the cert in the SSL connection is valid at all.
>
> Bye.
> -- 
> Dott. Sergio Rabellino 
>
>  Technical Staff
>  Department of Computer Science
>  University of Torino (Italy)
>  Member of the Internet Society
>
> http://www.di.unito.it/~rabser
> Tel. +39-0116706701
> Fax. +39-011751603
>
> -----------------------------------------------------------------------------
> YOU MUST BE A LIST MEMBER IN ORDER TO POST TO THE LPRNG MAILING LIST
> The address you post from MUST be your subscription address
>
> If you need help, send email to [EMAIL PROTECTED] (or lprng-requests
> or lprng-digest-requests) with the word 'help' in the body.  For the impatient,
> to subscribe to a list with name LIST,  send mail to [EMAIL PROTECTED]
> with:                           | example:
> subscribe LIST <mailaddr>       |  subscribe lprng-digest [EMAIL PROTECTED]
> unsubscribe LIST <mailaddr>     |  unsubscribe lprng [EMAIL PROTECTED]
>
> If you have major problems,  send email to [EMAIL PROTECTED] with the word
> LPRNGLIST in the SUBJECT line.
> -----------------------------------------------------------------------------
>
