diff --git a/lxd-agent/server.go b/lxd-agent/server.go index fac40701d1b7..d1d885916d24 100644 --- a/lxd-agent/server.go +++ b/lxd-agent/server.go @@ -111,7 +111,7 @@ func authenticate(r *http.Request, cert *x509.Certificate) bool { clientCerts := map[string]x509.Certificate{"0": *cert} for _, cert := range r.TLS.PeerCertificates { - trusted, _ := util.CheckTrustState(*cert, clientCerts, nil, false) + trusted, _ := util.CheckMutualTLS(*cert, clientCerts) if trusted { return true } diff --git a/lxd/certificates.go b/lxd/certificates.go index 37879bc1c9af..fe01e4d00e2b 100644 --- a/lxd/certificates.go +++ b/lxd/certificates.go @@ -488,7 +488,16 @@ func certificatesPost(d *Daemon, r *http.Request) response.Response { // added when in CA mode. return response.BadRequest(fmt.Errorf("No client certificate provided")) } + cert = r.TLS.PeerCertificates[len(r.TLS.PeerCertificates)-1] + networkCert := d.endpoints.NetworkCert() + if networkCert.CA() != nil { + // If we are in CA mode, we only allow adding certificates that are signed by the CA. + trusted, _, _ := util.CheckCASignature(*cert, networkCert) + if !trusted { + return response.Forbidden(fmt.Errorf("The certificate is not trusted by the CA or has been revoked")) + } + } remoteHost, _, err := net.SplitHostPort(r.RemoteAddr) if err != nil { diff --git a/lxd/cluster/tls.go b/lxd/cluster/tls.go index ad02b5239202..77defbbdce34 100644 --- a/lxd/cluster/tls.go +++ b/lxd/cluster/tls.go @@ -70,13 +70,13 @@ func tlsCheckCert(r *http.Request, networkCert *shared.CertInfo, serverCert *sha // member before the database is available. It also allows us to switch the server certificate to // the network certificate during cluster upgrade to per-server certificates, and it be trusted. trustedServerCert, _ := x509.ParseCertificate(serverCert.KeyPair().Certificate[0]) - trusted, _ := util.CheckTrustState(*i, map[string]x509.Certificate{serverCert.Fingerprint(): *trustedServerCert}, networkCert, false) + trusted, _ := util.CheckMutualTLS(*i, map[string]x509.Certificate{serverCert.Fingerprint(): *trustedServerCert}) if trusted { return true } // Check the trusted server certficates list provided. - trusted, _ = util.CheckTrustState(*i, trustedCerts[db.CertificateTypeServer], networkCert, false) + trusted, _ = util.CheckMutualTLS(*i, trustedCerts[db.CertificateTypeServer]) if trusted { return true } diff --git a/lxd/daemon.go b/lxd/daemon.go index 341588c8aa0d..339af7869a93 100644 --- a/lxd/daemon.go +++ b/lxd/daemon.go @@ -296,7 +296,7 @@ func (d *Daemon) Authenticate(w http.ResponseWriter, r *http.Request) (bool, str // Allow internal cluster traffic by checking against the trusted certfificates. if r.TLS != nil { for _, i := range r.TLS.PeerCertificates { - trusted, _ := util.CheckTrustState(*i, trustedCerts[db.CertificateTypeServer], d.endpoints.NetworkCert(), false) + trusted, _ := util.CheckMutualTLS(*i, trustedCerts[db.CertificateTypeServer]) if trusted { return true, "", "cluster", nil } @@ -368,8 +368,19 @@ func (d *Daemon) Authenticate(w http.ResponseWriter, r *http.Request) (bool, str return false, "", "", err } + networkCert := d.endpoints.NetworkCert() + checkCertificateSignature := networkCert.CA() != nil for _, i := range r.TLS.PeerCertificates { - trusted, username := util.CheckTrustState(*i, trustedCerts[db.CertificateTypeClient], d.endpoints.NetworkCert(), trustCACertificates) + if checkCertificateSignature { + trusted, _, username := util.CheckCASignature(*i, networkCert) + if !trusted { + return false, "", "", nil + } else if trustCACertificates { + return true, username, "tls", nil + } + } + + trusted, username := util.CheckMutualTLS(*i, trustedCerts[db.CertificateTypeClient]) if trusted { return true, username, "tls", nil } diff --git a/lxd/util/http.go b/lxd/util/http.go index 14a71f4f62b7..0b285369d050 100644 --- a/lxd/util/http.go +++ b/lxd/util/http.go @@ -21,6 +21,7 @@ import ( log "gopkg.in/inconshreveable/log15.v2" "github.com/canonical/lxd/shared" + "github.com/canonical/lxd/shared/api" "github.com/canonical/lxd/shared/logger" ) @@ -148,40 +149,76 @@ type ContextAwareRequest interface { WithContext(ctx context.Context) *http.Request } -// CheckTrustState checks whether the given client certificate is trusted -// (i.e. it has a valid time span and it belongs to the given list of trusted -// certificates). -func CheckTrustState(cert x509.Certificate, trustedCerts map[string]x509.Certificate, networkCert *shared.CertInfo, trustCACertificates bool) (bool, string) { - // Extra validity check (should have been caught by TLS stack) - if time.Now().Before(cert.NotBefore) || time.Now().After(cert.NotAfter) { - return false, "" +// certificateInDate returns an error if the current time is before the certificates "not before", or after the +// certificates "not after". +func certificateInDate(cert x509.Certificate) error { + now := time.Now() + if now.Before(cert.NotBefore) { + return api.StatusErrorf(http.StatusUnauthorized, "Certificate is not yet valid") } - if networkCert != nil && trustCACertificates { - ca := networkCert.CA() + if now.After(cert.NotAfter) { + return api.StatusErrorf(http.StatusUnauthorized, "Certificate has expired") + } - if ca != nil && cert.CheckSignatureFrom(ca) == nil { - // Check whether the certificate has been revoked. - crl := networkCert.CRL() + return nil +} - if crl != nil { - for _, revoked := range crl.TBSCertList.RevokedCertificates { - if cert.SerialNumber.Cmp(revoked.SerialNumber) == 0 { - return false, "" // Certificate is revoked, so not trusted anymore. - } - } - } +// CheckCASignature returns whether the certificate is signed by the CA, whether the certificate has been revoked, and the +// certificate fingerprint. +func CheckCASignature(cert x509.Certificate, networkCert *shared.CertInfo) (trusted bool, revoked bool, fingerprint string) { + err := certificateInDate(cert) + if err != nil { + return false, false, "" + } + + if networkCert == nil { + logger.Error("Failed to check certificate has been signed by the CA, no network certificate provided") + return false, false, "" + } + + ca := networkCert.CA() + if ca == nil { + logger.Error("Failed to check certificate has been signed by the CA, no CA defined on network certificate") + return false, false, "" + } - // Certificate not revoked, so trust it as is signed by CA cert. - return true, shared.CertFingerprint(&cert) + err = cert.CheckSignatureFrom(ca) + if err != nil { + // Certificate not signed by CA. + return false, false, "" + } + + crl := networkCert.CRL() + if crl == nil { + // No revokation list entries to check. + return true, false, shared.CertFingerprint(&cert) + } + + for _, revoked := range crl.TBSCertList.RevokedCertificates { + if cert.SerialNumber.Cmp(revoked.SerialNumber) == 0 { + // Certificate has been revoked + return false, true, "" } } - // Check whether client certificate is in trust store. - for k, v := range trustedCerts { + // Certificate not revoked. + return true, false, shared.CertFingerprint(&cert) +} + +// CheckMutualTLS checks whether the given certificate is valid and is present in the given trustedCerts map. +// Returns true if the certificate is trusted, and the fingerprint of the certificate. +func CheckMutualTLS(cert x509.Certificate, trustedCerts map[string]x509.Certificate) (bool, string) { + err := certificateInDate(cert) + if err != nil { + return false, "" + } + + // Check whether client certificate is in the map of trusted certs. + for fingerprint, v := range trustedCerts { if bytes.Compare(cert.Raw, v.Raw) == 0 { - logger.Debug("Matched trusted cert", log.Ctx{"fingerprint": k, "subject": v.Subject}) - return true, k + logger.Debug("Matched trusted cert", log.Ctx{"fingerprint": fingerprint, "subject": v.Subject}) + return true, fingerprint } } diff --git a/lxd/util/net.go b/lxd/util/net.go index 73c54d7b7409..99f81d844091 100644 --- a/lxd/util/net.go +++ b/lxd/util/net.go @@ -117,7 +117,7 @@ func ServerTLSConfig(cert *shared.CertInfo) *tls.Config { config.RootCAs = pool config.ClientCAs = pool - logger.Infof("LXD is in CA mode, only CA-signed certificates will be allowed") + logger.Infof("LXD is in CA mode, only CA-signed client certificates will be allowed") } config.BuildNameToCertificate() diff --git a/shared/network.go b/shared/network.go index b681e29afcc6..a8bf64fba803 100644 --- a/shared/network.go +++ b/shared/network.go @@ -147,6 +147,12 @@ func GetTLSConfigMem(tlsClientCert string, tlsClientKey string, tlsClientCA stri } tlsConfig.Certificates = []tls.Certificate{cert} + tlsConfig.GetClientCertificate = func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) { + // GetClientCertificate is called if not nil instead of performing the default selection of an appropriate + // certificate from the `Certificates` list. We only have one-key pair to send, and we always want to send it + // because this is what uniquely identifies the caller to the server. + return &cert, nil + } } var tlsRemoteCert *x509.Certificate diff --git a/test/suites/pki.sh b/test/suites/pki.sh index ad6aec8d741d..fbaa124c5f6b 100644 --- a/test/suites/pki.sh +++ b/test/suites/pki.sh @@ -1,14 +1,21 @@ +# shellcheck disable=2031 test_pki() { if [ ! -d "/usr/share/easy-rsa/" ]; then echo "==> SKIP: The pki test requires easy-rsa to be installed" return fi + cert_fingerprint() { + openssl x509 -noout -fingerprint -sha256 -in "${1}" | sed 's/.*=//; s/://g; s/\(.*\)/\L\1/' + } + # Setup the PKI. cp -R /usr/share/easy-rsa "${TEST_DIR}/pki" ( set -e cd "${TEST_DIR}/pki" + export EASYRSA_KEY_SIZE=4096 + # shellcheck disable=SC1091 if [ -e pkitool ]; then . ./vars @@ -23,12 +30,13 @@ test_pki() { echo "lxd" | ./easyrsa build-ca nopass ./easyrsa gen-crl ./easyrsa build-client-full lxd-client nopass - ./easyrsa build-client-full lxd-client-revoked nopass + ./easyrsa build-client-full ca-trusted nopass + ./easyrsa build-client-full prior-revoked nopass mkdir keys cp pki/private/* keys/ cp pki/issued/* keys/ cp pki/ca.crt keys/ - echo "yes" | ./easyrsa revoke lxd-client-revoked + echo "yes" | ./easyrsa revoke prior-revoked ./easyrsa gen-crl cp pki/crl.pem keys/ fi @@ -37,65 +45,183 @@ test_pki() { # Setup the daemon. LXD5_DIR=$(mktemp -d -p "${TEST_DIR}" XXX) chmod +x "${LXD5_DIR}" - cp "${TEST_DIR}/pki/keys/ca.crt" "${LXD5_DIR}/server.ca" - cp "${TEST_DIR}/pki/keys/crl.pem" "${LXD5_DIR}/ca.crl" spawn_lxd "${LXD5_DIR}" true LXD5_ADDR=$(cat "${LXD5_DIR}/lxd.addr") - # Setup the client. + # Add a certificate to the trust store that is not signed by the CA before enabling CA mode. + lxc_remote remote add pki-lxd "${LXD5_ADDR}" --accept-certificate --password foo + + # Shutdown LXD. The CA certificate and revokation list must be present at start up to enable PKI. + shutdown_lxd "${LXD5_DIR}" + cp "${TEST_DIR}/pki/keys/ca.crt" "${LXD5_DIR}/server.ca" + cp "${TEST_DIR}/pki/keys/crl.pem" "${LXD5_DIR}/ca.crl" + respawn_lxd "${LXD5_DIR}" true + + # New tmp directory for lxc client config. LXC5_DIR=$(mktemp -d -p "${TEST_DIR}" XXX) - cp "${TEST_DIR}/pki/keys/lxd-client.crt" "${LXC5_DIR}/client.crt" - cp "${TEST_DIR}/pki/keys/lxd-client.key" "${LXC5_DIR}/client.key" - cp "${TEST_DIR}/pki/keys/ca.crt" "${LXC5_DIR}/client.ca" # Confirm that a valid client certificate works. ( set -e - export LXD_CONF=${LXC5_DIR} + # shellcheck disable=2030 + export LXD_CONF="${LXC5_DIR}" + + ### CA signed certificate with `core.trust_ca_certificates` disabled. + + # Set up the client config + cp "${TEST_DIR}/pki/keys/lxd-client.crt" "${LXD_CONF}/client.crt" + cp "${TEST_DIR}/pki/keys/lxd-client.key" "${LXD_CONF}/client.key" + cp "${TEST_DIR}/pki/keys/ca.crt" "${LXD_CONF}/client.ca" + cat "${LXD_CONF}/client.crt" "${LXD_CONF}/client.key" > "${LXD_CONF}/client.pem" - # Try adding remote using an incorrect password. - # This should fail, as if the certificate is unknown and password is wrong then no access should be allowed. + # Try adding remote using an incorrect password. This should fail even though the client certificate + # has been signed by the CA because `core.trust_ca_certificates` is not enabled. ! lxc_remote remote add pki-lxd "${LXD5_ADDR}" --accept-certificate --password=bar || false # Add remote using the correct password. # This should work because the client certificate is signed by the CA. - lxc_remote remote add pki-lxd "${LXD5_ADDR}" --accept-certificate --password=foo + lxc_remote remote add pki-lxd "${LXD5_ADDR}" --accept-certificate --password foo + + # Should have trust store entry because `core.trust_ca_certificates` is disabled. lxc_remote config trust ls pki-lxd: | grep lxd-client + + # Should be able to view server config + lxc_remote info pki-lxd: | grep -F 'core.https_address' + curl -s --cert "${LXD_CONF}/client.pem" --cacert "${LXD5_DIR}/server.crt" "https://${LXD5_ADDR}/1.0" | jq -e '.metadata.config."core.https_address"' + + # Revoke the client certificate + cd "${TEST_DIR}/pki" && "${TEST_DIR}/pki/easyrsa" --batch revoke lxd-client keyCompromise && "${TEST_DIR}/pki/easyrsa" gen-crl && cd - + + # Restart LXD with the revoked certificate in the CRL. + shutdown_lxd "${LXD5_DIR}" + cp "${TEST_DIR}/pki/pki/crl.pem" "${LXD5_DIR}/ca.crl" + respawn_lxd "${LXD5_DIR}" true + + # Revoked certificate no longer has access even though it is in the trust store. + lxc_remote info pki-lxd: | grep -F 'auth: untrusted' + ! lxc_remote ls pki-lxd: || false + [ "$(curl -s --cert "${LXD_CONF}/client.pem" --cacert "${LXD5_DIR}/server.crt" "https://${LXD5_ADDR}/1.0/instances" | jq -e -r '.error')" = "not authorized" ] + + # Remove cert from truststore. + fingerprint="$(cert_fingerprint "${LXD_CONF}/client.crt")" + LXD_DIR="${LXD5_DIR}" lxc config trust remove "${fingerprint}" lxc_remote remote remove pki-lxd - # Add remote using a CA-signed client certificate, and not providing a password. - # This should succeed and tests that the CA trust is working, as adding the client certificate to the trust - # store without a trust password would normally fail. + + ### CA signed certificate with `core.trust_ca_certificates` enabled. + + # Set up the client config + cp "${TEST_DIR}/pki/keys/ca-trusted.crt" "${LXD_CONF}/client.crt" + cp "${TEST_DIR}/pki/keys/ca-trusted.key" "${LXD_CONF}/client.key" + cat "${LXD_CONF}/client.crt" "${LXD_CONF}/client.key" > "${LXD_CONF}/client.pem" + + # Enable `core.trust_ca_certificates`. LXD_DIR=${LXD5_DIR} lxc config set core.trust_ca_certificates true + + # Add remote using a CA-signed client certificate, and not providing a password. + # This should succeed because `core.trust_ca_certificates` is enabled. lxc_remote remote add pki-lxd "${LXD5_ADDR}" --accept-certificate - lxc_remote config trust ls pki-lxd: | grep lxd-client + + # Client cert should not be present in trust store. + ! lxc_remote config trust ls pki-lxd: | grep ca-trusted || false + + # Remove remote lxc_remote remote remove pki-lxd - # Add remote using a CA-signed client certificate, and providing an incorrect password. + # Add the remote again using an incorrect password. # This should succeed as is the same as the test above but with an incorrect password rather than no password. lxc_remote remote add pki-lxd "${LXD5_ADDR}" --accept-certificate --password=bar - lxc_remote config trust ls pki-lxd: | grep lxd-client - lxc_remote remote remove pki-lxd + + # Client cert should not be present in trust store. + ! lxc_remote config trust ls pki-lxd: | grep ca-trusted || false + + # The certificate is trusted as root because `core.trust_ca_certificates` is enabled. + lxc_remote info pki-lxd: | grep -F 'core.https_address' + curl -s --cert "${LXD_CONF}/client.pem" --cacert "${LXD5_DIR}/server.crt" "https://${LXD5_ADDR}/1.0" | jq -e '.metadata.config."core.https_address"' + + # Unset `core.trust_ca_certificates` (this should work because the certificate is trusted as root as `core.trust_ca_certificates` is still enabled). + lxc_remote config unset pki-lxd: core.trust_ca_certificates + + # Check that we no longer have access. + lxc_remote info pki-lxd: | grep -F 'auth: untrusted' + ! lxc_remote ls pki-lxd: || false + [ "$(curl -s --cert "${LXD_CONF}/client.pem" --cacert "${LXD5_DIR}/server.crt" "https://${LXD5_ADDR}/1.0/instances" | jq -e -r '.error')" = "not authorized" ] + + # Re-enable `core.trust_ca_certificates`. + LXD_DIR=${LXD5_DIR} lxc config set core.trust_ca_certificates true + + # Revoke the client certificate + cd "${TEST_DIR}/pki" && "${TEST_DIR}/pki/easyrsa" --batch revoke ca-trusted keyCompromise && "${TEST_DIR}/pki/easyrsa" gen-crl && cd - + + # Restart LXD with the revoked certificate. + shutdown_lxd "${LXD5_DIR}" + cp "${TEST_DIR}/pki/pki/crl.pem" "${LXD5_DIR}/ca.crl" + respawn_lxd "${LXD5_DIR}" true + + # Check that we no longer have access (certificate was previously trusted, but is now revoked). + lxc_remote info pki-lxd: | grep -F 'auth: untrusted' + ! lxc_remote ls pki-lxd: || false + [ "$(curl -s --cert "${LXD_CONF}/client.pem" --cacert "${LXD5_DIR}/server.crt" "https://${LXD5_ADDR}/1.0/instances" | jq -e -r '.error')" = "not authorized" ] + + # Remove remote. + lxc remote remove pki-lxd + + ### CA signed certificate that has been revoked prior to connecting to LXD. + # `core.trust_ca_certificates` is currently enabled. # Replace the client certificate with a revoked certificate in the CRL. - cp "${TEST_DIR}/pki/keys/lxd-client-revoked.crt" "${LXC5_DIR}/client.crt" - cp "${TEST_DIR}/pki/keys/lxd-client-revoked.key" "${LXC5_DIR}/client.key" + cp "${TEST_DIR}/pki/keys/prior-revoked.crt" "${LXC5_DIR}/client.crt" + cp "${TEST_DIR}/pki/keys/prior-revoked.key" "${LXC5_DIR}/client.key" # Try adding a remote using a revoked client certificate, and the correct password. - # This should fail, as although revoked certificates can be added to the trust store, they will not be usable. - ! lxc_remote remote add pki-lxd "${LXD5_ADDR}" --accept-certificate --password=foo || false + # This should fail, and the revoked certificate should not be added to the trust store. + ! lxc_remote remote add pki-lxd "${LXD5_ADDR}" --accept-certificate --password foo || false + ! lxc config trust ls | grep prior-revoked || false # Try adding a remote using a revoked client certificate, and an incorrect password. # This should fail, as if the certificate is revoked and password is wrong then no access should be allowed. ! lxc_remote remote add pki-lxd "${LXD5_ADDR}" --accept-certificate --password=incorrect || false + + # Unset `core.trust_ca_certificates` and re-test, there should be no change in behaviour as the certificate is revoked. + LXD_DIR=${LXD5_DIR} lxc config unset core.trust_ca_certificates + + # Try adding a remote using a revoked client certificate, and the correct password. + # This should fail, and the revoked certificate should not be added to the trust store. + ! lxc_remote remote add pki-lxd "${LXD5_ADDR}" --accept-certificate --password foo || false + ! lxc config trust ls | grep prior-revoked || false + + # Try adding a remote using a revoked client certificate, and an incorrect password. + # This should fail, as if the certificate is revoked and password is wrong then no access should be allowed. + ! lxc_remote remote add pki-lxd "${LXD5_ADDR}" --accept-certificate --password=incorrect || false + + # Check we can't access anything with the revoked certificate. + [ "$(curl -s --cert "${LXD_CONF}/client.pem" --cacert "${LXD5_DIR}/server.crt" "https://${LXD5_ADDR}/1.0/instances" | jq -e -r '.error')" = "not authorized" ] ) - # Confirm that a normal, non-PKI certificate doesn't. - # As LXD_CONF is not set to LXC5_DIR where the CA signed client certs are, this will cause the lxc command to - # generate a new certificate that isn't trusted by the CA certificate and thus will not be allowed, even with a - # correct trust password. This is because the LXD TLS listener in CA mode will not consider a client cert that - # is not signed by the CA as valid. - ! lxc_remote remote add pki-lxd "${LXD5_ADDR}" --accept-certificate --password=foo || false + # Confirm that we cannot add a remote using a certificate that is not signed by the CA. + # Outside of the subshell above, `LXD_CONF` is not set to `LXD5_DIR` where the CA trusted certs are. + # Since we added a certificate to the trust store prior to enabling PKI, the certificates in current `LXD_CONF` are + # in the trust store, but not signed by the CA. So here we are checking that mTLS for a client does not work when CA + # mode is enabled. + ! lxc_remote remote add pki-lxd2 "${LXD5_ADDR}" --accept-certificate --password foo || false + + # Confirm that the certificate we added earlier cannot authenticate with LXD. + lxc_remote info pki-lxd: | grep -F 'auth: untrusted' + ! lxc_remote ls pki-lxd: || false + cat "${LXD_CONF}/client.crt" "${LXD_CONF}/client.key" > "${LXD_CONF}/client.pem" + [ "$(curl -s --cert "${LXD_CONF}/client.pem" --cacert "${LXD5_DIR}/server.crt" "https://${LXD5_ADDR}/1.0/instances" | jq -e -r '.error')" = "not authorized" ] + + # Trick LXD into thinking the client cert is a server certificate. + LXD_DIR="${LXD5_DIR}" lxd sql global "UPDATE certificates SET type = 2 WHERE fingerprint = '$(cert_fingerprint "${LXD_CONF}/client.crt")'" + shutdown_lxd "${LXD5_DIR}" + respawn_lxd "${LXD5_DIR}" true + + # Show that mTLS still works for server certificates. A server certificate has root access, so it can see server config. + lxc_remote info pki-lxd: | grep -F 'auth: trusted' + curl -s --cert "${LXD_CONF}/client.pem" --cacert "${LXD5_DIR}/server.crt" "https://${LXD5_ADDR}/1.0" | jq -e '.metadata.config."core.https_address"' + + rm "${LXD_CONF}/client.pem" + lxc remote rm pki-lxd kill_lxd "${LXD5_DIR}" }