Commit 36b60c36, authored Feb 25, 2021 by David Kim
Merge branch 'x509-cert-loading' into 'master'
Forcibly load X509 cert

See merge request gitlab-org/gitlab!54569
Parents: eedfbf72, 56933f2f

3 changed files with 83 additions and 50 deletions (whitespace changes hidden):
  changelogs/unreleased/x509-cert-loading.yml   +5  -0
  lib/gitlab/x509/signature.rb                  +6  -0
  spec/lib/gitlab/x509/signature_spec.rb        +72 -50
changelogs/unreleased/x509-cert-loading.yml (new file, mode 100644)
+---
+title: Forcibly load OpenSSL::X509::DEFAULT_CERT_FILE
+merge_request: 54569
+author:
+type: fixed

lib/gitlab/x509/signature.rb
@@ -52,6 +52,12 @@ module Gitlab
         strong_memoize(:cert_store) do
           store = OpenSSL::X509::Store.new
           store.set_default_paths
+
+          if Feature.enabled?(:x509_forced_cert_loading, type: :ops)
+            # Forcibly load the default cert file because the OpenSSL library seemingly ignores it
+            store.add_file(OpenSSL::X509::DEFAULT_CERT_FILE) if File.exist?(OpenSSL::X509::DEFAULT_CERT_FILE)
+          end
+
           # valid_signing_time? checks the time attributes already
           # this flag is required, otherwise expired certificates would become
           # unverified when notAfter within certificate attribute is reached
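Review bot: the comment "the OpenSSL library seemingly ignores it" leaves the actual failure mode undocumented, and `store.add_file(OpenSSL::X509::DEFAULT_CERT_FILE)` re-requests what `store.set_default_paths` on the line above already asks OpenSSL to do; record what was observed (OpenSSL/Ruby build, whether SSL_CERT_FILE was set, what verification returned) so a later reader can tell whether the workaround is still needed, and note that when the defaults do pick the file up this loads the same certificates a second time, which OpenSSL tolerates. Two further points: `File.exist?` guards only the missing-file case, while `store.add_file` raises OpenSSL::X509::StoreError on an unreadable or malformed bundle, so a rescue that logs and falls back to the default lookup would stop a broken system bundle from failing every signature check; and the changelog entry is typed `fixed` although the behaviour is gated on `Feature.enabled?(:x509_forced_cert_loading, type: :ops)`, whose default is not visible in this diff, so if the flag defaults to off the entry should say the fix is opt-in. Because the store is built under `strong_memoize(:cert_store)`, a flag change only affects newly constructed signature objects, which is fine but worth a line in the comment.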
spec/lib/gitlab/x509/signature_spec.rb
@@ -11,25 +11,7 @@ RSpec.describe Gitlab::X509::Signature do
       }
     end
 
-  context 'commit signature' do
-    let(:certificate_attributes) do
-      {
-        subject_key_identifier: X509Helpers::User1.certificate_subject_key_identifier,
-        subject: X509Helpers::User1.certificate_subject,
-        email: X509Helpers::User1.certificate_email,
-        serial_number: X509Helpers::User1.certificate_serial
-      }
-    end
-
-    context 'verified signature' do
-      context 'with trusted certificate store' do
-        before do
-          store = OpenSSL::X509::Store.new
-          certificate = OpenSSL::X509::Certificate.new(X509Helpers::User1.trust_cert)
-          store.add_cert(certificate)
-          allow(OpenSSL::X509::Store).to receive(:new).and_return(store)
-        end
-
+  shared_examples "a verified signature" do
     it 'returns a verified signature if email does match' do
       signature = described_class.new(
         X509Helpers::User1.signed_commit_signature,
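Review bot: `shared_examples "a verified signature"` uses double quotes while every other context and example name in this file uses single quotes ('returns a verified signature if email does match'); keep the quoting consistent. The shared group also has an implicit precondition worth a comment at its top: the example only means "verified" when the including context has first installed a trust store via `allow(OpenSSL::X509::Store).to receive(:new).and_return(store)`, as both of the contexts that include it below do.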
@@ -88,6 +70,46 @@ RSpec.describe Gitlab::X509::Signature do
       end
     end
+
+  context 'commit signature' do
+    let(:certificate_attributes) do
+      {
+        subject_key_identifier: X509Helpers::User1.certificate_subject_key_identifier,
+        subject: X509Helpers::User1.certificate_subject,
+        email: X509Helpers::User1.certificate_email,
+        serial_number: X509Helpers::User1.certificate_serial
+      }
+    end
+
+    context 'verified signature' do
+      context 'with trusted certificate store' do
+        before do
+          store = OpenSSL::X509::Store.new
+          certificate = OpenSSL::X509::Certificate.new(X509Helpers::User1.trust_cert)
+          store.add_cert(certificate)
+          allow(OpenSSL::X509::Store).to receive(:new).and_return(store)
+        end
+
+        it_behaves_like "a verified signature"
+      end
+
+      context 'with the certificate defined by OpenSSL::X509::DEFAULT_CERT_FILE' do
+        before do
+          store = OpenSSL::X509::Store.new
+          certificate = OpenSSL::X509::Certificate.new(X509Helpers::User1.trust_cert)
+          file_path = Rails.root.join("tmp/cert.pem").to_s
+          File.open(file_path, "wb") do |f|
+            f.print certificate.to_pem
+          end
+          stub_const("OpenSSL::X509::DEFAULT_CERT_FILE", file_path)
+          allow(OpenSSL::X509::Store).to receive(:new).and_return(store)
+        end
+
+        it_behaves_like "a verified signature"
+      end
+
       context 'without trusted certificate within store' do
         before do
           store = OpenSSL::X509::Store.new
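Review bot: the new 'with the certificate defined by OpenSSL::X509::DEFAULT_CERT_FILE' context writes `tmp/cert.pem` under Rails.root and never deletes it, and it does not set the feature flag the code path under test depends on. Write the PEM to a Tempfile (or remove the file in an `after` block) so the fixture cannot leak into other examples, and stub the flag explicitly, e.g. `stub_feature_flags(x509_forced_cert_loading: true)`, with a paired `false` case asserting that the signature is not verified; as written, the outcome rests on the flag's default in the test environment. Note also what the example proves: `stub_const` changes only the Ruby constant, not the path OpenSSL's `set_default_paths` consults, so this exercises `store.add_file` and cannot reproduce the "seemingly ignores it" condition that motivated the change.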