Commit 36b60c36 authored by David Kim's avatar David Kim

Merge branch 'x509-cert-loading' into 'master'

Forcibly load X509 cert

See merge request gitlab-org/gitlab!54569
parents eedfbf72 56933f2f
---
title: Forcibly load OpenSSL::X509::DEFAULT_CERT_FILE
merge_request: 54569
author:
type: fixed
...@@ -52,6 +52,12 @@ module Gitlab ...@@ -52,6 +52,12 @@ module Gitlab
strong_memoize(:cert_store) do strong_memoize(:cert_store) do
store = OpenSSL::X509::Store.new store = OpenSSL::X509::Store.new
store.set_default_paths store.set_default_paths
if Feature.enabled?(:x509_forced_cert_loading, type: :ops)
# Forcibly load the default cert file because the OpenSSL library seemingly ignores it
store.add_file(OpenSSL::X509::DEFAULT_CERT_FILE) if File.exist?(OpenSSL::X509::DEFAULT_CERT_FILE)
end
# valid_signing_time? checks the time attributes already # valid_signing_time? checks the time attributes already
# this flag is required, otherwise expired certificates would become # this flag is required, otherwise expired certificates would become
# unverified when notAfter within certificate attribute is reached # unverified when notAfter within certificate attribute is reached
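Review bot: A malformed or unreadable bundle at OpenSSL::X509::DEFAULT_CERT_FILE now makes cert_store raise (Store#add_file raises OpenSSL::X509::StoreError on a load failure, as far as I recall), so a corrupted system trust file turns every X.509 signature check into an exception rather than an unverified result; the File.exist? guard on the add_file line only covers absence. I would rescue narrowly around that call and keep the store as built by set_default_paths, e.g. `rescue OpenSSL::X509::StoreError => e` followed by a warning log naming the file, so the flag cannot take signature verification down. The comment's "seemingly ignores it" should state what was observed — presumably set_default_paths resolves the bundle through OpenSSL's own defaults (SSL_CERT_FILE override or the compiled-in path), which on some builds is not the path Ruby reports in DEFAULT_CERT_FILE; confirm and phrase it as `# set_default_paths does not always pick up DEFAULT_CERT_FILE (build/env dependent); load it explicitly`. The enclosing cert_store definition begins before the hunk.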
......
...@@ -11,25 +11,7 @@ RSpec.describe Gitlab::X509::Signature do ...@@ -11,25 +11,7 @@ RSpec.describe Gitlab::X509::Signature do
} }
end end
context 'commit signature' do shared_examples "a verified signature" do
let(:certificate_attributes) do
{
subject_key_identifier: X509Helpers::User1.certificate_subject_key_identifier,
subject: X509Helpers::User1.certificate_subject,
email: X509Helpers::User1.certificate_email,
serial_number: X509Helpers::User1.certificate_serial
}
end
context 'verified signature' do
context 'with trusted certificate store' do
before do
store = OpenSSL::X509::Store.new
certificate = OpenSSL::X509::Certificate.new(X509Helpers::User1.trust_cert)
store.add_cert(certificate)
allow(OpenSSL::X509::Store).to receive(:new).and_return(store)
end
it 'returns a verified signature if email does match' do it 'returns a verified signature if email does match' do
signature = described_class.new( signature = described_class.new(
X509Helpers::User1.signed_commit_signature, X509Helpers::User1.signed_commit_signature,
...@@ -88,6 +70,46 @@ RSpec.describe Gitlab::X509::Signature do ...@@ -88,6 +70,46 @@ RSpec.describe Gitlab::X509::Signature do
end end
end end
context 'commit signature' do
let(:certificate_attributes) do
{
subject_key_identifier: X509Helpers::User1.certificate_subject_key_identifier,
subject: X509Helpers::User1.certificate_subject,
email: X509Helpers::User1.certificate_email,
serial_number: X509Helpers::User1.certificate_serial
}
end
context 'verified signature' do
context 'with trusted certificate store' do
before do
store = OpenSSL::X509::Store.new
certificate = OpenSSL::X509::Certificate.new(X509Helpers::User1.trust_cert)
store.add_cert(certificate)
allow(OpenSSL::X509::Store).to receive(:new).and_return(store)
end
it_behaves_like "a verified signature"
end
context 'with the certificate defined by OpenSSL::X509::DEFAULT_CERT_FILE' do
before do
store = OpenSSL::X509::Store.new
certificate = OpenSSL::X509::Certificate.new(X509Helpers::User1.trust_cert)
file_path = Rails.root.join("tmp/cert.pem").to_s
File.open(file_path, "wb") do |f|
f.print certificate.to_pem
end
stub_const("OpenSSL::X509::DEFAULT_CERT_FILE", file_path)
allow(OpenSSL::X509::Store).to receive(:new).and_return(store)
end
it_behaves_like "a verified signature"
end
context 'without trusted certificate within store' do context 'without trusted certificate within store' do
before do before do
store = OpenSSL::X509::Store.new store = OpenSSL::X509::Store.new
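Review bot: The new "with the certificate defined by OpenSSL::X509::DEFAULT_CERT_FILE" context writes to the fixed path tmp/cert.pem and never removes it, so the file outlives the example and a repeated or concurrent run can observe another example's certificate. Use a per-example temporary file and clean up, e.g. hoist `file_path` into a `let` and add `after { File.delete(file_path) if File.exist?(file_path) }`, or build it with `Tempfile.create` inside the `before`. The example also relies on the :x509_forced_cert_loading flag being on in the spec environment — presumably specs enable flags by default, but an explicit `stub_feature_flags(x509_forced_cert_loading: true)` would make that dependency visible, and a sibling example with the flag disabled would cover the branch that skips add_file. The RSpec.describe block continues outside the hunk.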
......