# -------------------------------------------------------------------------- # # Copyright 2002-2012, OpenNebula Project Leads (OpenNebula.org) # # # # Licensed under the Apache License, Version 2.0 (the "License"); you may # # not use this file except in compliance with the License. You may obtain # # a copy of the License at # # # # http://www.apache.org/licenses/LICENSE-2.0 # # # # Unless required by applicable law or agreed to in writing, software # # distributed under the License is distributed on an "AS IS" BASIS, # # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # # See the License for the specific language governing permissions and # # limitations under the License. # #--------------------------------------------------------------------------- # require 'openssl' require 'base64' require 'fileutils' require 'yaml' # X509 authentication class. It can be used as a driver for auth_mad # as auth method is defined. It also holds some helper methods to be used # by oneauth command class X509Auth ########################################################################### #Constants with paths to relevant files and defaults ########################################################################### if !ENV["ONE_LOCATION"] ETC_LOCATION = "/etc/one" else ETC_LOCATION = ENV["ONE_LOCATION"] + "/etc" end LOGIN_PATH = ENV['HOME']+'/.one/one_x509' X509_AUTH_CONF_PATH = ETC_LOCATION + "/auth/x509_auth.conf" X509_DEFAULTS = { :ca_dir => ETC_LOCATION + "/auth/certificates" } ########################################################################### # Initialize x509Auth object # # @param [Hash] default options for path # @option options [String] :certs_pem # cert chain array in colon-separated pem format # @option options [String] :key_pem # key in pem format # @option options [String] :ca_dir # directory of trusted CA's. Needed for auth method, not for login. def initialize(options={}) @options ||= X509_DEFAULTS @options.merge!(options) load_options(X509_AUTH_CONF_PATH) @cert_chain = @options[:certs_pem].collect do |cert_pem| OpenSSL::X509::Certificate.new(cert_pem) end if @options[:key_pem] @key = OpenSSL::PKey::RSA.new(@options[:key_pem]) end end ########################################################################### # Client side ########################################################################### # Creates the login file for x509 authentication at ~/.one/one_x509. # By default it is valid as long as the certificate is valid. It can # be changed to any number of seconds with expire parameter (sec.) def login(user, expire=0) write_login(login_token(user,expire)) end # Returns a valid password string to create a user using this auth driver. # In this case the dn of the user certificate. def password @cert_chain[0].subject.to_s.delete("\s") end # Generates a login token in the form: # user_name:x509:user_name:time_expires:cert_chain # - user_name:time_expires is encrypted with the user certificate # - user_name:time_expires:cert_chain is base64 encoded def login_token(user, expire) if expire != 0 expires = Time.now.to_i + expire.to_i else expires = @cert_chain[0].not_after.to_i end text_to_sign = "#{user}:#{expires}" signed_text = encrypt(text_to_sign) certs_pem = @cert_chain.collect{|cert| cert.to_pem}.join(":") token = "#{signed_text}:#{certs_pem}" token64 = Base64::encode64(token).strip.delete("\n") login_out = "#{user}:#{token64}" login_out end ########################################################################### # Server side ########################################################################### # auth method for auth_mad def authenticate(user, pass, signed_text) begin # Decryption demonstrates that the user posessed the private key. _user, expires = decrypt(signed_text).split(':') return "User name missmatch" if user != _user return "x509 proxy expired" if Time.now.to_i >= expires.to_i # Some DN in the chain must match a DN in the password dn_ok = @cert_chain.each do |cert| if pass.split('|').include?(cert.subject.to_s.delete("\s")) break true end end unless dn_ok == true return "Certificate subject missmatch" end validate return true rescue => e return e.message end end private # Writes a login_txt to the login file as defined in LOGIN_PATH # constant def write_login(login_txt) # Inits login file path and creates ~/.one directory if needed # Set instance variables login_dir = File.dirname(LOGIN_PATH) begin FileUtils.mkdir_p(login_dir) rescue Errno::EEXIST end file = File.open(LOGIN_PATH, "w") file.write(login_txt) file.close File.chmod(0600,LOGIN_PATH) end # Load class options form a configuration file (yaml syntax) def load_options(conf_file) if File.readable?(conf_file) conf_txt = File.read(conf_file) conf_opt = YAML::load(conf_txt) @options.merge!(conf_opt) if conf_opt != false end end ########################################################################### # Methods to encrpyt/decrypt keys ########################################################################### # Encrypts data with the private key of the user and returns # base 64 encoded output in a single line def encrypt(data) return nil if !@key Base64::encode64(@key.private_encrypt(data)).delete("\n").strip end # Decrypts base 64 encoded data with pub_key (public key) def decrypt(data) @cert_chain[0].public_key.public_decrypt(Base64::decode64(data)) end ########################################################################### # Validate the user certificate ########################################################################### def validate now = Time.now failed = "Could not validate user credentials: " # Check start time and end time of certificates @cert_chain.each do |cert| if cert.not_before > now || cert.not_after < now raise failed + "Certificate not valid. Current time is " + now.localtime.to_s + "." end end begin # Validate the proxy certifcates signee = @cert_chain[0] ## FC-Start fc_ca_hash = signee.issuer.hash.to_s(16) fc_ca_path = @options[:ca_dir] + '/' + fc_ca_hash + '.0' fc_ca_cert = OpenSSL::X509::Certificate.new( File.read(fc_ca_path) ) fc_rl_path = @options[:ca_dir] + '/' + fc_ca_hash + '.r0' fc_rl_cert = OpenSSL::X509::CRL.new( File.read(fc_rl_path) ) ## First verify the CRL itself with its signer(DOEGrids.pem) unless fc_rl_cert.verify( fc_ca_cert.public_key ) then raise failed + "CRL is not verified by its Signer" end fcarray = fc_rl_cert.revoked ## Extract the list of revoked certificates from the CRL ## Loop over the list and compare with the target personal certificate fcarray.each do |e| if e.serial.eql?(signee.serial) then # if e.serial == hkcert.serial then # puts "A = e.serial and B = signee.serial" raise failed + "#{signee.subject.to_s} is found in the CRL, i.e. it is revoked" end end ## FC-End @cert_chain[1..-1].each do |cert| if !((signee.issuer.to_s == cert.subject.to_s) && (signee.verify(cert.public_key))) raise failed + signee.subject.to_s + " with issuer " + signee.issuer.to_s + " was not verified by " + cert.subject.to_s + "." end signee = cert end # Validate the End Entity certificate if !@options[:ca_dir] raise failed + "No certifcate authority directory was specified." end begin ca_hash = signee.issuer.hash.to_s(16) ca_path = @options[:ca_dir] + '/' + ca_hash + '.0' ca_cert = OpenSSL::X509::Certificate.new(File.read(ca_path)) if !((signee.issuer.to_s == ca_cert.subject.to_s) && (signee.verify(ca_cert.public_key))) raise failed + signee.subject.to_s + " with issuer " + signee.issuer.to_s + " was not verified by " + ca_cert.subject.to_s + "." end signee = ca_cert end while ca_cert.subject.to_s != ca_cert.issuer.to_s rescue raise end end end