Implement support for CRLs.

Fixes #3657
2013-11-13 10:30:40 +01:00 · 2013-11-13 10:30:40 +01:00 · a5e3c70bcc
parent 438d5c0f57
commit a5e3c70bcc
6 changed files with 40 additions and 0 deletions
--- a/components/cluster/cluster-type.conf
+++ b/components/cluster/cluster-type.conf
@ -27,6 +27,8 @@ type ClusterListener {
 	%attribute string "ca_path",
 	%require "ca_path",

+	%attribute string "crl_path",
+
 	%attribute string "bind_host",
 	%attribute string "bind_port",

--- a/components/cluster/clusterlistener.cpp
+++ b/components/cluster/clusterlistener.cpp
@ -61,6 +61,9 @@ void ClusterListener::Start(void)

 	m_SSLContext = MakeSSLContext(GetCertPath(), GetKeyPath(), GetCaPath());

+	if (!GetCrlPath().IsEmpty())
+		AddCRLToSSLContext(m_SSLContext, GetCrlPath());
+
 	/* create the primary JSON-RPC listener */
 	if (!GetBindPort().IsEmpty())
 		AddListener(GetBindPort());
--- a/components/cluster/clusterlistener.ti
+++ b/components/cluster/clusterlistener.ti
@ -8,6 +8,7 @@ class ClusterListener : DynamicObject
 	[config] String cert_path;
 	[config] String key_path;
 	[config] String ca_path;
+	[config] String crl_path;
 	[config] String bind_host;
 	[config] String bind_port;
 	[config] Array::Ptr peers;
--- a/doc/4.3-object-types.md
+++ b/doc/4.3-object-types.md
@ -826,6 +826,7 @@ Attributes:
  cert\_path      |**Required.** Path to the public key.
  key\_path       |**Required.** Path to the private key.
  ca\_path        |**Required.** Path to the CA certificate file.
+  crl\_path       |**Optional.** Path to the CRL file.
  bind\_host      |**Optional.** The IP address the cluster listener should be bound to.
  bind\_port      |**Optional.** The port the cluster listener should be bound to.
  peers           |**Optional.** A list of
--- a/lib/base/tlsutility.cpp
+++ b/lib/base/tlsutility.cpp
@ -98,6 +98,38 @@ shared_ptr<SSL_CTX> MakeSSLContext(const String& pubkey, const String& privkey,
 	return sslContext;
 }

+/**
+ * Loads a CRL and appends its certificates to the specified SSL context.
+ *
+ * @param context The SSL context.
+ * @param crlPath The path to the CRL file.
+ */
+void AddCRLToSSLContext(const shared_ptr<SSL_CTX>& context, const String& crlPath)
+{
+	X509_STORE *x509_store = SSL_CTX_get_cert_store(context.get());
+
+	X509_LOOKUP *lookup;
+	lookup = X509_STORE_add_lookup(x509_store, X509_LOOKUP_file());
+
+	if (!lookup) {
+		BOOST_THROW_EXCEPTION(openssl_error()
+			<< boost::errinfo_api_function("X509_STORE_add_lookup")
+			<< errinfo_openssl_error(ERR_get_error()));
+	}
+
+	if (X509_LOOKUP_load_file(lookup, crlPath.CStr(), X509_FILETYPE_PEM) != 0) {
+		BOOST_THROW_EXCEPTION(openssl_error()
+			<< boost::errinfo_api_function("X509_LOOKUP_load_file")
+			<< errinfo_openssl_error(ERR_get_error())
+			<< boost::errinfo_file_name(crlPath));
+	}
+
+	X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
+	X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
+	SSL_CTX_set1_param(context.get(), param);
+	X509_VERIFY_PARAM_free(param);
+}
+
 /**
 * Retrieves the common name for an X509 certificate.
 *
--- a/lib/base/tlsutility.h
+++ b/lib/base/tlsutility.h
@ -34,6 +34,7 @@ namespace icinga
 {

 shared_ptr<SSL_CTX> I2_BASE_API MakeSSLContext(const String& pubkey, const String& privkey, const String& cakey);
+void I2_BASE_API AddCRLToSSLContext(const shared_ptr<SSL_CTX>& context, const String& crlPath);
 String I2_BASE_API GetCertificateCN(const shared_ptr<X509>& certificate);
 shared_ptr<X509> I2_BASE_API GetX509Certificate(const String& pemfile);
 String I2_BASE_API SHA256(const String& s);