Require manual override for user chain certificates.

An override for the wallet-to-daemon connection is provided, but not for
other SSL contexts. The intent is to prevent users from supplying a
system CA as the "user" whitelisted certificate, which is less secure
since the key is controlled by a third party.
This commit is contained in:
Lee Clagett 2019-04-04 13:35:33 -04:00
parent 97cd1fa98d
commit d58f368289
3 changed files with 10 additions and 1 deletions


@ -51,7 +51,8 @@ namespace net_utils
{ {
none = 0, //!< Do not verify peer. none = 0, //!< Do not verify peer.
system_ca, //!< Verify peer via system ca only (do not inspect user certificates) system_ca, //!< Verify peer via system ca only (do not inspect user certificates)
user_certificates //!< Verify peer via user certificate(s) only. user_certificates,//!< Verify peer via specific (non-chain) certificate(s) only.
user_ca //!< Verify peer via specific (possibly chain) certificate(s) only.
}; };
struct ssl_authentication_t struct ssl_authentication_t
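Review bot: The new `user_ca` enumerator's comment says only "possibly chain" and does not record that this is the weaker of the two user modes, which is the whole reason the commit gates it behind a manual override; since this header is the API the other (not yet overridable) SSL contexts will use, the trade-off belongs here. I would extend it to `user_ca //!< Verify peer via user-supplied CA/certificate(s); chains are accepted, so the issuing key need not be the user's own (weaker than user_certificates).` The enum's declaration line is outside the hunk, so I cannot see whether a block comment above it already states this.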


@ -221,6 +221,9 @@ boost::asio::ssl::context ssl_options_t::create_context() const
ssl_context.set_default_verify_paths(); ssl_context.set_default_verify_paths();
break; break;
case ssl_verification_t::user_certificates: case ssl_verification_t::user_certificates:
ssl_context.set_verify_depth(0);
/* fallthrough */
case ssl_verification_t::user_ca:
if (!ca_path.empty()) if (!ca_path.empty())
{ {
const boost::system::error_code err = load_ca_file(ssl_context, ca_path); const boost::system::error_code err = load_ca_file(ssl_context, ca_path);
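Review bot: `ssl_context.set_verify_depth(0)` at the top of the `user_certificates` case is what is meant to enforce "non-chain", but whether the depth limit counts the trust anchor differs between OpenSSL releases (as I read the docs, 1.0.x counts it, so depth 0 admits only a peer certificate that is itself a loaded anchor, while 1.1.0+ excludes it, so a leaf issued directly by a loaded CA would still pass) — worth confirming against the minimum OpenSSL version the project builds with. If the stricter reading is the intent, the depth limit alone is not sufficient and the verify callback should additionally require the peer certificate itself to be one of the loaded certificates; at minimum add a comment such as `// depth 0: peer cert must itself be a loaded trust anchor; NOTE verify-depth semantics differ between OpenSSL 1.0.x and 1.1.x`. `create_context` starts and ends outside the hunk, so I cannot see whether a verify callback already performs that check.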


@ -246,6 +246,7 @@ struct options {
const command_line::arg_descriptor<std::string> daemon_ssl_ca_certificates = {"daemon-ssl-ca-certificates", tools::wallet2::tr("Path to file containing concatenated PEM format certificate(s) to replace system CA(s).")}; const command_line::arg_descriptor<std::string> daemon_ssl_ca_certificates = {"daemon-ssl-ca-certificates", tools::wallet2::tr("Path to file containing concatenated PEM format certificate(s) to replace system CA(s).")};
const command_line::arg_descriptor<std::vector<std::string>> daemon_ssl_allowed_fingerprints = {"daemon-ssl-allowed-fingerprints", tools::wallet2::tr("List of valid fingerprints of allowed RPC servers")}; const command_line::arg_descriptor<std::vector<std::string>> daemon_ssl_allowed_fingerprints = {"daemon-ssl-allowed-fingerprints", tools::wallet2::tr("List of valid fingerprints of allowed RPC servers")};
const command_line::arg_descriptor<bool> daemon_ssl_allow_any_cert = {"daemon-ssl-allow-any-cert", tools::wallet2::tr("Allow any SSL certificate from the daemon"), false}; const command_line::arg_descriptor<bool> daemon_ssl_allow_any_cert = {"daemon-ssl-allow-any-cert", tools::wallet2::tr("Allow any SSL certificate from the daemon"), false};
const command_line::arg_descriptor<bool> daemon_ssl_allow_chained = {"daemon-ssl-allow-chained", tools::wallet2::tr("Allow user (via --daemon-ssl-ca-certificates) chain certificates"), false};
const command_line::arg_descriptor<bool> testnet = {"testnet", tools::wallet2::tr("For testnet. Daemon must also be launched with --testnet flag"), false}; const command_line::arg_descriptor<bool> testnet = {"testnet", tools::wallet2::tr("For testnet. Daemon must also be launched with --testnet flag"), false};
const command_line::arg_descriptor<bool> stagenet = {"stagenet", tools::wallet2::tr("For stagenet. Daemon must also be launched with --stagenet flag"), false}; const command_line::arg_descriptor<bool> stagenet = {"stagenet", tools::wallet2::tr("For stagenet. Daemon must also be launched with --stagenet flag"), false};
const command_line::arg_descriptor<std::string, false, true, 2> shared_ringdb_dir = { const command_line::arg_descriptor<std::string, false, true, 2> shared_ringdb_dir = {
@ -338,6 +339,9 @@ std::unique_ptr<tools::wallet2> make_basic(const boost::program_options::variabl
ssl_options = epee::net_utils::ssl_options_t{ ssl_options = epee::net_utils::ssl_options_t{
std::move(ssl_allowed_fingerprints), std::move(daemon_ssl_ca_file) std::move(ssl_allowed_fingerprints), std::move(daemon_ssl_ca_file)
}; };
if (command_line::get_arg(vm, opts.daemon_ssl_allow_chained))
ssl_options.verification = epee::net_utils::ssl_verification_t::user_ca;
} }
if (ssl_options.verification != epee::net_utils::ssl_verification_t::user_certificates || !command_line::is_arg_defaulted(vm, opts.daemon_ssl)) if (ssl_options.verification != epee::net_utils::ssl_verification_t::user_certificates || !command_line::is_arg_defaulted(vm, opts.daemon_ssl))
@ -1110,6 +1114,7 @@ void wallet2::init_options(boost::program_options::options_description& desc_par
command_line::add_arg(desc_params, opts.daemon_ssl_ca_certificates); command_line::add_arg(desc_params, opts.daemon_ssl_ca_certificates);
command_line::add_arg(desc_params, opts.daemon_ssl_allowed_fingerprints); command_line::add_arg(desc_params, opts.daemon_ssl_allowed_fingerprints);
command_line::add_arg(desc_params, opts.daemon_ssl_allow_any_cert); command_line::add_arg(desc_params, opts.daemon_ssl_allow_any_cert);
command_line::add_arg(desc_params, opts.daemon_ssl_allow_chained);
command_line::add_arg(desc_params, opts.testnet); command_line::add_arg(desc_params, opts.testnet);
command_line::add_arg(desc_params, opts.stagenet); command_line::add_arg(desc_params, opts.stagenet);
command_line::add_arg(desc_params, opts.shared_ringdb_dir); command_line::add_arg(desc_params, opts.shared_ringdb_dir);
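Review bot: `--daemon-ssl-allow-chained` is only acted on by the two lines before the closing `}` in the second hunk, inside the block that builds `ssl_options`; if that block is entered only when a CA file or fingerprints were supplied (its condition is outside the hunk), passing the flag on its own is silently ignored rather than rejected, and the same presumably holds when it is combined with `--daemon-ssl-allow-any-cert`, whose handling is also outside the hunk. Because this is a security-lowering override, I would fail loudly on the unsupported combination instead of dropping it, validated next to where the other `daemon_ssl_*` options are checked. The help text in the first hunk could also state what the flag gives up, e.g. `"Allow user (via --daemon-ssl-ca-certificates) chain certificates; weaker, since the issuing key need not be the user's own"`. The enclosing `make_basic` starts and ends outside the hunk.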