Posted to cvs@httpd.apache.org by ic...@apache.org on 2021/09/01 13:16:03 UTC
svn commit: r1892782 - in /httpd/httpd/trunk: ./
changes-entries/md_check_keys.txt modules/md/md_acme_drive.c
modules/md/md_crypt.c modules/md/md_crypt.h modules/md/md_version.h test/
Author: icing
Date: Wed Sep 1 13:16:03 2021
New Revision: 1892782
URL: http://svn.apache.org/viewvc?rev=1892782&view=rev
Log:
mod_md:
* Certificate/keys pairs are verified as matching before a renewal is accepted
as successful or a staged renewal is replacing the existing certificates.
This avoids potential mess-ups in the md store file system that would render the active
certificates non-working. [@mkauf]
Added:
httpd/httpd/trunk/changes-entries/md_check_keys.txt
Modified:
httpd/httpd/trunk/ (props changed)
httpd/httpd/trunk/modules/md/md_acme_drive.c
httpd/httpd/trunk/modules/md/md_crypt.c
httpd/httpd/trunk/modules/md/md_crypt.h
httpd/httpd/trunk/modules/md/md_version.h
httpd/httpd/trunk/test/ (props changed)
Propchange: httpd/httpd/trunk/
------------------------------------------------------------------------------
--- svn:ignore (original)
+++ svn:ignore Wed Sep 1 13:16:03 2021
@@ -47,3 +47,5 @@ TAGS
.kdev_include_paths
.cproject
.project
+.idea
+.pytest_cache
Added: httpd/httpd/trunk/changes-entries/md_check_keys.txt
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/changes-entries/md_check_keys.txt?rev=1892782&view=auto
==============================================================================
--- httpd/httpd/trunk/changes-entries/md_check_keys.txt (added)
+++ httpd/httpd/trunk/changes-entries/md_check_keys.txt Wed Sep 1 13:16:03 2021
@@ -0,0 +1,4 @@
+ * mod_md: Certificate/keys pairs are verified as matching before a renewal is accepted
+ as successful or a staged renewal is replacing the existing certificates.
+ This avoid potential mess ups in the md store file system to render the active
+ certificates non-working. [@mkauf]
Modified: httpd/httpd/trunk/modules/md/md_acme_drive.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/md/md_acme_drive.c?rev=1892782&r1=1892781&r2=1892782&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/md/md_acme_drive.c (original)
+++ httpd/httpd/trunk/modules/md/md_acme_drive.c Wed Sep 1 13:16:03 2021
@@ -767,6 +767,27 @@ static apr_status_t acme_renew(md_proto_
}
if (!md_array_is_empty(ad->cred->chain)) {
+
+ if (!ad->cred->pkey) {
+ rv = md_pkey_load(d->store, MD_SG_STAGING, d->md->name, ad->cred->spec, &ad->cred->pkey, d->p);
+ if (APR_SUCCESS != rv) {
+ md_result_printf(result, rv, "Loading the private key.");
+ goto out;
+ }
+ }
+
+ if (ad->cred->pkey) {
+ rv = md_check_cert_and_pkey(ad->cred->chain, ad->cred->pkey);
+ if (APR_SUCCESS != rv) {
+ md_result_printf(result, rv, "Certificate and private key do not match.");
+
+ /* Delete the order */
+ md_acme_order_purge(d->store, d->p, MD_SG_STAGING, d->md->name, d->env);
+
+ goto out;
+ }
+ }
+
rv = md_pubcert_save(d->store, d->p, MD_SG_STAGING, d->md->name,
ad->cred->spec, ad->cred->chain, 0);
if (APR_SUCCESS != rv) {
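Review bot: The status of `md_acme_order_purge` in the mismatch branch is discarded, so if the purge itself fails the staged order survives while the result only reports the key mismatch; if that call returns an `apr_status_t` (as the other `md_acme_order_*` helpers appear to), capture it and log it, e.g. `rv2 = md_acme_order_purge(d->store, d->p, MD_SG_STAGING, d->md->name, d->env); if (APR_SUCCESS != rv2) md_result_printf(result, rv2, "Purging the order after key mismatch.");` and still `goto out` with the original `rv`. The `/* Delete the order */` comment says what, not why; consider `/* The staged order was issued for a different key than the one in staging; purge it so the next renewal starts a fresh order instead of retrying with mismatched material. */`, hedged since the renewal flow is not visible here. The load-failure message `"Loading the private key."` reads like a progress line rather than an error; `"Failed to load the private key from staging."` is clearer. `acme_renew` starts and ends outside this hunk.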
@@ -901,6 +922,10 @@ static apr_status_t acme_preload(md_prot
md_result_printf(result, rv, "no certificate in staged credentials #%d", i);
goto leave;
}
+ if (APR_SUCCESS != (rv = md_check_cert_and_pkey(creds->chain, creds->pkey))) {
+ md_result_printf(result, rv, "certificate and private key do not match in staged credentials #%d", i);
+ goto leave;
+ }
APR_ARRAY_PUSH(all_creds, md_credentials_t*) = creds;
}
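Review bot: The new check passes `creds->pkey` straight into `md_check_cert_and_pkey`, which dereferences `pkey->pkey` without a NULL test, so if the loading code above this hunk can leave `creds->pkey` NULL for a staged set (the chain is checked for presence, the key apparently is not), this is a NULL dereference rather than a clean error. Unless the earlier load guarantees a non-NULL key, add a guard mirroring the certificate check: `if (!creds->pkey) { rv = APR_ENOENT; md_result_printf(result, rv, "no private key in staged credentials #%d", i); goto leave; }`. `acme_preload` starts and ends outside this hunk.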
Modified: httpd/httpd/trunk/modules/md/md_crypt.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/md/md_crypt.c?rev=1892782&r1=1892781&r2=1892782&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/md/md_crypt.c (original)
+++ httpd/httpd/trunk/modules/md/md_crypt.c Wed Sep 1 13:16:03 2021
@@ -2014,3 +2014,19 @@ cleanup:
return rv;
}
+apr_status_t md_check_cert_and_pkey(struct apr_array_header_t *certs, md_pkey_t *pkey)
+{
+ const md_cert_t *cert;
+
+ if (certs->nelts == 0) {
+ return APR_ENOENT;
+ }
+
+ cert = APR_ARRAY_IDX(certs, 0, const md_cert_t*);
+
+ if (1 != X509_check_private_key(cert->x509, pkey->pkey)) {
+ return APR_EGENERAL;
+ }
+
+ return APR_SUCCESS;
+}
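Review bot: `md_check_cert_and_pkey` guards only the empty-array case; `certs`, `pkey`, `pkey->pkey` and `cert->x509` are dereferenced unchecked, and the second caller in this commit (`acme_preload`) passes `creds->pkey` without testing it, so a missing staged key would crash instead of failing the preload. Add `if (!certs || certs->nelts == 0) return APR_ENOENT;` and `if (!pkey || !pkey->pkey || !cert || !cert->x509) return APR_EINVAL;` before the OpenSSL call. The function deliberately checks only the leaf certificate (index 0); say so in a header comment, since the parameter name `certs` suggests the whole chain is validated. `X509_check_private_key` pushes an entry on the OpenSSL error queue on mismatch in some versions; if this file clears the queue elsewhere after failed checks, do the same here so the stale error does not surface in a later unrelated operation — not verifiable from this hunk.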
Modified: httpd/httpd/trunk/modules/md/md_crypt.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/md/md_crypt.h?rev=1892782&r1=1892781&r2=1892782&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/md/md_crypt.h (original)
+++ httpd/httpd/trunk/modules/md/md_crypt.h Wed Sep 1 13:16:03 2021
@@ -218,6 +218,9 @@ apr_status_t md_cert_get_ct_scts(apr_arr
apr_status_t md_cert_get_ocsp_responder_url(const char **purl, apr_pool_t *p, const md_cert_t *cert);
+apr_status_t md_check_cert_and_pkey(struct apr_array_header_t *certs, md_pkey_t *pkey);
+
+
/**************************************************************************************************/
/* X509 certificate transparency */
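Review bot: The new public declaration `md_check_cert_and_pkey` has no doc comment, while the module documents its other public entry points, so callers cannot tell from the header which certificate is compared or what the return codes mean. Add above it `/** Verify that pkey is the private key for the leaf (first) certificate in certs. Returns APR_SUCCESS on match, APR_ENOENT if certs is empty, APR_EGENERAL if the key does not match. */`. The two blank lines added after the declaration are one more than the surrounding sections use; drop one.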
Modified: httpd/httpd/trunk/modules/md/md_version.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/md/md_version.h?rev=1892782&r1=1892781&r2=1892782&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/md/md_version.h (original)
+++ httpd/httpd/trunk/modules/md/md_version.h Wed Sep 1 13:16:03 2021
@@ -27,7 +27,7 @@
* @macro
* Version number of the md module as c string
*/
-#define MOD_MD_VERSION "2.4.4"
+#define MOD_MD_VERSION "2.4.5"
/**
* @macro
Propchange: httpd/httpd/trunk/test/
------------------------------------------------------------------------------
--- svn:ignore (original)
+++ svn:ignore Wed Sep 1 13:16:03 2021
@@ -18,3 +18,4 @@ sni
httpdunit
httpdunit.cases
.pytest_cache
+perl-framework