Merge branch 'x509-cert-loading' into 'master'

Forcibly load X509 cert See merge request gitlab-org/gitlab!54569

Merge branch 'x509-cert-loading' into 'master'
Forcibly load X509 cert See merge request gitlab-org/gitlab!54569
36b60c36 · David Kim · eedfbf72 · 56933f2f · 36b60c36 · 36b60c36
Commit 36b60c36 authored Feb 25, 2021 by David Kim
3 changed files
--- a/changelogs/unreleased/x509-cert-loading.yml
+++ b/changelogs/unreleased/x509-cert-loading.yml
+---
+title: Forcibly load OpenSSL::X509::DEFAULT_CERT_FILE
+merge_request: 54569
+author:
+type: fixed
--- a/lib/gitlab/x509/signature.rb
+++ b/lib/gitlab/x509/signature.rb
@@ -52,6 +52,12 @@ module Gitlab
        strong_memoize(:cert_store) do
          store = OpenSSL::X509::Store.new
          store.set_default_paths
+
+          if Feature.enabled?(:x509_forced_cert_loading, type: :ops)
+            # Forcibly load the default cert file because the OpenSSL library seemingly ignores it
+            store.add_file(OpenSSL::X509::DEFAULT_CERT_FILE) if File.exist?(OpenSSL::X509::DEFAULT_CERT_FILE)
+          end
+
          # valid_signing_time? checks the time attributes already
          # this flag is required, otherwise expired certificates would become
          # unverified when notAfter within certificate attribute is reached

--- a/spec/lib/gitlab/x509/signature_spec.rb
+++ b/spec/lib/gitlab/x509/signature_spec.rb
@@ -11,6 +11,65 @@ RSpec.describe Gitlab::X509::Signature do
    }
  end

+  shared_examples "a verified signature" do
+    it 'returns a verified signature if email does match' do
+      signature = described_class.new(
+        X509Helpers::User1.signed_commit_signature,
+        X509Helpers::User1.signed_commit_base_data,
+        X509Helpers::User1.certificate_email,
+        X509Helpers::User1.signed_commit_time
+      )
+
+      expect(signature.x509_certificate).to have_attributes(certificate_attributes)
+      expect(signature.x509_certificate.x509_issuer).to have_attributes(issuer_attributes)
+      expect(signature.verified_signature).to be_truthy
+      expect(signature.verification_status).to eq(:verified)
+    end
+
+    it 'returns an unverified signature if email does not match' do
+      signature = described_class.new(
+        X509Helpers::User1.signed_commit_signature,
+        X509Helpers::User1.signed_commit_base_data,
+        "gitlab@example.com",
+        X509Helpers::User1.signed_commit_time
+      )
+
+      expect(signature.x509_certificate).to have_attributes(certificate_attributes)
+      expect(signature.x509_certificate.x509_issuer).to have_attributes(issuer_attributes)
+      expect(signature.verified_signature).to be_truthy
+      expect(signature.verification_status).to eq(:unverified)
+    end
+
+    it 'returns an unverified signature if email does match and time is wrong' do
+      signature = described_class.new(
+        X509Helpers::User1.signed_commit_signature,
+        X509Helpers::User1.signed_commit_base_data,
+        X509Helpers::User1.certificate_email,
+        Time.new(2020, 2, 22)
+      )
+
+      expect(signature.x509_certificate).to have_attributes(certificate_attributes)
+      expect(signature.x509_certificate.x509_issuer).to have_attributes(issuer_attributes)
+      expect(signature.verified_signature).to be_falsey
+      expect(signature.verification_status).to eq(:unverified)
+    end
+
+    it 'returns an unverified signature if certificate is revoked' do
+      signature = described_class.new(
+        X509Helpers::User1.signed_commit_signature,
+        X509Helpers::User1.signed_commit_base_data,
+        X509Helpers::User1.certificate_email,
+        X509Helpers::User1.signed_commit_time
+      )
+
+      expect(signature.verification_status).to eq(:verified)
+
+      signature.x509_certificate.revoked!
+
+      expect(signature.verification_status).to eq(:unverified)
+    end
+  end
+
  context 'commit signature' do
    let(:certificate_attributes) do
      {
@@ -30,62 +89,25 @@ RSpec.describe Gitlab::X509::Signature do
          allow(OpenSSL::X509::Store).to receive(:new).and_return(store)
        end

-        it 'returns a verified signature if email does match' do
-          signature = described_class.new(
-            X509Helpers::User1.signed_commit_signature,
-            X509Helpers::User1.signed_commit_base_data,
-            X509Helpers::User1.certificate_email,
-            X509Helpers::User1.signed_commit_time
-          )
-
-          expect(signature.x509_certificate).to have_attributes(certificate_attributes)
-          expect(signature.x509_certificate.x509_issuer).to have_attributes(issuer_attributes)
-          expect(signature.verified_signature).to be_truthy
-          expect(signature.verification_status).to eq(:verified)
-        end
+        it_behaves_like "a verified signature"
+      end

-        it 'returns an unverified signature if email does not match' do
-          signature = described_class.new(
-            X509Helpers::User1.signed_commit_signature,
-            X509Helpers::User1.signed_commit_base_data,
-            "gitlab@example.com",
-            X509Helpers::User1.signed_commit_time
-          )
+      context 'with the certificate defined by OpenSSL::X509::DEFAULT_CERT_FILE' do
+        before do
+          store = OpenSSL::X509::Store.new
+          certificate = OpenSSL::X509::Certificate.new(X509Helpers::User1.trust_cert)
+          file_path = Rails.root.join("tmp/cert.pem").to_s

-          expect(signature.x509_certificate).to have_attributes(certificate_attributes)
-          expect(signature.x509_certificate.x509_issuer).to have_attributes(issuer_attributes)
-          expect(signature.verified_signature).to be_truthy
-          expect(signature.verification_status).to eq(:unverified)
-        end
+          File.open(file_path, "wb") do |f|
+            f.print certificate.to_pem
+          end

-        it 'returns an unverified signature if email does match and time is wrong' do
-          signature = described_class.new(
-            X509Helpers::User1.signed_commit_signature,
-            X509Helpers::User1.signed_commit_base_data,
-            X509Helpers::User1.certificate_email,
-            Time.new(2020, 2, 22)
-          )
+          stub_const("OpenSSL::X509::DEFAULT_CERT_FILE", file_path)

-          expect(signature.x509_certificate).to have_attributes(certificate_attributes)
-          expect(signature.x509_certificate.x509_issuer).to have_attributes(issuer_attributes)
-          expect(signature.verified_signature).to be_falsey
-          expect(signature.verification_status).to eq(:unverified)
+          allow(OpenSSL::X509::Store).to receive(:new).and_return(store)
        end

-        it 'returns an unverified signature if certificate is revoked' do
-          signature = described_class.new(
-            X509Helpers::User1.signed_commit_signature,
-            X509Helpers::User1.signed_commit_base_data,
-            X509Helpers::User1.certificate_email,
-            X509Helpers::User1.signed_commit_time
-          )
-
-          expect(signature.verification_status).to eq(:verified)
-
-          signature.x509_certificate.revoked!
-
-          expect(signature.verification_status).to eq(:unverified)
-        end
+        it_behaves_like "a verified signature"
      end

      context 'without trusted certificate within store' do