Merge branch 'x509-cert-loading' into 'master'

Forcibly load X509 cert See merge request gitlab-org/gitlab!54569

Merge branch 'x509-cert-loading' into 'master'
Forcibly load X509 cert See merge request gitlab-org/gitlab!54569
36b60c36 · David Kim · eedfbf72 · 56933f2f · 36b60c36 · 36b60c36
Commit 36b60c36 authored Feb 25, 2021 by David Kim
3 changed files
--- a/changelogs/unreleased/x509-cert-loading.yml
+++ b/changelogs/unreleased/x509-cert-loading.yml
+---
+title: Forcibly load OpenSSL::X509::DEFAULT_CERT_FILE
+merge_request: 54569
+author:
+type: fixed
--- a/lib/gitlab/x509/signature.rb
+++ b/lib/gitlab/x509/signature.rb
@@ -52,6 +52,12 @@ module Gitlab
        strong_memoize(:cert_store) do
          store = OpenSSL::X509::Store.new
          store.set_default_paths
+
+          if Feature.enabled?(:x509_forced_cert_loading, type: :ops)
+            # Forcibly load the default cert file because the OpenSSL library seemingly ignores it
+            store.add_file(OpenSSL::X509::DEFAULT_CERT_FILE) if File.exist?(OpenSSL::X509::DEFAULT_CERT_FILE)
+          end
+
          # valid_signing_time? checks the time attributes already
          # this flag is required, otherwise expired certificates would become
          # unverified when notAfter within certificate attribute is reached

--- a/spec/lib/gitlab/x509/signature_spec.rb
+++ b/spec/lib/gitlab/x509/signature_spec.rb
@@ -11,25 +11,7 @@ RSpec.describe Gitlab::X509::Signature do
    }
  end

-  context 'commit signature' do
-    let(:certificate_attributes) do
-      {
-        subject_key_identifier: X509Helpers::User1.certificate_subject_key_identifier,
-        subject: X509Helpers::User1.certificate_subject,
-        email: X509Helpers::User1.certificate_email,
-        serial_number: X509Helpers::User1.certificate_serial
-      }
-    end
-
-    context 'verified signature' do
-      context 'with trusted certificate store' do
-        before do
-          store = OpenSSL::X509::Store.new
-          certificate = OpenSSL::X509::Certificate.new(X509Helpers::User1.trust_cert)
-          store.add_cert(certificate)
-          allow(OpenSSL::X509::Store).to receive(:new).and_return(store)
-        end
-
+  shared_examples "a verified signature" do
    it 'returns a verified signature if email does match' do
      signature = described_class.new(
        X509Helpers::User1.signed_commit_signature,
@@ -88,6 +70,46 @@ RSpec.describe Gitlab::X509::Signature do
    end
  end

+  context 'commit signature' do
+    let(:certificate_attributes) do
+      {
+        subject_key_identifier: X509Helpers::User1.certificate_subject_key_identifier,
+        subject: X509Helpers::User1.certificate_subject,
+        email: X509Helpers::User1.certificate_email,
+        serial_number: X509Helpers::User1.certificate_serial
+      }
+    end
+
+    context 'verified signature' do
+      context 'with trusted certificate store' do
+        before do
+          store = OpenSSL::X509::Store.new
+          certificate = OpenSSL::X509::Certificate.new(X509Helpers::User1.trust_cert)
+          store.add_cert(certificate)
+          allow(OpenSSL::X509::Store).to receive(:new).and_return(store)
+        end
+
+        it_behaves_like "a verified signature"
+      end
+
+      context 'with the certificate defined by OpenSSL::X509::DEFAULT_CERT_FILE' do
+        before do
+          store = OpenSSL::X509::Store.new
+          certificate = OpenSSL::X509::Certificate.new(X509Helpers::User1.trust_cert)
+          file_path = Rails.root.join("tmp/cert.pem").to_s
+
+          File.open(file_path, "wb") do |f|
+            f.print certificate.to_pem
+          end
+
+          stub_const("OpenSSL::X509::DEFAULT_CERT_FILE", file_path)
+
+          allow(OpenSSL::X509::Store).to receive(:new).and_return(store)
+        end
+
+        it_behaves_like "a verified signature"
+      end
+
      context 'without trusted certificate within store' do
        before do
          store = OpenSSL::X509::Store.new