Sfoglia il codice sorgente

finally merge the rest of the patchset from Arnaud Ebalard
with the CRL and Issuers options for https, thanks! (Closes: #485963)

David Kalnischkies 16 anni fa
parent
commit
930f51811c
3 ha cambiato i file con 38 aggiunte e 0 eliminazioni
  1. 3 0
      debian/changelog
  2. 21 0
      doc/examples/apt-https-method-example.conf
  3. 14 0
      methods/https.cc

+ 3 - 0
debian/changelog

@@ -45,6 +45,9 @@ apt (0.7.26) UNRELEASED; urgency=low
   * methods/gpgv.cc:
   * methods/gpgv.cc:
     - pass all keyrings (TrustedParts) to gpgv instead of
     - pass all keyrings (TrustedParts) to gpgv instead of
       using only one trusted.gpg keyring (Closes: #304846)
       using only one trusted.gpg keyring (Closes: #304846)
+  * methods/https.cc:
+    - finally merge the rest of the patchset from Arnaud Ebalard
+      with the CRL and Issuers options, thanks! (Closes: #485963)
 
 
  -- Michael Vogt <mvo@debian.org>  Thu, 10 Dec 2009 22:02:38 +0100
  -- Michael Vogt <mvo@debian.org>  Thu, 10 Dec 2009 22:02:38 +0100
 
 

+ 21 - 0
doc/examples/apt-https-method-example.conf

@@ -36,6 +36,8 @@
       to access its content.
       to access its content.
     - The certificate presented by both server have (as expected) a CN that
     - The certificate presented by both server have (as expected) a CN that
       matches their respective DNS names.
       matches their respective DNS names.
+    - We have CRL available for both dom1.tld and dom2.tld PKI, and intend
+      to use them.
     - It somtimes happens that we had other more generic https available
     - It somtimes happens that we had other more generic https available
       repository to our list. We want the checks to be performed against
       repository to our list. We want the checks to be performed against
       a common list of anchors (like the one provided by ca-certificates
       a common list of anchors (like the one provided by ca-certificates
@@ -56,10 +58,13 @@ Acquire::https::CaInfo     "/etc/ssl/certs/ca-certificates.pem";
 // Use a specific anchor and associated CRL. Enforce issuer of
 // Use a specific anchor and associated CRL. Enforce issuer of
 // server certificate using its cert.
 // server certificate using its cert.
 Acquire::https::secure.dom1.tld::CaInfo     "/etc/apt/certs/ca-dom1-crt.pem";
 Acquire::https::secure.dom1.tld::CaInfo     "/etc/apt/certs/ca-dom1-crt.pem";
+Acquire::https::secure.dom1.tld::CrlFile    "/etc/apt/certs/ca-dom1-crl.pem";
+Acquire::https::secure.dom1.tld::IssuerCert "/etc/apt/certs/secure.dom1-issuer-crt.pem";
 
 
 // Like previous for anchor and CRL, but also provide our
 // Like previous for anchor and CRL, but also provide our
 // certificate and keys for client authentication.
 // certificate and keys for client authentication.
 Acquire::https::secure.dom2.tld::CaInfo  "/etc/apt/certs/ca-dom2-crt.pem";
 Acquire::https::secure.dom2.tld::CaInfo  "/etc/apt/certs/ca-dom2-crt.pem";
+Acquire::https::secure.dom2.tld::CrlFile "/etc/apt/certs/ca-dom2-crl.pem";
 Acquire::https::secure.dom2.tld::SslCert "/etc/apt/certs/my-crt.pem";
 Acquire::https::secure.dom2.tld::SslCert "/etc/apt/certs/my-crt.pem";
 Acquire::https::secure.dom2.tld::SslKey  "/etc/apt/certs/my-key.pem";
 Acquire::https::secure.dom2.tld::SslKey  "/etc/apt/certs/my-key.pem";
 
 
@@ -97,6 +102,22 @@ Acquire::https::secure.dom2.tld::SslKey  "/etc/apt/certs/my-key.pem";
     used for the https entries in the sources.list file that use that
     used for the https entries in the sources.list file that use that
     repository (with the same name).
     repository (with the same name).
 
 
+  Acquire::https[::repo.domain.tld]::CrlFile  "/path/to/all/crl.pem";
+
+    Like previous knob but for passing the list of CRL files (in PEM
+    format) to be used to verify revocation status. Again, if the
+    option is defined with no specific mirror (probably makes little
+    sense), this CRL information is used for all defined https entries
+    in sources.list file. In a mirror specific context, it only applies
+    to that mirror.
+
+  Acquire::https[::repo.domain.tld]::IssuerCert "/path/to/issuer/cert.pem";
+
+    Allows to constrain the issuer of the server certificate (for all
+    https mirrors or a specific one) to a specific issuer. If the
+    server certificate has not been issued by this certificate,
+    connection fails.
+
   Acquire::https[::repo.domain.tld]::Verify-Peer "true";
   Acquire::https[::repo.domain.tld]::Verify-Peer "true";
 
 
     When authenticating the server, if the certificate verification fails
     When authenticating the server, if the certificate verification fails

+ 14 - 0
methods/https.cc

@@ -151,6 +151,13 @@ bool HttpsMethod::Fetch(FetchItem *Itm)
       default_verify = 0;
       default_verify = 0;
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, verify);
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, verify);
 
 
+   // Also enforce issuer of server certificate using its cert
+   string issuercert = _config->Find("Acquire::https::IssuerCert","");
+   knob = "Acquire::https::"+remotehost+"::IssuerCert";
+   issuercert = _config->Find(knob.c_str(),issuercert.c_str());
+   if(issuercert != "")
+      curl_easy_setopt(curl, CURLOPT_ISSUERCERT,issuercert.c_str());
+
    // For client authentication, certificate file ...
    // For client authentication, certificate file ...
    string pem = _config->Find("Acquire::https::SslCert","");
    string pem = _config->Find("Acquire::https::SslCert","");
    knob = "Acquire::https::"+remotehost+"::SslCert";
    knob = "Acquire::https::"+remotehost+"::SslCert";
@@ -177,6 +184,13 @@ bool HttpsMethod::Fetch(FetchItem *Itm)
      final_version = CURL_SSLVERSION_SSLv3;
      final_version = CURL_SSLVERSION_SSLv3;
    curl_easy_setopt(curl, CURLOPT_SSLVERSION, final_version);
    curl_easy_setopt(curl, CURLOPT_SSLVERSION, final_version);
 
 
+   // CRL file
+   string crlfile = _config->Find("Acquire::https::CrlFile","");
+   knob = "Acquire::https::"+remotehost+"::CrlFile";
+   crlfile = _config->Find(knob.c_str(),crlfile.c_str());
+   if(crlfile != "")
+      curl_easy_setopt(curl, CURLOPT_CRLFILE, crlfile.c_str());
+
    // cache-control
    // cache-control
    if(_config->FindB("Acquire::https::No-Cache",
    if(_config->FindB("Acquire::https::No-Cache",
 	_config->FindB("Acquire::http::No-Cache",false)) == false)
 	_config->FindB("Acquire::http::No-Cache",false)) == false)