process certificate chains presented by the client

Similar to Icinga#8859 this patch works
around Icinga#7719 by allowing the
intermediate certificate presented by the icinga2-agent.

To make this work the icinga2-master only holds to root-ca in its local
ca.crt, while the icinga2-agent has the intermediate-cert in its local
ca.crt (or the intermediate together with the root in the ca.crt / or
the intermediate in the cert.pem - doesn't matter).

Author: sircubbi

lib/base/tlsutility.cpp

@@ -983,12 +983,12 @@ String BinaryToHex(const unsigned char* data, size_t length) {
 	return output;
 }
 
-bool VerifyCertificate(const std::shared_ptr<X509> &caCertificate, const std::shared_ptr<X509> &certificate, const String& crlFile)
+bool VerifyCertificate(const std::shared_ptr<X509> &caCertificate, const std::shared_ptr<X509> &certificate, const String& crlFile, const String& caBundleFile)
 {
-	return VerifyCertificate(caCertificate.get(), certificate.get(), crlFile);
+	return VerifyCertificate(caCertificate.get(), certificate.get(), crlFile, caBundleFile);
 }
 
-bool VerifyCertificate(X509* caCertificate, X509* certificate, const String& crlFile)
+bool VerifyCertificate(X509* caCertificate, X509* certificate, const String& crlFile, const String& caBundleFile)
 {
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 	/*
@@ -1019,6 +1019,10 @@ bool VerifyCertificate(X509* caCertificate, X509* certificate, const String& crl
 		AddCRLToSSLContext(store.get(), crlFile);
 	}
 
+	if (!caBundleFile.IsEmpty()) {
+		X509_STORE_load_locations(store.get(), caBundleFile.CStr(), NULL); /* ignore any errors for the moment, since this is just the convenient way to add full chain */
+	}
+
 	std::unique_ptr<X509_STORE_CTX, decltype(&X509_STORE_CTX_free)> csc{X509_STORE_CTX_new(), &X509_STORE_CTX_free};
 	X509_STORE_CTX_init(csc.get(), store.get(), certificate, nullptr);
 

lib/base/tlsutility.hpp

@@ -78,8 +78,8 @@ String SHA256(const String& s);
 String RandomString(int length);
 String BinaryToHex(const unsigned char* data, size_t length);
 
-bool VerifyCertificate(const std::shared_ptr<X509>& caCertificate, const std::shared_ptr<X509>& certificate, const String& crlFile);
-bool VerifyCertificate(X509* caCertificate, X509* certificate, const String& crlFile);
+bool VerifyCertificate(const std::shared_ptr<X509> &caCertificate, const std::shared_ptr<X509> &certificate, const String& crlFile, const String& caBundleFile);
+bool VerifyCertificate(X509* caCertificate, X509* certificate, const String& crlFile, const String& caBundleFile);
 bool IsCa(const std::shared_ptr<X509>& cacert);
 int GetCertificateVersion(const std::shared_ptr<X509>& cert);
 String GetSignatureAlgorithm(const std::shared_ptr<X509>& cert);

lib/cli/pkiverifycommand.cpp

@@ -130,7 +130,7 @@ int PKIVerifyCommand::Run(const boost::program_options::variables_map& vm, const
 		bool signedByCA;
 
 		try {
-			signedByCA = VerifyCertificate(cacert, cert, crlFile);
+			signedByCA = VerifyCertificate(cacert, cert, crlFile, caCertFile);
 		} catch (const std::exception& ex) {
 			Log logmsg (LogCritical, "cli");
 			logmsg << "CRITICAL: Certificate with CN '" << certCN << "' is NOT signed by CA: ";

lib/remote/apilistener.cpp

@@ -193,7 +193,7 @@ std::shared_ptr<X509> ApiListener::RenewCert(const std::shared_ptr<X509>& cert,
 	 * we're using for cluster connections (there's no point in sending a client
 	 * a certificate it wouldn't be able to use to connect to us anyway) */
 	try {
-		if (!VerifyCertificate(cacert, newcert, GetCrlPath())) {
+		if (!VerifyCertificate(cacert, newcert, GetCrlPath(), GetDefaultCaPath())) {
 			Log(LogWarning, "ApiListener")
 				<< "The CA in '" << GetDefaultCaPath() << "' does not match the CA which Icinga uses "
 				<< "for its own cluster connections. This is most likely a configuration problem.";

lib/remote/jsonrpcconnection-pki.cpp

@@ -62,7 +62,7 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
 		logmsg << "Received certificate request for CN '" << cn << "'";
 
 		try {
-			signedByCA = VerifyCertificate(cacert, cert, listener->GetCrlPath());
+			signedByCA = VerifyCertificate(cacert, cert, listener->GetCrlPath(), listener->GetDefaultCaPath());
 			if (!signedByCA) {
 				logmsg << " not";
 			}

test/base-tlsutility.cpp

@@ -144,12 +144,12 @@ BOOST_AUTO_TEST_CASE(VerifyCertificate_revalidate)
 	X509_NAME_add_entry_by_txt(leafSubject, "CN", MBSTRING_ASC, (const unsigned char*)"Leaf Certificate", -1, -1, 0);
 	auto leafKey = GenKeypair();
 	auto leafCert = CreateCert(leafKey, leafSubject, caSubject, signingCaKey, false);
-	BOOST_CHECK(VerifyCertificate(signingCaCert, leafCert, ""));
+	BOOST_CHECK(VerifyCertificate(signingCaCert, leafCert, "", ""));
 
 	// Create a second CA with a different key, the leaf certificate is supposed to fail validation against that CA.
 	auto otherCaKey = GenKeypair();
 	auto otherCaCert = CreateCert(otherCaKey, caSubject, caSubject, otherCaKey, true);
-	BOOST_CHECK_THROW(VerifyCertificate(otherCaCert, leafCert, ""), openssl_error);
+	BOOST_CHECK_THROW(VerifyCertificate(otherCaCert, leafCert, "", ""), openssl_error);
 }
 
 BOOST_AUTO_TEST_SUITE_END()