Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit3c486fb

Browse files
committed
Control client certificate requesting with the pg_hba option "clientcert"
instead of just relying on the root certificate file to be present.
1 parent5054867 commit3c486fb

File tree

6 files changed

+148
-25
lines changed

6 files changed

+148
-25
lines changed

‎doc/src/sgml/runtime.sgml‎

Lines changed: 25 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.420 2008/11/13 09:45:24 mha Exp $ -->
1+
<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.421 2008/11/20 09:29:35 mha Exp $ -->
22

33
<chapter Id="runtime">
44
<title>Operating System Environment</title>
@@ -1646,13 +1646,17 @@ $ <userinput>kill -INT `head -1 /usr/local/pgsql/data/postmaster.pid`</userinput
16461646
been entered.
16471647
</para>
16481648

1649-
<para>
1649+
<sect2 id="ssl-client-certificates">
1650+
<title>Using client certificates</title>
1651+
<para>
16501652
To require the client to supply a trusted certificate, place
16511653
certificates of the certificate authorities (<acronym>CA</acronym>)
16521654
you trust in the file <filename>root.crt</filename> in the data
1653-
directory. A certificate will then be requested from the client during
1655+
directory, and set the <literal>clientcert</literal> parameter
1656+
to <literal>1</literal> on the appropriate line(s) in pg_hba.conf.
1657+
A certificate will then be requested from the client during
16541658
SSL connection startup. (See <xref linkend="libpq-ssl"> for a
1655-
description of how to set upclientcertificates.) The server will
1659+
description of how to set up certificates on the client.) The server will
16561660
verify that the client's certificate is signed by one of the trusted
16571661
certificate authorities. Certificate Revocation List (CRL) entries
16581662
are also checked if the file <filename>root.crl</filename> exists.
@@ -1663,11 +1667,23 @@ $ <userinput>kill -INT `head -1 /usr/local/pgsql/data/postmaster.pid`</userinput
16631667
</para>
16641668

16651669
<para>
1666-
If the <filename>root.crt</filename> file is not present, client
1667-
certificates will not be requested or checked. In this mode, SSL
1668-
provides encrypted communication but not authentication.
1670+
The <literal>clientcert</literal> option in <filename>pg_hba.conf</>
1671+
is available for all authentication methods, but only for rows
1672+
specified as <literal>hostssl</>. Unless specified, the default is
1673+
not to verify the client certificate.
1674+
</para>
1675+
1676+
<para>
1677+
<productname>PostgreSQL</> currently does not support authentication
1678+
using client certificates, since it cannot differentiate between
1679+
different users. As long as the user holds any certificate issued
1680+
by a trusted CA it will be accepted, regardless of what account the
1681+
user is trying to connect with.
16691682
</para>
1683+
</sect2>
16701684

1685+
<sect2 id="ssl-server-files">
1686+
<title>SSL Server File Usage</title>
16711687
<para>
16721688
The files <filename>server.key</>, <filename>server.crt</>,
16731689
<filename>root.crt</filename>, and <filename>root.crl</filename>
@@ -1704,7 +1720,7 @@ $ <userinput>kill -INT `head -1 /usr/local/pgsql/data/postmaster.pid`</userinput
17041720
<row>
17051721
<entry><filename>root.crt</></entry>
17061722
<entry>trusted certificate authorities</entry>
1707-
<entry>requests client certificate; checks certificate is
1723+
<entry>checks that client certificate is
17081724
signed by a trusted certificate authority</entry>
17091725
</row>
17101726

@@ -1717,6 +1733,7 @@ $ <userinput>kill -INT `head -1 /usr/local/pgsql/data/postmaster.pid`</userinput
17171733
</tbody>
17181734
</tgroup>
17191735
</table>
1736+
</sect2>
17201737

17211738
<sect2 id="ssl-certificate-creation">
17221739
<title>Creating a Self-Signed Certificate</title>

‎src/backend/libpq/auth.c‎

Lines changed: 35 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@
88
*
99
*
1010
* IDENTIFICATION
11-
* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.171 2008/11/18 13:10:20 petere Exp $
11+
* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.172 2008/11/20 09:29:36 mha Exp $
1212
*
1313
*-------------------------------------------------------------------------
1414
*/
@@ -275,6 +275,40 @@ ClientAuthentication(Port *port)
275275
errmsg("missing or erroneous pg_hba.conf file"),
276276
errhint("See server log for details.")));
277277

278+
/*
279+
* This is the first point where we have access to the hba record for
280+
* the current connection, so perform any verifications based on the
281+
* hba options field that should be done *before* the authentication
282+
* here.
283+
*/
284+
if (port->hba->clientcert)
285+
{
286+
/*
287+
* When we parse pg_hba.conf, we have already made sure that we have
288+
* been able to load a certificate store. Thus, if a certificate is
289+
* present on the client, it has been verified against our root
290+
* certificate store, and the connection would have been aborted
291+
* already if it didn't verify ok.
292+
*/
293+
#ifdefUSE_SSL
294+
if (!port->peer)
295+
{
296+
ereport(FATAL,
297+
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
298+
errmsg("connection requires a valid client certificate")));
299+
}
300+
#else
301+
/*
302+
* hba.c makes sure hba->clientcert can't be set unless OpenSSL
303+
* is present.
304+
*/
305+
Assert(false);
306+
#endif
307+
}
308+
309+
/*
310+
* Now proceed to do the actual authentication check
311+
*/
278312
switch (port->hba->auth_method)
279313
{
280314
caseuaReject:

‎src/backend/libpq/be-secure.c‎

Lines changed: 51 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@
1111
*
1212
*
1313
* IDENTIFICATION
14-
* $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.85 2008/10/24 12:24:35 mha Exp $
14+
* $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.86 2008/11/20 09:29:36 mha Exp $
1515
*
1616
* Since the server static private key ($DataDir/server.key)
1717
* will normally be stored unencrypted so that the database
@@ -102,6 +102,7 @@ static const char *SSLerrmessage(void);
102102
#defineRENEGOTIATION_LIMIT (512 * 1024 * 1024)
103103

104104
staticSSL_CTX*SSL_context=NULL;
105+
staticboolssl_loaded_verify_locations= false;
105106

106107
/* GUC variable controlling SSL cipher list */
107108
char*SSLCipherSuites=NULL;
@@ -202,6 +203,19 @@ secure_destroy(void)
202203
#endif
203204
}
204205

206+
/*
207+
* Indicate if we have loaded the root CA store to verify certificates
208+
*/
209+
bool
210+
secure_loaded_verify_locations(void)
211+
{
212+
#ifdefUSE_SSL
213+
returnssl_loaded_verify_locations;
214+
#endif
215+
216+
return false;
217+
}
218+
205219
/*
206220
*Attempt to negotiate secure session.
207221
*/
@@ -754,15 +768,34 @@ initialize_SSL(void)
754768
elog(FATAL,"could not set the cipher list (no valid ciphers available)");
755769

756770
/*
757-
*Require and check client certificates only ifwehave a root.crt file.
771+
*Attempt to load CA store, sowecan verify client certificates if needed.
758772
*/
759-
if (!SSL_CTX_load_verify_locations(SSL_context,ROOT_CERT_FILE,NULL))
773+
if (access(ROOT_CERT_FILE,R_OK))
760774
{
761-
/* Not fatal - we do not require client certificates */
762-
ereport(LOG,
775+
ssl_loaded_verify_locations= false;
776+
777+
/*
778+
* If root certificate file simply not found. Don't log an error here, because
779+
* it's quite likely the user isn't planning on using client certificates.
780+
* If we can't access it for other reasons, it is an error.
781+
*/
782+
if (errno!=ENOENT)
783+
{
784+
ereport(FATAL,
785+
(errmsg("could not access root certificate file \"%s\": %m",
786+
ROOT_CERT_FILE)));
787+
}
788+
}
789+
elseif (!SSL_CTX_load_verify_locations(SSL_context,ROOT_CERT_FILE,NULL))
790+
{
791+
/*
792+
* File was there, but we could not load it. This means the file is somehow
793+
* broken, and we cannot do verification at all - so abort here.
794+
*/
795+
ssl_loaded_verify_locations= false;
796+
ereport(FATAL,
763797
(errmsg("could not load root certificate file \"%s\": %s",
764-
ROOT_CERT_FILE,SSLerrmessage()),
765-
errdetail("Will not verify client certificates.")));
798+
ROOT_CERT_FILE,SSLerrmessage())));
766799
}
767800
else
768801
{
@@ -795,13 +828,18 @@ initialize_SSL(void)
795828
ROOT_CRL_FILE,SSLerrmessage()),
796829
errdetail("Certificates will not be checked against revocation list.")));
797830
}
798-
}
799831

800-
SSL_CTX_set_verify(SSL_context,
801-
(SSL_VERIFY_PEER |
802-
SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
803-
SSL_VERIFY_CLIENT_ONCE),
804-
verify_cb);
832+
/*
833+
* Always ask for SSL client cert, but don't fail if it's not presented. We'll fail later in this case,
834+
* based on what we find in pg_hba.conf.
835+
*/
836+
SSL_CTX_set_verify(SSL_context,
837+
(SSL_VERIFY_PEER |
838+
SSL_VERIFY_CLIENT_ONCE),
839+
verify_cb);
840+
841+
ssl_loaded_verify_locations= true;
842+
}
805843
}
806844
}
807845

‎src/backend/libpq/hba.c‎

Lines changed: 33 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@
1010
*
1111
*
1212
* IDENTIFICATION
13-
* $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.172 2008/10/28 12:10:43 mha Exp $
13+
* $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.173 2008/11/20 09:29:36 mha Exp $
1414
*
1515
*-------------------------------------------------------------------------
1616
*/
@@ -927,6 +927,38 @@ parse_hba_line(List *line, int line_num, HbaLine *parsedline)
927927
INVALID_AUTH_OPTION("map","ident, krb5, gssapi and sspi");
928928
parsedline->usermap=pstrdup(c);
929929
}
930+
elseif (strcmp(token,"clientcert")==0)
931+
{
932+
/*
933+
* Since we require ctHostSSL, this really can never happen on non-SSL-enabled
934+
* builds, so don't bother checking for USE_SSL.
935+
*/
936+
if (parsedline->conntype!=ctHostSSL)
937+
{
938+
ereport(LOG,
939+
(errcode(ERRCODE_CONFIG_FILE_ERROR),
940+
errmsg("clientcert can only be configured for \"hostssl\" rows"),
941+
errcontext("line %d of configuration file \"%s\"",
942+
line_num,HbaFileName)));
943+
return false;
944+
}
945+
if (strcmp(c,"1")==0)
946+
{
947+
if (!secure_loaded_verify_locations())
948+
{
949+
ereport(LOG,
950+
(errcode(ERRCODE_CONFIG_FILE_ERROR),
951+
errmsg("client certificates can only be checked if a root certificate store is available"),
952+
errdetail("make sure the root certificate store is present and readable"),
953+
errcontext("line %d of configuration file \"%s\"",
954+
line_num,HbaFileName)));
955+
return false;
956+
}
957+
parsedline->clientcert= true;
958+
}
959+
else
960+
parsedline->clientcert= false;
961+
}
930962
elseif (strcmp(token,"pamservice")==0)
931963
{
932964
REQUIRE_AUTH_OPTION(uaPAM,"pamservice","pam");

‎src/include/libpq/hba.h‎

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@
44
* Interface to hba.c
55
*
66
*
7-
* $PostgreSQL: pgsql/src/include/libpq/hba.h,v 1.51 2008/10/28 12:10:44 mha Exp $
7+
* $PostgreSQL: pgsql/src/include/libpq/hba.h,v 1.52 2008/11/20 09:29:36 mha Exp $
88
*
99
*-------------------------------------------------------------------------
1010
*/
@@ -54,6 +54,7 @@ typedef struct
5454
intldapport;
5555
char*ldapprefix;
5656
char*ldapsuffix;
57+
boolclientcert;
5758
}HbaLine;
5859

5960
typedefstructPorthbaPort;

‎src/include/libpq/libpq.h‎

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@
77
* Portions Copyright (c) 1996-2008, PostgreSQL Global Development Group
88
* Portions Copyright (c) 1994, Regents of the University of California
99
*
10-
* $PostgreSQL: pgsql/src/include/libpq/libpq.h,v 1.69 2008/01/01 19:45:58 momjian Exp $
10+
* $PostgreSQL: pgsql/src/include/libpq/libpq.h,v 1.70 2008/11/20 09:29:36 mha Exp $
1111
*
1212
*-------------------------------------------------------------------------
1313
*/
@@ -67,6 +67,7 @@ extern void pq_endcopyout(bool errorAbort);
6767
* prototypes for functions in be-secure.c
6868
*/
6969
externintsecure_initialize(void);
70+
externboolsecure_loaded_verify_locations(void);
7071
externvoidsecure_destroy(void);
7172
externintsecure_open_server(Port*port);
7273
externvoidsecure_close(Port*port);

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp