(PUP-11522) Support mTLS with an external CA

joshcooper · joshcooper · commit 3f7f830f0aef · 2022-05-10T16:20:07.000-07:00
Passing "include_system_store: true" to any of the http client methods will now
attempt to include the client cert for mutual TLS authentication. The client
cert will be ignored if it doesn't exist, e.g. when running puppet apply.
diff --git a/lib/puppet/http/client.rb b/lib/puppet/http/client.rb
@@ -426,7 +426,7 @@ def system_ssl_context
     cacerts = cert_provider.load_cacerts || []
 
     ssl = Puppet::SSL::SSLProvider.new
-    @default_system_ssl_context = ssl.create_system_context(cacerts: cacerts)
+    @default_system_ssl_context = ssl.create_system_context(cacerts: cacerts, include_client_cert: true)
     ssl.print(@default_system_ssl_context)
     @default_system_ssl_context
   end
diff --git a/spec/integration/http/client_spec.rb b/spec/integration/http/client_spec.rb
@@ -83,7 +83,7 @@
       res
     end
 
-    it "mutually authenticates the connection" do
+    it "mutually authenticates the connection using an explicit context" do
       client_context = ssl_provider.create_context(
         cacerts: [https_server.ca_cert], crls: [https_server.ca_crl],
         client_cert: https_server.server_cert, private_key: https_server.server_key
@@ -95,6 +95,23 @@
       end
     end
 
+    it "mutually authenticates the connection when the client and server certs are issued from different CAs" do
+      # this is the client cert's CA, key and cert
+      Puppet[:localcacert] = fixtures('ssl/unknown-ca.pem')
+      Puppet[:hostprivkey] = fixtures('ssl/unknown-127.0.0.1-key.pem')
+      Puppet[:hostcert] = fixtures('ssl/unknown-127.0.0.1.pem')
+
+      # this is the server cert's CA that the client needs in order to authenticate the server
+      Puppet[:ssl_trust_store] = fixtures('ssl/ca.pem')
+
+      # need to pass both the client and server CAs. The former is needed so the server can authenticate our client cert
+      https_server = PuppetSpec::HTTPSServer.new(ca_cert: [cert_fixture('ca.pem'), cert_fixture('unknown-ca.pem')])
+      https_server.start_server(ctx_proc: ctx_proc) do |port|
+        res = client.get(URI("https://127.0.0.1:#{port}"), options: {include_system_store: true})
+        expect(res).to be_success
+      end
+    end
+
     it "connects when the server's CA is in the system store and the connection is mutually authenticated using create_context" do
       Puppet::Util.withenv("SSL_CERT_FILE" => cert_file) do
         client_context = ssl_provider.create_context(
diff --git a/spec/lib/puppet_spec/https.rb b/spec/lib/puppet_spec/https.rb
@@ -40,7 +40,7 @@ def start_server(ctx_proc: nil, response_proc: nil, &block)
 
     IO.pipe {|stop_pipe_r, stop_pipe_w|
       store = OpenSSL::X509::Store.new
-      store.add_cert(@ca_cert)
+      Array(@ca_cert).each { |c| store.add_cert(c) }
       store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
       ctx = OpenSSL::SSL::SSLContext.new
       ctx.cert_store = store
