(PUP-11522) Include client cert if requested

joshcooper · joshcooper · commit 8c41acb9e18b · 2022-05-10T16:20:07.000-07:00
It's now possible to create a `system` context that performs mutual TLS and
trusts certs in the system store and/or the external store, based on
`Puppet[:ssl_trust_store]`.

If the agent doesn't have a client cert yet, then it will be ignored. For
example, when running `puppet apply` without a client certificate and trying to
apply a file resource with an "https" source.
diff --git a/lib/puppet/ssl/ssl_provider.rb b/lib/puppet/ssl/ssl_provider.rb
@@ -42,15 +42,18 @@ def create_root_context(cacerts:, crls: [], revocation: Puppet[:certificate_revo
   # refers to the cacerts bundle in the puppet-agent package.
   #
   # Connections made from the returned context will authenticate the server,
-  # i.e. `VERIFY_PEER`, but will not use a client certificate and will not
-  # perform revocation checking.
+  # i.e. `VERIFY_PEER`, but will not use a client certificate (unless requested)
+  # and will not perform revocation checking.
   #
   # @param cacerts [Array<OpenSSL::X509::Certificate>] Array of trusted CA certs
   # @param path [String, nil] A file containing additional trusted CA certs.
+  # @param include_client_cert [true, false] If true, the client cert will be added to the context
+  #   allowing mutual TLS authentication. The default is false. If the client cert doesn't exist
+  #   then the option will be ignored.
   # @return [Puppet::SSL::SSLContext] A context to use to create connections
   # @raise (see #create_context)
   # @api private
-  def create_system_context(cacerts:, path: Puppet[:ssl_trust_store])
+  def create_system_context(cacerts:, path: Puppet[:ssl_trust_store], include_client_cert: false)
     store = create_x509_store(cacerts, [], false, include_system_store: true)
 
     if path
@@ -71,6 +74,30 @@ def create_system_context(cacerts:, path: Puppet[:ssl_trust_store])
       end
     end
 
+    if include_client_cert
+      cert_provider = Puppet::X509::CertProvider.new
+      private_key = cert_provider.load_private_key(Puppet[:certname], required: false)
+      client_cert = cert_provider.load_client_cert(Puppet[:certname], required: false)
+
+      if private_key && client_cert
+        client_chain = verify_cert_with_store(store, client_cert)
+
+        if !private_key.is_a?(OpenSSL::PKey::RSA) && !private_key.is_a?(OpenSSL::PKey::EC)
+          raise Puppet::SSL::SSLError, _("Unsupported key '%{type}'") % { type: private_key.class.name }
+        end
+
+        unless client_cert.check_private_key(private_key)
+          raise Puppet::SSL::SSLError, _("The certificate for '%{name}' does not match its private key") % { name: subject(client_cert) }
+        end
+
+        return Puppet::SSL::SSLContext.new(
+          store: store, cacerts: cacerts, crls: [],
+          private_key: private_key, client_cert: client_cert, client_chain: client_chain,
+          revocation: false
+        ).freeze
+      end
+    end
+
     Puppet::SSL::SSLContext.new(store: store, cacerts: cacerts, crls: [], revocation: false).freeze
   end
 
diff --git a/spec/unit/ssl/ssl_provider_spec.rb b/spec/unit/ssl/ssl_provider_spec.rb
@@ -144,6 +144,31 @@
       expect(sslctx.private_key).to be_nil
     end
 
+    it 'includes the client cert and private key when requested' do
+      Puppet[:hostcert] = fixtures('ssl/signed.pem')
+      Puppet[:hostprivkey] = fixtures('ssl/signed-key.pem')
+      sslctx = subject.create_system_context(cacerts: [], include_client_cert: true)
+      expect(sslctx.client_cert).to be_an(OpenSSL::X509::Certificate)
+      expect(sslctx.private_key).to be_an(OpenSSL::PKey::RSA)
+    end
+
+    it 'ignores non-existent client cert and private key when requested' do
+      Puppet[:certname] = 'doesnotexist'
+      sslctx = subject.create_system_context(cacerts: [], include_client_cert: true)
+      expect(sslctx.client_cert).to be_nil
+      expect(sslctx.private_key).to be_nil
+    end
+
+    it 'raises if client cert and private key are mismatched' do
+      Puppet[:hostcert] = fixtures('ssl/signed.pem')
+      Puppet[:hostprivkey] = fixtures('ssl/127.0.0.1-key.pem')
+
+      expect {
+        subject.create_system_context(cacerts: [], include_client_cert: true)
+      }.to raise_error(Puppet::SSL::SSLError,
+        "The certificate for 'CN=signed' does not match its private key")
+    end
+
     it 'trusts additional system certs' do
       path = tmpfile('system_cacerts')
       File.write(path, cert_fixture('ca.pem').to_pem)
