use receptorNames (oid=otherNames) in tls bootstrap; fixed associated unit tests for receptor and receptorctl

pkg/netceptor/netceptor.go

@@ -1081,21 +1081,10 @@ func ReceptorVerifyFunc(tlscfg *tls.Config, pinnedFingerprints [][]byte, expecte
 		}
 
 		if expectedHostnameType == ExpectedHostnameTypeReceptor {
-			var receptorNames []string
-			receptorNames, err = utils.ReceptorNames(certs[0].Extensions)
+			found, receptorNames, err := utils.ParseReceptorNamesFromCert(certs[0], expectedHostname)
 			if err != nil {
-				logger.Error("RVF failed to get ReceptorNames: %s", err)
-
 				return err
 			}
-			found := false
-			for _, receptorName := range receptorNames {
-				if receptorName == expectedHostname {
-					found = true
-
-					break
-				}
-			}
 			if !found {
 				logger.Error("RVF ReceptorNameError: expected %s but found %s", expectedHostname, strings.Join(receptorNames, ", "))
 

pkg/netceptor/tlsconfig.go

@@ -7,10 +7,12 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/hex"
+	"encoding/pem"
 	"fmt"
 	"io/ioutil"
 	"strings"
 
+	"github.com/ansible/receptor/pkg/utils"
 	"github.com/ghjm/cmdline"
 )
 
@@ -39,14 +41,39 @@ func decodeFingerprints(fingerprints []string) ([][]byte, error) {
 	return fingerprintBytes, nil
 }
 
+func checkCertificatesMatchNodeID(certbytes []byte, n *Netceptor, certName string, certPath string) error {
+	block, _ := pem.Decode(certbytes)
+
+	if block == nil {
+		return fmt.Errorf("failed to parse certfifcate PEM")
+	}
+
+	parsedCert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return err
+	}
+
+	found, receptorNames, err := utils.ParseReceptorNamesFromCert(parsedCert, n.nodeID)
+	if err != nil {
+		return err
+	}
+
+	if !found {
+		return fmt.Errorf("MainInstance.nodeID=%s not found in certificate name(s); names found=%s; cfg section=%s; server cert=%s", MainInstance.nodeID, fmt.Sprint(receptorNames), certName, certPath)
+	}
+
+	return nil
+}
+
 // tlsServerCfg stores the configuration options for a TLS server.
 type tlsServerCfg struct {
-	Name              string   `required:"true" description:"Name of this TLS server configuration"`
-	Cert              string   `required:"true" description:"Server certificate filename"`
-	Key               string   `required:"true" description:"Server private key filename"`
-	RequireClientCert bool     `description:"Require client certificates" default:"false"`
-	ClientCAs         string   `description:"Filename of CA bundle to verify client certs with"`
-	PinnedClientCert  []string `description:"Pinned fingerprint of required client certificate"`
+	Name                   string   `required:"true" description:"Name of this TLS server configuration"`
+	Cert                   string   `required:"true" description:"Server certificate filename"`
+	Key                    string   `required:"true" description:"Server private key filename"`
+	RequireClientCert      bool     `required:"false" description:"Require client certificates" default:"false"`
+	ClientCAs              string   `required:"false" description:"Filename of CA bundle to verify client certs with"`
+	PinnedClientCert       []string `required:"false" description:"Pinned fingerprint of required client certificate"`
+	SkipReceptorNamesCheck bool     `required:"false" description:"Skip verifying ReceptorNames OIDs in certificate at startup" default:"false"`
 }
 
 // Prepare creates the tls.config and stores it in the global map.
@@ -56,18 +83,24 @@ func (cfg tlsServerCfg) Prepare() error {
 		MinVersion:               tls.VersionTLS12,
 	}
 
-	certbytes, err := ioutil.ReadFile(cfg.Cert)
+	certBytes, err := ioutil.ReadFile(cfg.Cert)
 	if err != nil {
 		return err
 	}
 	keybytes, err := ioutil.ReadFile(cfg.Key)
 	if err != nil {
 		return err
 	}
-	cert, err := tls.X509KeyPair(certbytes, keybytes)
+	cert, err := tls.X509KeyPair(certBytes, keybytes)
 	if err != nil {
 		return err
 	}
+	// check server crt to ensure that the receptor NodeID is in the client certificate as an OID
+	if !cfg.SkipReceptorNamesCheck {
+		if err := checkCertificatesMatchNodeID(certBytes, MainInstance, cfg.Name, cfg.Cert); err != nil {
+			return err
+		}
+	}
 
 	tlscfg.Certificates = []tls.Certificate{cert}
 
@@ -106,12 +139,13 @@ func (cfg tlsServerCfg) Prepare() error {
 
 // tlsClientConfig stores the configuration options for a TLS client.
 type tlsClientConfig struct {
-	Name               string   `required:"true" description:"Name of this TLS client configuration"`
-	Cert               string   `required:"false" description:"Client certificate filename"`
-	Key                string   `required:"false" description:"Client private key filename"`
-	RootCAs            string   `required:"false" description:"Root CA bundle to use instead of system trust"`
-	InsecureSkipVerify bool     `required:"false" description:"Accept any server cert" default:"false"`
-	PinnedServerCert   []string `required:"false" description:"Pinned fingerprint of required server certificate"`
+	Name                   string   `required:"true" description:"Name of this TLS client configuration"`
+	Cert                   string   `required:"false" description:"Client certificate filename"`
+	Key                    string   `required:"false" description:"Client private key filename"`
+	RootCAs                string   `required:"false" description:"Root CA bundle to use instead of system trust"`
+	InsecureSkipVerify     bool     `required:"false" description:"Accept any server cert" default:"false"`
+	PinnedServerCert       []string `required:"false" description:"Pinned fingerprint of required server certificate"`
+	SkipReceptorNamesCheck bool     `required:"false" description:"if enabled, skip verifying ReceptorNames OIDs in certificate at startup"`
 }
 
 // Prepare creates the tls.config and stores it in the global map.
@@ -137,6 +171,13 @@ func (cfg tlsClientConfig) Prepare() error {
 		if err != nil {
 			return err
 		}
+
+		// check client crt to ensure that the receptor NodeID is in the client certificate as an OID
+		if !cfg.SkipReceptorNamesCheck {
+			if err := checkCertificatesMatchNodeID(certBytes, MainInstance, cfg.Name, cfg.Cert); err != nil {
+				return err
+			}
+		}
 		tlscfg.Certificates = []tls.Certificate{cert}
 	}