
Conversation

@alexmiller-apple (Contributor) commented Mar 13, 2020

This requires the certificate chain to load successfully, otherwise
fdbcli will error out at an earlier point due to Net2 not being able to
configure TLS.

As this only dumps certificates, and requires that they load, I don't like the name tlsinfo, but I'm struggling to think of how to name/nest it in the cli... @ajbeamon ? I suppose I could make it a flag and not a command, which would then open the door for being able to make this something that can do more verbose error reporting of TLS configuration issues. --debug-tls ?

And +cc @apkar for visibility


Not what I meant to do today, but...

$ ./bin/fdbcli -C ../local.cluster --tls_certificate_file=FDBLibTLS/testdata/test-client-1.pem --tls_key_file=FDBLibTLS/testdata/test-client-1.pem --tls_ca_file=FDBLibTLS/testdata/test-ca-1.pem
Using cluster file `../local.cluster'.

The database is unavailable; type `status' for more information.

Welcome to the fdbcli. For help, type `help'.
fdb> tlsinfo
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b3:8f:4e:b4:06:a5:eb:78
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=Cupertino, O=Apple Inc., OU=FDB Team, CN=FDB LibTLS Plugin Test Intermediate CA 1
        Validity
            Not Before: Apr 26 16:35:55 2018 GMT
            Not After : Apr 23 16:35:55 2028 GMT
        Subject: C=US, ST=California, L=Cupertino, O=Apple Inc., OU=FDB Team, CN=FDB LibTLS Plugin Test Client 1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                F3:74:3E:18:59:2E:D3:F9:C3:F5:06:EF:6D:2A:5B:AD:C1:75:45:31
            X509v3 Authority Key Identifier: 
                keyid:4E:64:5A:B4:02:07:31:EE:EE:A1:B9:80:C7:5A:9B:36:74:94:7A:52

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
    Signature Algorithm: sha1WithRSAEncryption

@alexmiller-apple (Contributor Author):

I'm also honestly unclear what work we're doing against release-6.2 and what work we're doing against master these days.

@ajbeamon (Contributor):

I suppose if you thought tlsinfo could be used for more stuff, we could add a second parameter to specify what you want, like tlsinfo certificates. Then tlsinfo could print some high-level status if we had something interesting to print.

I haven't given much thought to what kind of stuff would be useful. A list of the set TLS parameters is possibly interesting given that some of them could be coming from the environment or default values.

@alexmiller-apple (Contributor Author):

What I had in my head was a sort of "Do this and paste us the output if you have TLS problems", because I presume that's the only time that people are going to care about what their TLS settings are.

I think in that regard, having this be a --debug-tls flag on fdbcli would be better (and thus just hijack fdbcli as a tool installed with the client packages already), so that we can do what you suggest: print out the configuration, and do more detailed checking of things than just certificates.

@alexmiller-apple (Contributor Author):

So this is now fdbcli --debug-tls, which prints tls configuration and exits.

Happy case:

TLS Configuration:
	Certificate Path: FDBLibTLS/testdata/test-client-3.pem
	Key Path: FDBLibTLS/testdata/test-client-3.pem
	CA Path: FDBLibTLS/testdata/test-ca-1.pem
	Password: Exists, but redacted

Certificate:
[snip]

Sad case:

TLS Configuration:
	Certificate Path: FDBLibTLS/testdata/test-client-3.pem
	Key Path: FDBLibTLS/testdata/test-client-1.pem
	CA Path: FDBLibTLS/testdata/test-ca-1.pem
	Password: Exists, but redacted

There was an error in loading the certificate chain.
ERROR: TLS error (2107)
Use --log and look at the trace logs for more detailed information on the failure.

This also leaves the option that in the future, we could expand this into doing a more step-by-step loading and verifying of certificates to print out things about them. (Like that the -3 certs loaded, but are expired.)
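A stdlib-only sketch of the --debug-tls behaviour described in this comment, added here as an example (not code from the PR or from FoundationDB): it resolves the TLS settings from explicit flags with FDB_TLS_* environment fallbacks, prints the configuration with the password redacted, and then tries to load the chain, reporting a failure the way the sad case above does. The function names and the bracketed origin annotation are my own additions; the environment variable names are the FDB_TLS_* ones FoundationDB documents for its client.

```python
import os
import ssl

# Explicit --tls_* flags win; otherwise fall back to FoundationDB's FDB_TLS_*
# environment variables, and record where each setting came from.
ENV_NAMES = {
    "certificate_file": "FDB_TLS_CERTIFICATE_FILE",
    "key_file": "FDB_TLS_KEY_FILE",
    "ca_file": "FDB_TLS_CA_FILE",
    "password": "FDB_TLS_PASSWORD",
}

def resolve_config(flags, env=None):
    """Return {setting: (value, origin)}, origin being flag, environment or unset."""
    env = os.environ if env is None else env
    cfg = {}
    for name, env_name in ENV_NAMES.items():
        if flags.get(name):
            cfg[name] = (flags[name], "flag")
        elif env.get(env_name):
            cfg[name] = (env[env_name], "environment")
        else:
            cfg[name] = (None, "unset")
    return cfg

def describe_config(cfg):
    """Mirror the --debug-tls report: paths with their origin, password redacted."""
    lines = ["TLS Configuration:"]
    for label, name in (("Certificate Path", "certificate_file"),
                        ("Key Path", "key_file"), ("CA Path", "ca_file")):
        value, origin = cfg[name]
        lines.append(f"\t{label}: {value or '(not set)'} [{origin}]")
    has_password = cfg["password"][0] is not None
    lines.append("\tPassword: " + ("Exists, but redacted" if has_password else "Not set"))
    return "\n".join(lines)

def load_chain(cfg):
    """Load cert, key and CA as a TLS client would; return the error text or None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_cert_chain(cfg["certificate_file"][0], cfg["key_file"][0],
                            cfg["password"][0])
        if cfg["ca_file"][0]:
            ctx.load_verify_locations(cfg["ca_file"][0])
    except (ssl.SSLError, OSError, TypeError) as exc:
        return f"There was an error in loading the certificate chain.\nERROR: {exc}"
    return None
```

Calling describe_config and then load_chain on the same resolved config reproduces the two halves of the --debug-tls output; a mismatched cert and key, like test-client-3 with test-client-1 above, surfaces as an ssl.SSLError in the second half.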

@etschannen (Contributor):

fix the conflict, otherwise it looks good

@etschannen etschannen merged commit c197520 into apple:release-6.2 Mar 16, 2020