Check that stored private keys match certificates

This is done in two places: * Certificate import validator -- throws validation errors. * Certificate model constructor -- to ensure integrity of Lemur's data even when issuer plugins or other code paths have bugs.
2018-06-20 18:42:34 +03:00
parent d60b0c8805
commit 542e953919
8 changed files with 181 additions and 31 deletions
--- a/lemur/certificates/models.py
+++ b/lemur/certificates/models.py
@ -19,7 +19,7 @@ from sqlalchemy.sql.expression import case, extract
 from sqlalchemy_utils.types.arrow import ArrowType
 from werkzeug.utils import cached_property

-from lemur.common import defaults, utils
+from lemur.common import defaults, utils, validators
 from lemur.constants import SUCCESS_METRIC_STATUS, FAILURE_METRIC_STATUS
 from lemur.database import db
 from lemur.domains.models import Domain
@ -186,6 +186,18 @@ class Certificate(db.Model):
        for domain in defaults.domains(cert):
            self.domains.append(Domain(name=domain))

+        # Check integrity before saving anything into the database.
+        # For user-facing API calls, validation should also be done in schema validators.
+        self.check_integrity()
+
+    def check_integrity(self):
+        """
+        Integrity checks: Does the cert have a matching private key?
+        """
+        if self.private_key:
+            validators.verify_private_key_match(utils.parse_private_key(self.private_key), self.parsed_cert,
+                                                error_class=AssertionError)
+
    @cached_property
    def parsed_cert(self):
        assert self.body, "Certificate body not set"
--- a/lemur/certificates/schemas.py
+++ b/lemur/certificates/schemas.py
@ -10,7 +10,7 @@ from marshmallow import fields, validate, validates_schema, post_load, pre_load
 from marshmallow.exceptions import ValidationError

 from lemur.authorities.schemas import AuthorityNestedOutputSchema
-from lemur.common import validators, missing
+from lemur.common import missing, utils, validators
 from lemur.common.fields import ArrowDateTime, Hex
 from lemur.common.schema import LemurInputSchema, LemurOutputSchema
 from lemur.constants import CERTIFICATE_KEY_TYPES
@ -242,8 +242,8 @@ class CertificateUploadInputSchema(CertificateCreationSchema):
    authority = fields.Nested(AssociatedAuthoritySchema, required=False)
    notify = fields.Boolean(missing=True)
    external_id = fields.String(missing=None, allow_none=True)
-    private_key = fields.String(validate=validators.private_key)
-    body = fields.String(required=True, validate=validators.public_certificate)
+    private_key = fields.String()
+    body = fields.String(required=True)
    chain = fields.String(validate=validators.public_certificate, missing=None,
                          allow_none=True)  # TODO this could be multiple certificates

@ -258,6 +258,26 @@ class CertificateUploadInputSchema(CertificateCreationSchema):
            if not data.get('private_key'):
                raise ValidationError('Destinations require private key.')

+    @validates_schema
+    def validate_cert_private_key(self, data):
+        cert = None
+        key = None
+        if data.get('body'):
+            try:
+                cert = utils.parse_certificate(data['body'])
+            except ValueError:
+                raise ValidationError("Public certificate presented is not valid.", field_names=['body'])
+
+        if data.get('private_key'):
+            try:
+                key = utils.parse_private_key(data['private_key'])
+            except ValueError:
+                raise ValidationError("Private key presented is not valid.", field_names=['private_key'])
+
+        if cert and key:
+            # Throws ValidationError
+            validators.verify_private_key_match(key, cert)
+

 class CertificateExportInputSchema(LemurInputSchema):
    plugin = fields.Nested(PluginInputSchema)