allow system administrator to turn off certificate verification on KMIP server
HouzuoGuo committed Jun 7, 2017
1 parent ec3b9a6 commit 281be4d
Showing 6 changed files with 27 additions and 7 deletions.
8 changes: 4 additions & 4 deletions command/server.go
Expand Up @@ -239,7 +239,7 @@ Important notes for client computers:
sysconf.Set(keyserv.SRV_CONF_TLS_VALIDATE_CLIENT, validateClient)
if validateClient {
sysconf.Set(keyserv.SRV_CONF_TLS_CA,
sys.Input(true,
sys.InputAbsFilePath(true,
sysconf.GetString(keyserv.SRV_CONF_TLS_CA, ""),
"PEM-encoded TLS certificate authority that will issue client certificates"))
}
Expand All @@ -250,9 +250,9 @@ Important notes for client computers:
sysconf.Set(keyserv.SRV_CONF_KMIP_SERVER_ADDRS, sys.Input(true, "", "Space-separated KMIP server addresses (host1:port1 host2:port2 ...)"))
sysconf.Set(keyserv.SRV_CONF_KMIP_SERVER_USER, sys.Input(false, "", "KMIP username"))
sysconf.Set(keyserv.SRV_CONF_KMIP_SERVER_PASS, sys.InputPassword(false, "", "KMIP password"))
sysconf.Set(keyserv.SRV_CONF_KMIP_SERVER_TLS_CA, sys.Input(false, "", "PEM-encoded TLS certificate authority that issued KMIP server certificate"))
sysconf.Set(keyserv.SRV_CONF_KMIP_SERVER_TLS_CERT, sys.Input(false, "", "PEM-encoded TLS client identitiy certificate"))
sysconf.Set(keyserv.SRV_CONF_KMIP_SERVER_TLS_KEY, sys.Input(false, "", "PEM-encoded TLS client identitiy certificate key"))
sysconf.Set(keyserv.SRV_CONF_KMIP_SERVER_TLS_CA, sys.InputAbsFilePath(false, "", "PEM-encoded TLS certificate authority of KMIP server"))
sysconf.Set(keyserv.SRV_CONF_KMIP_SERVER_TLS_CERT, sys.InputAbsFilePath(false, "", "PEM-encoded TLS client identity certificate"))
sysconf.Set(keyserv.SRV_CONF_KMIP_SERVER_TLS_KEY, sys.InputAbsFilePath(false, "", "PEM-encoded TLS client identity certificate key"))
}
// Walk through optional email settings
fmt.Println("\nTo enable Email notifications, enter the following parameters:")
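Review bot: The three KMIP credential prompts now use `sys.InputAbsFilePath`, which suggests a file path is stored rather than PEM content, yet their prompt text still reads as if the PEM itself is expected; make the prompt say what is wanted, e.g. `"Absolute path to the PEM-encoded CA certificate of the KMIP server"` and likewise `"Absolute path to the PEM-encoded TLS client certificate"` / `"... client certificate key"`. Since the wizard does not offer the new KMIP_TLS_DO_VERIFY key, verification presumably stays at its default of on, so the hostnames typed at the "Space-separated KMIP server addresses" prompt are what will be matched against the server certificate; the prompt could add "(use the host names that appear in the KMIP server's certificate, not IP addresses)". The enclosing initialisation function starts and ends outside the hunk.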
8 changes: 7 additions & 1 deletion keyserv/rpc_svc.go
Expand Up @@ -49,6 +49,7 @@ const (
SRV_CONF_KMIP_SERVER_ADDRS = "KMIP_SERVER_ADDRESSES"
SRV_CONF_KMIP_SERVER_USER = "KMIP_SERVER_USER"
SRV_CONF_KMIP_SERVER_PASS = "KMIP_SERVER_PASS"
SRV_CONF_KMIP_TLS_DO_VERIFY = "KMIP_TLS_DO_VERIFY"
SRV_CONF_KMIP_SERVER_TLS_CA = "KMIP_CA_PEM"
SRV_CONF_KMIP_SERVER_TLS_CERT = "KMIP_TLS_CERT_PEM"
SRV_CONF_KMIP_SERVER_TLS_KEY = "KMIP_TLS_CERT_KEY_PEM"
Expand Down Expand Up @@ -107,6 +108,7 @@ type CryptServiceConfig struct {
KMIPUser string // optional KMIP service access user
KMIPPass string // optional KMIP service access password
KMIPCertAuthorityPEM string // optional KMIP server CA certificate
KMIPTLSDoVerify bool // Enable verification on KMIP server's TLS certificate
KMIPCertPEM string // optional KMIP client certificate
KMIPKeyPEM string // optional KMIP client certificate key
}
Expand Down Expand Up @@ -155,10 +157,10 @@ func (conf *CryptServiceConfig) ReadFromSysconfig(sysconf *sys.Sysconfig) error
conf.KeyRetrievalGreeting = sysconf.GetString(SRV_CONF_MAIL_RETRIEVAL_TEXT, "The key server has sent the following encryption key to allow access to its file systems:")

conf.KMIPAddresses = sysconf.GetStringArray(SRV_CONF_KMIP_SERVER_ADDRS, []string{})

conf.KMIPUser = sysconf.GetString(SRV_CONF_KMIP_SERVER_USER, "")
conf.KMIPPass = sysconf.GetString(SRV_CONF_KMIP_SERVER_PASS, "")
conf.KMIPCertAuthorityPEM = sysconf.GetString(SRV_CONF_KMIP_SERVER_TLS_CA, "")
conf.KMIPTLSDoVerify = sysconf.GetBool(SRV_CONF_KMIP_TLS_DO_VERIFY, true)
conf.KMIPCertPEM = sysconf.GetString(SRV_CONF_KMIP_SERVER_TLS_CERT, "")
conf.KMIPKeyPEM = sysconf.GetString(SRV_CONF_KMIP_SERVER_TLS_KEY, "")
return conf.Validate()
Expand Down Expand Up @@ -254,6 +256,10 @@ func (srv *CryptServer) ListenRPC() error {
caCert, srv.Config.KMIPCertPEM, srv.Config.KMIPKeyPEM); err != nil {
return err
}
if !srv.Config.KMIPTLSDoVerify {
log.Printf("CryptServer.ListenRPC: KMIP client will not verify KMIP server's identity, as instructed by configuration.")
srv.KMIPClient.TLSConfig.InsecureSkipVerify = !srv.Config.KMIPTLSDoVerify
}
}
// Start ordinary RPC server
if srv.Listener, err = tls.Listen("tcp", fmt.Sprintf("%s:%d", srv.Config.Address, srv.Config.Port), srv.TLSConfig); err != nil {
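Review bot: The new `conf.KMIPTLSDoVerify = sysconf.GetBool(SRV_CONF_KMIP_TLS_DO_VERIFY, true)` in ReadFromSysconfig fails open: GetBool (sysconfig.go in this same commit) returns true only for "yes" or "true", so a mistyped value such as "y", "1", "on" or "ture" silently disables KMIP server certificate verification instead of being rejected. A switch whose unsafe position is the exception should be parsed fail-closed, rejecting anything but the documented yes/no spellings, as sketched below (`strings` may need importing if rpc_svc.go does not already use it; `fmt` is already in use). In ListenRPC, `srv.KMIPClient.TLSConfig.InsecureSkipVerify = !srv.Config.KMIPTLSDoVerify` sits inside `if !srv.Config.KMIPTLSDoVerify`, so the right-hand side is always true; write `= true`, and consider logging when a KMIP CA is configured yet ignored because verification is off. Both ReadFromSysconfig and ListenRPC start and end outside the hunks.
```go
// … unchanged: KMIP addresses, user, password, CA …
// Fail closed: only an explicit, well-formed "no"/"false" disables verification.
switch strings.ToLower(strings.TrimSpace(sysconf.GetString(SRV_CONF_KMIP_TLS_DO_VERIFY, "yes"))) {
case "yes", "true":
	conf.KMIPTLSDoVerify = true
case "no", "false":
	conf.KMIPTLSDoVerify = false
default:
	return fmt.Errorf("%s must be \"yes\" or \"no\"", SRV_CONF_KMIP_TLS_DO_VERIFY)
}
conf.KMIPCertPEM = sysconf.GetString(SRV_CONF_KMIP_SERVER_TLS_CERT, "")
// … unchanged: client key, Validate …
```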
1 change: 1 addition & 0 deletions keyserv/rpc_svc_test.go
Expand Up @@ -108,6 +108,7 @@ func TestServiceReadFromSysconfig(t *testing.T) {
KeyRetrievalSubject: "c",
KeyRetrievalGreeting: "d",
KMIPAddresses: []string{},
KMIPTLSDoVerify: true,
}) {
t.Fatalf("%+v", svcConf)
}
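Review bot: The only coverage the new flag receives is the default-on expectation `KMIPTLSDoVerify: true` added here; nothing exercises the "no" value, which is the branch with security consequences. Add a case that, however this test builds its sysconfig, sets `KMIP_TLS_DO_VERIFY="no"` and asserts `svcConf.KMIPTLSDoVerify == false`, plus one asserting that an unrecognised value (e.g. "1") does not turn verification off. TestServiceReadFromSysconfig starts and ends outside the hunk.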
7 changes: 7 additions & 0 deletions ospackage/etc/sysconfig/cryptctl-server
Expand Up @@ -160,3 +160,10 @@ KMIP_TLS_CERT_PEM=""
# If key server should act as KMIP proxy, this is the KMIP client certificate key.
KMIP_TLS_CERT_KEY_PEM=""

## Type: boolean
## Default: "yes"
#
# For security reasons, you are strongly recommended to leave the setting at its default "yes".
# If set to "no", cryptctl server will reduce its security measures by not verifying KMIP server's TLS certificate.
# Remember to restart cryptctl-server.service after changing any value of this file.
KMIP_TLS_DO_VERIFY="yes"
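Review bot: The comment on KMIP_TLS_DO_VERIFY understates what "no" gives up: without certificate verification, anyone able to intercept the connection can impersonate the KMIP server, at which point cryptctl would presumably present its configured KMIP credentials to the impostor and accept whatever keys it returns — an active-attacker risk, not merely eavesdropping. Suggest replacing the "reduce its security measures" sentence with `# If set to "no", cryptctl server will NOT verify the KMIP server's TLS certificate: an attacker able to intercept the connection can impersonate the KMIP server, capture the KMIP credentials and serve bogus keys.` Also state that only "yes" and "no" are meaningful here, because the loader in this commit treats any value other than "yes"/"true" as "no".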
8 changes: 7 additions & 1 deletion ospackage/man/cryptctl.8
Expand Up @@ -174,11 +174,17 @@ details during server's initialisation sequence. You must make the decision on w
any disk is encrypted using the key server, and you may not change the settings (e.g. turn off KMIP and use built-in
database again) once a disk has been encrypted.

By default,
.I cryptctl
performs strong verification on all TLS certificates. When it acts as a KMIP client, it verifies the common name of KMIP
server against the certificate presented by it, along with other checks such as validity date. Should any certificate
verification error occur, cryptctl will report back with the error reason and temporarily cease conversation with the KMIP
server.
server. It is strongly recommended to leave certificate verification enabled.

However, should you wish not to verify KMIP server certificate, you may turn it off by editing server configuration file
.I /etc/sysconfig/cryptctl-server
, find key "KMIP_TLS_DO_VERIFY" and change its value to "no", then restart cryptctl-server.service. Turning off the
verification opens up the risk of leaking disk encryption keys to eavesdroppers.

.SH CHANGE/REVOKE OR DELETE ENCRYPTION KEY
If you decide to revoke or change encryption key for an encrypted file system, please back up the encrypted data onto a
2 changes: 1 addition & 1 deletion sys/sysconfig.go
Expand Up @@ -187,7 +187,7 @@ func (conf *Sysconfig) GetBool(key string, defaultValue bool) bool {
defaultValStr = "yes"
}
value := strings.ToLower(conf.GetString(key, defaultValStr))
return (value == "yes" || value == "true")
return value == "yes" || value == "true"
}

// Convert key-value pairs back into text. Values are always surrounded by double-quotes.