[SERVER-11009] Users can authenticate with an invalid x509 certificate Created: 02/Oct/13  Updated: 09/Oct/13  Resolved: 07/Oct/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Luke Lovett Assignee: Andreas Nilsson
Resolution: Cannot Reproduce Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File client_invalid.pem     File client_invalid2.pem    
Issue Links:
Depends
Operating System: ALL
Steps To Reproduce:

1. Start a mongod instance:

$ mongod --version
2013-10-02T17:22:46.708+0000 git version: 7e57c5311b0b660cf2df6d3c2cd01245adbafe21
2013-10-02T17:22:46.709+0000 OpenSSL version: OpenSSL 0.9.8y 5 Feb 2013
$ mongod --sslOnNormalPorts --sslPEMKeyFile jstests/libs/server.pem --sslCRLFile jstests/libs/crl.pem --sslCAFile jstests/libs/ca.pem --auth

2. Connect to mongod:

$ mongo --version
MongoDB shell version: 2.5.3-pre-
$ mongo --ssl --sslPEMKeyFile client_invalid.pem
> use $external
> db.addUser({
...   user:"CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US",
...   roles:[
...                    {name: 'clusterAdmin', source: 'admin', hasRole: true, 'canDelegate': true},
...                    {name: 'userAdminAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true},
...                    {name: 'readWriteAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true},
...                    {name: 'dbAdminAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true}]});
{
	"user" : "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US",
	"roles" : [
		{
			"name" : "clusterAdmin",
			"source" : "admin",
			"hasRole" : true,
			"canDelegate" : true
		},
		{
			"name" : "userAdminAnyDatabase",
			"source" : "admin",
			"hasRole" : true,
			"canDelegate" : true
		},
		{
			"name" : "readWriteAnyDatabase",
			"source" : "admin",
			"hasRole" : true,
			"canDelegate" : true
		},
		{
			"name" : "dbAdminAnyDatabase",
			"source" : "admin",
			"hasRole" : true,
			"canDelegate" : true
		}
	]
}
> db.auth({ user:"CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US",
... mechanism:"MONGODB-X509"})
1

Participants:

 Description   

Users can be created and authenticate with an invalid x509 certificate (see example certificate attached). The provided certificate (client_invalid.pem) is invalid because the "Validity Not Before" is set to a date that has not yet arrived and the "Validity Not After" is a date already passed. The second provided certificate (client_invalid2.pem) has invalid values for public key algorithm, public key modulus, exponent, x509v3 extensions, signature algorithm, as well as negative values for version and serial number. Expected behavior is that mongod should not allow clients to connect who have an invalid x509 certificate.



 Comments   
Comment by Andreas Nilsson [ 07/Oct/13 ]

luke.lovett both these certificates looks valid to me. I checked the content using:

openssl x509 -inform PEM -in client_invalid.pem -text

the first one for instance has validity
Not Before: Aug 23 14:55:32 2013 GMT
Not After : Jan 7 14:55:32 2041 GMT

Which commands did you use to generate the certs?

Generated at Thu Feb 08 03:24:38 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.