Analysis / Design - CLIENT_CERT without users certificates database

Version 2

    Analysis

    Summary

    CLIENT_CERT http-authentication-mechanism currently requires to provide security-realm, which will contain identity for given certificate and will verify X509Evidence for it. This does not provide replacement for legacy truststore auth, which allows to use only CA certificate to authenticate users by certificates signed by CA, without any database of them.

    Requirements

    • Should be possible to authenticate users by certificate without database of all certificates - does not matter if in LDAP, keystore or anything, CA certificate should be sufficient.
    • To provide replacement for legacy truststore authentication (see Client-Cert SSL Authentication Migration)

    General

    Tracking Issues

    Developer Resources

    To obtain user identity authenticated using SSL certificate it is necessary do use CLIENT_CERT http-authentication-mechanism. It requires to provide security-realm, which will contain given identity and will verify X509Evidence for it. There are two realms which allows it:

    • LdapSecurityRealm - which fully supports X509Evidences, but it requires to have certificate serial/digest of something in LDAP
    • KeyStoreBackedSecurityRealm - which requires to have certificates of all users in the keystore.

    To provide legacy truststore authentication replacement it should be possible to authenticate users only by CA signature on their certificate, without database of all certificates. (Event through it is more secure - not everytime is such database desirable or possible.)

    Currently we are able to bypass necessity of identity existence by post-realm-principal-transformer, which will rewrite name for realm to constant (but not for application - application will get original name). This does not solve evidence verification - certificate which is only signed by certificate in keystore is no sufficient for KeyStoreBackedSecurityRealm.

    Possible solutions

    • Provide option in CLIENT_CERT to disable evidence verification. (Users still needs to exist in realm, but no certificate info would be required here.)
    • Provide option in KeyStoreBackedSecurityRealm to verify certificates by their CA - in KeyStore would be only CA certificate, any certificate signed by certificate in KeyStore would be accepted (possibly with allowed defined recursion?)

    Developer Contacts

    Jan Kalina - jkalina@redhat.com