Check webclient cert in EPP when connecting from local network #2765

2025-05-17 17:59:47 +02:00 · 2015-07-13 13:53:12 +03:00 · 2015-07-13 13:53:12 +03:00 · 9fd38f161a
commit 9fd38f161a
parent cac73b1224
2 changed files with 18 additions and 0 deletions
--- a/app/controllers/epp/sessions_controller.rb
+++ b/app/controllers/epp/sessions_controller.rb
@ -13,6 +13,15 @@ class Epp::SessionsController < EppController
    success = true
    @api_user = ApiUser.find_by(login_params)

+    if request.ip == ENV['webclient_ip'] && !Rails.env.test?
+      client_md5 = Certificate.parse_md_from_string(request.env['HTTP_SSL_CLIENT_CERT'])
+      server_md5 = Certificate.parse_md_from_string(File.read(ENV['cert_path']))
+      if client_md5 != server_md5
+        @msg = 'Authentication error; server closing connection (certificate is not valid)'
+        success = false
+      end
+    end
+
    if request.ip != ENV['webclient_ip'] && @api_user
      unless @api_user.api_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
        @msg = 'Authentication error; server closing connection (certificate is not valid)'
--- a/app/models/certificate.rb
+++ b/app/models/certificate.rb
@ -200,5 +200,14 @@ class Certificate < ActiveRecord::Base
      _out, _err, _st = Open3.capture3("sudo /etc/init.d/apache2 reload")
      STDOUT << "#{Time.zone.now.utc} - Apache reloaded\n"
    end
+
+    def parse_md_from_string(crt)
+      return nil if crt.blank?
+      crt = crt.split(' ').join("\n")
+      crt.gsub!("-----BEGIN\nCERTIFICATE-----\n", "-----BEGIN CERTIFICATE-----\n")
+      crt.gsub!("\n-----END\nCERTIFICATE-----", "\n-----END CERTIFICATE-----")
+      cert = OpenSSL::X509::Certificate.new(crt)
+      OpenSSL::Digest::MD5.new(cert.to_der).to_s
+    end
  end
 end