Merge pull request ClickHouse#36724 from ClickHouse/backport/22.3/36487

alexey-milovidov · web-flow · commit 3e44e824cffe · 2022-05-06T01:51:56.000+03:00
Backport ClickHouse#36487 to 22.3: Add passphrase for certificates
diff --git a/src/Server/CertificateReloader.cpp b/src/Server/CertificateReloader.cpp
@@ -81,11 +81,12 @@ void CertificateReloader::tryLoad(const Poco::Util::AbstractConfiguration & conf
     {
         bool cert_file_changed = cert_file.changeIfModified(std::move(new_cert_path), log);
         bool key_file_changed = key_file.changeIfModified(std::move(new_key_path), log);
+        std::string pass_phrase = config.getString("openSSL.server.privateKeyPassphraseHandler.options.password", "");
 
         if (cert_file_changed || key_file_changed)
         {
             LOG_DEBUG(log, "Reloading certificate ({}) and key ({}).", cert_file.path, key_file.path);
-            data.set(std::make_unique<const Data>(cert_file.path, key_file.path));
+            data.set(std::make_unique<const Data>(cert_file.path, key_file.path, pass_phrase));
             LOG_INFO(log, "Reloaded certificate ({}) and key ({}).", cert_file.path, key_file.path);
         }
 
@@ -104,8 +105,8 @@ void CertificateReloader::tryLoad(const Poco::Util::AbstractConfiguration & conf
 }
 
 
-CertificateReloader::Data::Data(std::string cert_path, std::string key_path)
-    : cert(cert_path), key(/* public key */ "", /* private key */ key_path)
+CertificateReloader::Data::Data(std::string cert_path, std::string key_path, std::string pass_phrase)
+    : cert(cert_path), key(/* public key */ "", /* private key */ key_path, pass_phrase)
 {
 }
 
diff --git a/src/Server/CertificateReloader.h b/src/Server/CertificateReloader.h
@@ -51,16 +51,14 @@ class CertificateReloader
     int setCertificate(SSL * ssl);
 
 private:
-    CertificateReloader()
-    {
-    }
+    CertificateReloader() = default;
 
     Poco::Logger * log = &Poco::Logger::get("CertificateReloader");
 
     struct File
     {
         const char * description;
-        File(const char * description_) : description(description_) {}
+        explicit File(const char * description_) : description(description_) {}
 
         std::string path;
         std::filesystem::file_time_type modification_time;
@@ -76,7 +74,7 @@ class CertificateReloader
         Poco::Crypto::X509Certificate cert;
         Poco::Crypto::EVPPKey key;
 
-        Data(std::string cert_path, std::string key_path);
+        Data(std::string cert_path, std::string key_path, std::string pass_phrase);
     };
 
     MultiVersion<Data> data;
diff --git a/tests/integration/test_reload_certificate/configs/WithPassPhrase.crt b/tests/integration/test_reload_certificate/configs/WithPassPhrase.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPDCCAiQCFBXNOvsLA+dqmX/TkYG9JXdD5m72MA0GCSqGSIb3DQEBCwUAMFox
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+cm5ldCBXaWRnaXRzIFB0eSBMdGQxEzARBgNVBAMMCmNsaWNraG91c2UwIBcNMjIw
+NDIxMTAzNDU1WhgPMjEyMjAzMjgxMDM0NTVaMFkxCzAJBgNVBAYTAkFVMRMwEQYD
+VQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBM
+dGQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAKaXz596N4NC2zZdIqdwZbSYAtNdBCsBVPt5YT9F640aF5zOogPZyxGP
+ENyOZwABi/7HhwFbH657xyRvi8lTau8dZL+0tbakyoIn1Tw6j+/3GXTjLduJSy6C
+mOf4OzsrFC8mYgU+7p5ijvWVlO9h5NMbLdAPSIB5WSHhmSORH5LgjoK6oMOYdRod
+GmfHqSbwPVwy3Li5SXlniCQmJsM0zl64LFbJ/NU+13qETmhBiDgmh0Svi+wzSzqZ
+q1PIX92T3k44IXNZbvF7lKbUOS9Xb3BoxA4cDqRcTx4x73xRDwodSmqiuQOC99HI
+A0C/tZJ25VNAGjLKukPSHqYscq2PAsUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA
+IDQwjf/ja3TfOXrz+Gn1eErSKnWS3asjRT9rYWQsy3tzVUkMIcszrG+FqTR16g5H
+ZWyuEOi6KIRmda3SYKdLKmtQLrgx6/d/jvH5TQ0LTFZrp6vh0lo3pV+L6fLo1ZRD
+V1i8jW/7HHNyqJamUXOjwA0DpPOMkdtwuyV+rJ+2bTG1ZSK33O4Ae2CY5+dad6zy
+YI6b1c9flWfDznuNEMH7jDDjKgXwjZGeU53FiuuhHiNyRchsr/B9eIBsom8oykiD
+kch4cnAxx2E+m3hLYzupkXHOVQ5CNpVk8PGUCIGcyqDxPt+fOj1WbDQ9laEcfhmV
+kR+vHmzOqWZnHU4QeMqDig==
+-----END CERTIFICATE-----
diff --git a/tests/integration/test_reload_certificate/configs/WithPassPhrase.key b/tests/integration/test_reload_certificate/configs/WithPassPhrase.key
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,4E14FF586022476CD22AAFB662BB0E40
+
+dpJZKq5k+fMuC7XECfTSRjPeOEl9wNuVtZkcjEWaHN8ky4umND7ARyRyuU1Nk7cy
+fpCFlFKOqDfCkT5zVK/fB6pF32wqAI7sqeSuYPfQY0+L77yRdwM6L46WslzVKZYE
+lXD1AmqKT/LgF3+eBY5slkAAJo10zYDgKEwnoQVBp31YW2/+6oAGaY/O6x3p7aTG
+dw9CP+SFc0o8lPl1lsSovdNXDUiVCftvClog7hwyDv8AhHyGgynw3UJXX8UlyWu+
+Zz5zpgrvB2gvDLeoZZ6qjMGvtpEwlYBh4de9ZOsvQUpXEEfkQFtJV0j613OCQune
+LoTxKpYV1V/mZX4HPaJ1oC0OJ7XcliAOSS9K49YobTuz7Kg5Wg3bVGo9xRfYDjch
+rVeMP4u5RXSGuHL23FPMfK6EqcldrFyRwLaY/IV1Yl6UNUMKAphn/WMtWVuT3TiT
+QMCI2VRt7ItwZwwFn5RgyDweWdFf5v3AmN/lOhATDBqosahkPxDZ1VZ6OBPoJLPM
+UrDWH/lqrByeEjtAOwr5UsWKwLuJ8qUxQ4TchHwFKOwy6VsrRwMQ3ZWi2govPF9I
+W0sfLj5Ulfjx6zHdqnF48a1Elit4JH6inBEWFuj7bmlOotq+PHoeT61zAwW+gnrG
+3JTo3XnaE2WwRDpqvKYHWLv/J218rq8PtIaq9gjr55odPfIt8lkJ1XzF4WQ21rIJ
+GNWZ3xz4fxpvrKnQyAKGu0ZcdjA1nqs16oiVr+UnJoXmkM5yBCic4fZYwPTSQHYS
+ZxwaTzEjfeGxrSeLrN9CgoweucvogOvUjJOBcW/py80du8vWz0YyzMhg3o0YeGME
+C+Kts/YWxmyfw4DaWt8RtWCKl85hEmz8RODvkMLGtLzvVoSyLQWqp1NhGIlFtzXs
+7sPLulUeyD2avTC/RB/Pu9Nk80c0368BxCoeYbiFWZpaN70SJmCUE5H59J2d0olw
+5v2RVjLBi8wqnzoa0+2L8wnG7IQGadS97dj0eBR+JXNtoJhVrurS80RJ6B0bNxdu
+gX8otfnJYsZyK5hbEhcQqLdnyGhDEE8YHe7Hv9stWwLAFOfOMzyzC06lFS1eNiw4
+FJyXJUhDieb8EqetouAC8dNVXz4Q1zOTlGuAbGoKm5v0U5IhCQap9GUSW5QiUgOQ
+AEMs9aGfd91R+IcDf19mZptsQLYA6MGBN6fm+3O2iZImKIbF+ZZo0S6liFFmn6lm
+M+diTzaoiqgEkiXOuRhdQUMaiGV8BMZxv8qUH6/vyC3gSueoTio0f9PfASDYfvXD
+A3GuI87P6LF1it2UlN6ssFoXTZdfQQZwRmNuqOqw+BJOJHrR6trcXOCZOQ77Qnvd
+M5a348gIzluVUkExAPGCsySQWMx4Of5NBF28jEC3+TAwkRqBV2ZHmfGLWnvwaB+A
+YUeKtpWblfG1lsrDAdwL2dilU95oby+35sExX7M2dCrL9Y2P5oTCW3u12//ZSLeL
+Yhi1Rzol6LAuesZCVF0Zv/YYDhzAckJfT/qXK5B5pz9saswxCUBEpiKlLpVsjOFJ
+2bHm8NgOMD5b3cdh1kvts4wZe+giry7LHsn46f+9VqN+gA6XxeVsPyb4uO1KW3SN
+-----END RSA PRIVATE KEY-----
diff --git a/tests/integration/test_reload_certificate/test.py b/tests/integration/test_reload_certificate/test.py
@@ -13,9 +13,18 @@
         "configs/second.key",
         "configs/ECcert.crt",
         "configs/ECcert.key",
+        "configs/WithPassPhrase.crt",
+        "configs/WithPassPhrase.key",
         "configs/cert.xml",
     ],
 )
+PASS_PHRASE_TEMPLATE = """<privateKeyPassphraseHandler>
+                <name>KeyFileHandler</name>
+                <options>
+                <password>{pass_phrase}</password>
+                </options>
+            </privateKeyPassphraseHandler>
+"""
 
 
 @pytest.fixture(scope="module", autouse=True)
@@ -27,7 +36,7 @@ def started_cluster():
         cluster.shutdown()
 
 
-def change_config_to_key(name):
+def change_config_to_key(name, pass_phrase=""):
     """
     * Generate config with certificate/key name from args.
     * Reload config.
@@ -48,21 +57,23 @@ def change_config_to_key(name):
             <cacheSessions>true</cacheSessions>
             <disableProtocols>sslv2,sslv3</disableProtocols>
             <preferServerCiphers>true</preferServerCiphers>
+            {pass_phrase}
         </server>
     </openSSL>
 </clickhouse>
 EOF""".format(
-                cur_name=name
+                cur_name=name, pass_phrase=pass_phrase
             ),
         ]
     )
     node.query("SYSTEM RELOAD CONFIG")
 
 
-def test_first_than_second_cert():
-    """Consistently set first key and check that only it will be accepted, then repeat same for second key."""
+def check_certificate_switch(
+    first, second, pass_phrase_first="", pass_phrase_second=""
+):
     # Set first key
-    change_config_to_key("first")
+    change_config_to_key(first, pass_phrase_first)
 
     # Command with correct certificate
     assert (
@@ -71,9 +82,7 @@ def test_first_than_second_cert():
                 "curl",
                 "--silent",
                 "--cacert",
-                "/etc/clickhouse-server/config.d/{cur_name}.crt".format(
-                    cur_name="first"
-                ),
+                "/etc/clickhouse-server/config.d/{cur_name}.crt".format(cur_name=first),
                 "https://localhost:8443/",
             ]
         )
@@ -90,7 +99,7 @@ def test_first_than_second_cert():
                 "--silent",
                 "--cacert",
                 "/etc/clickhouse-server/config.d/{cur_name}.crt".format(
-                    cur_name="second"
+                    cur_name=second
                 ),
                 "https://localhost:8443/",
             ]
@@ -100,7 +109,7 @@ def test_first_than_second_cert():
         assert True
 
     # Change to other key
-    change_config_to_key("second")
+    change_config_to_key(second, pass_phrase_second)
 
     # Command with correct certificate
     assert (
@@ -110,7 +119,7 @@ def test_first_than_second_cert():
                 "--silent",
                 "--cacert",
                 "/etc/clickhouse-server/config.d/{cur_name}.crt".format(
-                    cur_name="second"
+                    cur_name=second
                 ),
                 "https://localhost:8443/",
             ]
@@ -126,9 +135,7 @@ def test_first_than_second_cert():
                 "curl",
                 "--silent",
                 "--cacert",
-                "/etc/clickhouse-server/config.d/{cur_name}.crt".format(
-                    cur_name="first"
-                ),
+                "/etc/clickhouse-server/config.d/{cur_name}.crt".format(cur_name=first),
                 "https://localhost:8443/",
             ]
         )
@@ -137,59 +144,18 @@ def test_first_than_second_cert():
         assert True
 
 
-def test_ECcert_reload():
-    # Set first key
-    change_config_to_key("first")
+def test_first_than_second_cert():
+    """Consistently set first key and check that only it will be accepted, then repeat same for second key."""
+    check_certificate_switch("first", "second")
 
-    # Command with correct certificate
-    assert (
-        node.exec_in_container(
-            [
-                "curl",
-                "--silent",
-                "--cacert",
-                "/etc/clickhouse-server/config.d/{cur_name}.crt".format(
-                    cur_name="first"
-                ),
-                "https://localhost:8443/",
-            ]
-        )
-        == "Ok.\n"
-    )
 
-    # Change to other key
-    change_config_to_key("ECcert")
+def test_ECcert_reload():
+    """Check EC certificate"""
+    check_certificate_switch("first", "ECcert")
 
-    # Command with correct certificate
-    assert (
-        node.exec_in_container(
-            [
-                "curl",
-                "--silent",
-                "--cacert",
-                "/etc/clickhouse-server/config.d/{cur_name}.crt".format(
-                    cur_name="ECcert"
-                ),
-                "https://localhost:8443/",
-            ]
-        )
-        == "Ok.\n"
-    )
 
-    # Command with wrong certificate
-    # Same as previous
-    try:
-        node.exec_in_container(
-            [
-                "curl",
-                "--silent",
-                "--cacert",
-                "/etc/clickhouse-server/config.d/{cur_name}.crt".format(
-                    cur_name="first"
-                ),
-                "https://localhost:8443/",
-            ]
-        )
-        assert False
-    except:
-        assert True
+def test_cert_with_pass_phrase():
+    pass_phrase_for_cert = PASS_PHRASE_TEMPLATE.format(pass_phrase="test")
+    check_certificate_switch(
+        "first", "WithPassPhrase", pass_phrase_second=pass_phrase_for_cert
+    )

Original file line number	Diff line number	Diff line change
`@@ -81,11 +81,12 @@ void CertificateReloader::tryLoad(const Poco::Util::AbstractConfiguration & conf`
`81`	`81`	`{`
`82`	`82`	`bool cert_file_changed = cert_file.changeIfModified(std::move(new_cert_path), log);`
`83`	`83`	`bool key_file_changed = key_file.changeIfModified(std::move(new_key_path), log);`
	`84`	`+ std::string pass_phrase = config.getString("openSSL.server.privateKeyPassphraseHandler.options.password", "");`
`84`	`85`
`85`	`86`	`if (cert_file_changed \|\| key_file_changed)`
`86`	`87`	`{`
`87`	`88`	`LOG_DEBUG(log, "Reloading certificate ({}) and key ({}).", cert_file.path, key_file.path);`
`88`		`- data.set(std::make_unique<const Data>(cert_file.path, key_file.path));`
	`89`	`+ data.set(std::make_unique<const Data>(cert_file.path, key_file.path, pass_phrase));`
`89`	`90`	`LOG_INFO(log, "Reloaded certificate ({}) and key ({}).", cert_file.path, key_file.path);`
`90`	`91`	`}`
`91`	`92`
`@@ -104,8 +105,8 @@ void CertificateReloader::tryLoad(const Poco::Util::AbstractConfiguration & conf`
`104`	`105`	`}`
`105`	`106`
`106`	`107`
`107`		`-CertificateReloader::Data::Data(std::string cert_path, std::string key_path)`
`108`		`- : cert(cert_path), key(/* public key / "", / private key */ key_path)`
	`108`	`+CertificateReloader::Data::Data(std::string cert_path, std::string key_path, std::string pass_phrase)`
	`109`	`+ : cert(cert_path), key(/* public key / "", / private key */ key_path, pass_phrase)`
`109`	`110`	`{`
`110`	`111`	`}`
`111`	`112`