crl provider: Static and FileWatcher provider implementations

security/advancedtls/advancedtls_test.go

@@ -371,6 +371,31 @@ func (s) TestClientServerHandshake(t *testing.T) {
 	getRootCAsForServerBad := func(params *GetRootCAsParams) (*GetRootCAsResults, error) {
 		return nil, fmt.Errorf("bad root certificate reloading")
 	}
+
+	getRootCAsForClientCRL := func(params *GetRootCAsParams) (*GetRootCAsResults, error) {
+		return &GetRootCAsResults{TrustCerts: cs.ClientTrust3}, nil
+	}
+
+	getRootCAsForServerCRL := func(params *GetRootCAsParams) (*GetRootCAsResults, error) {
+		return &GetRootCAsResults{TrustCerts: cs.ServerTrust3}, nil
+	}
+
+	makeStaticCRLProvider := func(containsRevoked bool) *RevocationConfig {
+		cRLProvider := MakeStaticCRLProvider()
+		var crl *CRL
+		if containsRevoked {
+			crl = loadCRL(t, testdata.Path("crl/provider/crl_server_revoked.pem"))
+		} else {
+			crl = loadCRL(t, testdata.Path("crl/provider/crl_empty.pem"))
+		}
+		cRLProvider.AddCRL(crl)
+
+		return &RevocationConfig{
+			AllowUndetermined: true,
+			CRLProvider:       cRLProvider,
+		}
+	}
+
 	cache, err := lru.New(5)
 	if err != nil {
 		t.Fatalf("lru.New: err = %v", err)
@@ -594,14 +619,14 @@ func (s) TestClientServerHandshake(t *testing.T) {
 		// server custom check fails
 		{
 			desc:                       "Client sets peer cert, reload root function with verifyFuncGood; Server sets bad custom check; mutualTLS",
-			clientCert:                 []tls.Certificate{cs.ClientCert1},
-			clientGetRoot:              getRootCAsForClient,
+			clientCert:                 []tls.Certificate{cs.ClientCert3},
+			clientGetRoot:              getRootCAsForClientCRL,
 			clientVerifyFunc:           clientVerifyFuncGood,
 			clientVType:                CertVerification,
 			clientExpectHandshakeError: true,
 			serverMutualTLS:            true,
-			serverCert:                 []tls.Certificate{cs.ServerCert1},
-			serverGetRoot:              getRootCAsForServer,
+			serverCert:                 []tls.Certificate{cs.ServerCert3},
+			serverGetRoot:              getRootCAsForServerCRL,
 			serverVerifyFunc:           verifyFuncBad,
 			serverVType:                CertVerification,
 			serverExpectError:          true,
@@ -704,6 +729,37 @@ func (s) TestClientServerHandshake(t *testing.T) {
 				Cache:             cache,
 			},
 		},
+		// Client: set valid credentials with the revocation config
+		// Server: set valid credentials with the revocation config
+		// Expected Behavior: success, because non of the certificate chains sent in the connection are revoked
+		{
+			desc:                   "Client sets peer cert, reload root function with verifyFuncGood; Server sets peer cert, reload root function; Client uses CRL; mutualTLS",
+			clientCert:             []tls.Certificate{cs.ClientCert3},
+			clientGetRoot:          getRootCAsForClientCRL,
+			clientVerifyFunc:       clientVerifyFuncGood,
+			clientVType:            CertVerification,
+			clientRevocationConfig: makeStaticCRLProvider(false),
+			serverMutualTLS:        true,
+			serverCert:             []tls.Certificate{cs.ServerCert3},
+			serverGetRoot:          getRootCAsForServerCRL,
+			serverVType:            CertVerification,
+		},
+		// Client: set valid credentials with the revocation config
+		// Server: set revoked credentials with the revocation config
+		// Expected Behavior: fail, server creds are revoked
+		{
+			desc:                   "Client sets peer cert, reload root function with verifyFuncGood; Server sets revoked cert; Client uses CRL; mutualTLS",
+			clientCert:             []tls.Certificate{cs.ClientCert3},
+			clientGetRoot:          getRootCAsForClientCRL,
+			clientVerifyFunc:       clientVerifyFuncGood,
+			clientVType:            CertVerification,
+			clientRevocationConfig: makeStaticCRLProvider(true),
+			serverMutualTLS:        true,
+			serverCert:             []tls.Certificate{cs.ServerCert3},
+			serverGetRoot:          getRootCAsForServerCRL,
+			serverVType:            CertVerification,
+			serverExpectError:      true,
+		},
 	} {
 		test := test
 		t.Run(test.desc, func(t *testing.T) {

security/advancedtls/crl.go

@@ -65,6 +65,11 @@ type RevocationConfig struct {
 	AllowUndetermined bool
 	// Cache will store CRL files if not nil, otherwise files are reloaded for every lookup.
 	Cache Cache
+	// CRLProvider is an alternative to using RootDir directly for the
+	// X509_LOOKUP_hash_dir approach to CRL files. If set, the CRLProvider's CRL
+	// function will be called when looking up and fetching CRLs during the
+	// handshake.
+	CRLProvider CRLProvider
 }
 
 // RevocationStatus is the revocation status for a certificate or chain.
@@ -83,15 +88,48 @@ func (s RevocationStatus) String() string {
 	return [...]string{"RevocationUndetermined", "RevocationUnrevoked", "RevocationRevoked"}[s]
 }
 
-// certificateListExt contains a pkix.CertificateList and parsed
+// CRL contains a pkix.CertificateList and parsed
 // extensions that aren't provided by the golang CRL parser.
-type certificateListExt struct {
+// GRPC requires certain specifics for CRLs - all CRLs should be loaded using
+// NewCRL() for bytes directly or ReadCRLFile() to read directly from a filepath
+type CRL struct {
 	CertList *x509.RevocationList
 	// RFC5280, 5.2.1, all conforming CRLs must have a AKID with the ID method.
 	AuthorityKeyID []byte
 	RawIssuer      []byte
 }
 
+// NewCRL constructs new CRL from provided byte array.
+func NewCRL(b []byte) (*CRL, error) {
+	crl, err := parseRevocationList(b)
+	if err != nil {
+		return nil, fmt.Errorf("parseCrl() failed err = %v", err)
+	}
+	crlExt, err := parseCRLExtensions(crl)
+	if err != nil {
+		return nil, fmt.Errorf("parseCRLExtensions() failed err = %v", err)
+	}
+	crlExt.RawIssuer, err = extractCRLIssuer(b)
+	if err != nil {
+		return nil, fmt.Errorf("extractCRLIssuer() failed err= %v", err)
+	}
+	return crlExt, nil
+}
+
+// ReadCRLFile reads a file from the provided path, and returns constructed
+// from it.
+func ReadCRLFile(path string) (*CRL, error) {
+	b, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("readFile(%v) failed err = %v", path, err)
+	}
+	crl, err := NewCRL(b)
+	if err != nil {
+		return nil, fmt.Errorf("ReadCRLFile(%v) failed err = %v", path, err)
+	}
+	return crl, nil
+}
+
 const tagDirectoryName = 4
 
 var (
@@ -215,12 +253,12 @@ func checkChain(chain []*x509.Certificate, cfg RevocationConfig) RevocationStatu
 	return chainStatus
 }
 
-func cachedCrl(rawIssuer []byte, cache Cache) (*certificateListExt, bool) {
+func cachedCrl(rawIssuer []byte, cache Cache) (*CRL, bool) {
 	val, ok := cache.Get(hex.EncodeToString(rawIssuer))
 	if !ok {
 		return nil, false
 	}
-	crl, ok := val.(*certificateListExt)
+	crl, ok := val.(*CRL)
 	if !ok {
 		return nil, false
 	}
@@ -232,14 +270,14 @@ func cachedCrl(rawIssuer []byte, cache Cache) (*certificateListExt, bool) {
 }
 
 // fetchIssuerCRL fetches and verifies the CRL for rawIssuer from disk or cache if configured in cfg.
-func fetchIssuerCRL(rawIssuer []byte, crlVerifyCrt []*x509.Certificate, cfg RevocationConfig) (*certificateListExt, error) {
+func fetchIssuerCRL(rawIssuer []byte, crlVerifyCrt []*x509.Certificate, cfg RevocationConfig) (*CRL, error) {
 	if cfg.Cache != nil {
 		if crl, ok := cachedCrl(rawIssuer, cfg.Cache); ok {
 			return crl, nil
 		}
 	}
 
-	crl, err := fetchCRL(rawIssuer, cfg)
+	crl, err := fetchCRLOpenSSLHashDir(rawIssuer, cfg)
 	if err != nil {
 		return nil, fmt.Errorf("fetchCRL() failed: %v", err)
 	}
@@ -253,16 +291,35 @@ func fetchIssuerCRL(rawIssuer []byte, crlVerifyCrt []*x509.Certificate, cfg Revo
 	return crl, nil
 }
 
+func fetchCRL(c *x509.Certificate, crlVerifyCrt []*x509.Certificate, cfg RevocationConfig) (*CRL, error) {
+	if cfg.CRLProvider != nil {
+		crl, err := cfg.CRLProvider.CRL(c)
+		if err != nil {
+			return nil, fmt.Errorf("CrlProvider failed err = %v", err)
+		}
+		if crl == nil {
+			// TODO print out cert info here? What cert contents are okay to have in a log?
+			return nil, fmt.Errorf("no CRL found for certificate's issuer")
+		}
+		return crl, nil
+	}
+	return fetchIssuerCRL(c.RawIssuer, crlVerifyCrt, cfg)
+}
+
 // checkCert checks a single certificate against the CRL defined in the certificate.
 // It will fetch and verify the CRL(s) defined in the root directory specified by cfg.
 // If we can't load any authoritative CRL files, the status is RevocationUndetermined.
 // c is the certificate to check.
 // crlVerifyCrt is the group of possible certificates to verify the crl.
 func checkCert(c *x509.Certificate, crlVerifyCrt []*x509.Certificate, cfg RevocationConfig) RevocationStatus {
-	crl, err := fetchIssuerCRL(c.RawIssuer, crlVerifyCrt, cfg)
+	crl, err := fetchCRL(c, crlVerifyCrt, cfg)
 	if err != nil {
-		// We couldn't load any CRL files for the certificate, so we don't know if it's RevocationUnrevoked or not.
-		grpclogLogger.Warningf("getIssuerCRL(%v) err = %v", c.Issuer, err)
+		// We couldn't load any CRL files for the certificate, so we don't know
+		// if it's RevocationUnrevoked or not.  This is not necessarily a
+		// problem - it's not invalid to have no CRLs if you don't have any
+		// revocations for an issuer. We just return RevocationUndetermined and
+		// there is a setting for the user to control the handling of that.
+		grpclogLogger.Warningf("fetchCRL(%v) err = %v", c.Issuer, err)
 		return RevocationUndetermined
 	}
 	revocation, err := checkCertRevocation(c, crl)
@@ -277,7 +334,7 @@ func checkCert(c *x509.Certificate, crlVerifyCrt []*x509.Certificate, cfg Revoca
 	return revocation
 }
 
-func checkCertRevocation(c *x509.Certificate, crl *certificateListExt) (RevocationStatus, error) {
+func checkCertRevocation(c *x509.Certificate, crl *CRL) (RevocationStatus, error) {
 	// Per section 5.3.3 we prime the certificate issuer with the CRL issuer.
 	// Subsequent entries use the previous entry's issuer.
 	rawEntryIssuer := crl.RawIssuer
@@ -375,11 +432,11 @@ type issuingDistributionPoint struct {
 
 // parseCRLExtensions parses the extensions for a CRL
 // and checks that they're supported by the parser.
-func parseCRLExtensions(c *x509.RevocationList) (*certificateListExt, error) {
+func parseCRLExtensions(c *x509.RevocationList) (*CRL, error) {
 	if c == nil {
 		return nil, errors.New("c is nil, expected any value")
 	}
-	certList := &certificateListExt{CertList: c}
+	certList := &CRL{CertList: c}
 
 	for _, ext := range c.Extensions {
 		switch {
@@ -424,8 +481,8 @@ func parseCRLExtensions(c *x509.RevocationList) (*certificateListExt, error) {
 	return certList, nil
 }
 
-func fetchCRL(rawIssuer []byte, cfg RevocationConfig) (*certificateListExt, error) {
-	var parsedCRL *certificateListExt
+func fetchCRLOpenSSLHashDir(rawIssuer []byte, cfg RevocationConfig) (*CRL, error) {
+	var parsedCRL *CRL
 	// 6.3.3 (a) (1) (ii)
 	// According to X509_LOOKUP_hash_dir the format is issuer_hash.rN where N is an increasing number.
 	// There are no gaps, so we break when we can't find a file.
@@ -449,7 +506,7 @@ func fetchCRL(rawIssuer []byte, cfg RevocationConfig) (*certificateListExt, erro
 			// Parsing errors for a CRL shouldn't happen so fail.
 			return nil, fmt.Errorf("parseRevocationList(%v) failed: %v", crlPath, err)
 		}
-		var certList *certificateListExt
+		var certList *CRL
 		if certList, err = parseCRLExtensions(crl); err != nil {
 			grpclogLogger.Infof("fetchCRL: unsupported crl %v: %v", crlPath, err)
 			// Continue to find a supported CRL
@@ -475,7 +532,7 @@ func fetchCRL(rawIssuer []byte, cfg RevocationConfig) (*certificateListExt, erro
 	return parsedCRL, nil
 }
 
-func verifyCRL(crl *certificateListExt, rawIssuer []byte, chain []*x509.Certificate) error {
+func verifyCRL(crl *CRL, rawIssuer []byte, chain []*x509.Certificate) error {
 	// RFC5280, 6.3.3 (f) Obtain and validateate the certification path for the issuer of the complete CRL
 	// We intentionally limit our CRLs to be signed with the same certificate path as the certificate
 	// so we can use the chain from the connection.

security/advancedtls/crl_deprecated.go

@@ -83,9 +83,9 @@ func (s RevocationStatus) String() string {
 	return [...]string{"RevocationUndetermined", "RevocationUnrevoked", "RevocationRevoked"}[s]
 }
 
-// certificateListExt contains a pkix.CertificateList and parsed
+// CRL contains a pkix.CertificateList and parsed
 // extensions that aren't provided by the golang CRL parser.
-type certificateListExt struct {
+type CRL struct {
 	CertList *pkix.CertificateList
 	// RFC5280, 5.2.1, all conforming CRLs must have a AKID with the ID method.
 	AuthorityKeyID []byte
@@ -215,12 +215,12 @@ func checkChain(chain []*x509.Certificate, cfg RevocationConfig) RevocationStatu
 	return chainStatus
 }
 
-func cachedCrl(rawIssuer []byte, cache Cache) (*certificateListExt, bool) {
+func cachedCrl(rawIssuer []byte, cache Cache) (*CRL, bool) {
 	val, ok := cache.Get(hex.EncodeToString(rawIssuer))
 	if !ok {
 		return nil, false
 	}
-	crl, ok := val.(*certificateListExt)
+	crl, ok := val.(*CRL)
 	if !ok {
 		return nil, false
 	}
@@ -232,7 +232,7 @@ func cachedCrl(rawIssuer []byte, cache Cache) (*certificateListExt, bool) {
 }
 
 // fetchIssuerCRL fetches and verifies the CRL for rawIssuer from disk or cache if configured in cfg.
-func fetchIssuerCRL(rawIssuer []byte, crlVerifyCrt []*x509.Certificate, cfg RevocationConfig) (*certificateListExt, error) {
+func fetchIssuerCRL(rawIssuer []byte, crlVerifyCrt []*x509.Certificate, cfg RevocationConfig) (*CRL, error) {
 	if cfg.Cache != nil {
 		if crl, ok := cachedCrl(rawIssuer, cfg.Cache); ok {
 			return crl, nil
@@ -277,7 +277,7 @@ func checkCert(c *x509.Certificate, crlVerifyCrt []*x509.Certificate, cfg Revoca
 	return revocation
 }
 
-func checkCertRevocation(c *x509.Certificate, crl *certificateListExt) (RevocationStatus, error) {
+func checkCertRevocation(c *x509.Certificate, crl *CRL) (RevocationStatus, error) {
 	// Per section 5.3.3 we prime the certificate issuer with the CRL issuer.
 	// Subsequent entries use the previous entry's issuer.
 	rawEntryIssuer := crl.RawIssuer
@@ -375,11 +375,11 @@ type issuingDistributionPoint struct {
 
 // parseCRLExtensions parses the extensions for a CRL
 // and checks that they're supported by the parser.
-func parseCRLExtensions(c *pkix.CertificateList) (*certificateListExt, error) {
+func parseCRLExtensions(c *pkix.CertificateList) (*CRL, error) {
 	if c == nil {
 		return nil, errors.New("c is nil, expected any value")
 	}
-	certList := &certificateListExt{CertList: c}
+	certList := &CRL{CertList: c}
 
 	for _, ext := range c.TBSCertList.Extensions {
 		switch {
@@ -424,8 +424,8 @@ func parseCRLExtensions(c *pkix.CertificateList) (*certificateListExt, error) {
 	return certList, nil
 }
 
-func fetchCRL(rawIssuer []byte, cfg RevocationConfig) (*certificateListExt, error) {
-	var parsedCRL *certificateListExt
+func fetchCRL(rawIssuer []byte, cfg RevocationConfig) (*CRL, error) {
+	var parsedCRL *CRL
 	// 6.3.3 (a) (1) (ii)
 	// According to X509_LOOKUP_hash_dir the format is issuer_hash.rN where N is an increasing number.
 	// There are no gaps, so we break when we can't find a file.
@@ -449,7 +449,7 @@ func fetchCRL(rawIssuer []byte, cfg RevocationConfig) (*certificateListExt, erro
 			// Parsing errors for a CRL shouldn't happen so fail.
 			return nil, fmt.Errorf("x509.ParseCrl(%v) failed: %v", crlPath, err)
 		}
-		var certList *certificateListExt
+		var certList *CRL
 		if certList, err = parseCRLExtensions(crl); err != nil {
 			grpclogLogger.Infof("fetchCRL: unsupported crl %v: %v", crlPath, err)
 			// Continue to find a supported CRL
@@ -475,7 +475,7 @@ func fetchCRL(rawIssuer []byte, cfg RevocationConfig) (*certificateListExt, erro
 	return parsedCRL, nil
 }
 
-func verifyCRL(crl *certificateListExt, rawIssuer []byte, chain []*x509.Certificate) error {
+func verifyCRL(crl *CRL, rawIssuer []byte, chain []*x509.Certificate) error {
 	// RFC5280, 6.3.3 (f) Obtain and validateate the certification path for the issuer of the complete CRL
 	// We intentionally limit our CRLs to be signed with the same certificate path as the certificate
 	// so we can use the chain from the connection.