Add support for certification revocation list files

Signed-off-by: Hormoz Kheradmand <[email protected]>
planetscale · Oct 13, 2021 · 8e06dc7 · 8e06dc7
1 parent 6b31715
commit 8e06dc7
Show file tree

Hide file tree

Showing 28 changed files with 538 additions and 65 deletions.
diff --git a/data/test/mysql_ldap_auth_config.json b/data/test/mysql_ldap_auth_config.json
@@ -3,6 +3,7 @@
 		"LdapCert": "path/to/ldap-client-cert.pem",
 		"LdapKey": "path/to/ldap-client-key.pem",
 		"LdapCA": "path/to/ldap-client-ca.pem",
+		"LdapCRL": "path/to/ldap-client-crl.pem",
 		"User": "uid=vitessROuser,ou=users,ou=people,dc=example,dc=com",
 		"Password": "sUpErSeCuRe1",
 		"GroupQuery": "ou=groups,ou=people,dc=example,dc=com",

diff --git a/go/cmd/vttlstest/vttlstest.go b/go/cmd/vttlstest/vttlstest.go
@@ -48,7 +48,9 @@ var cmdMap map[string]cmdFunc
 func init() {
 	cmdMap = map[string]cmdFunc{
 		"CreateCA":         cmdCreateCA,
+		"CreateCRL":        cmdCreateCRL,
 		"CreateSignedCert": cmdCreateSignedCert,
+		"RevokeCert":       cmdRevokeCert,
 	}
 }
 
@@ -65,6 +67,28 @@ func cmdCreateCA(subFlags *flag.FlagSet, args []string) {
 	tlstest.CreateCA(*root)
 }
 
+func cmdCreateCRL(subFlags *flag.FlagSet, args []string) {
+	subFlags.Parse(args)
+	if subFlags.NArg() != 1 {
+		log.Fatalf("CreateCRL command takes a single CA name as a parameter")
+	}
+
+	ca := subFlags.Arg(0)
+	tlstest.CreateCRL(*root, ca)
+}
+
+func cmdRevokeCert(subFlags *flag.FlagSet, args []string) {
+	parent := subFlags.String("parent", "ca", "Parent cert name to use. Use 'ca' for the toplevel CA.")
+
+	subFlags.Parse(args)
+	if subFlags.NArg() != 1 {
+		log.Fatalf("RevokeCert command takes a single name as a parameter")
+	}
+
+	name := subFlags.Arg(0)
+	tlstest.RevokeCertAndRegenerateCRL(*root, *parent, name)
+}
+
 func cmdCreateSignedCert(subFlags *flag.FlagSet, args []string) {
 	parent := subFlags.String("parent", "ca", "Parent cert name to use. Use 'ca' for the toplevel CA.")
 	serial := subFlags.String("serial", "01", "Serial number for the certificate to create. Should be different for two certificates with the same parent.")
@@ -74,11 +98,13 @@ func cmdCreateSignedCert(subFlags *flag.FlagSet, args []string) {
 	if subFlags.NArg() != 1 {
 		log.Fatalf("CreateSignedCert command takes a single name as a parameter")
 	}
+
+	name := subFlags.Arg(0)
 	if *commonName == "" {
-		*commonName = subFlags.Arg(0)
+		*commonName = name
 	}
 
-	tlstest.CreateSignedCert(*root, *parent, *serial, subFlags.Arg(0), *commonName)
+	tlstest.CreateSignedCert(*root, *parent, *serial, name, *commonName)
 }
 
 func main() {

diff --git a/go/mysql/auth_server_clientcert_test.go b/go/mysql/auth_server_clientcert_test.go
@@ -54,12 +54,14 @@ func TestValidCert(t *testing.T) {
 	tlstest.CreateCA(root)
 	tlstest.CreateSignedCert(root, tlstest.CA, "01", "server", "server.example.com")
 	tlstest.CreateSignedCert(root, tlstest.CA, "02", "client", clientCertUsername)
+	tlstest.CreateCRL(root, tlstest.CA)
 
 	// Create the server with TLS config.
 	serverConfig, err := vttls.ServerConfig(
 		path.Join(root, "server-cert.pem"),
 		path.Join(root, "server-key.pem"),
 		path.Join(root, "ca-cert.pem"),
+		path.Join(root, "ca-crl.pem"),
 		"",
 		tls.VersionTLS12)
 	if err != nil {
@@ -136,12 +138,14 @@ func TestNoCert(t *testing.T) {
 	defer os.RemoveAll(root)
 	tlstest.CreateCA(root)
 	tlstest.CreateSignedCert(root, tlstest.CA, "01", "server", "server.example.com")
+	tlstest.CreateCRL(root, tlstest.CA)
 
 	// Create the server with TLS config.
 	serverConfig, err := vttls.ServerConfig(
 		path.Join(root, "server-cert.pem"),
 		path.Join(root, "server-key.pem"),
 		path.Join(root, "ca-cert.pem"),
+		path.Join(root, "ca-crl.pem"),
 		"",
 		tls.VersionTLS12)
 	if err != nil {

diff --git a/go/mysql/client.go b/go/mysql/client.go
@@ -282,7 +282,7 @@ func (c *Conn) clientHandshake(characterSet uint8, params *ConnParams) error {
 		}
 
 		// Build the TLS config.
-		clientConfig, err := vttls.ClientConfig(params.EffectiveSslMode(), params.SslCert, params.SslKey, params.SslCa, serverName, tlsVersion)
+		clientConfig, err := vttls.ClientConfig(params.EffectiveSslMode(), params.SslCert, params.SslKey, params.SslCa, params.SslCrl, serverName, tlsVersion)
 		if err != nil {
 			return NewSQLError(CRSSLConnectionError, SSUnknownSQLState, "error loading client cert and ca: %v", err)
 		}

diff --git a/go/mysql/client_test.go b/go/mysql/client_test.go
@@ -187,6 +187,7 @@ func TestTLSClientDisabled(t *testing.T) {
 		path.Join(root, "server-key.pem"),
 		"",
 		"",
+		"",
 		tls.VersionTLS12)
 	require.NoError(t, err)
 	l.TLSConfig.Store(serverConfig)
@@ -260,6 +261,7 @@ func TestTLSClientPreferredDefault(t *testing.T) {
 		path.Join(root, "server-key.pem"),
 		"",
 		"",
+		"",
 		tls.VersionTLS12)
 	require.NoError(t, err)
 	l.TLSConfig.Store(serverConfig)
@@ -381,6 +383,7 @@ func TestTLSClientVerifyCA(t *testing.T) {
 		path.Join(root, "server-key.pem"),
 		"",
 		"",
+		"",
 		tls.VersionTLS12)
 	require.NoError(t, err)
 	l.TLSConfig.Store(serverConfig)
@@ -465,6 +468,7 @@ func TestTLSClientVerifyIdentity(t *testing.T) {
 		path.Join(root, "server-key.pem"),
 		"",
 		"",
+		"",
 		tls.VersionTLS12)
 	require.NoError(t, err)
 	l.TLSConfig.Store(serverConfig)
@@ -511,4 +515,12 @@ func TestTLSClientVerifyIdentity(t *testing.T) {
 	if conn != nil {
 		conn.Close()
 	}
+
+	// Now revoke the server certificate and make sure we can't connect
+	tlstest.RevokeCertAndRegenerateCRL(root, tlstest.CA, "server")
+
+	params.SslCrl = path.Join(root, "ca-crl.pem")
+	_, err = Connect(context.Background(), params)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "Certificate revoked: CommonName=server.example.com")
 }
diff --git a/go/mysql/conn_params.go b/go/mysql/conn_params.go
@@ -39,6 +39,7 @@ type ConnParams struct {
 	SslCa            string        `json:"ssl_ca"`
 	SslCaPath        string        `json:"ssl_ca_path"`
 	SslCert          string        `json:"ssl_cert"`
+	SslCrl           string        `json:"ssl_crl"`
 	SslKey           string        `json:"ssl_key"`
 	TLSMinVersion    string        `json:"tls_min_version"`
 	ServerName       string        `json:"server_name"`

diff --git a/go/mysql/handshake_test.go b/go/mysql/handshake_test.go
@@ -126,6 +126,7 @@ func TestSSLConnection(t *testing.T) {
 		path.Join(root, "server-key.pem"),
 		path.Join(root, "ca-cert.pem"),
 		"",
+		"",
 		tls.VersionTLS12)
 	if err != nil {
 		t.Fatalf("TLSServerConfig failed: %v", err)

diff --git a/go/mysql/ldapauthserver/auth_server_ldap.go b/go/mysql/ldapauthserver/auth_server_ldap.go
@@ -215,6 +215,7 @@ type ServerConfig struct {
 	LdapCert          string
 	LdapKey           string
 	LdapCA            string
+	LdapCRL           string
 	LdapTLSMinVersion string
 }
 
@@ -250,7 +251,7 @@ func (lci *ClientImpl) Connect(network string, config *ServerConfig) error {
 		return err
 	}
 
-	tlsConfig, err := vttls.ClientConfig(vttls.VerifyIdentity, config.LdapCert, config.LdapKey, config.LdapCA, serverName, tlsVersion)
+	tlsConfig, err := vttls.ClientConfig(vttls.VerifyIdentity, config.LdapCert, config.LdapKey, config.LdapCA, config.LdapCRL, serverName, tlsVersion)
 	if err != nil {
 		return err
 	}

diff --git a/go/mysql/mysql_fuzzer.go b/go/mysql/mysql_fuzzer.go
@@ -357,6 +357,7 @@ func FuzzTLSServer(data []byte) int {
 		path.Join(root, "server-key.pem"),
 		path.Join(root, "ca-cert.pem"),
 		"",
+		"",
 		tls.VersionTLS12)
 	if err != nil {
 		return -1

diff --git a/go/mysql/server_test.go b/go/mysql/server_test.go
@@ -833,6 +833,7 @@ func TestTLSServer(t *testing.T) {
 		path.Join(root, "server-key.pem"),
 		path.Join(root, "ca-cert.pem"),
 		"",
+		"",
 		tls.VersionTLS12)
 	require.NoError(t, err)
 	l.TLSConfig.Store(serverConfig)
@@ -924,12 +925,16 @@ func TestTLSRequired(t *testing.T) {
 	defer os.RemoveAll(root)
 	tlstest.CreateCA(root)
 	tlstest.CreateSignedCert(root, tlstest.CA, "01", "server", "server.example.com")
+	tlstest.CreateSignedCert(root, tlstest.CA, "02", "client", "Client Cert")
+	tlstest.CreateSignedCert(root, tlstest.CA, "03", "revoked-client", "Revoked Client Cert")
+	tlstest.RevokeCertAndRegenerateCRL(root, tlstest.CA, "revoked-client")
 
 	// Create the server with TLS config.
 	serverConfig, err := vttls.ServerConfig(
 		path.Join(root, "server-cert.pem"),
 		path.Join(root, "server-key.pem"),
 		path.Join(root, "ca-cert.pem"),
+		path.Join(root, "ca-crl.pem"),
 		"",
 		tls.VersionTLS12)
 	require.NoError(t, err)
@@ -966,7 +971,6 @@ func TestTLSRequired(t *testing.T) {
 	}
 
 	// setup conn params with TLS
-	tlstest.CreateSignedCert(root, tlstest.CA, "02", "client", "Client Cert")
 	params.SslMode = vttls.VerifyIdentity
 	params.SslCa = path.Join(root, "ca-cert.pem")
 	params.SslCert = path.Join(root, "client-cert.pem")
@@ -977,6 +981,16 @@ func TestTLSRequired(t *testing.T) {
 	if conn != nil {
 		conn.Close()
 	}
+
+	// setup conn params with TLS, but with a revoked client certificate
+	params.SslCert = path.Join(root, "revoked-client-cert.pem")
+	params.SslKey = path.Join(root, "revoked-client-key.pem")
+	conn, err = Connect(context.Background(), params)
+	require.NotNil(t, err)
+	require.Contains(t, err.Error(), "remote error: tls: bad certificate")
+	if conn != nil {
+		conn.Close()
+	}
 }
 
 func TestCachingSha2PasswordAuthWithTLS(t *testing.T) {
@@ -1013,6 +1027,7 @@ func TestCachingSha2PasswordAuthWithTLS(t *testing.T) {
 		path.Join(root, "server-key.pem"),
 		path.Join(root, "ca-cert.pem"),
 		"",
+		"",
 		tls.VersionTLS12)
 	if err != nil {
 		t.Fatalf("TLSServerConfig failed: %v", err)

diff --git a/go/test/endtoend/encryption/encryptedtransport/encrypted_transport_test.go b/go/test/endtoend/encryption/encryptedtransport/encrypted_transport_test.go
@@ -374,7 +374,7 @@ func tabletConnExtraArgs(name string) []string {
 }
 
 func getVitessClient(addr string) (vtgateservicepb.VitessClient, error) {
-	opt, err := grpcclient.SecureDialOption(grpcCert, grpcKey, grpcCa, grpcName)
+	opt, err := grpcclient.SecureDialOption(grpcCert, grpcKey, grpcCa, "", grpcName)
 	if err != nil {
 		return nil, err
 	}

diff --git a/go/vt/binlog/grpcbinlogplayer/player.go b/go/vt/binlog/grpcbinlogplayer/player.go
@@ -36,6 +36,7 @@ var (
 	cert = flag.String("binlog_player_grpc_cert", "", "the cert to use to connect")
 	key  = flag.String("binlog_player_grpc_key", "", "the key to use to connect")
 	ca   = flag.String("binlog_player_grpc_ca", "", "the server ca to use to validate servers when connecting")
+	crl  = flag.String("binlog_player_grpc_crl", "", "the server crl to use to validate server certificates when connecting")
 	name = flag.String("binlog_player_grpc_server_name", "", "the server name to use to validate server certificate")
 )
 
@@ -48,7 +49,7 @@ type client struct {
 func (client *client) Dial(tablet *topodatapb.Tablet) error {
 	addr := netutil.JoinHostPort(tablet.Hostname, tablet.PortMap["grpc"])
 	var err error
-	opt, err := grpcclient.SecureDialOption(*cert, *key, *ca, *name)
+	opt, err := grpcclient.SecureDialOption(*cert, *key, *ca, *crl, *name)
 	if err != nil {
 		return err
 	}

diff --git a/go/vt/grpcclient/client.go b/go/vt/grpcclient/client.go
@@ -125,15 +125,15 @@ func interceptors() []grpc.DialOption {
 // SecureDialOption returns the gRPC dial option to use for the
 // given client connection. It is either using TLS, or Insecure if
 // nothing is set.
-func SecureDialOption(cert, key, ca, name string) (grpc.DialOption, error) {
+func SecureDialOption(cert, key, ca, crl, name string) (grpc.DialOption, error) {
 	// No security options set, just return.
 	if (cert == "" || key == "") && ca == "" {
 		return grpc.WithInsecure(), nil
 	}
 
 	// Load the config. At this point we know
 	// we want a strict config with verify identity.
-	config, err := vttls.ClientConfig(vttls.VerifyIdentity, cert, key, ca, name, tls.VersionTLS12)
+	config, err := vttls.ClientConfig(vttls.VerifyIdentity, cert, key, ca, crl, name, tls.VersionTLS12)
 	if err != nil {
 		return nil, err
 	}

diff --git a/go/vt/servenv/grpc_server.go b/go/vt/servenv/grpc_server.go
@@ -67,6 +67,9 @@ var (
 	// GRPCCA is the CA to use if TLS is enabled
 	GRPCCA = flag.String("grpc_ca", "", "server CA to use for gRPC connections, requires TLS, and enforces client certificate check")
 
+	// GRPCCRL is the CRL (Certificate Revocation List) to use if TLS is enabled
+	GRPCCRL = flag.String("grpc_crl", "", "path to a certificate revocation list in PEM format, client certificates will be further verified against this file during TLS handshake")
+
 	GRPCEnableOptionalTLS = flag.Bool("grpc_enable_optional_tls", false, "enable optional TLS mode when a server accepts both TLS and plain-text connections on the same port")
 
 	// GRPCServerCA if specified will combine server cert and server CA
@@ -133,7 +136,7 @@ func createGRPCServer() {
 
 	var opts []grpc.ServerOption
 	if GRPCPort != nil && *GRPCCert != "" && *GRPCKey != "" {
-		config, err := vttls.ServerConfig(*GRPCCert, *GRPCKey, *GRPCCA, *GRPCServerCA, tls.VersionTLS12)
+		config, err := vttls.ServerConfig(*GRPCCert, *GRPCKey, *GRPCCA, *GRPCCRL, *GRPCServerCA, tls.VersionTLS12)
 		if err != nil {
 			log.Exitf("Failed to log gRPC cert/key/ca: %v", err)
 		}

diff --git a/go/vt/throttler/grpcthrottlerclient/grpcthrottlerclient.go b/go/vt/throttler/grpcthrottlerclient/grpcthrottlerclient.go
@@ -36,6 +36,7 @@ var (
 	cert = flag.String("throttler_client_grpc_cert", "", "the cert to use to connect")
 	key  = flag.String("throttler_client_grpc_key", "", "the key to use to connect")
 	ca   = flag.String("throttler_client_grpc_ca", "", "the server ca to use to validate servers when connecting")
+	crl  = flag.String("throttler_client_grpc_crl", "", "the server crl to use to validate server certificates when connecting")
 	name = flag.String("throttler_client_grpc_server_name", "", "the server name to use to validate server certificate")
 )
 
@@ -45,7 +46,7 @@ type client struct {
 }
 
 func factory(addr string) (throttlerclient.Client, error) {
-	opt, err := grpcclient.SecureDialOption(*cert, *key, *ca, *name)
+	opt, err := grpcclient.SecureDialOption(*cert, *key, *ca, *crl, *name)
 	if err != nil {
 		return nil, err
 	}