Skip to content

Commit 1c1988f

Browse files
erm-germ-g
committed
Address PR comments
1 parent f8aa79f commit 1c1988f

File tree

7 files changed

+31
-25
lines changed

7 files changed

+31
-25
lines changed

security/advancedtls/advancedtls_test.go

Lines changed: 10 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -381,7 +381,7 @@ func (s) TestClientServerHandshake(t *testing.T) {
381381
return &GetRootCAsResults{TrustCerts: cs.ServerTrust3}, nil
382382
}
383383

384-
makeStaticCRLProvider := func(crlPath string, allowUndetermined bool) *RevocationConfig {
384+
makeStaticCRLRevocationConfig := func(crlPath string, allowUndetermined bool) *RevocationConfig {
385385
rawCRL, err := os.ReadFile(crlPath)
386386
if err != nil {
387387
t.Fatalf("readFile(%v) failed err = %v", crlPath, err)
@@ -731,13 +731,13 @@ func (s) TestClientServerHandshake(t *testing.T) {
731731
// Expected Behavior: success, because none of the certificate chains sent in the connection are revoked
732732
{
733733
desc: "Client sets peer cert, reload root function with verifyFuncGood; Server sets peer cert, reload root function; Client uses CRL; mutualTLS",
734-
clientCert: []tls.Certificate{cs.ClientCert3},
734+
clientCert: []tls.Certificate{cs.ClientCertForCRL},
735735
clientGetRoot: getRootCAsForClientCRL,
736736
clientVerifyFunc: clientVerifyFuncGood,
737737
clientVType: CertVerification,
738-
clientRevocationConfig: makeStaticCRLProvider(testdata.Path("crl/provider_crl_empty.pem"), true),
738+
clientRevocationConfig: makeStaticCRLRevocationConfig(testdata.Path("crl/provider_crl_empty.pem"), true),
739739
serverMutualTLS: true,
740-
serverCert: []tls.Certificate{cs.ServerCert3},
740+
serverCert: []tls.Certificate{cs.ServerCertForCRL},
741741
serverGetRoot: getRootCAsForServerCRL,
742742
serverVType: CertVerification,
743743
},
@@ -746,13 +746,13 @@ func (s) TestClientServerHandshake(t *testing.T) {
746746
// Expected Behavior: fail, server creds are revoked
747747
{
748748
desc: "Client sets peer cert, reload root function with verifyFuncGood; Server sets revoked cert; Client uses CRL; mutualTLS",
749-
clientCert: []tls.Certificate{cs.ClientCert3},
749+
clientCert: []tls.Certificate{cs.ClientCertForCRL},
750750
clientGetRoot: getRootCAsForClientCRL,
751751
clientVerifyFunc: clientVerifyFuncGood,
752752
clientVType: CertVerification,
753-
clientRevocationConfig: makeStaticCRLProvider(testdata.Path("crl/provider_crl_server_revoked.pem"), true),
753+
clientRevocationConfig: makeStaticCRLRevocationConfig(testdata.Path("crl/provider_crl_server_revoked.pem"), true),
754754
serverMutualTLS: true,
755-
serverCert: []tls.Certificate{cs.ServerCert3},
755+
serverCert: []tls.Certificate{cs.ServerCertForCRL},
756756
serverGetRoot: getRootCAsForServerCRL,
757757
serverVType: CertVerification,
758758
serverExpectError: true,
@@ -763,13 +763,13 @@ func (s) TestClientServerHandshake(t *testing.T) {
763763
// can't be properly processed, and we don't allow RevocationUndetermined.
764764
{
765765
desc: "Client sets peer cert, reload root function with verifyFuncGood; Server sets peer cert, reload root function; Client uses CRL; mutualTLS",
766-
clientCert: []tls.Certificate{cs.ClientCert3},
766+
clientCert: []tls.Certificate{cs.ClientCertForCRL},
767767
clientGetRoot: getRootCAsForClientCRL,
768768
clientVerifyFunc: clientVerifyFuncGood,
769769
clientVType: CertVerification,
770-
clientRevocationConfig: makeStaticCRLProvider(testdata.Path("crl/provider_malicious_crl_empty.pem"), false),
770+
clientRevocationConfig: makeStaticCRLRevocationConfig(testdata.Path("crl/provider_malicious_crl_empty.pem"), false),
771771
serverMutualTLS: true,
772-
serverCert: []tls.Certificate{cs.ServerCert3},
772+
serverCert: []tls.Certificate{cs.ServerCertForCRL},
773773
serverGetRoot: getRootCAsForServerCRL,
774774
serverVType: CertVerification,
775775
serverExpectError: true,

security/advancedtls/crl.go

Lines changed: 6 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -313,8 +313,9 @@ func fetchCRL(c *x509.Certificate, crlVerifyCrt []*x509.Certificate, cfg Revocat
313313

314314
// checkCert checks a single certificate against the CRL defined in the
315315
// certificate. It will fetch and verify the CRL(s) defined in the root
316-
// directory (or a CRLProvider) specified by cfg. If we can't load any valid
317-
// authoritative CRL files, the status is RevocationUndetermined.
316+
// directory (or a CRLProvider) specified by cfg. If we can't load (and verify -
317+
// see verifyCRL) any valid authoritative CRL files, the status is
318+
// RevocationUndetermined.
318319
// c is the certificate to check.
319320
// crlVerifyCrt is the group of possible certificates to verify the crl.
320321
func checkCert(c *x509.Certificate, crlVerifyCrt []*x509.Certificate, cfg RevocationConfig) RevocationStatus {
@@ -323,8 +324,8 @@ func checkCert(c *x509.Certificate, crlVerifyCrt []*x509.Certificate, cfg Revoca
323324
// We couldn't load any valid CRL files for the certificate, so we don't
324325
// know if it's RevocationUnrevoked or not. This is not necessarily a
325326
// problem - it's not invalid to have no CRLs if you don't have any
326-
// revocations for an issuer. It also might be an indication of CRL file to
327-
// be invalid.
327+
// revocations for an issuer. It also might be an indication that the CRL
328+
// file to is invalid.
328329
// We just return RevocationUndetermined and there is a setting for the user
329330
// to control the handling of that.
330331
grpclogLogger.Warningf("fetchCRL() err = %v", err)
@@ -555,7 +556,7 @@ func verifyCRL(crl *CRL, rawIssuer []byte, chain []*x509.Certificate) error {
555556
if bytes.Equal(c.SubjectKeyId, crl.authorityKeyID) && bytes.Equal(c.RawSubject, crl.rawIssuer) {
556557
// RFC5280, 6.3.3 (f) Key usage and cRLSign bit.
557558
if c.KeyUsage != 0 && c.KeyUsage&x509.KeyUsageCRLSign == 0 {
558-
return fmt.Errorf("verifyCRL: The trust anchor can't be used for issuing CRLs")
559+
return fmt.Errorf("verifyCRL: The certificate can't be used for issuing CRLs")
559560
}
560561
// RFC5280, 6.3.3 (g) Validate signature.
561562
return crl.certList.CheckSignatureFrom(c)

security/advancedtls/crl_test.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -509,7 +509,7 @@ func TestVerifyCrl(t *testing.T) {
509509
crl: loadCRL(t, testdata.Path("crl/provider_malicious_crl_empty.pem")),
510510
certs: makeChain(t, testdata.Path("crl/provider_malicious_client_trust_cert.pem")),
511511
cert: makeChain(t, testdata.Path("crl/provider_malicious_client_trust_cert.pem"))[0],
512-
errWant: "trust anchor can't be used",
512+
errWant: "certificate can't be used",
513513
},
514514
}
515515

security/advancedtls/internal/testutils/testutils.go

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -35,18 +35,18 @@ type CertStore struct {
3535
// ClientCert2 is the certificate sent by client to prove its identity.
3636
// It is trusted by ServerTrust2.
3737
ClientCert2 tls.Certificate
38-
// ClientCert3 is the certificate sent by client to prove its identity.
38+
// ClientCertForCRL is the certificate sent by client to prove its identity.
3939
// It is trusted by ServerTrust3. Used in CRL tests
40-
ClientCert3 tls.Certificate
40+
ClientCertForCRL tls.Certificate
4141
// ServerCert1 is the certificate sent by server to prove its identity.
4242
// It is trusted by ClientTrust1.
4343
ServerCert1 tls.Certificate
4444
// ServerCert2 is the certificate sent by server to prove its identity.
4545
// It is trusted by ClientTrust2.
4646
ServerCert2 tls.Certificate
47-
// ServerCert3 is a revoked certificate
48-
// (this info is stored in crl_server_revoked.pem).
49-
ServerCert3 tls.Certificate
47+
// ServerCertForCRL is a revoked certificate
48+
// (this info is stored in provider_crl_server_revoked.pem).
49+
ServerCertForCRL tls.Certificate
5050
// ServerPeer3 is the certificate sent by server to prove its identity.
5151
ServerPeer3 tls.Certificate
5252
// ServerPeerLocalhost1 is the certificate sent by server to prove its
@@ -89,7 +89,7 @@ func (cs *CertStore) LoadCerts() error {
8989
if cs.ClientCert2, err = tls.LoadX509KeyPair(testdata.Path("client_cert_2.pem"), testdata.Path("client_key_2.pem")); err != nil {
9090
return err
9191
}
92-
if cs.ClientCert3, err = tls.LoadX509KeyPair(testdata.Path("crl/provider_client_cert.pem"), testdata.Path("crl/provider_client_cert.key")); err != nil {
92+
if cs.ClientCertForCRL, err = tls.LoadX509KeyPair(testdata.Path("crl/provider_client_cert.pem"), testdata.Path("crl/provider_client_cert.key")); err != nil {
9393
return err
9494
}
9595
if cs.ServerCert1, err = tls.LoadX509KeyPair(testdata.Path("server_cert_1.pem"), testdata.Path("server_key_1.pem")); err != nil {
@@ -98,7 +98,7 @@ func (cs *CertStore) LoadCerts() error {
9898
if cs.ServerCert2, err = tls.LoadX509KeyPair(testdata.Path("server_cert_2.pem"), testdata.Path("server_key_2.pem")); err != nil {
9999
return err
100100
}
101-
if cs.ServerCert3, err = tls.LoadX509KeyPair(testdata.Path("crl/provider_server_cert.pem"), testdata.Path("crl/provider_server_cert.key")); err != nil {
101+
if cs.ServerCertForCRL, err = tls.LoadX509KeyPair(testdata.Path("crl/provider_server_cert.pem"), testdata.Path("crl/provider_server_cert.key")); err != nil {
102102
return err
103103
}
104104
if cs.ServerPeer3, err = tls.LoadX509KeyPair(testdata.Path("server_cert_3.pem"), testdata.Path("server_key_3.pem")); err != nil {

security/advancedtls/testdata/crl/README.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -121,7 +121,9 @@ $ openssl ca -revoke provider_server_cert.pem -keyfile provider_client_trust_key
121121
$ openssl ca -gencrl -keyfile provider_client_trust_key.pem -cert provider_client_trust_cert.pem -out provider_crl_server_revoked.pem -config provider_crl.cnf
122122
```
123123

124-
The commands to generate CRL file by 'malicious' CA are below.
124+
The commands to generate CRL file by 'malicious' CA are below. Note that we use
125+
Subject Key Identifier from previously generated provider_client_trust_cert.pem
126+
to generate malicious certs / CRL.
125127
```
126128
$ openssl genrsa -out provider_malicious_client_trust_key.pem 4096
127129
$ SKI=$(openssl x509 -in provider_client_trust_cert.pem -noout -text | awk '/Subject Key Identifier/ {getline; print $1;}')

security/advancedtls/testdata/crl/provider_create.sh

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -103,4 +103,7 @@ openssl ca -gencrl \
103103
-out provider_malicious_crl_empty.pem \
104104
-config provider_crl.cnf
105105

106+
sed -i "s/subjectKeyIdentifier = .*/subjectKeyIdentifier = hash/g" \
107+
provider_extensions.conf
108+
106109
rm *.csr

security/advancedtls/testdata/crl/provider_extensions.conf

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
[extensions]
2-
subjectKeyIdentifier = 54:1B:29:00:6E:3C:B1:54:68:75:C2:F8:26:90:BB:46:D5:70:45:E9
2+
subjectKeyIdentifier = hash
33
authorityKeyIdentifier = keyid,issuer
44
basicConstraints = CA:FALSE
55
keyUsage = digitalSignature, keyEncipherment

0 commit comments

Comments
 (0)