WIP: client certificate revocation checking support. #323
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Previously only the `tests/server.c` code needed to load a `rustls_certified_key` (for the server cert/keypair). In a subsequent commit the `tests/client.c` code will need to do the same for optionally providing a `rustls_certified_key` for client certificate authentication. In preparation, this commit lifts the `read_file` and `load_cert_and_key` helper functions from `tests/server.c` into `tests/common.c` (updating `tests/common.h` to match) where both client and server test programs can use the shared code.
This commit updates `tests/client.c` to allow setting two new env vars, `AUTH_CERT` and `AUTH_KEY`. If neither are set, the program works as it did before: no client certificate is sent for mTLS. If one but not both of these env vars are set, the program will error: they must both be provided. If both are set, the `AUTH_CERT` and `AUTH_KEY` files are loaded into a `rustls_certified_key` and the built `rustls_client_config` will be configured to offer client certificate authentication with the server using the cert/key pair.
This commit updates the `tests/server.c` program so that if an `AUTH_CERT` env var is provided the server will be configured to require clients provide a client certificate issued that chains to the `AUTH_CERT` certificate authority. If no `AUTH_CERT` env var is set the server works as it did before, ignoring client certificate authentication.
Tests that: * A client w/ AUTH_KEY + AUTH_CERT can connect to a server that doesn't require mTLS without error. * A client w/ AUTH_KEY + AUTH_CERT can connect to a server that requires mTLS without error. * A client w/o AUTH_KEY + AUTH_CERT errors when connecting to a server that requires mTLS.
Updates `pemfile` from 0.2.1 to 1.0.3 to pick up support for reading DER encoded CRLs from .pem files. Updates webpki to use tip of main, picking up unreleased CRL support. Updates rustls to use a fork/branch that adds WIP CRL support.
The upstream Rustls project has dropped the minimal SCT support it offered. This commit tracks that change in rustls-ffi, removing the dep on the `sct` crate and removing related features.
In order to support adding CRLs to a constructed `rustls_client_cert_verifier` or `rustls_client_cert_verifier_optional` we need to change the constructor return type from `*const` to `*mut`. Corresponding destructors are updated as well.
This commit updates the `rustls_client_cert_verifier` and `rustls_client_cert_verifier_optional` API surface to include a function for loading CRLs from a PEM file.
This commit updates the `tests/server.c` example program to support reading one or more CRLs from a single PEM encoded CRL file, provided via `AUTH_CRL`. This option is only processed when the server is performing mandatory client authentication (e.g. `AUTH_CERT` was provided).
This commit adds a simple test CRL (`testdata/test.crl.pem`) that lists the `testdata/localhost/cert.pem` certificate as revoked, but _not_ the `testdata/example.com/cert.pem` certificate. The `client-server.py` integration test driver is then updated with a suite that will start the server binary in a mode that requires mTLS, and that loads the test crl. Two connection attempts are made with the client binary: one using the `example.com` client cert that isn't expected to error, and one using the `localhost` client cert that _is_ expected to error (since it's revoked).
cpu
commented
Jul 3, 2023
| type RustType = AllowAnyAuthenticatedClient; | ||
| } | ||
|
|
||
| impl BoxCastPtr for rustls_client_cert_verifier {} | ||
| impl ArcCastPtr for rustls_client_cert_verifier {} |
There was a problem hiding this comment.
I'm a little bit skeptical these cahnges to the *Ptr traits for the verifiers are correct. Earmarked to dig into the associated macros for closer study.
In particular: worried the change from Arc -> Box on the constructor side will interact poorly with multiple handles to a verifier being used to add CRLs, then being turned back to Arc to give to Webpki 🤔
|
Going to close this WIP and replace it with a new one. We ended up dropping the |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Note to reviews: this is a draft, it builds on yet-to-be-merged work. Notably, #321.
Content new to this branch begins at be8730c
I would recommend holding off reviewing this PR while the upstream Rustls portion is still in-flux.
TODO:
rustls_result.mainbranch of Rustls.chore: ignore clion/jetbrains dir, venv dir.
deps: update pemfile, use unreleased Rustls, webpki.
Updates
pemfilefrom 0.2.1 to 1.0.3 to pick up support for reading DERencoded CRLs from .pem files.
Updates webpki to use tip of main, picking up unreleased CRL support.
Updates rustls to use a fork/branch that adds WIP CRL support.
tidy: remove usage of removed upstream SCT features.
The upstream Rustls project has dropped the minimal SCT support it offered. This commit tracks that change in rustls-ffi, removing the dep on the
sctcrate and removing related features.cipher: switch client cert verifiers to mutable ptrs.
In order to support adding CRLs to a constructed
rustls_client_cert_verifierorrustls_client_cert_verifier_optionalwe need to change the constructor return type from*constto*mut. Corresponding destructors are updated as well.cipher: add client verifier CRL pem fns.
This commit updates the
rustls_client_cert_verifierandrustls_client_cert_verifier_optionalAPI surface to include a function for loading CRLs from a PEM file.server: support reading CRL PEM for client auth.
This commit updates the
tests/server.cexample program to support reading one or more CRLs from a single PEM encoded CRL file, provided viaAUTH_CRL. This option is only processed when the server is performing mandatory client authentication (e.g.AUTH_CERTwas provided).tests: add CRL mTLS test.
This commit adds a simple test CRL (
testdata/test.crl.pem) that lists thetestdata/localhost/cert.pemcertificate as revoked, but not thetestdata/example.com/cert.pemcertificate.The
client-server.pyintegration test driver is then updated with a suite that will start the server binary in a mode that requires mTLS, and that loads the test crl. Two connection attempts are made with the client binary: one using theexample.comclient cert that isn't expected to error, and one using thelocalhostclient cert that is expected to error (since it's revoked).