grpc
/
grpc-go
mirror of https://github.com/grpc/grpc-go.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

advancedTLS: Rename get root certs related pieces (#7207)

This commit is contained in:
Gregory Cooke 2024-05-08 10:59:33 -04:00 committed by GitHub
parent f591e3b82f
commit c76f686c51
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 152 additions and 100 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

111
security/advancedtls/advancedtls.go
View File

@ -87,31 +87,52 @@ type PostHandshakeVerificationFunc func(params *HandshakeVerificationInfo) (*Pos
// Deprecated: use PostHandshakeVerificationFunc instead.
type CustomVerificationFunc = PostHandshakeVerificationFunc
// ConnectionInfo contains the parameters available to users when
// implementing GetRootCertificates.
type ConnectionInfo struct {
// RawConn is the raw net.Conn representing a connection.
RawConn net.Conn
// RawCerts is the byte representation of the presented peer cert chain.
RawCerts [][]byte
}
// GetRootCAsParams contains the parameters available to users when
// implementing GetRootCAs.
type GetRootCAsParams struct {
RawConn net.Conn
RawCerts [][]byte
//
// Deprecated: use ConnectionInfo instead.
type GetRootCAsParams = ConnectionInfo
// RootCertificates is the result of GetRootCertificates.
// If users want to reload the root trust certificate, it is required to return
// the proper TrustCerts in GetRootCAs.
type RootCertificates struct {
// TrustCerts is the pool of trusted certificates.
TrustCerts *x509.CertPool
}
// GetRootCAsResults contains the results of GetRootCAs.
// If users want to reload the root trust certificate, it is required to return
// the proper TrustCerts in GetRootCAs.
type GetRootCAsResults struct {
TrustCerts *x509.CertPool
}
//
// Deprecated: use RootCertificates instead.
type GetRootCAsResults = RootCertificates
// RootCertificateOptions contains options to obtain root trust certificates
// for both the client and the server.
// At most one option could be set. If none of them are set, we
// use the system default trust certificates.
type RootCertificateOptions struct {
// If RootCertificates is set, it will be used every time when verifying
// the peer certificates, without performing root certificate reloading.
RootCertificates *x509.CertPool
// If RootCACerts is set, it will be used every time when verifying
// the peer certificates, without performing root certificate reloading.
//
// Deprecated: use RootCertificates instead.
RootCACerts *x509.CertPool
// If GetRootCertificates is set, it will be invoked to obtain root certs for
// every new connection.
GetRootCertificates func(params *GetRootCAsParams) (*GetRootCAsResults, error)
GetRootCertificates func(params *ConnectionInfo) (*RootCertificates, error)
// If RootProvider is set, we will use the root certs from the Provider's
// KeyMaterial() call in the new connections. The Provider must have initial
// credentials if specified. Otherwise, KeyMaterial() will block forever.
@ -277,6 +298,12 @@ func (o *Options) clientConfig() (*tls.Config, error) {
if o.MaxTLSVersion == 0 {
o.MaxTLSVersion = o.MaxVersion
}
// TODO(gtcooke94) RootCACerts is deprecated, eventually remove this block.
// This will ensure that users still explicitly setting RootCACerts will get
// the setting int the right place.
if o.RootOptions.RootCACerts != nil {
o.RootOptions.RootCertificates = o.RootOptions.RootCACerts
}
if o.VerificationType == SkipVerification && o.AdditionalPeerVerification == nil {
return nil, fmt.Errorf("client needs to provide custom verification mechanism if choose to skip default verification")
}
@ -312,19 +339,19 @@ func (o *Options) clientConfig() (*tls.Config, error) {
}
// Propagate root-certificate-related fields in tls.Config.
switch {
case o.RootOptions.RootCACerts != nil:
config.RootCAs = o.RootOptions.RootCACerts
case o.RootOptions.RootCertificates != nil:
config.RootCAs = o.RootOptions.RootCertificates
case o.RootOptions.GetRootCertificates != nil:
// In cases when users provide GetRootCertificates callback, since this
// callback is not contained in tls.Config, we have nothing to set here.
// We will invoke the callback in ClientHandshake.
case o.RootOptions.RootProvider != nil:
o.RootOptions.GetRootCertificates = func(*GetRootCAsParams) (*GetRootCAsResults, error) {
o.RootOptions.GetRootCertificates = func(*ConnectionInfo) (*RootCertificates, error) {
km, err := o.RootOptions.RootProvider.KeyMaterial(context.Background())
if err != nil {
return nil, err
}
return &GetRootCAsResults{TrustCerts: km.Roots}, nil
return &RootCertificates{TrustCerts: km.Roots}, nil
}
default:
// No root certificate options specified by user. Use the certificates
@ -381,6 +408,12 @@ func (o *Options) serverConfig() (*tls.Config, error) {
if o.MaxTLSVersion == 0 {
o.MaxTLSVersion = o.MaxVersion
}
// TODO(gtcooke94) RootCACerts is deprecated, eventually remove this block.
// This will ensure that users still explicitly setting RootCACerts will get
// the setting int the right place.
if o.RootOptions.RootCACerts != nil {
o.RootOptions.RootCertificates = o.RootOptions.RootCACerts
}
if o.RequireClientCert && o.VerificationType == SkipVerification && o.AdditionalPeerVerification == nil {
return nil, fmt.Errorf("server needs to provide custom verification mechanism if choose to skip default verification, but require client certificate(s)")
}
@ -420,19 +453,19 @@ func (o *Options) serverConfig() (*tls.Config, error) {
}
// Propagate root-certificate-related fields in tls.Config.
switch {
case o.RootOptions.RootCACerts != nil:
config.ClientCAs = o.RootOptions.RootCACerts
case o.RootOptions.RootCertificates != nil:
config.ClientCAs = o.RootOptions.RootCertificates
case o.RootOptions.GetRootCertificates != nil:
// In cases when users provide GetRootCertificates callback, since this
// callback is not contained in tls.Config, we have nothing to set here.
// We will invoke the callback in ServerHandshake.
case o.RootOptions.RootProvider != nil:
o.RootOptions.GetRootCertificates = func(*GetRootCAsParams) (*GetRootCAsResults, error) {
o.RootOptions.GetRootCertificates = func(*ConnectionInfo) (*RootCertificates, error) {
km, err := o.RootOptions.RootProvider.KeyMaterial(context.Background())
if err != nil {
return nil, err
}
return &GetRootCAsResults{TrustCerts: km.Roots}, nil
return &RootCertificates{TrustCerts: km.Roots}, nil
}
default:
// No root certificate options specified by user. Use the certificates
@ -477,12 +510,12 @@ func (o *Options) serverConfig() (*tls.Config, error) {
// advancedTLSCreds is the credentials required for authenticating a connection
// using TLS.
type advancedTLSCreds struct {
config *tls.Config
verifyFunc PostHandshakeVerificationFunc
getRootCAs func(params *GetRootCAsParams) (*GetRootCAsResults, error)
isClient bool
revocationOptions *RevocationOptions
verificationType VerificationType
config *tls.Config
verifyFunc PostHandshakeVerificationFunc
getRootCertificates func(params *ConnectionInfo) (*RootCertificates, error)
isClient bool
revocationOptions *RevocationOptions
verificationType VerificationType
}
func (c advancedTLSCreds) Info() credentials.ProtocolInfo {
@ -548,10 +581,10 @@ func (c *advancedTLSCreds) ServerHandshake(rawConn net.Conn) (net.Conn, credenti
func (c *advancedTLSCreds) Clone() credentials.TransportCredentials {
return &advancedTLSCreds{
config: credinternal.CloneTLSConfig(c.config),
verifyFunc: c.verifyFunc,
getRootCAs: c.getRootCAs,
isClient: c.isClient,
config: credinternal.CloneTLSConfig(c.config),
verifyFunc: c.verifyFunc,
getRootCertificates: c.getRootCertificates,
isClient: c.isClient,
}
}
@ -588,8 +621,8 @@ func buildVerifyFunc(c *advancedTLSCreds,
rootCAs = c.config.ClientCAs
}
// Reload root CA certs.
if rootCAs == nil && c.getRootCAs != nil {
results, err := c.getRootCAs(&GetRootCAsParams{
if rootCAs == nil && c.getRootCertificates != nil {
results, err := c.getRootCertificates(&ConnectionInfo{
RawConn: rawConn,
RawCerts: rawCerts,
})
@ -661,12 +694,12 @@ func NewClientCreds(o *Options) (credentials.TransportCredentials, error) {
return nil, err
}
tc := &advancedTLSCreds{
config: conf,
isClient: true,
getRootCAs: o.RootOptions.GetRootCertificates,
verifyFunc: o.AdditionalPeerVerification,
revocationOptions: o.RevocationOptions,
verificationType: o.VerificationType,
config: conf,
isClient: true,
getRootCertificates: o.RootOptions.GetRootCertificates,
verifyFunc: o.AdditionalPeerVerification,
revocationOptions: o.RevocationOptions,
verificationType: o.VerificationType,
}
tc.config.NextProtos = credinternal.AppendH2ToNextProtos(tc.config.NextProtos)
return tc, nil
@ -680,12 +713,12 @@ func NewServerCreds(o *Options) (credentials.TransportCredentials, error) {
return nil, err
}
tc := &advancedTLSCreds{
config: conf,
isClient: false,
getRootCAs: o.RootOptions.GetRootCertificates,
verifyFunc: o.AdditionalPeerVerification,
revocationOptions: o.RevocationOptions,
verificationType: o.VerificationType,
config: conf,
isClient: false,
getRootCertificates: o.RootOptions.GetRootCertificates,
verifyFunc: o.AdditionalPeerVerification,
revocationOptions: o.RevocationOptions,
verificationType: o.VerificationType,
}
tc.config.NextProtos = credinternal.AppendH2ToNextProtos(tc.config.NextProtos)
return tc, nil

30
security/advancedtls/advancedtls_integration_test.go
View File

@ -142,13 +142,13 @@ func (s) TestEnd2End(t *testing.T) {
clientCert []tls.Certificate
clientGetCert func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
clientRoot *x509.CertPool
clientGetRoot func(params *GetRootCAsParams) (*GetRootCAsResults, error)
clientGetRoot func(params *ConnectionInfo) (*RootCertificates, error)
clientVerifyFunc PostHandshakeVerificationFunc
clientVerificationType VerificationType
serverCert []tls.Certificate
serverGetCert func(*tls.ClientHelloInfo) ([]*tls.Certificate, error)
serverRoot *x509.CertPool
serverGetRoot func(params *GetRootCAsParams) (*GetRootCAsResults, error)
serverGetRoot func(params *ConnectionInfo) (*RootCertificates, error)
serverVerifyFunc PostHandshakeVerificationFunc
serverVerificationType VerificationType
}{
@ -180,12 +180,12 @@ func (s) TestEnd2End(t *testing.T) {
},
clientVerificationType: CertVerification,
serverCert: []tls.Certificate{cs.ServerCert1},
serverGetRoot: func(params *GetRootCAsParams) (*GetRootCAsResults, error) {
serverGetRoot: func(params *ConnectionInfo) (*RootCertificates, error) {
switch stage.read() {
case 0, 1:
return &GetRootCAsResults{TrustCerts: cs.ServerTrust1}, nil
return &RootCertificates{TrustCerts: cs.ServerTrust1}, nil
default:
return &GetRootCAsResults{TrustCerts: cs.ServerTrust2}, nil
return &RootCertificates{TrustCerts: cs.ServerTrust2}, nil
}
},
serverVerifyFunc: func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) {
@ -208,12 +208,12 @@ func (s) TestEnd2End(t *testing.T) {
{
desc: "test the reloading feature for server identity callback and client trust callback",
clientCert: []tls.Certificate{cs.ClientCert1},
clientGetRoot: func(params *GetRootCAsParams) (*GetRootCAsResults, error) {
clientGetRoot: func(params *ConnectionInfo) (*RootCertificates, error) {
switch stage.read() {
case 0, 1:
return &GetRootCAsResults{TrustCerts: cs.ClientTrust1}, nil
return &RootCertificates{TrustCerts: cs.ClientTrust1}, nil
default:
return &GetRootCAsResults{TrustCerts: cs.ClientTrust2}, nil
return &RootCertificates{TrustCerts: cs.ClientTrust2}, nil
}
},
clientVerifyFunc: func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) {
@ -250,12 +250,12 @@ func (s) TestEnd2End(t *testing.T) {
{
desc: "test client custom verification",
clientCert: []tls.Certificate{cs.ClientCert1},
clientGetRoot: func(params *GetRootCAsParams) (*GetRootCAsResults, error) {
clientGetRoot: func(params *ConnectionInfo) (*RootCertificates, error) {
switch stage.read() {
case 0:
return &GetRootCAsResults{TrustCerts: cs.ClientTrust1}, nil
return &RootCertificates{TrustCerts: cs.ClientTrust1}, nil
default:
return &GetRootCAsResults{TrustCerts: cs.ClientTrust2}, nil
return &RootCertificates{TrustCerts: cs.ClientTrust2}, nil
}
},
clientVerifyFunc: func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) {
@ -342,7 +342,7 @@ func (s) TestEnd2End(t *testing.T) {
GetIdentityCertificatesForServer: test.serverGetCert,
},
RootOptions: RootCertificateOptions{
RootCACerts: test.serverRoot,
RootCertificates: test.serverRoot,
GetRootCertificates: test.serverGetRoot,
},
RequireClientCert: true,
@ -370,7 +370,7 @@ func (s) TestEnd2End(t *testing.T) {
},
AdditionalPeerVerification: test.clientVerifyFunc,
RootOptions: RootCertificateOptions{
RootCACerts: test.clientRoot,
RootCertificates: test.clientRoot,
GetRootCertificates: test.clientGetRoot,
},
VerificationType: test.clientVerificationType,
@ -787,7 +787,7 @@ func (s) TestDefaultHostNameCheck(t *testing.T) {
go s.Serve(lis)
clientOptions := &Options{
RootOptions: RootCertificateOptions{
RootCACerts: test.clientRoot,
RootCertificates: test.clientRoot,
},
VerificationType: test.clientVerificationType,
}
@ -927,7 +927,7 @@ func (s) TestTLSVersions(t *testing.T) {
go s.Serve(lis)
clientOptions := &Options{
RootOptions: RootCertificateOptions{
RootCACerts: cs.ClientTrust1,
RootCertificates: cs.ClientTrust1,
},
VerificationType: CertAndHostVerification,
MinTLSVersion: test.clientMinVersion,

111
security/advancedtls/advancedtls_test.go
View File

@ -103,8 +103,8 @@ func (s) TestClientOptionsConfigErrorCases(t *testing.T) {
desc: "More than one fields in RootCertificateOptions is specified",
clientVerificationType: CertVerification,
RootOptions: RootCertificateOptions{
RootCACerts: x509.NewCertPool(),
RootProvider: fakeProvider{},
RootCertificates: x509.NewCertPool(),
RootProvider: fakeProvider{},
},
},
{
@ -205,7 +205,7 @@ func (s) TestClientOptionsConfigSuccessCases(t *testing.T) {
}
// Verify that the system-provided certificates would be used
// when no verification method was set in clientOptions.
if clientOptions.RootOptions.RootCACerts == nil &&
if clientOptions.RootOptions.RootCertificates == nil &&
clientOptions.RootOptions.GetRootCertificates == nil && clientOptions.RootOptions.RootProvider == nil {
if clientConfig.RootCAs == nil {
t.Fatalf("Failed to assign system-provided certificates on the client side.")
@ -253,8 +253,8 @@ func (s) TestServerOptionsConfigErrorCases(t *testing.T) {
requireClientCert: true,
serverVerificationType: CertVerification,
RootOptions: RootCertificateOptions{
RootCACerts: x509.NewCertPool(),
GetRootCertificates: func(*GetRootCAsParams) (*GetRootCAsResults, error) {
RootCertificates: x509.NewCertPool(),
GetRootCertificates: func(*ConnectionInfo) (*RootCertificates, error) {
return nil, nil
},
},
@ -369,7 +369,7 @@ func (s) TestServerOptionsConfigSuccessCases(t *testing.T) {
}
// Verify that the system-provided certificates would be used
// when no verification method was set in serverOptions.
if serverOptions.RootOptions.RootCACerts == nil &&
if serverOptions.RootOptions.RootCertificates == nil &&
serverOptions.RootOptions.GetRootCertificates == nil && serverOptions.RootOptions.RootProvider == nil {
if serverConfig.ClientCAs == nil {
t.Fatalf("Failed to assign system-provided certificates on the server side.")
@ -384,9 +384,14 @@ func (s) TestClientServerHandshake(t *testing.T) {
if err := cs.LoadCerts(); err != nil {
t.Fatalf("cs.LoadCerts() failed, err: %v", err)
}
getRootCAsForClient := func(params *GetRootCAsParams) (*GetRootCAsResults, error) {
getRootCertificatesForClient := func(params *ConnectionInfo) (*RootCertificates, error) {
return &RootCertificates{TrustCerts: cs.ClientTrust1}, nil
}
getRootCertificatesForClientDeprecatedTypes := func(params *GetRootCAsParams) (*GetRootCAsResults, error) {
return &GetRootCAsResults{TrustCerts: cs.ClientTrust1}, nil
}
clientVerifyFuncGood := func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) {
if params.ServerName == "" {
return nil, errors.New("client side server name should have a value")
@ -401,8 +406,8 @@ func (s) TestClientServerHandshake(t *testing.T) {
verifyFuncBad := func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) {
return nil, fmt.Errorf("custom verification function failed")
}
getRootCAsForServer := func(params *GetRootCAsParams) (*GetRootCAsResults, error) {
return &GetRootCAsResults{TrustCerts: cs.ServerTrust1}, nil
getRootCertificatesForServer := func(params *ConnectionInfo) (*RootCertificates, error) {
return &RootCertificates{TrustCerts: cs.ServerTrust1}, nil
}
serverVerifyFunc := func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) {
if params.ServerName != "" {
@ -415,16 +420,16 @@ func (s) TestClientServerHandshake(t *testing.T) {
return &PostHandshakeVerificationResults{}, nil
}
getRootCAsForServerBad := func(params *GetRootCAsParams) (*GetRootCAsResults, error) {
getRootCertificatesForServerBad := func(params *ConnectionInfo) (*RootCertificates, error) {
return nil, fmt.Errorf("bad root certificate reloading")
}
getRootCAsForClientCRL := func(params *GetRootCAsParams) (*GetRootCAsResults, error) {
return &GetRootCAsResults{TrustCerts: cs.ClientTrust3}, nil
getRootCertificatesForClientCRL := func(params *ConnectionInfo) (*RootCertificates, error) {
return &RootCertificates{TrustCerts: cs.ClientTrust3}, nil
}
getRootCAsForServerCRL := func(params *GetRootCAsParams) (*GetRootCAsResults, error) {
return &GetRootCAsResults{TrustCerts: cs.ServerTrust3}, nil
getRootCertificatesForServerCRL := func(params *ConnectionInfo) (*RootCertificates, error) {
return &RootCertificates{TrustCerts: cs.ServerTrust3}, nil
}
makeStaticCRLRevocationOptions := func(crlPath string, denyUndetermined bool) *RevocationOptions {
@ -448,7 +453,7 @@ func (s) TestClientServerHandshake(t *testing.T) {
clientCert []tls.Certificate
clientGetCert func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
clientRoot *x509.CertPool
clientGetRoot func(params *GetRootCAsParams) (*GetRootCAsResults, error)
clientGetRoot func(params *ConnectionInfo) (*RootCertificates, error)
clientVerifyFunc PostHandshakeVerificationFunc
clientVerificationType VerificationType
clientRootProvider certprovider.Provider
@ -459,7 +464,7 @@ func (s) TestClientServerHandshake(t *testing.T) {
serverCert []tls.Certificate
serverGetCert func(*tls.ClientHelloInfo) ([]*tls.Certificate, error)
serverRoot *x509.CertPool
serverGetRoot func(params *GetRootCAsParams) (*GetRootCAsResults, error)
serverGetRoot func(params *ConnectionInfo) (*RootCertificates, error)
serverVerifyFunc PostHandshakeVerificationFunc
serverVerificationType VerificationType
serverRootProvider certprovider.Provider
@ -484,7 +489,7 @@ func (s) TestClientServerHandshake(t *testing.T) {
// Expected Behavior: success
{
desc: "Client sets reload root function with verifyFuncGood; server sends peer cert",
clientGetRoot: getRootCAsForClient,
clientGetRoot: getRootCertificatesForClient,
clientVerifyFunc: clientVerifyFuncGood,
clientVerificationType: CertVerification,
serverCert: []tls.Certificate{cs.ServerCert1},
@ -496,7 +501,7 @@ func (s) TestClientServerHandshake(t *testing.T) {
// Reason: custom verification function is bad
{
desc: "Client sets reload root function with verifyFuncBad; server sends peer cert",
clientGetRoot: getRootCAsForClient,
clientGetRoot: getRootCertificatesForClient,
clientVerifyFunc: verifyFuncBad,
clientVerificationType: CertVerification,
clientExpectHandshakeError: true,
@ -504,13 +509,27 @@ func (s) TestClientServerHandshake(t *testing.T) {
serverVerificationType: CertVerification,
serverExpectError: true,
},
// Client: set clientGetRoot with deprecated types, clientVerifyFunc and
// clientCert Server: set serverRoot and serverCert with mutual TLS on
// Expected Behavior: success
{
desc: "Client sets peer cert, reload root function with deprecatd types with verifyFuncGood; server sets peer cert and root cert; mutualTLS",
clientCert: []tls.Certificate{cs.ClientCert1},
clientGetRoot: getRootCertificatesForClientDeprecatedTypes,
clientVerifyFunc: clientVerifyFuncGood,
clientVerificationType: CertVerification,
serverMutualTLS: true,
serverCert: []tls.Certificate{cs.ServerCert1},
serverRoot: cs.ServerTrust1,
serverVerificationType: CertVerification,
},
// Client: set clientGetRoot, clientVerifyFunc and clientCert
// Server: set serverRoot and serverCert with mutual TLS on
// Expected Behavior: success
{
desc: "Client sets peer cert, reload root function with verifyFuncGood; server sets peer cert and root cert; mutualTLS",
clientCert: []tls.Certificate{cs.ClientCert1},
clientGetRoot: getRootCAsForClient,
clientGetRoot: getRootCertificatesForClient,
clientVerifyFunc: clientVerifyFuncGood,
clientVerificationType: CertVerification,
serverMutualTLS: true,
@ -524,12 +543,12 @@ func (s) TestClientServerHandshake(t *testing.T) {
{
desc: "Client sets peer cert, reload root function with verifyFuncGood; Server sets peer cert, reload root function; mutualTLS",
clientCert: []tls.Certificate{cs.ClientCert1},
clientGetRoot: getRootCAsForClient,
clientGetRoot: getRootCertificatesForClient,
clientVerifyFunc: clientVerifyFuncGood,
clientVerificationType: CertVerification,
serverMutualTLS: true,
serverCert: []tls.Certificate{cs.ServerCert1},
serverGetRoot: getRootCAsForServer,
serverGetRoot: getRootCertificatesForServer,
serverVerificationType: CertVerification,
},
// Client: set clientGetRoot, clientVerifyFunc and clientCert
@ -540,12 +559,12 @@ func (s) TestClientServerHandshake(t *testing.T) {
{
desc: "Client sets peer cert, reload root function with verifyFuncGood; Server sets peer cert, bad reload root function; mutualTLS",
clientCert: []tls.Certificate{cs.ClientCert1},
clientGetRoot: getRootCAsForClient,
clientGetRoot: getRootCertificatesForClient,
clientVerifyFunc: clientVerifyFuncGood,
clientVerificationType: CertVerification,
serverMutualTLS: true,
serverCert: []tls.Certificate{cs.ServerCert1},
serverGetRoot: getRootCAsForServerBad,
serverGetRoot: getRootCertificatesForServerBad,
serverVerificationType: CertVerification,
serverExpectError: true,
},
@ -557,14 +576,14 @@ func (s) TestClientServerHandshake(t *testing.T) {
clientGetCert: func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
return &cs.ClientCert1, nil
},
clientGetRoot: getRootCAsForClient,
clientGetRoot: getRootCertificatesForClient,
clientVerifyFunc: clientVerifyFuncGood,
clientVerificationType: CertVerification,
serverMutualTLS: true,
serverGetCert: func(info *tls.ClientHelloInfo) ([]*tls.Certificate, error) {
return []*tls.Certificate{&cs.ServerCert1}, nil
},
serverGetRoot: getRootCAsForServer,
serverGetRoot: getRootCertificatesForServer,
serverVerifyFunc: serverVerifyFunc,
serverVerificationType: CertVerification,
},
@ -578,14 +597,14 @@ func (s) TestClientServerHandshake(t *testing.T) {
clientGetCert: func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
return &cs.ServerCert1, nil
},
clientGetRoot: getRootCAsForClient,
clientGetRoot: getRootCertificatesForClient,
clientVerifyFunc: clientVerifyFuncGood,
clientVerificationType: CertVerification,
serverMutualTLS: true,
serverGetCert: func(info *tls.ClientHelloInfo) ([]*tls.Certificate, error) {
return []*tls.Certificate{&cs.ServerCert1}, nil
},
serverGetRoot: getRootCAsForServer,
serverGetRoot: getRootCertificatesForServer,
serverVerifyFunc: serverVerifyFunc,
serverVerificationType: CertVerification,
serverExpectError: true,
@ -599,7 +618,7 @@ func (s) TestClientServerHandshake(t *testing.T) {
clientGetCert: func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
return &cs.ClientCert1, nil
},
clientGetRoot: getRootCAsForServer,
clientGetRoot: getRootCertificatesForServer,
clientVerifyFunc: clientVerifyFuncGood,
clientVerificationType: CertVerification,
clientExpectHandshakeError: true,
@ -607,7 +626,7 @@ func (s) TestClientServerHandshake(t *testing.T) {
serverGetCert: func(info *tls.ClientHelloInfo) ([]*tls.Certificate, error) {
return []*tls.Certificate{&cs.ServerCert1}, nil
},
serverGetRoot: getRootCAsForServer,
serverGetRoot: getRootCertificatesForServer,
serverVerifyFunc: serverVerifyFunc,
serverVerificationType: CertVerification,
serverExpectError: true,
@ -622,14 +641,14 @@ func (s) TestClientServerHandshake(t *testing.T) {
clientGetCert: func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
return &cs.ClientCert1, nil
},
clientGetRoot: getRootCAsForClient,
clientGetRoot: getRootCertificatesForClient,
clientVerifyFunc: clientVerifyFuncGood,
clientVerificationType: CertVerification,
serverMutualTLS: true,
serverGetCert: func(info *tls.ClientHelloInfo) ([]*tls.Certificate, error) {
return []*tls.Certificate{&cs.ClientCert1}, nil
},
serverGetRoot: getRootCAsForServer,
serverGetRoot: getRootCertificatesForServer,
serverVerifyFunc: serverVerifyFunc,
serverVerificationType: CertVerification,
serverExpectError: true,
@ -643,7 +662,7 @@ func (s) TestClientServerHandshake(t *testing.T) {
clientGetCert: func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
return &cs.ClientCert1, nil
},
clientGetRoot: getRootCAsForClient,
clientGetRoot: getRootCertificatesForClient,
clientVerifyFunc: clientVerifyFuncGood,
clientVerificationType: CertVerification,
clientExpectHandshakeError: true,
@ -651,7 +670,7 @@ func (s) TestClientServerHandshake(t *testing.T) {
serverGetCert: func(info *tls.ClientHelloInfo) ([]*tls.Certificate, error) {
return []*tls.Certificate{&cs.ServerCert1}, nil
},
serverGetRoot: getRootCAsForClient,
serverGetRoot: getRootCertificatesForClient,
serverVerifyFunc: serverVerifyFunc,
serverVerificationType: CertVerification,
serverExpectError: true,
@ -663,13 +682,13 @@ func (s) TestClientServerHandshake(t *testing.T) {
{
desc: "Client sets peer cert, reload root function with verifyFuncGood; Server sets bad custom check; mutualTLS",
clientCert: []tls.Certificate{cs.ClientCert1},
clientGetRoot: getRootCAsForClient,
clientGetRoot: getRootCertificatesForClient,
clientVerifyFunc: clientVerifyFuncGood,
clientVerificationType: CertVerification,
clientExpectHandshakeError: true,
serverMutualTLS: true,
serverCert: []tls.Certificate{cs.ServerCert1},
serverGetRoot: getRootCAsForServer,
serverGetRoot: getRootCertificatesForServer,
serverVerifyFunc: verifyFuncBad,
serverVerificationType: CertVerification,
serverExpectError: true,
@ -754,7 +773,7 @@ func (s) TestClientServerHandshake(t *testing.T) {
{
desc: "Client sets peer cert, reload root function with verifyFuncGood; Server sets peer cert, reload root function; mutualTLS",
clientCert: []tls.Certificate{cs.ClientCert1},
clientGetRoot: getRootCAsForClient,
clientGetRoot: getRootCertificatesForClient,
clientVerifyFunc: clientVerifyFuncGood,
clientVerificationType: CertVerification,
clientRevocationOptions: &RevocationOptions{
@ -764,7 +783,7 @@ func (s) TestClientServerHandshake(t *testing.T) {
},
serverMutualTLS: true,
serverCert: []tls.Certificate{cs.ServerCert1},
serverGetRoot: getRootCAsForServer,
serverGetRoot: getRootCertificatesForServer,
serverVerificationType: CertVerification,
serverRevocationOptions: &RevocationOptions{
RootDir: testdata.Path("crl"),
@ -778,13 +797,13 @@ func (s) TestClientServerHandshake(t *testing.T) {
{
desc: "Client sets peer cert, reload root function with verifyFuncGood; Server sets peer cert, reload root function; Client uses CRL; mutualTLS",
clientCert: []tls.Certificate{cs.ClientCertForCRL},
clientGetRoot: getRootCAsForClientCRL,
clientGetRoot: getRootCertificatesForClientCRL,
clientVerifyFunc: clientVerifyFuncGood,
clientVerificationType: CertVerification,
clientRevocationOptions: makeStaticCRLRevocationOptions(testdata.Path("crl/provider_crl_empty.pem"), true),
serverMutualTLS: true,
serverCert: []tls.Certificate{cs.ServerCertForCRL},
serverGetRoot: getRootCAsForServerCRL,
serverGetRoot: getRootCertificatesForServerCRL,
serverVerificationType: CertVerification,
},
// Client: set valid credentials with the revocation config
@ -793,13 +812,13 @@ func (s) TestClientServerHandshake(t *testing.T) {
{
desc: "Client sets peer cert, reload root function with verifyFuncGood; Server sets revoked cert; Client uses CRL; mutualTLS",
clientCert: []tls.Certificate{cs.ClientCertForCRL},
clientGetRoot: getRootCAsForClientCRL,
clientGetRoot: getRootCertificatesForClientCRL,
clientVerifyFunc: clientVerifyFuncGood,
clientVerificationType: CertVerification,
clientRevocationOptions: makeStaticCRLRevocationOptions(testdata.Path("crl/provider_crl_server_revoked.pem"), true),
serverMutualTLS: true,
serverCert: []tls.Certificate{cs.ServerCertForCRL},
serverGetRoot: getRootCAsForServerCRL,
serverGetRoot: getRootCertificatesForServerCRL,
serverVerificationType: CertVerification,
serverExpectError: true,
},
@ -810,13 +829,13 @@ func (s) TestClientServerHandshake(t *testing.T) {
{
desc: "Client sets peer cert, reload root function with verifyFuncGood; Server sets peer cert, reload root function; Client uses CRL; mutualTLS",
clientCert: []tls.Certificate{cs.ClientCertForCRL},
clientGetRoot: getRootCAsForClientCRL,
clientGetRoot: getRootCertificatesForClientCRL,
clientVerifyFunc: clientVerifyFuncGood,
clientVerificationType: CertVerification,
clientRevocationOptions: makeStaticCRLRevocationOptions(testdata.Path("crl/provider_malicious_crl_empty.pem"), true),
serverMutualTLS: true,
serverCert: []tls.Certificate{cs.ServerCertForCRL},
serverGetRoot: getRootCAsForServerCRL,
serverGetRoot: getRootCertificatesForServerCRL,
serverVerificationType: CertVerification,
serverExpectError: true,
},
@ -836,7 +855,7 @@ func (s) TestClientServerHandshake(t *testing.T) {
IdentityProvider: test.serverIdentityProvider,
},
RootOptions: RootCertificateOptions{
RootCACerts: test.serverRoot,
RootCertificates: test.serverRoot,
GetRootCertificates: test.serverGetRoot,
RootProvider: test.serverRootProvider,
},
@ -881,7 +900,7 @@ func (s) TestClientServerHandshake(t *testing.T) {
},
AdditionalPeerVerification: test.clientVerifyFunc,
RootOptions: RootCertificateOptions{
RootCACerts: test.clientRoot,
RootCertificates: test.clientRoot,
GetRootCertificates: test.clientGetRoot,
RootProvider: test.clientRootProvider,
},
@ -946,7 +965,7 @@ func (s) TestAdvancedTLSOverrideServerName(t *testing.T) {
}
clientOptions := &Options{
RootOptions: RootCertificateOptions{
RootCACerts: cs.ClientTrust1,
RootCertificates: cs.ClientTrust1,
},
serverNameOverride: expectedServerName,
}