build(deps): bump github.com/stretchr/objx in /tools/mod

Bumps [github.com/stretchr/objx](https://github.com/stretchr/objx) from 0.5.0 to 0.5.1. - [Release notes](https://github.com/stretchr/objx/releases) - [Commits](https://github.com/stretchr/objx/compare/v0.5.0...v0.5.1) --- updated-dependencies: - dependency-name: github.com/stretchr/objx dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Merge pull request #17106 from ivanvc/cert_20231103
2024-01-01 17:02:52 +00:00 · 2023-12-29 19:57:41 +00:00 · 2023-12-28 21:18:26 +00:00 · 2023-12-23 09:23:17 -08:00 · 2023-12-12 14:47:49 -08:00
5 changed files with 167 additions and 5 deletions
--- a/client/pkg/transport/listener.go
+++ b/client/pkg/transport/listener.go
@ -264,9 +264,10 @@ func SelfCert(lg *zap.Logger, dirpath string, hosts []string, selfSignedCertVali
 		NotBefore:    time.Now(),
 		NotAfter:     time.Now().Add(time.Duration(selfSignedCertValidity) * 365 * (24 * time.Hour)),

-		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCRLSign,
 		ExtKeyUsage:           append([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, additionalUsages...),
 		BasicConstraintsValid: true,
+		IsCA:                  true,
 	}

 	if info.Logger != nil {
--- a/client/pkg/transport/listener_test.go
+++ b/client/pkg/transport/listener_test.go
@ -15,12 +15,17 @@
 package transport

 import (
+	"crypto/rand"
 	"crypto/tls"
 	"crypto/x509"
+	"encoding/pem"
 	"errors"
+	"math/big"
 	"net"
 	"net/http"
 	"os"
+	"path/filepath"
+	"sync"
 	"testing"
 	"time"

@ -573,3 +578,157 @@ func TestSocktOptsEmpty(t *testing.T) {
 		}
 	}
 }
+
+// TestNewListenerWithACRLFile tests when a revocation list is present.
+func TestNewListenerWithACRLFile(t *testing.T) {
+	clientTLSInfo, err := createSelfCertEx(t, "127.0.0.1", x509.ExtKeyUsageClientAuth)
+	if err != nil {
+		t.Fatalf("unable to create client cert: %v", err)
+	}
+
+	loadFileAsPEM := func(fileName string) []byte {
+		loaded, readErr := os.ReadFile(fileName)
+		if readErr != nil {
+			t.Fatalf("unable to read file %q: %v", fileName, readErr)
+		}
+		block, _ := pem.Decode(loaded)
+		return block.Bytes
+	}
+
+	clientCert, err := x509.ParseCertificate(loadFileAsPEM(clientTLSInfo.CertFile))
+	if err != nil {
+		t.Fatalf("unable to parse client cert: %v", err)
+	}
+
+	tests := map[string]struct {
+		expectHandshakeError      bool
+		revokedCertificateEntries []x509.RevocationListEntry
+		revocationListContents    []byte
+	}{
+		"empty revocation list": {
+			expectHandshakeError: false,
+		},
+		"client cert is revoked": {
+			expectHandshakeError: true,
+			revokedCertificateEntries: []x509.RevocationListEntry{
+				{
+					SerialNumber:   clientCert.SerialNumber,
+					RevocationTime: time.Now(),
+				},
+			},
+		},
+		"invalid CRL file content": {
+			expectHandshakeError:   true,
+			revocationListContents: []byte("@invalidcontent"),
+		},
+	}
+
+	for testName, test := range tests {
+		t.Run(testName, func(t *testing.T) {
+			tmpdir := t.TempDir()
+			tlsInfo, err := createSelfCert(t)
+			if err != nil {
+				t.Fatalf("unable to create server cert: %v", err)
+			}
+			tlsInfo.TrustedCAFile = clientTLSInfo.CertFile
+			tlsInfo.CRLFile = filepath.Join(tmpdir, "revoked.r0")
+
+			cert, err := x509.ParseCertificate(loadFileAsPEM(tlsInfo.CertFile))
+			if err != nil {
+				t.Fatalf("unable to decode server cert: %v", err)
+			}
+
+			key, err := x509.ParseECPrivateKey(loadFileAsPEM(tlsInfo.KeyFile))
+			if err != nil {
+				t.Fatalf("unable to parse server key: %v", err)
+			}
+
+			revocationListContents := test.revocationListContents
+			if len(revocationListContents) == 0 {
+				tmpl := &x509.RevocationList{
+					RevokedCertificateEntries: test.revokedCertificateEntries,
+					ThisUpdate:                time.Now(),
+					NextUpdate:                time.Now().Add(time.Hour),
+					Number:                    big.NewInt(1),
+				}
+				revocationListContents, err = x509.CreateRevocationList(rand.Reader, tmpl, cert, key)
+				if err != nil {
+					t.Fatalf("unable to create revocation list: %v", err)
+				}
+			}
+
+			if err = os.WriteFile(tlsInfo.CRLFile, revocationListContents, 0600); err != nil {
+				t.Fatalf("unable to write revocation list: %v", err)
+			}
+
+			chHandshakeFailure := make(chan error, 1)
+			tlsInfo.HandshakeFailure = func(_ *tls.Conn, err error) {
+				if err != nil {
+					chHandshakeFailure <- err
+				}
+			}
+
+			rootCAs := x509.NewCertPool()
+			rootCAs.AddCert(cert)
+
+			clientCert, err := tls.LoadX509KeyPair(clientTLSInfo.CertFile, clientTLSInfo.KeyFile)
+			if err != nil {
+				t.Fatalf("unable to create peer cert: %v", err)
+			}
+
+			ln, err := NewListener("127.0.0.1:0", "https", tlsInfo)
+			if err != nil {
+				t.Fatalf("unable to start listener: %v", err)
+			}
+
+			tlsConfig := &tls.Config{}
+			tlsConfig.InsecureSkipVerify = false
+			tlsConfig.Certificates = []tls.Certificate{clientCert}
+			tlsConfig.RootCAs = rootCAs
+
+			tr := &http.Transport{TLSClientConfig: tlsConfig}
+			cli := &http.Client{Transport: tr, Timeout: 5 * time.Second}
+			var wg sync.WaitGroup
+			wg.Add(2)
+			go func() {
+				defer wg.Done()
+				if _, gerr := cli.Get("https://" + ln.Addr().String()); gerr != nil {
+					t.Logf("http GET failed: %v", gerr)
+				}
+			}()
+
+			chAcceptConn := make(chan net.Conn, 1)
+			go func() {
+				defer wg.Done()
+				conn, err := ln.Accept()
+				if err == nil {
+					chAcceptConn <- conn
+				}
+			}()
+
+			timer := time.NewTimer(5 * time.Second)
+			defer func() {
+				if !timer.Stop() {
+					<-timer.C
+				}
+			}()
+
+			select {
+			case err := <-chHandshakeFailure:
+				if !test.expectHandshakeError {
+					t.Errorf("expecting no handshake error, got: %v", err)
+				}
+			case conn := <-chAcceptConn:
+				if test.expectHandshakeError {
+					t.Errorf("expecting handshake error, got nothing")
+				}
+				conn.Close()
+			case <-timer.C:
+				t.Error("timed out waiting for closed connection or handshake error")
+			}
+
+			ln.Close()
+			wg.Wait()
+		})
+	}
+}
--- a/client/pkg/transport/listener_tls.go
+++ b/client/pkg/transport/listener_tls.go
@ -172,12 +172,12 @@ func checkCRL(crlPath string, cert []*x509.Certificate) error {
 	if err != nil {
 		return err
 	}
-	certList, err := x509.ParseCRL(crlBytes)
+	certList, err := x509.ParseRevocationList(crlBytes)
 	if err != nil {
 		return err
 	}
 	revokedSerials := make(map[string]struct{})
-	for _, rc := range certList.TBSCertList.RevokedCertificates {
+	for _, rc := range certList.RevokedCertificateEntries {
 		revokedSerials[string(rc.SerialNumber.Bytes())] = struct{}{}
 	}
 	for _, c := range cert {
--- a/tools/mod/go.mod
+++ b/tools/mod/go.mod
@ -187,7 +187,7 @@ require (
 	github.com/spf13/viper v1.12.0 // indirect
 	github.com/ssgreg/nlreturn/v2 v2.2.1 // indirect
 	github.com/stbenjam/no-sprintf-host-port v0.1.1 // indirect
-	github.com/stretchr/objx v0.5.0 // indirect
+	github.com/stretchr/objx v0.5.1 // indirect
 	github.com/stretchr/testify v1.8.4 // indirect
 	github.com/subosito/gotenv v1.4.1 // indirect
 	github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c // indirect
--- a/tools/mod/go.sum
+++ b/tools/mod/go.sum
@ -610,8 +610,9 @@ github.com/stbenjam/no-sprintf-host-port v0.1.1/go.mod h1:TLhvtIvONRzdmkFiio4O8L
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.1 h1:4VhoImhV/Bm0ToFkXFi8hXNXwpDRZ/ynw3amt82mzq0=
+github.com/stretchr/objx v0.5.1/go.mod h1:/iHQpkQwBD6DLUmQ4pE+s1TXdob1mORJ4/UFdrifcy0=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
@ -619,6 +620,7 @@ github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/subosito/gotenv v1.4.1 h1:jyEFiXpy21Wm81FBN71l9VoMMV8H8jG+qIK3GCpY6Qs=
Author	SHA1	Message	Date
dependabot[bot]	d3bfe3812d	build(deps): bump github.com/stretchr/objx in /tools/mod Bumps [github.com/stretchr/objx](https://github.com/stretchr/objx) from 0.5.0 to 0.5.1. - [Release notes](https://github.com/stretchr/objx/releases) - [Commits](https://github.com/stretchr/objx/compare/v0.5.0...v0.5.1) --- updated-dependencies: - dependency-name: github.com/stretchr/objx dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2024-01-01 17:02:52 +00:00
Benjamin Wang	f8d5ba9a3f	Merge pull request #17106 from ivanvc/cert_20231103 Replace the deprecated `x509.ParseCRL` with `x509.ParseRevocationList`	2023-12-29 19:57:41 +00:00
Benjamin Wang	dc26e816fd	Merge pull request #17156 from etcd-io/ptabor-patch-1 Update OWNERS: Retire ptabor	2023-12-28 21:18:26 +00:00
Ivan Valdes	e9434c9455	client: implement TLS CRL tests Signed-off-by: Ivan Valdes <ivan@vald.es>	2023-12-23 09:23:17 -08:00
Benjamin Wang	16d1ef949c	replace the deprecated x509.ParseCRL with x509.ParseRevocationList Signed-off-by: Benjamin Wang <wachao@vmware.com>	2023-12-12 14:47:49 -08:00