Add cert CRL support. #269
Conversation
|
Will verify this change with sonic-net/sonic-buildimage#19536 |
liuh-80
changed the title
| return ctx, nil | ||
| } | ||
|
|
||
| func TryDownload(url string) bool { |
There was a problem hiding this comment.
If we want to download crl from external url, we need to make sure dns is working.
There was a problem hiding this comment.
There is no external url, I verified the dns is working.
gnmi_server/clientCertAuth.go
Outdated
| func VerifyCertCrl(tlsConnState tls.ConnectionState) error { | ||
| // Check if any CRL already exist in local | ||
| crlUriArray := GetCrlUrls(*tlsConnState.VerifiedChains[0][0]) | ||
| downloaded := DownloadNotCachedCrl(crlUriArray) |
There was a problem hiding this comment.
If crl is enabled, but we failed to download crl, all the gnmi requests will be rejected.
Is this acceptable?
There was a problem hiding this comment.
It's by design:
If a cert does not contains any CRL distribution points, cert will not verify by CRL.
If a cert contains multiple CRL distribution points, and download from all distribution points failed, then the cert should be blocked, because we can't verify it.
|
/azpw run sonic-net.sonic-gnmi |
|
/AzurePipelines run sonic-net.sonic-gnmi |
|
Azure Pipelines successfully started running 1 pipeline(s). |
liuh-80
changed the title
|
/azpw run sonic-net.sonic-gnmi |
|
/AzurePipelines run sonic-net.sonic-gnmi |
|
Azure Pipelines successfully started running 1 pipeline(s). |
liuh-80
force-pushed
the
dev/liuh/disable-crl-cert-access
branch
from
a9de39f
to
65e9e5f
Compare
|
Will verify with this image: |
Add cert CRL support.
Why I did it
Support certificate revocation list.
How I did it
Download CRL and verify cert with CRL.
How to verify it
Manually test:
I1119 06:45:56.678454 139 server.go:201] Created Server on localhost:50052, read-only: true
I1119 06:45:56.678478 139 telemetry.go:465] Auth Modes: cert
I1119 06:45:56.678495 139 telemetry.go:466] Starting RPC server on address: localhost:50052
I1119 06:45:56.678532 139 telemetry.go:469] GNMI Server started serving
I1119 06:46:14.936024 139 clientCertAuth.go:183] Get Crl Urls for cert: []
I1119 06:46:14.936363 139 clientCertAuth.go:224] Cert does not contains and CRL distribution points
I1119 06:46:14.936375 139 server.go:278] authenticate user , roles [role1]
I1119 06:46:21.524943 139 clientCertAuth.go:183] Get Crl Urls for cert: [http://10.250.0.102:1234/crl]
I1119 06:46:21.526022 139 clientCertAuth.go:93] SearchCrlCache not found cache for url: http://10.250.0.102:1234/crl
I1119 06:46:21.526138 139 clientCertAuth.go:158] Download CRL start: http://10.250.0.102:1234/crl
I1119 06:46:21.533821 139 clientCertAuth.go:176] Download CRL: http://10.250.0.102:1234/crl successed
I1119 06:46:21.534318 139 clientCertAuth.go:66] CrlExpired expireTime: Wed Nov 20 06:46:21 2024, now: Tue Nov 19 06:46:21 2024
I1119 06:46:21.534337 139 clientCertAuth.go:211] CreateStaticCRLProvider add crl: http://10.250.0.102:1234/crl content: [...]
I1119 06:46:21.535269 139 clientCertAuth.go:244] VerifyCertCrl peer certificate revoked: no unrevoked chains found: map[2:1]
I1119 06:46:21.535289 139 clientCertAuth.go:149] [TELEMETRY-2] Failed to verify cert with CRL; rpc error: code = Unauthenticated desc = Peer certificate revoked
Add new UT.
Work item tracking
Microsoft ADO (number only): 27146924
Which release branch to backport (provide reason below if selected)
Description for the changelog
Add cert CRL support.
Link to config_db schema for YANG module changes
A picture of a cute animal (not mandatory but encouraged)