prometheus · RoryKirsi · Jul 31, 2023 · Aug 3, 2023
diff --git a/config/crl.go b/config/crl.go
@@ -0,0 +1,75 @@
+// Copyright 2016 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This file is built for It provides functionalities to parse raw CRLs,
+// check their validity and verify their signatures against provided
+// certificates (CAs). It also allows checking the revocation status of the
+// provided certificates.
+
+// It is built for Go versions after and include Go version 1.19 as there
+// are new functionality related to CRL handling.
+
+//go:build go1.19
+// +build go1.19
+
+package config
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"time"
+)
+
+// Parse all CRLs and return a slice of valid CRLs.
+func parseCRLs(rawCRL []byte, cAs []*x509.Certificate) ([]*x509.RevocationList, error) {
+	var crls []*x509.RevocationList
+	for p, r := pem.Decode(rawCRL); p != nil; p, r = pem.Decode(r) {
+		if p.Type != "X509 CRL" {
+			return nil, fmt.Errorf("unable to decode raw certificate revocation list")
+		}
+		crl, err := x509.ParseRevocationList(p.Bytes)
+		if err != nil {
+			return nil, err
+		}
+
+		// Check CRL exipry status.
+		if crl.NextUpdate.Before(time.Now()) {
+			return nil, fmt.Errorf("certificate revocation list is outdated")
+		}
+
+		// Check each CRL is signed by any CA, if not, ignore the CRL.
+		// Otherwise, append to the valid slice of CRL.
+		for _, ca := range cAs {
+			err = crl.CheckSignatureFrom(ca)
+			if err == nil {
+				crls = append(crls, crl)
+				break
+			}
+		}
+	}
+	return crls, nil
+}
+
+func validRevocationStatus(cAs []*x509.Certificate, cRLs []*x509.RevocationList) error {
+	for _, cert := range cAs {
+		for _, crl := range cRLs {
+			for _, revokedCertificate := range crl.RevokedCertificates {
+				if revokedCertificate.SerialNumber.Cmp(cert.SerialNumber) == 0 {
+					return fmt.Errorf("certificate was revoked")
+				}
+			}
+		}
+	}
+	return nil
+}
diff --git a/config/crl_deprecated.go b/config/crl_deprecated.go
@@ -0,0 +1,76 @@
+// Copyright 2016 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This file is built for It provides functionalities to parse raw CRLs,
+// check their validity and verify their signatures against provided
+// certificates (CAs). It also allows checking the revocation status of the
+// provided certificates.
+
+// It is built for Go versions before 1.19 as there are deprecated
+// functionality related to CRL handling.
+
+//go:build !go1.19
+// +build !go1.19
+
+package config
+
+import (
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"time"
+)
+
+// Parse all CRLs and return a slice of valid CRLs.
+func parseCRLs(rawCRL []byte, cAs []*x509.Certificate) ([]*pkix.CertificateList, error) {
+	var crls []*pkix.CertificateList
+	for p, r := pem.Decode(rawCRL); p != nil; p, r = pem.Decode(r) {
+		if p.Type != "X509 CRL" {
+			return nil, fmt.Errorf("unable to decode raw certificate revocation list")
+		}
+		crl, err := x509.ParseCRL(p.Bytes)
+		if err != nil {
+			return nil, err
+		}
+
+		// Check CRL exipry status.
+		if crl.TBSCertList.NextUpdate.Before(time.Now()) {
+			return nil, fmt.Errorf("certificate revocation list is outdated")
+		}
+
+		// Check each CRL is signed by any CA, if not, ignore the CRL.
+		// Otherwise, append to the valid slice of CRL.
+		for _, ca := range cAs {
+			err = ca.CheckCRLSignature(crl)
+			if err == nil {
+				crls = append(crls, crl)
+				break
+			}
+		}
+	}
+	return crls, nil
+}
+
+func validRevocationStatus(cAs []*x509.Certificate, cRLs []*pkix.CertificateList) error {
+	for _, cert := range cAs {
+		for _, crl := range cRLs {
+			for _, revokedCertificate := range crl.TBSCertList.RevokedCertificates {
+				if revokedCertificate.SerialNumber.Cmp(cert.SerialNumber) == 0 {
+					return fmt.Errorf("certificate was revoked")
+				}
+			}
+		}
+	}
+	return nil
+}
diff --git a/config/generate.go b/config/generate.go
@@ -92,7 +92,7 @@ func GenerateCertificateAuthority(commonName string, parentCert *x509.Certificat
 		},
 		NotBefore:             now,
 		NotAfter:              now.Add(validityPeriod),
-		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign,
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
 		IsCA:                  true,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
 		BasicConstraintsValid: true,
@@ -186,6 +186,51 @@ func writeCertificateAndKey(path string, cert *x509.Certificate, key *rsa.Privat
 	return nil
 }
 
+func GenerateCRL(cert *x509.Certificate, privateKey *rsa.PrivateKey, revokedCerts []pkix.RevokedCertificate, isExpired bool) ([]byte, error) {
+	now := time.Now()
+
+	next := now.AddDate(30, 0, 0)
+	if isExpired {
+		next = now
+	}
+
+	crl := &x509.RevocationList{
+		SignatureAlgorithm:  x509.SHA256WithRSA,
+		ThisUpdate:          now,
+		NextUpdate:          next,
+		RevokedCertificates: revokedCerts,
+		Number:              big.NewInt(1),
+		Issuer:              cert.Subject,
+	}
+
+	crlBytes, err := x509.CreateRevocationList(rand.Reader, crl, cert, privateKey)
+	if err != nil {
+		return nil, fmt.Errorf("cannot create revocation list: %v", err)
+	}
+
+	return crlBytes, nil
+}
+
+func writeCRLs(filename string, crlData [][]byte) error {
+	crlPemBytes := new(bytes.Buffer)
+	for _, data := range crlData {
+		crlPem := &pem.Block{
+			Type:  "X509 CRL",
+			Bytes: data,
+		}
+		err := pem.Encode(crlPemBytes, crlPem)
+		if err != nil {
+			return err
+		}
+	}
+
+	if crlPemBytes == nil {
+		return fmt.Errorf("empty CRL to write")
+	}
+
+	return os.WriteFile(filename, crlPemBytes.Bytes(), 0644)
+}
+
 func main() {
 	log.Println("Generating root CA")
 	rootCert, rootKey, err := GenerateCertificateAuthority("Prometheus Root CA", nil, nil)
@@ -199,6 +244,12 @@ func main() {
 		log.Fatal(err)
 	}
 
+	log.Println("Generating Irrelevant CA")
+	irlvtCert, irlvtKey, err := GenerateCertificateAuthority("Prometheus TLS Irrelevant CA", nil, nil)
+	if err != nil {
+		log.Fatal(err)
+	}
+
 	log.Println("Generating server certificate")
 	cert, key, err := GenerateCertificate(caCert, caKey, true, "localhost", net.IPv4(127, 0, 0, 1), net.IPv4(127, 0, 0, 0))
 	if err != nil {
@@ -209,6 +260,16 @@ func main() {
 		log.Fatal(err)
 	}
 
+	log.Println("Generating revoked server certificate")
+	revokedCert, revokedKey, err := GenerateCertificate(caCert, caKey, true, "localhost", net.IPv4(127, 0, 0, 1), net.IPv4(127, 0, 0, 0))
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	if err := writeCertificateAndKey("testdata/server_revoked", revokedCert, revokedKey); err != nil {
+		log.Fatal(err)
+	}
+
 	log.Println("Generating client certificate")
 	cert, key, err = GenerateCertificate(caCert, caKey, false, "localhost")
 	if err != nil {
@@ -235,11 +296,108 @@ func main() {
 		log.Fatal(err)
 	}
 
+	if err := os.WriteFile("testdata/tls-ca-no-root.pem", b.Bytes(), 0644); err != nil {
+		log.Fatal(err)
+	}
+
 	if err := EncodeCertificate(&b, rootCert); err != nil {
 		log.Fatal(err)
 	}
 
 	if err := os.WriteFile("testdata/tls-ca-chain.pem", b.Bytes(), 0644); err != nil {
 		log.Fatal(err)
 	}
+
+	if err := EncodeCertificate(&b, irlvtCert); err != nil {
+		log.Fatal(err)
+	}
+
+	if err := os.WriteFile("testdata/tls-ca-chain-add-irlvt-ca.pem", b.Bytes(), 0644); err != nil {
+		log.Fatal(err)
+	}
+
+	log.Println("Generating CRLs")
+	crlProp_revokedCert := []pkix.RevokedCertificate{
+		{
+			SerialNumber:   revokedCert.SerialNumber,
+			RevocationTime: time.Now(),
+		},
+	}
+
+	crl_RevokedCert, err := GenerateCRL(caCert, caKey, crlProp_revokedCert, false)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	if err := writeCRLs("testdata/crl_cert_revoked.pem", [][]byte{crl_RevokedCert}); err != nil {
+		log.Fatal(err)
+	}
+
+	crl_RevokedCert_expired, err := GenerateCRL(caCert, caKey, crlProp_revokedCert, true)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	if err := writeCRLs("testdata/crl_cert_revoked_expired.pem", [][]byte{crl_RevokedCert_expired}); err != nil {
+		log.Fatal(err)
+	}
+
+	crl_irlvtRevokedCert, err := GenerateCRL(irlvtCert, irlvtKey, crlProp_revokedCert, false)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	crlProp_empty := []pkix.RevokedCertificate{
+		{
+			SerialNumber:   big.NewInt(1),
+			RevocationTime: time.Now(),
+		},
+	}
+
+	crl_InterCA_Empty, err := GenerateCRL(caCert, caKey, crlProp_empty, false)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	if err := writeCRLs("testdata/crl_inter_empty.pem", [][]byte{crl_InterCA_Empty}); err != nil {
+		log.Fatal(err)
+	}
+
+	crlProp_RevokedInterCA := []pkix.RevokedCertificate{
+		{
+			SerialNumber:   caCert.SerialNumber,
+			RevocationTime: time.Now(),
+		},
+	}
+
+	crl_revokedInterCA, err := GenerateCRL(rootCert, rootKey, crlProp_RevokedInterCA, false)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	crl_Root_Empty, err := GenerateCRL(rootCert, rootKey, crlProp_empty, false)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	if err := writeCRLs("testdata/crl_root_empty.pem", [][]byte{crl_Root_Empty}); err != nil {
+		log.Fatal(err)
+	}
+
+	if err := writeCRLs("testdata/crl_chain_all_empty.pem", [][]byte{crl_InterCA_Empty, crl_Root_Empty}); err != nil {
+		log.Fatal(err)
+	}
+
+	if err := writeCRLs("testdata/crl_chain_cert_revoked.pem", [][]byte{crl_Root_Empty, crl_RevokedCert}); err != nil {
+		log.Fatal(err)
+	}
+
+	if err := writeCRLs("testdata/crl_chain_inter_ca_cert_revoked.pem", [][]byte{crl_revokedInterCA, crl_InterCA_Empty}); err != nil {
+		log.Fatal(err)
+	}
+
+	if err := writeCRLs("testdata/crl_chain_irlvt_cert_revoked.pem", [][]byte{crl_InterCA_Empty, crl_irlvtRevokedCert}); err != nil {
+		log.Fatal(err)
+	}
+
 }