
[THREESCALE-11404] Adding support for CRL and OCSP #1503

Open
wants to merge 5 commits into
base: master
from


tkan145

@tkan145 tkan145 commented Oct 30, 2024

What

https://issues.redhat.com/browse/THREESCALE-11404

Notes

Verification steps

  • Checkout this branch and build a new runtime-image
make runtime-image IMAGE_NAME=apicast-test
  • Get into dev-environment
cd dev-environments/listen-tls

Prepare cert

  • Prepare files
cd cert
touch index.txt
echo 1000 > serial
echo 1000 > crlnumber
  • Edit the Makefile as follows
diff --git a/dev-environments/listen-tls/cert/Makefile b/dev-environments/listen-tls/cert/Makefile
index 1739aa70..291fc0a9 100644
--- a/dev-environments/listen-tls/cert/Makefile
+++ b/dev-environments/listen-tls/cert/Makefile
@@ -1,15 +1,83 @@
+DOMAIN=example.com
+
 clean:
 	- rm *.crt *.key *.pem *.csr
 
-ca: 
-	openssl genrsa -out rootCA.key 2048 
-	openssl req -batch -new -x509 -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
+all: ca intermediate ca-chain crl ocsp server client revoked_client
 
-clientcerts:	
+ca:
+	openssl genrsa -out rootCA.key.pem 2048
+	openssl req -config root-ca.cnf \
+	  -key rootCA.key.pem \
+	  -new -x509 -days 3650 -sha256 -extensions v3_ca \
+      -out rootCA.cert.pem \
+	  -subj "/C=US/CN=ca.$(DOMAIN)"
+
+intermediate:
+	openssl genrsa -out intermediate.key.pem 2048
+	openssl req -config root-ca.cnf \
+      -key intermediate.key.pem \
+      -new -sha256 \
+      -out intermediate.csr.pem \
+      -subj "/C=US/CN=intermediate.cert.$(DOMAIN)"
+	openssl ca -config root-ca.cnf \
+	  -extensions v3_intermediate_ca -days 2650 -notext -batch \
+	  -in intermediate.csr.pem \
+	  -out intermediate.cert.pem
+
+ca-chain:
+	cat intermediate.cert.pem rootCA.cert.pem > ca-chain.cert.pem
+
+crl:
+	openssl ca -config root-ca.cnf \
+	  -gencrl -out intermediate.crl.pem
+
+ocsp:
+	openssl genrsa -out ocsp.key.pem 2048
+	openssl req -config root-ca.cnf -new -sha256 \
+      -key ocsp.key.pem \
+      -out ocsp.csr.pem \
+      -nodes \
+      -subj "/CN=ocsp-cert.$(DOMAIN)"
+	openssl ca -config root-ca.cnf \
+	  -extensions v3_intermediate_ca -days 2650 -notext -batch \
+	  -in ocsp.csr.pem \
+	  -out ocsp.cert.pem
+
+server:
 	openssl req -subj '/CN=$(DOMAIN)'  -newkey rsa:4096 -nodes \
 			-sha256 \
 			-days 3650 \
 			-keyout $(DOMAIN).key \
-			-out $(DOMAIN).csr 
+			-out $(DOMAIN).csr
 	chmod +r $(DOMAIN).key
-	openssl x509 -req -in $(DOMAIN).csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out $(DOMAIN).crt -days 500 -sha256
+	openssl ca -config root-ca.cnf \
+	  -extensions v3_intermediate_ca -days 2650 -notext -batch \
+	  -in $(DOMAIN).csr \
+	  -out $(DOMAIN).pem
+
+client:
+	openssl req -subj '/CN=client.$(DOMAIN)'  -newkey rsa:4096 -nodes \
+			-sha256 \
+			-days 3650 \
+			-keyout client.key \
+			-out client.csr
+	chmod +r client.key
+	openssl ca -config root-ca.cnf \
+	  -extensions v3_intermediate_ca -days 2650 -notext -batch \
+	  -in client.csr \
+	  -out client.pem
+
+revoked_client:
+	openssl req -subj '/CN=revoked_client.$(DOMAIN)'  -newkey rsa:4096 -nodes \
+			-sha256 \
+			-days 3650 \
+			-keyout revoked-client.key \
+			-out revoked-client.csr
+	chmod +r revoked-client.key
+	openssl ca -config root-ca.cnf \
+	  -extensions v3_intermediate_ca -days 2650 -notext -batch \
+	  -in revoked-client.csr \
+	  -out revoked-client.pem
+	openssl ca -config root-ca.cnf -revoke revoked-client.pem
+                         
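Review bot: Every issuing call in this hunk passes `-extensions v3_intermediate_ca` (the `ocsp`, `server`, `client` and `revoked_client` recipes), so with the root-ca.cnf given in the description those leaf certificates are minted with `basicConstraints = critical, CA:true, pathlen:0` and a keyUsage containing `keyCertSign`, and the OCSP signer carries no `extendedKeyUsage = OCSPSigning`; a fixture in which every client certificate is itself a CA does not exercise the same validation path as real end-entity certificates. I would add non-CA sections to root-ca.cnf (e.g. `usr_cert`/`server_cert` with `basicConstraints = CA:FALSE` and `extendedKeyUsage = clientAuth`/`serverAuth`, plus an `ocsp` section with `extendedKeyUsage = critical, OCSPSigning`) and reference them here, e.g. `-extensions usr_cert` in the `client` and `revoked_client` recipes. Separately, `all: ca intermediate ca-chain crl ocsp server client revoked_client` lists `crl` before `revoked_client`, so the `intermediate.crl.pem` written by `make all` predates the revocation and will not list the revoked client's serial; move `crl` to the end of that list, and note that prerequisite order is not an ordering guarantee under `make -j` because none of these targets declare the files they consume as prerequisites. Also, the same root-ca.cnf (`certificate = $dir/rootCA.cert.pem`, `private_key = $dir/rootCA.key.pem`) is used for every `openssl ca` call, so it looks like the intermediate key never signs anything and the server/client certificates are issued directly by the root — confirm that is intended, since the apicast-config.json `whitelist` carries only intermediate.cert.pem. Finally, none of these command targets are declared in `.PHONY`, and the `chmod +r` lines make the private keys world-readable, which is acceptable for a throwaway dev fixture but deserves a one-line comment saying so.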
  • Create root-ca.cnf
[ ca ]
default_ca      = CA_default            # The default ca section

[ CA_default ]
dir             = .             # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
database        = $dir/index.txt        # database index file.
                                        # several certs with same subject.
new_certs_dir   = $dir            # default place for new certs.
certificate     = $dir/rootCA.cert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
private_key     = $dir/rootCA.key.pem # The private key

name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha256                # use SHA-256 by default
preserve        = no                    # keep passed DN ordering
policy          = policy_match

[ policy_match ]
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits            = 4096
default_md              = sha256
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
x509_extensions         = v3_ca
string_mask             = nombstr

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = US
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = CA
localityName                    = Locality Name (eg, city)
localityName_default            = Testland
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Testers
organizationalUnitName          = Organizational Unit Name (eg, section)
commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 64
emailAddress_default            = [email protected]

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true

[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
  • Generate certs
make all

Verify CRL

  • Generate crl.pem
cd cert 
openssl ca -config root-ca.cnf -gencrl -out crl.pem -crldays 3650 
  • Edit docker-compose.yml as follows
diff --git a/dev-environments/listen-tls/docker-compose.yml b/dev-environments/listen-tls/docker-compose.yml
index 476ca81f..ae286cd8 100644
--- a/dev-environments/listen-tls/docker-compose.yml
+++ b/dev-environments/listen-tls/docker-compose.yml
@@ -10,7 +10,7 @@ services:
     - two.upstream
     environment:
       APICAST_HTTPS_PORT: 8443
-      APICAST_HTTPS_CERTIFICATE: /var/run/secrets/apicast/example.com.crt
+      APICAST_HTTPS_CERTIFICATE: /var/run/secrets/apicast/example.com.pem
       APICAST_HTTPS_CERTIFICATE_KEY: /var/run/secrets/apicast/example.com.key
       THREESCALE_CONFIG_FILE: /tmp/config.json
       THREESCALE_DEPLOYMENT_ENV: staging
  • Edit apicast-config.json
diff --git a/dev-environments/listen-tls/apicast-config.json b/dev-environments/listen-tls/apicast-config.json
index 06014cab..79dcc31d 100644
--- a/dev-environments/listen-tls/apicast-config.json
+++ b/dev-environments/listen-tls/apicast-config.json
@@ -11,6 +11,18 @@
           "host": "backend"
         },
         "policy_chain": [
+          {
+            "name": "apicast.policy.tls_validation",
+            "configuration": {
+                "whitelist": [
+                    {"pem_certificate": " <intermediate_cert> "}
+                ],
+                "revoke_list": [
+                    {"pem_certificate": "<crl_cert>"}
+                ],
+                "revocation_check_type": "crl"
+            }
+          },
           {
             "name": "apicast.policy.apicast"
           }
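Review bot: The `revoke_list` entry `{"pem_certificate": "<crl_cert>"}` is filled, per the instruction below the hunk, from `cert/intermediate.crl.pem`, but the "Verify CRL" step just above generates a different file, `crl.pem`, via `openssl ca -config root-ca.cnf -gencrl -out crl.pem -crldays 3650`; only the CRL produced after `revoked_client` has run can contain the revoked serial, so the two steps appear to disagree on which file the policy should load — please point both at the same, post-revocation CRL. The `whitelist` placeholder `" <intermediate_cert> "` also carries stray spaces inside the string while `"<crl_cert>"` does not; if the PEM parser is whitespace-tolerant this is harmless, but `"<intermediate_cert>"` avoids the question.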

Replace <intermediate_cert> with the content from cert/intermediate.cert.pem and <crl_cert> with content from cert/intermediate.crl.pem

  • Start the gateway
make gateway IMAGE_NAME=apicast-test
  • Send request
curl --resolve example.com:8443:127.0.0.1 -v --cacert cert/rootCA.cert.pem --cert cert/client.pem --key cert/client.key "https://example.com:8443/?user_key=123"

Verify OCSP

@tkan145 tkan145 requested a review from a team as a code owner October 30, 2024 06:43
@tkan145 tkan145 force-pushed the THREESCALE-11404-crl-and-ocsp branch 4 times, most recently from cd952f8 to 680ea5f Compare February 5, 2025 06:54
@tkan145 tkan145 changed the title WIP - [THREESCALE-11404] Adding support for CRL and OCSP [THREESCALE-11404] Adding support for CRL and OCSP Feb 10, 2025
@tkan145 tkan145 force-pushed the THREESCALE-11404-crl-and-ocsp branch from 680ea5f to 3f595c0 Compare February 10, 2025 05:51
@tkan145 tkan145 force-pushed the THREESCALE-11404-crl-and-ocsp branch 4 times, most recently from 20e5708 to 5bad578 Compare March 3, 2025 07:12
@tkan145 tkan145 force-pushed the THREESCALE-11404-crl-and-ocsp branch from 5bad578 to 8b1cb6b Compare March 3, 2025 08:01
@tkan145 tkan145 force-pushed the THREESCALE-11404-crl-and-ocsp branch from 635d76c to b03fc49 Compare March 3, 2025 09:13
@@ -24,13 +24,99 @@
"items": {
"$ref": "#/definitions/certificate"
}
},
"revoke": {

is this being used?

"description": "Allow certificate verification with only an intermediate certificate",
"type": "boolean",
"default": true
},

maybe revoke_list and ocsp_responder_url are missing?

}
},
"properties": {
"whitelist": {
"$ref": "#/definitions/store",
"title": "Certificate Whitelist",
"description": "Individual certificates and CA certificates to be whitelisted."
},
"allow_partial_chain": {

this should be documented somewhere
