feat: add CRL support (#22)

Currently, octo-proxy lacks the capability to verify the peer certificate against the CRL. This PR introduces CRL validation during the TLS handshake.

This CRL validation will only occur if the user enables the crl configuration by defining the CRL path in the tls field.

This validation can be used in both server and client.

Issue: #19

Author: nothinux

.github/workflows/release.yml

@@ -19,7 +19,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.17
+          go-version: 1.21
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
         with:

.github/workflows/test.yml

@@ -12,7 +12,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.17
+          go-version: 1.21
 
       - name: Check out code
         uses: actions/checkout@v2

docs/CONFIGURATION.md

@@ -36,6 +36,7 @@
 | cert     | `<string>`    | The path to the Certificate file, this option need to be set if the mode is `mutual` to authenticate/verify the server/client.                   | yes      |
 | key      | `<string>`    | The path to the Private key file, this option need to be set if the mode is `mutual`.                  | yes      |
 | sni      | `<string>`    | Set SNI during TLS handshake                  | no      |
+| crl      | `<string>`    | The path to CRL file, If the CRL is configured, the server/client will verify the peer's certificate against the CRL     | no      |
 
 ## tlsMode
 | Field     | Type          | Description                     |
@@ -46,6 +47,6 @@
 > Currently, in mutual mode octo-proxy will only verify the ip address of it's client and try to match it with ip sans in certificate. In the future we will adding more alternative names verification.
 
 ## Metrics
-| Field    | Type          | Description                     |                                                 | Required |
-| -------- | ------------- | ------------------------------- | ----------------------------------------------- | -------- |
+| Field    | Type          | Description                     | Required |
+| -------- | ------------- | ------------------------------- | -------- |
 | metrics  | [HostConfig]  | Configures the host and port for the metrics server, currently doesn't support tls settings | no       |

go.mod

@@ -1,6 +1,6 @@
 module github.com/nothinux/octo-proxy
 
-go 1.17
+go 1.21
 
 require (
 	github.com/kavu/go_reuseport v1.5.0

pkg/config/config.go

@@ -56,6 +56,7 @@ type TLSConfig struct {
 	Cert            string   `yaml:"cert"`
 	Key             string   `yaml:"key"`
 	SNI             string   `yaml:"sni"`
+	CRL             string   `yaml:"crl"`
 	Mode            string   `yaml:"mode"`
 	SubjectAltNames []string `yaml:"subjectAltNames"`
 	SubjectAltName

pkg/proxy/helper.go

@@ -1,11 +1,16 @@
 package proxy
 
 import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
 	"net"
+	"os"
 
 	goerrors "errors"
 
 	"github.com/nothinux/octo-proxy/pkg/config"
+	"github.com/nothinux/octo-proxy/pkg/errors"
 	"github.com/prometheus/client_golang/prometheus"
 )
 
@@ -25,3 +30,64 @@ func errCopy(err error, tConf config.HostConfig) error {
 func timeoutIsZero(c config.HostConfig) bool {
 	return c.ConnectionConfig.TimeoutDuration == 0
 }
+
+func getCACertPool(c config.TLSConfig) (*x509.CertPool, error) {
+	cacert, err := os.ReadFile(c.CaCert)
+	if err != nil {
+		return nil, err
+	}
+
+	pool := x509.NewCertPool()
+	if ok := pool.AppendCertsFromPEM(cacert); !ok {
+		return nil, errors.New("tlsConfig", "can't add CA to pool")
+	}
+
+	return pool, nil
+}
+
+func getCACertificate(c config.TLSConfig) (*x509.Certificate, error) {
+	cacert, err := os.ReadFile(c.CaCert)
+	if err != nil {
+		return nil, err
+	}
+
+	b, _ := pem.Decode(cacert)
+	if b == nil {
+		return nil, goerrors.New("error: can't decode CA file")
+	}
+
+	return x509.ParseCertificate(b.Bytes)
+}
+
+func getCACRL(c config.TLSConfig) (*x509.RevocationList, error) {
+	rawCRL, err := os.ReadFile(c.CRL)
+	if err != nil {
+		return nil, err
+	}
+
+	b, _ := pem.Decode(rawCRL)
+	if b == nil {
+		return nil, goerrors.New("error: can't decode CRL file")
+	}
+
+	return x509.ParseRevocationList(b.Bytes)
+}
+
+func getCertKeyPair(c config.TLSConfig) (tls.Certificate, error) {
+	pcert, err := os.ReadFile(c.Cert)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+
+	pkey, err := os.ReadFile(c.Key)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+
+	cert, err := tls.X509KeyPair(pcert, pkey)
+	if err != nil {
+		return tls.Certificate{}, errors.New("tlsConfig", "can't parse public & private key pair "+err.Error())
+	}
+
+	return cert, nil
+}

pkg/proxy/helper_test.go

@@ -1,6 +1,8 @@
 package proxy
 
 import (
+	"errors"
+	"strings"
 	"testing"
 	"time"
 
@@ -43,3 +45,171 @@ func TestTimeoutIsZero(t *testing.T) {
 		})
 	}
 }
+
+func TestGetCACertPool(t *testing.T) {
+	tests := []struct {
+		Name      string
+		Config    config.TLSConfig
+		wantError error
+	}{
+		{
+			Name:      "Check ca-cert file",
+			Config:    config.TLSConfig{CaCert: "../testdata/ca-cert.pem"},
+			wantError: nil,
+		},
+		{
+			Name:      "Check if ca-cert file not found",
+			Config:    config.TLSConfig{CaCert: "/tmp/zzz"},
+			wantError: errors.New("no such file or directory"),
+		},
+		{
+			Name:      "Check not ca-cert file",
+			Config:    config.TLSConfig{CaCert: "../testdata/file"},
+			wantError: errors.New("can't add CA to pool"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.Name, func(t *testing.T) {
+			_, err := getCACertPool(tt.Config)
+			if err != tt.wantError {
+				if !strings.Contains(err.Error(), tt.wantError.Error()) {
+					t.Fatalf("got %v, want %v", err, tt.wantError)
+				}
+			}
+		})
+	}
+}
+
+func TestGetCertKeyPair(t *testing.T) {
+	tests := []struct {
+		Name      string
+		Config    config.TLSConfig
+		wantError error
+	}{
+		{
+			Name: "Check if cert file not found",
+			Config: config.TLSConfig{
+				Cert: "../testdata/zzzz",
+			},
+			wantError: errors.New("no such file or directory"),
+		},
+		{
+			Name: "Check if key file not found",
+			Config: config.TLSConfig{
+				Cert: "../testdata/cert.pem",
+				Key:  "../testdata/zzzz",
+			},
+			wantError: errors.New("no such file or directory"),
+		},
+		{
+			Name: "Check if cert and key is not match",
+			Config: config.TLSConfig{
+				Cert: "../testdata/cert.pem",
+				Key:  "../testdata/ca-key.pem",
+			},
+			wantError: errors.New("can't parse public & private key pair tls: private key does not match public key"),
+		},
+		{
+			Name: "Check if cert and key is match",
+			Config: config.TLSConfig{
+				Cert: "../testdata/cert.pem",
+				Key:  "../testdata/cert-key.pem",
+			},
+			wantError: nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.Name, func(t *testing.T) {
+			_, err := getCertKeyPair(tt.Config)
+			if err != tt.wantError {
+				if !strings.Contains(err.Error(), tt.wantError.Error()) {
+					t.Fatalf("got %v, want %v", err, tt.wantError)
+				}
+			}
+		})
+	}
+}
+
+func TestGetCACertificate(t *testing.T) {
+	tests := []struct {
+		Name      string
+		Config    config.TLSConfig
+		wantError error
+	}{
+		{
+			Name: "Test if cert file not found",
+			Config: config.TLSConfig{
+				CaCert: "../testdata/zzzz",
+			},
+			wantError: errors.New("no such file or directory"),
+		},
+		{
+			Name: "Test invalid certificate file",
+			Config: config.TLSConfig{
+				CaCert: "../testdata/file",
+			},
+			wantError: errors.New("can't decode CA file"),
+		},
+		{
+			Name: "Test valid certificate file",
+			Config: config.TLSConfig{
+				CaCert: "../testdata/ca-cert.pem",
+			},
+			wantError: nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.Name, func(t *testing.T) {
+			_, err := getCACertificate(tt.Config)
+			if err != tt.wantError {
+				if !strings.Contains(err.Error(), tt.wantError.Error()) {
+					t.Fatalf("got %v, want %v", err, tt.wantError)
+				}
+			}
+		})
+	}
+}
+
+func TestGetCACRL(t *testing.T) {
+	tests := []struct {
+		Name      string
+		Config    config.TLSConfig
+		wantError error
+	}{
+		{
+			Name: "Test if cert file not found",
+			Config: config.TLSConfig{
+				CRL: "../testdata/zzzz",
+			},
+			wantError: errors.New("no such file or directory"),
+		},
+		{
+			Name: "Test invalid certificate file",
+			Config: config.TLSConfig{
+				CRL: "../testdata/file",
+			},
+			wantError: errors.New("can't decode CRL file"),
+		},
+		{
+			Name: "Test valid certificate file",
+			Config: config.TLSConfig{
+				CRL: "../testdata/ca-crl.pem",
+			},
+			wantError: nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.Name, func(t *testing.T) {
+			_, err := getCACRL(tt.Config)
+			if err != tt.wantError {
+				if !strings.Contains(err.Error(), tt.wantError.Error()) {
+					t.Fatalf("got %v, want %v", err, tt.wantError)
+				}
+			}
+		})
+	}
+}