advancedtls: add new module for advanced TLS handshaker #3187
Conversation
ZhenLian
force-pushed
the
zhen_spiffe_1
branch
from
fc76a15 to
7c9f9a4
Compare
dfawley
added
Type: Feature
ZhenLian
force-pushed
the
zhen_spiffe_1
branch
from
7c9f9a4 to
906d1f3
Compare
|
@jiangtaoli2016 Could you please take a first round of review on the API design? Thank you so much for the help! |
| serverRoot *x509.CertPool | ||
| serverGetRoot func(rawConn net.Conn, rawCerts [][]byte) (*x509.CertPool, error) | ||
| serverExpectError bool | ||
| }{ |
There was a problem hiding this comment.
We may want to test the cases where the root CA certs do not match the peer certificates. E.g., server provides a valid certificate, but server's CA cert is different from client Root cert.
There was a problem hiding this comment.
Added the following test cases:
- Client_reload_both_certs_verifyFunc_Server_reload_both_certs_mutualTLS
- Client_wrong_peer_cert_Server_reload_both_certs_mutualTLS
- Client_wrong_trust_cert_Server_reload_both_certs_mutualTLS
- Client_reload_both_certs_verifyFunc_Server_wrong_peer_cert
- Client_reload_both_certs_verifyFunc_Server_wrong_trust_cert
|
In current implementation, client has to provide either RootCA or GetRootCA. We see use case grpc/grpc#20530 that client does not know root CA certs in advance. In that case, we give the power to client to validate via VerifyPeer function (since application can access target name and server certain chain). Thus, if client does not provide RootCA or GetRootCA, instead of failing, we just don't validate the server cert and let application decide via VerifyPeer. @ZhenLian Could update your implementation as well? |
ZhenLian
force-pushed
the
zhen_spiffe_1
branch
2 times, most recently
from
128795a to
781f1c0
Compare
|
Thanks @ZhenLian for the implementation. |
|
The API is now updated as: |
ZhenLian
force-pushed
the
zhen_spiffe_1
branch
5 times, most recently
from
74939ed to
43d11d8
Compare
|
@cesarghali Thank you so much for the review! I left a few more comments. Please let me know if anything could be further improved :-) |
|
@cesarghali |
|
Friendly ping :-) |
ZhenLian
force-pushed
the
zhen_spiffe_1
branch
from
d4ad63c to
2e3e312
Compare
ZhenLian
force-pushed
the
zhen_spiffe_1
branch
from
2e3e312 to
850dad9
Compare
ZhenLian
force-pushed
the
zhen_spiffe_1
branch
3 times, most recently
from
35fa648 to
67ad997
Compare
|
@dfawley |
ZhenLian
force-pushed
the
zhen_spiffe_1
branch
from
f3c727d to
aa767af
Compare
|
@dfawley |
ZhenLian
force-pushed
the
zhen_spiffe_1
branch
from
aa767af to
8d72f23
Compare
dfawley
changed the title
This PR contains the implementation and tests of a utility library for some advanced TLS features, including:
Credential Reloading: users are able to reload their credentials without restarting the app. Note that the "credential" here can be a private key, its corresponding certificate bundle, or trusted CA certificate bundle.
Server Authorization: on client side, we let users specify their own functions to check peers' identities when handshakes are finished. This feature is sometimes also referred to as "secure name checking" or "hostname verification".
There are some previous discussions in this deprecated PR: #3044. The goal of this PR remains the same, but change the APIs to provide better functionalities.
This PR includes the implementation and unit tests and integration tests for the client and server without credential reloading. Next PR will cover the integration tests for credential reloading.