ocsp stapling working

baalajimaestro: Forward ported to v2.9+

Signed-off-by: baalajimaestro <me@baalajimaestro.me>
This commit is contained in:
Alessandro Chitolina 2021-08-23 10:13:31 +02:00 committed by baalajimaestro
parent 194247caae
commit b82f7f6a44
Signed by: baalajimaestro
GPG key ID: F93C394FE9BBAFD5
15 changed files with 172 additions and 24 deletions

2
go.mod
View file

@ -72,6 +72,7 @@ require (
github.com/vulcand/predicate v1.2.0 github.com/vulcand/predicate v1.2.0
go.elastic.co/apm v1.13.1 go.elastic.co/apm v1.13.1
go.elastic.co/apm/module/apmot v1.13.1 go.elastic.co/apm/module/apmot v1.13.1
golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f
golang.org/x/mod v0.4.2 golang.org/x/mod v0.4.2
golang.org/x/net v0.0.0-20220927171203-f486391704dc golang.org/x/net v0.0.0-20220927171203-f486391704dc
golang.org/x/text v0.3.7 golang.org/x/text v0.3.7
@ -323,7 +324,6 @@ require (
go.uber.org/multierr v1.6.0 // indirect go.uber.org/multierr v1.6.0 // indirect
go.uber.org/ratelimit v0.2.0 // indirect go.uber.org/ratelimit v0.2.0 // indirect
go.uber.org/zap v1.18.1 // indirect go.uber.org/zap v1.18.1 // indirect
golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f // indirect
golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 // indirect golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 // indirect
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect

View file

@ -1154,7 +1154,9 @@ func (in *ServersTransport) DeepCopyInto(out *ServersTransport) {
if in.Certificates != nil { if in.Certificates != nil {
in, out := &in.Certificates, &out.Certificates in, out := &in.Certificates, &out.Certificates
*out = make(tls.Certificates, len(*in)) *out = make(tls.Certificates, len(*in))
copy(*out, *in) for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
} }
if in.ForwardingTimeouts != nil { if in.ForwardingTimeouts != nil {
in, out := &in.ForwardingTimeouts, &out.ForwardingTimeouts in, out := &in.ForwardingTimeouts, &out.ForwardingTimeouts

View file

@ -781,6 +781,9 @@ func (p *Provider) buildMessage() dynamic.Message {
Certificate: traefiktls.Certificate{ Certificate: traefiktls.Certificate{
CertFile: traefiktls.FileOrContent(cert.Certificate.Certificate), CertFile: traefiktls.FileOrContent(cert.Certificate.Certificate),
KeyFile: traefiktls.FileOrContent(cert.Key), KeyFile: traefiktls.FileOrContent(cert.Key),
OCSP: traefiktls.OCSPConfig{
DisableStapling: true,
},
}, },
Stores: []string{cert.Store}, Stores: []string{cert.Store},
} }

View file

@ -26,6 +26,9 @@ func (c *connectCert) getLeaf() traefiktls.Certificate {
return traefiktls.Certificate{ return traefiktls.Certificate{
CertFile: traefiktls.FileOrContent(c.leaf.cert), CertFile: traefiktls.FileOrContent(c.leaf.cert),
KeyFile: traefiktls.FileOrContent(c.leaf.key), KeyFile: traefiktls.FileOrContent(c.leaf.key),
OCSP: traefiktls.OCSPConfig{
DisableStapling: false,
},
} }
} }

View file

@ -328,6 +328,9 @@ func (p *Provider) loadConfigurationFromCRD(ctx context.Context, client Client)
certs = append(certs, tls.Certificate{ certs = append(certs, tls.Certificate{
CertFile: tls.FileOrContent(tlsSecret), CertFile: tls.FileOrContent(tlsSecret),
KeyFile: tls.FileOrContent(tlsKey), KeyFile: tls.FileOrContent(tlsKey),
OCSP: tls.OCSPConfig{
DisableStapling: false,
},
}) })
} }
@ -940,6 +943,9 @@ func buildTLSStores(ctx context.Context, client Client) (map[string]tls.Store, m
tlsStore.DefaultCertificate = &tls.Certificate{ tlsStore.DefaultCertificate = &tls.Certificate{
CertFile: tls.FileOrContent(cert), CertFile: tls.FileOrContent(cert),
KeyFile: tls.FileOrContent(key), KeyFile: tls.FileOrContent(key),
OCSP: tls.OCSPConfig{
DisableStapling: false,
},
} }
} }
@ -1026,6 +1032,9 @@ func getTLS(k8sClient Client, secretName, namespace string) (*tls.CertAndStores,
Certificate: tls.Certificate{ Certificate: tls.Certificate{
CertFile: tls.FileOrContent(cert), CertFile: tls.FileOrContent(cert),
KeyFile: tls.FileOrContent(key), KeyFile: tls.FileOrContent(key),
OCSP: tls.OCSPConfig{
DisableStapling: false,
},
}, },
}, nil }, nil
} }

View file

@ -1357,6 +1357,9 @@ func getTLS(k8sClient Client, secretName v1alpha2.ObjectName, namespace string)
Certificate: tls.Certificate{ Certificate: tls.Certificate{
CertFile: tls.FileOrContent(cert), CertFile: tls.FileOrContent(cert),
KeyFile: tls.FileOrContent(key), KeyFile: tls.FileOrContent(key),
OCSP: tls.OCSPConfig{
DisableStapling: false,
},
}, },
}, nil }, nil
} }

View file

@ -428,6 +428,9 @@ func getCertificates(ctx context.Context, ingress *networkingv1.Ingress, k8sClie
Certificate: tls.Certificate{ Certificate: tls.Certificate{
CertFile: tls.FileOrContent(cert), CertFile: tls.FileOrContent(cert),
KeyFile: tls.FileOrContent(key), KeyFile: tls.FileOrContent(key),
OCSP: tls.OCSPConfig{
DisableStapling: false,
},
}, },
} }
} }

View file

@ -829,6 +829,9 @@ func Test_buildConfiguration(t *testing.T) {
Certificate: tls.Certificate{ Certificate: tls.Certificate{
CertFile: tls.FileOrContent("foobar"), CertFile: tls.FileOrContent("foobar"),
KeyFile: tls.FileOrContent("foobar"), KeyFile: tls.FileOrContent("foobar"),
OCSP: tls.OCSPConfig{
DisableStapling: false,
},
}, },
Stores: []string{ Stores: []string{
"foobar", "foobar",
@ -839,6 +842,9 @@ func Test_buildConfiguration(t *testing.T) {
Certificate: tls.Certificate{ Certificate: tls.Certificate{
CertFile: tls.FileOrContent("foobar"), CertFile: tls.FileOrContent("foobar"),
KeyFile: tls.FileOrContent("foobar"), KeyFile: tls.FileOrContent("foobar"),
OCSP: tls.OCSPConfig{
DisableStapling: false,
},
}, },
Stores: []string{ Stores: []string{
"foobar", "foobar",
@ -903,12 +909,18 @@ func Test_buildConfiguration(t *testing.T) {
DefaultCertificate: &tls.Certificate{ DefaultCertificate: &tls.Certificate{
CertFile: tls.FileOrContent("foobar"), CertFile: tls.FileOrContent("foobar"),
KeyFile: tls.FileOrContent("foobar"), KeyFile: tls.FileOrContent("foobar"),
OCSP: tls.OCSPConfig{
DisableStapling: false,
},
}, },
}, },
"Store1": { "Store1": {
DefaultCertificate: &tls.Certificate{ DefaultCertificate: &tls.Certificate{
CertFile: tls.FileOrContent("foobar"), CertFile: tls.FileOrContent("foobar"),
KeyFile: tls.FileOrContent("foobar"), KeyFile: tls.FileOrContent("foobar"),
OCSP: tls.OCSPConfig{
DisableStapling: false,
},
}, },
}, },
}, },

View file

@ -348,7 +348,8 @@
"certificates": [ "certificates": [
{ {
"certFile": "xxxx", "certFile": "xxxx",
"keyFile": "xxxx" "keyFile": "xxxx",
"ocsp": {}
} }
], ],
"maxIdleConnsPerHost": 42, "maxIdleConnsPerHost": 42,
@ -447,6 +448,7 @@
{ {
"certFile": "xxxx", "certFile": "xxxx",
"keyFile": "xxxx", "keyFile": "xxxx",
"ocsp": {},
"stores": [ "stores": [
"foo" "foo"
] ]
@ -470,7 +472,8 @@
"foo": { "foo": {
"defaultCertificate": { "defaultCertificate": {
"certFile": "xxxx", "certFile": "xxxx",
"keyFile": "xxxx" "keyFile": "xxxx",
"ocsp": {}
} }
} }
} }

View file

@ -1,16 +1,22 @@
package tls package tls
import ( import (
"bytes"
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"errors" "errors"
"fmt" "fmt"
"io"
"io/ioutil"
"net/http"
"net/url" "net/url"
"os" "os"
"sort" "sort"
"strings" "strings"
"time"
"github.com/traefik/traefik/v2/pkg/log" "github.com/traefik/traefik/v2/pkg/log"
"golang.org/x/crypto/ocsp"
) )
var ( var (
@ -45,11 +51,22 @@ var (
} }
) )
// OCSPConfig configures how OCSP is handled.
type OCSPConfig struct {
DisableStapling bool `json:"disableStapling,omitempty" toml:"disableStapling,omitempty" yaml:"disableStapling,omitempty"`
}
// Certificate holds a SSL cert/key pair // Certificate holds a SSL cert/key pair
// Certs and Key could be either a file path, or the file content itself. // Certs and Key could be either a file path, or the file content itself.
type Certificate struct { type Certificate struct {
CertFile FileOrContent `json:"certFile,omitempty" toml:"certFile,omitempty" yaml:"certFile,omitempty"` CertFile FileOrContent `json:"certFile,omitempty" toml:"certFile,omitempty" yaml:"certFile,omitempty"`
KeyFile FileOrContent `json:"keyFile,omitempty" toml:"keyFile,omitempty" yaml:"keyFile,omitempty" loggable:"false"` KeyFile FileOrContent `json:"keyFile,omitempty" toml:"keyFile,omitempty" yaml:"keyFile,omitempty" loggable:"false"`
OCSP OCSPConfig `json:"ocsp,omitempty" toml:"ocsp,omitempty" yaml:"ocsp,omitempty" label:"allowEmpty" file:"allowEmpty"`
Certificate *tls.Certificate `json:"-" toml:"-" yaml:"-"`
SANs []string `json:"-" toml:"-" yaml:"-"`
OCSPServer []string `json:"-" toml:"-" yaml:"-"`
OCSPResponse *ocsp.Response `json:"-" toml:"-" yaml:"-"`
} }
// Certificates defines traefik certificates type // Certificates defines traefik certificates type
@ -101,7 +118,7 @@ func (f FileOrContent) Read() ([]byte, error) {
} }
// AppendCertificate appends a Certificate to a certificates map keyed by store name. // AppendCertificate appends a Certificate to a certificates map keyed by store name.
func (c *Certificate) AppendCertificate(certs map[string]map[string]*tls.Certificate, storeName string) error { func (c *Certificate) AppendCertificate(certs map[string]map[string]*Certificate, storeName string) error {
certContent, err := c.CertFile.Read() certContent, err := c.CertFile.Read()
if err != nil { if err != nil {
return fmt.Errorf("unable to read CertFile : %w", err) return fmt.Errorf("unable to read CertFile : %w", err)
@ -143,7 +160,7 @@ func (c *Certificate) AppendCertificate(certs map[string]map[string]*tls.Certifi
certExists := false certExists := false
if certs[storeName] == nil { if certs[storeName] == nil {
certs[storeName] = make(map[string]*tls.Certificate) certs[storeName] = make(map[string]*Certificate)
} else { } else {
for domains := range certs[storeName] { for domains := range certs[storeName] {
if domains == certKey { if domains == certKey {
@ -152,16 +169,98 @@ func (c *Certificate) AppendCertificate(certs map[string]map[string]*tls.Certifi
} }
} }
} }
if certExists { if certExists {
log.Debugf("Skipping addition of certificate for domain(s) %q, to TLS Store %s, as it already exists for this store.", certKey, storeName) log.Debugf("Skipping addition of certificate for domain(s) %q, to TLS Store %s, as it already exists for this store.", certKey, storeName)
} else { } else {
log.Debugf("Adding certificate for domain(s) %s", certKey) log.Debugf("Adding certificate for domain(s) %s", certKey)
certs[storeName][certKey] = &tlsCert
certs[storeName][certKey] = &Certificate{
Certificate: &tlsCert,
SANs: SANs,
OCSPServer: parsedCert.OCSPServer,
OCSP: OCSPConfig{
DisableStapling: false,
},
}
} }
return err return err
} }
func getOCSPForCert(certificate *Certificate, issuedCertificate *x509.Certificate, issuerCertificate *x509.Certificate) ([]byte, *ocsp.Response, error) {
if len(certificate.OCSPServer) == 0 {
return nil, nil, fmt.Errorf("no OCSP server specified in certificate")
}
respURL := certificate.OCSPServer[0]
ocspReq, err := ocsp.CreateRequest(issuedCertificate, issuerCertificate, nil)
if err != nil {
return nil, nil, fmt.Errorf("creating OCSP request: %w", err)
}
reader := bytes.NewReader(ocspReq)
req, err := http.Post(respURL, "application/ocsp-request", reader)
if err != nil {
return nil, nil, fmt.Errorf("making OCSP request: %w", err)
}
defer req.Body.Close()
ocspResBytes, err := ioutil.ReadAll(io.LimitReader(req.Body, 1024*1024))
if err != nil {
return nil, nil, fmt.Errorf("reading OCSP response: %w", err)
}
ocspRes, err := ocsp.ParseResponse(ocspResBytes, issuerCertificate)
if err != nil {
return nil, nil, fmt.Errorf("parsing OCSP response: %w", err)
}
return ocspResBytes, ocspRes, nil
}
// StapleOCSP populates the ocsp response of the certificate if needed and not disabled by configuration.
func (c *Certificate) StapleOCSP() error {
if c.OCSP.DisableStapling {
return nil
}
ocspResponse := c.OCSPResponse
if ocspResponse != nil && time.Now().Before(ocspResponse.ThisUpdate.Add(ocspResponse.NextUpdate.Sub(ocspResponse.ThisUpdate)/2)) {
return nil
}
leaf, _ := x509.ParseCertificate(c.Certificate.Certificate[0])
var issuerCertificate *x509.Certificate
if len(c.Certificate.Certificate) == 1 {
issuerCertificate = leaf
} else {
ic, err := x509.ParseCertificate(c.Certificate.Certificate[1])
if err != nil {
return fmt.Errorf("cannot parse issuer certificate for %v: %w", c.SANs, err)
}
issuerCertificate = ic
}
ocspBytes, ocspResp, ocspErr := getOCSPForCert(c, leaf, issuerCertificate)
if ocspErr != nil {
return fmt.Errorf("no OCSP stapling for %v: %w", c.SANs, ocspErr)
}
log.WithoutContext().Debugf("ocsp response: %v", ocspResp)
if ocspResp.Status == ocsp.Good {
if ocspResp.NextUpdate.After(leaf.NotAfter) {
return fmt.Errorf("invalid: OCSP response for %v valid after certificate expiration (%s)", c.SANs, leaf.NotAfter.Sub(ocspResp.NextUpdate))
}
c.Certificate.OCSPStaple = ocspBytes
c.OCSPResponse = ocspResp
}
return nil
}
// GetCertificate returns a tls.Certificate matching the configured CertFile and KeyFile. // GetCertificate returns a tls.Certificate matching the configured CertFile and KeyFile.
func (c *Certificate) GetCertificate() (tls.Certificate, error) { func (c *Certificate) GetCertificate() (tls.Certificate, error) {
certContent, err := c.CertFile.Read() certContent, err := c.CertFile.Read()
@ -231,6 +330,9 @@ func (c *Certificates) Set(value string) error {
*c = append(*c, Certificate{ *c = append(*c, Certificate{
CertFile: FileOrContent(files[0]), CertFile: FileOrContent(files[0]),
KeyFile: FileOrContent(files[1]), KeyFile: FileOrContent(files[1]),
OCSP: OCSPConfig{
DisableStapling: false,
},
}) })
} }
return nil return nil

View file

@ -63,7 +63,7 @@ func (c CertificateStore) GetAllDomains() []string {
// Get dynamic certificates // Get dynamic certificates
if c.DynamicCerts != nil && c.DynamicCerts.Get() != nil { if c.DynamicCerts != nil && c.DynamicCerts.Get() != nil {
for domain := range c.DynamicCerts.Get().(map[string]*tls.Certificate) { for domain := range c.DynamicCerts.Get().(map[string]*Certificate) {
allDomains = append(allDomains, domain) allDomains = append(allDomains, domain)
} }
} }
@ -72,7 +72,7 @@ func (c CertificateStore) GetAllDomains() []string {
} }
// GetBestCertificate returns the best match certificate, and caches the response. // GetBestCertificate returns the best match certificate, and caches the response.
func (c *CertificateStore) GetBestCertificate(clientHello *tls.ClientHelloInfo) *tls.Certificate { func (c *CertificateStore) GetBestCertificate(clientHello *tls.ClientHelloInfo) *Certificate {
if c == nil { if c == nil {
return nil return nil
} }
@ -87,12 +87,12 @@ func (c *CertificateStore) GetBestCertificate(clientHello *tls.ClientHelloInfo)
} }
if cert, ok := c.CertCache.Get(serverName); ok { if cert, ok := c.CertCache.Get(serverName); ok {
return cert.(*tls.Certificate) return cert.(*Certificate)
} }
matchedCerts := map[string]*tls.Certificate{} matchedCerts := map[string]*Certificate{}
if c.DynamicCerts != nil && c.DynamicCerts.Get() != nil { if c.DynamicCerts != nil && c.DynamicCerts.Get() != nil {
for domains, cert := range c.DynamicCerts.Get().(map[string]*tls.Certificate) { for domains, cert := range c.DynamicCerts.Get().(map[string]*Certificate) {
for _, certDomain := range strings.Split(domains, ",") { for _, certDomain := range strings.Split(domains, ",") {
if matchDomain(serverName, certDomain) { if matchDomain(serverName, certDomain) {
matchedCerts[certDomain] = cert matchedCerts[certDomain] = cert

View file

@ -59,7 +59,7 @@ func TestGetBestCertificate(t *testing.T) {
test := test test := test
t.Run(test.desc, func(t *testing.T) { t.Run(test.desc, func(t *testing.T) {
t.Parallel() t.Parallel()
dynamicMap := map[string]*tls.Certificate{} dynamicMap := map[string]*Certificate{}
if test.dynamicCert != "" { if test.dynamicCert != "" {
cert, err := loadTestCert(test.dynamicCert, test.uppercase) cert, err := loadTestCert(test.dynamicCert, test.uppercase)
@ -72,7 +72,7 @@ func TestGetBestCertificate(t *testing.T) {
CertCache: cache.New(1*time.Hour, 10*time.Minute), CertCache: cache.New(1*time.Hour, 10*time.Minute),
} }
var expected *tls.Certificate var expected *Certificate
if test.expectedCert != "" { if test.expectedCert != "" {
cert, err := loadTestCert(test.expectedCert, test.uppercase) cert, err := loadTestCert(test.expectedCert, test.uppercase)
require.NoError(t, err) require.NoError(t, err)
@ -89,7 +89,7 @@ func TestGetBestCertificate(t *testing.T) {
} }
} }
func loadTestCert(certName string, uppercase bool) (*tls.Certificate, error) { func loadTestCert(certName string, uppercase bool) (*Certificate, error) {
replacement := "wildcard" replacement := "wildcard"
if uppercase { if uppercase {
replacement = "uppercase_wildcard" replacement = "uppercase_wildcard"
@ -103,5 +103,8 @@ func loadTestCert(certName string, uppercase bool) (*tls.Certificate, error) {
return nil, err return nil, err
} }
return &staticCert, nil return &Certificate{
Certificate: &staticCert,
SANs: []string{},
}, nil
} }

View file

@ -201,12 +201,17 @@ func (m *Manager) Get(storeName, configName string) (*tls.Config, error) {
return nil, nil return nil, nil
} }
return certificate, nil return certificate.Certificate, nil
} }
bestCertificate := store.GetBestCertificate(clientHello) bestCertificate := store.GetBestCertificate(clientHello)
if bestCertificate != nil { if bestCertificate != nil {
return bestCertificate, nil err := bestCertificate.StapleOCSP()
if err != nil {
log.WithoutContext().Warnf("ocsp - error during stable: %w", err)
}
return bestCertificate.Certificate, nil
} }
if sniStrict { if sniStrict {
@ -236,8 +241,8 @@ func (m *Manager) GetCertificates() []*x509.Certificate {
// We iterate over all the certificates. // We iterate over all the certificates.
for _, store := range m.stores { for _, store := range m.stores {
if store.DynamicCerts != nil && store.DynamicCerts.Get() != nil { if store.DynamicCerts != nil && store.DynamicCerts.Get() != nil {
for _, cert := range store.DynamicCerts.Get().(map[string]*tls.Certificate) { for _, cert := range store.DynamicCerts.Get().(map[string]*Certificate) {
x509Cert, err := x509.ParseCertificate(cert.Certificate[0]) x509Cert, err := x509.ParseCertificate(cert.Certificate.Certificate[0])
if err != nil { if err != nil {
continue continue
} }

View file

@ -79,7 +79,7 @@ func TestTLSInStore(t *testing.T) {
tlsManager := NewManager() tlsManager := NewManager()
tlsManager.UpdateConfigs(context.Background(), nil, nil, dynamicConfigs) tlsManager.UpdateConfigs(context.Background(), nil, nil, dynamicConfigs)
certs := tlsManager.GetStore("default").DynamicCerts.Get().(map[string]*tls.Certificate) certs := tlsManager.GetStore("default").DynamicCerts.Get().(map[string]*Certificate)
if len(certs) == 0 { if len(certs) == 0 {
t.Fatal("got error: default store must have TLS certificates.") t.Fatal("got error: default store must have TLS certificates.")
} }
@ -104,7 +104,7 @@ func TestTLSInvalidStore(t *testing.T) {
}, },
}, nil, dynamicConfigs) }, nil, dynamicConfigs)
certs := tlsManager.GetStore("default").DynamicCerts.Get().(map[string]*tls.Certificate) certs := tlsManager.GetStore("default").DynamicCerts.Get().(map[string]*Certificate)
if len(certs) == 0 { if len(certs) == 0 {
t.Fatal("got error: default store must have TLS certificates.") t.Fatal("got error: default store must have TLS certificates.")
} }

View file

@ -36,7 +36,7 @@ import (
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CertAndStores) DeepCopyInto(out *CertAndStores) { func (in *CertAndStores) DeepCopyInto(out *CertAndStores) {
*out = *in *out = *in
out.Certificate = in.Certificate in.Certificate.DeepCopyInto(&out.Certificate)
if in.Stores != nil { if in.Stores != nil {
in, out := &in.Stores, &out.Stores in, out := &in.Stores, &out.Stores
*out = make([]string, len(*in)) *out = make([]string, len(*in))
@ -135,7 +135,7 @@ func (in *Store) DeepCopyInto(out *Store) {
if in.DefaultCertificate != nil { if in.DefaultCertificate != nil {
in, out := &in.DefaultCertificate, &out.DefaultCertificate in, out := &in.DefaultCertificate, &out.DefaultCertificate
*out = new(Certificate) *out = new(Certificate)
**out = **in (*in).DeepCopyInto(*out)
} }
if in.DefaultGeneratedCert != nil { if in.DefaultGeneratedCert != nil {
in, out := &in.DefaultGeneratedCert, &out.DefaultGeneratedCert in, out := &in.DefaultGeneratedCert, &out.DefaultGeneratedCert