diff --git a/embed/etcd.go b/embed/etcd.go index f9cdc0ca9b27..8a885e4dec6d 100644 --- a/embed/etcd.go +++ b/embed/etcd.go @@ -16,15 +16,18 @@ package embed import ( "crypto/tls" + "errors" "fmt" "net" "net/http" "path" + "github.com/cloudflare/cfssl/revoke" "github.com/coreos/etcd/etcdserver" "github.com/coreos/etcd/etcdserver/api/v2http" "github.com/coreos/etcd/pkg/cors" runtimeutil "github.com/coreos/etcd/pkg/runtime" + "github.com/coreos/etcd/pkg/tlsutil" "github.com/coreos/etcd/pkg/transport" "github.com/coreos/etcd/pkg/types" "github.com/coreos/etcd/rafthttp" @@ -272,6 +275,27 @@ func startClientListeners(cfg *Config) (sctxs map[string]*serveCtx, err error) { return sctxs, nil } +func (e *Etcd) revokeCheckHandler(req *http.Request, CRLpath string) error { + if req.TLS == nil { + return nil + } + for _, cert := range req.TLS.PeerCertificates { + var revoked, ok bool + if CRLpath != "" { + revoked, ok = revoke.VerifyCertificateByCRLPath(cert, CRLpath) + } else { + revoked, ok = revoke.VerifyCertificate(cert) + } + if !ok { + return errors.New("Cert check failed") + } + if revoked { + return errors.New("Cert if revoked") + } + } + return nil +} + func (e *Etcd) serve() (err error) { var ctlscfg *tls.Config if !e.cfg.ClientTLSInfo.Empty() { @@ -286,16 +310,23 @@ func (e *Etcd) serve() (err error) { } // Start the peer server in a goroutine - ph := v2http.NewPeerHandler(e.Server) + ph := tlsutil.RevocationCheck( + v2http.NewPeerHandler(e.Server), + e.revokeCheckHandler, + e.cfg.PeerTLSInfo.CRLFile) for _, l := range e.Peers { go func(l net.Listener) { e.errc <- servePeerHTTP(l, ph) }(l) } + clientHandler := tlsutil.RevocationCheck( + v2http.NewClientHandler(e.Server, e.Server.Cfg.ReqTimeout()), + e.revokeCheckHandler, + e.cfg.ClientTLSInfo.CRLFile) // Start a client server goroutine for each listen address ch := http.Handler(&cors.CORSHandler{ - Handler: v2http.NewClientHandler(e.Server, e.Server.Cfg.ReqTimeout()), + Handler: clientHandler, Info: e.cfg.CorsInfo, }) for _, sctx := range e.sctxs { diff --git a/etcdmain/config.go b/etcdmain/config.go index 5fb4dea4934b..40fc472b53d8 100644 --- a/etcdmain/config.go +++ b/etcdmain/config.go @@ -173,12 +173,14 @@ func newConfig() *config { fs.StringVar(&cfg.ClientTLSInfo.KeyFile, "key-file", "", "Path to the client server TLS key file.") fs.BoolVar(&cfg.ClientTLSInfo.ClientCertAuth, "client-cert-auth", false, "Enable client cert authentication.") fs.StringVar(&cfg.ClientTLSInfo.TrustedCAFile, "trusted-ca-file", "", "Path to the client server TLS trusted CA key file.") + fs.StringVar(&cfg.ClientTLSInfo.CRLFile, "crl-file", "", "Path to the client server certificate revocation list file.") fs.BoolVar(&cfg.ClientAutoTLS, "auto-tls", false, "Client TLS using generated certificates") fs.StringVar(&cfg.PeerTLSInfo.CAFile, "peer-ca-file", "", "DEPRECATED: Path to the peer server TLS CA file.") fs.StringVar(&cfg.PeerTLSInfo.CertFile, "peer-cert-file", "", "Path to the peer server TLS cert file.") fs.StringVar(&cfg.PeerTLSInfo.KeyFile, "peer-key-file", "", "Path to the peer server TLS key file.") fs.BoolVar(&cfg.PeerTLSInfo.ClientCertAuth, "peer-client-cert-auth", false, "Enable peer client cert authentication.") fs.StringVar(&cfg.PeerTLSInfo.TrustedCAFile, "peer-trusted-ca-file", "", "Path to the peer server TLS trusted CA file.") + fs.StringVar(&cfg.PeerTLSInfo.CRLFile, "peer-crl-file", "", "Path to the peer server certificate revocation list file.") fs.BoolVar(&cfg.PeerAutoTLS, "peer-auto-tls", false, "Peer TLS using generated certificates") // logging diff --git a/etcdmain/help.go b/etcdmain/help.go index e425a90cd36a..b3fd8ef8ee1e 100644 --- a/etcdmain/help.go +++ b/etcdmain/help.go @@ -118,6 +118,8 @@ security flags: enable client cert authentication. --trusted-ca-file '' path to the client server TLS trusted CA key file. + --crl-file '' + path to the client server certificate revocation list file. --auto-tls 'false' client TLS using generated certificates. --peer-ca-file '' [DEPRECATED] @@ -130,6 +132,8 @@ security flags: enable peer client cert authentication. --peer-trusted-ca-file '' path to the peer server TLS trusted CA file. + --peer-crl-file '' + path to the peer server certificate revocation list file. --peer-auto-tls 'false' peer TLS using self-generated certificates if --peer-key-file and --peer-cert-file are not provided. diff --git a/pkg/tlsutil/tlsutil.go b/pkg/tlsutil/tlsutil.go index 79b1f632ed51..1cca0ae0c22a 100644 --- a/pkg/tlsutil/tlsutil.go +++ b/pkg/tlsutil/tlsutil.go @@ -18,7 +18,11 @@ import ( "crypto/tls" "crypto/x509" "encoding/pem" + "fmt" "io/ioutil" + "net/http" + + etcdErr "github.com/coreos/etcd/error" ) // NewCertPool creates x509 certPool with provided CA files. @@ -70,3 +74,16 @@ func NewCert(certfile, keyfile string, parseFunc func([]byte, []byte) (tls.Certi } return &tlsCert, nil } + +func RevocationCheck(handler http.Handler, checker func(*http.Request, string) error, CRLpath string) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { + err := checker(req, CRLpath) + if err == nil { + handler.ServeHTTP(w, req) + return + } + w.WriteHeader(http.StatusForbidden) + e := etcdErr.NewError(etcdErr.EcodeUnauthorized, fmt.Sprint(err), 0) + e.WriteTo(w) + }) +} diff --git a/pkg/transport/listener.go b/pkg/transport/listener.go index d94757b2c52b..3ba4ab82e41b 100644 --- a/pkg/transport/listener.go +++ b/pkg/transport/listener.go @@ -62,6 +62,7 @@ type TLSInfo struct { KeyFile string CAFile string TrustedCAFile string + CRLFile string ClientCertAuth bool selfCert bool @@ -72,7 +73,7 @@ type TLSInfo struct { } func (info TLSInfo) String() string { - return fmt.Sprintf("cert = %s, key = %s, ca = %s, trusted-ca = %s, client-cert-auth = %v", info.CertFile, info.KeyFile, info.CAFile, info.TrustedCAFile, info.ClientCertAuth) + return fmt.Sprintf("cert = %s, key = %s, ca = %s, trusted-ca = %s, cert-auth = %v, crl-file = %s", info.CertFile, info.KeyFile, info.CAFile, info.TrustedCAFile, info.ClientCertAuth, info.CRLFile) } func (info TLSInfo) Empty() bool {