git-echo/linux_patch_api
Private
Public Access
1
0
Fork 0
Code Releases 32 Wiki Activity

feat(crl): add CRL consumption and custom verifier for mTLS revocation enforcement

Browse Source 
Implements agent-side CRL consumption for mTLS certificate revocation
checking, as specified in issue #20.

Changes:
- NEW: src/auth/crl.rs - CRL loading, parsing, signature verification,
  in-memory revoked serial index (HashSet), 24h background refresh task
- MODIFY: src/auth/mtls.rs - CrlAwareVerifier wrapping WebPkiClientVerifier
  with post-chain CRL serial lookup; fails closed on invalid signature,
  degrades gracefully when CRL is missing
- MODIFY: src/auth/mod.rs - Register crl module, re-export CrlState/CrlStatus
- MODIFY: src/config/loader.rs - Add crl_path field to TlsConfig
- MODIFY: src/main.rs - Load CRL on startup, spawn refresh task, wire
  SharedCrlState into server and health endpoint
- MODIFY: src/api/handlers/system.rs - Add crl_status and crl_age_seconds
  to health check response
- MODIFY: Cargo.toml - Add arc-swap, base64 deps; enable x509-parser
  verify feature for CRL signature verification

Design decisions:
- ArcSwap for lock-free atomic CRL state swaps on the hot path
- O(1) serial lookup via HashSet<String> of hex-encoded serials
- Stale CRL = continue serving + warn + health reports degraded
- Invalid CRL signature = refuse to start (fail-closed)
- Missing CRL = fall back to WebPKI-only (backward compatible)

Companion to PR #26 in linux-patch-manager (manager-side CRL generation)

Refs: #20
This commit is contained in:
git-echo
2026-06-05 13:42:35 -05:00
parent 734b55b292
commit fe9bdce3c1
8 changed files with 650 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
Cargo.lock generated
View File

@ -390,6 +390,15 @@ version = "1.0.102"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c"
[[package]]
name = "arc-swap"
version = "1.9.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6a3a1fd6f75306b68087b831f025c712524bcb19aad54e557b1129cfa0a2b207"
dependencies = [
"rustversion",
]
[[package]]
name = "arraydeque"
version = "0.5.1"
@ -1925,7 +1934,9 @@ dependencies = [
"actix-web-actors",
"addr",
"anyhow",
"arc-swap",
"async-channel",
"base64 0.22.1",
"chrono",
"clap",
"config",
@ -4271,6 +4282,7 @@ dependencies = [
"lazy_static",
"nom",
"oid-registry",
"ring",
"rusticata-macros",
"thiserror 1.0.69",
"time",

8
Cargo.toml
View File

@ -23,7 +23,7 @@ tokio = { version = "1", features = ["full"] }
rustls = { version = "0.23", features = ["aws_lc_rs"] }
rustls-pemfile = "2"
tokio-rustls = "0.26"
x509-parser = "0.16"
x509-parser = { version = "0.16", features = ["verify"] }
# WebSocket support (actix-web-actors provides WebSocket for Actix-web)
tokio-tungstenite = "0.21"
@ -83,6 +83,12 @@ socket2 = { version = "0.5", features = ["all"] }
# File locking for concurrent-safe whitelist modifications
fs2 = "0.4"
# Atomic swapping for CRL state updates without rebuilding ServerConfig
arc-swap = "1"
# Base64 decoding for PEM CRL parsing
base64 = "0.22"
[dev-dependencies]
actix-rt = "2"
tokio-test = "0.4"

27
src/api/handlers/system.rs
View File

@ -12,6 +12,7 @@ use tracing::{error, info, warn};
use uuid::Uuid;
use super::packages::ApiResponse;
use crate::auth::crl::{CrlStatus, SharedCrlState};
use crate::jobs::manager::{JobManager, JobOperation, JobStatus};
use crate::packages::PackageManagerBackend;
@ -47,6 +48,8 @@ pub struct HealthData {
pub version: String,
pub last_cache_update: Option<String>, // RFC3339 timestamp
pub cache_status: String, // "fresh", "stale", "unknown", "failed"
pub crl_status: Option<String>, // "valid", "expired", "missing", "invalid", "degraded"
pub crl_age_seconds: Option<u64>, // age of on-disk CRL file
}
/// Service status response data
@ -113,6 +116,7 @@ pub async fn get_system_info(
pub async fn health_check(
backend: web::Data<Box<dyn PackageManagerBackend>>,
cache_state: web::Data<crate::packages::cache::PackageCacheState>,
crl_state: web::Data<SharedCrlState>,
_req: HttpRequest,
) -> impl Responder {
let _request_id = Uuid::new_v4().to_string();
@ -134,7 +138,7 @@ pub async fn health_check(
// Check cache status and refresh if stale
let cache_status_val = cache_state.status();
let (status, cache_status_str, last_cache_update) = if cache_state.is_stale() {
let (mut status, cache_status_str, last_cache_update) = if cache_state.is_stale() {
match backend.refresh_package_cache(&cache_state) {
Ok(_) => {
let updated = cache_state.status();
@ -161,12 +165,31 @@ pub async fn health_check(
)
};
// CRL status from shared state
let crl = crl_state.load();
let crl_status_str = match crl.status {
CrlStatus::Valid
| CrlStatus::Expired
| CrlStatus::Missing
| CrlStatus::Invalid
| CrlStatus::Degraded => {
// Downgrade overall health if CRL is invalid
if crl.status == CrlStatus::Invalid {
status = "degraded".to_string();
}
crl.status.to_string()
}
};
let crl_age = crl.crl_age_seconds();
let response = ApiResponse::success(HealthData {
status,
uptime_seconds,
version,
last_cache_update,
cache_status: cache_status_str,
crl_status: Some(crl_status_str),
crl_age_seconds: crl_age,
});
HttpResponse::Ok().json(response)
@ -386,6 +409,8 @@ mod tests {
version: "0.1.0".to_string(),
last_cache_update: Some("2026-05-27T14:00:00+00:00".to_string()),
cache_status: "fresh".to_string(),
crl_status: Some("valid".to_string()),
crl_age_seconds: Some(3600),
};
let json = serde_json::to_string(&health).unwrap();
assert!(json.contains("healthy"));

413
src/auth/crl.rs Normal file
View File

@ -0,0 +1,413 @@
//! CRL (Certificate Revocation List) Loading, Parsing, and Refresh
//!
//! Provides CRL consumption for agent-side mTLS revocation enforcement.
//! Parses CRL from disk, verifies signature against pinned CA,
//! builds an in-memory revoked-serial index, and refreshes from the manager.
use arc_swap::ArcSwap;
use std::collections::HashSet;
use std::fs;
use std::path::{Path, PathBuf};
use std::sync::Arc;
use std::time::{Duration, SystemTime};
use tracing::{debug, error, info, warn};
use x509_parser::prelude::FromDer;
use x509_parser::revocation_list::CertificateRevocationList;
/// CRL status reported via the health endpoint.
#[derive(Debug, Clone, PartialEq, Eq, serde::Serialize)]
#[serde(rename_all = "snake_case")]
pub enum CrlStatus {
/// CRL loaded, signature valid, not expired.
Valid,
/// CRL loaded and signature valid, but nextUpdate has passed.
Expired,
/// No CRL file found on disk.
Missing,
/// CRL exists but failed signature verification -- fail-closed.
Invalid,
/// CRL fetch or load failed; operating in degraded (WebPKI-only) mode.
Degraded,
}
impl std::fmt::Display for CrlStatus {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
match self {
CrlStatus::Valid => write!(f, "valid"),
CrlStatus::Expired => write!(f, "expired"),
CrlStatus::Missing => write!(f, "missing"),
CrlStatus::Invalid => write!(f, "invalid"),
CrlStatus::Degraded => write!(f, "degraded"),
}
}
}
/// In-memory CRL state, atomically swapped on refresh via ArcSwap.
#[derive(Debug, Clone)]
pub struct CrlState {
/// Hex-encoded serial numbers of revoked certificates (lowercase, no prefix).
pub revoked_serials: HashSet<String>,
/// CRL status for health reporting.
pub status: CrlStatus,
/// Time the CRL file was last modified (used to compute age).
pub crl_mtime: Option<SystemTime>,
/// When this CrlState was loaded into memory.
pub loaded_at: SystemTime,
}
impl Default for CrlState {
fn default() -> Self {
Self {
revoked_serials: HashSet::new(),
status: CrlStatus::Missing,
crl_mtime: None,
loaded_at: SystemTime::now(),
}
}
}
impl CrlState {
/// Check whether a certificate serial is revoked.
pub fn is_revoked(&self, serial_hex: &str) -> bool {
self.revoked_serials.contains(serial_hex)
}
/// Age of the on-disk CRL file in seconds.
pub fn crl_age_seconds(&self) -> Option<u64> {
self.crl_mtime.and_then(|mtime| {
SystemTime::now()
.duration_since(mtime)
.ok()
.map(|d| d.as_secs())
})
}
}
/// Shared, atomically-swappable CRL handle.
pub type SharedCrlState = Arc<ArcSwap<CrlState>>;
/// Create a new shared CRL state (initially missing).
pub fn new_shared_state() -> SharedCrlState {
Arc::new(ArcSwap::from_pointee(CrlState::default()))
}
/// Extract the hex-encoded serial from a DER-encoded X.509 certificate.
/// Returns lowercase hex with no separators or prefix.
pub fn cert_serial_hex(cert_der: &[u8]) -> Option<String> {
x509_parser::parse_x509_certificate(cert_der)
.ok()
.map(|(_, cert)| format_serial_hex(&cert.serial))
}
/// Format a BigUint serial as lowercase hex string (no 0x prefix, no colons).
fn format_serial_hex(serial: &x509_parser::num_bigint::BigUint) -> String {
let bytes = serial.to_bytes_be();
bytes.iter().map(|b| format!("{:02x}", b)).collect()
}
/// Load and validate a CRL from disk.
///
/// Steps:
/// 1. Read PEM file
/// 2. Parse CRL with x509-parser
/// 3. Verify CRL signature against the CA certificate
/// 4. Build in-memory revoked-serial index
/// 5. Check nextUpdate for staleness
///
/// Returns the new CrlState. On signature failure, returns CrlStatus::Invalid (fail-closed).
/// On missing file, returns CrlStatus::Missing. On parse error, returns CrlStatus::Degraded.
pub fn load_crl(crl_path: &Path, ca_cert_der: &[u8]) -> CrlState {
let crl_bytes = match fs::read(crl_path) {
Ok(b) => b,
Err(e) => {
if e.kind() == std::io::ErrorKind::NotFound {
info!(path = %crl_path.display(), "No CRL file found -- operating in WebPKI-only mode");
return CrlState {
status: CrlStatus::Missing,
crl_mtime: None,
loaded_at: SystemTime::now(),
revoked_serials: HashSet::new(),
};
}
warn!(path = %crl_path.display(), error = %e, "Failed to read CRL file");
return CrlState {
status: CrlStatus::Degraded,
crl_mtime: None,
loaded_at: SystemTime::now(),
revoked_serials: HashSet::new(),
};
}
};
let crl_mtime = fs::metadata(crl_path).ok().and_then(|m| m.modified().ok());
// Parse PEM: extract the DER block between BEGIN/END X509 CRL markers
let crl_der = match extract_pem_crl_der(&crl_bytes) {
Some(der) => der,
None => {
// Try parsing as raw DER
crl_bytes.clone()
}
};
// Parse CRL
let (_, crl) = match CertificateRevocationList::from_der(&crl_der) {
Ok(r) => r,
Err(e) => {
error!(error = %e, "Failed to parse CRL -- marking as invalid");
return CrlState {
status: CrlStatus::Invalid,
crl_mtime,
loaded_at: SystemTime::now(),
revoked_serials: HashSet::new(),
};
}
};
// Verify CRL signature against CA
let (_, ca_cert) = match x509_parser::parse_x509_certificate(ca_cert_der) {
Ok(r) => r,
Err(e) => {
error!(error = %e, "Failed to parse CA cert for CRL signature verification");
return CrlState {
status: CrlStatus::Invalid,
crl_mtime,
loaded_at: SystemTime::now(),
revoked_serials: HashSet::new(),
};
}
};
let verify_result = crl.verify_signature(ca_cert.public_key());
if let Err(e) = verify_result {
error!(error = %e, "CRL signature verification FAILED -- refusing to use this CRL (fail-closed)");
return CrlState {
status: CrlStatus::Invalid,
crl_mtime,
loaded_at: SystemTime::now(),
revoked_serials: HashSet::new(),
};
}
// Build revoked serial index
let revoked_serials: HashSet<String> = crl
.iter_revoked_certificates()
.map(|revoked| format_serial_hex(revoked.serial()))
.collect();
info!(
revoked_count = revoked_serials.len(),
"CRL loaded and signature verified"
);
// Check nextUpdate for staleness
let now = x509_parser::time::ASN1Time::now();
let is_expired = crl.next_update().map(|next| next < now).unwrap_or(false);
let status = if is_expired {
warn!("CRL nextUpdate has passed -- CRL is stale, continuing with degraded status");
CrlStatus::Expired
} else {
CrlStatus::Valid
};
CrlState {
revoked_serials,
status,
crl_mtime,
loaded_at: SystemTime::now(),
}
}
/// Extract DER bytes from a PEM-encoded CRL.
/// Looks for `-----BEGIN X509 CRL-----` / `-----END X509 CRL-----` blocks.
fn extract_pem_crl_der(pem_bytes: &[u8]) -> Option<Vec<u8>> {
let pem_str = String::from_utf8_lossy(pem_bytes);
let begin_marker = "-----BEGIN X509 CRL-----";
let end_marker = "-----END X509 CRL-----";
let begin_idx = pem_str.find(begin_marker)?;
let after_begin = begin_idx + begin_marker.len();
let end_idx = pem_str[after_begin..].find(end_marker)?;
let b64_block = pem_str[after_begin..after_begin + end_idx].trim();
use base64::Engine;
base64::engine::general_purpose::STANDARD
.decode(b64_block)
.ok()
}
/// Fetch the CRL from the manager, verify, persist, and update in-memory state.
///
/// The CRL endpoint is public (no auth): GET {manager_url}/api/v1/pki/crl.pem
pub async fn refresh_crl(
manager_url: &str,
crl_path: &Path,
ca_cert_der: &[u8],
shared_state: &SharedCrlState,
) -> Result<(), String> {
let crl_url = format!("{}/api/v1/pki/crl.pem", manager_url.trim_end_matches('/'));
info!(url = %crl_url, "Fetching CRL from manager");
let response = reqwest::get(&crl_url)
.await
.map_err(|e| format!("CRL fetch request failed: {}", e))?;
if !response.status().is_success() {
let status = response.status();
return Err(format!("CRL fetch returned HTTP {}", status));
}
let crl_pem = response
.text()
.await
.map_err(|e| format!("Failed to read CRL response body: {}", e))?;
// Persist to disk (atomic write via temp file)
let parent = crl_path.parent().unwrap_or(Path::new("/tmp"));
if !parent.exists() {
fs::create_dir_all(parent).map_err(|e| format!("Failed to create CRL directory: {}", e))?;
}
let tmp_path = crl_path.with_extension("pem.tmp");
fs::write(&tmp_path, &crl_pem).map_err(|e| format!("Failed to write temp CRL file: {}", e))?;
fs::rename(&tmp_path, crl_path)
.map_err(|e| format!("Failed to rename temp CRL file: {}", e))?;
debug!(path = %crl_path.display(), "CRL persisted to disk");
// Load the freshly written CRL to get a validated CrlState
let new_state = load_crl(crl_path, ca_cert_der);
if new_state.status == CrlStatus::Invalid {
return Err("CRL signature verification failed after fetch".to_string());
}
info!(
status = %new_state.status,
revoked = new_state.revoked_serials.len(),
"CRL refreshed successfully"
);
// Atomically swap the in-memory state
shared_state.store(Arc::new(new_state));
Ok(())
}
/// Spawn the CRL refresh background task.
///
/// Runs on a 24-hour interval. On failure, logs a warning and continues
/// serving with the existing (possibly stale) CRL.
pub fn spawn_crl_refresh_task(
manager_url: String,
crl_path: PathBuf,
ca_cert_der: Vec<u8>,
shared_state: SharedCrlState,
) {
let interval = Duration::from_secs(24 * 60 * 60); // 24 hours
tokio::spawn(async move {
// Initial small delay to let the server finish binding
tokio::time::sleep(Duration::from_secs(30)).await;
loop {
let result = refresh_crl(&manager_url, &crl_path, &ca_cert_der, &shared_state).await;
match result {
Ok(()) => {
info!("CRL background refresh completed successfully");
}
Err(e) => {
warn!(
error = %e,
"CRL background refresh failed -- continuing with current CRL"
);
}
}
tokio::time::sleep(interval).await;
}
});
info!(
interval_secs = interval.as_secs(),
"CRL refresh background task spawned"
);
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_format_serial_hex() {
use x509_parser::num_bigint::BigUint;
let serial = BigUint::from(0x0123_abcdu64);
let hex = format_serial_hex(&serial);
assert_eq!(hex, "0123abcd");
}
#[test]
fn test_format_serial_hex_single_byte() {
use x509_parser::num_bigint::BigUint;
let serial = BigUint::from(0x42u64);
let hex = format_serial_hex(&serial);
assert_eq!(hex, "42");
}
#[test]
fn test_crl_state_default_is_missing() {
let state = CrlState::default();
assert_eq!(state.status, CrlStatus::Missing);
assert!(state.revoked_serials.is_empty());
assert!(state.crl_mtime.is_none());
}
#[test]
fn test_crl_state_is_revoked() {
let mut state = CrlState::default();
state.revoked_serials.insert("deadbeef".to_string());
assert!(state.is_revoked("deadbeef"));
assert!(!state.is_revoked("cafef00d"));
}
#[test]
fn test_crl_status_display() {
assert_eq!(CrlStatus::Valid.to_string(), "valid");
assert_eq!(CrlStatus::Expired.to_string(), "expired");
assert_eq!(CrlStatus::Missing.to_string(), "missing");
assert_eq!(CrlStatus::Invalid.to_string(), "invalid");
assert_eq!(CrlStatus::Degraded.to_string(), "degraded");
}
#[test]
fn test_extract_pem_crl_der_invalid() {
// Not PEM
assert!(extract_pem_crl_der(b"not pem").is_none());
// PEM but wrong type
assert!(extract_pem_crl_der(
b"-----BEGIN CERTIFICATE-----\nAA==\n-----END CERTIFICATE-----"
)
.is_none());
}
#[test]
fn test_shared_crl_state_swap() {
let shared = new_shared_state();
let initial = shared.load();
assert_eq!(initial.status, CrlStatus::Missing);
let mut new_state = CrlState::default();
new_state.status = CrlStatus::Valid;
new_state.revoked_serials.insert("abc".to_string());
shared.store(Arc::new(new_state));
let updated = shared.load();
assert_eq!(updated.status, CrlStatus::Valid);
assert!(updated.is_revoked("abc"));
}
}

2
src/auth/mod.rs
View File

@ -6,9 +6,11 @@
//! - Silent drop for non-compliant connections
//! - Comprehensive audit logging
pub mod crl;
pub mod mtls;
pub mod whitelist;
pub use crl::{new_shared_state, CrlState, CrlStatus, SharedCrlState};
pub use mtls::{ClientCertInfo, MtlsConfig, MtlsError, MtlsMiddleware};
pub use whitelist::{WhitelistConfig, WhitelistEntry, WhitelistManager, WhitelistMiddleware};

139
src/auth/mtls.rs
View File

@ -2,6 +2,7 @@
//!
//! Provides mutual TLS authentication middleware for Actix-web.
//! Non-mTLS connections are silently dropped (no response).
//! Supports CRL-aware client certificate verification when CRL is available.
use actix_web::{
dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},
@ -11,14 +12,21 @@ use actix_web::{
use chrono::{DateTime, Duration, Utc};
use futures_util::future::LocalBoxFuture;
use rustls::{
client::danger::HandshakeSignatureValid,
crypto::aws_lc_rs,
server::{ServerConfig, WebPkiClientVerifier},
pki_types::{CertificateDer, UnixTime},
server::{
danger::{ClientCertVerified, ClientCertVerifier},
ServerConfig, WebPkiClientVerifier,
},
version::TLS13,
RootCertStore,
DigitallySignedStruct, DistinguishedName, Error as RustlsError, RootCertStore, SignatureScheme,
};
use rustls_pemfile::{certs, private_key};
use std::{fs::File, io::BufReader, sync::Arc};
use tracing::{debug, info, warn};
use tracing::{debug, error, info, warn};
use super::crl::{cert_serial_hex, SharedCrlState};
/// Check for duplicate critical headers (VULN-006)
/// Returns true if duplicate headers are detected
@ -45,6 +53,107 @@ fn has_duplicate_critical_headers(req: &ServiceRequest) -> bool {
false
}
/// CRL-aware client certificate verifier.
///
/// Wraps WebPkiClientVerifier for chain validation, then checks the
/// end-entity certificate serial against the in-memory CRL index.
/// If CRL is unavailable (Missing/Degraded), falls back to WebPKI-only.
#[derive(Debug)]
struct CrlAwareVerifier {
inner: Arc<dyn ClientCertVerifier>,
crl_state: SharedCrlState,
}
impl CrlAwareVerifier {
fn new(inner: Arc<dyn ClientCertVerifier>, crl_state: SharedCrlState) -> Self {
Self { inner, crl_state }
}
}
impl ClientCertVerifier for CrlAwareVerifier {
fn offer_client_auth(&self) -> bool {
self.inner.offer_client_auth()
}
fn client_auth_mandatory(&self) -> bool {
self.inner.client_auth_mandatory()
}
fn root_hint_subjects(&self) -> &[DistinguishedName] {
self.inner.root_hint_subjects()
}
fn verify_client_cert(
&self,
end_entity: &CertificateDer<'_>,
intermediates: &[CertificateDer<'_>],
now: UnixTime,
) -> Result<ClientCertVerified, RustlsError> {
// 1. Delegate chain validation to WebPKI
self.inner
.verify_client_cert(end_entity, intermediates, now)?;
// 2. Check CRL revocation status
let crl = self.crl_state.load();
match crl.status {
super::crl::CrlStatus::Valid | super::crl::CrlStatus::Expired => {
// CRL is available -- check serial
if let Some(serial_hex) = cert_serial_hex(end_entity.as_ref()) {
if crl.is_revoked(&serial_hex) {
warn!(
serial = %serial_hex,
"Client certificate is revoked per CRL -- rejecting connection"
);
return Err(RustlsError::InvalidCertificate(
rustls::CertificateError::Revoked,
));
}
}
Ok(ClientCertVerified::assertion())
}
super::crl::CrlStatus::Missing | super::crl::CrlStatus::Degraded => {
// No CRL available -- fall back to WebPKI-only (already passed above)
warn!(
status = %crl.status,
"CRL not available -- allowing connection with WebPKI-only verification"
);
Ok(ClientCertVerified::assertion())
}
super::crl::CrlStatus::Invalid => {
// Invalid CRL signature -- fail-closed
error!(
"CRL signature is invalid -- refusing all client certificates (fail-closed)"
);
Err(RustlsError::InvalidCertificate(
rustls::CertificateError::Revoked,
))
}
}
}
fn verify_tls12_signature(
&self,
message: &[u8],
cert: &CertificateDer<'_>,
dss: &DigitallySignedStruct,
) -> Result<HandshakeSignatureValid, RustlsError> {
self.inner.verify_tls12_signature(message, cert, dss)
}
fn verify_tls13_signature(
&self,
message: &[u8],
cert: &CertificateDer<'_>,
dss: &DigitallySignedStruct,
) -> Result<HandshakeSignatureValid, RustlsError> {
self.inner.verify_tls13_signature(message, cert, dss)
}
fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
self.inner.supported_verify_schemes()
}
}
/// mTLS Configuration
#[derive(Debug, Clone)]
pub struct MtlsConfig {
@ -71,12 +180,30 @@ impl MtlsMiddleware {
})
}
/// Build rustls server configuration with client certificate verification
pub fn build_rustls_config(&self) -> Result<Arc<ServerConfig>, MtlsError> {
let client_verifier = WebPkiClientVerifier::builder(self.cert_store.clone())
/// Build rustls server configuration with client certificate verification.
///
/// When `crl_state` is provided and the CRL is available, wraps the
/// WebPkiClientVerifier with CrlAwareVerifier for revocation checking.
/// When CRL is missing/degraded, falls back to WebPKI-only verification.
pub fn build_rustls_config(
&self,
crl_state: Option<SharedCrlState>,
) -> Result<Arc<ServerConfig>, MtlsError> {
let webpki_verifier = WebPkiClientVerifier::builder(self.cert_store.clone())
.build()
.map_err(|e| MtlsError::ClientVerifierError(e.to_string()))?;
let client_verifier: Arc<dyn ClientCertVerifier> = match crl_state {
Some(state) => {
info!("CRL-aware client verification enabled");
Arc::new(CrlAwareVerifier::new(webpki_verifier, state))
}
None => {
info!("No CRL state provided -- using WebPKI-only client verification");
webpki_verifier
}
};
let server_cert = load_certs(&self.config.server_cert_path)?;
let server_key = load_private_key(&self.config.server_key_path)?;

8
src/config/loader.rs
View File

@ -35,6 +35,14 @@ pub struct TlsConfig {
pub server_key: String,
#[serde(default = "default_tls_version")]
pub min_tls_version: String,
/// Path to persist the CRL fetched from the manager.
/// Defaults to /etc/linux_patch_api/certs/crl.pem
#[serde(default = "default_crl_path")]
pub crl_path: String,
}
fn default_crl_path() -> String {
"/etc/linux_patch_api/certs/crl.pem".to_string()
}
fn default_true() -> bool {

52
src/main.rs
View File

@ -27,6 +27,7 @@ use std::sync::Arc;
use tracing::{error, info, warn};
use linux_patch_api::api::{configure_api_routes, configure_health_route};
use linux_patch_api::auth::crl::{self, CrlStatus};
use linux_patch_api::auth::{mtls, MtlsMiddleware, WhitelistManager};
use linux_patch_api::config::loader::{validate_certs, CertStatus};
use linux_patch_api::enroll;
@ -297,6 +298,10 @@ async fn main() -> Result<()> {
let cache_state = web::Data::new(PackageCacheState::new());
info!("Package cache state initialized");
// Initialize shared CRL state (available even when TLS is off for health reporting)
let shared_crl_state = crl::new_shared_state();
let crl_state_data = web::Data::new(shared_crl_state.clone());
// Configure bind address
let bind_address = format!("{}:{}", config.server.bind, config.server.port);
@ -306,7 +311,8 @@ async fn main() -> Result<()> {
.wrap(Logger::default())
.app_data(job_manager_data.clone())
.app_data(backend_data.clone())
.app_data(cache_state.clone());
.app_data(cache_state.clone())
.app_data(crl_state_data.clone());
// Configure API routes
app = app.configure(|cfg| {
@ -345,6 +351,7 @@ async fn main() -> Result<()> {
server_cert = %tls_config.server_cert,
server_key = %tls_config.server_key,
min_tls_version = %tls_config.min_tls_version,
crl_path = %tls_config.crl_path,
"Initializing mTLS authentication with TLS binding"
);
@ -355,11 +362,50 @@ async fn main() -> Result<()> {
min_tls_version: tls_config.min_tls_version.clone(),
};
// Load CRL from disk into the shared CRL state
let crl_path = std::path::PathBuf::from(&tls_config.crl_path);
let ca_cert_der = std::fs::read(&tls_config.ca_cert).unwrap_or_default();
// Load initial CRL from disk (missing is OK -- degraded mode)
let initial_crl = crl::load_crl(&crl_path, &ca_cert_der);
match initial_crl.status {
CrlStatus::Invalid => {
error!("CRL signature is invalid -- refusing to start (fail-closed)");
std::process::exit(ExitCode::Error as i32);
}
CrlStatus::Valid | CrlStatus::Expired => {
info!(
status = %initial_crl.status,
revoked = initial_crl.revoked_serials.len(),
"CRL loaded from disk"
);
shared_crl_state.store(std::sync::Arc::new(initial_crl));
}
CrlStatus::Missing => {
info!("No CRL on disk -- starting in WebPKI-only mode");
}
CrlStatus::Degraded => {
warn!("CRL load failed -- starting in degraded (WebPKI-only) mode");
}
}
// Spawn CRL refresh background task if manager URL is configured
if let Some(manager_url) = config.enrollment_manager_url() {
crl::spawn_crl_refresh_task(
manager_url.to_string(),
crl_path,
ca_cert_der,
shared_crl_state.clone(),
);
} else {
info!("No manager URL configured -- CRL auto-refresh disabled");
}
match MtlsMiddleware::new(mtls_config.clone()) {
Ok(middleware) => {
// Build rustls server configuration
// Build rustls server configuration with CRL-aware verifier
let rustls_config = middleware
.build_rustls_config()
.build_rustls_config(Some(shared_crl_state.clone()))
.map_err(|e| anyhow::anyhow!("Failed to build rustls config: {}", e))?;
info!("mTLS middleware and rustls config initialized successfully");