From c76f686c517261380b0a9a98d16510f271e4895e Mon Sep 17 00:00:00 2001 From: Gregory Cooke Date: Wed, 8 May 2024 10:59:33 -0400 Subject: [PATCH] advancedTLS: Rename get root certs related pieces (#7207) --- security/advancedtls/advancedtls.go | 111 ++++++++++++------ .../advancedtls_integration_test.go | 30 ++--- security/advancedtls/advancedtls_test.go | 111 ++++++++++-------- 3 files changed, 152 insertions(+), 100 deletions(-) diff --git a/security/advancedtls/advancedtls.go b/security/advancedtls/advancedtls.go index 0a353c39ff7b..4becabc830de 100644 --- a/security/advancedtls/advancedtls.go +++ b/security/advancedtls/advancedtls.go @@ -87,31 +87,52 @@ type PostHandshakeVerificationFunc func(params *HandshakeVerificationInfo) (*Pos // Deprecated: use PostHandshakeVerificationFunc instead. type CustomVerificationFunc = PostHandshakeVerificationFunc -// GetRootCAsParams contains the parameters available to users when -// implementing GetRootCAs. -type GetRootCAsParams struct { - RawConn net.Conn +// ConnectionInfo contains the parameters available to users when +// implementing GetRootCertificates. +type ConnectionInfo struct { + // RawConn is the raw net.Conn representing a connection. + RawConn net.Conn + // RawCerts is the byte representation of the presented peer cert chain. RawCerts [][]byte } -// GetRootCAsResults contains the results of GetRootCAs. +// GetRootCAsParams contains the parameters available to users when +// implementing GetRootCAs. +// +// Deprecated: use ConnectionInfo instead. +type GetRootCAsParams = ConnectionInfo + +// RootCertificates is the result of GetRootCertificates. // If users want to reload the root trust certificate, it is required to return // the proper TrustCerts in GetRootCAs. -type GetRootCAsResults struct { +type RootCertificates struct { + // TrustCerts is the pool of trusted certificates. TrustCerts *x509.CertPool } +// GetRootCAsResults contains the results of GetRootCAs. +// If users want to reload the root trust certificate, it is required to return +// the proper TrustCerts in GetRootCAs. +// +// Deprecated: use RootCertificates instead. +type GetRootCAsResults = RootCertificates + // RootCertificateOptions contains options to obtain root trust certificates // for both the client and the server. // At most one option could be set. If none of them are set, we // use the system default trust certificates. type RootCertificateOptions struct { + // If RootCertificates is set, it will be used every time when verifying + // the peer certificates, without performing root certificate reloading. + RootCertificates *x509.CertPool // If RootCACerts is set, it will be used every time when verifying // the peer certificates, without performing root certificate reloading. + // + // Deprecated: use RootCertificates instead. RootCACerts *x509.CertPool // If GetRootCertificates is set, it will be invoked to obtain root certs for // every new connection. - GetRootCertificates func(params *GetRootCAsParams) (*GetRootCAsResults, error) + GetRootCertificates func(params *ConnectionInfo) (*RootCertificates, error) // If RootProvider is set, we will use the root certs from the Provider's // KeyMaterial() call in the new connections. The Provider must have initial // credentials if specified. Otherwise, KeyMaterial() will block forever. @@ -277,6 +298,12 @@ func (o *Options) clientConfig() (*tls.Config, error) { if o.MaxTLSVersion == 0 { o.MaxTLSVersion = o.MaxVersion } + // TODO(gtcooke94) RootCACerts is deprecated, eventually remove this block. + // This will ensure that users still explicitly setting RootCACerts will get + // the setting int the right place. + if o.RootOptions.RootCACerts != nil { + o.RootOptions.RootCertificates = o.RootOptions.RootCACerts + } if o.VerificationType == SkipVerification && o.AdditionalPeerVerification == nil { return nil, fmt.Errorf("client needs to provide custom verification mechanism if choose to skip default verification") } @@ -312,19 +339,19 @@ func (o *Options) clientConfig() (*tls.Config, error) { } // Propagate root-certificate-related fields in tls.Config. switch { - case o.RootOptions.RootCACerts != nil: - config.RootCAs = o.RootOptions.RootCACerts + case o.RootOptions.RootCertificates != nil: + config.RootCAs = o.RootOptions.RootCertificates case o.RootOptions.GetRootCertificates != nil: // In cases when users provide GetRootCertificates callback, since this // callback is not contained in tls.Config, we have nothing to set here. // We will invoke the callback in ClientHandshake. case o.RootOptions.RootProvider != nil: - o.RootOptions.GetRootCertificates = func(*GetRootCAsParams) (*GetRootCAsResults, error) { + o.RootOptions.GetRootCertificates = func(*ConnectionInfo) (*RootCertificates, error) { km, err := o.RootOptions.RootProvider.KeyMaterial(context.Background()) if err != nil { return nil, err } - return &GetRootCAsResults{TrustCerts: km.Roots}, nil + return &RootCertificates{TrustCerts: km.Roots}, nil } default: // No root certificate options specified by user. Use the certificates @@ -381,6 +408,12 @@ func (o *Options) serverConfig() (*tls.Config, error) { if o.MaxTLSVersion == 0 { o.MaxTLSVersion = o.MaxVersion } + // TODO(gtcooke94) RootCACerts is deprecated, eventually remove this block. + // This will ensure that users still explicitly setting RootCACerts will get + // the setting int the right place. + if o.RootOptions.RootCACerts != nil { + o.RootOptions.RootCertificates = o.RootOptions.RootCACerts + } if o.RequireClientCert && o.VerificationType == SkipVerification && o.AdditionalPeerVerification == nil { return nil, fmt.Errorf("server needs to provide custom verification mechanism if choose to skip default verification, but require client certificate(s)") } @@ -420,19 +453,19 @@ func (o *Options) serverConfig() (*tls.Config, error) { } // Propagate root-certificate-related fields in tls.Config. switch { - case o.RootOptions.RootCACerts != nil: - config.ClientCAs = o.RootOptions.RootCACerts + case o.RootOptions.RootCertificates != nil: + config.ClientCAs = o.RootOptions.RootCertificates case o.RootOptions.GetRootCertificates != nil: // In cases when users provide GetRootCertificates callback, since this // callback is not contained in tls.Config, we have nothing to set here. // We will invoke the callback in ServerHandshake. case o.RootOptions.RootProvider != nil: - o.RootOptions.GetRootCertificates = func(*GetRootCAsParams) (*GetRootCAsResults, error) { + o.RootOptions.GetRootCertificates = func(*ConnectionInfo) (*RootCertificates, error) { km, err := o.RootOptions.RootProvider.KeyMaterial(context.Background()) if err != nil { return nil, err } - return &GetRootCAsResults{TrustCerts: km.Roots}, nil + return &RootCertificates{TrustCerts: km.Roots}, nil } default: // No root certificate options specified by user. Use the certificates @@ -477,12 +510,12 @@ func (o *Options) serverConfig() (*tls.Config, error) { // advancedTLSCreds is the credentials required for authenticating a connection // using TLS. type advancedTLSCreds struct { - config *tls.Config - verifyFunc PostHandshakeVerificationFunc - getRootCAs func(params *GetRootCAsParams) (*GetRootCAsResults, error) - isClient bool - revocationOptions *RevocationOptions - verificationType VerificationType + config *tls.Config + verifyFunc PostHandshakeVerificationFunc + getRootCertificates func(params *ConnectionInfo) (*RootCertificates, error) + isClient bool + revocationOptions *RevocationOptions + verificationType VerificationType } func (c advancedTLSCreds) Info() credentials.ProtocolInfo { @@ -548,10 +581,10 @@ func (c *advancedTLSCreds) ServerHandshake(rawConn net.Conn) (net.Conn, credenti func (c *advancedTLSCreds) Clone() credentials.TransportCredentials { return &advancedTLSCreds{ - config: credinternal.CloneTLSConfig(c.config), - verifyFunc: c.verifyFunc, - getRootCAs: c.getRootCAs, - isClient: c.isClient, + config: credinternal.CloneTLSConfig(c.config), + verifyFunc: c.verifyFunc, + getRootCertificates: c.getRootCertificates, + isClient: c.isClient, } } @@ -588,8 +621,8 @@ func buildVerifyFunc(c *advancedTLSCreds, rootCAs = c.config.ClientCAs } // Reload root CA certs. - if rootCAs == nil && c.getRootCAs != nil { - results, err := c.getRootCAs(&GetRootCAsParams{ + if rootCAs == nil && c.getRootCertificates != nil { + results, err := c.getRootCertificates(&ConnectionInfo{ RawConn: rawConn, RawCerts: rawCerts, }) @@ -661,12 +694,12 @@ func NewClientCreds(o *Options) (credentials.TransportCredentials, error) { return nil, err } tc := &advancedTLSCreds{ - config: conf, - isClient: true, - getRootCAs: o.RootOptions.GetRootCertificates, - verifyFunc: o.AdditionalPeerVerification, - revocationOptions: o.RevocationOptions, - verificationType: o.VerificationType, + config: conf, + isClient: true, + getRootCertificates: o.RootOptions.GetRootCertificates, + verifyFunc: o.AdditionalPeerVerification, + revocationOptions: o.RevocationOptions, + verificationType: o.VerificationType, } tc.config.NextProtos = credinternal.AppendH2ToNextProtos(tc.config.NextProtos) return tc, nil @@ -680,12 +713,12 @@ func NewServerCreds(o *Options) (credentials.TransportCredentials, error) { return nil, err } tc := &advancedTLSCreds{ - config: conf, - isClient: false, - getRootCAs: o.RootOptions.GetRootCertificates, - verifyFunc: o.AdditionalPeerVerification, - revocationOptions: o.RevocationOptions, - verificationType: o.VerificationType, + config: conf, + isClient: false, + getRootCertificates: o.RootOptions.GetRootCertificates, + verifyFunc: o.AdditionalPeerVerification, + revocationOptions: o.RevocationOptions, + verificationType: o.VerificationType, } tc.config.NextProtos = credinternal.AppendH2ToNextProtos(tc.config.NextProtos) return tc, nil diff --git a/security/advancedtls/advancedtls_integration_test.go b/security/advancedtls/advancedtls_integration_test.go index 8682fe696ee5..1eb6a31797c7 100644 --- a/security/advancedtls/advancedtls_integration_test.go +++ b/security/advancedtls/advancedtls_integration_test.go @@ -142,13 +142,13 @@ func (s) TestEnd2End(t *testing.T) { clientCert []tls.Certificate clientGetCert func(*tls.CertificateRequestInfo) (*tls.Certificate, error) clientRoot *x509.CertPool - clientGetRoot func(params *GetRootCAsParams) (*GetRootCAsResults, error) + clientGetRoot func(params *ConnectionInfo) (*RootCertificates, error) clientVerifyFunc PostHandshakeVerificationFunc clientVerificationType VerificationType serverCert []tls.Certificate serverGetCert func(*tls.ClientHelloInfo) ([]*tls.Certificate, error) serverRoot *x509.CertPool - serverGetRoot func(params *GetRootCAsParams) (*GetRootCAsResults, error) + serverGetRoot func(params *ConnectionInfo) (*RootCertificates, error) serverVerifyFunc PostHandshakeVerificationFunc serverVerificationType VerificationType }{ @@ -180,12 +180,12 @@ func (s) TestEnd2End(t *testing.T) { }, clientVerificationType: CertVerification, serverCert: []tls.Certificate{cs.ServerCert1}, - serverGetRoot: func(params *GetRootCAsParams) (*GetRootCAsResults, error) { + serverGetRoot: func(params *ConnectionInfo) (*RootCertificates, error) { switch stage.read() { case 0, 1: - return &GetRootCAsResults{TrustCerts: cs.ServerTrust1}, nil + return &RootCertificates{TrustCerts: cs.ServerTrust1}, nil default: - return &GetRootCAsResults{TrustCerts: cs.ServerTrust2}, nil + return &RootCertificates{TrustCerts: cs.ServerTrust2}, nil } }, serverVerifyFunc: func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) { @@ -208,12 +208,12 @@ func (s) TestEnd2End(t *testing.T) { { desc: "test the reloading feature for server identity callback and client trust callback", clientCert: []tls.Certificate{cs.ClientCert1}, - clientGetRoot: func(params *GetRootCAsParams) (*GetRootCAsResults, error) { + clientGetRoot: func(params *ConnectionInfo) (*RootCertificates, error) { switch stage.read() { case 0, 1: - return &GetRootCAsResults{TrustCerts: cs.ClientTrust1}, nil + return &RootCertificates{TrustCerts: cs.ClientTrust1}, nil default: - return &GetRootCAsResults{TrustCerts: cs.ClientTrust2}, nil + return &RootCertificates{TrustCerts: cs.ClientTrust2}, nil } }, clientVerifyFunc: func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) { @@ -250,12 +250,12 @@ func (s) TestEnd2End(t *testing.T) { { desc: "test client custom verification", clientCert: []tls.Certificate{cs.ClientCert1}, - clientGetRoot: func(params *GetRootCAsParams) (*GetRootCAsResults, error) { + clientGetRoot: func(params *ConnectionInfo) (*RootCertificates, error) { switch stage.read() { case 0: - return &GetRootCAsResults{TrustCerts: cs.ClientTrust1}, nil + return &RootCertificates{TrustCerts: cs.ClientTrust1}, nil default: - return &GetRootCAsResults{TrustCerts: cs.ClientTrust2}, nil + return &RootCertificates{TrustCerts: cs.ClientTrust2}, nil } }, clientVerifyFunc: func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) { @@ -342,7 +342,7 @@ func (s) TestEnd2End(t *testing.T) { GetIdentityCertificatesForServer: test.serverGetCert, }, RootOptions: RootCertificateOptions{ - RootCACerts: test.serverRoot, + RootCertificates: test.serverRoot, GetRootCertificates: test.serverGetRoot, }, RequireClientCert: true, @@ -370,7 +370,7 @@ func (s) TestEnd2End(t *testing.T) { }, AdditionalPeerVerification: test.clientVerifyFunc, RootOptions: RootCertificateOptions{ - RootCACerts: test.clientRoot, + RootCertificates: test.clientRoot, GetRootCertificates: test.clientGetRoot, }, VerificationType: test.clientVerificationType, @@ -787,7 +787,7 @@ func (s) TestDefaultHostNameCheck(t *testing.T) { go s.Serve(lis) clientOptions := &Options{ RootOptions: RootCertificateOptions{ - RootCACerts: test.clientRoot, + RootCertificates: test.clientRoot, }, VerificationType: test.clientVerificationType, } @@ -927,7 +927,7 @@ func (s) TestTLSVersions(t *testing.T) { go s.Serve(lis) clientOptions := &Options{ RootOptions: RootCertificateOptions{ - RootCACerts: cs.ClientTrust1, + RootCertificates: cs.ClientTrust1, }, VerificationType: CertAndHostVerification, MinTLSVersion: test.clientMinVersion, diff --git a/security/advancedtls/advancedtls_test.go b/security/advancedtls/advancedtls_test.go index 27f74721fcf3..34c69058b8b2 100644 --- a/security/advancedtls/advancedtls_test.go +++ b/security/advancedtls/advancedtls_test.go @@ -103,8 +103,8 @@ func (s) TestClientOptionsConfigErrorCases(t *testing.T) { desc: "More than one fields in RootCertificateOptions is specified", clientVerificationType: CertVerification, RootOptions: RootCertificateOptions{ - RootCACerts: x509.NewCertPool(), - RootProvider: fakeProvider{}, + RootCertificates: x509.NewCertPool(), + RootProvider: fakeProvider{}, }, }, { @@ -205,7 +205,7 @@ func (s) TestClientOptionsConfigSuccessCases(t *testing.T) { } // Verify that the system-provided certificates would be used // when no verification method was set in clientOptions. - if clientOptions.RootOptions.RootCACerts == nil && + if clientOptions.RootOptions.RootCertificates == nil && clientOptions.RootOptions.GetRootCertificates == nil && clientOptions.RootOptions.RootProvider == nil { if clientConfig.RootCAs == nil { t.Fatalf("Failed to assign system-provided certificates on the client side.") @@ -253,8 +253,8 @@ func (s) TestServerOptionsConfigErrorCases(t *testing.T) { requireClientCert: true, serverVerificationType: CertVerification, RootOptions: RootCertificateOptions{ - RootCACerts: x509.NewCertPool(), - GetRootCertificates: func(*GetRootCAsParams) (*GetRootCAsResults, error) { + RootCertificates: x509.NewCertPool(), + GetRootCertificates: func(*ConnectionInfo) (*RootCertificates, error) { return nil, nil }, }, @@ -369,7 +369,7 @@ func (s) TestServerOptionsConfigSuccessCases(t *testing.T) { } // Verify that the system-provided certificates would be used // when no verification method was set in serverOptions. - if serverOptions.RootOptions.RootCACerts == nil && + if serverOptions.RootOptions.RootCertificates == nil && serverOptions.RootOptions.GetRootCertificates == nil && serverOptions.RootOptions.RootProvider == nil { if serverConfig.ClientCAs == nil { t.Fatalf("Failed to assign system-provided certificates on the server side.") @@ -384,9 +384,14 @@ func (s) TestClientServerHandshake(t *testing.T) { if err := cs.LoadCerts(); err != nil { t.Fatalf("cs.LoadCerts() failed, err: %v", err) } - getRootCAsForClient := func(params *GetRootCAsParams) (*GetRootCAsResults, error) { + getRootCertificatesForClient := func(params *ConnectionInfo) (*RootCertificates, error) { + return &RootCertificates{TrustCerts: cs.ClientTrust1}, nil + } + + getRootCertificatesForClientDeprecatedTypes := func(params *GetRootCAsParams) (*GetRootCAsResults, error) { return &GetRootCAsResults{TrustCerts: cs.ClientTrust1}, nil } + clientVerifyFuncGood := func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) { if params.ServerName == "" { return nil, errors.New("client side server name should have a value") @@ -401,8 +406,8 @@ func (s) TestClientServerHandshake(t *testing.T) { verifyFuncBad := func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) { return nil, fmt.Errorf("custom verification function failed") } - getRootCAsForServer := func(params *GetRootCAsParams) (*GetRootCAsResults, error) { - return &GetRootCAsResults{TrustCerts: cs.ServerTrust1}, nil + getRootCertificatesForServer := func(params *ConnectionInfo) (*RootCertificates, error) { + return &RootCertificates{TrustCerts: cs.ServerTrust1}, nil } serverVerifyFunc := func(params *HandshakeVerificationInfo) (*PostHandshakeVerificationResults, error) { if params.ServerName != "" { @@ -415,16 +420,16 @@ func (s) TestClientServerHandshake(t *testing.T) { return &PostHandshakeVerificationResults{}, nil } - getRootCAsForServerBad := func(params *GetRootCAsParams) (*GetRootCAsResults, error) { + getRootCertificatesForServerBad := func(params *ConnectionInfo) (*RootCertificates, error) { return nil, fmt.Errorf("bad root certificate reloading") } - getRootCAsForClientCRL := func(params *GetRootCAsParams) (*GetRootCAsResults, error) { - return &GetRootCAsResults{TrustCerts: cs.ClientTrust3}, nil + getRootCertificatesForClientCRL := func(params *ConnectionInfo) (*RootCertificates, error) { + return &RootCertificates{TrustCerts: cs.ClientTrust3}, nil } - getRootCAsForServerCRL := func(params *GetRootCAsParams) (*GetRootCAsResults, error) { - return &GetRootCAsResults{TrustCerts: cs.ServerTrust3}, nil + getRootCertificatesForServerCRL := func(params *ConnectionInfo) (*RootCertificates, error) { + return &RootCertificates{TrustCerts: cs.ServerTrust3}, nil } makeStaticCRLRevocationOptions := func(crlPath string, denyUndetermined bool) *RevocationOptions { @@ -448,7 +453,7 @@ func (s) TestClientServerHandshake(t *testing.T) { clientCert []tls.Certificate clientGetCert func(*tls.CertificateRequestInfo) (*tls.Certificate, error) clientRoot *x509.CertPool - clientGetRoot func(params *GetRootCAsParams) (*GetRootCAsResults, error) + clientGetRoot func(params *ConnectionInfo) (*RootCertificates, error) clientVerifyFunc PostHandshakeVerificationFunc clientVerificationType VerificationType clientRootProvider certprovider.Provider @@ -459,7 +464,7 @@ func (s) TestClientServerHandshake(t *testing.T) { serverCert []tls.Certificate serverGetCert func(*tls.ClientHelloInfo) ([]*tls.Certificate, error) serverRoot *x509.CertPool - serverGetRoot func(params *GetRootCAsParams) (*GetRootCAsResults, error) + serverGetRoot func(params *ConnectionInfo) (*RootCertificates, error) serverVerifyFunc PostHandshakeVerificationFunc serverVerificationType VerificationType serverRootProvider certprovider.Provider @@ -484,7 +489,7 @@ func (s) TestClientServerHandshake(t *testing.T) { // Expected Behavior: success { desc: "Client sets reload root function with verifyFuncGood; server sends peer cert", - clientGetRoot: getRootCAsForClient, + clientGetRoot: getRootCertificatesForClient, clientVerifyFunc: clientVerifyFuncGood, clientVerificationType: CertVerification, serverCert: []tls.Certificate{cs.ServerCert1}, @@ -496,7 +501,7 @@ func (s) TestClientServerHandshake(t *testing.T) { // Reason: custom verification function is bad { desc: "Client sets reload root function with verifyFuncBad; server sends peer cert", - clientGetRoot: getRootCAsForClient, + clientGetRoot: getRootCertificatesForClient, clientVerifyFunc: verifyFuncBad, clientVerificationType: CertVerification, clientExpectHandshakeError: true, @@ -504,13 +509,27 @@ func (s) TestClientServerHandshake(t *testing.T) { serverVerificationType: CertVerification, serverExpectError: true, }, + // Client: set clientGetRoot with deprecated types, clientVerifyFunc and + // clientCert Server: set serverRoot and serverCert with mutual TLS on + // Expected Behavior: success + { + desc: "Client sets peer cert, reload root function with deprecatd types with verifyFuncGood; server sets peer cert and root cert; mutualTLS", + clientCert: []tls.Certificate{cs.ClientCert1}, + clientGetRoot: getRootCertificatesForClientDeprecatedTypes, + clientVerifyFunc: clientVerifyFuncGood, + clientVerificationType: CertVerification, + serverMutualTLS: true, + serverCert: []tls.Certificate{cs.ServerCert1}, + serverRoot: cs.ServerTrust1, + serverVerificationType: CertVerification, + }, // Client: set clientGetRoot, clientVerifyFunc and clientCert // Server: set serverRoot and serverCert with mutual TLS on // Expected Behavior: success { desc: "Client sets peer cert, reload root function with verifyFuncGood; server sets peer cert and root cert; mutualTLS", clientCert: []tls.Certificate{cs.ClientCert1}, - clientGetRoot: getRootCAsForClient, + clientGetRoot: getRootCertificatesForClient, clientVerifyFunc: clientVerifyFuncGood, clientVerificationType: CertVerification, serverMutualTLS: true, @@ -524,12 +543,12 @@ func (s) TestClientServerHandshake(t *testing.T) { { desc: "Client sets peer cert, reload root function with verifyFuncGood; Server sets peer cert, reload root function; mutualTLS", clientCert: []tls.Certificate{cs.ClientCert1}, - clientGetRoot: getRootCAsForClient, + clientGetRoot: getRootCertificatesForClient, clientVerifyFunc: clientVerifyFuncGood, clientVerificationType: CertVerification, serverMutualTLS: true, serverCert: []tls.Certificate{cs.ServerCert1}, - serverGetRoot: getRootCAsForServer, + serverGetRoot: getRootCertificatesForServer, serverVerificationType: CertVerification, }, // Client: set clientGetRoot, clientVerifyFunc and clientCert @@ -540,12 +559,12 @@ func (s) TestClientServerHandshake(t *testing.T) { { desc: "Client sets peer cert, reload root function with verifyFuncGood; Server sets peer cert, bad reload root function; mutualTLS", clientCert: []tls.Certificate{cs.ClientCert1}, - clientGetRoot: getRootCAsForClient, + clientGetRoot: getRootCertificatesForClient, clientVerifyFunc: clientVerifyFuncGood, clientVerificationType: CertVerification, serverMutualTLS: true, serverCert: []tls.Certificate{cs.ServerCert1}, - serverGetRoot: getRootCAsForServerBad, + serverGetRoot: getRootCertificatesForServerBad, serverVerificationType: CertVerification, serverExpectError: true, }, @@ -557,14 +576,14 @@ func (s) TestClientServerHandshake(t *testing.T) { clientGetCert: func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) { return &cs.ClientCert1, nil }, - clientGetRoot: getRootCAsForClient, + clientGetRoot: getRootCertificatesForClient, clientVerifyFunc: clientVerifyFuncGood, clientVerificationType: CertVerification, serverMutualTLS: true, serverGetCert: func(info *tls.ClientHelloInfo) ([]*tls.Certificate, error) { return []*tls.Certificate{&cs.ServerCert1}, nil }, - serverGetRoot: getRootCAsForServer, + serverGetRoot: getRootCertificatesForServer, serverVerifyFunc: serverVerifyFunc, serverVerificationType: CertVerification, }, @@ -578,14 +597,14 @@ func (s) TestClientServerHandshake(t *testing.T) { clientGetCert: func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) { return &cs.ServerCert1, nil }, - clientGetRoot: getRootCAsForClient, + clientGetRoot: getRootCertificatesForClient, clientVerifyFunc: clientVerifyFuncGood, clientVerificationType: CertVerification, serverMutualTLS: true, serverGetCert: func(info *tls.ClientHelloInfo) ([]*tls.Certificate, error) { return []*tls.Certificate{&cs.ServerCert1}, nil }, - serverGetRoot: getRootCAsForServer, + serverGetRoot: getRootCertificatesForServer, serverVerifyFunc: serverVerifyFunc, serverVerificationType: CertVerification, serverExpectError: true, @@ -599,7 +618,7 @@ func (s) TestClientServerHandshake(t *testing.T) { clientGetCert: func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) { return &cs.ClientCert1, nil }, - clientGetRoot: getRootCAsForServer, + clientGetRoot: getRootCertificatesForServer, clientVerifyFunc: clientVerifyFuncGood, clientVerificationType: CertVerification, clientExpectHandshakeError: true, @@ -607,7 +626,7 @@ func (s) TestClientServerHandshake(t *testing.T) { serverGetCert: func(info *tls.ClientHelloInfo) ([]*tls.Certificate, error) { return []*tls.Certificate{&cs.ServerCert1}, nil }, - serverGetRoot: getRootCAsForServer, + serverGetRoot: getRootCertificatesForServer, serverVerifyFunc: serverVerifyFunc, serverVerificationType: CertVerification, serverExpectError: true, @@ -622,14 +641,14 @@ func (s) TestClientServerHandshake(t *testing.T) { clientGetCert: func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) { return &cs.ClientCert1, nil }, - clientGetRoot: getRootCAsForClient, + clientGetRoot: getRootCertificatesForClient, clientVerifyFunc: clientVerifyFuncGood, clientVerificationType: CertVerification, serverMutualTLS: true, serverGetCert: func(info *tls.ClientHelloInfo) ([]*tls.Certificate, error) { return []*tls.Certificate{&cs.ClientCert1}, nil }, - serverGetRoot: getRootCAsForServer, + serverGetRoot: getRootCertificatesForServer, serverVerifyFunc: serverVerifyFunc, serverVerificationType: CertVerification, serverExpectError: true, @@ -643,7 +662,7 @@ func (s) TestClientServerHandshake(t *testing.T) { clientGetCert: func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) { return &cs.ClientCert1, nil }, - clientGetRoot: getRootCAsForClient, + clientGetRoot: getRootCertificatesForClient, clientVerifyFunc: clientVerifyFuncGood, clientVerificationType: CertVerification, clientExpectHandshakeError: true, @@ -651,7 +670,7 @@ func (s) TestClientServerHandshake(t *testing.T) { serverGetCert: func(info *tls.ClientHelloInfo) ([]*tls.Certificate, error) { return []*tls.Certificate{&cs.ServerCert1}, nil }, - serverGetRoot: getRootCAsForClient, + serverGetRoot: getRootCertificatesForClient, serverVerifyFunc: serverVerifyFunc, serverVerificationType: CertVerification, serverExpectError: true, @@ -663,13 +682,13 @@ func (s) TestClientServerHandshake(t *testing.T) { { desc: "Client sets peer cert, reload root function with verifyFuncGood; Server sets bad custom check; mutualTLS", clientCert: []tls.Certificate{cs.ClientCert1}, - clientGetRoot: getRootCAsForClient, + clientGetRoot: getRootCertificatesForClient, clientVerifyFunc: clientVerifyFuncGood, clientVerificationType: CertVerification, clientExpectHandshakeError: true, serverMutualTLS: true, serverCert: []tls.Certificate{cs.ServerCert1}, - serverGetRoot: getRootCAsForServer, + serverGetRoot: getRootCertificatesForServer, serverVerifyFunc: verifyFuncBad, serverVerificationType: CertVerification, serverExpectError: true, @@ -754,7 +773,7 @@ func (s) TestClientServerHandshake(t *testing.T) { { desc: "Client sets peer cert, reload root function with verifyFuncGood; Server sets peer cert, reload root function; mutualTLS", clientCert: []tls.Certificate{cs.ClientCert1}, - clientGetRoot: getRootCAsForClient, + clientGetRoot: getRootCertificatesForClient, clientVerifyFunc: clientVerifyFuncGood, clientVerificationType: CertVerification, clientRevocationOptions: &RevocationOptions{ @@ -764,7 +783,7 @@ func (s) TestClientServerHandshake(t *testing.T) { }, serverMutualTLS: true, serverCert: []tls.Certificate{cs.ServerCert1}, - serverGetRoot: getRootCAsForServer, + serverGetRoot: getRootCertificatesForServer, serverVerificationType: CertVerification, serverRevocationOptions: &RevocationOptions{ RootDir: testdata.Path("crl"), @@ -778,13 +797,13 @@ func (s) TestClientServerHandshake(t *testing.T) { { desc: "Client sets peer cert, reload root function with verifyFuncGood; Server sets peer cert, reload root function; Client uses CRL; mutualTLS", clientCert: []tls.Certificate{cs.ClientCertForCRL}, - clientGetRoot: getRootCAsForClientCRL, + clientGetRoot: getRootCertificatesForClientCRL, clientVerifyFunc: clientVerifyFuncGood, clientVerificationType: CertVerification, clientRevocationOptions: makeStaticCRLRevocationOptions(testdata.Path("crl/provider_crl_empty.pem"), true), serverMutualTLS: true, serverCert: []tls.Certificate{cs.ServerCertForCRL}, - serverGetRoot: getRootCAsForServerCRL, + serverGetRoot: getRootCertificatesForServerCRL, serverVerificationType: CertVerification, }, // Client: set valid credentials with the revocation config @@ -793,13 +812,13 @@ func (s) TestClientServerHandshake(t *testing.T) { { desc: "Client sets peer cert, reload root function with verifyFuncGood; Server sets revoked cert; Client uses CRL; mutualTLS", clientCert: []tls.Certificate{cs.ClientCertForCRL}, - clientGetRoot: getRootCAsForClientCRL, + clientGetRoot: getRootCertificatesForClientCRL, clientVerifyFunc: clientVerifyFuncGood, clientVerificationType: CertVerification, clientRevocationOptions: makeStaticCRLRevocationOptions(testdata.Path("crl/provider_crl_server_revoked.pem"), true), serverMutualTLS: true, serverCert: []tls.Certificate{cs.ServerCertForCRL}, - serverGetRoot: getRootCAsForServerCRL, + serverGetRoot: getRootCertificatesForServerCRL, serverVerificationType: CertVerification, serverExpectError: true, }, @@ -810,13 +829,13 @@ func (s) TestClientServerHandshake(t *testing.T) { { desc: "Client sets peer cert, reload root function with verifyFuncGood; Server sets peer cert, reload root function; Client uses CRL; mutualTLS", clientCert: []tls.Certificate{cs.ClientCertForCRL}, - clientGetRoot: getRootCAsForClientCRL, + clientGetRoot: getRootCertificatesForClientCRL, clientVerifyFunc: clientVerifyFuncGood, clientVerificationType: CertVerification, clientRevocationOptions: makeStaticCRLRevocationOptions(testdata.Path("crl/provider_malicious_crl_empty.pem"), true), serverMutualTLS: true, serverCert: []tls.Certificate{cs.ServerCertForCRL}, - serverGetRoot: getRootCAsForServerCRL, + serverGetRoot: getRootCertificatesForServerCRL, serverVerificationType: CertVerification, serverExpectError: true, }, @@ -836,7 +855,7 @@ func (s) TestClientServerHandshake(t *testing.T) { IdentityProvider: test.serverIdentityProvider, }, RootOptions: RootCertificateOptions{ - RootCACerts: test.serverRoot, + RootCertificates: test.serverRoot, GetRootCertificates: test.serverGetRoot, RootProvider: test.serverRootProvider, }, @@ -881,7 +900,7 @@ func (s) TestClientServerHandshake(t *testing.T) { }, AdditionalPeerVerification: test.clientVerifyFunc, RootOptions: RootCertificateOptions{ - RootCACerts: test.clientRoot, + RootCertificates: test.clientRoot, GetRootCertificates: test.clientGetRoot, RootProvider: test.clientRootProvider, }, @@ -946,7 +965,7 @@ func (s) TestAdvancedTLSOverrideServerName(t *testing.T) { } clientOptions := &Options{ RootOptions: RootCertificateOptions{ - RootCACerts: cs.ClientTrust1, + RootCertificates: cs.ClientTrust1, }, serverNameOverride: expectedServerName, }