tls: add intermediate ca crl tests and documentation (#12788)

Adds intermediate certificate authority revocation list documentation and tests that cover revoked, unrevoked and incomplete certificate revocation list chains.

Signed-off-by: Joshua Rutherford <joshua.rutherford@greymatter.io>

Mirrored from https://github.com/envoyproxy/envoy @ 969711e8c7f6b4cdc8fbc9f1f8d9c81a4df94adb
Author: data-plane-api (CircleCI), committed 4 years ago
parent 31aa7c7afd
commit d684924dd2
Files changed (11 lines each):
envoy/extensions/transport_sockets/tls/v3/common.proto
envoy/extensions/transport_sockets/tls/v4alpha/common.proto

@ -224,7 +224,10 @@ message CertificateValidationContext {
// specified.
//
// It can optionally contain certificate revocation lists, in which case Envoy will verify
// that the presented peer certificate has not been revoked by one of the included CRLs.
// that the presented peer certificate has not been revoked by one of the included CRLs. Note
// that if a CRL is provided for any certificate authority in a trust chain, a CRL must be
// provided for all certificate authorities in that chain. Failure to do so will result in
// verification failure for both revoked and unrevoked certificates from that chain.
//
// See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
// system CA locations.
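Review bot: the added note on trusted_ca states the rule but not the operational consequence an operator needs, and it is repeated word for word on the crl field in the next hunk; keep the full explanation in one place and point the other copy at it with the :ref: style already used two lines later for the TLS overview. In whichever copy survives, say explicitly that "all certificate authorities in that chain" includes the root CA that issued the intermediate (the root's CRL is the one that would list a revoked intermediate), because that is the CRL most often left out, and tighten the last sentence to the effect it describes, e.g. "Otherwise every peer certificate from that chain fails verification, whether or not it has been revoked."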
@ -322,7 +325,11 @@ message CertificateValidationContext {
// <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
// (in PEM format). If specified, Envoy will verify that the presented peer
// certificate has not been revoked by this CRL. If this DataSource contains
// multiple CRLs, all of them will be used.
// multiple CRLs, all of them will be used. Note that if a CRL is provided
// for any certificate authority in a trust chain, a CRL must be provided
// for all certificate authorities in that chain. Failure to do so will
// result in verification failure for both revoked and unrevoked certificates
// from that chain.
config.core.v3.DataSource crl = 7;
// If specified, Envoy will not reject expired certificates.
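Review bot: with the new note in place, "If this DataSource contains multiple CRLs, all of them will be used" is the sentence that tells operators what to actually ship, so make it concrete: for a chain root -> intermediate -> leaf this DataSource must hold both the root's CRL and the intermediate's CRL, concatenated in PEM. The older wording "has not been revoked by this CRL" is also now too narrow, since the note requires a CRL for every CA in the chain, which only makes sense if the intermediates are checked as well as the leaf; suggest "has not been revoked, and that no CA in its chain has been revoked" if that is the intended behaviour.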

@ -226,7 +226,10 @@ message CertificateValidationContext {
// specified.
//
// It can optionally contain certificate revocation lists, in which case Envoy will verify
// that the presented peer certificate has not been revoked by one of the included CRLs.
// that the presented peer certificate has not been revoked by one of the included CRLs. Note
// that if a CRL is provided for any certificate authority in a trust chain, a CRL must be
// provided for all certificate authorities in that chain. Failure to do so will result in
// verification failure for both revoked and unrevoked certificates from that chain.
//
// See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
// system CA locations.
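Review bot: v4alpha/common.proto is produced from the v3 file by the API tooling, so any wording fix agreed for the v3 note (naming the root CA's CRL, de-duplicating the trusted_ca and crl text) has to be made in v3 and regenerated rather than hand-edited here; as committed the v4alpha text is identical to v3, which is what the format check expects.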
@ -324,7 +327,11 @@ message CertificateValidationContext {
// <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
// (in PEM format). If specified, Envoy will verify that the presented peer
// certificate has not been revoked by this CRL. If this DataSource contains
// multiple CRLs, all of them will be used.
// multiple CRLs, all of them will be used. Note that if a CRL is provided
// for any certificate authority in a trust chain, a CRL must be provided
// for all certificate authorities in that chain. Failure to do so will
// result in verification failure for both revoked and unrevoked certificates
// from that chain.
config.core.v4alpha.DataSource crl = 7;
// If specified, Envoy will not reject expired certificates.
