Revert "Enable CRL checking in gRPC core (#26287)" (#28416)

This reverts commit 7d8c9ae890.

CMakeLists.txt

@@ -825,9 +825,6 @@ if(gRPC_BUILD_TESTS)
   add_dependencies(buildtests_cxx context_test)
   add_dependencies(buildtests_cxx core_configuration_test)
   add_dependencies(buildtests_cxx cpp_impl_of_test)
-  if(_gRPC_PLATFORM_LINUX OR _gRPC_PLATFORM_MAC OR _gRPC_PLATFORM_POSIX)
-    add_dependencies(buildtests_cxx crl_ssl_transport_security_test)
-  endif()
   add_dependencies(buildtests_cxx delegating_channel_test)
   add_dependencies(buildtests_cxx destroy_grpclb_channel_with_active_connect_stress_test)
   add_dependencies(buildtests_cxx dual_ref_counted_test)
@@ -9734,44 +9731,6 @@ target_link_libraries(cpp_impl_of_test
 )
 
 
-endif()
-if(gRPC_BUILD_TESTS)
-if(_gRPC_PLATFORM_LINUX OR _gRPC_PLATFORM_MAC OR _gRPC_PLATFORM_POSIX)
-
-  add_executable(crl_ssl_transport_security_test
-    test/core/tsi/crl_ssl_transport_security_test.cc
-    test/core/tsi/transport_security_test_lib.cc
-    third_party/googletest/googletest/src/gtest-all.cc
-    third_party/googletest/googlemock/src/gmock-all.cc
-  )
-
-  target_include_directories(crl_ssl_transport_security_test
-    PRIVATE
-      ${CMAKE_CURRENT_SOURCE_DIR}
-      ${CMAKE_CURRENT_SOURCE_DIR}/include
-      ${_gRPC_ADDRESS_SORTING_INCLUDE_DIR}
-      ${_gRPC_RE2_INCLUDE_DIR}
-      ${_gRPC_SSL_INCLUDE_DIR}
-      ${_gRPC_UPB_GENERATED_DIR}
-      ${_gRPC_UPB_GRPC_GENERATED_DIR}
-      ${_gRPC_UPB_INCLUDE_DIR}
-      ${_gRPC_XXHASH_INCLUDE_DIR}
-      ${_gRPC_ZLIB_INCLUDE_DIR}
-      third_party/googletest/googletest/include
-      third_party/googletest/googletest
-      third_party/googletest/googlemock/include
-      third_party/googletest/googlemock
-      ${_gRPC_PROTO_GENS_DIR}
-  )
-
-  target_link_libraries(crl_ssl_transport_security_test
-    ${_gRPC_PROTOBUF_LIBRARIES}
-    ${_gRPC_ALLTARGETS_LIBRARIES}
-    grpc_test_util
-  )
-
-
-endif()
 endif()
 if(gRPC_BUILD_TESTS)
 

build_autogenerated.yaml

@@ -5392,21 +5392,6 @@ targets:
   - test/core/gprpp/cpp_impl_of_test.cc
   deps: []
   uses_polling: false
-- name: crl_ssl_transport_security_test
-  gtest: true
-  build: test
-  language: c++
-  headers:
-  - test/core/tsi/transport_security_test_lib.h
-  src:
-  - test/core/tsi/crl_ssl_transport_security_test.cc
-  - test/core/tsi/transport_security_test_lib.cc
-  deps:
-  - grpc_test_util
-  platforms:
-  - linux
-  - posix
-  - mac
 - name: delegating_channel_test
   gtest: true
   build: test

grpc.def

@@ -155,7 +155,6 @@ EXPORTS
     grpc_tls_credentials_options_watch_identity_key_cert_pairs
     grpc_tls_credentials_options_set_identity_cert_name
     grpc_tls_credentials_options_set_cert_request_type
-    grpc_tls_credentials_options_set_crl_directory
     grpc_tls_credentials_options_set_verify_server_cert
     grpc_tls_credentials_options_set_check_call_host
     grpc_xds_credentials_create

include/grpc/grpc_security.h

@@ -920,16 +920,6 @@ GRPCAPI void grpc_tls_credentials_options_set_identity_cert_name(
 GRPCAPI void grpc_tls_credentials_options_set_cert_request_type(
     grpc_tls_credentials_options* options,
     grpc_ssl_client_certificate_request_type type);
-/**
- * EXPERIMENTAL API - Subject to change
- *
- * If set, gRPC will read all hashed x.509 CRL files in the directory and
- * enforce the CRL files on all TLS handshakes. Only supported for OpenSSL
- * version > 1.1.
- * It is used for experimental purpose for now and subject to change.
- */
-GRPCAPI void grpc_tls_credentials_options_set_crl_directory(
-    grpc_tls_credentials_options* options, const char* crl_directory);
 
 /**
  * EXPERIMENTAL API - Subject to change

src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc

@@ -91,12 +91,6 @@ void grpc_tls_credentials_options_set_certificate_verifier(
   options->set_certificate_verifier(verifier->Ref());
 }
 
-void grpc_tls_credentials_options_set_crl_directory(
-    grpc_tls_credentials_options* options, const char* crl_directory) {
-  GPR_ASSERT(options != nullptr);
-  options->set_crl_directory(crl_directory);
-}
-
 void grpc_tls_credentials_options_set_check_call_host(
     grpc_tls_credentials_options* options, int check_call_host) {
   GPR_ASSERT(options != nullptr);

src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h

@@ -60,7 +60,6 @@ struct grpc_tls_credentials_options
   const std::string& root_cert_name() { return root_cert_name_; }
   bool watch_identity_pair() { return watch_identity_pair_; }
   const std::string& identity_cert_name() { return identity_cert_name_; }
-  const std::string& crl_directory() { return crl_directory_; }
 
   // Setters for member fields.
   void set_cert_request_type(
@@ -113,11 +112,6 @@ struct grpc_tls_credentials_options
     identity_cert_name_ = std::move(identity_cert_name);
   }
 
-  // gRPC will enforce CRLs on all handshakes from all hashed CRL files inside
-  // of the crl_directory. If not set, an empty string will be used, which will
-  // not enable CRL checking. Only supported for OpenSSL version > 1.1.
-  void set_crl_directory(std::string path) { crl_directory_ = std::move(path); }
-
  private:
   grpc_ssl_client_certificate_request_type cert_request_type_ =
       GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE;
@@ -131,7 +125,6 @@ struct grpc_tls_credentials_options
   std::string root_cert_name_;
   bool watch_identity_pair_ = false;
   std::string identity_cert_name_;
-  std::string crl_directory_;
 };
 
 #endif  // GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CREDENTIALS_OPTIONS_H

src/core/lib/security/security_connector/ssl_utils.cc

@@ -423,7 +423,6 @@ grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
     tsi_ssl_pem_key_cert_pair* pem_key_cert_pair, const char* pem_root_certs,
     bool skip_server_certificate_verification, tsi_tls_version min_tls_version,
     tsi_tls_version max_tls_version, tsi_ssl_session_cache* ssl_session_cache,
-    const char* crl_directory,
     tsi_ssl_client_handshaker_factory** handshaker_factory) {
   const char* root_certs;
   const tsi_ssl_root_certs_store* root_store;
@@ -460,7 +459,6 @@ grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
       skip_server_certificate_verification;
   options.min_tls_version = min_tls_version;
   options.max_tls_version = max_tls_version;
-  options.crl_directory = crl_directory;
   const tsi_result result =
       tsi_create_ssl_client_handshaker_factory_with_options(&options,
                                                             handshaker_factory);
@@ -478,7 +476,6 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
     const char* pem_root_certs,
     grpc_ssl_client_certificate_request_type client_certificate_request,
     tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
-    const char* crl_directory,
     tsi_ssl_server_handshaker_factory** handshaker_factory) {
   size_t num_alpn_protocols = 0;
   const char** alpn_protocol_strings =
@@ -494,7 +491,6 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
   options.num_alpn_protocols = static_cast<uint16_t>(num_alpn_protocols);
   options.min_tls_version = min_tls_version;
   options.max_tls_version = max_tls_version;
-  options.crl_directory = crl_directory;
   const tsi_result result =
       tsi_create_ssl_server_handshaker_factory_with_options(&options,
                                                             handshaker_factory);

src/core/lib/security/security_connector/ssl_utils.h

@@ -91,7 +91,6 @@ grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
     tsi_ssl_pem_key_cert_pair* key_cert_pair, const char* pem_root_certs,
     bool skip_server_certificate_verification, tsi_tls_version min_tls_version,
     tsi_tls_version max_tls_version, tsi_ssl_session_cache* ssl_session_cache,
-    const char* crl_directory,
     tsi_ssl_client_handshaker_factory** handshaker_factory);
 
 grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
@@ -99,7 +98,6 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
     const char* pem_root_certs,
     grpc_ssl_client_certificate_request_type client_certificate_request,
     tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
-    const char* crl_directory,
     tsi_ssl_server_handshaker_factory** handshaker_factory);
 
 /* Exposed for testing only. */

src/core/lib/security/security_connector/tls/tls_security_connector.cc

@@ -538,7 +538,7 @@ TlsChannelSecurityConnector::UpdateHandshakerFactoryLocked() {
       skip_server_certificate_verification,
       grpc_get_tsi_tls_version(options_->min_tls_version()),
       grpc_get_tsi_tls_version(options_->max_tls_version()), ssl_session_cache_,
-      options_->crl_directory().c_str(), &client_handshaker_factory_);
+      &client_handshaker_factory_);
   /* Free memory. */
   if (pem_key_cert_pair != nullptr) {
     grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pair, 1);
@@ -806,7 +806,7 @@ TlsServerSecurityConnector::UpdateHandshakerFactoryLocked() {
       options_->cert_request_type(),
       grpc_get_tsi_tls_version(options_->min_tls_version()),
       grpc_get_tsi_tls_version(options_->max_tls_version()),
-      options_->crl_directory().c_str(), &server_handshaker_factory_);
+      &server_handshaker_factory_);
   /* Free memory. */
   grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pairs,
                                           num_key_cert_pairs);

src/core/tsi/ssl_transport_security.cc

@@ -1921,14 +1921,6 @@ static int server_handshaker_factory_new_session_callback(
   return 1;
 }
 
-static int verify_cb(int ok, X509_STORE_CTX* ctx) {
-  int cert_error = X509_STORE_CTX_get_error(ctx);
-  if (cert_error != 0) {
-    gpr_log(GPR_ERROR, "Certificate verify failed with code %d", cert_error);
-  }
-  return ok;
-}
-
 /* --- tsi_ssl_handshaker_factory constructors. --- */
 
 static tsi_ssl_handshaker_factory_vtable client_handshaker_factory_vtable = {
@@ -2049,24 +2041,7 @@ tsi_result tsi_create_ssl_client_handshaker_factory_with_options(
   } else {
     SSL_CTX_set_verify(ssl_context, SSL_VERIFY_PEER, nullptr);
   }
-
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
-  if (options->crl_directory != nullptr &&
-      strcmp(options->crl_directory, "") != 0) {
-    gpr_log(GPR_INFO, "enabling client CRL checking with path: %s",
-            options->crl_directory);
-    X509_STORE* cert_store = SSL_CTX_get_cert_store(ssl_context);
-    X509_STORE_set_verify_cb(cert_store, verify_cb);
-    if (!X509_STORE_load_locations(cert_store, nullptr,
-                                   options->crl_directory)) {
-      gpr_log(GPR_ERROR, "Failed to load CRL File from directory.");
-    } else {
-      X509_VERIFY_PARAM* param = X509_STORE_get0_param(cert_store);
-      X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
-      gpr_log(GPR_INFO, "enabled client side CRL checking.");
-    }
-  }
-#endif
+  /* TODO(jboeuf): Add revocation verification. */
 
   *factory = impl;
   return TSI_OK;
@@ -2228,24 +2203,7 @@ tsi_result tsi_create_ssl_server_handshaker_factory_with_options(
                              nullptr);
           break;
       }
-
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
-      if (options->crl_directory != nullptr &&
-          strcmp(options->crl_directory, "") != 0) {
-        gpr_log(GPR_INFO, "enabling server CRL checking with path %s",
-                options->crl_directory);
-        X509_STORE* cert_store = SSL_CTX_get_cert_store(impl->ssl_contexts[i]);
-        X509_STORE_set_verify_cb(cert_store, verify_cb);
-        if (!X509_STORE_load_locations(cert_store, nullptr,
-                                       options->crl_directory)) {
-          gpr_log(GPR_ERROR, "Failed to load CRL File from directory.");
-        } else {
-          X509_VERIFY_PARAM* param = X509_STORE_get0_param(cert_store);
-          X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
-          gpr_log(GPR_INFO, "enabled server CRL checking.");
-        }
-      }
-#endif
+      /* TODO(jboeuf): Add revocation verification. */
 
       result = tsi_ssl_extract_x509_subject_names_from_pem_cert(
           options->pem_key_cert_pairs[i].cert_chain,

src/core/tsi/ssl_transport_security.h

@@ -157,12 +157,6 @@ struct tsi_ssl_client_handshaker_options {
   tsi_tls_version min_tls_version;
   tsi_tls_version max_tls_version;
 
-  /* The directory where all hashed CRL files enforced by the handshaker are
-     located. If the directory is invalid, CRL checking will fail open and just
-     log. An empty directory will not enable crl checking. Only OpenSSL version
-     > 1.1 is supported for CRL checking*/
-  const char* crl_directory;
-
   tsi_ssl_client_handshaker_options()
       : pem_key_cert_pair(nullptr),
         pem_root_certs(nullptr),
@@ -173,8 +167,7 @@ struct tsi_ssl_client_handshaker_options {
         session_cache(nullptr),
         skip_server_certificate_verification(false),
         min_tls_version(tsi_tls_version::TSI_TLS1_2),
-        max_tls_version(tsi_tls_version::TSI_TLS1_3),
-        crl_directory(nullptr) {}
+        max_tls_version(tsi_tls_version::TSI_TLS1_3) {}
 };
 
 /* Creates a client handshaker factory.
@@ -294,12 +287,6 @@ struct tsi_ssl_server_handshaker_options {
   tsi_tls_version min_tls_version;
   tsi_tls_version max_tls_version;
 
-  /* The directory where all hashed CRL files are cached in the x.509 store and
-   * enforced by the handshaker are located. If the directory is invalid, CRL
-   * checking will fail open and just log. An empty directory will not enable
-   * crl checking. Only OpenSSL version > 1.1 is supported for CRL checking */
-  const char* crl_directory;
-
   tsi_ssl_server_handshaker_options()
       : pem_key_cert_pairs(nullptr),
         num_key_cert_pairs(0),
@@ -311,8 +298,7 @@ struct tsi_ssl_server_handshaker_options {
         session_ticket_key(nullptr),
         session_ticket_key_size(0),
         min_tls_version(tsi_tls_version::TSI_TLS1_2),
-        max_tls_version(tsi_tls_version::TSI_TLS1_3),
-        crl_directory(nullptr) {}
+        max_tls_version(tsi_tls_version::TSI_TLS1_3) {}
 };
 
 /* Creates a server handshaker factory.

src/ruby/ext/grpc/rb_grpc_imports.generated.c

@@ -178,7 +178,6 @@ grpc_tls_credentials_options_set_root_cert_name_type grpc_tls_credentials_option
 grpc_tls_credentials_options_watch_identity_key_cert_pairs_type grpc_tls_credentials_options_watch_identity_key_cert_pairs_import;
 grpc_tls_credentials_options_set_identity_cert_name_type grpc_tls_credentials_options_set_identity_cert_name_import;
 grpc_tls_credentials_options_set_cert_request_type_type grpc_tls_credentials_options_set_cert_request_type_import;
-grpc_tls_credentials_options_set_crl_directory_type grpc_tls_credentials_options_set_crl_directory_import;
 grpc_tls_credentials_options_set_verify_server_cert_type grpc_tls_credentials_options_set_verify_server_cert_import;
 grpc_tls_credentials_options_set_check_call_host_type grpc_tls_credentials_options_set_check_call_host_import;
 grpc_xds_credentials_create_type grpc_xds_credentials_create_import;
@@ -467,7 +466,6 @@ void grpc_rb_load_imports(HMODULE library) {
   grpc_tls_credentials_options_watch_identity_key_cert_pairs_import = (grpc_tls_credentials_options_watch_identity_key_cert_pairs_type) GetProcAddress(library, "grpc_tls_credentials_options_watch_identity_key_cert_pairs");
   grpc_tls_credentials_options_set_identity_cert_name_import = (grpc_tls_credentials_options_set_identity_cert_name_type) GetProcAddress(library, "grpc_tls_credentials_options_set_identity_cert_name");
   grpc_tls_credentials_options_set_cert_request_type_import = (grpc_tls_credentials_options_set_cert_request_type_type) GetProcAddress(library, "grpc_tls_credentials_options_set_cert_request_type");
-  grpc_tls_credentials_options_set_crl_directory_import = (grpc_tls_credentials_options_set_crl_directory_type) GetProcAddress(library, "grpc_tls_credentials_options_set_crl_directory");
   grpc_tls_credentials_options_set_verify_server_cert_import = (grpc_tls_credentials_options_set_verify_server_cert_type) GetProcAddress(library, "grpc_tls_credentials_options_set_verify_server_cert");
   grpc_tls_credentials_options_set_check_call_host_import = (grpc_tls_credentials_options_set_check_call_host_type) GetProcAddress(library, "grpc_tls_credentials_options_set_check_call_host");
   grpc_xds_credentials_create_import = (grpc_xds_credentials_create_type) GetProcAddress(library, "grpc_xds_credentials_create");

src/ruby/ext/grpc/rb_grpc_imports.generated.h

@@ -509,9 +509,6 @@ extern grpc_tls_credentials_options_set_identity_cert_name_type grpc_tls_credent
 typedef void(*grpc_tls_credentials_options_set_cert_request_type_type)(grpc_tls_credentials_options* options, grpc_ssl_client_certificate_request_type type);
 extern grpc_tls_credentials_options_set_cert_request_type_type grpc_tls_credentials_options_set_cert_request_type_import;
 #define grpc_tls_credentials_options_set_cert_request_type grpc_tls_credentials_options_set_cert_request_type_import
-typedef void(*grpc_tls_credentials_options_set_crl_directory_type)(grpc_tls_credentials_options* options, const char* crl_directory);
-extern grpc_tls_credentials_options_set_crl_directory_type grpc_tls_credentials_options_set_crl_directory_import;
-#define grpc_tls_credentials_options_set_crl_directory grpc_tls_credentials_options_set_crl_directory_import
 typedef void(*grpc_tls_credentials_options_set_verify_server_cert_type)(grpc_tls_credentials_options* options, int verify_server_cert);
 extern grpc_tls_credentials_options_set_verify_server_cert_type grpc_tls_credentials_options_set_verify_server_cert_import;
 #define grpc_tls_credentials_options_set_verify_server_cert grpc_tls_credentials_options_set_verify_server_cert_import

test/core/surface/public_headers_must_be_c89.c

@@ -222,7 +222,6 @@ int main(int argc, char **argv) {
   printf("%lx", (unsigned long) grpc_tls_credentials_options_watch_identity_key_cert_pairs);
   printf("%lx", (unsigned long) grpc_tls_credentials_options_set_identity_cert_name);
   printf("%lx", (unsigned long) grpc_tls_credentials_options_set_cert_request_type);
-  printf("%lx", (unsigned long) grpc_tls_credentials_options_set_crl_directory);
   printf("%lx", (unsigned long) grpc_tls_credentials_options_set_verify_server_cert);
   printf("%lx", (unsigned long) grpc_tls_credentials_options_set_check_call_host);
   printf("%lx", (unsigned long) grpc_xds_credentials_create);

test/core/tsi/BUILD

@@ -88,31 +88,6 @@ grpc_cc_test(
     ],
 )
 
-grpc_cc_test(
-    name = "crl_ssl_transport_security_test",
-    srcs = ["crl_ssl_transport_security_test.cc"],
-    data = [
-        "//test/core/tsi/test_creds/crl_data:ab06acdd.r0",
-        "//test/core/tsi/test_creds/crl_data:ca.pem",
-        "//test/core/tsi/test_creds/crl_data:revoked.key",
-        "//test/core/tsi/test_creds/crl_data:revoked.pem",
-        "//test/core/tsi/test_creds/crl_data:valid.key",
-        "//test/core/tsi/test_creds/crl_data:valid.pem",
-    ],
-    external_deps = [
-        "gtest",
-    ],
-    language = "C++",
-    tags = ["no_windows"],
-    deps = [
-        ":transport_security_test_lib",
-        "//:gpr",
-        "//:grpc",
-        "//:tsi",
-        "//test/core/util:grpc_test_util",
-    ],
-)
-
 grpc_cc_test(
     name = "transport_security_test",
     srcs = ["transport_security_test.cc"],

test/core/tsi/crl_ssl_transport_security_test.cc

@@ -1,279 +0,0 @@
-// Copyright 2021 gRPC authors.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include <stdbool.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <gmock/gmock.h>
-#include <gtest/gtest.h>
-
-#include <grpc/grpc.h>
-#include <grpc/support/alloc.h>
-#include <grpc/support/log.h>
-#include <grpc/support/string_util.h>
-
-#include "src/core/lib/iomgr/load_file.h"
-#include "src/core/lib/security/security_connector/security_connector.h"
-#include "src/core/tsi/ssl_transport_security.h"
-#include "src/core/tsi/transport_security.h"
-#include "src/core/tsi/transport_security_interface.h"
-#include "test/core/tsi/transport_security_test_lib.h"
-#include "test/core/util/test_config.h"
-
-extern "C" {
-#include <openssl/crypto.h>
-#include <openssl/pem.h>
-}
-
-namespace {
-
-const int kSslTsiTestRevokedKeyCertPairsNum = 1;
-const int kSslTsiTestValidKeyCertPairsNum = 1;
-const char* kSslTsiTestCrlSupportedCredentialsDir =
-    "test/core/tsi/test_creds/crl_data/";
-
-class CrlSslTransportSecurityTest
-    : public testing::TestWithParam<tsi_tls_version> {
- protected:
-  // A tsi_test_fixture implementation.
-  class SslTsiTestFixture {
-   public:
-    static SslTsiTestFixture* Create(bool use_revoked_server_cert,
-                                     bool use_revoked_client_cert) {
-      return new SslTsiTestFixture(use_revoked_server_cert,
-                                   use_revoked_client_cert);
-    }
-
-    void Run() {
-      tsi_test_do_handshake(&base_);
-      tsi_test_fixture_destroy(&base_);
-    }
-
-   private:
-    SslTsiTestFixture(bool use_revoked_server_cert,
-                      bool use_revoked_client_cert)
-        : use_revoked_server_cert_(use_revoked_server_cert),
-          use_revoked_client_cert_(use_revoked_client_cert) {
-      tsi_test_fixture_init(&base_);
-      base_.test_unused_bytes = true;
-      base_.vtable = &kVtable;
-      // Load cert data.
-      revoked_pem_key_cert_pairs_ = static_cast<tsi_ssl_pem_key_cert_pair*>(
-          gpr_malloc(sizeof(tsi_ssl_pem_key_cert_pair) *
-                     kSslTsiTestRevokedKeyCertPairsNum));
-      revoked_pem_key_cert_pairs_[0].private_key = LoadFile(
-          absl::StrCat(kSslTsiTestCrlSupportedCredentialsDir, "revoked.key"));
-      revoked_pem_key_cert_pairs_[0].cert_chain = LoadFile(
-          absl::StrCat(kSslTsiTestCrlSupportedCredentialsDir, "revoked.pem"));
-      valid_pem_key_cert_pairs_ = static_cast<tsi_ssl_pem_key_cert_pair*>(
-          gpr_malloc(sizeof(tsi_ssl_pem_key_cert_pair) *
-                     kSslTsiTestValidKeyCertPairsNum));
-      valid_pem_key_cert_pairs_[0].private_key = LoadFile(
-          absl::StrCat(kSslTsiTestCrlSupportedCredentialsDir, "valid.key"));
-      valid_pem_key_cert_pairs_[0].cert_chain = LoadFile(
-          absl::StrCat(kSslTsiTestCrlSupportedCredentialsDir, "valid.pem"));
-      root_cert_ = LoadFile(
-          absl::StrCat(kSslTsiTestCrlSupportedCredentialsDir, "ca.pem"));
-      root_store_ = tsi_ssl_root_certs_store_create(root_cert_);
-      GPR_ASSERT(root_store_ != nullptr);
-    }
-
-    ~SslTsiTestFixture() {
-      for (size_t i = 0; i < kSslTsiTestValidKeyCertPairsNum; i++) {
-        PemKeyCertPairDestroy(valid_pem_key_cert_pairs_[i]);
-      }
-      gpr_free(valid_pem_key_cert_pairs_);
-      for (size_t i = 0; i < kSslTsiTestRevokedKeyCertPairsNum; i++) {
-        PemKeyCertPairDestroy(revoked_pem_key_cert_pairs_[i]);
-      }
-      gpr_free(revoked_pem_key_cert_pairs_);
-      gpr_free(root_cert_);
-      tsi_ssl_root_certs_store_destroy(root_store_);
-      tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_);
-      tsi_ssl_client_handshaker_factory_unref(client_handshaker_factory_);
-    }
-
-    static void SetupHandshakers(tsi_test_fixture* fixture) {
-      GPR_ASSERT(fixture != nullptr);
-      auto* self = reinterpret_cast<SslTsiTestFixture*>(fixture);
-      self->SetupHandshakers();
-    }
-
-    void SetupHandshakers() {
-      // Create client handshaker factory.
-      tsi_ssl_client_handshaker_options client_options;
-      client_options.pem_root_certs = root_cert_;
-      if (use_revoked_client_cert_) {
-        client_options.pem_key_cert_pair = revoked_pem_key_cert_pairs_;
-      } else {
-        client_options.pem_key_cert_pair = valid_pem_key_cert_pairs_;
-      }
-      client_options.crl_directory = kSslTsiTestCrlSupportedCredentialsDir;
-      client_options.root_store = root_store_;
-      client_options.min_tls_version = GetParam();
-      client_options.max_tls_version = GetParam();
-      EXPECT_EQ(tsi_create_ssl_client_handshaker_factory_with_options(
-                    &client_options, &client_handshaker_factory_),
-                TSI_OK);
-      // Create server handshaker factory.
-      tsi_ssl_server_handshaker_options server_options;
-      if (use_revoked_server_cert_) {
-        server_options.pem_key_cert_pairs = revoked_pem_key_cert_pairs_;
-        server_options.num_key_cert_pairs = kSslTsiTestRevokedKeyCertPairsNum;
-      } else {
-        server_options.pem_key_cert_pairs = valid_pem_key_cert_pairs_;
-        server_options.num_key_cert_pairs = kSslTsiTestValidKeyCertPairsNum;
-      }
-      server_options.pem_client_root_certs = root_cert_;
-      server_options.crl_directory = kSslTsiTestCrlSupportedCredentialsDir;
-      server_options.client_certificate_request =
-          TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY;
-      server_options.session_ticket_key = nullptr;
-      server_options.session_ticket_key_size = 0;
-      server_options.min_tls_version = GetParam();
-      server_options.max_tls_version = GetParam();
-      EXPECT_EQ(tsi_create_ssl_server_handshaker_factory_with_options(
-                    &server_options, &server_handshaker_factory_),
-                TSI_OK);
-      // Create server and client handshakers.
-      EXPECT_EQ(
-          tsi_ssl_client_handshaker_factory_create_handshaker(
-              client_handshaker_factory_, nullptr, &base_.client_handshaker),
-          TSI_OK);
-      EXPECT_EQ(tsi_ssl_server_handshaker_factory_create_handshaker(
-                    server_handshaker_factory_, &base_.server_handshaker),
-                TSI_OK);
-    }
-
-    static void CheckHandshakerPeers(tsi_test_fixture* fixture) {
-      GPR_ASSERT(fixture != nullptr);
-      auto* self = reinterpret_cast<SslTsiTestFixture*>(fixture);
-      self->CheckHandshakerPeers();
-    }
-
-    void CheckHandshakerPeers() {
-      // In TLS 1.3, the client-side handshake succeeds even if the client
-      // sends a revoked certificate. In such a case, the server would fail
-      // the TLS handshake and send an alert to the client as the first
-      // application data message. In TLS 1.2, the client-side handshake will
-      // fail if the client sends a revoked certificate.
-      //
-      // For OpenSSL versions < 1.1, TLS 1.3 is not supported, so the
-      // client-side handshake should succeed precisely when the server-side
-      // handshake succeeds.
-      bool expect_server_success =
-          !(use_revoked_server_cert_ || use_revoked_client_cert_);
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
-      bool expect_client_success = GetParam() == tsi_tls_version::TSI_TLS1_2
-                                       ? expect_server_success
-                                       : !use_revoked_server_cert_;
-#else
-      bool expect_client_success = expect_server_success;
-#endif
-      tsi_peer peer;
-      if (expect_client_success) {
-        EXPECT_EQ(
-            tsi_handshaker_result_extract_peer(base_.client_result, &peer),
-            TSI_OK);
-        tsi_peer_destruct(&peer);
-      } else {
-        EXPECT_EQ(base_.client_result, nullptr);
-      }
-      if (expect_server_success) {
-        EXPECT_EQ(
-            tsi_handshaker_result_extract_peer(base_.server_result, &peer),
-            TSI_OK);
-        tsi_peer_destruct(&peer);
-      } else {
-        EXPECT_EQ(base_.server_result, nullptr);
-      }
-    }
-
-    static void PemKeyCertPairDestroy(tsi_ssl_pem_key_cert_pair kp) {
-      gpr_free(const_cast<char*>(kp.private_key));
-      gpr_free(const_cast<char*>(kp.cert_chain));
-    }
-
-    static void Destruct(tsi_test_fixture* fixture) {
-      auto* self = reinterpret_cast<SslTsiTestFixture*>(fixture);
-      delete self;
-    }
-
-    static char* LoadFile(absl::string_view file_path) {
-      grpc_slice slice;
-      GPR_ASSERT(grpc_load_file(file_path.data(), 1, &slice) ==
-                 GRPC_ERROR_NONE);
-      char* data = grpc_slice_to_c_string(slice);
-      grpc_slice_unref(slice);
-      return data;
-    }
-
-    static struct tsi_test_fixture_vtable kVtable;
-
-    tsi_test_fixture base_;
-    bool use_revoked_server_cert_;
-    bool use_revoked_client_cert_;
-    char* root_cert_;
-    tsi_ssl_root_certs_store* root_store_;
-    tsi_ssl_pem_key_cert_pair* revoked_pem_key_cert_pairs_;
-    tsi_ssl_pem_key_cert_pair* valid_pem_key_cert_pairs_;
-    tsi_ssl_server_handshaker_factory* server_handshaker_factory_;
-    tsi_ssl_client_handshaker_factory* client_handshaker_factory_;
-  };
-};
-
-struct tsi_test_fixture_vtable
-    CrlSslTransportSecurityTest::SslTsiTestFixture::kVtable = {
-        &CrlSslTransportSecurityTest::SslTsiTestFixture::SetupHandshakers,
-        &CrlSslTransportSecurityTest::SslTsiTestFixture::CheckHandshakerPeers,
-        &CrlSslTransportSecurityTest::SslTsiTestFixture::Destruct};
-
-TEST_P(CrlSslTransportSecurityTest, RevokedServerCert) {
-  auto* fixture = SslTsiTestFixture::Create(/*use_revoked_server_cert=*/true,
-                                            /*use_revoked_client_cert=*/false);
-  fixture->Run();
-}
-
-TEST_P(CrlSslTransportSecurityTest, RevokedClientCert) {
-  auto* fixture = SslTsiTestFixture::Create(/*use_revoked_server_cert=*/false,
-                                            /*use_revoked_client_cert=*/true);
-  fixture->Run();
-}
-
-TEST_P(CrlSslTransportSecurityTest, ValidCerts) {
-  auto* fixture = SslTsiTestFixture::Create(/*use_revoked_server_cert=*/false,
-                                            /*use_revoked_client_cert=*/false);
-  fixture->Run();
-}
-
-std::string TestNameSuffix(
-    const ::testing::TestParamInfo<tsi_tls_version>& version) {
-  if (version.param == tsi_tls_version::TSI_TLS1_2) return "TLS_1_2";
-  GPR_ASSERT(version.param == tsi_tls_version::TSI_TLS1_3);
-  return "TLS_1_3";
-}
-
-INSTANTIATE_TEST_SUITE_P(TLSVersionsTest, CrlSslTransportSecurityTest,
-                         testing::Values(tsi_tls_version::TSI_TLS1_2,
-                                         tsi_tls_version::TSI_TLS1_3),
-                         &TestNameSuffix);
-
-}  // namespace
-
-int main(int argc, char** argv) {
-  grpc::testing::TestEnvironment env(argc, argv);
-  ::testing::InitGoogleTest(&argc, argv);
-  return RUN_ALL_TESTS();
-}

test/core/tsi/test_creds/crl_data/demoCA/index.txt.attr.old

@@ -1 +0,0 @@
-unique_subject = yes

test/core/tsi/test_creds/demoCA/crlnumber

@@ -1 +0,0 @@
-1001

test/core/tsi/test_creds/demoCA/index.txt

@@ -1 +0,0 @@
-R	310920052448Z	211102205058Z	8B24B0063265547C	unknown	/CN=revoked

test/core/tsi/test_creds/demoCA/index.txt.attr

@@ -1 +0,0 @@
-unique_subject = yes

test/core/tsi/transport_security_test_lib.cc

@@ -605,7 +605,6 @@ static void tsi_test_channel_destroy(tsi_test_channel* channel) {
 }
 
 void tsi_test_fixture_init(tsi_test_fixture* fixture) {
-  memset(fixture, 0, sizeof(tsi_test_fixture));
   fixture->config = tsi_test_frame_protector_config_create(
       true, true, true, true, true, true, true);
   fixture->handshake_buffer_size = TSI_TEST_DEFAULT_BUFFER_SIZE;

tools/run_tests/generated/tests.json

@@ -3951,28 +3951,6 @@
     ],
     "uses_polling": false
   },
-  {
-    "args": [],
-    "benchmark": false,
-    "ci_platforms": [
-      "linux",
-      "mac",
-      "posix"
-    ],
-    "cpu_cost": 1.0,
-    "exclude_configs": [],
-    "exclude_iomgrs": [],
-    "flaky": false,
-    "gtest": true,
-    "language": "c++",
-    "name": "crl_ssl_transport_security_test",
-    "platforms": [
-      "linux",
-      "mac",
-      "posix"
-    ],
-    "uses_polling": true
-  },
   {
     "args": [],
     "benchmark": false,