feat: setup configuration for CRL certificate revocation

Author: guillaumesala

gravitee-apim-gateway/gravitee-apim-gateway-services/gravitee-apim-gateway-services-debug/src/main/java/io/gravitee/gateway/debug/vertx/VertxDebugConfiguration.java

@@ -17,6 +17,7 @@
 
 import io.gravitee.gateway.reactive.debug.vertx.DebugHttpProtocolVerticle;
 import io.gravitee.gateway.reactive.reactor.HttpRequestDispatcher;
+import io.gravitee.node.api.certificate.CRLLoaderFactoryRegistry;
 import io.gravitee.node.api.certificate.KeyStoreLoaderFactoryRegistry;
 import io.gravitee.node.api.certificate.KeyStoreLoaderOptions;
 import io.gravitee.node.api.certificate.TrustStoreLoaderOptions;
@@ -57,9 +58,10 @@ public VertxDebugHttpClientConfiguration debugHttpClientConfiguration(
     public VertxHttpServerFactory debugHttpServerFactory(
         Vertx vertx,
         KeyStoreLoaderFactoryRegistry<KeyStoreLoaderOptions> keyStoreLoaderFactoryRegistry,
-        KeyStoreLoaderFactoryRegistry<TrustStoreLoaderOptions> truststoreLoaderFactoryRegistry
+        KeyStoreLoaderFactoryRegistry<TrustStoreLoaderOptions> truststoreLoaderFactoryRegistry,
+        CRLLoaderFactoryRegistry crlLoaderFactoryRegistry
     ) {
-        return new VertxHttpServerFactory(vertx, keyStoreLoaderFactoryRegistry, truststoreLoaderFactoryRegistry);
+        return new VertxHttpServerFactory(vertx, keyStoreLoaderFactoryRegistry, truststoreLoaderFactoryRegistry, crlLoaderFactoryRegistry);
     }
 
     @Bean("debugServer")

gravitee-apim-gateway/gravitee-apim-gateway-standalone/gravitee-apim-gateway-standalone-distribution/src/main/resources/config/gravitee.yml

@@ -109,6 +109,9 @@ secrets:
 #      path: ${gravitee.home}/security/truststore.jks
 #      password: secret
 #      watch: true # Watch for any updates on the keystore and reload it. Default is true.
+#    crl:
+#      path: # Path to the CRL file or folder. CRL checking is disabled if not set. Supports DER and PEM formats.
+#      watch: true # Watch for any updates on the CRL and reload it. Default is true.
 #    sni: false
 #    openssl: false # Used to rely on OpenSSL Engine instead of default JDK SSL Engine
 #  websocket:
@@ -158,6 +161,9 @@ secrets:
 #      path: ${gravitee.home}/security/truststore.jks
 #      password: secret
 #      watch: true # Watch for any updates on the keystore/pem and reload it. Default is true.
+#    crl:
+#      path: # Path to the CRL file or folder. CRL checking is disabled if not set. Supports DER and PEM formats.
+#      watch: true # Watch for any updates on the CRL and reload it. Default is true.
 #    openssl: false # Used to rely on OpenSSL Engine instead of default JDK SSL Engine
 #  haproxy: # Support for https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
 #    proxyProtocol: false

gravitee-apim-gateway/gravitee-apim-gateway-tests-sdk/src/main/java/io/gravitee/apim/gateway/tests/sdk/utils/TLSUtils.java

@@ -20,26 +20,45 @@
 import java.math.BigInteger;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.security.*;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.PrivateKey;
+import java.security.Security;
 import java.security.cert.Certificate;
+import java.security.cert.X509CRL;
 import java.security.cert.X509Certificate;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.Collections;
 import java.util.Date;
+import java.util.concurrent.atomic.AtomicLong;
+import javax.security.auth.x500.X500Principal;
 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.asn1.x509.BasicConstraints;
+import org.bouncycastle.asn1.x509.CRLReason;
+import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.ExtensionsGenerator;
+import org.bouncycastle.asn1.x509.KeyUsage;
 import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
 import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.X509v2CRLBuilder;
 import org.bouncycastle.cert.X509v3CertificateBuilder;
+import org.bouncycastle.cert.jcajce.JcaX509CRLConverter;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
+import org.bouncycastle.cert.jcajce.JcaX509v2CRLBuilder;
+import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
 import org.bouncycastle.crypto.util.PrivateKeyFactory;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
 import org.bouncycastle.operator.ContentSigner;
 import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
 import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
 import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
 
 /**
  * @author Benoit BORDIGONI (benoit.bordigoni at graviteesource.com)
@@ -49,6 +68,8 @@
 @SuppressWarnings("java:S112") // only used in tests
 public class TLSUtils {
 
+    private static final AtomicLong SERIAL_COUNTER = new AtomicLong(System.nanoTime());
+
     static {
         Security.addProvider(new BouncyCastleProvider());
     }
@@ -168,7 +189,7 @@ public static KeyStore createKeyStore(String alias, Object data, char[] password
     }
 
     /**
-     * Happen data to an existing keystore.
+     * Append data to an existing keystore.
      * @param keystore the keystore to happen
      * @param alias the alias used to add <code>data</code> to the keystore
      * @param data a {@link X509Pair} or {@link X509Cert} instance
@@ -212,4 +233,135 @@ private static void addEntry(KeyStore ks, String alias, Object data, char[] pass
             throw new IllegalArgumentException("%s cannot be added to a key store".formatted(data));
         }
     }
+
+    /**
+     * Create a Certificate Authority certificate with proper CA extensions.
+     * @param commonName the CA common name
+     * @return a key pair with a CA certificate
+     * @throws Exception when something wrong happened when generating the CA certificate
+     */
+    public static X509Pair createCA(String commonName) throws Exception {
+        final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", new BouncyCastleProvider());
+        keyPairGenerator.initialize(2048);
+        final KeyPair caKeyPair = keyPairGenerator.genKeyPair();
+
+        X500Principal subject = new X500Principal("C=FR, O=Gravitee, OU=IntegrationTests, CN=%s".formatted(commonName));
+
+        X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
+            subject,
+            calculateSerialNumber(),
+            Date.from(Instant.now().minus(1, ChronoUnit.DAYS)),
+            Date.from(Instant.now().plus(365, ChronoUnit.DAYS)),
+            subject,
+            caKeyPair.getPublic()
+        );
+
+        certBuilder
+            .addExtension(Extension.basicConstraints, true, new BasicConstraints(true))
+            .addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
+
+        ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSAEncryption").setProvider("BC").build(caKeyPair.getPrivate());
+
+        JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider("BC");
+
+        X509Certificate certificate = converter.getCertificate(certBuilder.build(signer));
+
+        return new X509Pair(new X509Cert(certificate), new X509Key(caKeyPair.getPrivate()));
+    }
+
+    /**
+     * Create an End Entity certificate signed by a CA.
+     * @param caKeyPair the CA key pair to sign the certificate
+     * @param clientCN the client common name
+     * @return a key pair with an end entity certificate signed by the CA
+     * @throws Exception when something wrong happened when generating the certificate
+     */
+    public static X509Pair createCASignedCertificate(X509Pair caKeyPair, String clientCN) throws Exception {
+        final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", new BouncyCastleProvider());
+        keyPairGenerator.initialize(2048);
+        final KeyPair clientKeyPair = keyPairGenerator.genKeyPair();
+
+        X500Principal subject = new X500Principal("C=FR, O=Gravitee, OU=IntegrationTests, CN=%s".formatted(clientCN));
+
+        X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
+            caKeyPair.certificate().data().getSubjectX500Principal(),
+            calculateSerialNumber(),
+            Date.from(Instant.now().minus(1, ChronoUnit.DAYS)),
+            Date.from(Instant.now().plus(365, ChronoUnit.DAYS)),
+            subject,
+            clientKeyPair.getPublic()
+        );
+
+        certBuilder
+            .addExtension(Extension.basicConstraints, true, new BasicConstraints(false))
+            .addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature));
+
+        ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSAEncryption")
+            .setProvider("BC")
+            .build(caKeyPair.privateKey().data());
+
+        JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider("BC");
+
+        X509Certificate certificate = converter.getCertificate(certBuilder.build(signer));
+
+        return new X509Pair(new X509Cert(certificate), new X509Key(clientKeyPair.getPrivate()));
+    }
+
+    /**
+     * Generate a Certificate Revocation List (CRL) with optional revoked certificates.
+     * @param caKeyPair the CA key pair used to sign the CRL
+     * @param revokedCerts optional array of certificates to mark as revoked
+     * @return an X509CRL object
+     * @throws Exception when something wrong happened when generating the CRL
+     */
+    public static X509CRL generateCRL(X509Pair caKeyPair, X509Certificate... revokedCerts) throws Exception {
+        X509v2CRLBuilder crlBuilder = new JcaX509v2CRLBuilder(
+            caKeyPair.certificate().data().getSubjectX500Principal(),
+            Date.from(Instant.now().minus(1, ChronoUnit.DAYS))
+        );
+
+        crlBuilder.setNextUpdate(Date.from(Instant.now().plus(7, ChronoUnit.DAYS)));
+
+        JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
+        crlBuilder.addExtension(
+            Extension.authorityKeyIdentifier,
+            false,
+            extUtils.createAuthorityKeyIdentifier(caKeyPair.certificate().data())
+        );
+
+        if (revokedCerts.length > 0) {
+            ExtensionsGenerator extGen = new ExtensionsGenerator();
+            extGen.addExtension(Extension.reasonCode, false, CRLReason.lookup(CRLReason.privilegeWithdrawn));
+            var extensions = extGen.generate();
+            for (X509Certificate cert : revokedCerts) {
+                crlBuilder.addCRLEntry(cert.getSerialNumber(), new Date(), extensions);
+            }
+        }
+
+        ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSAEncryption")
+            .setProvider("BC")
+            .build(caKeyPair.privateKey().data());
+
+        JcaX509CRLConverter converter = new JcaX509CRLConverter().setProvider("BC");
+
+        return converter.getCRL(crlBuilder.build(signer));
+    }
+
+    /**
+     * Write a CRL to a PEM file.
+     * @param crl the CRL to write
+     * @param path the file path
+     * @throws Exception when something wrong happened when writing the CRL
+     */
+    public static void writeCrlToPemFile(X509CRL crl, Path path) throws Exception {
+        try (var writer = new StringWriter(); var pemWriter = new JcaPEMWriter(writer)) {
+            pemWriter.writeObject(crl);
+            pemWriter.flush();
+            Files.writeString(path, writer.toString());
+        }
+    }
+
+    private static BigInteger calculateSerialNumber() {
+        return BigInteger.valueOf(SERIAL_COUNTER.incrementAndGet());
+    }
 }

gravitee-apim-gateway/gravitee-apim-gateway-tests-sdk/src/test/java/io/gravitee/apim/gateway/tests/sdk/utils/TLSUtilsTest.java

@@ -95,4 +95,77 @@ void should_convert_keystore_to_truststore() throws Exception {
         assertThat(trustStore.isKeyEntry("foo")).isFalse();
         assertThatCode(() -> trustStore.getEntry("foo", null)).doesNotThrowAnyException();
     }
+
+    @Test
+    void should_create_CA_certificate() throws Exception {
+        TLSUtils.X509Pair ca = TLSUtils.createCA("Test CA");
+        assertThat(ca.certificate()).isNotNull();
+        assertThat(ca.certificate().data()).isNotNull();
+        assertThat(ca.certificate().data().getSubjectX500Principal().getName()).contains("CN=Test CA");
+        assertThat(ca.privateKey()).isNotNull();
+        assertThat(ca.privateKey().data()).isNotNull();
+        assertThat(ca.privateKey().data().getAlgorithm()).isEqualTo("RSA");
+
+        assertThat(ca.certificate().data().getBasicConstraints()).isGreaterThanOrEqualTo(0); // is CA
+        assertThat(ca.certificate().data().getKeyUsage()).isNotNull();
+        assertThat(ca.certificate().data().getKeyUsage()[5]).isTrue(); // keyCertSign
+        assertThat(ca.certificate().data().getKeyUsage()[6]).isTrue(); // cRLSign
+    }
+
+    @Test
+    void should_create_CA_signed_certificate() throws Exception {
+        TLSUtils.X509Pair ca = TLSUtils.createCA("Test CA");
+        TLSUtils.X509Pair client = TLSUtils.createCASignedCertificate(ca, "client");
+
+        assertThat(client.certificate()).isNotNull();
+        assertThat(client.certificate().data()).isNotNull();
+        assertThat(client.certificate().data().getSubjectX500Principal().getName()).contains("CN=client");
+        assertThat(client.privateKey()).isNotNull();
+
+        assertThatCode(() -> client.certificate().data().verify(ca.certificate().data().getPublicKey())).doesNotThrowAnyException();
+
+        assertThat(client.certificate().data().getBasicConstraints()).isEqualTo(-1);
+    }
+
+    @Test
+    void should_generate_empty_CRL() throws Exception {
+        TLSUtils.X509Pair ca = TLSUtils.createCA("Test CA");
+        var crl = TLSUtils.generateCRL(ca);
+
+        assertThat(crl).isNotNull();
+        assertThat(crl.getIssuerX500Principal()).isEqualTo(ca.certificate().data().getSubjectX500Principal());
+        assertThat(crl.getRevokedCertificates()).isNullOrEmpty();
+
+        assertThatCode(() -> crl.verify(ca.certificate().data().getPublicKey())).doesNotThrowAnyException();
+    }
+
+    @Test
+    void should_generate_CRL_with_revoked_certificates() throws Exception {
+        TLSUtils.X509Pair ca = TLSUtils.createCA("Test CA");
+        TLSUtils.X509Pair client1 = TLSUtils.createCASignedCertificate(ca, "client1");
+        TLSUtils.X509Pair client2 = TLSUtils.createCASignedCertificate(ca, "client2");
+
+        var crl = TLSUtils.generateCRL(ca, client1.certificate().data(), client2.certificate().data());
+
+        assertThat(crl).isNotNull();
+        assertThat(crl.getRevokedCertificates()).hasSize(2);
+        assertThat(crl.isRevoked(client1.certificate().data())).isTrue();
+        assertThat(crl.isRevoked(client2.certificate().data())).isTrue();
+
+        // Verify CRL is signed by CA
+        assertThatCode(() -> crl.verify(ca.certificate().data().getPublicKey())).doesNotThrowAnyException();
+    }
+
+    @Test
+    void should_write_CRL_to_PEM_file() throws Exception {
+        TLSUtils.X509Pair ca = TLSUtils.createCA("Test CA");
+        TLSUtils.X509Pair client = TLSUtils.createCASignedCertificate(ca, "revoked-client");
+        var crl = TLSUtils.generateCRL(ca, client.certificate().data());
+
+        Path crlFile = Files.createTempFile("test-crl", ".pem");
+        TLSUtils.writeCrlToPemFile(crl, crlFile);
+
+        assertThat(crlFile).exists();
+        assertThat(crlFile).content().startsWith("-----BEGIN X509 CRL").endsWith("-----END X509 CRL-----\n");
+    }
 }