WIP on the safely rotate of root and federated certificates.

Fixes smallstep#23

Author: maraino

ca/mutable_tls_config.go

@@ -0,0 +1,109 @@
+package ca
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"sync"
+
+	"github.com/smallstep/certificates/api"
+)
+
+// mutableTLSConfig allows to use a tls.Config with mutable cert pools.
+type mutableTLSConfig struct {
+	sync.RWMutex
+	config         *tls.Config
+	clientCerts    []*x509.Certificate
+	rootCerts      []*x509.Certificate
+	mutClientCerts []*x509.Certificate
+	mutRootCerts   []*x509.Certificate
+}
+
+// newMutableTLSConfig creates a new mutableTLSConfig using the passed one as
+// the base one.
+func newMutableTLSConfig() *mutableTLSConfig {
+	return &mutableTLSConfig{
+		clientCerts:    []*x509.Certificate{},
+		rootCerts:      []*x509.Certificate{},
+		mutClientCerts: []*x509.Certificate{},
+		mutRootCerts:   []*x509.Certificate{},
+	}
+}
+
+// Init initializes the mutable tls.Config with the given tls.Config.
+func (c *mutableTLSConfig) Init(base *tls.Config) {
+	c.Lock()
+	c.config = base.Clone()
+	c.Unlock()
+}
+
+// TLSConfig returns the updated tls.Config it it has changed. It's is used in
+// the tls.Config GetConfigForClient.
+func (c *mutableTLSConfig) TLSConfig() (config *tls.Config) {
+	c.RLock()
+	config = c.config
+	c.RUnlock()
+	return
+}
+
+// Reload reloads the tls.Config with the new CAs.
+func (c *mutableTLSConfig) Reload() {
+	// Prepare new pools
+	c.RLock()
+	rootCAs := x509.NewCertPool()
+	clientCAs := x509.NewCertPool()
+	// Fixed certs
+	for _, cert := range c.rootCerts {
+		rootCAs.AddCert(cert)
+	}
+	for _, cert := range c.clientCerts {
+		clientCAs.AddCert(cert)
+	}
+	// Mutable certs
+	for _, cert := range c.mutRootCerts {
+		rootCAs.AddCert(cert)
+	}
+	for _, cert := range c.mutClientCerts {
+		clientCAs.AddCert(cert)
+	}
+	c.RUnlock()
+
+	// Set new pool
+	c.Lock()
+	c.config.RootCAs = rootCAs
+	c.config.ClientCAs = clientCAs
+	c.mutRootCerts = []*x509.Certificate{}
+	c.mutClientCerts = []*x509.Certificate{}
+	c.Unlock()
+}
+
+// AddFixedClientCACert add an in-mutable cert to ClientCAs.
+func (c *mutableTLSConfig) AddInmutableClientCACert(cert *x509.Certificate) {
+	c.Lock()
+	c.clientCerts = append(c.clientCerts, cert)
+	c.Unlock()
+}
+
+// AddInmutableRootCACert add an in-mutable cert to RootCas.
+func (c *mutableTLSConfig) AddInmutableRootCACert(cert *x509.Certificate) {
+	c.Lock()
+	c.rootCerts = append(c.rootCerts, cert)
+	c.Unlock()
+}
+
+// AddClientCAs add mutable certs to ClientCAs.
+func (c *mutableTLSConfig) AddClientCAs(certs []api.Certificate) {
+	c.Lock()
+	for _, cert := range certs {
+		c.mutClientCerts = append(c.mutClientCerts, cert.Certificate)
+	}
+	c.Unlock()
+}
+
+// AddRootCAs add mutable certs to RootCAs.
+func (c *mutableTLSConfig) AddRootCAs(certs []api.Certificate) {
+	c.Lock()
+	for _, cert := range certs {
+		c.mutRootCerts = append(c.mutRootCerts, cert.Certificate)
+	}
+	c.Unlock()
+}

ca/tls.go

@@ -21,13 +21,21 @@ import (
 // sign certificate, and a new certificate pool with the sign root certificate.
 // The client certificate will automatically rotate before expiring.
 func (c *Client) GetClientTLSConfig(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey, options ...TLSOption) (*tls.Config, error) {
-	cert, err := TLSCertificate(sign, pk)
+	tlsConfig, _, err := c.getClientTLSConfig(ctx, sign, pk, options)
 	if err != nil {
 		return nil, err
 	}
+	return tlsConfig, nil
+}
+
+func (c *Client) getClientTLSConfig(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey, options []TLSOption) (*tls.Config, *http.Transport, error) {
+	cert, err := TLSCertificate(sign, pk)
+	if err != nil {
+		return nil, nil, err
+	}
 	renewer, err := NewTLSRenewer(cert, nil)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	tlsConfig := getDefaultTLSConfig(sign)
@@ -43,22 +51,24 @@ func (c *Client) GetClientTLSConfig(ctx context.Context, sign *api.SignResponse,
 	// Apply options if given
 	tlsCtx := newTLSOptionCtx(c, tlsConfig)
 	if err := tlsCtx.apply(options); err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	// Update renew function with transport
 	tr, err := getDefaultTransport(tlsConfig)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
+	// Use mutable tls.Config on renew
+	tr.DialTLS = c.buildDialTLS(tlsCtx)
 	renewer.RenewCertificate = getRenewFunc(tlsCtx, c, tr, pk)
 
 	// Update client transport
 	c.client.Transport = tr
 
 	// Start renewer
 	renewer.RunContext(ctx)
-	return tlsConfig, nil
+	return tlsConfig, tr, nil
 }
 
 // GetServerTLSConfig returns a tls.Config for server use configured with the
@@ -96,11 +106,18 @@ func (c *Client) GetServerTLSConfig(ctx context.Context, sign *api.SignResponse,
 		return nil, err
 	}
 
+	// GetConfigForClient allows seamless root and federated roots rotation.
+	// If the return of the callback is not-nil, it will use the returned
+	// tls.Config instead of the default one.
+	tlsConfig.GetConfigForClient = c.buildGetConfigForClient(tlsCtx)
+
 	// Update renew function with transport
 	tr, err := getDefaultTransport(tlsConfig)
 	if err != nil {
 		return nil, err
 	}
+	// Use mutable tls.Config on renew
+	tr.DialTLS = c.buildDialTLS(tlsCtx)
 	renewer.RenewCertificate = getRenewFunc(tlsCtx, c, tr, pk)
 
 	// Update client transport
@@ -113,11 +130,34 @@ func (c *Client) GetServerTLSConfig(ctx context.Context, sign *api.SignResponse,
 
 // Transport returns an http.Transport configured to use the client certificate from the sign response.
 func (c *Client) Transport(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey, options ...TLSOption) (*http.Transport, error) {
-	tlsConfig, err := c.GetClientTLSConfig(ctx, sign, pk, options...)
+	_, tr, err := c.getClientTLSConfig(ctx, sign, pk, options)
 	if err != nil {
 		return nil, err
 	}
-	return getDefaultTransport(tlsConfig)
+	return tr, nil
+}
+
+// buildGetConfigForClient returns an implementation of GetConfigForClient
+// callback in tls.Config.
+//
+// If the implementation returns a nil tls.Config, the original Config will be
+// used, but if it's non-nil, the returned Config will be used to handle this
+// connection.
+func (c *Client) buildGetConfigForClient(ctx *TLSOptionCtx) func(*tls.ClientHelloInfo) (*tls.Config, error) {
+	return func(*tls.ClientHelloInfo) (*tls.Config, error) {
+		return ctx.mutableConfig.TLSConfig(), nil
+	}
+}
+
+// buildDialTLS returns an implementation of DialTLS callback in http.Transport.
+func (c *Client) buildDialTLS(ctx *TLSOptionCtx) func(network, addr string) (net.Conn, error) {
+	return func(network, addr string) (net.Conn, error) {
+		return tls.DialWithDialer(&net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+			DualStack: true,
+		}, network, addr, ctx.mutableConfig.TLSConfig())
+	}
 }
 
 // Certificate returns the server or client certificate from the sign response.