fix(edge): add server certificate revalidation for mTLS connections [BE-11609] (#456)

Viktor Pettersson · web-flow · commit 6dfaf504f8f2 · 2025-02-26T16:11:53.000+01:00
diff --git a/edge/client/build.go b/edge/client/build.go
@@ -18,14 +18,16 @@ import (
 )
 
 type edgeHTTPClient struct {
-	httpClient    *http.Client
-	options       *agent.Options
-	revokeService *revoke.Service
-	certMTime     time.Time
-	keyMTime      time.Time
-	caMTime       time.Time
-	mu            sync.RWMutex
-	localAddr     *net.TCPAddr
+	httpClient       *http.Client
+	options          *agent.Options
+	revokeService    *revoke.Service
+	certMTime        time.Time
+	keyMTime         time.Time
+	caMTime          time.Time
+	mu               sync.RWMutex
+	localAddr        *net.TCPAddr
+	verifiedChains   [][]*x509.Certificate // verifiedChains is used to store the verified certificate chains from the mTLS handshake
+	verifiedChainsMu sync.RWMutex
 }
 
 func BuildHTTPClient(timeout float64, options *agent.Options) *edgeHTTPClient {
@@ -55,6 +57,15 @@ func (c *edgeHTTPClient) Do(req *http.Request) (*http.Response, error) {
 		c.mu.Unlock()
 	}
 
+	// If mTLS is enforced and there is an established connection, check validity of server certificates
+	if !c.options.EdgeInsecurePoll {
+		if err := c.verifyPeerCertificate(nil, c.getVerifiedChains()); err != nil {
+			c.mu.Lock()
+			c.httpClient.Transport = c.buildTransport()
+			c.mu.Unlock()
+		}
+	}
+
 	c.mu.RLock()
 	defer c.mu.RUnlock()
 
@@ -139,22 +150,54 @@ func (c *edgeHTTPClient) buildTransport() *http.Transport {
 		return &cert, err
 	}
 
-	transport.TLSClientConfig.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-		for _, chain := range verifiedChains {
-			for _, cert := range chain {
-				revoked, err := c.revokeService.VerifyCertificate(cert)
-				if err != nil {
-					return err
-				}
-
-				if revoked {
-					return errors.New("certificate has been revoked")
-				}
-			}
-		}
+	transport.TLSClientConfig.VerifyPeerCertificate = c.verifyPeerCertificate
+
+	transport.TLSClientConfig.VerifyConnection = func(state tls.ConnectionState) error {
+		// Note, this callback is called during the TLS handshake, but after the VerifyPeerCertificate callback.
+		// The state argument contains the verified chains, which are used to check if certificates have been revoked, or expired.
+		c.setVerifiedChains(state.VerifiedChains)
 
 		return nil
 	}
 
 	return transport
 }
+
+// verifyPeerCertificate is a callback that adheres to the tls.Config.VerifyPeerCertificate signature. It is used to
+// verify the peer certificate chain and check if the certificate has been revoked.
+func (c *edgeHTTPClient) verifyPeerCertificate(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
+	for _, chain := range verifiedChains {
+		for _, cert := range chain {
+			revoked, err := c.revokeService.VerifyCertificate(cert)
+			if err != nil {
+				return err
+			}
+
+			if revoked {
+				return errors.New("certificate has been revoked")
+			}
+		}
+	}
+
+	return nil
+}
+
+func (c *edgeHTTPClient) setVerifiedChains(chains [][]*x509.Certificate) {
+	c.verifiedChainsMu.Lock()
+	defer c.verifiedChainsMu.Unlock()
+
+	c.verifiedChains = chains
+}
+
+func (c *edgeHTTPClient) getVerifiedChains() [][]*x509.Certificate {
+	c.verifiedChainsMu.RLock()
+	defer c.verifiedChainsMu.RUnlock()
+
+	verifiedChains := make([][]*x509.Certificate, len(c.verifiedChains))
+	for i, chain := range c.verifiedChains {
+		verifiedChains[i] = make([]*x509.Certificate, len(chain))
+		copy(verifiedChains[i], chain)
+	}
+
+	return verifiedChains
+}
diff --git a/edge/revoke/revoke.go b/edge/revoke/revoke.go
@@ -123,8 +123,6 @@ func (service *Service) certIsRevokedCRL(cert *x509.Certificate, url string) (re
 		}
 	}
 
-	issuer := service.getIssuer(cert)
-
 	if shouldFetchCRL {
 		var err error
 		crl, err = service.fetchCRL(url)
@@ -135,7 +133,7 @@ func (service *Service) certIsRevokedCRL(cert *x509.Certificate, url string) (re
 		}
 
 		// check CRL signature
-		if issuer != nil {
+		if issuer := service.getIssuer(cert); issuer != nil {
 			err = issuer.CheckCRLSignature(crl)
 			if err != nil {
 				log.Warn().Str("url", url).Err(err).Msg("failed verifying CRL")

Original file line number	Diff line number	Diff line change
`@@ -123,8 +123,6 @@ func (service Service) certIsRevokedCRL(cert x509.Certificate, url string) (re`
`123`	`123`	`}`
`124`	`124`	`}`
`125`	`125`
`126`		`- issuer := service.getIssuer(cert)`
`127`		`-`
`128`	`126`	`if shouldFetchCRL {`
`129`	`127`	`var err error`
`130`	`128`	`crl, err = service.fetchCRL(url)`
`@@ -135,7 +133,7 @@ func (service Service) certIsRevokedCRL(cert x509.Certificate, url string) (re`
`135`	`133`	`}`
`136`	`134`
`137`	`135`	`// check CRL signature`
`138`		`- if issuer != nil {`
	`136`	`+ if issuer := service.getIssuer(cert); issuer != nil {`
`139`	`137`	`err = issuer.CheckCRLSignature(crl)`
`140`	`138`	`if err != nil {`
`141`	`139`	`log.Warn().Str("url", url).Err(err).Msg("failed verifying CRL")`