Added support for CRL check (#62)

Add support for CRL to check for the server certificate is revocation status.

Co-authored-by: @tsaarni

Author: tsaarni

CHANGELOG.md

@@ -2,6 +2,7 @@
   - Change codec instance comparison [#69](https://github.com/logstash-plugins/logstash-output-syslog/pull/69)
   - Added support for RFC5424 structured data [#67](https://github.com/logstash-plugins/logstash-output-syslog/pull/67)
   - The SNI (Server Name Indication) extension is now used when connecting to syslog server with TLS and `host` is set to FQDN (Fully Qualified Domain Name) [#66](https://github.com/logstash-plugins/logstash-output-syslog/pull/66)
+  - Add support for CRL to check for the server certificate is revocation status [#62](https://github.com/logstash-plugins/logstash-output-syslog/pull/62)
 
 ## 3.0.5
   - Docs: Set the default_codec doc attribute.

docs/index.asciidoc

@@ -58,6 +58,8 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-ssl_verify>> |<<boolean,boolean>>|No
+| <<plugins-{type}s-{plugin}-ssl_crl>> |a valid filesystem path|No
+| <<plugins-{type}s-{plugin}-ssl_crl_check_all>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-use_labels>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-structured_data>> |<<string,string>>|No
 |=======================================================================
@@ -226,6 +228,24 @@ SSL key passphrase
 
 Verify the identity of the other end of the SSL connection against the CA.
 
+[id="plugins-{type}s-{plugin}-ssl_crl"]
+===== `ssl_crl`
+
+  * Value type is <<path,path>>
+  * There is no default value for this setting.
+
+SSL CRL path for checking the revocation status of the server certificate.
+File may contain one or more PEM encoded CRLs.
+
+[id="plugins-{type}s-{plugin}-ssl_crl_check_all"]
+===== `ssl_crl_check_all`
+
+  * Value type is <<boolean,boolean>>
+  * Default value is `false`
+
+If this option is set to false, only the certificate at the end of the certificate chain will be subject to validation by CRL.
+If set to true the complete chain is validated. CRLs must be available from all CAs.
+
 [id="plugins-{type}s-{plugin}-use_labels"]
 ===== `use_labels` 
 

lib/logstash/outputs/syslog.rb

@@ -54,6 +54,8 @@ class LogStash::Outputs::Syslog < LogStash::Outputs::Base
     "debug",
   ]
 
+  CRL_END_TAG = "\n-----END X509 CRL-----\n"
+
   # syslog server address to connect to
   config :host, :validate => :string, :required => true
 
@@ -81,6 +83,12 @@ class LogStash::Outputs::Syslog < LogStash::Outputs::Base
   # SSL key passphrase
   config :ssl_key_passphrase, :validate => :password, :default => nil
 
+  # CRL file or bundle of CRLs
+  config :ssl_crl, :validate => :path
+
+  # Check CRL for only leaf certificate (false) or require CRL check for the complete chain (true)
+  config :ssl_crl_check_all, :validate => :boolean, :default => false
+
   # use label parsing for severity and facility levels
   # use priority field if set to false
   config :use_labels, :validate => :boolean, :default => true
@@ -248,6 +256,14 @@ def setup_ssl
       else
         cert_store.add_file(@ssl_cacert)
       end
+      if @ssl_crl
+        # copy the behavior of X509_load_crl_file() which supports loading bundles of CRLs.
+        File.read(@ssl_crl).split(CRL_END_TAG).each do |crl|
+          crl << CRL_END_TAG
+          cert_store.add_crl(OpenSSL::X509::CRL.new(crl))
+        end
+        cert_store.flags = @ssl_crl_check_all ? OpenSSL::X509::V_FLAG_CRL_CHECK|OpenSSL::X509::V_FLAG_CRL_CHECK_ALL : OpenSSL::X509::V_FLAG_CRL_CHECK
+      end
       ssl_context.cert_store = cert_store
       ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
     end

spec/fixtures/README.txt

@@ -0,0 +1 @@
+To regenerate the test certificates, you can use https://github.com/tsaarni/certyaml.

spec/fixtures/ca-crl.pem

@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBmDCBgQIBATANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJjYRcNMjMwOTEz
+MTEwOTA4WhcNMjMwOTIwMTEwOTA4WjAbMBkCCBeEcMRQn525Fw0yMzA5MTMxMTA5
+MDhaoCMwITAfBgNVHSMEGDAWgBRNukfgtxJMkwu7XMvQ8ETWqi5BVTANBgkqhkiG
+9w0BAQsFAAOCAQEAEMhDOnI3Nh8ggAty32gkGwVd4ypGrVu8dI0CvD+PjnYRAHfK
+Ngs4ByGOM5mKVTN63To6MulytSRR2WtW4JwcfHq1N9lQiL3qLePcU0CNYfcpRK48
+yRVV9qXV2jQAT2halBEhAqlyOH6+enFklCQNUdeCO38jWGPwFOyS4zR+PYWYuymq
+WhtScDaHqk/8DZmY/nblabZ4BIDmActqtfpjR+nF8xhTwThgPpETJkQFh3N4PCy+
+UHp46T5hMlib1Dj1JN/TvSW9XsW40QSJGhqOaaEB0tZKRnGWzpABgcMylrtmuVW/
+du7jT9nrGVczZYoaxF9HVRNHs5d9jUgqfDVETg==
+-----END X509 CRL-----

spec/fixtures/ca-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC1bRafVn9FLMBV
+sxq49Zv69XJIMPkm7jr6c67jXIw+V7H1xYrwsPhtpnu4naM185T6F4IStFuBu0Kt
+gAw61t3xk0EIwEIN0ESG6g1DUVnk0lamvN/qjgg92sFrsb14L16rO8hEF5x2EGho
+pq4+0irCggUjG2CiJ7PYQhMW8PQU3XSZT3K6H+Csegvt5wjDYLcxtxcptRdBHlvl
+WAQACg1e2qQ36KL+3tRwVFkbv2zwvAu55DzHHoGlOwfyd4iyLnk9Bw1GIp8gJaqi
+odSESvOAxkHLeVUqq8vzr3kRN+pNN6lWADxcOTyATiwzkPKje+5WJn44ROvombtm
+9l++KT+VAgMBAAECggEBALJDD7lb+g10HT+XjigyXCLHzJSWWhkgdx7jT/HiW4Je
+FGPSx+QbXt4OeP47FcTLI5RgSNQsFsVvw+JKMLoXqVfWQk5g6gY8nziY/JMqedNV
+wQJwDuuexwZPzUEOEYbntHM3eF0/feKb2JsLO6ZKRu17Z6TJH7f0nsdclPkzpABi
+uJUChSVmHvcI7lK2aKrrW7NLgO05VDKNp0Z+9f7m3qpsputdc01+S50D9+I6FXOv
+zPBdjNz4LYvKLqdBkJZerBeViTvQ+YcoovxQzy6g5gaWfknVy/vvUG7DXN1yptJ0
+si4ZLT0WbSRX0NU7tAuaaQ2dCVgzYEheYQwDBqFq/4ECgYEA3pRFsyW4doAbY3R7
+598LZjoMGr8LzllOxJEjEPnQiC4sSn2kP2HJ9YQBHt/oZ9Sixx5RmLF05jbWVpEE
+FKxNqPj3B1Ny11lMTUYc8nmu6040u1F30XrG3fRB7bPUSMq7+SfeM9CBMiDlMsJG
+CqJUt6Mf4HiwBIY9cQn8HB5KBbECgYEA0KrusLgxzquF/I7eFEzVdf4u2GlRB8lw
+QDFZNkx4AmHca+dVDUb/QWRGvaHN6Mn9vS1CC1GqO7Vpx6FD6BOm/+ZMHTEFpXmz
+CkDTjXv3oivzfJmec/YCaSSx/xjaYPdz9xesfNhBzraAh1c+KeG4ilYZ/z9H1yAV
++03o+dxffSUCgYEAra1A3dM3JrA7rtU7wehW+sOcolokmjUxs0wU8rAbucddpBp5
+yUNC1aLVRQQuUqanBXxw6xa9Qs3TXeT2LDNuvcTW7Q5+c+8oDLwC5mlwxgdWOjwN
+pJWLC7IGp7ZElTAskPQ8/G1cAoOMlJjnEnEsbcaJnxxNLJqa4tOJt18jH2ECgYA4
+cgSfSTQv87YK25q3YxFbGacSY2rH8HWs56x6Q7Uy78XwamNXdB0YU0fPhDVvAzTg
+N53l8fFatXgnyDfWT3qdPm7YdqpQWNtVqrOPUjlqZPk4e1WhiKqeRo7fsplgIY/9
+Byphmx4yDKw38CGgsq54vVHK+hM03jkUAb9D15j9AQKBgF+mgmL8teGiKPM6u932
+O5zX/vwvcdxdT/BInliJA2I/gJZ0wYEIMcFlTSl8DI52nBZIssjPpNRp4W3fKWR3
+tnbBzFiFXU88l6QOd3NotINFh/br0LOaJ550zyepcx9z6mN1Z5vv0iYgsZE78nCg
+Z6Tlk4gYoS3xG1q5V1f0JJee
+-----END PRIVATE KEY-----

spec/fixtures/ca.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4DCCAcigAwIBAgIIF4RwxEiEg+UwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UE
+AxMCY2EwIBcNNzAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMA0xCzAJBgNV
+BAMTAmNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtW0Wn1Z/RSzA
+VbMauPWb+vVySDD5Ju46+nOu41yMPlex9cWK8LD4baZ7uJ2jNfOU+heCErRbgbtC
+rYAMOtbd8ZNBCMBCDdBEhuoNQ1FZ5NJWprzf6o4IPdrBa7G9eC9eqzvIRBecdhBo
+aKauPtIqwoIFIxtgoiez2EITFvD0FN10mU9yuh/grHoL7ecIw2C3MbcXKbUXQR5b
+5VgEAAoNXtqkN+ii/t7UcFRZG79s8LwLueQ8xx6BpTsH8neIsi55PQcNRiKfICWq
+oqHUhErzgMZBy3lVKqvL8695ETfqTTepVgA8XDk8gE4sM5Dyo3vuViZ+OETr6Jm7
+ZvZfvik/lQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB
+/zAdBgNVHQ4EFgQUTbpH4LcSTJMLu1zL0PBE1qouQVUwDQYJKoZIhvcNAQELBQAD
+ggEBADG3pp79VsvFqR3dAznHtMmprya6gLbh6/oFLGeSaYRZG/eIQQFdnGBxhBu/
+7YfYsZ385ATRvPB5diwpbPZ0u6PVLkXhE2RbYwV3EtPTvRHoTAB1/jdzAp5OoKlx
+DEpN45KiGgkwknkBz0NEPKoOPc++dTnPn1SD3mqdIPSBD+nDrQibCKODAhN+TjfZ
+Fith6yp+RIgst62RrFML56/EhKF4TgCXPKQBvXTXhwyBKeMlXglxhxghXXa+9Pw6
+X6PL238t3iGJm/ClZd+nyifPjR1DUNVJQXDC/ZDsI6qHe5TNZyYBBwC6ymDd/sCU
+L/SfQIFGjFAc2GP3DCiZM5HgvFg=
+-----END CERTIFICATE-----

spec/fixtures/certs.yaml

@@ -0,0 +1,34 @@
+subject: cn=ca
+key_type: RSA
+not_before: 1970-01-01T00:00:00Z
+not_after: 2100-01-01T00:00:00Z
+---
+subject: cn=valid-server
+issuer: cn=ca
+key_type: RSA
+not_before: 1970-01-01T00:00:00Z
+not_after: 2100-01-01T00:00:00Z
+sans:
+- DNS:localhost
+---
+subject: cn=revoked-server
+issuer: cn=ca
+key_type: RSA
+revoked: true
+not_before: 1970-01-01T00:00:00Z
+not_after: 2100-01-01T00:00:00Z
+sans:
+- DNS:localhost
+---
+subject: cn=untrusted-server
+key_type: RSA
+ca: false
+not_before: 1970-01-01T00:00:00Z
+not_after: 2100-01-01T00:00:00Z
+sans:
+- DNS:localhost
+---
+subject: cn=client
+issuer: cn=ca
+key_type: RSA
+---

spec/fixtures/client-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCnPqjlJMF4uvsN
+t1kdrVP/Zi3KS3dvCg2Dpg1BAyo0nhe8vKHAAK0TE9//peTOqt5P+hps7fw4SG3N
+ZNmmkOk8u6B0I15FLHywTsMPU9H+gLrte8Y/yZC4AbdmVrYFml83Q41wGj8UM05t
+pslVMfkveNkG/LBzKrPENo2Wb2+2/Um/BzNsaX0bhg7MGesD8TjhMFmh+kvChUMp
+jFK4dKDOlXFMBLd43wtNVeWDz7duNx/oz6LyQ5JsAmVCHCMxlgc4GQEeUJ2lEnkI
+Jw+lwDCKutwIQ4lm6pWAm4KU/BTcA7h6PWM0ku6XnfW7/xbT0FdeKnga8uTO8+vM
+7/GqawGLAgMBAAECggEAdJl38QG2LTDXNVHdvJYKGOapB/+jTfQJRf5wASJuu255
+CCnO72jJQaK6qaaEJh30jnfFEqq9DJRakTc9kyY2phP9otrBr6J7cAQJdFcw8anY
+KRgBOJmT3uW7cosDrlZZCdN7+WsjDTdT95ivh0km/JTZYkir0C82U5bhEb+xeDZv
+f/76b1gDYz3ZrvQMnb4x+60vb9U7iVrnXNEVxle/FhpLNbA9tsFLoSsm/6SbEnju
+cyimwmkMnQhPdiN5wmdTzXaTTsM3Ayomtj2bZZMTM9VSrFYAFPYAh2GwX7xn1hmo
+gacYqZcXgqu+uIE812hbWEAFmaS3vrxNVAXwa7IjkQKBgQDeR9EdabphDryvgjgA
+MUm5TxKKp5Wm9Cz+FiEUASFxoduuCdSb4vq2YGL5PL22MNxmMtYq2oc/dZOMtr45
+hruq0IZmVBNlViqjjcY1J3zvBRWSn93JdSY32o3g3rpgx6/6AZvUzfJmbwVcZBZR
+VimCf6oknoNt3lADEJXaVtYBAwKBgQDAnYyGPrufS52dRinnuFVImKX/FvbFDYJI
+F31cfi2y4y+g0tFFh0vjG0qVkxkBII5Cy5y1brLYColVWd8gWKibQMJ0TVZfV1ez
+gAkR69XIdMLlHl5oXzwyaMYLnsx6MYgzPRHB2ojhtGiEym0dUUrzovl4zB9+LpRd
+z6hpMoti2QKBgQDPWo9osMh84hKCZyd2hoQPqgPR9KNWK1INdPdGggeAyUz0/Zao
+FQVsPF4XwuH2o332mFXRhCnGuRf7nD23zEglAIFf0+6ECe2cxRSxYTTahBOrxBZR
+aEdOs0LHEv8qaR1wSy/jRHtrswV9OqDXH1l5sz41CunwBAL/2Ojx1S+toQKBgQCB
+iPK6TXIMXOPwowEHjtX77nykIqNuPfmB1ho+m7TL+zFKrLyET8rfPrlYAgbs1SIX
+Faub8Ihh9iQJvFjr/fPWBSVA5cnScIDQfKic3sd0+eEgCN5gvrtTA1c89Vx6SNlZ
+7BYHEpq/f35S33emIceQNegkLtJ3H4gz1rVhmdZXcQKBgQCl1OvIJI7FmBzG1XPz
+VNkE1nCPhXZEnrR3csZsiJiHCkI+t7izoIwFZZnEaW/+rqrZAWjMdFu11hy0Fz1n
+y74CmHrlupOoSbNZlB7w7MfqZydqXT6XXgjHdlnR9+celzkS7HnZ/jxwJChCnznm
+JR8q9KOY82PMpTHNnlEoUDqCJA==
+-----END PRIVATE KEY-----

spec/fixtures/client.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIIF4RwxFvwiMEwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UE
+AxMCY2EwHhcNMjMwOTEzMTEwOTA4WhcNMjQwOTEyMTEwOTA4WjARMQ8wDQYDVQQD
+EwZjbGllbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnPqjlJMF4
+uvsNt1kdrVP/Zi3KS3dvCg2Dpg1BAyo0nhe8vKHAAK0TE9//peTOqt5P+hps7fw4
+SG3NZNmmkOk8u6B0I15FLHywTsMPU9H+gLrte8Y/yZC4AbdmVrYFml83Q41wGj8U
+M05tpslVMfkveNkG/LBzKrPENo2Wb2+2/Um/BzNsaX0bhg7MGesD8TjhMFmh+kvC
+hUMpjFK4dKDOlXFMBLd43wtNVeWDz7duNx/oz6LyQ5JsAmVCHCMxlgc4GQEeUJ2l
+EnkIJw+lwDCKutwIQ4lm6pWAm4KU/BTcA7h6PWM0ku6XnfW7/xbT0FdeKnga8uTO
+8+vM7/GqawGLAgMBAAGjMzAxMA4GA1UdDwEB/wQEAwIFoDAfBgNVHSMEGDAWgBRN
+ukfgtxJMkwu7XMvQ8ETWqi5BVTANBgkqhkiG9w0BAQsFAAOCAQEAkyK273ywVTm8
+SFssX0igt/sGDD/PMy9D9X5ovg7083g6FFYqdP9bWrkIasXzVb5s0feeV/tAV+DO
+sDjHcR7K5SwBjsNdYA+wie5WC1XaKAxSVNfe+VnwbZcgXaHcKPeqG7S3ZHJ3riRh
+GTPMArnb/w9+RqWTTSsxEvzw1lPVVbqFDiAPHsg6FTKetNEr83xbOzk4EOAnD2Hq
+CgKstcxl+lm8kaIhz1Jd5wVZ68i/+wDLRtk16inkoKIQYFvksdoMjNQLfhc5Cx+h
+4+3gOylszUF92SSbipFmEBs5LJ88G3U35xHS/imI9OdsMNdj4HE9Tk7TiuYH3Kt7
+DUOgg4S+0w==
+-----END CERTIFICATE-----