
Certificate Revocation handling with CRL in Vertx and Java


I'm using Vertx v3.4.1 with vertx-rx-java to run my server. I have to enable certificate based authentication (mutual authentication), hence trying to handle certificate revocation check in the server side.

I'm trying to use the addCrlPath method of HttpServerOptions. However, it looks like it doesn't reload the CRL from the given 'path' or from the certificate's CRL Distribution Point (CDP), even after the already loaded CRL has expired. I can't find any API/documentation on how I can achieve this programmatically using Vertx.

I had a look at the implementation of the getTrustMgrFactory method in the SSLHelper class, and I'm getting the feeling that it will only pick up the CRLs provided at server launch.

So, my queries are:

  1. Am I missing some configuration which ensures the latest CRLs are automatically downloaded from the CDP once the currently loaded CRLs expire?
  2. If they are not automatically downloaded from the CDP, is there any other configuration which can reload the CRL from the same path provided in the addCrlPath method?
  3. If there is no in-built support in Vertx for #1 and #2, is there any other API which provides such support in-built?

Otherwise my only option would be to handle these myself.

Below is the code showing how I'm initializing my server.

import io.vertx.core.http.ClientAuth;
import io.vertx.core.http.HttpServerOptions;
import io.vertx.core.net.PfxOptions;
import io.vertx.rxjava.core.Vertx;
import io.vertx.rxjava.ext.web.Router;
import io.vertx.rxjava.ext.web.RoutingContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class VertxServer {

    private static final Logger LOGGER = LoggerFactory.getLogger(VertxServer.class);

    private Vertx vertx;

    public VertxServer(final Vertx v) {
        this.vertx = v;
    }

    public void init() {
        vertx.createHttpServer(getHttpServerOptions())
                // getRouter() method handles router configuration.
                .requestHandler(req -> getRouter().accept(req))
                .rxListen()
                .doOnSuccess(server -> LOGGER.info("Started listening to server..."))
                .doOnError(e -> LOGGER.error("Unable to listen. Server launch failed", e))
                .subscribe(
                        server -> LOGGER.info("Server launched successfully. {}", server),
                        e -> LOGGER.error("Server launch failed", e));
    }

    private HttpServerOptions getHttpServerOptions() {
        // Server identity: PKCS#12 key store holding the server key and certificate.
        // PfxOptions.setPassword takes a String, not a char[].
        HttpServerOptions options = new HttpServerOptions()
                .setHost("127.0.0.1")
                .setPort(8085)
                .setSsl(true)
                .setPfxKeyCertOptions(
                        new PfxOptions()
                                .setPath("E:\\temp\\certs\\server.pfx")
                                .setPassword("servercertpass")
                );

        setTrustStoreOptions(options);
        return options;
    }

    private void setTrustStoreOptions(final HttpServerOptions options) {
        // Trust store with the CA that issues client certificates, plus the CRL used
        // to reject revoked client certificates during the TLS handshake.
        PfxOptions pfxOptions = new PfxOptions()
                .setPath("E:\\temp\\certs\\client-cert-root.p12")
                .setPassword("clientcertrootpass");
        options.setPfxTrustOptions(pfxOptions)
                .addCrlPath("E:\\temp\\certs\\crls\\client-certs.crl")
                .setClientAuth(ClientAuth.REQUEST);
    }

    // Other methods here, which are not relevant for this question.
}

Solution

  • At the time of writing this query, the option to reload CRLs was not present in Vertx. As per the Vertx Google group discussion, it would require some improvement. This feature may be available after the corresponding changes are implemented.
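Since Vertx itself offered no CRL reload, the remaining option mentioned in the question is to handle it in application code. The following is an added example (not from the question, the answer, or the Vert.x project) of a small helper that re-reads a CRL file from disk once its nextUpdate has passed, verifies the CRL signature against the issuing CA's public key, and fails closed when no fresh CRL is available. The class name, the CA public key parameter, and the file path are assumptions; how the peer certificate is obtained from the request is left to the caller.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.PublicKey;
import java.security.cert.CRLException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.time.Instant;

/** Hypothetical helper: a CRL that is reloaded from disk when it goes stale. Not part of Vert.x. */
public final class ReloadingCrl {
    private final Path crlPath;
    private final PublicKey issuerKey;   // CA key used to verify the CRL signature (assumed input)
    private X509CRL crl;

    public ReloadingCrl(Path crlPath, PublicKey issuerKey) throws Exception {
        this.crlPath = crlPath;
        this.issuerKey = issuerKey;
        this.crl = load();
    }

    private X509CRL load() throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(crlPath)) {
            X509CRL loaded = (X509CRL) cf.generateCRL(in);
            loaded.verify(issuerKey);        // reject a CRL not signed by the expected CA
            return loaded;
        }
    }

    private static boolean stale(X509CRL c) {
        // nextUpdate is optional in X.509; a CRL without it is treated as never expiring here.
        return c.getNextUpdate() != null && !Instant.now().isBefore(c.getNextUpdate().toInstant());
    }

    /** Returns the current CRL, reloading it when past nextUpdate; throws if no fresh CRL exists. */
    private synchronized X509CRL current() throws Exception {
        if (stale(crl)) {
            X509CRL fresh = load();
            if (stale(fresh)) throw new CRLException("CRL on disk is still past nextUpdate");
            crl = fresh;
        }
        return crl;
    }

    /** True if the certificate is listed in the CRL. Only meaningful for certs from the CRL's issuer. */
    public boolean isRevoked(X509Certificate cert) throws Exception {
        X509CRL c = current();
        if (!c.getIssuerX500Principal().equals(cert.getIssuerX500Principal())) {
            throw new CRLException("CRL issuer does not match certificate issuer");
        }
        return c.getRevokedCertificate(cert) != null;
    }
}
```

Because `current()` throws rather than returning an expired list, a caller that treats any exception as "reject the client" keeps revocation enforcement fail-closed even when the file on disk was not refreshed in time.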