proposal: crypto/tls: Config adds an option to get RootCAs

[shaj13]

Proposal Details

The tls.config provides several callback functions such as GetCertificate, GetClientCertificate, and GetConfigForClient, which enable dynamic behavior during the TLS handshake. These callbacks are particularly useful for scenarios involving certificate rotation, both on the client and server sides.

However, tls.Config currently lacks an option for dynamically managing the Root CAs used to verify server certificates on the client side. Since x509.CertPool methods cannot be invoked concurrently by multiple goroutines, it becomes challenging to update or reload the Root CA pool at runtime without risking data races or inconsistent state.

Motivation:

• Root CA Certificate rotation
• Dynamic trust policies

This proposal seeks to introduce a new callback in tls.Config that allows for dynamically retrieving the latest CertPool, similar to the existing callback functions.

// GetRootCAs returns  the set of root certificate authorities
// that clients use when verifying server certificates.
// 
// If GetRootCAs is nil, then the RootCAs is used. 
GetRootCAs func() (*x509.CertPool)

The client handshake will work with the proposed changes as follows:

func (c *Config) rootCAs() *x509.CertPool{
	if c.GetRootCAs == nil {
		return c.RootCAs
	}
        
        return c.GetRootCAs()
}

func (c *Conn) verifyServerCertificate(certificates [][]byte) error {
	} else if !c.config.InsecureSkipVerify {
		opts := x509.VerifyOptions{
			Roots:         c.config.rootCAs(),
			CurrentTime:   c.config.time(),
			DNSName:       c.config.ServerName,
			Intermediates: x509.NewCertPool(),
		}

		for _, cert := range certs[1:] {
			opts.Intermediates.AddCert(cert)
		}
		chains, err := certs[0].Verify(opts)
		if err != nil {
			c.sendAlert(alertBadCertificate)
			return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err}
		}

		c.verifiedChains, err = fipsAllowedChains(chains)
		if err != nil {
			c.sendAlert(alertBadCertificate)
			return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err}
		}
	}
}

[gabyhelp]

Related Issues

• proposal: crypto/tls: dynamically reload root certificate authorities #64796
• proposal: crypto/tls: add GetConfigForServer callback to *tls.Config #22836 (closed)
• proposal: x509.Certificate.Verify should provide an option for both using the host's root CA set and an additional set of user-provided root CAs #34937 (closed)
• proposal: Add GetClientCAs to tls.Config #16066 (closed)
• crypto/x509: add ability to reload root certificates #41888
• crypto/tls: add VerifyPeerCertificate to tls.Config #16363 (closed)
• proposal: crypto/x509: reloading certificates from disk #35887

Related Code Changes

• crypto/tls: add GetClientCAs to Config
• crypto/tls: add Config.GetClientCerticate in tls.Config

Related Documentation

• Package tls > type Config ¶

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[Jorropo]

Thx to https://go-review.googlesource.com/c/go/+/28773#related-content I think that dup of #16066
can be reopened if this is different.

[shaj13]

Thx to https://go-review.googlesource.com/c/go/+/28773#related-content I think that dup of #16066 can be reopened if this is different.

Its a dup of #64796, #16066 is for server-side where GetConfigForClient is introduced later.

[Jorropo]

I see thx, this could be reopened but I see you posted there #64796 (comment) I guess both works.