advancedtls package does not set VerifiedChains in TLSInfo.State

[mudhireddy]

NOTE: if you are reporting is a potential security vulnerability or a crash,
please follow our CVE process at
https://github.com/grpc/proposal/blob/master/P4-grpc-cve-process.md instead of
filing an issue here.

Please see the FAQ in our main README.md, then answer the questions below
before submitting your issue.

What version of gRPC are you using?

1.60.0

What version of Go are you using (go version)?

go1.22.1

What operating system (Linux, Windows, …) and version?

linux/amd64

What did you do?

If possible, provide a recipe for reproducing the error.

// The function buildVerifyFunc is used when users want root cert reloading,
// and possibly custom verification check.
// We have to build our own verification function here because current
// tls module:
// 1. does not have a good support on root cert reloading.
// 2. will ignore basic certificate check when setting InsecureSkipVerify
// to true.

When using buildVerifyFunc() here https://github.com/grpc/grpc-go/blob/e4a6ce3a5489/security/advancedtls/advancedtls.go#L516
it verifies the client certificate chain correctly as expected but it doesn't expose the verifiedChains to the upper layer to make use of them like how tls package does.

What did you expect to see?

I expect it to set the VerifiedChains in TLSInfo.State structure.

patch for this is at: mudhireddy/grpc-go@9d07858#diff-e8cdf2d70ced71ce723591cf60921a380bd6f007888f8883cbb20df4ef406680L444

it sets TLSInfo.State.VerifiedChains so that application can read the necessary information from VerifiedChains.

https://github.com/grpc/grpc-go/blob/e4a6ce3a5489/security/advancedtls/advancedtls.go#L514
514: func (c *advancedTLSCreds) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) {
cfg := credinternal.CloneTLSConfig(c.config)
- cfg.VerifyPeerCertificate = buildVerifyFunc(c, "", rawConn)
+ peerVerifiedChains := [][]*x509.Certificate{}
+ cfg.VerifyPeerCertificate = buildVerifyFunc(c, "", rawConn, &peerVerifiedChains)

https://github.com/grpc/grpc-go/blob/e4a6ce3a5489/security/advancedtls/advancedtls.go#L528
info.SPIFFEID = credinternal.SPIFFEIDFromState(conn.ConnectionState())
+ info.State.VerifiedChains = peerVerifiedChains
return credinternal.WrapSyscallConn(rawConn, conn), info, nil

https://github.com/grpc/grpc-go/blob/e4a6ce3a5489/security/advancedtls/advancedtls.go#L553
func buildVerifyFunc(c *advancedTLSCreds,
serverName string,
- rawConn net.Conn) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+ rawConn net.Conn,
+ peerVerifiedChains *[][]*x509.Certificate) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {

https://github.com/grpc/grpc-go/blob/e4a6ce3a5489/security/advancedtls/advancedtls.go#L613 (set the peerVerifiedChains)
leafCert = rawCertList[0]
+ *peerVerifiedChains = chains

What did you see instead?

info.State.VerifiedChains is empty.

[mudhireddy]

sorry gave the incorrect link earlier, actual patch is at. mudhireddy@54a29d7

[mudhireddy]

also created a pull request #7181 appreciate any help to get that moving

[purnesh42H]

also created a pull request #7181 appreciate any help to get that moving

Thanks @mudhireddy. I will take a look

[mudhireddy]

PR is merged but this is still open, do I need to close this manually ?

#7181

[gtcooke94]

Thanks for the report and the PR @mudhireddy!