[POC] Test CRL

Makefile

@@ -44,6 +44,12 @@ $(GO_DEPS): go.mod $(PATCHES) swsscommon_wrap
 	$(GO) mod vendor
 	$(GO) mod download golang.org/x/[email protected]
 	$(GO) mod download github.com/jipanyang/[email protected]
+
+	$(GO) mod download github.com/agiledragon/gomonkey/v2
+	$(GO) mod download github.com/godbus/dbus/v5
+	$(GO) mod download github.com/maruel/natural
+	$(GO) mod tidy
+
 	cp -r $(GOPATH)/pkg/mod/golang.org/x/[email protected]/* vendor/golang.org/x/crypto/
 	cp -r $(GOPATH)/pkg/mod/github.com/jipanyang/[email protected]/* vendor/github.com/jipanyang/gnxi/
 	$(MGMT_COMMON_DIR)/patches/apply.sh vendor

azure-pipelines.yml

@@ -154,6 +154,10 @@ stages:
 
         popd
 
+        apt list --installed | grep golang
+
+        apt-cache policy golang
+
         pushd sonic-gnmi
 
         dpkg-buildpackage -rfakeroot -us -uc -b -j$(nproc) && cp ../*.deb $(Build.ArtifactStagingDirectory)/

gnmi_server/clientCertAuth.go

@@ -1,6 +1,7 @@
 package gnmi
 
 import (
+	"os"
 	"github.com/sonic-net/sonic-gnmi/common_utils"
 	"github.com/golang/glog"
 	"golang.org/x/net/context"
@@ -24,6 +25,23 @@ func ClientCertAuthenAndAuthor(ctx context.Context) (context.Context, error) {
 		return ctx, status.Error(codes.Unauthenticated, "could not verify peer certificate")
 	}
 
+	// [Hua] POC to verify CRL can work
+	rawCRLs := make([][]byte, 6)
+	rawCRL, err := os.ReadFile("/etc/sonic/crl/test.crl")
+	if err == nil {
+		rawCRLs = append(rawCRLs, rawCRL)
+		cRLProvider := NewStaticCRLProvider(rawCRLs)
+		err := checkRevocation(tlsAuth.State, RevocationConfig{
+			AllowUndetermined: true,
+			CRLProvider:       cRLProvider,
+		})
+		if err != nil {
+			return ctx, status.Error(codes.Unauthenticated, "Peer certificate revoked")
+		}
+	} else {
+		glog.Infof("[%s] [CRL] load /etc/sonic/crl/test.crl failed ; %v", rc.ID, err)
+	}
+
 	var username string
 
 	username = tlsAuth.State.VerifiedChains[0][0].Subject.CommonName