SNOW-2117143: Add CRL verification (#2287)

Author: sfc-gh-rkowalski

TestOnly/pom.xml

@@ -23,6 +23,7 @@
     <mockito.version>3.5.6</mockito.version>
     <netty.version>4.1.118.Final</netty.version>
     <apache.httpclient.version>4.5.14</apache.httpclient.version>
+    <bouncycastle.version>1.78.1</bouncycastle.version>
     <shadeBase>net.snowflake.client.jdbc.internal</shadeBase>
   </properties>
 
@@ -257,6 +258,11 @@
       <artifactId>jna-platform</artifactId>
       <version>${jna.version}</version>
     </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcpkix-jdk18on</artifactId>
+      <version>${bouncycastle.version}</version>
+    </dependency>
   </dependencies>
 
   <build>

src/main/java/net/snowflake/client/core/crl/CRLValidationConfig.java

@@ -0,0 +1,73 @@
+package net.snowflake.client.core.crl;
+
+class CRLValidationConfig {
+
+  enum CertRevocationCheckMode {
+    DISABLED,
+    ENABLED,
+    ADVISORY
+  }
+
+  private final CertRevocationCheckMode certRevocationCheckMode;
+  private final boolean allowCertificatesWithoutCrlUrl;
+  private final int connectionTimeoutMs;
+  private final int readTimeoutMs;
+
+  private CRLValidationConfig(Builder builder) {
+    this.certRevocationCheckMode = builder.certRevocationCheckMode;
+    this.allowCertificatesWithoutCrlUrl = builder.allowCertificatesWithoutCrlUrl;
+    this.connectionTimeoutMs = builder.connectionTimeoutMs;
+    this.readTimeoutMs = builder.readTimeoutMs;
+  }
+
+  CertRevocationCheckMode getCertRevocationCheckMode() {
+    return certRevocationCheckMode;
+  }
+
+  boolean isAllowCertificatesWithoutCrlUrl() {
+    return allowCertificatesWithoutCrlUrl;
+  }
+
+  int getConnectionTimeoutMs() {
+    return connectionTimeoutMs;
+  }
+
+  int getReadTimeoutMs() {
+    return readTimeoutMs;
+  }
+
+  static Builder builder() {
+    return new Builder();
+  }
+
+  static class Builder {
+    private CertRevocationCheckMode certRevocationCheckMode = CertRevocationCheckMode.DISABLED;
+    private boolean allowCertificatesWithoutCrlUrl = false;
+    private int connectionTimeoutMs = 30000; // 30 seconds
+    private int readTimeoutMs = 30000; // 30 seconds
+
+    Builder certRevocationCheckMode(CertRevocationCheckMode mode) {
+      this.certRevocationCheckMode = mode;
+      return this;
+    }
+
+    Builder allowCertificatesWithoutCrlUrl(boolean allow) {
+      this.allowCertificatesWithoutCrlUrl = allow;
+      return this;
+    }
+
+    Builder connectionTimeoutMs(int timeoutMs) {
+      this.connectionTimeoutMs = timeoutMs;
+      return this;
+    }
+
+    Builder readTimeoutMs(int timeoutMs) {
+      this.readTimeoutMs = timeoutMs;
+      return this;
+    }
+
+    CRLValidationConfig build() {
+      return new CRLValidationConfig(this);
+    }
+  }
+}

src/main/java/net/snowflake/client/core/crl/CRLValidationResult.java

@@ -0,0 +1,7 @@
+package net.snowflake.client.core.crl;
+
+enum CRLValidationResult {
+  CHAIN_UNREVOKED,
+  CHAIN_REVOKED,
+  CHAIN_ERROR
+}

src/main/java/net/snowflake/client/core/crl/CRLValidationUtils.java

@@ -0,0 +1,175 @@
+package net.snowflake.client.core.crl;
+
+import java.security.cert.X509CRL;
+import java.security.cert.X509Certificate;
+import java.time.LocalDate;
+import java.time.ZoneId;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Date;
+import java.util.List;
+import java.util.stream.Collectors;
+import net.snowflake.client.log.SFLogger;
+import net.snowflake.client.log.SFLoggerFactory;
+import org.bouncycastle.asn1.ASN1OctetString;
+import org.bouncycastle.asn1.ASN1Primitive;
+import org.bouncycastle.asn1.DERIA5String;
+import org.bouncycastle.asn1.x509.CRLDistPoint;
+import org.bouncycastle.asn1.x509.DistributionPoint;
+import org.bouncycastle.asn1.x509.DistributionPointName;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.asn1.x509.IssuingDistributionPoint;
+
+class CRLValidationUtils {
+
+  private static final SFLogger logger = SFLoggerFactory.getLogger(CRLValidationUtils.class);
+
+  // CA/Browser Forum Baseline Requirements date thresholds (using UTC for consistency)
+  private static final Date MARCH_15_2024 =
+      Date.from(LocalDate.of(2024, 3, 15).atStartOfDay(ZoneId.of("UTC")).toInstant());
+  private static final Date MARCH_15_2026 =
+      Date.from(LocalDate.of(2026, 3, 15).atStartOfDay(ZoneId.of("UTC")).toInstant());
+
+  static List<String> extractCRLDistributionPoints(X509Certificate cert) {
+    List<String> crlUrls = new ArrayList<>();
+
+    try {
+      byte[] extensionBytes = cert.getExtensionValue("2.5.29.31");
+      if (extensionBytes == null) {
+        logger.debug(
+            "No CRL Distribution Points extension found for certificate: {}",
+            cert.getSubjectX500Principal());
+        return crlUrls;
+      }
+
+      ASN1OctetString octetString = (ASN1OctetString) ASN1Primitive.fromByteArray(extensionBytes);
+      CRLDistPoint crlDistPoint =
+          CRLDistPoint.getInstance(ASN1Primitive.fromByteArray(octetString.getOctets()));
+
+      DistributionPoint[] distributionPoints = crlDistPoint.getDistributionPoints();
+      if (distributionPoints != null) {
+        for (DistributionPoint dp : distributionPoints) {
+          DistributionPointName dpName = dp.getDistributionPoint();
+          if (dpName != null && dpName.getType() == DistributionPointName.FULL_NAME) {
+            GeneralNames generalNames = (GeneralNames) dpName.getName();
+            for (GeneralName generalName : generalNames.getNames()) {
+              if (generalName.getTagNo() == GeneralName.uniformResourceIdentifier) {
+                String url = ((DERIA5String) generalName.getName()).getString();
+                if (url.toLowerCase().startsWith("http://")
+                    || url.toLowerCase().startsWith("https://")) {
+                  logger.debug("Found CRL URL: {}", url);
+                  crlUrls.add(url);
+                }
+              }
+            }
+          }
+        }
+      }
+    } catch (Exception e) {
+      logger.debug(
+          "Failed to extract CRL distribution points from certificate {}: {}",
+          cert.getSubjectX500Principal(),
+          e.getMessage());
+    }
+
+    logger.debug(
+        "Extracted {} CRL URLs for certificate: {}",
+        crlUrls.size(),
+        cert.getSubjectX500Principal());
+    return crlUrls;
+  }
+
+  /**
+   * Determines if a certificate is short-lived according to CA/Browser Forum Baseline Requirements.
+   */
+  static boolean isShortLived(X509Certificate cert) {
+    Date notBefore = cert.getNotBefore();
+    Date notAfter = cert.getNotAfter();
+
+    // Certificates issued before March 15, 2024 are not considered short-lived
+    if (notBefore.before(MARCH_15_2024)) {
+      return false;
+    }
+
+    // Determine the maximum validity period based on issuance date
+    long maxValidityPeriodMs;
+    if (notBefore.before(MARCH_15_2026)) {
+      maxValidityPeriodMs =
+          10L * 24 * 60 * 60 * 1000; // 10 days for certificates before March 15, 2026
+    } else {
+      maxValidityPeriodMs =
+          7L * 24 * 60 * 60 * 1000; // 7 days for certificates after March 15, 2026
+    }
+
+    maxValidityPeriodMs += 60 * 1000;
+
+    long actualValidityPeriodMs = notAfter.getTime() - notBefore.getTime();
+    return actualValidityPeriodMs <= maxValidityPeriodMs;
+  }
+
+  static boolean verifyIssuingDistributionPoint(X509CRL crl, X509Certificate cert, String crlUrl) {
+    try {
+      byte[] extensionBytes = crl.getExtensionValue("2.5.29.28");
+      if (extensionBytes == null) {
+        logger.debug("No IDP extension found - CRL covers all certificates");
+        return true;
+      }
+
+      ASN1OctetString octetString = (ASN1OctetString) ASN1Primitive.fromByteArray(extensionBytes);
+      IssuingDistributionPoint idp =
+          IssuingDistributionPoint.getInstance(
+              ASN1Primitive.fromByteArray(octetString.getOctets()));
+
+      // Check if this CRL only covers user certificates
+      if (idp.onlyContainsUserCerts() && cert.getBasicConstraints() != -1) {
+        logger.debug("CRL only covers user certificates, but certificate is a CA certificate");
+        return false;
+      }
+
+      // Check if this CRL only covers CA certificates
+      if (idp.onlyContainsCACerts() && cert.getBasicConstraints() == -1) {
+        logger.debug("CRL only covers CA certificates, but certificate is not a CA certificate");
+        return false;
+      }
+
+      DistributionPointName dpName = idp.getDistributionPoint();
+      if (dpName != null) {
+        if (dpName.getType() == DistributionPointName.FULL_NAME) {
+          GeneralNames generalNames = (GeneralNames) dpName.getName();
+          boolean foundMatch = false;
+
+          for (GeneralName generalName : generalNames.getNames()) {
+            if (generalName.getTagNo() == GeneralName.uniformResourceIdentifier) {
+              String idpUrl = ((DERIA5String) generalName.getName()).getString();
+              if (idpUrl.equals(crlUrl)) {
+                foundMatch = true;
+                break;
+              }
+            }
+          }
+
+          if (!foundMatch) {
+            logger.debug(
+                "CRL URL {} not found in IDP distribution points - this CRL is not authorized for this certificate",
+                crlUrl);
+            return false;
+          }
+        }
+      }
+
+      logger.debug("IDP extension verification passed");
+      return true;
+    } catch (Exception e) {
+      logger.debug("Failed to verify IDP extension: {}", e.getMessage());
+      return false;
+    }
+  }
+
+  static String getCertChainSubjects(List<X509Certificate[]> certificateChains) {
+    return certificateChains.stream()
+        .flatMap(Arrays::stream)
+        .map(cert -> cert.getSubjectX500Principal().getName())
+        .collect(Collectors.joining(", "));
+  }
+}