From 7cd4dff14cdde2eec459ee68372377308ba3e749 Mon Sep 17 00:00:00 2001
From: Michael Boquard
Date: Mon, 17 Jun 2024 14:24:23 -0400
Subject: [PATCH] dt/tls: Create chain of CRLs
The TLSChainCACertManager class in ducktape is updated to chain CRLs for each individual CA.
Signed-off-by: Michael Boquard
---
 tests/rptest/services/tls.py | 25 +++++++++++++++++++------
 tests/rptest/tests/tls_metrics_test.py | 6 ++++--
 2 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/tests/rptest/services/tls.py b/tests/rptest/services/tls.py
index 7f1cc988aa2a5..9084510c67bca 100644
--- a/tests/rptest/services/tls.py
+++ b/tests/rptest/services/tls.py
@@ -461,7 +461,7 @@ def __init__(self,
 self._dir = tempfile.TemporaryDirectory()
 self.cert_expiry_days = cert_expiry_days
 self.ca_expiry_days = ca_expiry_days
- self._cas = []
+ self._cas: list[CertificateAuthority] = []
 self._cas.append(
 self._create_ca(
 'root-ca',
@@ -477,8 +477,7 @@ def __init__(self,
 parent_cfg=self._cas[-1].cfg,
 ext='signing_ca_ext',
 ))
- self._cert_chain = self._create_ca_cert_chain(
- [ca.crt for ca in self._cas])
+ self._cert_chain = self._create_ca_cert_chain()
 self.certs = {}
 @property
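Review bot: The parameterless call `self._cert_chain = self._create_ca_cert_chain()` in the second hunk makes the chain silently depend on `self._cas` being fully populated at that point, an ordering the removed list argument used to make explicit at the call site. A one-line comment would keep that constraint visible, e.g. `# Must run after every CA has been appended: the chain (and CRL bundle) is built from self._cas`. The first hunk only adds a type annotation and needs nothing. Both hunks sit inside `__init__`, whose definition starts before and ends after them.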
@@ -534,18 +533,32 @@ def _create_ca(self,
 return CertificateAuthority(cfg, key, crt, crl)
- def _create_ca_cert_chain(self, files: list[str]) -> CertificateAuthority:
+ def _create_ca_cert_chain(self) -> CertificateAuthority:
+ # First create the signing ca chain
+ ca_files = [ca.crt for ca in self._cas]
 out = self._with_dir('ca', 'signing-ca-chain.pem')
 pathlib.Path(out).touch()
 with open(out, 'w') as outfile:
- for fname in reversed(files):
+ for fname in reversed(ca_files):
 with open(fname, 'r') as infile:
 outfile.write(infile.read())
 with open(out, 'r') as f:
 self._logger.debug(f"CA chain: {f.read()}")
- return CertificateAuthority(None, None, out, self._cas[-1].crl)
+ # Now do the same for the CRLs
+ crl_files = [ca.crl for ca in self._cas]
+ crl_out = self._with_dir('ca', 'signing-crl-chain.crl')
+ pathlib.Path(out).touch()
+ with open(crl_out, 'w') as outfile:
+ for fname in reversed(crl_files):
+ with open(fname, 'r') as infile:
+ outfile.write(infile.read())
+
+ with open(crl_out, 'r') as f:
+ self._logger.debug(f"CRL chain: {f.read()}")
+
+ return CertificateAuthority(None, None, out, crl_out)
 def create_cert(self,
 host: str,
diff --git a/tests/rptest/tests/tls_metrics_test.py b/tests/rptest/tests/tls_metrics_test.py
index ec6a4ec2ab643..3eaf474152f75 100644
--- a/tests/rptest/tests/tls_metrics_test.py
+++ b/tests/rptest/tests/tls_metrics_test.py
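Review bot: In the new CRL section, `pathlib.Path(out).touch()` re-touches the certificate chain path instead of the CRL path; it should be `pathlib.Path(crl_out).touch()`, or simply be dropped since `open(crl_out, 'w')` creates the file anyway. The certificate and CRL sections are otherwise the same read-and-concatenate loop, so a small private helper taking the input paths and the output path would remove the duplication and make this kind of copy slip harder to repeat. The method also deserves a docstring saying that the returned `CertificateAuthority` carries no cfg or key, and that its crl is now a bundle of every CA's CRL in `self._cas` (signing CA first, root last) so a verifier can check revocation at each level of the chain rather than only against the last CA as before. The `create_cert` signature at the end of the hunk continues outside it.

```python
    def _concat_files(self, paths: list[str], out: str) -> None:
        """Concatenate *paths* into *out*, last entry first, as the existing loops do."""
        with open(out, 'w') as outfile:
            for fname in reversed(paths):
                with open(fname, 'r') as infile:
                    outfile.write(infile.read())

    def _create_ca_cert_chain(self) -> CertificateAuthority:
        """Bundle the CA certificates and, separately, their CRLs.

        Returns a CertificateAuthority with no cfg/key whose crt is the
        concatenated chain and whose crl bundles the CRL of every CA in
        self._cas, so revocation can be checked at each level.
        """
        out = self._with_dir('ca', 'signing-ca-chain.pem')
        self._concat_files([ca.crt for ca in self._cas], out)
        # … unchanged: debug log of the CA chain …
        crl_out = self._with_dir('ca', 'signing-crl-chain.crl')
        self._concat_files([ca.crl for ca in self._cas], crl_out)
        # … unchanged: debug log of the CRL chain …
        return CertificateAuthority(None, None, out, crl_out)
```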
@@ -30,14 +30,16 @@
 require_client_auth=True,
 key_file=RedpandaService.TLS_SERVER_KEY_FILE,
 cert_file=RedpandaService.TLS_SERVER_CRT_FILE,
- truststore_file=RedpandaService.TLS_CA_CRT_FILE)
+ truststore_file=RedpandaService.TLS_CA_CRT_FILE,
+ crl_file=RedpandaService.TLS_CA_CRL_FILE)
 ADMIN_TLS_CONFIG = dict(name='iplistener',
 enabled=True,
 require_client_auth=True,
 key_file=RedpandaService.TLS_SERVER_KEY_FILE,
 cert_file=RedpandaService.TLS_SERVER_CRT_FILE,
- truststore_file=RedpandaService.TLS_CA_CRT_FILE)
+ truststore_file=RedpandaService.TLS_CA_CRT_FILE,
+ crl_file=RedpandaService.TLS_CA_CRL_FILE)
 class FaketimeTLSProvider(TLSProvider):
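Review bot: The two listener configs now repeat an identical key/cert/truststore/crl block, and this change had to be applied twice to keep them in step; a shared module-level base dict (e.g. a constructed name like `_TLS_LISTENER_BASE`) spread into each `dict(...)` with only `name` differing would stop them drifting apart. Whether `RedpandaService.TLS_CA_CRL_FILE` is served the bundled CRL produced by the `tls.py` change is not visible here and is worth confirming in the service code. The first `dict(...)` call begins before the hunk, so its name is not shown.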