Documentation ¶
Overview ¶
Package certchecker contains implementation of CertChecker.
CertChecker knows how to check certificate signatures and revocation status.
Uses datastore entities managed by 'certconfig' package.
Index ¶
Constants ¶
const ( // RefetchCAPeriod is how often to check CA entity in the datastore. // // A big value here is acceptable, since CA is changing only when service // config is changing (which happens infrequently). RefetchCAPeriod = 5 * time.Minute // RefetchCRLPeriod is how often to check CRL entities in the datastore. // // CRL changes pretty frequently, caching it for too long is harmful // (increases delay between a cert is revoked by CA and no longer accepted by // the token server). RefetchCRLPeriod = 15 * time.Second )
Variables ¶
This section is empty.
Functions ¶
func CheckCertificate ¶
func CheckCertificate(c context.Context, cert *x509.Certificate) (*certconfig.CA, error)
CheckCertificate checks validity of a given certificate.
It looks at the cert issuer, loads corresponding CertChecker and calls its CheckCertificate method. See CertChecker.CheckCertificate documentation for explanation of return values.
func IsCertInvalidError ¶
IsCertInvalidError returns true for errors from CheckCertificate that indicate revoked or expired or otherwise invalid certificates.
Such errors can be safely cast to Error.
func NewError ¶
func NewError(e error, reason ErrorReason) error
NewError instantiates Error.
It is needed because initializing 'error' field on Error is not allowed outside of this package (it is lowercase - "unexported").
Types ¶
type CertChecker ¶
type CertChecker struct { CN string // Common Name of the CA CRL *certconfig.CRLChecker // knows how to query certificate revocation list // contains filtered or unexported fields }
CertChecker knows how to check certificate signatures and revocation status.
It is associated with single CA and assumes all certs needing a check are signed by that CA directly (i.e. there is no intermediate CAs).
It caches CRL lists internally and must be treated as a heavy global object. Use GetCertChecker to grab a global instance of CertChecker for some CA.
CertChecker is safe for concurrent use.
func GetCertChecker ¶
func GetCertChecker(c context.Context, cn string) (*CertChecker, error)
GetCertChecker returns an instance of CertChecker for given CA.
It caches CertChecker objects in local memory and reuses them between requests.
func (*CertChecker) CheckCertificate ¶
func (ch *CertChecker) CheckCertificate(c context.Context, cert *x509.Certificate) (*certconfig.CA, error)
CheckCertificate checks certificate's signature, validity period and revocation status.
It returns nil error iff cert was directly signed by the CA, not expired yet, and its serial number is not in the CA's CRL.
On success also returns *certconfig.CA instance used to check the certificate, since 'GetCA' may return another instance (in case certconfig.CA cache happened to expire between the calls).
func (*CertChecker) GetCA ¶
func (ch *CertChecker) GetCA(c context.Context) (*certconfig.CA, error)
GetCA returns CA entity with ParsedConfig and ParsedCert fields set.
type CheckCertificateRPC ¶
type CheckCertificateRPC struct { }
CheckCertificateRPC implements CertificateAuthorities.CheckCertificate RPC method.
func (*CheckCertificateRPC) CheckCertificate ¶
func (r *CheckCertificateRPC) CheckCertificate(c context.Context, req *admin.CheckCertificateRequest) (*admin.CheckCertificateResponse, error)
CheckCertificate says whether a certificate is valid or not.
type Error ¶
type Error struct { Reason ErrorReason // enumeration that can be used in switches // contains filtered or unexported fields }
Error is returned by CertChecker methods in case the certificate is invalid.
Datastore errors and not wrapped in Error, but returned as is. You may use type cast to Error to distinguish certificate related errors from other kinds of errors.
type ErrorReason ¶
type ErrorReason int
ErrorReason is part of Error struct.
const ( // NoSuchCA is returned by GetCertChecker or GetCA if requested CA is not // defined in the config. NoSuchCA ErrorReason = iota // UnknownCA is returned by CheckCertificate if the cert was signed by an // unexpected CA (i.e. a CA CertChecker is not configured with). UnknownCA // NotReadyCA is returned by CheckCertificate if the CA's CRL hasn't been // fetched yet (and thus CheckCertificate can't verify certificate's // revocation status). NotReadyCA // CertificateExpired is returned by CheckCertificate if the cert has // expired already or not yet active. CertificateExpired // SignatureCheckError is returned by CheckCertificate if the certificate // signature is not valid. SignatureCheckError // CertificateRevoked is returned by CheckCertificate if the certificate is // in the CA's Certificate Revocation List. CertificateRevoked )
type IsRevokedCertRPC ¶
type IsRevokedCertRPC struct { }
IsRevokedCertRPC implements CertificateAuthorities.IsRevokedCert RPC method.
func (*IsRevokedCertRPC) IsRevokedCert ¶
func (r *IsRevokedCertRPC) IsRevokedCert(c context.Context, req *admin.IsRevokedCertRequest) (*admin.IsRevokedCertResponse, error)
IsRevokedCert says whether a certificate serial number is in the CRL.