certidp

package
v2.10.24 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 17, 2024 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Index

Constants

View Source
const (
	DefaultAllowedClockSkew     = 30 * time.Second
	DefaultOCSPResponderTimeout = 2 * time.Second
	DefaultTTLUnsetNextUpdate   = 1 * time.Hour
)

Variables

View Source
var (
	StatusAssertionStrToVal = map[string]StatusAssertion{
		"good":    ocsp.Good,
		"revoked": ocsp.Revoked,
		"unknown": ocsp.Unknown,
	}
	StatusAssertionValToStr = map[StatusAssertion]string{
		ocsp.Good:    "good",
		ocsp.Revoked: "revoked",
		ocsp.Unknown: "unknown",
	}
	StatusAssertionIntToVal = map[int]StatusAssertion{
		0: ocsp.Good,
		1: ocsp.Revoked,
		2: ocsp.Unknown,
	}
)
View Source
var (
	// Returned errors
	ErrIllegalPeerOptsConfig              = "expected map to define OCSP peer options, got [%T]"
	ErrIllegalCacheOptsConfig             = "expected map to define OCSP peer cache options, got [%T]"
	ErrParsingPeerOptFieldGeneric         = "error parsing tls peer config, unknown field [%q]"
	ErrParsingPeerOptFieldTypeConversion  = "error parsing tls peer config, conversion error: %s"
	ErrParsingCacheOptFieldTypeConversion = "error parsing OCSP peer cache config, conversion error: %s"
	ErrUnableToPlugTLSEmptyConfig         = "unable to plug TLS verify connection, config is nil"
	ErrMTLSRequired                       = "OCSP peer verification for client connections requires TLS verify (mTLS) to be enabled"
	ErrUnableToPlugTLSClient              = "unable to register client OCSP verification"
	ErrUnableToPlugTLSServer              = "unable to register server OCSP verification"
	ErrCannotWriteCompressed              = "error writing to compression writer: %w"
	ErrCannotReadCompressed               = "error reading compression reader: %w"
	ErrTruncatedWrite                     = "short write on body (%d != %d)"
	ErrCannotCloseWriter                  = "error closing compression writer: %w"
	ErrParsingCacheOptFieldGeneric        = "error parsing OCSP peer cache config, unknown field [%q]"
	ErrUnknownCacheType                   = "error parsing OCSP peer cache config, unknown type [%s]"
	ErrInvalidChainlink                   = "invalid chain link"
	ErrBadResponderHTTPStatus             = "bad OCSP responder http status: [%d]"
	ErrNoAvailOCSPServers                 = "no available OCSP servers"
	ErrFailedWithAllRequests              = "exhausted OCSP responders: %w"

	// Direct logged errors
	ErrLoadCacheFail          = "Unable to load OCSP peer cache: %s"
	ErrSaveCacheFail          = "Unable to save OCSP peer cache: %s"
	ErrBadCacheTypeConfig     = "Unimplemented OCSP peer cache type [%v]"
	ErrResponseCompressFail   = "Unable to compress OCSP response for key [%s]: %s"
	ErrResponseDecompressFail = "Unable to decompress OCSP response for key [%s]: %s"
	ErrPeerEmptyNoEvent       = "Peer certificate is nil, cannot send OCSP peer reject event"
	ErrPeerEmptyAutoReject    = "Peer certificate is nil, rejecting OCSP peer"

	// Debug information
	DbgPlugTLSForKind        = "Plugging TLS OCSP peer for [%s]"
	DbgNumServerChains       = "Peer OCSP enabled: %d TLS server chain(s) will be evaluated"
	DbgNumClientChains       = "Peer OCSP enabled: %d TLS client chain(s) will be evaluated"
	DbgLinksInChain          = "Chain [%d]: %d total link(s)"
	DbgSelfSignedValid       = "Chain [%d] is self-signed, thus peer is valid"
	DbgValidNonOCSPChain     = "Chain [%d] has no OCSP eligible links, thus peer is valid"
	DbgChainIsOCSPEligible   = "Chain [%d] has %d OCSP eligible link(s)"
	DbgChainIsOCSPValid      = "Chain [%d] is OCSP valid for all eligible links, thus peer is valid"
	DbgNoOCSPValidChains     = "No OCSP valid chains, thus peer is invalid"
	DbgCheckingCacheForCert  = "Checking OCSP peer cache for [%s], key [%s]"
	DbgCurrentResponseCached = "Cached OCSP response is current, status [%s]"
	DbgExpiredResponseCached = "Cached OCSP response is expired, status [%s]"
	DbgOCSPValidPeerLink     = "OCSP verify pass for [%s]"
	DbgCachingResponse       = "Caching OCSP response for [%s], key [%s]"
	DbgAchievedCompression   = "OCSP response compression ratio: [%f]"
	DbgCacheHit              = "OCSP peer cache hit for key [%s]"
	DbgCacheMiss             = "OCSP peer cache miss for key [%s]"
	DbgPreservedRevocation   = "Revoked OCSP response for key [%s] preserved by cache policy"
	DbgDeletingCacheResponse = "Deleting OCSP peer cached response for key [%s]"
	DbgStartingCache         = "Starting OCSP peer cache"
	DbgStoppingCache         = "Stopping OCSP peer cache"
	DbgLoadingCache          = "Loading OCSP peer cache [%s]"
	DbgNoCacheFound          = "No OCSP peer cache found, starting with empty cache"
	DbgSavingCache           = "Saving OCSP peer cache [%s]"
	DbgCacheSaved            = "Saved OCSP peer cache successfully (%d bytes)"
	DbgMakingCARequest       = "Trying OCSP responder url [%s]"
	DbgResponseExpired       = "OCSP response NextUpdate [%s] is before now [%s] with clockskew [%s]"
	DbgResponseTTLExpired    = "OCSP response cache expiry [%s] is before now [%s] with clockskew [%s]"
	DbgResponseFutureDated   = "OCSP response ThisUpdate [%s] is before now [%s] with clockskew [%s]"
	DbgCacheSaveTimerExpired = "OCSP peer cache save timer expired"
	DbgCacheDirtySave        = "OCSP peer cache is dirty, saving"

	// Returned to peer as TLS reject reason
	MsgTLSClientRejectConnection = "client not OCSP valid"
	MsgTLSServerRejectConnection = "server not OCSP valid"

	// Expected runtime errors (direct logged)
	ErrCAResponderCalloutFail  = "Attempt to obtain OCSP response from CA responder for [%s] failed: %s"
	ErrNewCAResponseNotCurrent = "New OCSP CA response obtained for [%s] but not current"
	ErrCAResponseParseFailed   = "Could not parse OCSP CA response for [%s]: %s"
	ErrOCSPInvalidPeerLink     = "OCSP verify fail for [%s] with CA status [%s]"

	// Policy override warnings (direct logged)
	MsgAllowWhenCAUnreachableOccurred             = "Failed to obtain OCSP CA response for [%s] but AllowWhenCAUnreachable set; no cached revocation so allowing"
	MsgAllowWhenCAUnreachableOccurredCachedRevoke = "Failed to obtain OCSP CA response for [%s] but AllowWhenCAUnreachable set; cached revocation exists so rejecting"
	MsgAllowWarnOnlyOccurred                      = "OCSP verify fail for [%s] but WarnOnly is true so allowing"

	// Info (direct logged)
	MsgCacheOnline  = "OCSP peer cache online, type [%s]"
	MsgCacheOffline = "OCSP peer cache offline, type [%s]"

	// OCSP cert invalid reasons (debug and event reasons)
	MsgFailedOCSPResponseFetch       = "Failed OCSP response fetch"
	MsgOCSPResponseNotEffective      = "OCSP response not in effectivity window"
	MsgFailedOCSPResponseParse       = "Failed OCSP response parse"
	MsgOCSPResponseInvalidStatus     = "Invalid OCSP response status: %s"
	MsgOCSPResponseDelegationInvalid = "Invalid OCSP response delegation: %s"
	MsgCachedOCSPResponseInvalid     = "Invalid cached OCSP response for [%s] with fingerprint [%s]"
)
View Source
var OCSPPeerUsage = `` /* 1384-byte string literal not displayed */

Functions

func CertOCSPEligible

func CertOCSPEligible(link *ChainLink) bool

CertOCSPEligible checks if the certificate's issuer has populated AIA with OCSP responder endpoint(s) and is thus eligible for OCSP validation

func FetchOCSPResponse

func FetchOCSPResponse(link *ChainLink, opts *OCSPPeerConfig, log *Log) ([]byte, error)

func GenerateFingerprint

func GenerateFingerprint(cert *x509.Certificate) string

GenerateFingerprint returns a base64-encoded SHA256 hash of the raw certificate

func GetIssuerDNForm

func GetIssuerDNForm(cert *x509.Certificate) string

GetIssuerDNForm returns RDN sequence concatenation of the certificate's issuer to be used in logs, events, etc. Should never be used for reliable cache matching or other crypto purposes.

func GetLeafIssuerCert

func GetLeafIssuerCert(chain []*x509.Certificate, leafPos int) *x509.Certificate

GetLeafIssuerCert returns the issuer certificate of the leaf (positional) certificate in the chain

func GetStatusAssertionStr

func GetStatusAssertionStr(sa int) string

GetStatusAssertionStr returns the corresponding string representation of the StatusAssertion.

func GetSubjectDNForm

func GetSubjectDNForm(cert *x509.Certificate) string

GetSubjectDNForm returns RDN sequence concatenation of the certificate's subject to be used in logs, events, etc. Should never be used for reliable cache matching or other crypto purposes.

func OCSPResponseCurrent

func OCSPResponseCurrent(ocspr *ocsp.Response, opts *OCSPPeerConfig, log *Log) bool

OCSPResponseCurrent checks if the OCSP response is current (i.e. not expired and not future effective)

func ValidDelegationCheck

func ValidDelegationCheck(iss *x509.Certificate, ocspr *ocsp.Response) bool

ValidDelegationCheck checks if the CA OCSP Response was signed by a valid CA Issuer delegate as per (RFC 6960, section 4.2.2.2) If a valid delegate or direct-signed by CA Issuer, true returned.

Types

type CertInfo

type CertInfo struct {
	Subject     string `json:"subject,omitempty"`
	Issuer      string `json:"issuer,omitempty"`
	Fingerprint string `json:"fingerprint,omitempty"`
	Raw         []byte `json:"raw,omitempty"`
}
type ChainLink struct {
	Leaf             *x509.Certificate
	Issuer           *x509.Certificate
	OCSPWebEndpoints *[]*url.URL
}

type Log

type Log struct {
	Debugf  func(format string, v ...any)
	Noticef func(format string, v ...any)
	Warnf   func(format string, v ...any)
	Errorf  func(format string, v ...any)
	Tracef  func(format string, v ...any)
}

Log is a neutral method of passing server loggers to plugins

type OCSPPeerConfig

type OCSPPeerConfig struct {
	Verify                 bool
	Timeout                float64
	ClockSkew              float64
	WarnOnly               bool
	UnknownIsGood          bool
	AllowWhenCAUnreachable bool
	TTLUnsetNextUpdate     float64
}

OCSPPeerConfig holds the parsed OCSP peer configuration section of TLS configuration

func NewOCSPPeerConfig

func NewOCSPPeerConfig() *OCSPPeerConfig

type StatusAssertion

type StatusAssertion int

func (StatusAssertion) MarshalJSON

func (sa StatusAssertion) MarshalJSON() ([]byte, error)

func (*StatusAssertion) UnmarshalJSON

func (sa *StatusAssertion) UnmarshalJSON(in []byte) error

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL