certchecker

package
v0.0.0-...-cffb334 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 14, 2025 License: Apache-2.0 Imports: 18 Imported by: 12

Documentation

Overview

Package certchecker contains implementation of CertChecker.

CertChecker knows how to check certificate signatures and revocation status.

Uses datastore entities managed by 'certconfig' package.

Index

Constants

View Source
const (
	// RefetchCAPeriod is how often to check CA entity in the datastore.
	//
	// A big value here is acceptable, since CA is changing only when service
	// config is changing (which happens infrequently).
	RefetchCAPeriod = 5 * time.Minute

	// RefetchCRLPeriod is how often to check CRL entities in the datastore.
	//
	// CRL changes pretty frequently, caching it for too long is harmful
	// (increases delay between a cert is revoked by CA and no longer accepted by
	// the token server).
	RefetchCRLPeriod = 15 * time.Second
)

Variables

This section is empty.

Functions

func CheckCertificate

func CheckCertificate(c context.Context, cert *x509.Certificate) (*certconfig.CA, error)

CheckCertificate checks validity of a given certificate.

It looks at the cert issuer, loads corresponding CertChecker and calls its CheckCertificate method. See CertChecker.CheckCertificate documentation for explanation of return values.

func IsCertInvalidError

func IsCertInvalidError(err error) bool

IsCertInvalidError returns true for errors from CheckCertificate that indicate revoked or expired or otherwise invalid certificates.

Such errors can be safely cast to Error.

func NewError

func NewError(e error, reason ErrorReason) error

NewError instantiates Error.

It is needed because initializing 'error' field on Error is not allowed outside of this package (it is lowercase - "unexported").

Types

type CertChecker

type CertChecker struct {
	CN  string                 // Common Name of the CA
	CRL *certconfig.CRLChecker // knows how to query certificate revocation list
	// contains filtered or unexported fields
}

CertChecker knows how to check certificate signatures and revocation status.

It is associated with single CA and assumes all certs needing a check are signed by that CA directly (i.e. there is no intermediate CAs).

It caches CRL lists internally and must be treated as a heavy global object. Use GetCertChecker to grab a global instance of CertChecker for some CA.

CertChecker is safe for concurrent use.

func GetCertChecker

func GetCertChecker(c context.Context, cn string) (*CertChecker, error)

GetCertChecker returns an instance of CertChecker for given CA.

It caches CertChecker objects in local memory and reuses them between requests.

func (*CertChecker) CheckCertificate

func (ch *CertChecker) CheckCertificate(c context.Context, cert *x509.Certificate) (*certconfig.CA, error)

CheckCertificate checks certificate's signature, validity period and revocation status.

It returns nil error iff cert was directly signed by the CA, not expired yet, and its serial number is not in the CA's CRL (if CA's CRL is configured).

On success also returns *certconfig.CA instance used to check the certificate, since 'GetCA' may return another instance (in case certconfig.CA cache happened to expire between the calls).

func (*CertChecker) GetCA

func (ch *CertChecker) GetCA(c context.Context) (*certconfig.CA, error)

GetCA returns CA entity with ParsedConfig and ParsedCert fields set.

type CheckCertificateRPC

type CheckCertificateRPC struct {
}

CheckCertificateRPC implements CertificateAuthorities.CheckCertificate RPC method.

func (*CheckCertificateRPC) CheckCertificate

func (r *CheckCertificateRPC) CheckCertificate(c context.Context, req *admin.CheckCertificateRequest) (*admin.CheckCertificateResponse, error)

CheckCertificate says whether a certificate is valid or not.

type Error

type Error struct {
	Reason ErrorReason // enumeration that can be used in switches
	// contains filtered or unexported fields
}

Error is returned by CertChecker methods in case the certificate is invalid.

Datastore errors and not wrapped in Error, but returned as is. You may use type cast to Error to distinguish certificate related errors from other kinds of errors.

type ErrorReason

type ErrorReason int

ErrorReason is part of Error struct.

const (
	// NoSuchCA is returned by GetCertChecker or GetCA if requested CA is not
	// defined in the config.
	NoSuchCA ErrorReason = iota

	// UnknownCA is returned by CheckCertificate if the cert was signed by an
	// unexpected CA (i.e. a CA CertChecker is not configured with).
	UnknownCA

	// NotReadyCA is returned by CheckCertificate if the CA's CRL hasn't been
	// fetched yet (and thus CheckCertificate can't verify certificate's
	// revocation status).
	NotReadyCA

	// CertificateExpired is returned by CheckCertificate if the cert has
	// expired already or not yet active.
	CertificateExpired

	// SignatureCheckError is returned by CheckCertificate if the certificate
	// signature is not valid.
	SignatureCheckError

	// CertificateRevoked is returned by CheckCertificate if the certificate is
	// in the CA's Certificate Revocation List.
	CertificateRevoked
)

type IsRevokedCertRPC

type IsRevokedCertRPC struct {
}

IsRevokedCertRPC implements CertificateAuthorities.IsRevokedCert RPC method.

func (*IsRevokedCertRPC) IsRevokedCert

func (r *IsRevokedCertRPC) IsRevokedCert(c context.Context, req *admin.IsRevokedCertRequest) (*admin.IsRevokedCertResponse, error)

IsRevokedCert says whether a certificate serial number is in the CRL.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL