195 lines
5.9 KiB
Go
195 lines
5.9 KiB
Go
|
// Copyright (C) 2019 Storj Labs, Inc.
|
||
|
// See LICENSE for copying information.
|
||
|
|
||
|
package tlsopts
|
||
|
|
||
|
import (
|
||
|
"crypto/tls"
|
||
|
"crypto/x509"
|
||
|
"crypto/x509/pkix"
|
||
|
"io/ioutil"
|
||
|
|
||
|
"github.com/spacemonkeygo/monkit/v3"
|
||
|
"github.com/zeebo/errs"
|
||
|
|
||
|
"storj.io/common/identity"
|
||
|
"storj.io/common/peertls"
|
||
|
"storj.io/common/peertls/extensions"
|
||
|
"storj.io/common/pkcrypto"
|
||
|
)
|
||
|
|
||
|
var (
|
||
|
mon = monkit.Package()
|
||
|
// Error is error for tlsopts
|
||
|
Error = errs.Class("tlsopts error")
|
||
|
)
|
||
|
|
||
|
// Options holds config, identity, and peer verification function data for use with tls.
|
||
|
type Options struct {
|
||
|
Config Config
|
||
|
Ident *identity.FullIdentity
|
||
|
RevDB extensions.RevocationDB
|
||
|
PeerCAWhitelist []*x509.Certificate
|
||
|
VerificationFuncs *VerificationFuncs
|
||
|
Cert *tls.Certificate
|
||
|
}
|
||
|
|
||
|
// VerificationFuncs keeps track of of client and server peer certificate verification
|
||
|
// functions for use in tls handshakes.
|
||
|
type VerificationFuncs struct {
|
||
|
client []peertls.PeerCertVerificationFunc
|
||
|
server []peertls.PeerCertVerificationFunc
|
||
|
}
|
||
|
|
||
|
// ExtensionMap maps `pkix.Extension`s to their respective asn1 object ID string.
|
||
|
type ExtensionMap map[string]pkix.Extension
|
||
|
|
||
|
// NewOptions is a constructor for `tls options` given an identity, config, and
|
||
|
// revocation DB. A caller may pass a nil revocation DB if the revocation
|
||
|
// extension is disabled.
|
||
|
func NewOptions(i *identity.FullIdentity, c Config, revocationDB extensions.RevocationDB) (*Options, error) {
|
||
|
opts := &Options{
|
||
|
Config: c,
|
||
|
RevDB: revocationDB,
|
||
|
Ident: i,
|
||
|
VerificationFuncs: new(VerificationFuncs),
|
||
|
}
|
||
|
|
||
|
err := opts.configure()
|
||
|
if err != nil {
|
||
|
return nil, err
|
||
|
}
|
||
|
|
||
|
return opts, nil
|
||
|
}
|
||
|
|
||
|
// NewExtensionsMap builds an `ExtensionsMap` from the extensions in the passed certificate(s).
|
||
|
func NewExtensionsMap(chain ...*x509.Certificate) ExtensionMap {
|
||
|
extensionMap := make(ExtensionMap)
|
||
|
for _, cert := range chain {
|
||
|
for _, ext := range cert.Extensions {
|
||
|
extensionMap[ext.Id.String()] = ext
|
||
|
}
|
||
|
}
|
||
|
return extensionMap
|
||
|
}
|
||
|
|
||
|
// ExtensionOptions converts options for use in extension handling.
|
||
|
func (opts *Options) ExtensionOptions() *extensions.Options {
|
||
|
return &extensions.Options{
|
||
|
PeerCAWhitelist: opts.PeerCAWhitelist,
|
||
|
RevocationDB: opts.RevDB,
|
||
|
PeerIDVersions: opts.Config.PeerIDVersions,
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// configure adds peer certificate verification functions and data structures
|
||
|
// required for completing TLS handshakes to the options.
|
||
|
func (opts *Options) configure() (err error) {
|
||
|
if opts.Config.UsePeerCAWhitelist {
|
||
|
whitelist := []byte(DefaultPeerCAWhitelist)
|
||
|
if opts.Config.PeerCAWhitelistPath != "" {
|
||
|
whitelist, err = ioutil.ReadFile(opts.Config.PeerCAWhitelistPath)
|
||
|
if err != nil {
|
||
|
return Error.New("unable to find whitelist file %v: %v", opts.Config.PeerCAWhitelistPath, err)
|
||
|
}
|
||
|
}
|
||
|
opts.PeerCAWhitelist, err = pkcrypto.CertsFromPEM(whitelist)
|
||
|
if err != nil {
|
||
|
return Error.Wrap(err)
|
||
|
}
|
||
|
opts.VerificationFuncs.ClientAdd(peertls.VerifyCAWhitelist(opts.PeerCAWhitelist))
|
||
|
}
|
||
|
|
||
|
handlers := make(extensions.HandlerFactories, len(extensions.DefaultHandlers))
|
||
|
copy(handlers, extensions.DefaultHandlers)
|
||
|
|
||
|
if opts.Config.Extensions.Revocation {
|
||
|
handlers.Register(
|
||
|
extensions.RevocationCheckHandler,
|
||
|
extensions.RevocationUpdateHandler,
|
||
|
)
|
||
|
}
|
||
|
|
||
|
if opts.Config.Extensions.WhitelistSignedLeaf {
|
||
|
handlers.Register(extensions.CAWhitelistSignedLeafHandler)
|
||
|
}
|
||
|
|
||
|
opts.handleExtensions(handlers)
|
||
|
|
||
|
opts.Cert, err = peertls.TLSCert(opts.Ident.RawChain(), opts.Ident.Leaf, opts.Ident.Key)
|
||
|
return err
|
||
|
}
|
||
|
|
||
|
// handleExtensions combines and wraps all extension handler functions into a peer
|
||
|
// certificate verification function. This allows extension handling via the
|
||
|
// `VerifyPeerCertificate` field in a `tls.Config` during a TLS handshake.
|
||
|
func (opts *Options) handleExtensions(handlers extensions.HandlerFactories) {
|
||
|
if len(handlers) == 0 {
|
||
|
return
|
||
|
}
|
||
|
|
||
|
handlerFuncMap := handlers.WithOptions(opts.ExtensionOptions())
|
||
|
|
||
|
combinedHandlerFunc := func(_ [][]byte, parsedChains [][]*x509.Certificate) error {
|
||
|
extensionMap := NewExtensionsMap(parsedChains[0]...)
|
||
|
return extensionMap.HandleExtensions(handlerFuncMap, parsedChains)
|
||
|
}
|
||
|
|
||
|
opts.VerificationFuncs.Add(combinedHandlerFunc)
|
||
|
}
|
||
|
|
||
|
// HandleExtensions calls each `extensions.HandlerFunc` with its respective extension
|
||
|
// and the certificate chain where its object ID string matches the extension's.
|
||
|
func (extensionMap ExtensionMap) HandleExtensions(handlerFuncMap extensions.HandlerFuncMap, chain [][]*x509.Certificate) error {
|
||
|
for idStr, extension := range extensionMap {
|
||
|
for id, handlerFunc := range handlerFuncMap {
|
||
|
if idStr == id.String() {
|
||
|
err := handlerFunc(extension, chain)
|
||
|
if err != nil {
|
||
|
return Error.Wrap(err)
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
return nil
|
||
|
}
|
||
|
|
||
|
// Client returns the client verification functions.
|
||
|
func (vf *VerificationFuncs) Client() []peertls.PeerCertVerificationFunc {
|
||
|
return vf.client
|
||
|
}
|
||
|
|
||
|
// Server returns the server verification functions.
|
||
|
func (vf *VerificationFuncs) Server() []peertls.PeerCertVerificationFunc {
|
||
|
return vf.server
|
||
|
}
|
||
|
|
||
|
// Add adds verification functions so the client and server lists.
|
||
|
func (vf *VerificationFuncs) Add(verificationFuncs ...peertls.PeerCertVerificationFunc) {
|
||
|
vf.ClientAdd(verificationFuncs...)
|
||
|
vf.ServerAdd(verificationFuncs...)
|
||
|
}
|
||
|
|
||
|
// ClientAdd adds verification functions so the client list.
|
||
|
func (vf *VerificationFuncs) ClientAdd(verificationFuncs ...peertls.PeerCertVerificationFunc) {
|
||
|
verificationFuncs = removeNils(verificationFuncs)
|
||
|
vf.client = append(vf.client, verificationFuncs...)
|
||
|
}
|
||
|
|
||
|
// ServerAdd adds verification functions so the server list.
|
||
|
func (vf *VerificationFuncs) ServerAdd(verificationFuncs ...peertls.PeerCertVerificationFunc) {
|
||
|
verificationFuncs = removeNils(verificationFuncs)
|
||
|
vf.server = append(vf.server, verificationFuncs...)
|
||
|
}
|
||
|
|
||
|
func removeNils(verificationFuncs []peertls.PeerCertVerificationFunc) []peertls.PeerCertVerificationFunc {
|
||
|
result := verificationFuncs[:0]
|
||
|
for _, f := range verificationFuncs {
|
||
|
if f != nil {
|
||
|
result = append(result, f)
|
||
|
}
|
||
|
}
|
||
|
return result
|
||
|
}
|