From 51cb9495c607f2f358b68299912f10e5027fb7a5 Mon Sep 17 00:00:00 2001
From: Gerard Snaauw <gerard.snaauw@nedap.com>
Date: Tue, 3 Dec 2024 14:37:36 +0100
Subject: [PATCH] Rename pki.Validate to pki.CheckCRL for clarity on its
 purpose

---
 network/network.go                           |  2 +-
 network/transport/grpc/connection_manager.go |  2 +-
 network/transport/grpc/tls_offloading.go     |  2 +-
 pki/interface.go                             | 16 ++++++-------
 pki/mock.go                                  | 24 ++++++++++----------
 pki/validator.go                             | 12 +++++-----
 pki/validator_test.go                        |  4 ++--
 vdr/didx509/resolver.go                      |  2 +-
 8 files changed, 32 insertions(+), 32 deletions(-)

diff --git a/network/network.go b/network/network.go
index be8618bdd8..12718c4e11 100644
--- a/network/network.go
+++ b/network/network.go
@@ -128,7 +128,7 @@ func (n *Network) checkNodeTLSHealth() core.Health {
 		}
 	}
 	// check if the configured certificate is revoked / denied.
-	err = n.pkiValidator.Validate([]*x509.Certificate{n.certificate.Leaf})
+	err = n.pkiValidator.CheckCRL([]*x509.Certificate{n.certificate.Leaf})
 	if err != nil {
 		return core.Health{
 			Status:  core.HealthStatusDown,
diff --git a/network/transport/grpc/connection_manager.go b/network/transport/grpc/connection_manager.go
index f738a56fe4..213d5da93b 100644
--- a/network/transport/grpc/connection_manager.go
+++ b/network/transport/grpc/connection_manager.go
@@ -571,7 +571,7 @@ func (s *grpcConnectionManager) revalidatePeers() {
 			conn.disconnect()
 			return
 		}
-		err = s.config.pkiValidator.Validate([]*x509.Certificate{peerCert})
+		err = s.config.pkiValidator.CheckCRL([]*x509.Certificate{peerCert})
 		if err != nil {
 			log.Logger().WithError(err).WithFields(conn.Peer().ToFields()).Warn("Disconnected peer")
 			conn.disconnect()
diff --git a/network/transport/grpc/tls_offloading.go b/network/transport/grpc/tls_offloading.go
index 89223b87c1..f114bc05ef 100644
--- a/network/transport/grpc/tls_offloading.go
+++ b/network/transport/grpc/tls_offloading.go
@@ -60,7 +60,7 @@ func (t *tlsOffloadingAuthenticator) intercept(srv interface{}, serverStream grp
 	}
 
 	// Validate revocation/deny list status
-	if err = t.pkiValidator.Validate(certificates); err != nil {
+	if err = t.pkiValidator.CheckCRL(certificates); err != nil {
 		log.Logger().
 			WithError(err).
 			Warnf("Validation of offloaded TLS certificate failed")
diff --git a/pki/interface.go b/pki/interface.go
index 3d4907748d..7b26e3776c 100644
--- a/pki/interface.go
+++ b/pki/interface.go
@@ -58,28 +58,28 @@ type Denylist interface {
 }
 
 type Validator interface {
-	// Validate returns an error if any of the certificates in the chain has been revoked, or if the request cannot be processed.
+	// CheckCRL returns an error if any of the certificates in the chain has been revoked, or if the request cannot be processed.
 	// ErrCertRevoked and ErrCertUntrusted indicate that at least one of the certificates is revoked, or signed by a CA that is not in the truststore.
 	// ErrCRLMissing and ErrCRLExpired signal that at least one of the certificates cannot be validated reliably.
 	// If the certificate was revoked on an expired CRL, it wil return ErrCertRevoked.
-	// Validate uses the configured soft-/hard-fail strategy
+	// CheckCRL uses the configured soft-/hard-fail strategy
 	// If set to soft-fail it ignores ErrCRLMissing and ErrCRLExpired errors.
 	// The certificate chain is expected to be sorted leaf to root.
-	Validate(chain []*x509.Certificate) error
+	CheckCRL(chain []*x509.Certificate) error
 
-	// ValidateStrict does the same as Validate, except it always uses the hard-fail strategy.
-	ValidateStrict(chain []*x509.Certificate) error
+	// CheckCRLStrict does the same as CheckCRL, except it always uses the hard-fail strategy.
+	CheckCRLStrict(chain []*x509.Certificate) error
 
-	// SetVerifyPeerCertificateFunc sets config.ValidatePeerCertificate to use Validate.
+	// SetVerifyPeerCertificateFunc sets config.ValidatePeerCertificate to use CheckCRL.
 	SetVerifyPeerCertificateFunc(config *tls.Config) error
 
 	// AddTruststore adds all CAs to the truststore for validation of CRL signatures. It also adds all CRL Distribution Endpoints found in the chain.
-	// CRL Distribution Points encountered during operation, such as on end user certificates, are only added to the monitored CRLs if their issuer is in the truststore.
+	// CRL Distribution Points encountered at runtime, such as on end user certificates when calling CheckCRL, are only added to the monitored CRLs if their issuer is in the truststore.
 	// This fails if any of the issuers mentioned in the chain is not also in the chain or already in the truststore
 	AddTruststore(chain []*x509.Certificate) error
 
 	// SubscribeDenied registers a callback that is triggered everytime the denylist is updated.
-	// This can be used to revalidate all certificates on long-lasting connections by calling Validate on them again.
+	// This can be used to revalidate all certificates on long-lasting connections by calling CheckCRL on them again.
 	SubscribeDenied(f func())
 }
 
diff --git a/pki/mock.go b/pki/mock.go
index 21d8c97a3e..37fa11b80d 100644
--- a/pki/mock.go
+++ b/pki/mock.go
@@ -176,9 +176,9 @@ func (mr *MockValidatorMockRecorder) SubscribeDenied(f any) *gomock.Call {
 }
 
 // Validate mocks base method.
-func (m *MockValidator) Validate(chain []*x509.Certificate) error {
+func (m *MockValidator) CheckCRL(chain []*x509.Certificate) error {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Validate", chain)
+	ret := m.ctrl.Call(m, "CheckCRL", chain)
 	ret0, _ := ret[0].(error)
 	return ret0
 }
@@ -186,13 +186,13 @@ func (m *MockValidator) Validate(chain []*x509.Certificate) error {
 // Validate indicates an expected call of Validate.
 func (mr *MockValidatorMockRecorder) Validate(chain any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Validate", reflect.TypeOf((*MockValidator)(nil).Validate), chain)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CheckCRL", reflect.TypeOf((*MockValidator)(nil).CheckCRL), chain)
 }
 
 // ValidateStrict mocks base method.
-func (m *MockValidator) ValidateStrict(chain []*x509.Certificate) error {
+func (m *MockValidator) CheckCRLStrict(chain []*x509.Certificate) error {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "ValidateStrict", chain)
+	ret := m.ctrl.Call(m, "CheckCRLStrict", chain)
 	ret0, _ := ret[0].(error)
 	return ret0
 }
@@ -200,7 +200,7 @@ func (m *MockValidator) ValidateStrict(chain []*x509.Certificate) error {
 // ValidateStrict indicates an expected call of ValidateStrict.
 func (mr *MockValidatorMockRecorder) ValidateStrict(chain any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ValidateStrict", reflect.TypeOf((*MockValidator)(nil).ValidateStrict), chain)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CheckCRLStrict", reflect.TypeOf((*MockValidator)(nil).CheckCRLStrict), chain)
 }
 
 // MockProvider is a mock of Provider interface.
@@ -283,9 +283,9 @@ func (mr *MockProviderMockRecorder) SubscribeDenied(f any) *gomock.Call {
 }
 
 // Validate mocks base method.
-func (m *MockProvider) Validate(chain []*x509.Certificate) error {
+func (m *MockProvider) CheckCRL(chain []*x509.Certificate) error {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Validate", chain)
+	ret := m.ctrl.Call(m, "CheckCRL", chain)
 	ret0, _ := ret[0].(error)
 	return ret0
 }
@@ -293,13 +293,13 @@ func (m *MockProvider) Validate(chain []*x509.Certificate) error {
 // Validate indicates an expected call of Validate.
 func (mr *MockProviderMockRecorder) Validate(chain any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Validate", reflect.TypeOf((*MockProvider)(nil).Validate), chain)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CheckCRL", reflect.TypeOf((*MockProvider)(nil).CheckCRL), chain)
 }
 
 // ValidateStrict mocks base method.
-func (m *MockProvider) ValidateStrict(chain []*x509.Certificate) error {
+func (m *MockProvider) CheckCRLStrict(chain []*x509.Certificate) error {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "ValidateStrict", chain)
+	ret := m.ctrl.Call(m, "CheckCRLStrict", chain)
 	ret0, _ := ret[0].(error)
 	return ret0
 }
@@ -307,5 +307,5 @@ func (m *MockProvider) ValidateStrict(chain []*x509.Certificate) error {
 // ValidateStrict indicates an expected call of ValidateStrict.
 func (mr *MockProviderMockRecorder) ValidateStrict(chain any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ValidateStrict", reflect.TypeOf((*MockProvider)(nil).ValidateStrict), chain)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CheckCRLStrict", reflect.TypeOf((*MockProvider)(nil).CheckCRLStrict), chain)
 }
diff --git a/pki/validator.go b/pki/validator.go
index d08a37c13c..2ea0e523da 100644
--- a/pki/validator.go
+++ b/pki/validator.go
@@ -127,15 +127,15 @@ func (v *validator) syncLoop(ctx context.Context) {
 	}
 }
 
-func (v *validator) Validate(chain []*x509.Certificate) error {
-	return v.validate(chain, v.softfail)
+func (v *validator) CheckCRL(chain []*x509.Certificate) error {
+	return v.checkCRL(chain, v.softfail)
 }
 
-func (v *validator) ValidateStrict(chain []*x509.Certificate) error {
-	return v.validate(chain, false)
+func (v *validator) CheckCRLStrict(chain []*x509.Certificate) error {
+	return v.checkCRL(chain, false)
 }
 
-func (v *validator) validate(chain []*x509.Certificate, softfail bool) error {
+func (v *validator) checkCRL(chain []*x509.Certificate, softfail bool) error {
 	var cert *x509.Certificate
 	var err error
 	for i := range chain {
@@ -159,7 +159,7 @@ func (v *validator) SetVerifyPeerCertificateFunc(config *tls.Config) error {
 		// rawCerts contain all certificates provided by the peer, in our case only the leaf cert, while verifiedChains is guaranteed to include the CA's.
 		// rawCerts are ignored since we would only be checking revocation status on a cert whose issuer is not in the truststore. failure mode is then determined by v.softfail.
 		for _, chain := range verifiedChains {
-			if err := v.Validate(chain); err != nil {
+			if err := v.CheckCRL(chain); err != nil {
 				return &tls.CertificateVerificationError{
 					UnverifiedCertificates: chain,
 					Err:                    err,
diff --git a/pki/validator_test.go b/pki/validator_test.go
index 751089a30f..8935c8d04e 100644
--- a/pki/validator_test.go
+++ b/pki/validator_test.go
@@ -103,7 +103,7 @@ func TestValidator_Validate(t *testing.T) {
 	testSoftHard := func(t *testing.T, val *validator, cert *x509.Certificate, softfailReturn error, hardfailReturn error) {
 		fn := func(softbool bool, expected error) {
 			val.softfail = softbool
-			err = val.Validate([]*x509.Certificate{cert})
+			err = val.CheckCRL([]*x509.Certificate{cert})
 			if expected == nil {
 				assert.NoError(t, err)
 			} else {
@@ -112,7 +112,7 @@ func TestValidator_Validate(t *testing.T) {
 		}
 		fnStrict := func(expected error) {
 			val.softfail = true // make sure it ignores the configured value
-			err = val.ValidateStrict([]*x509.Certificate{cert})
+			err = val.CheckCRLStrict([]*x509.Certificate{cert})
 			if expected == nil {
 				assert.NoError(t, err)
 			} else {
diff --git a/vdr/didx509/resolver.go b/vdr/didx509/resolver.go
index 12f524fdfe..b523ec711a 100644
--- a/vdr/didx509/resolver.go
+++ b/vdr/didx509/resolver.go
@@ -120,7 +120,7 @@ func (r Resolver) Resolve(id did.DID, metadata *resolver.ResolveMetadata) (*did.
 		return nil, nil, err
 	}
 
-	err = r.pkiValidator.ValidateStrict(chain)
+	err = r.pkiValidator.CheckCRLStrict(chain)
 	if err != nil {
 		return nil, nil, err
 	}