Rename pki.Validate to pki.CheckCRL for clarity on its purpose #3586

Merged
merged 1 commit into from
Dec 5, 2024
2 changes: 1 addition & 1 deletion network/network.go
Expand Up @@ -128,7 +128,7 @@ func (n *Network) checkNodeTLSHealth() core.Health {
}
}
// check if the configured certificate is revoked / denied.
err = n.pkiValidator.Validate([]*x509.Certificate{n.certificate.Leaf})
err = n.pkiValidator.CheckCRL([]*x509.Certificate{n.certificate.Leaf})
if err != nil {
return core.Health{
Status: core.HealthStatusDown,
2 changes: 1 addition & 1 deletion network/transport/grpc/connection_manager.go
Expand Up @@ -571,7 +571,7 @@ func (s *grpcConnectionManager) revalidatePeers() {
conn.disconnect()
return
}
err = s.config.pkiValidator.Validate([]*x509.Certificate{peerCert})
err = s.config.pkiValidator.CheckCRL([]*x509.Certificate{peerCert})
if err != nil {
log.Logger().WithError(err).WithFields(conn.Peer().ToFields()).Warn("Disconnected peer")
conn.disconnect()
2 changes: 1 addition & 1 deletion network/transport/grpc/tls_offloading.go
Expand Up @@ -60,7 +60,7 @@ func (t *tlsOffloadingAuthenticator) intercept(srv interface{}, serverStream grp
}

// Validate revocation/deny list status
if err = t.pkiValidator.Validate(certificates); err != nil {
if err = t.pkiValidator.CheckCRL(certificates); err != nil {
log.Logger().
WithError(err).
Warnf("Validation of offloaded TLS certificate failed")
16 changes: 8 additions & 8 deletions pki/interface.go
Expand Up @@ -58,28 +58,28 @@ type Denylist interface {
}

type Validator interface {
// Validate returns an error if any of the certificates in the chain has been revoked, or if the request cannot be processed.
// CheckCRL returns an error if any of the certificates in the chain has been revoked, or if the request cannot be processed.
// ErrCertRevoked and ErrCertUntrusted indicate that at least one of the certificates is revoked, or signed by a CA that is not in the truststore.
// ErrCRLMissing and ErrCRLExpired signal that at least one of the certificates cannot be validated reliably.
// If the certificate was revoked on an expired CRL, it wil return ErrCertRevoked.
// Validate uses the configured soft-/hard-fail strategy
// CheckCRL uses the configured soft-/hard-fail strategy
// If set to soft-fail it ignores ErrCRLMissing and ErrCRLExpired errors.
// The certificate chain is expected to be sorted leaf to root.
Validate(chain []*x509.Certificate) error
CheckCRL(chain []*x509.Certificate) error

// ValidateStrict does the same as Validate, except it always uses the hard-fail strategy.
ValidateStrict(chain []*x509.Certificate) error
// CheckCRLStrict does the same as CheckCRL, except it always uses the hard-fail strategy.
CheckCRLStrict(chain []*x509.Certificate) error

// SetVerifyPeerCertificateFunc sets config.ValidatePeerCertificate to use Validate.
// SetVerifyPeerCertificateFunc sets config.ValidatePeerCertificate to use CheckCRL.
SetVerifyPeerCertificateFunc(config *tls.Config) error

// AddTruststore adds all CAs to the truststore for validation of CRL signatures. It also adds all CRL Distribution Endpoints found in the chain.
// CRL Distribution Points encountered during operation, such as on end user certificates, are only added to the monitored CRLs if their issuer is in the truststore.
// CRL Distribution Points encountered at runtime, such as on end user certificates when calling CheckCRL, are only added to the monitored CRLs if their issuer is in the truststore.
// This fails if any of the issuers mentioned in the chain is not also in the chain or already in the truststore
AddTruststore(chain []*x509.Certificate) error

// SubscribeDenied registers a callback that is triggered everytime the denylist is updated.
// This can be used to revalidate all certificates on long-lasting connections by calling Validate on them again.
// This can be used to revalidate all certificates on long-lasting connections by calling CheckCRL on them again.
SubscribeDenied(f func())
}
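Review bot: The renamed doc comment beginning `// CheckCRL returns an error if any of the certificates in the chain has been revoked` describes only CRL revocation and CRL availability errors, yet the SubscribeDenied comment a few lines below tells callers to re-check denylist status by calling CheckCRL, and the caller in network/network.go comments the same call as "revoked / denied". If the implementation does consult the denylist (not visible here), the new name now understates the contract and the doc should state it, e.g. `// It also returns an error if any certificate in the chain is on the configured denylist.`; if it does not, the SubscribeDenied comment should point to whichever method does. The same comment block keeps a typo, `it wil return ErrCertRevoked` → `it will return ErrCertRevoked`.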

24 changes: 12 additions & 12 deletions pki/mock.go


12 changes: 6 additions & 6 deletions pki/validator.go
Expand Up @@ -127,15 +127,15 @@ func (v *validator) syncLoop(ctx context.Context) {
}
}

func (v *validator) Validate(chain []*x509.Certificate) error {
return v.validate(chain, v.softfail)
func (v *validator) CheckCRL(chain []*x509.Certificate) error {
return v.checkCRL(chain, v.softfail)
}

func (v *validator) ValidateStrict(chain []*x509.Certificate) error {
return v.validate(chain, false)
func (v *validator) CheckCRLStrict(chain []*x509.Certificate) error {
return v.checkCRL(chain, false)
}

func (v *validator) validate(chain []*x509.Certificate, softfail bool) error {
func (v *validator) checkCRL(chain []*x509.Certificate, softfail bool) error {
var cert *x509.Certificate
var err error
for i := range chain {
Expand All @@ -159,7 +159,7 @@ func (v *validator) SetVerifyPeerCertificateFunc(config *tls.Config) error {
// rawCerts contain all certificates provided by the peer, in our case only the leaf cert, while verifiedChains is guaranteed to include the CA's.
// rawCerts are ignored since we would only be checking revocation status on a cert whose issuer is not in the truststore. failure mode is then determined by v.softfail.
for _, chain := range verifiedChains {
if err := v.Validate(chain); err != nil {
if err := v.CheckCRL(chain); err != nil {
return &tls.CertificateVerificationError{
UnverifiedCertificates: chain,
Err: err,
4 changes: 2 additions & 2 deletions pki/validator_test.go
Expand Up @@ -103,7 +103,7 @@ func TestValidator_Validate(t *testing.T) {
testSoftHard := func(t *testing.T, val *validator, cert *x509.Certificate, softfailReturn error, hardfailReturn error) {
fn := func(softbool bool, expected error) {
val.softfail = softbool
err = val.Validate([]*x509.Certificate{cert})
err = val.CheckCRL([]*x509.Certificate{cert})
if expected == nil {
assert.NoError(t, err)
} else {
Expand All @@ -112,7 +112,7 @@ func TestValidator_Validate(t *testing.T) {
}
fnStrict := func(expected error) {
val.softfail = true // make sure it ignores the configured value
err = val.ValidateStrict([]*x509.Certificate{cert})
err = val.CheckCRLStrict([]*x509.Certificate{cert})
if expected == nil {
assert.NoError(t, err)
} else {
2 changes: 1 addition & 1 deletion vdr/didx509/resolver.go
Expand Up @@ -120,7 +120,7 @@ func (r Resolver) Resolve(id did.DID, metadata *resolver.ResolveMetadata) (*did.
return nil, nil, err
}

err = r.pkiValidator.ValidateStrict(chain)
err = r.pkiValidator.CheckCRLStrict(chain)
if err != nil {
return nil, nil, err
}