vitess.io/vitess@v0.16.2/go/vt/vttls/crl.go

vitess.io/vitess@v0.16.2/go/vt/vttls/crl.go (about)

     1  /*
     2  Copyright 2021 The Vitess Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package vttls
    18  
    19  import (
    20  	"crypto/x509"
    21  	"encoding/pem"
    22  	"fmt"
    23  	"os"
    24  	"time"
    25  
    26  	"vitess.io/vitess/go/vt/log"
    27  )
    28  
    29  type verifyPeerCertificateFunc func([][]byte, [][]*x509.Certificate) error
    30  
    31  func certIsRevoked(cert *x509.Certificate, crl *x509.RevocationList) bool {
    32  	if !time.Now().Before(crl.NextUpdate) {
    33  		log.Warningf("The current Certificate Revocation List (CRL) is past expiry date and must be updated. Revoked certificates will still be rejected in this state.")
    34  	}
    35  
    36  	for _, revoked := range crl.RevokedCertificates {
    37  		if cert.SerialNumber.Cmp(revoked.SerialNumber) == 0 {
    38  			return true
    39  		}
    40  	}
    41  	return false
    42  }
    43  
    44  func verifyPeerCertificateAgainstCRL(crl string) (verifyPeerCertificateFunc, error) {
    45  	crlSet, err := loadCRLSet(crl)
    46  	if err != nil {
    47  		return nil, err
    48  	}
    49  
    50  	return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
    51  		for _, chain := range verifiedChains {
    52  			for i := 0; i < len(chain)-1; i++ {
    53  				cert := chain[i]
    54  				issuerCert := chain[i+1]
    55  				for _, crl := range crlSet {
    56  					if crl.CheckSignatureFrom(issuerCert) == nil {
    57  						if certIsRevoked(cert, crl) {
    58  							return fmt.Errorf("Certificate revoked: CommonName=%v", cert.Subject.CommonName)
    59  						}
    60  					}
    61  				}
    62  			}
    63  		}
    64  		return nil
    65  	}, nil
    66  }
    67  
    68  func loadCRLSet(crl string) ([]*x509.RevocationList, error) {
    69  	body, err := os.ReadFile(crl)
    70  	if err != nil {
    71  		return nil, err
    72  	}
    73  
    74  	crlSet := make([]*x509.RevocationList, 0)
    75  	for len(body) > 0 {
    76  		var block *pem.Block
    77  		block, body = pem.Decode(body)
    78  		if block == nil {
    79  			break
    80  		}
    81  		if block.Type != "X509 CRL" {
    82  			continue
    83  		}
    84  
    85  		parsedCRL, err := x509.ParseRevocationList(block.Bytes)
    86  		if err != nil {
    87  			return nil, err
    88  		}
    89  		crlSet = append(crlSet, parsedCRL)
    90  	}
    91  	return crlSet, nil
    92  }