2019-01-24 20:15:10 +00:00
|
|
|
// Copyright (C) 2019 Storj Labs, Inc.
|
2018-07-09 18:43:13 +01:00
|
|
|
// See LICENSE for copying information.
|
|
|
|
|
|
|
|
package peertls
|
|
|
|
|
|
|
|
import (
|
2018-12-13 20:01:43 +00:00
|
|
|
"bytes"
|
2018-07-09 18:43:13 +01:00
|
|
|
"crypto"
|
|
|
|
"crypto/ecdsa"
|
2018-08-13 09:39:45 +01:00
|
|
|
"crypto/rand"
|
2018-07-09 18:43:13 +01:00
|
|
|
"crypto/tls"
|
|
|
|
"crypto/x509"
|
2018-12-18 11:55:55 +00:00
|
|
|
"encoding/asn1"
|
2018-08-13 09:39:45 +01:00
|
|
|
"encoding/pem"
|
|
|
|
"io"
|
2018-07-09 18:43:13 +01:00
|
|
|
|
|
|
|
"github.com/zeebo/errs"
|
2018-12-18 11:55:55 +00:00
|
|
|
|
|
|
|
"storj.io/storj/pkg/utils"
|
2018-07-09 18:43:13 +01:00
|
|
|
)
|
|
|
|
|
2018-08-13 09:39:45 +01:00
|
|
|
const (
|
|
|
|
// BlockTypeEcPrivateKey is the value to define a block type of private key
|
|
|
|
BlockTypeEcPrivateKey = "EC PRIVATE KEY"
|
2018-12-18 11:55:55 +00:00
|
|
|
// BlockTypeCertificate is the value to define a block type of certificates
|
2018-08-13 09:39:45 +01:00
|
|
|
BlockTypeCertificate = "CERTIFICATE"
|
2018-12-18 11:55:55 +00:00
|
|
|
// BlockTypeExtension is the value to define a block type of certificate extensions
|
|
|
|
BlockTypeExtension = "EXTENSION"
|
2018-08-13 09:39:45 +01:00
|
|
|
)
|
|
|
|
|
2018-07-09 18:43:13 +01:00
|
|
|
var (
|
2018-12-07 13:44:25 +00:00
|
|
|
// ErrNotExist is used when a file or directory doesn't exist.
|
2018-07-09 18:43:13 +01:00
|
|
|
ErrNotExist = errs.Class("file or directory not found error")
|
2018-12-07 13:44:25 +00:00
|
|
|
// ErrGenerate is used when an error occurred during cert/key generation.
|
2018-07-09 18:43:13 +01:00
|
|
|
ErrGenerate = errs.Class("tls generation error")
|
2018-12-07 13:44:25 +00:00
|
|
|
// ErrUnsupportedKey is used when key type is not supported.
|
2018-08-13 09:39:45 +01:00
|
|
|
ErrUnsupportedKey = errs.Class("unsupported key type")
|
2018-12-07 13:44:25 +00:00
|
|
|
// ErrTLSTemplate is used when an error occurs during tls template generation.
|
2018-07-09 18:43:13 +01:00
|
|
|
ErrTLSTemplate = errs.Class("tls template error")
|
2018-12-07 13:44:25 +00:00
|
|
|
// ErrVerifyPeerCert is used when an error occurs during `VerifyPeerCertificate`.
|
2018-07-09 18:43:13 +01:00
|
|
|
ErrVerifyPeerCert = errs.Class("tls peer certificate verification error")
|
2018-12-07 13:44:25 +00:00
|
|
|
// ErrParseCerts is used when an error occurs while parsing a certificate or cert chain.
|
2018-10-26 14:52:37 +01:00
|
|
|
ErrParseCerts = errs.Class("unable to parse certificate")
|
2018-12-07 13:44:25 +00:00
|
|
|
// ErrVerifySignature is used when a cert-chain signature verificaion error occurs.
|
2018-07-09 18:43:13 +01:00
|
|
|
ErrVerifySignature = errs.Class("tls certificate signature verification error")
|
2018-10-26 14:52:37 +01:00
|
|
|
// ErrVerifyCertificateChain is used when a certificate chain can't be verified from leaf to root
|
2018-12-07 13:44:25 +00:00
|
|
|
// (i.e.: each cert in the chain should be signed by the preceding cert and the root should be self-signed).
|
2018-10-26 14:52:37 +01:00
|
|
|
ErrVerifyCertificateChain = errs.Class("certificate chain signature verification failed")
|
2018-12-13 20:01:43 +00:00
|
|
|
// ErrVerifyCAWhitelist is used when a signature wasn't produced by any CA in the whitelist.
|
2018-12-07 13:44:25 +00:00
|
|
|
ErrVerifyCAWhitelist = errs.Class("not signed by any CA in the whitelist")
|
|
|
|
// ErrSign is used when something goes wrong while generating a signature.
|
2018-11-01 15:48:43 +00:00
|
|
|
ErrSign = errs.Class("unable to generate signature")
|
2018-07-09 18:43:13 +01:00
|
|
|
)
|
|
|
|
|
2018-08-13 09:39:45 +01:00
|
|
|
// PeerCertVerificationFunc is the signature for a `*tls.Config{}`'s
|
|
|
|
// `VerifyPeerCertificate` function.
|
|
|
|
type PeerCertVerificationFunc func([][]byte, [][]*x509.Certificate) error
|
2018-07-09 18:43:13 +01:00
|
|
|
|
2018-08-27 18:28:16 +01:00
|
|
|
// NewKey returns a new PrivateKey
|
2019-01-07 18:02:22 +00:00
|
|
|
func NewKey() (*ecdsa.PrivateKey, error) {
|
|
|
|
return ecdsa.GenerateKey(authECCurve, rand.Reader)
|
2018-07-09 18:43:13 +01:00
|
|
|
}
|
|
|
|
|
2018-08-13 09:39:45 +01:00
|
|
|
// VerifyPeerFunc combines multiple `*tls.Config#VerifyPeerCertificate`
|
|
|
|
// functions and adds certificate parsing.
|
|
|
|
func VerifyPeerFunc(next ...PeerCertVerificationFunc) PeerCertVerificationFunc {
|
|
|
|
return func(chain [][]byte, _ [][]*x509.Certificate) error {
|
|
|
|
c, err := parseCertificateChains(chain)
|
|
|
|
if err != nil {
|
2018-10-26 14:52:37 +01:00
|
|
|
return ErrVerifyPeerCert.Wrap(err)
|
2018-07-09 18:43:13 +01:00
|
|
|
}
|
|
|
|
|
2018-08-13 09:39:45 +01:00
|
|
|
for _, n := range next {
|
|
|
|
if n != nil {
|
|
|
|
if err := n(chain, [][]*x509.Certificate{c}); err != nil {
|
2018-10-26 14:52:37 +01:00
|
|
|
return ErrVerifyPeerCert.Wrap(err)
|
2018-08-13 09:39:45 +01:00
|
|
|
}
|
|
|
|
}
|
2018-07-09 18:43:13 +01:00
|
|
|
}
|
2018-08-13 09:39:45 +01:00
|
|
|
return nil
|
2018-07-09 18:43:13 +01:00
|
|
|
}
|
2018-08-13 09:39:45 +01:00
|
|
|
}
|
2018-07-09 18:43:13 +01:00
|
|
|
|
2018-08-27 23:23:48 +01:00
|
|
|
// VerifyPeerCertChains verifies that the first certificate chain contains certificates
|
2018-12-07 13:44:25 +00:00
|
|
|
// which are signed by their respective parents, ending with a self-signed root.
|
2018-08-13 09:39:45 +01:00
|
|
|
func VerifyPeerCertChains(_ [][]byte, parsedChains [][]*x509.Certificate) error {
|
|
|
|
return verifyChainSignatures(parsedChains[0])
|
2018-07-09 18:43:13 +01:00
|
|
|
}
|
|
|
|
|
2018-12-13 20:01:43 +00:00
|
|
|
// VerifyCAWhitelist verifies that the peer identity's CA was signed by any one
|
|
|
|
// of the (certificate authority) certificates in the provided whitelist.
|
2018-12-07 13:44:25 +00:00
|
|
|
func VerifyCAWhitelist(cas []*x509.Certificate) PeerCertVerificationFunc {
|
2018-10-26 14:52:37 +01:00
|
|
|
if cas == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return func(_ [][]byte, parsedChains [][]*x509.Certificate) error {
|
|
|
|
for _, ca := range cas {
|
2018-12-13 20:01:43 +00:00
|
|
|
err := verifyCertSignature(ca, parsedChains[0][CAIndex])
|
2018-10-26 14:52:37 +01:00
|
|
|
if err == nil {
|
2018-12-07 13:44:25 +00:00
|
|
|
return nil
|
2018-10-26 14:52:37 +01:00
|
|
|
}
|
|
|
|
}
|
2018-12-13 20:01:43 +00:00
|
|
|
return ErrVerifyCAWhitelist.New("CA cert")
|
2018-10-26 14:52:37 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-08-13 09:39:45 +01:00
|
|
|
// NewKeyBlock converts an ASN1/DER-encoded byte-slice of a private key into
|
2018-12-07 13:44:25 +00:00
|
|
|
// a `pem.Block` pointer.
|
2018-08-13 09:39:45 +01:00
|
|
|
func NewKeyBlock(b []byte) *pem.Block {
|
|
|
|
return &pem.Block{Type: BlockTypeEcPrivateKey, Bytes: b}
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewCertBlock converts an ASN1/DER-encoded byte-slice of a tls certificate
|
2018-12-07 13:44:25 +00:00
|
|
|
// into a `pem.Block` pointer.
|
2018-08-13 09:39:45 +01:00
|
|
|
func NewCertBlock(b []byte) *pem.Block {
|
|
|
|
return &pem.Block{Type: BlockTypeCertificate, Bytes: b}
|
|
|
|
}
|
2018-07-09 18:43:13 +01:00
|
|
|
|
2018-12-18 11:55:55 +00:00
|
|
|
// NewExtensionBlock converts an ASN1/DER-encoded byte-slice of a tls certificate
|
|
|
|
// extension into a `pem.Block` pointer.
|
|
|
|
func NewExtensionBlock(b []byte) *pem.Block {
|
|
|
|
return &pem.Block{Type: BlockTypeExtension, Bytes: b}
|
|
|
|
}
|
|
|
|
|
2018-12-07 13:44:25 +00:00
|
|
|
// TLSCert creates a tls.Certificate from chains, key and leaf.
|
2018-08-13 09:39:45 +01:00
|
|
|
func TLSCert(chain [][]byte, leaf *x509.Certificate, key crypto.PrivateKey) (*tls.Certificate, error) {
|
|
|
|
var err error
|
|
|
|
if leaf == nil {
|
|
|
|
leaf, err = x509.ParseCertificate(chain[0])
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2018-07-09 18:43:13 +01:00
|
|
|
}
|
|
|
|
|
2018-08-13 09:39:45 +01:00
|
|
|
return &tls.Certificate{
|
|
|
|
Leaf: leaf,
|
|
|
|
Certificate: chain,
|
|
|
|
PrivateKey: key,
|
|
|
|
}, nil
|
2018-07-09 18:43:13 +01:00
|
|
|
}
|
|
|
|
|
2018-08-13 09:39:45 +01:00
|
|
|
// WriteChain writes the certificate chain (leaf-first) to the writer, PEM-encoded.
|
|
|
|
func WriteChain(w io.Writer, chain ...*x509.Certificate) error {
|
|
|
|
if len(chain) < 1 {
|
|
|
|
return errs.New("expected at least one certificate for writing")
|
2018-07-09 18:43:13 +01:00
|
|
|
}
|
|
|
|
|
2018-12-18 11:55:55 +00:00
|
|
|
var extErrs utils.ErrorGroup
|
2018-08-13 09:39:45 +01:00
|
|
|
for _, c := range chain {
|
|
|
|
if err := pem.Encode(w, NewCertBlock(c.Raw)); err != nil {
|
|
|
|
return errs.Wrap(err)
|
|
|
|
}
|
2018-12-18 11:55:55 +00:00
|
|
|
|
|
|
|
for _, e := range c.ExtraExtensions {
|
|
|
|
extBytes, err := asn1.Marshal(e)
|
|
|
|
if err != nil {
|
|
|
|
extErrs.Add(errs.Wrap(err))
|
|
|
|
}
|
|
|
|
if err := pem.Encode(w, NewExtensionBlock(extBytes)); err != nil {
|
|
|
|
extErrs.Add(errs.Wrap(err))
|
|
|
|
}
|
|
|
|
}
|
captplanet (#159)
* captplanet
I kind of went overboard this weekend.
The major goal of this changeset is to provide an environment
for local development where all of the various services can
be easily run together. Developing on Storj v3 should be as
easy as running a setup command and a run command!
To do this, this changeset introduces a new tool called
captplanet, which combines the powers of the Overlay Cache,
the PointerDB, the PieceStore, Kademlia, the Minio Gateway,
etc.
Running 40 farmers and a heavy client inside the same process
forced a rethinking of the "services" that we had. To
avoid confusion by reusing prior terms, this changeset
introduces two new types: Providers and Responsibilities.
I wanted to avoid as many merge conflicts as possible, so
I left the existing Services and code for now, but if people
like this route we can clean up the duplication.
A Responsibility is a collection of gRPC methods and
corresponding state. The following systems are examples of
Responsibilities:
* Kademlia
* OverlayCache
* PointerDB
* StatDB
* PieceStore
* etc.
A Provider is a collection of Responsibilities that
share an Identity, such as:
* The heavy client
* The farmer
* The gateway
An Identity is a public/private key pair, a node id, etc.
Farmers all need different Identities, so captplanet
needs to support running multiple concurrent Providers
with different Identities.
Each Responsibility and Provider should allow for configuration
of multiple copies on its own so creating Responsibilities and
Providers use a new workflow.
To make a Responsibility, one should create a "config"
struct, such as:
```
type Config struct {
RepairThreshold int `help:"If redundancy falls below this number of
pieces, repair is triggered" default:"30"`
SuccessThreshold int `help:"If redundancy is above this number then
no additional uploads are needed" default:"40"`
}
```
To use "config" structs, this changeset introduces another
new library called 'cfgstruct', which allows for the configuration
of arbitrary structs through flagsets, and thus through cobra and
viper.
cfgstruct relies on Go's "struct tags" feature to document
help information and default values. Config structs can be
configured via cfgstruct.Bind for binding the struct to a flagset.
Because this configuration system makes setup and configuration
easier *in general*, additional commands are provided that allow
for easy standup of separate Providers. Please make sure to
check out:
* cmd/captplanet/farmer/main.go (a new farmer binary)
* cmd/captplanet/hc/main.go (a new heavy client binary)
* cmd/captplanet/gw/main.go (a new minio gateway binary)
Usage:
```
$ go install -v storj.io/storj/cmd/captplanet
$ captplanet setup
$ captplanet run
```
Configuration is placed by default in `~/.storj/capt/`
Other changes:
* introduces new config structs for currently existing
Responsibilities that conform to the new Responsibility
interface. Please see the `pkg/*/config.go` files for
examples.
* integrates the PointerDB API key with other global
configuration via flags, instead of through environment
variables through viper like it's been doing. (ultimately
this should also change to use the PointerDB config
struct but this is an okay shortterm solution).
* changes the Overlay cache to use a URL for database
configuration instead of separate redis and bolt config
settings.
* stubs out some peer identity skeleton code (but not the
meat).
* Fixes the SegmentStore to use the overlay client and
pointerdb clients instead of gRPC client code directly
* Leaves a very clear spot where we need to tie the object to
stream to segment store together. There's sort of a "golden
spike" opportunity to connect all the train tracks together
at the bottom of pkg/miniogw/config.go, labeled with a
bunch of TODOs.
Future stuff:
* I now prefer this design over the original
pkg/process.Service thing I had been pushing before (sorry!)
* The experience of trying to have multiple farmers
configurable concurrently led me to prefer config structs
over global flags (I finally came around) or using viper
directly. I think global flags are okay sometimes but in
general going forward we should try and get all relevant
config into config structs.
* If you all like this direction, I think we can go delete my
old Service interfaces and a bunch of flags and clean up a
bunch of stuff.
* If you don't like this direction, it's no sweat at all, and
despite how much code there is here I'm not very tied to any
of this! Considering a lot of this was written between midnight
and 6 am, it might not be any good!
* bind tests
2018-07-24 17:08:28 +01:00
|
|
|
}
|
2018-12-18 11:55:55 +00:00
|
|
|
return extErrs.Finish()
|
2018-07-09 18:43:13 +01:00
|
|
|
}
|
|
|
|
|
2018-12-17 15:09:52 +00:00
|
|
|
// ChainBytes returns bytes of the certificate chain (leaf-first) to the writer, PEM-encoded.
|
|
|
|
func ChainBytes(chain ...*x509.Certificate) ([]byte, error) {
|
|
|
|
var data bytes.Buffer
|
|
|
|
err := WriteChain(&data, chain...)
|
|
|
|
return data.Bytes(), err
|
|
|
|
}
|
|
|
|
|
2018-08-27 18:28:16 +01:00
|
|
|
// WriteKey writes the private key to the writer, PEM-encoded.
|
2018-08-13 09:39:45 +01:00
|
|
|
func WriteKey(w io.Writer, key crypto.PrivateKey) error {
|
|
|
|
var (
|
|
|
|
kb []byte
|
|
|
|
err error
|
|
|
|
)
|
|
|
|
|
|
|
|
switch k := key.(type) {
|
|
|
|
case *ecdsa.PrivateKey:
|
|
|
|
kb, err = x509.MarshalECPrivateKey(k)
|
|
|
|
if err != nil {
|
|
|
|
return errs.Wrap(err)
|
|
|
|
}
|
|
|
|
default:
|
|
|
|
return ErrUnsupportedKey.New("%T", k)
|
2018-07-09 18:43:13 +01:00
|
|
|
}
|
|
|
|
|
2018-08-13 09:39:45 +01:00
|
|
|
if err := pem.Encode(w, NewKeyBlock(kb)); err != nil {
|
|
|
|
return errs.Wrap(err)
|
|
|
|
}
|
|
|
|
return nil
|
2018-07-09 18:43:13 +01:00
|
|
|
}
|
2018-12-07 13:44:25 +00:00
|
|
|
|
2018-12-17 15:09:52 +00:00
|
|
|
// KeyBytes returns bytes of the private key to the writer, PEM-encoded.
|
|
|
|
func KeyBytes(key crypto.PrivateKey) ([]byte, error) {
|
|
|
|
var data bytes.Buffer
|
|
|
|
err := WriteKey(&data, key)
|
|
|
|
return data.Bytes(), err
|
|
|
|
}
|
|
|
|
|
2018-12-07 13:44:25 +00:00
|
|
|
// NewCert returns a new x509 certificate using the provided templates and key,
|
|
|
|
// signed by the parent cert if provided; otherwise, self-signed.
|
|
|
|
func NewCert(key, parentKey crypto.PrivateKey, template, parent *x509.Certificate) (*x509.Certificate, error) {
|
|
|
|
p, ok := key.(*ecdsa.PrivateKey)
|
|
|
|
if !ok {
|
|
|
|
return nil, ErrUnsupportedKey.New("%T", key)
|
|
|
|
}
|
|
|
|
|
|
|
|
var signingKey crypto.PrivateKey
|
|
|
|
if parentKey != nil {
|
|
|
|
signingKey = parentKey
|
|
|
|
} else {
|
|
|
|
signingKey = key
|
|
|
|
}
|
|
|
|
|
|
|
|
if parent == nil {
|
|
|
|
parent = template
|
|
|
|
}
|
|
|
|
|
|
|
|
cb, err := x509.CreateCertificate(
|
|
|
|
rand.Reader,
|
|
|
|
template,
|
|
|
|
parent,
|
|
|
|
&p.PublicKey,
|
|
|
|
signingKey,
|
|
|
|
)
|
|
|
|
if err != nil {
|
|
|
|
return nil, errs.Wrap(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
cert, err := x509.ParseCertificate(cb)
|
|
|
|
if err != nil {
|
|
|
|
return nil, errs.Wrap(err)
|
|
|
|
}
|
|
|
|
return cert, nil
|
|
|
|
}
|
|
|
|
|
2018-12-13 20:01:43 +00:00
|
|
|
// VerifyUnrevokedChainFunc returns a peer certificate verification function which
|
|
|
|
// returns an error if the incoming cert chain contains a revoked CA or leaf.
|
|
|
|
func VerifyUnrevokedChainFunc(revDB *RevocationDB) PeerCertVerificationFunc {
|
|
|
|
return func(_ [][]byte, chains [][]*x509.Certificate) error {
|
|
|
|
leaf := chains[0][LeafIndex]
|
|
|
|
ca := chains[0][CAIndex]
|
|
|
|
lastRev, lastRevErr := revDB.Get(chains[0])
|
|
|
|
if lastRevErr != nil {
|
|
|
|
return ErrExtension.Wrap(lastRevErr)
|
|
|
|
}
|
|
|
|
if lastRev == nil {
|
|
|
|
return nil
|
|
|
|
}
|
2018-12-07 13:44:25 +00:00
|
|
|
|
2018-12-13 20:01:43 +00:00
|
|
|
if bytes.Equal(lastRev.CertHash, ca.Raw) || bytes.Equal(lastRev.CertHash, leaf.Raw) {
|
|
|
|
lastRevErr := lastRev.Verify(ca)
|
|
|
|
if lastRevErr != nil {
|
|
|
|
return ErrExtension.Wrap(lastRevErr)
|
|
|
|
}
|
|
|
|
return ErrRevokedCert
|
|
|
|
}
|
2018-12-07 13:44:25 +00:00
|
|
|
|
2018-12-13 20:01:43 +00:00
|
|
|
return nil
|
2018-12-07 13:44:25 +00:00
|
|
|
}
|
|
|
|
}
|