2019-01-24 20:15:10 +00:00
|
|
|
// Copyright (C) 2019 Storj Labs, Inc.
|
2018-08-13 09:39:45 +01:00
|
|
|
// See LICENSE for copying information.
|
|
|
|
|
|
|
|
|
|
package peertls
|
|
|
|
|
|
|
|
|
|
// Many cryptography standards use ASN.1 to define their data structures,
|
|
|
|
|
// and Distinguished Encoding Rules (DER) to serialize those structures.
|
|
|
|
|
// Because DER produces binary output, it can be challenging to transmit
|
|
|
|
|
// the resulting files through systems, like electronic mail, that only
|
|
|
|
|
// support ASCII. The PEM format solves this problem by encoding the
|
|
|
|
|
// binary data using base64.
|
|
|
|
|
// (see https://en.wikipedia.org/wiki/Privacy-enhanced_Electronic_Mail)
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"crypto/rand"
|
|
|
|
|
"crypto/x509"
|
2018-12-13 20:01:43 +00:00
|
|
|
"crypto/x509/pkix"
|
2018-08-13 09:39:45 +01:00
|
|
|
"math/big"
|
|
|
|
|
|
|
|
|
|
"github.com/zeebo/errs"
|
|
|
|
|
|
2019-02-07 09:04:29 +00:00
|
|
|
"storj.io/storj/pkg/pkcrypto"
|
|
|
|
|
)
|
2018-08-13 09:39:45 +01:00
|
|
|
|
2019-02-26 18:35:16 +00:00
|
|
|
// NonTemporaryError is an error with a `Temporary` method which always returns false.
|
|
|
|
|
// It is intended for use with grpc.
|
|
|
|
|
//
|
|
|
|
|
// (see https://godoc.org/google.golang.org/grpc#WithDialer
|
|
|
|
|
// and https://godoc.org/google.golang.org/grpc#FailOnNonTempDialError).
|
|
|
|
|
type NonTemporaryError struct{ error }
|
|
|
|
|
|
|
|
|
|
// NewNonTemporaryError returns a new temporary error for use with grpc.
|
|
|
|
|
func NewNonTemporaryError(err error) NonTemporaryError {
|
|
|
|
|
return NonTemporaryError{
|
|
|
|
|
error: errs.Wrap(err),
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Temporary returns false to indicate that is is a non-temporary error
|
|
|
|
|
func (nte NonTemporaryError) Temporary() bool {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Err returns the underlying error
|
|
|
|
|
func (nte NonTemporaryError) Err() error {
|
|
|
|
|
return nte.error
|
|
|
|
|
}
|
|
|
|
|
|
2018-08-13 09:39:45 +01:00
|
|
|
func verifyChainSignatures(certs []*x509.Certificate) error {
|
|
|
|
|
for i, cert := range certs {
|
|
|
|
|
j := len(certs)
|
|
|
|
|
if i+1 < j {
|
2018-10-26 14:52:37 +01:00
|
|
|
err := verifyCertSignature(certs[i+1], cert)
|
2018-08-13 09:39:45 +01:00
|
|
|
if err != nil {
|
2018-10-26 14:52:37 +01:00
|
|
|
return ErrVerifyCertificateChain.Wrap(err)
|
2018-08-13 09:39:45 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-26 14:52:37 +01:00
|
|
|
err := verifyCertSignature(cert, cert)
|
2018-08-13 09:39:45 +01:00
|
|
|
if err != nil {
|
2018-10-26 14:52:37 +01:00
|
|
|
return ErrVerifyCertificateChain.Wrap(err)
|
2018-08-13 09:39:45 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-26 14:52:37 +01:00
|
|
|
func verifyCertSignature(parentCert, childCert *x509.Certificate) error {
|
2019-02-07 20:39:20 +00:00
|
|
|
return pkcrypto.HashAndVerifySignature(parentCert.PublicKey, childCert.RawTBSCertificate, childCert.Signature)
|
2018-08-13 09:39:45 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func newSerialNumber() (*big.Int, error) {
|
|
|
|
|
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
|
|
|
|
|
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errs.New("failed to generateServerTls serial number: %s", err.Error())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return serialNumber, nil
|
|
|
|
|
}
|
2019-02-07 09:04:29 +00:00
|
|
|
|
2018-12-13 20:01:43 +00:00
|
|
|
func uniqueExts(exts []pkix.Extension) bool {
|
|
|
|
|
seen := make(map[string]struct{}, len(exts))
|
|
|
|
|
for _, e := range exts {
|
|
|
|
|
s := e.Id.String()
|
|
|
|
|
if _, ok := seen[s]; ok {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
seen[s] = struct{}{}
|
|
|
|
|
}
|
|
|
|
|
return true
|
|
|
|
|
}
|
