storj/private/testpeertls/revocations.go

102 lines
3.1 KiB
Go
Raw Normal View History

// Copyright (C) 2019 Storj Labs, Inc.
// See LICENSE for copying information.
package testpeertls
import (
"crypto"
"crypto/x509"
"crypto/x509/pkix"
2019-04-03 16:03:53 +01:00
"storj.io/storj/pkg/identity"
"storj.io/storj/pkg/peertls"
"storj.io/storj/pkg/peertls/extensions"
2019-04-03 16:03:53 +01:00
"storj.io/storj/pkg/peertls/tlsopts"
2019-04-08 19:15:19 +01:00
"storj.io/storj/pkg/storj"
)
// RevokeLeaf revokes the leaf certificate in the passed chain and replaces it
// with a "revoking" certificate, which contains a revocation extension recording
// this action.
2019-04-03 16:03:53 +01:00
func RevokeLeaf(caKey crypto.PrivateKey, chain []*x509.Certificate) ([]*x509.Certificate, pkix.Extension, error) {
if len(chain) < 2 {
return nil, pkix.Extension{}, extensions.Error.New("revoking leaf implies a CA exists; chain too short")
}
ca := &identity.FullCertificateAuthority{
Key: caKey,
Cert: chain[peertls.CAIndex],
RestChain: chain[:peertls.CAIndex+1],
}
2019-04-03 16:03:53 +01:00
var err error
2019-04-08 19:15:19 +01:00
ca.ID, err = identity.NodeIDFromKey(ca.Cert.PublicKey, storj.LatestIDVersion())
if err != nil {
2019-04-03 16:03:53 +01:00
return nil, pkix.Extension{}, err
}
2019-04-03 16:03:53 +01:00
ident := &identity.FullIdentity{
Leaf: chain[peertls.LeafIndex],
CA: ca.Cert,
ID: ca.ID,
RestChain: ca.RestChain,
}
2019-04-03 16:03:53 +01:00
manageableIdent := identity.NewManageableFullIdentity(ident, ca)
if err := manageableIdent.Revoke(); err != nil {
return nil, pkix.Extension{}, err
}
2019-04-03 16:03:53 +01:00
revokingCert := manageableIdent.Leaf
var revocationExt *pkix.Extension
for _, ext := range revokingCert.Extensions {
if extensions.RevocationExtID.Equal(ext.Id) {
revocationExt = &ext // nolint: scopelint
2019-04-03 16:03:53 +01:00
break
}
}
if revocationExt == nil {
return nil, pkix.Extension{}, extensions.ErrRevocation.New("no revocation extension found")
}
return append([]*x509.Certificate{revokingCert}, chain[peertls.CAIndex:]...), *revocationExt, nil
}
// RevokeCA revokes the CA certificate in the passed chain and adds a revocation
// extension to that certificate, recording this action.
2019-04-03 16:03:53 +01:00
func RevokeCA(caKey crypto.PrivateKey, chain []*x509.Certificate) ([]*x509.Certificate, pkix.Extension, error) {
2019-04-08 19:15:19 +01:00
nodeID, err := identity.NodeIDFromCert(chain[peertls.CAIndex])
if err != nil {
return nil, pkix.Extension{}, err
}
2019-04-03 16:03:53 +01:00
ca := &identity.FullCertificateAuthority{
ID: nodeID,
2019-04-08 19:15:19 +01:00
Cert: chain[peertls.CAIndex],
2019-04-03 16:03:53 +01:00
Key: caKey,
RestChain: chain[peertls.CAIndex+1:],
}
if err = ca.Revoke(); err != nil {
return nil, pkix.Extension{}, err
}
extMap := tlsopts.NewExtensionsMap(ca.Cert)
revocationExt, ok := extMap[extensions.RevocationExtID.String()]
if !ok {
return nil, pkix.Extension{}, extensions.ErrRevocation.New("no revocation extension found")
}
return append([]*x509.Certificate{chain[peertls.LeafIndex], ca.Cert}, ca.RestChain...), revocationExt, nil
}
// NewRevokedLeafChain creates a certificate chain (of length 2) with a leaf
// that contains a valid revocation extension.
func NewRevokedLeafChain() ([]crypto.PrivateKey, []*x509.Certificate, pkix.Extension, error) {
2019-04-08 19:15:19 +01:00
keys, certs, err := NewCertChain(2, storj.LatestIDVersion().Number)
if err != nil {
return nil, nil, pkix.Extension{}, err
}
2019-04-08 19:15:19 +01:00
newChain, revocation, err := RevokeLeaf(keys[peertls.CAIndex], certs)
return keys, newChain, revocation, err
}