2019-02-06 16:40:55 +00:00
|
|
|
// Copyright (C) 2019 Storj Labs, Inc.
|
|
|
|
// See LICENSE for copying information.
|
|
|
|
|
2019-08-19 23:10:38 +01:00
|
|
|
package revocation
|
2019-02-06 16:40:55 +00:00
|
|
|
|
|
|
|
import (
|
2019-06-04 12:36:27 +01:00
|
|
|
"context"
|
2019-02-06 16:40:55 +00:00
|
|
|
"crypto/x509"
|
|
|
|
"crypto/x509/pkix"
|
|
|
|
|
2019-08-19 23:10:38 +01:00
|
|
|
"github.com/zeebo/errs"
|
|
|
|
"gopkg.in/spacemonkeygo/monkit.v2"
|
|
|
|
|
2019-02-13 21:54:59 +00:00
|
|
|
"storj.io/storj/internal/dbutil"
|
2019-08-19 23:10:38 +01:00
|
|
|
"storj.io/storj/pkg/identity"
|
2019-02-06 16:40:55 +00:00
|
|
|
"storj.io/storj/pkg/peertls"
|
2019-03-25 21:52:12 +00:00
|
|
|
"storj.io/storj/pkg/peertls/extensions"
|
2019-08-19 23:10:38 +01:00
|
|
|
"storj.io/storj/pkg/peertls/tlsopts"
|
2019-02-06 16:40:55 +00:00
|
|
|
"storj.io/storj/storage"
|
|
|
|
"storj.io/storj/storage/boltdb"
|
|
|
|
"storj.io/storj/storage/redis"
|
|
|
|
)
|
|
|
|
|
2019-08-19 23:10:38 +01:00
|
|
|
var (
|
|
|
|
mon = monkit.Package()
|
|
|
|
|
|
|
|
// Error is a pkg/revocation error
|
|
|
|
Error = errs.Class("revocation error")
|
|
|
|
)
|
|
|
|
|
|
|
|
// DB stores the most recently seen revocation for each nodeID
|
2019-02-06 16:40:55 +00:00
|
|
|
// (i.e. nodeID [CA certificate's public key hash] is the key, values is
|
|
|
|
// the most recently seen revocation).
|
2019-08-19 23:10:38 +01:00
|
|
|
type DB struct {
|
|
|
|
KVStore storage.KeyValueStore
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewDBFromCfg is a convenience method to create a revocation DB
|
|
|
|
// directly from a config. If the revocation extension option is not set, it
|
|
|
|
// returns a nil db with no error.
|
|
|
|
func NewDBFromCfg(cfg tlsopts.Config) (*DB, error) {
|
|
|
|
if !cfg.Extensions.Revocation {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
return NewDB(cfg.RevocationDBURL)
|
2019-02-06 16:40:55 +00:00
|
|
|
}
|
|
|
|
|
2019-08-19 23:10:38 +01:00
|
|
|
// NewDB returns a new revocation database given the URL
|
|
|
|
func NewDB(dbURL string) (*DB, error) {
|
|
|
|
driver, source, err := dbutil.SplitConnstr(dbURL)
|
2019-03-25 21:52:12 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, extensions.ErrRevocationDB.Wrap(err)
|
|
|
|
}
|
|
|
|
|
2019-08-19 23:10:38 +01:00
|
|
|
var db *DB
|
2019-03-25 21:52:12 +00:00
|
|
|
switch driver {
|
|
|
|
case "bolt":
|
2019-08-19 23:10:38 +01:00
|
|
|
db, err = newDBBolt(source)
|
2019-03-25 21:52:12 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, extensions.ErrRevocationDB.Wrap(err)
|
|
|
|
}
|
|
|
|
case "redis":
|
2019-08-19 23:10:38 +01:00
|
|
|
db, err = newDBRedis(dbURL)
|
2019-03-25 21:52:12 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, extensions.ErrRevocationDB.Wrap(err)
|
|
|
|
}
|
|
|
|
default:
|
|
|
|
return nil, extensions.ErrRevocationDB.New("database scheme not supported: %s", driver)
|
|
|
|
}
|
|
|
|
|
|
|
|
return db, nil
|
|
|
|
}
|
|
|
|
|
2019-08-19 23:10:38 +01:00
|
|
|
// newDBBolt creates a bolt-backed DB
|
|
|
|
func newDBBolt(path string) (*DB, error) {
|
2019-03-25 21:52:12 +00:00
|
|
|
client, err := boltdb.New(path, extensions.RevocationBucket)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2019-08-19 23:10:38 +01:00
|
|
|
return &DB{
|
|
|
|
KVStore: client,
|
2019-03-25 21:52:12 +00:00
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
2019-08-19 23:10:38 +01:00
|
|
|
// newDBRedis creates a redis-backed DB.
|
|
|
|
func newDBRedis(address string) (*DB, error) {
|
2019-03-25 21:52:12 +00:00
|
|
|
client, err := redis.NewClientFrom(address)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2019-08-19 23:10:38 +01:00
|
|
|
return &DB{
|
|
|
|
KVStore: client,
|
2019-03-25 21:52:12 +00:00
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
2019-02-06 16:40:55 +00:00
|
|
|
// Get attempts to retrieve the most recent revocation for the given cert chain
|
|
|
|
// (the key used in the underlying database is the nodeID of the certificate chain).
|
2019-08-19 23:10:38 +01:00
|
|
|
func (db DB) Get(ctx context.Context, chain []*x509.Certificate) (_ *extensions.Revocation, err error) {
|
2019-06-04 12:36:27 +01:00
|
|
|
defer mon.Task()(&ctx)(&err)
|
2019-08-19 23:10:38 +01:00
|
|
|
nodeID, err := identity.NodeIDFromCert(chain[peertls.CAIndex])
|
2019-02-06 16:40:55 +00:00
|
|
|
if err != nil {
|
2019-03-25 21:52:12 +00:00
|
|
|
return nil, extensions.ErrRevocation.Wrap(err)
|
2019-02-06 16:40:55 +00:00
|
|
|
}
|
|
|
|
|
2019-08-19 23:10:38 +01:00
|
|
|
revBytes, err := db.KVStore.Get(ctx, nodeID.Bytes())
|
2019-02-06 16:40:55 +00:00
|
|
|
if err != nil && !storage.ErrKeyNotFound.Has(err) {
|
2019-03-25 21:52:12 +00:00
|
|
|
return nil, extensions.ErrRevocationDB.Wrap(err)
|
2019-02-06 16:40:55 +00:00
|
|
|
}
|
|
|
|
if revBytes == nil {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2019-03-25 21:52:12 +00:00
|
|
|
rev := new(extensions.Revocation)
|
2019-02-06 16:40:55 +00:00
|
|
|
if err = rev.Unmarshal(revBytes); err != nil {
|
2019-03-25 21:52:12 +00:00
|
|
|
return rev, extensions.ErrRevocationDB.Wrap(err)
|
2019-02-06 16:40:55 +00:00
|
|
|
}
|
|
|
|
return rev, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Put stores the most recent revocation for the given cert chain IF the timestamp
|
|
|
|
// is newer than the current value (the key used in the underlying database is
|
|
|
|
// the nodeID of the certificate chain).
|
2019-08-19 23:10:38 +01:00
|
|
|
func (db DB) Put(ctx context.Context, chain []*x509.Certificate, revExt pkix.Extension) (err error) {
|
2019-06-04 12:36:27 +01:00
|
|
|
defer mon.Task()(&ctx)(&err)
|
2019-02-06 16:40:55 +00:00
|
|
|
ca := chain[peertls.CAIndex]
|
2019-03-25 21:52:12 +00:00
|
|
|
var rev extensions.Revocation
|
2019-02-06 16:40:55 +00:00
|
|
|
if err := rev.Unmarshal(revExt.Value); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// TODO: do we care if cert/timestamp/sig is empty/garbage?
|
|
|
|
// TODO(bryanchriswhite): test empty/garbage cert/timestamp/sig
|
|
|
|
|
|
|
|
if err := rev.Verify(ca); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2019-08-19 23:10:38 +01:00
|
|
|
lastRev, err := db.Get(ctx, chain)
|
2019-02-06 16:40:55 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
} else if lastRev != nil && lastRev.Timestamp >= rev.Timestamp {
|
2019-03-25 21:52:12 +00:00
|
|
|
return extensions.ErrRevocationTimestamp
|
2019-02-06 16:40:55 +00:00
|
|
|
}
|
|
|
|
|
2019-08-19 23:10:38 +01:00
|
|
|
nodeID, err := identity.NodeIDFromCert(ca)
|
2019-02-06 16:40:55 +00:00
|
|
|
if err != nil {
|
2019-03-25 21:52:12 +00:00
|
|
|
return extensions.ErrRevocationDB.Wrap(err)
|
2019-02-06 16:40:55 +00:00
|
|
|
}
|
2019-08-19 23:10:38 +01:00
|
|
|
if err := db.KVStore.Put(ctx, nodeID.Bytes(), revExt.Value); err != nil {
|
2019-03-25 21:52:12 +00:00
|
|
|
return extensions.ErrRevocationDB.Wrap(err)
|
2019-02-06 16:40:55 +00:00
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// List lists all revocations in the store
|
2019-08-19 23:10:38 +01:00
|
|
|
func (db DB) List(ctx context.Context) (revs []*extensions.Revocation, err error) {
|
2019-06-04 12:36:27 +01:00
|
|
|
defer mon.Task()(&ctx)(&err)
|
2019-08-19 23:10:38 +01:00
|
|
|
keys, err := db.KVStore.List(ctx, []byte{}, 0)
|
2019-02-06 16:40:55 +00:00
|
|
|
if err != nil {
|
2019-03-25 21:52:12 +00:00
|
|
|
return nil, extensions.ErrRevocationDB.Wrap(err)
|
2019-02-06 16:40:55 +00:00
|
|
|
}
|
|
|
|
|
2019-08-19 23:10:38 +01:00
|
|
|
marshaledRevs, err := db.KVStore.GetAll(ctx, keys)
|
2019-02-06 16:40:55 +00:00
|
|
|
if err != nil {
|
2019-03-25 21:52:12 +00:00
|
|
|
return nil, extensions.ErrRevocationDB.Wrap(err)
|
2019-02-06 16:40:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
for _, revBytes := range marshaledRevs {
|
2019-03-25 21:52:12 +00:00
|
|
|
rev := new(extensions.Revocation)
|
2019-02-06 16:40:55 +00:00
|
|
|
if err := rev.Unmarshal(revBytes); err != nil {
|
2019-03-25 21:52:12 +00:00
|
|
|
return nil, extensions.ErrRevocationDB.Wrap(err)
|
2019-02-06 16:40:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
revs = append(revs, rev)
|
|
|
|
}
|
|
|
|
return revs, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Close closes the underlying store
|
2019-08-19 23:10:38 +01:00
|
|
|
func (db DB) Close() error {
|
|
|
|
return db.KVStore.Close()
|
2019-02-06 16:40:55 +00:00
|
|
|
}
|