storj/pkg/peertls/tlsopts/options.go

// Copyright (C) 2019 Storj Labs, Inc.
// See LICENSE for copying information.

package tlsopts

import (
	"crypto/tls"
	"io/ioutil"

	"github.com/zeebo/errs"
	monkit "gopkg.in/spacemonkeygo/monkit.v2"

	"storj.io/storj/pkg/identity"
	"storj.io/storj/pkg/peertls"
	"storj.io/storj/pkg/pkcrypto"
)

var (
	mon = monkit.Package()
	// Error is error for tlsopts
	Error = errs.Class("tlsopts error")
)

// Options holds config, identity, and peer verification function data for use with tls.
type Options struct {
	Config            Config
	Ident             *identity.FullIdentity
	RevDB             *identity.RevocationDB
	VerificationFuncs *VerificationFuncs
	Cert              *tls.Certificate
}

// VerificationFuncs keeps track of of client and server peer certificate verification
// functions for use in tls handshakes.
type VerificationFuncs struct {
	client []peertls.PeerCertVerificationFunc
	server []peertls.PeerCertVerificationFunc
}

// NewOptions is a constructor for `tls options` given an identity and config
func NewOptions(i *identity.FullIdentity, c Config) (*Options, error) {
	opts := &Options{
		Config:            c,
		Ident:             i,
		VerificationFuncs: new(VerificationFuncs),
	}

	err := opts.configure(c)
	if err != nil {
		return nil, err
	}

	return opts, nil
}

// configure adds peer certificate verification functions and revocation
// database to the config.
func (opts *Options) configure(c Config) (err error) {
	parseOpts := peertls.ParseExtOptions{}

	if c.UsePeerCAWhitelist {
		whitelist := []byte(DefaultPeerCAWhitelist)
		if c.PeerCAWhitelistPath != "" {
			whitelist, err = ioutil.ReadFile(c.PeerCAWhitelistPath)
			if err != nil {
				return Error.New("unable to find whitelist file %v: %v", c.PeerCAWhitelistPath, err)
			}
		}
		parsed, err := pkcrypto.CertsFromPEM(whitelist)
		if err != nil {
			return Error.Wrap(err)
		}
		parseOpts.CAWhitelist = parsed
		opts.VerificationFuncs.ClientAdd(peertls.VerifyCAWhitelist(parsed))
	}

	if c.Extensions.Revocation {
		opts.RevDB, err = identity.NewRevDB(c.RevocationDBURL)
		if err != nil {
			return err
		}
		opts.VerificationFuncs.Add(identity.VerifyUnrevokedChainFunc(opts.RevDB))
	}

	exts := peertls.ParseExtensions(c.Extensions, parseOpts)
	opts.VerificationFuncs.Add(exts.VerifyFunc())

	opts.Cert, err = peertls.TLSCert(opts.Ident.RawChain(), opts.Ident.Leaf, opts.Ident.Key)
	return err
}

// Client returns the client verification functions.
func (vf *VerificationFuncs) Client() []peertls.PeerCertVerificationFunc {
	return vf.client
}

// Server returns the server verification functions.
func (vf *VerificationFuncs) Server() []peertls.PeerCertVerificationFunc {
	return vf.server
}

// Add adds verification functions so the client and server lists.
func (vf *VerificationFuncs) Add(verificationFuncs ...peertls.PeerCertVerificationFunc) {
	vf.ClientAdd(verificationFuncs...)
	vf.ServerAdd(verificationFuncs...)
}

// ClientAdd adds verification functions so the client list.
func (vf *VerificationFuncs) ClientAdd(verificationFuncs ...peertls.PeerCertVerificationFunc) {
	verificationFuncs = removeNils(verificationFuncs)
	vf.client = append(vf.client, verificationFuncs...)
}

// ServerAdd adds verification functions so the server list.
func (vf *VerificationFuncs) ServerAdd(verificationFuncs ...peertls.PeerCertVerificationFunc) {
	verificationFuncs = removeNils(verificationFuncs)
	vf.server = append(vf.server, verificationFuncs...)
}

func removeNils(verificationFuncs []peertls.PeerCertVerificationFunc) []peertls.PeerCertVerificationFunc {
	for i, f := range verificationFuncs {
		if f == nil {
			copy(verificationFuncs[i:], verificationFuncs[i+1:])
			verificationFuncs = verificationFuncs[:len(verificationFuncs)-1]
		}
	}
	return verificationFuncs
}
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`// Copyright (C) 2019 Storj Labs, Inc.`
			`// See LICENSE for copying information.`

pkg/transport: require tls configuration for dialing (#1286) * separate TLS options from server options (because we need them for dialing too) * stop creating transports in multiple places * ensure that we actually check revocation, whitelists, certificate signing, etc, for all connections. 2019-02-11 11:17:32 +00:00			`package tlsopts`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00
			`import (`
pkg/transport: require tls configuration for dialing (#1286) * separate TLS options from server options (because we need them for dialing too) * stop creating transports in multiple places * ensure that we actually check revocation, whitelists, certificate signing, etc, for all connections. 2019-02-11 11:17:32 +00:00			`"crypto/tls"`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`"io/ioutil"`

pkg/transport: require tls configuration for dialing (#1286) * separate TLS options from server options (because we need them for dialing too) * stop creating transports in multiple places * ensure that we actually check revocation, whitelists, certificate signing, etc, for all connections. 2019-02-11 11:17:32 +00:00			`"github.com/zeebo/errs"`
			`monkit "gopkg.in/spacemonkeygo/monkit.v2"`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00
			`"storj.io/storj/pkg/identity"`
			`"storj.io/storj/pkg/peertls"`
Consolidate key/cert/signature encoding and decoding (#1243) 2019-02-07 18:40:28 +00:00			`"storj.io/storj/pkg/pkcrypto"`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`)`

pkg/transport: require tls configuration for dialing (#1286) * separate TLS options from server options (because we need them for dialing too) * stop creating transports in multiple places * ensure that we actually check revocation, whitelists, certificate signing, etc, for all connections. 2019-02-11 11:17:32 +00:00			`var (`
			`mon = monkit.Package()`
			`// Error is error for tlsopts`
			`Error = errs.Class("tlsopts error")`
			`)`

			`// Options holds config, identity, and peer verification function data for use with tls.`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`type Options struct {`
tlsconfig refactor / cleanup (#1399) 2019-03-04 20:40:18 +00:00			`Config Config`
			`Ident *identity.FullIdentity`
			`RevDB *identity.RevocationDB`
[V3-1147] Ensure certificate validation happens properly (#1403) * add regression test & update transport tests * separate client and server verificiation functions * goimports 2019-03-06 14:42:34 +00:00			`VerificationFuncs *VerificationFuncs`
tlsconfig refactor / cleanup (#1399) 2019-03-04 20:40:18 +00:00			`Cert *tls.Certificate`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`}`

[V3-1147] Ensure certificate validation happens properly (#1403) * add regression test & update transport tests * separate client and server verificiation functions * goimports 2019-03-06 14:42:34 +00:00			`// VerificationFuncs keeps track of of client and server peer certificate verification`
			`// functions for use in tls handshakes.`
			`type VerificationFuncs struct {`
			`client []peertls.PeerCertVerificationFunc`
			`server []peertls.PeerCertVerificationFunc`
			`}`

pkg/transport: require tls configuration for dialing (#1286) * separate TLS options from server options (because we need them for dialing too) * stop creating transports in multiple places * ensure that we actually check revocation, whitelists, certificate signing, etc, for all connections. 2019-02-11 11:17:32 +00:00			// NewOptions is a constructor for `tls options` given an identity and config
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`func NewOptions(i identity.FullIdentity, c Config) (Options, error) {`
			`opts := &Options{`
[V3-1147] Ensure certificate validation happens properly (#1403) * add regression test & update transport tests * separate client and server verificiation functions * goimports 2019-03-06 14:42:34 +00:00			`Config: c,`
			`Ident: i,`
			`VerificationFuncs: new(VerificationFuncs),`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`}`

			`err := opts.configure(c)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return opts, nil`
			`}`

			`// configure adds peer certificate verification functions and revocation`
			`// database to the config.`
			`func (opts *Options) configure(c Config) (err error) {`
			`parseOpts := peertls.ParseExtOptions{}`

pkg/server: include production cert (#1082) Change-Id: Ie8e6fe78550be83c3bd797db7a1e58d37c684792 2019-01-17 17:36:45 +00:00			`if c.UsePeerCAWhitelist {`
			`whitelist := []byte(DefaultPeerCAWhitelist)`
			`if c.PeerCAWhitelistPath != "" {`
			`whitelist, err = ioutil.ReadFile(c.PeerCAWhitelistPath)`
			`if err != nil {`
			`return Error.New("unable to find whitelist file %v: %v", c.PeerCAWhitelistPath, err)`
			`}`
			`}`
Consolidate key/cert/signature encoding and decoding (#1243) 2019-02-07 18:40:28 +00:00			`parsed, err := pkcrypto.CertsFromPEM(whitelist)`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`if err != nil {`
pkg/server: include production cert (#1082) Change-Id: Ie8e6fe78550be83c3bd797db7a1e58d37c684792 2019-01-17 17:36:45 +00:00			`return Error.Wrap(err)`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`}`
pkg/server: include production cert (#1082) Change-Id: Ie8e6fe78550be83c3bd797db7a1e58d37c684792 2019-01-17 17:36:45 +00:00			`parseOpts.CAWhitelist = parsed`
[V3-1147] Ensure certificate validation happens properly (#1403) * add regression test & update transport tests * separate client and server verificiation functions * goimports 2019-03-06 14:42:34 +00:00			`opts.VerificationFuncs.ClientAdd(peertls.VerifyCAWhitelist(parsed))`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`}`

			`if c.Extensions.Revocation {`
identity improvements: (#1215) 2019-02-06 16:40:55 +00:00			`opts.RevDB, err = identity.NewRevDB(c.RevocationDBURL)`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`if err != nil {`
			`return err`
			`}`
[V3-1147] Ensure certificate validation happens properly (#1403) * add regression test & update transport tests * separate client and server verificiation functions * goimports 2019-03-06 14:42:34 +00:00			`opts.VerificationFuncs.Add(identity.VerifyUnrevokedChainFunc(opts.RevDB))`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`}`

			`exts := peertls.ParseExtensions(c.Extensions, parseOpts)`
[V3-1147] Ensure certificate validation happens properly (#1403) * add regression test & update transport tests * separate client and server verificiation functions * goimports 2019-03-06 14:42:34 +00:00			`opts.VerificationFuncs.Add(exts.VerifyFunc())`

			`opts.Cert, err = peertls.TLSCert(opts.Ident.RawChain(), opts.Ident.Leaf, opts.Ident.Key)`
			`return err`
			`}`

			`// Client returns the client verification functions.`
			`func (vf *VerificationFuncs) Client() []peertls.PeerCertVerificationFunc {`
			`return vf.client`
			`}`

			`// Server returns the server verification functions.`
			`func (vf *VerificationFuncs) Server() []peertls.PeerCertVerificationFunc {`
			`return vf.server`
			`}`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00
[V3-1147] Ensure certificate validation happens properly (#1403) * add regression test & update transport tests * separate client and server verificiation functions * goimports 2019-03-06 14:42:34 +00:00			`// Add adds verification functions so the client and server lists.`
			`func (vf *VerificationFuncs) Add(verificationFuncs ...peertls.PeerCertVerificationFunc) {`
			`vf.ClientAdd(verificationFuncs...)`
			`vf.ServerAdd(verificationFuncs...)`
			`}`

			`// ClientAdd adds verification functions so the client list.`
			`func (vf *VerificationFuncs) ClientAdd(verificationFuncs ...peertls.PeerCertVerificationFunc) {`
			`verificationFuncs = removeNils(verificationFuncs)`
			`vf.client = append(vf.client, verificationFuncs...)`
			`}`

			`// ServerAdd adds verification functions so the server list.`
			`func (vf *VerificationFuncs) ServerAdd(verificationFuncs ...peertls.PeerCertVerificationFunc) {`
			`verificationFuncs = removeNils(verificationFuncs)`
			`vf.server = append(vf.server, verificationFuncs...)`
			`}`

			`func removeNils(verificationFuncs []peertls.PeerCertVerificationFunc) []peertls.PeerCertVerificationFunc {`
			`for i, f := range verificationFuncs {`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`if f == nil {`
[V3-1147] Ensure certificate validation happens properly (#1403) * add regression test & update transport tests * separate client and server verificiation functions * goimports 2019-03-06 14:42:34 +00:00			`copy(verificationFuncs[i:], verificationFuncs[i+1:])`
			`verificationFuncs = verificationFuncs[:len(verificationFuncs)-1]`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`}`
			`}`
[V3-1147] Ensure certificate validation happens properly (#1403) * add regression test & update transport tests * separate client and server verificiation functions * goimports 2019-03-06 14:42:34 +00:00			`return verificationFuncs`
pkg/provider: split into pkg/server, pkg/identity (#953) 2019-01-02 10:23:25 +00:00			`}`