storj/pkg/peertls/utils.go

// Copyright (C) 2018 Storj Labs, Inc.
// See LICENSE for copying information.

package peertls

// Many cryptography standards use ASN.1 to define their data structures,
// and Distinguished Encoding Rules (DER) to serialize those structures.
// Because DER produces binary output, it can be challenging to transmit
// the resulting files through systems, like electronic mail, that only
// support ASCII. The PEM format solves this problem by encoding the
// binary data using base64.
// (see https://en.wikipedia.org/wiki/Privacy-enhanced_Electronic_Mail)

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"math/big"

	"github.com/zeebo/errs"
)

type ecdsaSignature struct {
	R, S *big.Int
}

var authECCurve = elliptic.P256()

func parseCertificateChains(rawCerts [][]byte) ([]*x509.Certificate, error) {
	parsedCerts, err := parseCerts(rawCerts)
	if err != nil {
		return nil, err
	}

	return parsedCerts, nil
}

func parseCerts(rawCerts [][]byte) ([]*x509.Certificate, error) {
	certs := make([]*x509.Certificate, len(rawCerts))
	for i, c := range rawCerts {
		var err error
		certs[i], err = x509.ParseCertificate(c)
		if err != nil {
			return nil, ErrVerifyPeerCert.New("unable to parse certificate: %v", err)
		}
	}
	return certs, nil
}

func verifyChainSignatures(certs []*x509.Certificate) error {
	for i, cert := range certs {
		j := len(certs)
		if i+1 < j {
			isValid, err := verifyCertSignature(certs[i+1], cert)
			if err != nil {
				return ErrVerifyPeerCert.Wrap(err)
			}

			if !isValid {
				return ErrVerifyPeerCert.New("certificate chain signature verification failed")
			}

			continue
		}

		rootIsValid, err := verifyCertSignature(cert, cert)
		if err != nil {
			return ErrVerifyPeerCert.Wrap(err)
		}

		if !rootIsValid {
			return ErrVerifyPeerCert.New("certificate chain signature verification failed")
		}
	}

	return nil
}

func verifyCertSignature(parentCert, childCert *x509.Certificate) (bool, error) {
	pubKey, ok := parentCert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false, ErrUnsupportedKey.New("%T", parentCert.PublicKey)
	}

	signature := new(ecdsaSignature)

	if _, err := asn1.Unmarshal(childCert.Signature, signature); err != nil {
		return false, ErrVerifySignature.New("unable to unmarshal ecdsa signature: %v", err)
	}

	h := crypto.SHA256.New()
	_, err := h.Write(childCert.RawTBSCertificate)
	if err != nil {
		return false, err
	}
	digest := h.Sum(nil)

	isValid := ecdsa.Verify(pubKey, digest, signature.R, signature.S)

	return isValid, nil
}

func newSerialNumber() (*big.Int, error) {
	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
	if err != nil {
		return nil, errs.New("failed to generateServerTls serial number: %s", err.Error())
	}

	return serialNumber, nil
}
Node Identity (#193) * peertls: don't log errors for double close understood that this part of the code is undergoing heavy change right now, but just want to make sure this fix gets incorporated somewhere * git cleanup: node-id stuff * cleanup * rename identity_util.go * wip `CertificateAuthority` refactor * refactoring * gitignore update * wip * Merge remote-tracking branch 'storj/doubleclose' into node-id3 * storj/doubleclose: peertls: don't log errors for double close * add peertls tests & gomports * wip: + refactor + style changes + cleanup + [wip] add version to CA and identity configs + [wip] heavy client setup * refactor * wip: + refactor + style changes + add `CAConfig.Load` + add `CAConfig.Save` * wip: + add `LoadOrCreate` and `Create` to CA and Identity configs + add overwrite to CA and identity configs + heavy client setup + refactor + style changes + cleanup * wip * fixing things * fixing things * wip hc setup * hc setup: + refactor + bugfixing * improvements based on reveiw feedback * goimports * improvements: + responding to review feedback + refactor * feedback-based improvements * feedback-based improvements * feedback-based improvements * feedback-based improvements * feedback-based improvements * feedback-based improvements * cleanup * refactoring CA and Identity structs * Merge branch 'master' into node-id3 * move version field to setup config structs for CA and identity * fix typo * responding to revieiw feedback * responding to revieiw feedback * responding to revieiw feedback * responding to revieiw feedback * responding to revieiw feedback * responding to revieiw feedback * Merge branch 'master' into node-id3 * fix gateway setup finally * go imports * fix `FullCertificateAuthority.GenerateIdentity` * cleanup overlay tests * bugfixing * update ca/identity setup * go imports * fix peertls test copy/paste fail * responding to review feedback * setup tweaking * update farmer setup 2018-08-13 09:39:45 +01:00			`// Copyright (C) 2018 Storj Labs, Inc.`
			`// See LICENSE for copying information.`

			`package peertls`

			`// Many cryptography standards use ASN.1 to define their data structures,`
			`// and Distinguished Encoding Rules (DER) to serialize those structures.`
			`// Because DER produces binary output, it can be challenging to transmit`
			`// the resulting files through systems, like electronic mail, that only`
			`// support ASCII. The PEM format solves this problem by encoding the`
			`// binary data using base64.`
			`// (see https://en.wikipedia.org/wiki/Privacy-enhanced_Electronic_Mail)`

			`import (`
			`"crypto"`
			`"crypto/ecdsa"`
			`"crypto/elliptic"`
			`"crypto/rand"`
			`"crypto/x509"`
			`"encoding/asn1"`
			`"math/big"`

			`"github.com/zeebo/errs"`
			`)`

			`type ecdsaSignature struct {`
			`R, S *big.Int`
			`}`

			`var authECCurve = elliptic.P256()`

			`func parseCertificateChains(rawCerts [][]byte) ([]*x509.Certificate, error) {`
			`parsedCerts, err := parseCerts(rawCerts)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return parsedCerts, nil`
			`}`

			`func parseCerts(rawCerts [][]byte) ([]*x509.Certificate, error) {`
			`certs := make([]*x509.Certificate, len(rawCerts))`
			`for i, c := range rawCerts {`
			`var err error`
			`certs[i], err = x509.ParseCertificate(c)`
			`if err != nil {`
all: fix govet warnings (#255) Fixes go1.11 vet warnings. Cancel on WithTimeout must always be called to avoid memory leak: pkg/provider/provider.go:73: the cancel function returned by context.WithTimeout should be called, not discarded, to avoid a context leak Range over non-copyable things: pkg/pool/connection_pool_test.go:32: range var v copies lock: struct{pool pool.ConnectionPool; key string; expected pool.TestFoo; expectedError error} contains pool.ConnectionPool contains sync.RWMutex pkg/pool/connection_pool_test.go:56: range var v copies lock: struct{pool pool.ConnectionPool; key string; value pool.TestFoo; expected pool.TestFoo; expectedError error} contains pool.ConnectionPool contains sync.RWMutex pkg/pool/connection_pool_test.go:83: range var v copies lock: struct{pool pool.ConnectionPool; key string; value pool.TestFoo; expected interface{}; expectedError error} contains pool.ConnectionPool contains sync.RWMutex zeebo/errs package always requires formatting directives: pkg/peertls/peertls.go:50: Class.New call has arguments but no formatting directives pkg/peertls/utils.go:47: Class.New call has arguments but no formatting directives pkg/peertls/utils.go:87: Class.New call has arguments but no formatting directives pkg/overlay/cache.go:94: Class.New call has arguments but no formatting directives pkg/provider/certificate_authority.go:98: New call has arguments but no formatting directives pkg/provider/identity.go:96: New call has arguments but no formatting directives pkg/provider/utils.go:124: New call needs 1 arg but has 2 args pkg/provider/utils.go:136: New call needs 1 arg but has 2 args storage/redis/client.go:44: Class.New call has arguments but no formatting directives storage/redis/client.go:64: Class.New call has arguments but no formatting directives storage/redis/client.go:75: Class.New call has arguments but no formatting directives storage/redis/client.go:80: Class.New call has arguments but no formatting directives storage/redis/client.go:92: Class.New call has arguments but no formatting directives storage/redis/client.go:96: Class.New call has arguments but no formatting directives storage/redis/client.go:102: Class.New call has arguments but no formatting directives storage/redis/client.go:126: Class.New call has arguments but no formatting directives 2018-08-22 07:39:57 +01:00			`return nil, ErrVerifyPeerCert.New("unable to parse certificate: %v", err)`
Node Identity (#193) * peertls: don't log errors for double close understood that this part of the code is undergoing heavy change right now, but just want to make sure this fix gets incorporated somewhere * git cleanup: node-id stuff * cleanup * rename identity_util.go * wip `CertificateAuthority` refactor * refactoring * gitignore update * wip * Merge remote-tracking branch 'storj/doubleclose' into node-id3 * storj/doubleclose: peertls: don't log errors for double close * add peertls tests & gomports * wip: + refactor + style changes + cleanup + [wip] add version to CA and identity configs + [wip] heavy client setup * refactor * wip: + refactor + style changes + add `CAConfig.Load` + add `CAConfig.Save` * wip: + add `LoadOrCreate` and `Create` to CA and Identity configs + add overwrite to CA and identity configs + heavy client setup + refactor + style changes + cleanup * wip * fixing things * fixing things * wip hc setup * hc setup: + refactor + bugfixing * improvements based on reveiw feedback * goimports * improvements: + responding to review feedback + refactor * feedback-based improvements * feedback-based improvements * feedback-based improvements * feedback-based improvements * feedback-based improvements * feedback-based improvements * cleanup * refactoring CA and Identity structs * Merge branch 'master' into node-id3 * move version field to setup config structs for CA and identity * fix typo * responding to revieiw feedback * responding to revieiw feedback * responding to revieiw feedback * responding to revieiw feedback * responding to revieiw feedback * responding to revieiw feedback * Merge branch 'master' into node-id3 * fix gateway setup finally * go imports * fix `FullCertificateAuthority.GenerateIdentity` * cleanup overlay tests * bugfixing * update ca/identity setup * go imports * fix peertls test copy/paste fail * responding to review feedback * setup tweaking * update farmer setup 2018-08-13 09:39:45 +01:00			`}`
			`}`
			`return certs, nil`
			`}`

			`func verifyChainSignatures(certs []*x509.Certificate) error {`
			`for i, cert := range certs {`
			`j := len(certs)`
			`if i+1 < j {`
Identity fixes+: (#270) * identity fixes+: + fix `peertls.NewCert` public key issue + fix `peertls.verfiyChain` issue + fix identity dial option + rename `GenerateCA` to `NewCA` and `generateCAWorker` to `newCAWorker` for better consistency/convention 2018-08-23 15:08:26 +01:00			`isValid, err := verifyCertSignature(certs[i+1], cert)`
Node Identity (#193) * peertls: don't log errors for double close understood that this part of the code is undergoing heavy change right now, but just want to make sure this fix gets incorporated somewhere * git cleanup: node-id stuff * cleanup * rename identity_util.go * wip `CertificateAuthority` refactor * refactoring * gitignore update * wip * Merge remote-tracking branch 'storj/doubleclose' into node-id3 * storj/doubleclose: peertls: don't log errors for double close * add peertls tests & gomports * wip: + refactor + style changes + cleanup + [wip] add version to CA and identity configs + [wip] heavy client setup * refactor * wip: + refactor + style changes + add `CAConfig.Load` + add `CAConfig.Save` * wip: + add `LoadOrCreate` and `Create` to CA and Identity configs + add overwrite to CA and identity configs + heavy client setup + refactor + style changes + cleanup * wip * fixing things * fixing things * wip hc setup * hc setup: + refactor + bugfixing * improvements based on reveiw feedback * goimports * improvements: + responding to review feedback + refactor * feedback-based improvements * feedback-based improvements * feedback-based improvements * feedback-based improvements * feedback-based improvements * feedback-based improvements * cleanup * refactoring CA and Identity structs * Merge branch 'master' into node-id3 * move version field to setup config structs for CA and identity * fix typo * responding to revieiw feedback * responding to revieiw feedback * responding to revieiw feedback * responding to revieiw feedback * responding to revieiw feedback * responding to revieiw feedback * Merge branch 'master' into node-id3 * fix gateway setup finally * go imports * fix `FullCertificateAuthority.GenerateIdentity` * cleanup overlay tests * bugfixing * update ca/identity setup * go imports * fix peertls test copy/paste fail * responding to review feedback * setup tweaking * update farmer setup 2018-08-13 09:39:45 +01:00			`if err != nil {`
			`return ErrVerifyPeerCert.Wrap(err)`
			`}`

			`if !isValid {`
			`return ErrVerifyPeerCert.New("certificate chain signature verification failed")`
			`}`

			`continue`
			`}`

			`rootIsValid, err := verifyCertSignature(cert, cert)`
			`if err != nil {`
			`return ErrVerifyPeerCert.Wrap(err)`
			`}`

			`if !rootIsValid {`
			`return ErrVerifyPeerCert.New("certificate chain signature verification failed")`
			`}`
			`}`

			`return nil`
			`}`

			`func verifyCertSignature(parentCert, childCert *x509.Certificate) (bool, error) {`
CA and identity commands (#235) * wip ca/ident cmds * minor improvements and commenting * combine id and ca commands and add $CONFDIR * add `NewIdenity` test * refactor `NewCA` benchmarks * linter fixes 2018-08-27 23:23:48 +01:00			`pubKey, ok := parentCert.PublicKey.(*ecdsa.PublicKey)`
			`if !ok {`
			`return false, ErrUnsupportedKey.New("%T", parentCert.PublicKey)`
			`}`

Node Identity (#193) * peertls: don't log errors for double close understood that this part of the code is undergoing heavy change right now, but just want to make sure this fix gets incorporated somewhere * git cleanup: node-id stuff * cleanup * rename identity_util.go * wip `CertificateAuthority` refactor * refactoring * gitignore update * wip * Merge remote-tracking branch 'storj/doubleclose' into node-id3 * storj/doubleclose: peertls: don't log errors for double close * add peertls tests & gomports * wip: + refactor + style changes + cleanup + [wip] add version to CA and identity configs + [wip] heavy client setup * refactor * wip: + refactor + style changes + add `CAConfig.Load` + add `CAConfig.Save` * wip: + add `LoadOrCreate` and `Create` to CA and Identity configs + add overwrite to CA and identity configs + heavy client setup + refactor + style changes + cleanup * wip * fixing things * fixing things * wip hc setup * hc setup: + refactor + bugfixing * improvements based on reveiw feedback * goimports * improvements: + responding to review feedback + refactor * feedback-based improvements * feedback-based improvements * feedback-based improvements * feedback-based improvements * feedback-based improvements * feedback-based improvements * cleanup * refactoring CA and Identity structs * Merge branch 'master' into node-id3 * move version field to setup config structs for CA and identity * fix typo * responding to revieiw feedback * responding to revieiw feedback * responding to revieiw feedback * responding to revieiw feedback * responding to revieiw feedback * responding to revieiw feedback * Merge branch 'master' into node-id3 * fix gateway setup finally * go imports * fix `FullCertificateAuthority.GenerateIdentity` * cleanup overlay tests * bugfixing * update ca/identity setup * go imports * fix peertls test copy/paste fail * responding to review feedback * setup tweaking * update farmer setup 2018-08-13 09:39:45 +01:00			`signature := new(ecdsaSignature)`

			`if _, err := asn1.Unmarshal(childCert.Signature, signature); err != nil {`
all: fix govet warnings (#255) Fixes go1.11 vet warnings. Cancel on WithTimeout must always be called to avoid memory leak: pkg/provider/provider.go:73: the cancel function returned by context.WithTimeout should be called, not discarded, to avoid a context leak Range over non-copyable things: pkg/pool/connection_pool_test.go:32: range var v copies lock: struct{pool pool.ConnectionPool; key string; expected pool.TestFoo; expectedError error} contains pool.ConnectionPool contains sync.RWMutex pkg/pool/connection_pool_test.go:56: range var v copies lock: struct{pool pool.ConnectionPool; key string; value pool.TestFoo; expected pool.TestFoo; expectedError error} contains pool.ConnectionPool contains sync.RWMutex pkg/pool/connection_pool_test.go:83: range var v copies lock: struct{pool pool.ConnectionPool; key string; value pool.TestFoo; expected interface{}; expectedError error} contains pool.ConnectionPool contains sync.RWMutex zeebo/errs package always requires formatting directives: pkg/peertls/peertls.go:50: Class.New call has arguments but no formatting directives pkg/peertls/utils.go:47: Class.New call has arguments but no formatting directives pkg/peertls/utils.go:87: Class.New call has arguments but no formatting directives pkg/overlay/cache.go:94: Class.New call has arguments but no formatting directives pkg/provider/certificate_authority.go:98: New call has arguments but no formatting directives pkg/provider/identity.go:96: New call has arguments but no formatting directives pkg/provider/utils.go:124: New call needs 1 arg but has 2 args pkg/provider/utils.go:136: New call needs 1 arg but has 2 args storage/redis/client.go:44: Class.New call has arguments but no formatting directives storage/redis/client.go:64: Class.New call has arguments but no formatting directives storage/redis/client.go:75: Class.New call has arguments but no formatting directives storage/redis/client.go:80: Class.New call has arguments but no formatting directives storage/redis/client.go:92: Class.New call has arguments but no formatting directives storage/redis/client.go:96: Class.New call has arguments but no formatting directives storage/redis/client.go:102: Class.New call has arguments but no formatting directives storage/redis/client.go:126: Class.New call has arguments but no formatting directives 2018-08-22 07:39:57 +01:00			`return false, ErrVerifySignature.New("unable to unmarshal ecdsa signature: %v", err)`
Node Identity (#193) * peertls: don't log errors for double close understood that this part of the code is undergoing heavy change right now, but just want to make sure this fix gets incorporated somewhere * git cleanup: node-id stuff * cleanup * rename identity_util.go * wip `CertificateAuthority` refactor * refactoring * gitignore update * wip * Merge remote-tracking branch 'storj/doubleclose' into node-id3 * storj/doubleclose: peertls: don't log errors for double close * add peertls tests & gomports * wip: + refactor + style changes + cleanup + [wip] add version to CA and identity configs + [wip] heavy client setup * refactor * wip: + refactor + style changes + add `CAConfig.Load` + add `CAConfig.Save` * wip: + add `LoadOrCreate` and `Create` to CA and Identity configs + add overwrite to CA and identity configs + heavy client setup + refactor + style changes + cleanup * wip * fixing things * fixing things * wip hc setup * hc setup: + refactor + bugfixing * improvements based on reveiw feedback * goimports * improvements: + responding to review feedback + refactor * feedback-based improvements * feedback-based improvements * feedback-based improvements * feedback-based improvements * feedback-based improvements * feedback-based improvements * cleanup * refactoring CA and Identity structs * Merge branch 'master' into node-id3 * move version field to setup config structs for CA and identity * fix typo * responding to revieiw feedback * responding to revieiw feedback * responding to revieiw feedback * responding to revieiw feedback * responding to revieiw feedback * responding to revieiw feedback * Merge branch 'master' into node-id3 * fix gateway setup finally * go imports * fix `FullCertificateAuthority.GenerateIdentity` * cleanup overlay tests * bugfixing * update ca/identity setup * go imports * fix peertls test copy/paste fail * responding to review feedback * setup tweaking * update farmer setup 2018-08-13 09:39:45 +01:00			`}`

			`h := crypto.SHA256.New()`
			`_, err := h.Write(childCert.RawTBSCertificate)`
			`if err != nil {`
			`return false, err`
			`}`
			`digest := h.Sum(nil)`

			`isValid := ecdsa.Verify(pubKey, digest, signature.R, signature.S)`

			`return isValid, nil`
			`}`

			`func newSerialNumber() (*big.Int, error) {`
			`serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)`
			`serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)`
			`if err != nil {`
			`return nil, errs.New("failed to generateServerTls serial number: %s", err.Error())`
			`}`

			`return serialNumber, nil`
			`}`