revoke

package module
v0.1.10 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 14, 2023 License: BSD-2-Clause Imports: 17 Imported by: 1

README

revoke

A fork of github.com/cloudflare/cfssl/revoke primarily intent on implementing functionality needed by github.com/go-webauthn/webauthn

Documentation

Overview

Package pkcs7 implements the subset of the CMS PKCS #7 datatype that is typically used to package certificates and CRLs. Using openssl, every certificate converted to PKCS #7 format from another encoding such as PEM conforms to this implementation. reference: https://www.openssl.org/docs/man1.1.0/apps/crl2pkcs7.html

PKCS #7 Data type, reference: https://tools.ietf.org/html/rfc2315

The full pkcs#7 cryptographic message syntax allows for cryptographic enhancements, for example data can be encrypted and signed and then packaged through pkcs#7 to be sent over a network and then verified and decrypted. It is asn1, and the type of PKCS #7 ContentInfo, which comprises the PKCS #7 structure, is:

ContentInfo ::= SEQUENCE {
	contentType ContentType,
	content [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL
}

There are 6 possible ContentTypes, data, signedData, envelopedData, signedAndEnvelopedData, digestedData, and encryptedData. Here signedData, Data, and encrypted Data are implemented, as the degenerate case of signedData without a signature is the typical format for transferring certificates and CRLS, and Data and encryptedData are used in PKCS #12 formats. The ContentType signedData has the form:

signedData ::= SEQUENCE {
	version Version,
	digestAlgorithms DigestAlgorithmIdentifiers,
	contentInfo ContentInfo,
	certificates [0] IMPLICIT ExtendedCertificatesAndCertificates OPTIONAL
	crls [1] IMPLICIT CertificateRevocationLists OPTIONAL,
	signerInfos SignerInfos
}

As of yet signerInfos and digestAlgorithms are not parsed, as they are not relevant to this system's use of PKCS #7 data. Version is an integer type, note that PKCS #7 is recursive, this second layer of ContentInfo is similar ignored for our degenerate usage. The ExtendedCertificatesAndCertificates type consists of a sequence of choices between PKCS #6 extended certificates and x509 certificates. Any sequence consisting of any number of extended certificates is not yet supported in this implementation.

The ContentType Data is simply a raw octet string and is parsed directly into a Go []byte slice.

The ContentType encryptedData is the most complicated and its form can be gathered by the go type below. It essentially contains a raw octet string of encrypted data and an algorithm identifier for use in decrypting this data.

Package revoke provides functionality for checking the validity of a cert. Specifically, the temporal validity of the certificate is checked first, then any CRL and OCSP url in the cert is checked.

Index

Constants

View Source
const (
	BundleExpiringBit      int = 1 << iota // 0x01
	BundleNotUbiquitousBit                 // 0x02
)

Warning code for a success

View Source
const (
	// PrecertSubmissionFailed occurs when submitting a precertificate to
	// a log server fails
	PrecertSubmissionFailed = 100 * (iota + 1)
	// CTClientConstructionFailed occurs when the construction of a new
	// github.com/google/certificate-transparency client fails.
	CTClientConstructionFailed
	// PrecertMissingPoison occurs when a precert is passed to SignFromPrecert
	// and is missing the CT poison extension.
	PrecertMissingPoison
	// PrecertInvalidPoison occurs when a precert is passed to SignFromPrecert
	// and has a invalid CT poison extension value or the extension is not
	// critical.
	PrecertInvalidPoison
)

Certificate transparency related errors specified with CTError

View Source
const (
	// InsertionFailed occurs when a SQL insert query failes to complete.
	InsertionFailed = 100 * (iota + 1)
	// RecordNotFound occurs when a SQL query targeting on one unique
	// record failes to update the specified row in the table.
	RecordNotFound
)

Certificate persistence related errors specified with CertStoreError

View Source
const (
	ObjIDData          = "1.2.840.113549.1.7.1"
	ObjIDSignedData    = "1.2.840.113549.1.7.2"
	ObjIDEncryptedData = "1.2.840.113549.1.7.6"
)

Object identifier strings of the three implemented PKCS7 types.

Variables

View Source
var CRLSet = map[string]*pkix.CertificateList{}

CRLSet associates a PKIX certificate list with the URL the CRL is fetched from.

View Source
var HTTPClient = http.DefaultClient

HTTPClient is an instance of http.Client that will be used for all HTTP requests.

View Source
var HardFail = false

HardFail determines whether the failure to check the revocation status of a certificate (i.e. due to network failure) causes verification to fail (a hard failure).

Functions

func ParseCertificatePEM

func ParseCertificatePEM(certPEM []byte) (*x509.Certificate, error)

ParseCertificatePEM parses and returns a PEM-encoded certificate, can handle PEM encoded PKCS #7 structures.

func ParseOneCertificateFromPEM

func ParseOneCertificateFromPEM(certsPEM []byte) ([]*x509.Certificate, []byte, error)

ParseOneCertificateFromPEM attempts to parse one PEM encoded certificate object, either a raw x509 certificate or a PKCS #7 structure possibly containing multiple certificates, from the top of certsPEM, which itself may contain multiple PEM encoded certificate objects.

func SetCRLFetcher

func SetCRLFetcher(fn func(io.Reader) ([]byte, error))

SetCRLFetcher sets the function to use to read from the http response body

func SetOCSPFetcher

func SetOCSPFetcher(fn func(io.Reader) ([]byte, error))

SetOCSPFetcher sets the function to use to read from the http response body

func SetRemoteFetcher

func SetRemoteFetcher(fn func(io.Reader) ([]byte, error))

SetRemoteFetcher sets the function to use to read from the http response body

func VerifyCertificate

func VerifyCertificate(cert *x509.Certificate) (revoked, ok bool)

VerifyCertificate ensures that the certificate passed in hasn't expired and checks the CRL for the server.

func VerifyCertificateError

func VerifyCertificateError(cert *x509.Certificate) (revoked, ok bool, err error)

VerifyCertificateError ensures that the certificate passed in hasn't expired and checks the CRL for the server.

Types

type Category

type Category int

Category is the most significant digit of the error code.

const (
	// Success indicates no error occurred.
	Success Category = 1000 * iota // 0XXX

	// CertificateError indicates a fault in a certificate.
	CertificateError // 1XXX

	// PrivateKeyError indicates a fault in a private key.
	PrivateKeyError // 2XXX

	// IntermediatesError indicates a fault in an intermediate.
	IntermediatesError // 3XXX

	// RootError indicates a fault in a root.
	RootError // 4XXX

	// PolicyError indicates an error arising from a malformed or
	// non-existent policy, or a breach of policy.
	PolicyError // 5XXX

	// DialError indicates a network fault.
	DialError // 6XXX

	// APIClientError indicates a problem with the API client.
	APIClientError // 7XXX

	// OCSPError indicates a problem with OCSP signing
	OCSPError // 8XXX

	// CSRError indicates a problem with CSR parsing
	CSRError // 9XXX

	// CTError indicates a problem with the certificate transparency process
	CTError // 10XXX

	// CertStoreError indicates a problem with the certificate store
	CertStoreError // 11XXX
)

type Content

type Content struct {
	Data          []byte
	SignedData    SignedData
	EncryptedData EncryptedData
}

Content implements three of the six possible PKCS7 data types. Only one is non-nil.

type Data

type Data struct {
	Bytes []byte
}

Data contains raw bytes. Used as a subtype in PKCS12.

type EncryptedContentInfo

type EncryptedContentInfo struct {
	Raw                        asn1.RawContent
	ContentType                asn1.ObjectIdentifier
	ContentEncryptionAlgorithm pkix.AlgorithmIdentifier
	EncryptedContent           []byte `asn1:"tag:0,optional"`
}

EncryptedContentInfo is a subtype of PKCS7EncryptedData.

type EncryptedData

type EncryptedData struct {
	Raw                  asn1.RawContent
	Version              int
	EncryptedContentInfo EncryptedContentInfo
}

EncryptedData contains encrypted data. Used as a subtype in PKCS12.

type Error

type Error struct {
	ErrorCode int    `json:"code"`
	Message   string `json:"message"`
}

Error is the error type usually returned by functions in CF SSL package. It contains a 4-digit error code where the most significant digit describes the category where the error occurred and the rest 3 digits describe the specific error reason.

func NewError

func NewError(category Category, reason Reason) *Error

the given category, reason. Currently, to avoid confusion, it is not allowed to create an error of category Success

func WrapError

func WrapError(category Category, reason Reason, err error) *Error

Wrap returns an error that contains the given error and an error code derived from the given category, reason and the error. Currently, to avoid confusion, it is not allowed to create an error of category Success

func (*Error) Error

func (e *Error) Error() string

The error interface implementation, which formats to a JSON object string.

type PKCS7

type PKCS7 struct {
	Raw         asn1.RawContent
	ContentInfo string
	Content     Content
}

PKCS7 represents the ASN1 PKCS #7 Content type. It contains one of three possible types of Content objects, as denoted by the object identifier in the ContentInfo field, the other two being nil. SignedData is the degenerate SignedData Content info without signature used to hold certificates and crls. Data is raw bytes, and EncryptedData is as defined in PKCS #7 standard.

func ParsePKCS7

func ParsePKCS7(raw []byte) (msg *PKCS7, err error)

ParsePKCS7 attempts to parse the DER encoded bytes of a PKCS7 structure.

type Reason

type Reason int

Reason is the last 3 digits of the error code.

const (
	Unknown      Reason = iota // X000
	ReadFailed                 // X001
	DecodeFailed               // X002
	ParseFailed                // X003
)

Parsing errors

const (
	// SelfSigned indicates that a certificate is self-signed and
	// cannot be used in the manner being attempted.
	SelfSigned Reason = 100 * (iota + 1) // Code 11XX

	// VerifyFailed is an X.509 verification failure. The least two
	// significant digits of 12XX is determined as the actual x509
	// error is examined.
	VerifyFailed // Code 12XX

	// BadRequest indicates that the certificate request is invalid.
	BadRequest // Code 13XX

	// MissingSerial indicates that the profile specified
	// 'ClientProvidesSerialNumbers', but the SignRequest did not include a serial
	// number.
	MissingSerial // Code 14XX
)

The following represent certificate non-parsing errors, and must be specified along with CertificateError.

const (
	// Encrypted indicates that the private key is a PKCS #8 encrypted
	// private key. At this time, CFSSL does not support decrypting
	// these keys.
	Encrypted Reason = 100 * (iota + 1) //21XX

	// NotRSAOrECC indicates that they key is not an RSA or ECC
	// private key; these are the only two private key types supported
	// at this time by CFSSL.
	NotRSAOrECC //22XX

	// KeyMismatch indicates that the private key does not match
	// the public key or certificate being presented with the key.
	KeyMismatch //23XX

	// GenerationFailed indicates that a private key could not
	// be generated.
	GenerationFailed //24XX

	// Unavailable indicates that a private key mechanism (such as
	// PKCS #11) was requested but support for that mechanism is
	// not available.
	Unavailable
)

The following represent private-key non-parsing errors, and must be specified with PrivateKeyError.

const (
	// NoKeyUsages indicates that the profile does not permit any
	// key usages for the certificate.
	NoKeyUsages Reason = 100 * (iota + 1) // 51XX

	// InvalidPolicy indicates that policy being requested is not
	// a valid policy or does not exist.
	InvalidPolicy // 52XX

	// InvalidRequest indicates a certificate request violated the
	// constraints of the policy being applied to the request.
	InvalidRequest // 53XX

	// UnknownProfile indicates that the profile does not exist.
	UnknownProfile // 54XX

	UnmatchedWhitelist // 55xx
)

The following are policy-related non-parsing errors, and must be specified along with PolicyError.

const (
	// AuthenticationFailure occurs when the client is unable
	// to obtain an authentication token for the request.
	AuthenticationFailure Reason = 100 * (iota + 1)

	// JSONError wraps an encoding/json error.
	JSONError

	// IOError wraps an io/ioutil error.
	IOError

	// ClientHTTPError wraps a net/http error.
	ClientHTTPError

	// ServerRequestFailed covers any other failures from the API
	// client.
	ServerRequestFailed
)

The following are API client related errors, and should be specified with APIClientError.

const (
	// IssuerMismatch ocurs when the certificate in the OCSP signing
	// request was not issued by the CA that this responder responds for.
	IssuerMismatch Reason = 100 * (iota + 1) // 81XX

	// InvalidStatus occurs when the OCSP signing requests includes an
	// invalid value for the certificate status.
	InvalidStatus
)

The following are OCSP related errors, and should be specified with OCSPError

const (
	None Reason = iota
)

None is a non-specified error.

type SignedData

type SignedData struct {
	Raw          asn1.RawContent
	Version      int
	Certificates []*x509.Certificate
	Crl          *pkix.CertificateList
}

SignedData defines the typical carrier of certificates and crls.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL