Documentation

Overview

    Package certchecker contains implementation of CertChecker.

    CertChecker knows how to check certificate signatures and revocation status.

    Uses datastore entities managed by 'certconfig' package.

    Index

    Constants

    View Source
    const (
    	// RefetchCAPeriod is how often to check CA entity in the datastore.
    	//
    	// A big value here is acceptable, since CA is changing only when service
    	// config is changing (which happens infrequently).
    	RefetchCAPeriod = 5 * time.Minute
    
    	// RefetchCRLPeriod is how often to check CRL entities in the datastore.
    	//
    	// CRL changes pretty frequently, caching it for too long is harmful
    	// (increases delay between a cert is revoked by CA and no longer accepted by
    	// the token server).
    	RefetchCRLPeriod = 15 * time.Second
    )

    Variables

    This section is empty.

    Functions

    func CheckCertificate

    func CheckCertificate(c context.Context, cert *x509.Certificate) (*certconfig.CA, error)

      CheckCertificate checks validity of a given certificate.

      It looks at the cert issuer, loads corresponding CertChecker and calls its CheckCertificate method. See CertChecker.CheckCertificate documentation for explanation of return values.

      func IsCertInvalidError

      func IsCertInvalidError(err error) bool

        IsCertInvalidError returns true for errors from CheckCertificate that indicate revoked or expired or otherwise invalid certificates.

        Such errors can be safely cast to Error.

        func NewError

        func NewError(e error, reason ErrorReason) error

          NewError instantiates Error.

          It is needed because initializing 'error' field on Error is not allowed outside of this package (it is lowercase - "unexported").

          Types

          type CertChecker

          type CertChecker struct {
          	CN  string                 // Common Name of the CA
          	CRL *certconfig.CRLChecker // knows how to query certificate revocation list
          	// contains filtered or unexported fields
          }

            CertChecker knows how to check certificate signatures and revocation status.

            It is associated with single CA and assumes all certs needing a check are signed by that CA directly (i.e. there is no intermediate CAs).

            It caches CRL lists internally and must be treated as a heavy global object. Use GetCertChecker to grab a global instance of CertChecker for some CA.

            CertChecker is safe for concurrent use.

            func GetCertChecker

            func GetCertChecker(c context.Context, cn string) (*CertChecker, error)

              GetCertChecker returns an instance of CertChecker for given CA.

              It caches CertChecker objects in local memory and reuses them between requests.

              func (*CertChecker) CheckCertificate

              func (ch *CertChecker) CheckCertificate(c context.Context, cert *x509.Certificate) (*certconfig.CA, error)

                CheckCertificate checks certificate's signature, validity period and revocation status.

                It returns nil error iff cert was directly signed by the CA, not expired yet, and its serial number is not in the CA's CRL.

                On success also returns *certconfig.CA instance used to check the certificate, since 'GetCA' may return another instance (in case certconfig.CA cache happened to expire between the calls).

                func (*CertChecker) GetCA

                func (ch *CertChecker) GetCA(c context.Context) (*certconfig.CA, error)

                  GetCA returns CA entity with ParsedConfig and ParsedCert fields set.

                  type CheckCertificateRPC

                  type CheckCertificateRPC struct {
                  }

                    CheckCertificateRPC implements CertificateAuthorities.CheckCertificate RPC method.

                    func (*CheckCertificateRPC) CheckCertificate

                    func (r *CheckCertificateRPC) CheckCertificate(c context.Context, req *admin.CheckCertificateRequest) (*admin.CheckCertificateResponse, error)

                      CheckCertificate says whether a certificate is valid or not.

                      type Error

                      type Error struct {
                      	Reason ErrorReason // enumeration that can be used in switches
                      	// contains filtered or unexported fields
                      }

                        Error is returned by CertChecker methods in case the certificate is invalid.

                        Datastore errors and not wrapped in Error, but returned as is. You may use type cast to Error to distinguish certificate related errors from other kinds of errors.

                        type ErrorReason

                        type ErrorReason int

                          ErrorReason is part of Error struct.

                          const (
                          	// NoSuchCA is returned by GetCertChecker or GetCA if requested CA is not
                          	// defined in the config.
                          	NoSuchCA ErrorReason = iota
                          
                          	// UnknownCA is returned by CheckCertificate if the cert was signed by an
                          	// unexpected CA (i.e. a CA CertChecker is not configured with).
                          	UnknownCA
                          
                          	// NotReadyCA is returned by CheckCertificate if the CA's CRL hasn't been
                          	// fetched yet (and thus CheckCertificate can't verify certificate's
                          	// revocation status).
                          	NotReadyCA
                          
                          	// CertificateExpired is returned by CheckCertificate if the cert has
                          	// expired already or not yet active.
                          	CertificateExpired
                          
                          	// SignatureCheckError is returned by CheckCertificate if the certificate
                          	// signature is not valid.
                          	SignatureCheckError
                          
                          	// CertificateRevoked is returned by CheckCertificate if the certificate is
                          	// in the CA's Certificate Revocation List.
                          	CertificateRevoked
                          )

                          type IsRevokedCertRPC

                          type IsRevokedCertRPC struct {
                          }

                            IsRevokedCertRPC implements CertificateAuthorities.IsRevokedCert RPC method.

                            func (*IsRevokedCertRPC) IsRevokedCert

                            func (r *IsRevokedCertRPC) IsRevokedCert(c context.Context, req *admin.IsRevokedCertRequest) (*admin.IsRevokedCertResponse, error)

                              IsRevokedCert says whether a certificate serial number is in the CRL.