Use RootCAs or ClientCAs as appropriate

ansible · Jan 12, 2021 · ca33ade · ca33ade
1 parent 0999510
commit ca33ade
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 8 deletions.
diff --git a/pkg/netceptor/conn.go b/pkg/netceptor/conn.go
@@ -61,7 +61,7 @@ func (s *Netceptor) listen(ctx context.Context, service string, tlscfg *tls.Conf
 		if tlscfg.ClientAuth == tls.RequireAndVerifyClientCert {
 			tlscfg.GetConfigForClient = func(hi *tls.ClientHelloInfo) (*tls.Config, error) {
 				remoteNode := strings.Split(hi.Conn.RemoteAddr().String(), ":")[0]
-				tlscfg.VerifyPeerCertificate = s.receptorVerifyFunc(tlscfg, remoteNode, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
+				tlscfg.VerifyPeerCertificate = s.receptorVerifyFunc(tlscfg, remoteNode, VerifyClient)
 				return tlscfg, nil
 			}
 		}

diff --git a/pkg/netceptor/netceptor.go b/pkg/netceptor/netceptor.go
@@ -758,35 +758,57 @@ func (rce ReceptorCertNameError) Error() string {
 		plural, strings.Join(rce.ValidNodes, ", "), rce.ExpectedNode)
 }
 
+const (
+	// VerifyServer indicates we are the client, verifying a server
+	VerifyServer = 1
+	// VerifyClient indicates we are the server, verifying a client
+	VerifyClient = 2
+)
+
 // receptorVerifyFunc generates a function that verifies a Receptor node ID
 func (s *Netceptor) receptorVerifyFunc(tlscfg *tls.Config, expectedNodeID string,
-	allowedUsages []x509.ExtKeyUsage) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+	VerifyType int) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
 	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
 		certs := make([]*x509.Certificate, len(rawCerts))
 		for i, asn1Data := range rawCerts {
 			cert, err := x509.ParseCertificate(asn1Data)
 			if err != nil {
+				logger.Error("RVF failed to parse: %s", err)
 				return fmt.Errorf("failed to parse certificate from server: " + err.Error())
 			}
 			certs[i] = cert
 		}
-		opts := x509.VerifyOptions{
-			Intermediates: x509.NewCertPool(),
-			Roots:         tlscfg.RootCAs,
-			CurrentTime:   time.Now(),
-			KeyUsages:     allowedUsages,
+		var opts x509.VerifyOptions
+		if VerifyType == VerifyServer {
+			opts = x509.VerifyOptions{
+				Intermediates: x509.NewCertPool(),
+				Roots:         tlscfg.RootCAs,
+				CurrentTime:   time.Now(),
+				KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+			}
+		} else if VerifyType == VerifyClient {
+			opts = x509.VerifyOptions{
+				Intermediates: x509.NewCertPool(),
+				Roots:         tlscfg.ClientCAs,
+				CurrentTime:   time.Now(),
+				KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+			}
+		} else {
+			return fmt.Errorf("invalid verification type: must be client or server")
 		}
 		for _, cert := range certs[1:] {
 			opts.Intermediates.AddCert(cert)
 		}
 		var err error
 		verifiedChains, err = certs[0].Verify(opts)
 		if err != nil {
+			logger.Error("RVF failed verify: %s\nRootCAs: %v\nServerName: %s", err, tlscfg.RootCAs, tlscfg.ServerName)
 			return err
 		}
 		var receptorNames []string
 		receptorNames, err = utils.ReceptorNames(certs[0].Extensions)
 		if err != nil {
+			logger.Error("RVF failed to get ReceptorNames: %s", err)
 			return err
 		}
 		found := false
@@ -797,6 +819,7 @@ func (s *Netceptor) receptorVerifyFunc(tlscfg *tls.Config, expectedNodeID string
 			}
 		}
 		if !found {
+			logger.Error("RVF ReceptorNameError: %s", err)
 			return ReceptorCertNameError{ValidNodes: receptorNames, ExpectedNode: expectedNodeID}
 		}
 		return nil
@@ -818,7 +841,7 @@ func (s *Netceptor) GetClientTLSConfig(name string, expectedHostName string, exp
 		// noop
 	} else if expectedHostNameType == "receptor" {
 		tlscfg.InsecureSkipVerify = true
-		tlscfg.VerifyPeerCertificate = s.receptorVerifyFunc(tlscfg, expectedHostName, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
+		tlscfg.VerifyPeerCertificate = s.receptorVerifyFunc(tlscfg, expectedHostName, VerifyServer)
 	} else {
 		tlscfg.ServerName = expectedHostName
 	}