Rename pki.Validate to pki.CheckCRL for clarity on its purpose (#3586)
gerardsn authored Dec 5, 2024
1 parent 4219e78 commit f8410bc
Showing 8 changed files with 32 additions and 32 deletions.
2 changes: 1 addition & 1 deletion network/network.go
Expand Up @@ -128,7 +128,7 @@ func (n *Network) checkNodeTLSHealth() core.Health {
}
}
// check if the configured certificate is revoked / denied.
err = n.pkiValidator.Validate([]*x509.Certificate{n.certificate.Leaf})
err = n.pkiValidator.CheckCRL([]*x509.Certificate{n.certificate.Leaf})
if err != nil {
return core.Health{
Status: core.HealthStatusDown,
2 changes: 1 addition & 1 deletion network/transport/grpc/connection_manager.go
Expand Up @@ -571,7 +571,7 @@ func (s *grpcConnectionManager) revalidatePeers() {
conn.disconnect()
return
}
err = s.config.pkiValidator.Validate([]*x509.Certificate{peerCert})
err = s.config.pkiValidator.CheckCRL([]*x509.Certificate{peerCert})
if err != nil {
log.Logger().WithError(err).WithFields(conn.Peer().ToFields()).Warn("Disconnected peer")
conn.disconnect()
2 changes: 1 addition & 1 deletion network/transport/grpc/tls_offloading.go
Expand Up @@ -60,7 +60,7 @@ func (t *tlsOffloadingAuthenticator) intercept(srv interface{}, serverStream grp
}

// Validate revocation/deny list status
if err = t.pkiValidator.Validate(certificates); err != nil {
if err = t.pkiValidator.CheckCRL(certificates); err != nil {
log.Logger().
WithError(err).
Warnf("Validation of offloaded TLS certificate failed")
16 changes: 8 additions & 8 deletions pki/interface.go
Expand Up @@ -58,28 +58,28 @@ type Denylist interface {
}

type Validator interface {
// Validate returns an error if any of the certificates in the chain has been revoked, or if the request cannot be processed.
// CheckCRL returns an error if any of the certificates in the chain has been revoked, or if the request cannot be processed.
// ErrCertRevoked and ErrCertUntrusted indicate that at least one of the certificates is revoked, or signed by a CA that is not in the truststore.
// ErrCRLMissing and ErrCRLExpired signal that at least one of the certificates cannot be validated reliably.
// If the certificate was revoked on an expired CRL, it wil return ErrCertRevoked.
// Validate uses the configured soft-/hard-fail strategy
// CheckCRL uses the configured soft-/hard-fail strategy
// If set to soft-fail it ignores ErrCRLMissing and ErrCRLExpired errors.
// The certificate chain is expected to be sorted leaf to root.
Validate(chain []*x509.Certificate) error
CheckCRL(chain []*x509.Certificate) error

// ValidateStrict does the same as Validate, except it always uses the hard-fail strategy.
ValidateStrict(chain []*x509.Certificate) error
// CheckCRLStrict does the same as CheckCRL, except it always uses the hard-fail strategy.
CheckCRLStrict(chain []*x509.Certificate) error

// SetVerifyPeerCertificateFunc sets config.ValidatePeerCertificate to use Validate.
// SetVerifyPeerCertificateFunc sets config.ValidatePeerCertificate to use CheckCRL.
SetVerifyPeerCertificateFunc(config *tls.Config) error

// AddTruststore adds all CAs to the truststore for validation of CRL signatures. It also adds all CRL Distribution Endpoints found in the chain.
// CRL Distribution Points encountered during operation, such as on end user certificates, are only added to the monitored CRLs if their issuer is in the truststore.
// CRL Distribution Points encountered at runtime, such as on end user certificates when calling CheckCRL, are only added to the monitored CRLs if their issuer is in the truststore.
// This fails if any of the issuers mentioned in the chain is not also in the chain or already in the truststore
AddTruststore(chain []*x509.Certificate) error

// SubscribeDenied registers a callback that is triggered everytime the denylist is updated.
// This can be used to revalidate all certificates on long-lasting connections by calling Validate on them again.
// This can be used to revalidate all certificates on long-lasting connections by calling CheckCRL on them again.
SubscribeDenied(f func())
}

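Review bot: The rewritten doc comment on CheckCRL (line starting `// CheckCRL returns an error if any of the certificates in the chain has been revoked`) describes only CRL revocation, yet the same interface says the denylist is part of the picture: `SubscribeDenied` is documented as the hook to "revalidate all certificates ... by calling CheckCRL on them again", the hunk header shows a `Denylist` interface just above, and the call sites in network.go and tls_offloading.go comment the call as "revoked / denied" and "revocation/deny list status". If CheckCRL does consult the denylist (it appears to, but the implementation body is outside these hunks), the narrower name now undersells what a failure means, and the first doc line should say so, e.g. `// CheckCRL returns an error if any of the certificates in the chain has been revoked (via CRL or the configured denylist), or if the request cannot be processed.`. While this comment is being touched, `// CheckCRL uses the configured soft-/hard-fail strategy` is missing its terminating period and the unchanged line above it still reads `it wil return` rather than `it will return`.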
24 changes: 12 additions & 12 deletions pki/mock.go


12 changes: 6 additions & 6 deletions pki/validator.go
Expand Up @@ -127,15 +127,15 @@ func (v *validator) syncLoop(ctx context.Context) {
}
}

func (v *validator) Validate(chain []*x509.Certificate) error {
return v.validate(chain, v.softfail)
func (v *validator) CheckCRL(chain []*x509.Certificate) error {
return v.checkCRL(chain, v.softfail)
}

func (v *validator) ValidateStrict(chain []*x509.Certificate) error {
return v.validate(chain, false)
func (v *validator) CheckCRLStrict(chain []*x509.Certificate) error {
return v.checkCRL(chain, false)
}

func (v *validator) validate(chain []*x509.Certificate, softfail bool) error {
func (v *validator) checkCRL(chain []*x509.Certificate, softfail bool) error {
var cert *x509.Certificate
var err error
for i := range chain {
Expand All @@ -159,7 +159,7 @@ func (v *validator) SetVerifyPeerCertificateFunc(config *tls.Config) error {
// rawCerts contain all certificates provided by the peer, in our case only the leaf cert, while verifiedChains is guaranteed to include the CA's.
// rawCerts are ignored since we would only be checking revocation status on a cert whose issuer is not in the truststore. failure mode is then determined by v.softfail.
for _, chain := range verifiedChains {
if err := v.Validate(chain); err != nil {
if err := v.CheckCRL(chain); err != nil {
return &tls.CertificateVerificationError{
UnverifiedCertificates: chain,
Err: err,
4 changes: 2 additions & 2 deletions pki/validator_test.go
Expand Up @@ -103,7 +103,7 @@ func TestValidator_Validate(t *testing.T) {
testSoftHard := func(t *testing.T, val *validator, cert *x509.Certificate, softfailReturn error, hardfailReturn error) {
fn := func(softbool bool, expected error) {
val.softfail = softbool
err = val.Validate([]*x509.Certificate{cert})
err = val.CheckCRL([]*x509.Certificate{cert})
if expected == nil {
assert.NoError(t, err)
} else {
Expand All @@ -112,7 +112,7 @@ func TestValidator_Validate(t *testing.T) {
}
fnStrict := func(expected error) {
val.softfail = true // make sure it ignores the configured value
err = val.ValidateStrict([]*x509.Certificate{cert})
err = val.CheckCRLStrict([]*x509.Certificate{cert})
if expected == nil {
assert.NoError(t, err)
} else {
2 changes: 1 addition & 1 deletion vdr/didx509/resolver.go
Expand Up @@ -120,7 +120,7 @@ func (r Resolver) Resolve(id did.DID, metadata *resolver.ResolveMetadata) (*did.
return nil, nil, err
}

err = r.pkiValidator.ValidateStrict(chain)
err = r.pkiValidator.CheckCRLStrict(chain)
if err != nil {
return nil, nil, err
}
