luci: go.chromium.org/luci/tokenserver/appengine/impl/certchecker Index | Files

package certchecker

import "go.chromium.org/luci/tokenserver/appengine/impl/certchecker"

Package certchecker contains implementation of CertChecker.

CertChecker knows how to check certificate signatures and revocation status.

Uses datastore entities managed by 'certconfig' package.

Index

Package Files

certchecker.go rpc_check_certificate.go rpc_is_revoked_cert.go warmup.go

Constants

const (
    // RefetchCAPeriod is how often to check CA entity in the datastore.
    //
    // A big value here is acceptable, since CA is changing only when service
    // config is changing (which happens infrequently).
    RefetchCAPeriod = 5 * time.Minute

    // RefetchCRLPeriod is how often to check CRL entities in the datastore.
    //
    // CRL changes pretty frequently, caching it for too long is harmful
    // (increases delay between a cert is revoked by CA and no longer accepted by
    // the token server).
    RefetchCRLPeriod = 15 * time.Second
)

func CheckCertificate Uses

func CheckCertificate(c context.Context, cert *x509.Certificate) (*certconfig.CA, error)

CheckCertificate checks validity of a given certificate.

It looks at the cert issuer, loads corresponding CertChecker and calls its CheckCertificate method. See CertChecker.CheckCertificate documentation for explanation of return values.

func IsCertInvalidError Uses

func IsCertInvalidError(err error) bool

IsCertInvalidError returns true for errors from CheckCertificate that indicate revoked or expired or otherwise invalid certificates.

Such errors can be safely cast to Error.

func NewError Uses

func NewError(e error, reason ErrorReason) error

NewError instantiates Error.

It is needed because initializing 'error' field on Error is not allowed outside of this package (it is lowercase - "unexported").

type CertChecker Uses

type CertChecker struct {
    CN  string                 // Common Name of the CA
    CRL *certconfig.CRLChecker // knows how to query certificate revocation list
    // contains filtered or unexported fields
}

CertChecker knows how to check certificate signatures and revocation status.

It is associated with single CA and assumes all certs needing a check are signed by that CA directly (i.e. there is no intermediate CAs).

It caches CRL lists internally and must be treated as a heavy global object. Use GetCertChecker to grab a global instance of CertChecker for some CA.

CertChecker is safe for concurrent use.

func GetCertChecker Uses

func GetCertChecker(c context.Context, cn string) (*CertChecker, error)

GetCertChecker returns an instance of CertChecker for given CA.

It caches CertChecker objects in local memory and reuses them between requests.

func (*CertChecker) CheckCertificate Uses

func (ch *CertChecker) CheckCertificate(c context.Context, cert *x509.Certificate) (*certconfig.CA, error)

CheckCertificate checks certificate's signature, validity period and revocation status.

It returns nil error iff cert was directly signed by the CA, not expired yet, and its serial number is not in the CA's CRL.

On success also returns *certconfig.CA instance used to check the certificate, since 'GetCA' may return another instance (in case certconfig.CA cache happened to expire between the calls).

func (*CertChecker) GetCA Uses

func (ch *CertChecker) GetCA(c context.Context) (*certconfig.CA, error)

GetCA returns CA entity with ParsedConfig and ParsedCert fields set.

type CheckCertificateRPC Uses

type CheckCertificateRPC struct {
}

CheckCertificateRPC implements CertificateAuthorities.CheckCertificate RPC method.

func (*CheckCertificateRPC) CheckCertificate Uses

func (r *CheckCertificateRPC) CheckCertificate(c context.Context, req *admin.CheckCertificateRequest) (*admin.CheckCertificateResponse, error)

CheckCertificate says whether a certificate is valid or not.

type Error Uses

type Error struct {
    Reason ErrorReason // enumeration that can be used in switches
    // contains filtered or unexported fields
}

Error is returned by CertChecker methods in case the certificate is invalid.

Datastore errors and not wrapped in Error, but returned as is. You may use type cast to Error to distinguish certificate related errors from other kinds of errors.

type ErrorReason Uses

type ErrorReason int

ErrorReason is part of Error struct.

const (
    // NoSuchCA is returned by GetCertChecker or GetCA if requested CA is not
    // defined in the config.
    NoSuchCA ErrorReason = iota

    // UnknownCA is returned by CheckCertificate if the cert was signed by an
    // unexpected CA (i.e. a CA CertChecker is not configured with).
    UnknownCA

    // NotReadyCA is returned by CheckCertificate if the CA's CRL hasn't been
    // fetched yet (and thus CheckCertificate can't verify certificate's
    // revocation status).
    NotReadyCA

    // CertificateExpired is returned by CheckCertificate if the cert has
    // expired already or not yet active.
    CertificateExpired

    // SignatureCheckError is returned by CheckCertificate if the certificate
    // signature is not valid.
    SignatureCheckError

    // CertificateRevoked is returned by CheckCertificate if the certificate is
    // in the CA's Certificate Revocation List.
    CertificateRevoked
)

type IsRevokedCertRPC Uses

type IsRevokedCertRPC struct {
}

IsRevokedCertRPC implements CertificateAuthorities.IsRevokedCert RPC method.

func (*IsRevokedCertRPC) IsRevokedCert Uses

func (r *IsRevokedCertRPC) IsRevokedCert(c context.Context, req *admin.IsRevokedCertRequest) (*admin.IsRevokedCertResponse, error)

IsRevokedCert says whether a certificate serial number is in the CRL.

Package certchecker imports 19 packages (graph) and is imported by 6 packages. Updated 2018-08-15. Refresh now. Tools for package owners.