143 lines
4.3 KiB
Go
143 lines
4.3 KiB
Go
/*
|
|
Copyright IBM Corp. All Rights Reserved.
|
|
|
|
SPDX-License-Identifier: Apache-2.0
|
|
*/
|
|
|
|
package crypto
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/x509"
|
|
"encoding/pem"
|
|
"time"
|
|
|
|
"github.com/golang/protobuf/proto"
|
|
"github.com/hyperledger/fabric-protos-go/msp"
|
|
"github.com/pkg/errors"
|
|
)
|
|
|
|
// ExpiresAt returns when the given identity expires, or a zero time.Time
|
|
// in case we cannot determine that
|
|
func ExpiresAt(identityBytes []byte) time.Time {
|
|
sId := &msp.SerializedIdentity{}
|
|
// If protobuf parsing failed, we make no decisions about the expiration time
|
|
if err := proto.Unmarshal(identityBytes, sId); err != nil {
|
|
return time.Time{}
|
|
}
|
|
return certExpirationTime(sId.IdBytes)
|
|
}
|
|
|
|
func certExpirationTime(pemBytes []byte) time.Time {
|
|
bl, _ := pem.Decode(pemBytes)
|
|
if bl == nil {
|
|
// If the identity isn't a PEM block, we make no decisions about the expiration time
|
|
return time.Time{}
|
|
}
|
|
cert, err := x509.ParseCertificate(bl.Bytes)
|
|
if err != nil {
|
|
return time.Time{}
|
|
}
|
|
return cert.NotAfter
|
|
}
|
|
|
|
// MessageFunc notifies a message happened with the given format, and can be replaced with Warnf or Infof of a logger.
|
|
type MessageFunc func(format string, args ...interface{})
|
|
|
|
// Scheduler invokes f after d time, and can be replaced with time.AfterFunc.
|
|
type Scheduler func(d time.Duration, f func()) *time.Timer
|
|
|
|
// TrackExpiration warns a week before one of the certificates expires
|
|
func TrackExpiration(tls bool, serverCert []byte, clientCertChain [][]byte, sIDBytes []byte, info MessageFunc, warn MessageFunc, now time.Time, s Scheduler) {
|
|
sID := &msp.SerializedIdentity{}
|
|
if err := proto.Unmarshal(sIDBytes, sID); err != nil {
|
|
return
|
|
}
|
|
|
|
trackCertExpiration(sID.IdBytes, "enrollment", info, warn, now, s)
|
|
|
|
if !tls {
|
|
return
|
|
}
|
|
|
|
trackCertExpiration(serverCert, "server TLS", info, warn, now, s)
|
|
|
|
if len(clientCertChain) == 0 || len(clientCertChain[0]) == 0 {
|
|
return
|
|
}
|
|
|
|
trackCertExpiration(clientCertChain[0], "client TLS", info, warn, now, s)
|
|
}
|
|
|
|
func trackCertExpiration(rawCert []byte, certRole string, info MessageFunc, warn MessageFunc, now time.Time, sched Scheduler) {
|
|
expirationTime := certExpirationTime(rawCert)
|
|
if expirationTime.IsZero() {
|
|
// If the certificate expiration time cannot be classified, return.
|
|
return
|
|
}
|
|
|
|
timeLeftUntilExpiration := expirationTime.Sub(now)
|
|
oneWeek := time.Hour * 24 * 7
|
|
|
|
if timeLeftUntilExpiration < 0 {
|
|
warn("The %s certificate has expired", certRole)
|
|
return
|
|
}
|
|
|
|
info("The %s certificate will expire on %s", certRole, expirationTime)
|
|
|
|
if timeLeftUntilExpiration < oneWeek {
|
|
days := timeLeftUntilExpiration / (time.Hour * 24)
|
|
hours := (timeLeftUntilExpiration - (days * time.Hour * 24)) / time.Hour
|
|
warn("The %s certificate expires within %d days and %d hours", certRole, days, hours)
|
|
return
|
|
}
|
|
|
|
timeLeftUntilOneWeekBeforeExpiration := timeLeftUntilExpiration - oneWeek
|
|
|
|
sched(timeLeftUntilOneWeekBeforeExpiration, func() {
|
|
warn("The %s certificate will expire within one week", certRole)
|
|
})
|
|
}
|
|
|
|
// ErrPubKeyMismatch is used by CertificatesWithSamePublicKey to indicate the two public keys mismatch
|
|
var ErrPubKeyMismatch = errors.New("public keys do not match")
|
|
|
|
// LogNonPubKeyMismatchErr logs an error which is not an ErrPubKeyMismatch error
|
|
func LogNonPubKeyMismatchErr(log func(template string, args ...interface{}), err error, cert1DER, cert2DER []byte) {
|
|
cert1PEM := &pem.Block{Type: "CERTIFICATE", Bytes: cert1DER}
|
|
cert2PEM := &pem.Block{Type: "CERTIFICATE", Bytes: cert2DER}
|
|
log("Failed determining if public key of %s matches public key of %s: %s",
|
|
string(pem.EncodeToMemory(cert1PEM)),
|
|
string(pem.EncodeToMemory(cert2PEM)),
|
|
err)
|
|
}
|
|
|
|
// CertificatesWithSamePublicKey returns nil if both byte slices
|
|
// are valid DER encoding of certificates with the same public key.
|
|
func CertificatesWithSamePublicKey(der1, der2 []byte) error {
|
|
cert1canonized, err := publicKeyFromCertificate(der1)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
cert2canonized, err := publicKeyFromCertificate(der2)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if bytes.Equal(cert1canonized, cert2canonized) {
|
|
return nil
|
|
}
|
|
return ErrPubKeyMismatch
|
|
}
|
|
|
|
// publicKeyFromCertificate returns the public key of the given ASN1 DER certificate.
|
|
func publicKeyFromCertificate(der []byte) ([]byte, error) {
|
|
cert, err := x509.ParseCertificate(der)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return x509.MarshalPKIXPublicKey(cert.PublicKey)
|
|
}
|