

crl changes from upstream
Signed-off-by: 'Stanislav Maksimov' <[email protected]>
maksimov committed Apr 16, 2024
1 parent 8c7d0bb commit eec8c0c
Showing 4 changed files with 20 additions and 14 deletions.
4 changes: 2 additions & 2 deletions .golangci.yml
@@ -1,5 +1,5 @@
run:
go: 1.18
go: 1.20
timeout: 10m
skip-dirs:
- go/vt/topo/k8stopo/client
Expand Down Expand Up @@ -157,4 +157,4 @@ issues:

# https://github.com/golangci/golangci/wiki/Configuration
service:
golangci-lint-version: 1.45.0 # use the fixed version to not introduce new linters unexpectedly
golangci-lint-version: 1.51.2 # use the fixed version to not introduce new linters unexpectedly
13 changes: 10 additions & 3 deletions go/vt/tlstest/tlstest.go
Expand Up @@ -337,12 +337,18 @@ func RevokeCertAndRegenerateCRL(root, parent, name string) {
if err != nil {
log.Fatal(err)
}
crlList, err := x509.ParseCRL(data)

block, _ := pem.Decode(data)
if block == nil || block.Type != "X509 CRL" {
log.Fatal("failed to parse CRL PEM")
}

crlList, err := x509.ParseRevocationList(block.Bytes)
if err != nil {
log.Fatal(err)
}

revoked := crlList.TBSCertList.RevokedCertificates
revoked := crlList.RevokedCertificates
revoked = append(revoked, pkix.RevokedCertificate{
SerialNumber: certificate.SerialNumber,
RevocationTime: time.Now(),
Expand All @@ -357,9 +363,10 @@ func RevokeCertAndRegenerateCRL(root, parent, name string) {
log.Fatal(err)
}

var crlNumber big.Int
newCrl, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
RevokedCertificates: revoked,
Number: big.NewInt(int64(crlList.TBSCertList.Version) + 1),
Number: crlNumber.Add(crlList.Number, big.NewInt(1)),
}, caCert, caKey.(crypto.Signer))
if err != nil {
log.Fatal(err)
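Review bot: `Number: crlNumber.Add(crlList.Number, big.NewInt(1))` dereferences `crlList.Number`, and `x509.ParseRevocationList` leaves that field nil when the parsed CRL carries no cRLNumber extension, so regeneration from such a file would panic in `big.Int.Add` rather than report a usable error. A CRL that this helper itself wrote via `CreateRevocationList` will carry the number, but a CRL produced by another tool (e.g. an OpenSSL-generated fixture) may not, so it is worth guarding like the PEM decode above it: `if crlList.Number == nil { log.Fatal("CRL has no cRLNumber extension") }` placed before the `CreateRevocationList` call. The incremented number is otherwise correct and fixes the old `Version + 1` misuse, which should not be re-suggested. RevokeCertAndRegenerateCRL starts and ends outside this hunk.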
15 changes: 7 additions & 8 deletions go/vt/vttls/crl.go
Expand Up @@ -18,7 +18,6 @@ package vttls

import (
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"fmt"
"os"
Expand All @@ -29,12 +28,12 @@ import (

type verifyPeerCertificateFunc func([][]byte, [][]*x509.Certificate) error

func certIsRevoked(cert *x509.Certificate, crl *pkix.CertificateList) bool {
if crl.HasExpired(time.Now()) {
func certIsRevoked(cert *x509.Certificate, crl *x509.RevocationList) bool {
if !time.Now().Before(crl.NextUpdate) {
log.Warningf("The current Certificate Revocation List (CRL) is past expiry date and must be updated. Revoked certificates will still be rejected in this state.")
}

for _, revoked := range crl.TBSCertList.RevokedCertificates {
for _, revoked := range crl.RevokedCertificates {
if cert.SerialNumber.Cmp(revoked.SerialNumber) == 0 {
return true
}
Expand All @@ -54,7 +53,7 @@ func verifyPeerCertificateAgainstCRL(crl string) (verifyPeerCertificateFunc, err
cert := chain[i]
issuerCert := chain[i+1]
for _, crl := range crlSet {
if issuerCert.CheckCRLSignature(crl) == nil {
if crl.CheckSignatureFrom(issuerCert) == nil {
if certIsRevoked(cert, crl) {
return fmt.Errorf("Certificate revoked: CommonName=%v", cert.Subject.CommonName)
}
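Review bot: `if crl.CheckSignatureFrom(issuerCert) == nil {` discards the error, and unlike the old `Certificate.CheckCRLSignature`, which only verified the signature, `RevocationList.CheckSignatureFrom` also rejects an issuer whose certificate is not marked as a CA or whose KeyUsage is set without `KeyUsageCRLSign`; a CRL that fails for one of those reasons is now skipped without any trace, and the peer certificate passes the revocation check as if no CRL applied, which is a silent fail-open introduced by this API migration. At minimum the reason should be visible to an operator: `if err := crl.CheckSignatureFrom(issuerCert); err != nil { log.Warningf("skipping CRL for issuer %q: %v", issuerCert.Subject.CommonName, err); continue }` followed by the unnested `if certIsRevoked(cert, crl) { ... }`; whether an unverifiable CRL should instead fail the handshake is a policy decision worth a comment on the loop either way. verifyPeerCertificateAgainstCRL and the closure it returns start and end outside this hunk.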
Expand All @@ -66,13 +65,13 @@ func verifyPeerCertificateAgainstCRL(crl string) (verifyPeerCertificateFunc, err
}, nil
}

func loadCRLSet(crl string) ([]*pkix.CertificateList, error) {
func loadCRLSet(crl string) ([]*x509.RevocationList, error) {
body, err := os.ReadFile(crl)
if err != nil {
return nil, err
}

crlSet := make([]*pkix.CertificateList, 0)
crlSet := make([]*x509.RevocationList, 0)
for len(body) > 0 {
var block *pem.Block
block, body = pem.Decode(body)
Expand All @@ -83,7 +82,7 @@ func loadCRLSet(crl string) ([]*pkix.CertificateList, error) {
continue
}

parsedCRL, err := x509.ParseCRL(block.Bytes)
parsedCRL, err := x509.ParseRevocationList(block.Bytes)
if err != nil {
return nil, err
}
2 changes: 1 addition & 1 deletion misc/git/hooks/golangci-lint
Expand Up @@ -16,7 +16,7 @@
GOLANGCI_LINT=$(command -v golangci-lint >/dev/null 2>&1)
if [ $? -eq 1 ]; then
echo "Downloading golangci-lint..."
go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.45.2
go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.51.2
fi

gofiles=$(git diff --cached --name-only --diff-filter=ACM | grep '^go/.*\.go$')
