fixup! Verification by CRL
Danielius1922 committed Oct 30, 2024
1 parent 86a26a3 commit 333363e
Showing 6 changed files with 10 additions and 15 deletions.
7 changes: 3 additions & 4 deletions certificate-authority/service/grpc/signer.go
Expand Up @@ -5,7 +5,7 @@ import (
"crypto/ecdsa"
"crypto/x509"
"errors"
"path"
"strings"
"time"

"github.com/google/uuid"
Expand Down Expand Up @@ -181,9 +181,8 @@ func (s *Signer) sign(ctx context.Context, isIdentityCertificate bool, csr []byt
}),
}
if s.IsCRLEnabled() {
opts = append(opts, certificateSigner.WithCRLDistributionPoints(
[]string{path.Join(s.crl.serverAddress, uri.SigningRevocationListBase, s.issuerID)},
))
dp := []string{s.crl.serverAddress, uri.SigningRevocationListBase, s.issuerID}
opts = append(opts, certificateSigner.WithCRLDistributionPoints([]string{strings.Join(dp, "/")}))
}
signer, err := s.newCertificateSigner(isIdentityCertificate, opts...)
if err != nil {
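Review bot: `strings.Join(dp, "/")` on the new distribution-point line does not normalize the separator between its parts, so if `s.crl.serverAddress` ends with `/` or `uri.SigningRevocationListBase` begins with one, the URL written into every issued certificate contains `//`; whether that happens depends on how those values are defined outside this hunk. `path.Join` was presumably dropped because its Clean step collapses the `//` after the scheme, and `net/url.JoinPath` avoids both problems: `cdp, err := url.JoinPath(s.crl.serverAddress, uri.SigningRevocationListBase, s.issuerID)`, returning the error the same way the surrounding code does for `newCertificateSigner`, then `certificateSigner.WithCRLDistributionPoints([]string{cdp})`; the import hunk above would then swap `strings` for `net/url`. Relying parties fetch exactly this string, so a malformed CDP makes every CRL check on certificates from this signer fail closed, which argues for a unit test asserting the produced URL. `sign` starts and ends outside the hunk.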
2 changes: 1 addition & 1 deletion coap-gateway/service/auth.go
Expand Up @@ -128,7 +128,7 @@ func verifyChain(ctx context.Context, chain []*x509.Certificate, capool *x509.Ce

if len(certificate.CRLDistributionPoints) > 0 {
if verifyByCRL == nil {
return errors.New("failed to check certificate validity by CRL")
return errors.New("cannot verify certificate validity by CRL: verification function not provided")
}
if err = verifyByCRL(ctx, certificate, certificate.CRLDistributionPoints); err != nil {
return err
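Review bot: The reworded `errors.New` on the new line is constructed inline, so a caller of `verifyChain` can only tell "no verifier configured" apart from a genuine revocation failure by comparing strings; a package-level sentinel, `var ErrCRLVerifierNotSet = errors.New("cannot verify certificate validity by CRL: verification function not provided")`, returned here and matched with `errors.Is`, keeps the message and makes the misconfiguration case testable. The fail-closed behavior — a certificate that advertises distribution points is rejected rather than accepted unchecked when no verifier is wired in — is the right default and deserves a one-line comment above the `if verifyByCRL == nil` check, e.g. `// Fail closed: a certificate carrying CRL distribution points must be checked, never silently trusted.` `verifyChain` starts and ends outside the hunk.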
2 changes: 1 addition & 1 deletion coap-gateway/service/auth_test.go
Expand Up @@ -35,7 +35,7 @@ func TestCertificateWithCRL(t *testing.T) {
shutdown := setUp(t, coapgwCfg)
defer shutdown()

ctx, cancel := context.WithTimeout(context.Background(), time.Second*30*20)
ctx, cancel := context.WithTimeout(context.Background(), time.Second*30)
defer cancel()
tokenWithoutDeviceID := oauthTest.GetDefaultAccessToken(t)
ctx = pkgGrpc.CtxWithToken(ctx, tokenWithoutDeviceID)
2 changes: 1 addition & 1 deletion coap-gateway/test/certificates.go
Expand Up @@ -29,10 +29,10 @@ func NewLocalCertificateGenerator(sc []*x509.Certificate, sk *ecdsa.PrivateKey)

func getTLSCertificate(certPEMBlock []byte, pk *ecdsa.PrivateKey) (tls.Certificate, error) {
b, err := x509.MarshalECPrivateKey(pk)
key := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: b})
if err != nil {
return tls.Certificate{}, err
}
key := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: b})
crt, err := tls.X509KeyPair(certPEMBlock, key)
if err != nil {
return tls.Certificate{}, err
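Review bot: With the `key :=` line now placed after the error check the ordering is right, but both early returns in `getTLSCertificate` hand back the bare error, so a caller cannot tell whether marshaling the EC key or assembling the key pair failed; wrapping as `return tls.Certificate{}, fmt.Errorf("marshaling EC private key: %w", err)` and `return tls.Certificate{}, fmt.Errorf("building TLS key pair: %w", err)` adds that context (this assumes `fmt` is imported in the file, which the hunk does not show). The function also has no doc comment; `// getTLSCertificate pairs the PEM-encoded certificate with the EC private key as a tls.Certificate.` would do. `getTLSCertificate` ends outside the hunk.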
4 changes: 2 additions & 2 deletions pkg/net/coap/service/udpServer.go
Expand Up @@ -61,11 +61,11 @@ func (s *udpServer) Close() error {
func newUDPListener(config Config, logger log.Logger) (*udpListerner, error) {
listener, err := net.NewListenUDP("udp", config.Addr)
if err != nil {
return nil, fmt.Errorf("cannot create tcp listener: %w", err)
return nil, fmt.Errorf("cannot create udp listener: %w", err)
}
closeListener := func() {
if err := listener.Close(); err != nil {
logger.Errorf("failed to close tcp listener: %w", err)
logger.Errorf("failed to close udp listener: %w", err)
}
}
return &udpListerner{
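Review bot: The corrected `logger.Errorf("failed to close udp listener: %w", err)` keeps the `%w` verb, which only `fmt.Errorf` interprets; unless `log.Logger`'s `Errorf` is built on `fmt.Errorf` (not visible here), a Printf-style implementation renders it as `%!w(...)` and `go vet`'s printf check flags it. Use `%v` in the log call: `logger.Errorf("failed to close udp listener: %v", err)`; the `fmt.Errorf` a few lines up correctly uses `%w`. The type name `udpListerner` in the context lines looks like a typo for `udpListener`, though that predates this commit. `newUDPListener` ends outside the hunk.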
8 changes: 2 additions & 6 deletions pkg/security/certManager/general/certManager.go
Expand Up @@ -414,13 +414,9 @@ func (a *CertManager) downloadCRL(ctx context.Context, cdp string) (*x509.Revoca
return nil, err
}
if resp.StatusCode != http.StatusOK {
return nil, fmt.Errorf("unexpected statusCode %v: '%v'", resp.StatusCode, string(respBody))
return nil, fmt.Errorf("unexpected status code %v while downloading CRL from %s: %v", resp.StatusCode, cdp, string(respBody))
}
crl, err := x509.ParseRevocationList(respBody)
if err != nil {
return nil, err
}
return crl, nil
return x509.ParseRevocationList(respBody)
}

func (a *CertManager) VerifyByCRL(ctx context.Context, certificate *x509.Certificate, cdps []string) error {
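Review bot: `return x509.ParseRevocationList(respBody)` on the new last line drops the `cdp` context that the status-code error just gained, so a malformed CRL surfaces as a bare ASN.1 error with no indication of which distribution point served it; restore the explicit `crl, err :=` / `if err != nil` form and wrap as `fmt.Errorf("parsing CRL downloaded from %s: %w", cdp, err)`. The new status-code message interpolates the full response body, which comes from a remote server and whose size is bounded only by however `respBody` was read above the hunk; truncating it to a few hundred bytes or formatting it with `%q` keeps logs readable and predictable. `x509.ParseRevocationList` does not check the CRL's signature; if `VerifyByCRL`, which begins right after this hunk, does not already call `CheckSignatureFrom` against the issuer certificate, a substituted CRL would be accepted, so that is worth confirming. `downloadCRL` starts outside the hunk.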
