From 333363e2e30bbd495d75a1c6ab39c8deb0c4b4e6 Mon Sep 17 00:00:00 2001
From: Daniel Adam
Date: Wed, 30 Oct 2024 19:28:52 +0100
Subject: [PATCH] fixup! Verification by CRL
---
 certificate-authority/service/grpc/signer.go | 7 +++----
 coap-gateway/service/auth.go | 2 +-
 coap-gateway/service/auth_test.go | 2 +-
 coap-gateway/test/certificates.go | 2 +-
 pkg/net/coap/service/udpServer.go | 4 ++--
 pkg/security/certManager/general/certManager.go | 8 ++------
 6 files changed, 10 insertions(+), 15 deletions(-)
diff --git a/certificate-authority/service/grpc/signer.go b/certificate-authority/service/grpc/signer.go
index cdd8161ef..f77168391 100644
--- a/certificate-authority/service/grpc/signer.go
+++ b/certificate-authority/service/grpc/signer.go
@@ -5,7 +5,7 @@ import (
 "crypto/ecdsa"
 "crypto/x509"
 "errors"
- "path"
+ "strings"
 "time"
 
 "github.com/google/uuid"
@@ -181,9 +181,8 @@ func (s *Signer) sign(ctx context.Context, isIdentityCertificate bool, csr []byt
 }),
 }
 if s.IsCRLEnabled() {
- opts = append(opts, certificateSigner.WithCRLDistributionPoints(
- []string{path.Join(s.crl.serverAddress, uri.SigningRevocationListBase, s.issuerID)},
- ))
+ dp := []string{s.crl.serverAddress, uri.SigningRevocationListBase, s.issuerID}
+ opts = append(opts, certificateSigner.WithCRLDistributionPoints([]string{strings.Join(dp, "/")}))
 }
 signer, err := s.newCertificateSigner(isIdentityCertificate, opts...)
 if err != nil {
diff --git a/coap-gateway/service/auth.go b/coap-gateway/service/auth.go
index 3b8d9fee7..2a5f1a3b5 100644
--- a/coap-gateway/service/auth.go
+++ b/coap-gateway/service/auth.go
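Review bot: The CRL distribution point is now built with `strings.Join(dp, "/")`, so a trailing slash on `s.crl.serverAddress` or a leading slash on `uri.SigningRevocationListBase` produces a URL with a doubled `//`, and a serverAddress without a scheme is embedded unchecked into every issued certificate, where it cannot be corrected afterwards. If the module targets Go 1.19 or later, `url.JoinPath(s.crl.serverAddress, uri.SigningRevocationListBase, s.issuerID)` normalises the separators and returns an error for an unparsable base, which `sign` can return instead of signing. Whether serverAddress is validated at configuration time is not visible in this hunk; `sign` starts and ends outside the hunk.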
@@ -128,7 +128,7 @@ func verifyChain(ctx context.Context, chain []*x509.Certificate, capool *x509.Ce
 if len(certificate.CRLDistributionPoints) > 0 {
 if verifyByCRL == nil {
- return errors.New("failed to check certificate validity by CRL")
+ return errors.New("cannot verify certificate validity by CRL: verification function not provided")
 }
 if err = verifyByCRL(ctx, certificate, certificate.CRLDistributionPoints); err != nil {
 return err
diff --git a/coap-gateway/service/auth_test.go b/coap-gateway/service/auth_test.go
index 35456d0ae..a6d526b1b 100644
--- a/coap-gateway/service/auth_test.go
+++ b/coap-gateway/service/auth_test.go
@@ -35,7 +35,7 @@ func TestCertificateWithCRL(t *testing.T) {
 shutdown := setUp(t, coapgwCfg)
 defer shutdown()
- ctx, cancel := context.WithTimeout(context.Background(), time.Second*30*20)
+ ctx, cancel := context.WithTimeout(context.Background(), time.Second*30)
 defer cancel()
 tokenWithoutDeviceID := oauthTest.GetDefaultAccessToken(t)
 ctx = pkgGrpc.CtxWithToken(ctx, tokenWithoutDeviceID)
diff --git a/coap-gateway/test/certificates.go b/coap-gateway/test/certificates.go
index 813717982..c2b7f1089 100644
--- a/coap-gateway/test/certificates.go
+++ b/coap-gateway/test/certificates.go
@@ -29,10 +29,10 @@ func NewLocalCertificateGenerator(sc []*x509.Certificate, sk *ecdsa.PrivateKey)
 func getTLSCertificate(certPEMBlock []byte, pk *ecdsa.PrivateKey) (tls.Certificate, error) {
 b, err := x509.MarshalECPrivateKey(pk)
- key := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: b})
 if err != nil {
 return tls.Certificate{}, err
 }
+ key := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: b})
 crt, err := tls.X509KeyPair(certPEMBlock, key)
 if err != nil {
 return tls.Certificate{}, err
diff --git a/pkg/net/coap/service/udpServer.go b/pkg/net/coap/service/udpServer.go
index 9d9b9c3e6..fb9b893ae 100644
--- a/pkg/net/coap/service/udpServer.go
+++ b/pkg/net/coap/service/udpServer.go
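Review bot: Moving `key := pem.EncodeToMemory(...)` below the error check is right, but `getTLSCertificate` still has no doc comment even though its contract is now clear; I would add `// getTLSCertificate pairs the PEM-encoded certificate chain with pk, re-encoded as an unencrypted "EC PRIVATE KEY" PEM block, and returns the resulting tls.Certificate.` above the signature. Both `return tls.Certificate{}, err` paths also return the raw error with no indication of which step failed; wrapping, e.g. `return tls.Certificate{}, fmt.Errorf("marshalling EC private key: %w", err)`, would make a failing test easier to read, provided fmt is already imported in this file (not visible here). The function's remaining lines are outside the hunk.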
@@ -61,11 +61,11 @@ func (s *udpServer) Close() error {
 func newUDPListener(config Config, logger log.Logger) (*udpListerner, error) {
 listener, err := net.NewListenUDP("udp", config.Addr)
 if err != nil {
- return nil, fmt.Errorf("cannot create tcp listener: %w", err)
+ return nil, fmt.Errorf("cannot create udp listener: %w", err)
 }
 closeListener := func() {
 if err := listener.Close(); err != nil {
- logger.Errorf("failed to close tcp listener: %w", err)
+ logger.Errorf("failed to close udp listener: %w", err)
 }
 }
 return &udpListerner{
diff --git a/pkg/security/certManager/general/certManager.go b/pkg/security/certManager/general/certManager.go
index 83337a5ea..96ed94094 100644
--- a/pkg/security/certManager/general/certManager.go
+++ b/pkg/security/certManager/general/certManager.go
@@ -414,13 +414,9 @@ func (a *CertManager) downloadCRL(ctx context.Context, cdp string) (*x509.Revoca
 return nil, err
 }
 if resp.StatusCode != http.StatusOK {
- return nil, fmt.Errorf("unexpected statusCode %v: '%v'", resp.StatusCode, string(respBody))
+ return nil, fmt.Errorf("unexpected status code %v while downloading CRL from %s: %v", resp.StatusCode, cdp, string(respBody))
 }
- crl, err := x509.ParseRevocationList(respBody)
- if err != nil {
- return nil, err
- }
- return crl, nil
+ return x509.ParseRevocationList(respBody)
 }
 
 func (a *CertManager) VerifyByCRL(ctx context.Context, certificate *x509.Certificate, cdps []string) error {
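Review bot: `logger.Errorf("failed to close udp listener: %w", err)` keeps the `%w` verb in a logging call; `%w` is only meaningful to `fmt.Errorf`, and unless `log.Logger.Errorf` is documented to wrap errors the message renders as `%!w(...)` and `go vet`'s printf check flags it. Use `logger.Errorf("failed to close udp listener: %v", err)`. The `fmt.Errorf` a few lines above is fine with `%w`. `newUDPListener` continues past the hunk.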
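Review bot: The new error message embeds the full `respBody` returned by whichever server the certificate's CRL distribution point names, so a non-200 reply of arbitrary size and content is copied into the error string that callers log or return; `respBody` is read before this hunk, so whether it is already bounded is not visible here. Cap and quote it at the format level, e.g. `return nil, fmt.Errorf("unexpected status code %v while downloading CRL from %q: %.256q", resp.StatusCode, cdp, respBody)`, which also escapes control characters in `cdp`. The simplified `return x509.ParseRevocationList(respBody)` drops the `cdp` context that the status-code branch now reports, so a parse failure no longer says which distribution point served the bad CRL; wrapping the parse error with the same `cdp` would keep the two paths consistent. `downloadCRL` starts outside the hunk.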