Cert interface #1212
Cert interface #1212
Conversation
pki.go
Outdated
| oldIPs := currentCert.Details.Ips | ||
| newIPs := cs.Certificate.Details.Ips | ||
| oldIPs := currentCert.Networks() | ||
| newIPs := cs.Certificate.Networks() | ||
| if len(oldIPs) > 0 && len(newIPs) > 0 && oldIPs[0].String() != newIPs[0].String() { | ||
| return util.NewContextualError( | ||
| "IP in new cert was different from old", |
pki.go
Outdated
| @@ -193,7 +191,7 @@ func newCertStateFromConfig(c *config.C) (*CertState, error) { | |||
| return nil, fmt.Errorf("nebula certificate for this host is expired") | |||
| } | |||
|
|
|||
| if len(nebulaCert.Details.Ips) == 0 { | |||
| if len(nebulaCert.Networks()) == 0 { | |||
| return nil, fmt.Errorf("no IPs encoded in certificate") | |||
nbrownus
force-pushed
the
cert-interface
branch
2 times, most recently
from
64bf64b
to
16914c4
Compare
| @@ -37,15 +37,15 @@ type Control struct { | |||
| } | |||
|
|
|||
| type ControlHostInfo struct { | |||
There was a problem hiding this comment.
Its probably time to ditch this and just export the cert.Certificate interface
nbrownus
force-pushed
the
cert-interface
branch
from
16914c4
to
93c5a8c
Compare
cert/ca_pool.go
Outdated
|
|
||
| // checkCAConstraints is a very generic function allowing both Certificates and TBSCertificates to be tested. | ||
| func checkCAConstraints(signer Certificate, notBefore, notAfter time.Time, groups []string, networks, unsafeNetworks []netip.Prefix) error { | ||
| // Make sure this cert wasn't valid before the root |
There was a problem hiding this comment.
comments look flipped to the logic.
This check reads to me as the host cert must not be valid after the root, and the next check reads as the host cert must not be valid before the signing cert.
| return k.Bytes, r, curve, nil | ||
| } | ||
| // VerifyPrivateKey returns an error if the private key is not a pair with the certificates public key. | ||
| VerifyPrivateKey(curve Curve, privateKey []byte) error |
There was a problem hiding this comment.
when is the curve argument not self.Curve? I think this can be omitted, and a length check of the privateKey is sufficient?
There was a problem hiding this comment.
This is the original API and I believe its primary use case is to catch situations where the private key being tested is of the wrong curve.
Line 725 in 16eaae3
| } | ||
| // Issuer is the fingerprint of the CA that signed this certificate. | ||
| // If IsCA is true then this will be empty. | ||
| Issuer() string //TODO: string or bytes? |
There was a problem hiding this comment.
I would make it the same thing everywhere; so cert.Issuer() result can be directly used with cert.Fingerprint() without additional data transformations.
| case Curve_P256: | ||
| privkey, err := ecdh.P256().NewPrivateKey(key) | ||
| if err != nil { | ||
| return fmt.Errorf("cannot parse private key as P256") |
There was a problem hiding this comment.
want to return the err too?
There was a problem hiding this comment.
We can but this is the original behavior
Lines 744 to 747 in 16eaae3
nbrownus
force-pushed
the
cert-interface
branch
from
93c5a8c
to
2626ff9
Compare
WIP