-
Notifications
You must be signed in to change notification settings - Fork 969
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cert interface #1212
base: master
Are you sure you want to change the base?
Cert interface #1212
Conversation
pki.go
Outdated
oldIPs := currentCert.Details.Ips | ||
newIPs := cs.Certificate.Details.Ips | ||
oldIPs := currentCert.Networks() | ||
newIPs := cs.Certificate.Networks() | ||
if len(oldIPs) > 0 && len(newIPs) > 0 && oldIPs[0].String() != newIPs[0].String() { | ||
return util.NewContextualError( | ||
"IP in new cert was different from old", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Network
pki.go
Outdated
@@ -193,7 +191,7 @@ func newCertStateFromConfig(c *config.C) (*CertState, error) { | |||
return nil, fmt.Errorf("nebula certificate for this host is expired") | |||
} | |||
|
|||
if len(nebulaCert.Details.Ips) == 0 { | |||
if len(nebulaCert.Networks()) == 0 { | |||
return nil, fmt.Errorf("no IPs encoded in certificate") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Networks
64bf64b
to
16914c4
Compare
@@ -37,15 +37,15 @@ type Control struct { | |||
} | |||
|
|||
type ControlHostInfo struct { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Its probably time to ditch this and just export the cert.Certificate
interface
16914c4
to
93c5a8c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
big pr, posting some stuff now, and continuing to go through it
cert/ca_pool.go
Outdated
|
||
// checkCAConstraints is a very generic function allowing both Certificates and TBSCertificates to be tested. | ||
func checkCAConstraints(signer Certificate, notBefore, notAfter time.Time, groups []string, networks, unsafeNetworks []netip.Prefix) error { | ||
// Make sure this cert wasn't valid before the root |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
comments look flipped to the logic.
This check reads to me as the host cert must not be valid after the root, and the next check reads as the host cert must not be valid before the signing cert.
return k.Bytes, r, curve, nil | ||
} | ||
// VerifyPrivateKey returns an error if the private key is not a pair with the certificates public key. | ||
VerifyPrivateKey(curve Curve, privateKey []byte) error |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
when is the curve
argument not self.Curve
? I think this can be omitted, and a length check of the privateKey is sufficient?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the original API and I believe its primary use case is to catch situations where the private key being tested is of the wrong curve.
Line 725 in 16eaae3
func (nc *NebulaCertificate) VerifyPrivateKey(curve Curve, key []byte) error { |
} | ||
// Issuer is the fingerprint of the CA that signed this certificate. | ||
// If IsCA is true then this will be empty. | ||
Issuer() string //TODO: string or bytes? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would make it the same thing everywhere; so cert.Issuer() result can be directly used with cert.Fingerprint() without additional data transformations.
case Curve_P256: | ||
privkey, err := ecdh.P256().NewPrivateKey(key) | ||
if err != nil { | ||
return fmt.Errorf("cannot parse private key as P256") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
want to return the err too?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can but this is the original behavior
Lines 744 to 747 in 16eaae3
privkey, err := ecdh.P256().NewPrivateKey(key) | |
if err != nil { | |
return fmt.Errorf("cannot parse private key as P256") | |
} |
93c5a8c
to
2626ff9
Compare
WIP