....

go.mod

@@ -5,7 +5,7 @@ go 1.20
 require (
 	github.com/go-webauthn/webauthn v0.8.4
 	github.com/golang-jwt/jwt/v5 v5.0.0
-	github.com/leobrada/golang_convenience_tools v0.0.0-20230226145447-cbd5896c5ecf
+	github.com/leobrada/golang_convenience_tools v0.0.0-20231027190949-23729c408209
 	github.com/leobrada/yaml_tools v0.0.0-20220115205103-7f6e1de7ab2e
 	github.com/vs-uulm/ztsfc_http_attributes v0.0.0-20230718145859-e9c5fbffbfa7
 	github.com/vs-uulm/ztsfc_http_logger v0.0.0-20220504121928-852f30c337e5

go.sum

@@ -15,8 +15,8 @@ github.com/google/go-tpm v0.9.0 h1:sQF6YqWMi+SCXpsmS3fd21oPy/vSddwZry4JnmltHVk=
 github.com/google/go-tpm v0.9.0/go.mod h1:FkNVkc6C+IsvDI9Jw1OveJmxGZUUaKxtrpOS47QWKfU=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/leobrada/golang_convenience_tools v0.0.0-20230226145447-cbd5896c5ecf h1:DgdJbknzkbjhDBDLDx8vJwX6l7WxuHNhkJDMJ/m8a1o=
-github.com/leobrada/golang_convenience_tools v0.0.0-20230226145447-cbd5896c5ecf/go.mod h1:dFsd7aKdV12xS9hk+9raiGEYRBsuwbXRjm9mVq2cxoo=
+github.com/leobrada/golang_convenience_tools v0.0.0-20231027190949-23729c408209 h1:LceJohOLR4c3Th+aS9p+XEuTmKWmKtxUSHkrfcs4sz4=
+github.com/leobrada/golang_convenience_tools v0.0.0-20231027190949-23729c408209/go.mod h1:dFsd7aKdV12xS9hk+9raiGEYRBsuwbXRjm9mVq2cxoo=
 github.com/leobrada/yaml_tools v0.0.0-20220115205103-7f6e1de7ab2e h1:n4X/33vxeWGlhENDCMUKufuZifF47Qmo/9hOa8BwBrY=
 github.com/leobrada/yaml_tools v0.0.0-20220115205103-7f6e1de7ab2e/go.mod h1:S7LK9JN09inLOGGcXFCjFHkGaaBG3loTfg+cDfIKUfQ=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=

internal/app/config/config.go

@@ -191,17 +191,18 @@ type ServFunctionT struct {
 
 // ConfigT struct is for parsing the basic structure of the config file
 type ConfigT struct {
-	SysLogger                   sysLoggerT                `yaml:"system_logger"`
-	Blocklists                  BlocklistsT               `yaml:"blocklists"`
-	Pep                         PepT                      `yaml:"pep"`
-	BasicAuth                   BasicAuthT                `yaml:"basic_auth"`
-	Pdp                         PdpT                      `yaml:"pdp"`
-	Pip                         PipT                      `yaml:"pip"`
-	SfpLogic                    SfplT                     `yaml:"sfp_logic"`
-	ServicePool                 map[string]*ServiceT      `yaml:"service_pool"`
-	SfPool                      map[string]*ServFunctionT `yaml:"sf_pool"`
-	CAcertPoolPepAcceptsFromExt *x509.CertPool
-	CRLForExt                   *x509.RevocationList
-	CAcertPoolPepAcceptsFromInt *x509.CertPool
-	ServiceSniMap               map[string]*ServiceT
+	SysLogger                    sysLoggerT                `yaml:"system_logger"`
+	Blocklists                   BlocklistsT               `yaml:"blocklists"`
+	Pep                          PepT                      `yaml:"pep"`
+	BasicAuth                    BasicAuthT                `yaml:"basic_auth"`
+	Pdp                          PdpT                      `yaml:"pdp"`
+	Pip                          PipT                      `yaml:"pip"`
+	SfpLogic                     SfplT                     `yaml:"sfp_logic"`
+	ServicePool                  map[string]*ServiceT      `yaml:"service_pool"`
+	SfPool                       map[string]*ServFunctionT `yaml:"sf_pool"`
+	CAcertPoolPepAcceptsFromExt  *x509.CertPool
+	CACertSlicePEPAcceptsFromExt []*x509.Certificate
+	CRLForExt                    *x509.RevocationList
+	CAcertPoolPepAcceptsFromInt  *x509.CertPool
+	ServiceSniMap                map[string]*ServiceT
 }

internal/app/init/init_config.go

@@ -17,6 +17,7 @@ func InitConfig(sysLogger *logger.Logger) error {
 	// Create Certificate Pools for the CA certificates used by the PEP
 	config.Config.CAcertPoolPepAcceptsFromExt = x509.NewCertPool()
 	config.Config.CAcertPoolPepAcceptsFromInt = x509.NewCertPool()
+	config.Config.CACertSlicePEPAcceptsFromExt = make([]*x509.Certificate, 0)
 
 	if err := initBlocklists(sysLogger); err != nil {
 		return fmt.Errorf("init: InitConfig(): %v", err)

internal/app/init/init_config_pep.go

@@ -5,9 +5,11 @@ package init
 
 import (
 	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"os"
 	"strings"
+	"time"
 
 	gct "github.com/leobrada/golang_convenience_tools"
 	logger "github.com/vs-uulm/ztsfc_http_logger"
@@ -39,9 +41,14 @@ func initPep(sysLogger *logger.Logger) error {
 		if err != nil {
 			return fmt.Errorf("initPep(): could not load certificates PEP accepts from clients: '%s'", err)
 		}
+		config.Config.CACertSlicePEPAcceptsFromExt, err = AppendPEMCertificateToCertSlice(sysLogger, acceptedClientCert,
+			config.Config.CACertSlicePEPAcceptsFromExt)
+		if err != nil {
+			return fmt.Errorf("initPep(): could not add certificates PEP accepts from clients: '%s'", err)
+		}
 	}
 
-	// Read and parse client CRL
+	// Read, parse, and verify client CRL
 	clientCRLBinary, err := os.ReadFile(config.Config.Pep.ClientCRL)
 	if err != nil {
 		return fmt.Errorf("initPep(): could not load client CRL: '%s'", err)
@@ -51,5 +58,51 @@ func initPep(sysLogger *logger.Logger) error {
 		return fmt.Errorf("initPep(): could not parse client CRL: '%s'", err)
 	}
 
+	if (config.Config.CRLForExt.ThisUpdate.Compare(time.Now()) != -1) || (config.Config.CRLForExt.NextUpdate.Compare(time.Now()) != 1) {
+		return fmt.Errorf("initPep(): client CRL lies outside of valid time period")
+	}
+
+	sysLogger.Debugf("Length of config.Config.CACertSlicePEPAcceptsFromExt: %d", len(config.Config.CACertSlicePEPAcceptsFromExt))
+	for _, caCert := range config.Config.CACertSlicePEPAcceptsFromExt {
+		if err = config.Config.CRLForExt.CheckSignatureFrom(caCert); err == nil {
+			sysLogger.Infof("Signature for CRL '%s' could be successfully verified by CA cert '%s'", config.Config.Pep.ClientCRL, caCert.Subject.CommonName)
+			break
+		}
+	}
+	if err != nil {
+		return fmt.Errorf("initPep(): could not verify CRL signature: '%s'", err)
+	}
+
 	return nil
 }
+
+func AppendPEMCertificateToCertSlice(sysLogger *logger.Logger, certfile string, certSlice []*x509.Certificate) ([]*x509.Certificate, error) {
+	certPEM, err := os.ReadFile(certfile)
+	if err != nil {
+		return certSlice, fmt.Errorf("AppendPEMCertificateToCertSlice(): Loading CA certificate from %s error: %v", certfile, err)
+	}
+
+	if certSlice != nil {
+		certDER, _ := pem.Decode(certPEM)
+		if certDER == nil {
+			sysLogger.Debugf("No PEM data could be found")
+			return certSlice, fmt.Errorf("AppendPEMCertificateToCertSlice(): In passed cert slice '%s' no PEM data is found", certfile)
+		}
+
+		if certDER.Type != "CERTIFICATE" {
+			sysLogger.Debugf("Cert is not a CERTIFICATE")
+			return certSlice, fmt.Errorf("AppendPEMCertificateToCertSlice(): In passed cert slice '%s' no CERTIFICATE is found", certfile)
+		}
+
+		cert, err := x509.ParseCertificate(certDER.Bytes)
+		if err != nil {
+			sysLogger.Debugf("Cert could not bet parsed")
+			return certSlice, fmt.Errorf("AppendPEMCertificateToCertSlice(): Decoded PEM CERTIFICATE could not be parsed to X509: %v", err)
+		}
+
+		certSlice = append(certSlice, cert)
+		return certSlice, nil
+	}
+
+	return certSlice, fmt.Errorf("AppendPEMCertificateToCertSlice(): Passed cert slice is nil")
+}

internal/app/router/router.go

@@ -60,7 +60,7 @@ func NewRouter(logger *logger.Logger) (*Router, error) {
 
 			for _, revokedCertificateEntry := range config.Config.CRLForExt.RevokedCertificateEntries {
 				if con.VerifiedChains[0][0].SerialNumber.Cmp(revokedCertificateEntry.SerialNumber) == 0 {
-					return fmt.Errorf("VerifyConnection(): error: client certificate is revoked")
+					return fmt.Errorf("VerifyConnection(): client '%s' certificate is revoked", con.VerifiedChains[0][0].Subject.CommonName)
 				}
 			}