diff --git a/go.mod b/go.mod
index 95ecd0f..504061d 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.20
 require (
 	github.com/go-webauthn/webauthn v0.8.4
 	github.com/golang-jwt/jwt/v5 v5.0.0
-	github.com/leobrada/golang_convenience_tools v0.0.0-20230226145447-cbd5896c5ecf
+	github.com/leobrada/golang_convenience_tools v0.0.0-20231027190949-23729c408209
 	github.com/leobrada/yaml_tools v0.0.0-20220115205103-7f6e1de7ab2e
 	github.com/vs-uulm/ztsfc_http_attributes v0.0.0-20230718145859-e9c5fbffbfa7
 	github.com/vs-uulm/ztsfc_http_logger v0.0.0-20220504121928-852f30c337e5
diff --git a/go.sum b/go.sum
index fd055c6..ecd8f90 100644
--- a/go.sum
+++ b/go.sum
@@ -15,8 +15,8 @@ github.com/google/go-tpm v0.9.0 h1:sQF6YqWMi+SCXpsmS3fd21oPy/vSddwZry4JnmltHVk=
 github.com/google/go-tpm v0.9.0/go.mod h1:FkNVkc6C+IsvDI9Jw1OveJmxGZUUaKxtrpOS47QWKfU=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/leobrada/golang_convenience_tools v0.0.0-20230226145447-cbd5896c5ecf h1:DgdJbknzkbjhDBDLDx8vJwX6l7WxuHNhkJDMJ/m8a1o=
-github.com/leobrada/golang_convenience_tools v0.0.0-20230226145447-cbd5896c5ecf/go.mod h1:dFsd7aKdV12xS9hk+9raiGEYRBsuwbXRjm9mVq2cxoo=
+github.com/leobrada/golang_convenience_tools v0.0.0-20231027190949-23729c408209 h1:LceJohOLR4c3Th+aS9p+XEuTmKWmKtxUSHkrfcs4sz4=
+github.com/leobrada/golang_convenience_tools v0.0.0-20231027190949-23729c408209/go.mod h1:dFsd7aKdV12xS9hk+9raiGEYRBsuwbXRjm9mVq2cxoo=
 github.com/leobrada/yaml_tools v0.0.0-20220115205103-7f6e1de7ab2e h1:n4X/33vxeWGlhENDCMUKufuZifF47Qmo/9hOa8BwBrY=
 github.com/leobrada/yaml_tools v0.0.0-20220115205103-7f6e1de7ab2e/go.mod h1:S7LK9JN09inLOGGcXFCjFHkGaaBG3loTfg+cDfIKUfQ=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
diff --git a/internal/app/config/config.go b/internal/app/config/config.go
index c994c83..aadb725 100644
--- a/internal/app/config/config.go
+++ b/internal/app/config/config.go
@@ -191,17 +191,18 @@ type ServFunctionT struct {
 // ConfigT struct is for parsing the basic structure of the config file
 type ConfigT struct {
-	SysLogger sysLoggerT `yaml:"system_logger"`
-	Blocklists BlocklistsT `yaml:"blocklists"`
-	Pep PepT `yaml:"pep"`
-	BasicAuth BasicAuthT `yaml:"basic_auth"`
-	Pdp PdpT `yaml:"pdp"`
-	Pip PipT `yaml:"pip"`
-	SfpLogic SfplT `yaml:"sfp_logic"`
-	ServicePool map[string]*ServiceT `yaml:"service_pool"`
-	SfPool map[string]*ServFunctionT `yaml:"sf_pool"`
-	CAcertPoolPepAcceptsFromExt *x509.CertPool
-	CRLForExt *x509.RevocationList
-	CAcertPoolPepAcceptsFromInt *x509.CertPool
-	ServiceSniMap map[string]*ServiceT
+	SysLogger sysLoggerT `yaml:"system_logger"`
+	Blocklists BlocklistsT `yaml:"blocklists"`
+	Pep PepT `yaml:"pep"`
+	BasicAuth BasicAuthT `yaml:"basic_auth"`
+	Pdp PdpT `yaml:"pdp"`
+	Pip PipT `yaml:"pip"`
+	SfpLogic SfplT `yaml:"sfp_logic"`
+	ServicePool map[string]*ServiceT `yaml:"service_pool"`
+	SfPool map[string]*ServFunctionT `yaml:"sf_pool"`
+	CAcertPoolPepAcceptsFromExt *x509.CertPool
+	CACertSlicePEPAcceptsFromExt []*x509.Certificate
+	CRLForExt *x509.RevocationList
+	CAcertPoolPepAcceptsFromInt *x509.CertPool
+	ServiceSniMap map[string]*ServiceT
 }
diff --git a/internal/app/init/init_config.go b/internal/app/init/init_config.go
index c4f5270..441f5ee 100644
--- a/internal/app/init/init_config.go
+++ b/internal/app/init/init_config.go
@@ -17,6 +17,7 @@ func InitConfig(sysLogger *logger.Logger) error {
 	// Create Certificate Pools for the CA certificates used by the PEP
 	config.Config.CAcertPoolPepAcceptsFromExt = x509.NewCertPool()
 	config.Config.CAcertPoolPepAcceptsFromInt = x509.NewCertPool()
+	config.Config.CACertSlicePEPAcceptsFromExt = make([]*x509.Certificate, 0)
 
 	if err := initBlocklists(sysLogger); err != nil {
 		return fmt.Errorf("init: InitConfig(): %v", err)
diff --git a/internal/app/init/init_config_pep.go b/internal/app/init/init_config_pep.go
index e158073..5cc7a50 100644
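Review bot: The new `CACertSlicePEPAcceptsFromExt` field in ConfigT carries no comment saying why the accepted client CAs are now held twice, once in `CAcertPoolPepAcceptsFromExt` and once as a slice, or which code is responsible for keeping the two in step. I would add `// CACertSlicePEPAcceptsFromExt holds the same client CA certificates as CAcertPoolPepAcceptsFromExt as parsed values, presumably because x509.CertPool gives no access to its certificates for CRL signature checks; both are filled by initPep and must stay in sync.` The name also mixes `CACert…PEP` casing with the neighbouring `CAcert…Pep` fields; `CAcertSlicePepAcceptsFromExt` would match the existing convention.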
--- a/internal/app/init/init_config_pep.go
+++ b/internal/app/init/init_config_pep.go
@@ -5,9 +5,11 @@ package init
 import (
 	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"os"
 	"strings"
+	"time"
 
 	gct "github.com/leobrada/golang_convenience_tools"
 	logger "github.com/vs-uulm/ztsfc_http_logger"
@@ -39,9 +41,14 @@ func initPep(sysLogger *logger.Logger) error {
 		if err != nil {
 			return fmt.Errorf("initPep(): could not load certificates PEP accepts from clients: '%s'", err)
 		}
+		config.Config.CACertSlicePEPAcceptsFromExt, err = AppendPEMCertificateToCertSlice(sysLogger, acceptedClientCert,
+			config.Config.CACertSlicePEPAcceptsFromExt)
+		if err != nil {
+			return fmt.Errorf("initPep(): could not add certificates PEP accepts from clients: '%s'", err)
+		}
 	}
 
-	// Read and parse client CRL
+	// Read, parse, and verify client CRL
 	clientCRLBinary, err := os.ReadFile(config.Config.Pep.ClientCRL)
 	if err != nil {
 		return fmt.Errorf("initPep(): could not load client CRL: '%s'", err)
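Review bot: The added AppendPEMCertificateToCertSlice call reads and parses `acceptedClientCert` a second time, directly after the call above the hunk that, going by its error message, already loads the same file into the CA pool; if that helper can hand back the parsed certificate, parse once and do `config.Config.CAcertPoolPepAcceptsFromExt.AddCert(cert)` alongside the slice append, so pool and slice cannot drift apart. The `=` assignment to `err` relies on the error variable declared before this hunk, which is correct, but wrapping with `%w` instead of `'%s'` would keep the underlying cause inspectable by callers. initPep's body begins before this hunk.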
@@ -51,5 +58,51 @@ func initPep(sysLogger *logger.Logger) error {
 		return fmt.Errorf("initPep(): could not parse client CRL: '%s'", err)
 	}
 
+	if (config.Config.CRLForExt.ThisUpdate.Compare(time.Now()) != -1) || (config.Config.CRLForExt.NextUpdate.Compare(time.Now()) != 1) {
+		return fmt.Errorf("initPep(): client CRL lies outside of valid time period")
+	}
+
+	sysLogger.Debugf("Length of config.Config.CACertSlicePEPAcceptsFromExt: %d", len(config.Config.CACertSlicePEPAcceptsFromExt))
+	for _, caCert := range config.Config.CACertSlicePEPAcceptsFromExt {
+		if err = config.Config.CRLForExt.CheckSignatureFrom(caCert); err == nil {
+			sysLogger.Infof("Signature for CRL '%s' could be successfully verified by CA cert '%s'", config.Config.Pep.ClientCRL, caCert.Subject.CommonName)
+			break
+		}
+	}
+	if err != nil {
+		return fmt.Errorf("initPep(): could not verify CRL signature: '%s'", err)
+	}
+
 	return nil
 }
+
+func AppendPEMCertificateToCertSlice(sysLogger *logger.Logger, certfile string, certSlice []*x509.Certificate) ([]*x509.Certificate, error) {
+	certPEM, err := os.ReadFile(certfile)
+	if err != nil {
+		return certSlice, fmt.Errorf("AppendPEMCertificateToCertSlice(): Loading CA certificate from %s error: %v", certfile, err)
+	}
+
+	if certSlice != nil {
+		certDER, _ := pem.Decode(certPEM)
+		if certDER == nil {
+			sysLogger.Debugf("No PEM data could be found")
+			return certSlice, fmt.Errorf("AppendPEMCertificateToCertSlice(): In passed cert slice '%s' no PEM data is found", certfile)
+		}
+
+		if certDER.Type != "CERTIFICATE" {
+			sysLogger.Debugf("Cert is not a CERTIFICATE")
+			return certSlice, fmt.Errorf("AppendPEMCertificateToCertSlice(): In passed cert slice '%s' no CERTIFICATE is found", certfile)
+		}
+
+		cert, err := x509.ParseCertificate(certDER.Bytes)
+		if err != nil {
+			sysLogger.Debugf("Cert could not bet parsed")
+			return certSlice, fmt.Errorf("AppendPEMCertificateToCertSlice(): Decoded PEM CERTIFICATE could not be parsed to X509: %v", err)
+		}
+
+		certSlice = 
append(certSlice, cert)
+		return certSlice, nil
+	}
+
+	return certSlice, fmt.Errorf("AppendPEMCertificateToCertSlice(): Passed cert slice is nil")
+}
diff --git a/internal/app/router/router.go b/internal/app/router/router.go
index 14b6688..a775f0e 100644
--- a/internal/app/router/router.go
+++ b/internal/app/router/router.go
@@ -60,7 +60,7 @@ func NewRouter(logger *logger.Logger) (*Router, error) {
 			for _, revokedCertificateEntry := range config.Config.CRLForExt.RevokedCertificateEntries {
 				if con.VerifiedChains[0][0].SerialNumber.Cmp(revokedCertificateEntry.SerialNumber) == 0 {
-					return fmt.Errorf("VerifyConnection(): error: client certificate is revoked")
+					return fmt.Errorf("VerifyConnection(): client '%s' certificate is revoked", con.VerifiedChains[0][0].Subject.CommonName)
 				}
 			}
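Review bot: The CRL signature check passes vacuously when `config.Config.CACertSlicePEPAcceptsFromExt` is empty: the `for` loop never runs, `err` is still nil from the successful ParseRevocationList call above, and initPep returns nil with a CRL whose signature nobody verified. Guard before the loop: `if len(config.Config.CACertSlicePEPAcceptsFromExt) == 0 {` / `return fmt.Errorf("initPep(): no client CA certificates loaded, cannot verify CRL signature")` / `}`. The ThisUpdate/NextUpdate comparison runs once at startup only, so a long-running PEP keeps enforcing the CRL after NextUpdate has passed unless something outside this hunk reloads it, and a CRL with no NextUpdate at all fails the check with the same misleading "outside of valid time period" message because the zero time compares as past. In AppendPEMCertificateToCertSlice, pem.Decode takes only the first block, so a bundle file silently contributes a single certificate, and the trailing nil-slice rejection is what forces the `make(..., 0)` in InitConfig even though a nil slice is a valid append target. initPep starts outside this hunk.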
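Review bot: The new message interpolates `Subject.CommonName` with `%s`, and the CN is chosen by whoever presented the client certificate, so control characters or newlines in it land unescaped in whatever logs this error; use `%q` instead: `return fmt.Errorf("VerifyConnection(): client %q certificate is revoked", con.VerifiedChains[0][0].Subject.CommonName)`. Separately, matching on `SerialNumber` alone applies the CRL's serial list to leaf certificates from every accepted client CA, while serial numbers are only unique per issuer; with more than one CA configured, a revoked serial from one CA would also reject an unrevoked certificate carrying the same serial from another, so the leaf's issuer should be compared against `config.Config.CRLForExt.Issuer` as well. The enclosing VerifyConnection callback begins before this hunk.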