diff --git a/network/network.go b/network/network.go index be8618bdd..12718c4e1 100644 --- a/network/network.go +++ b/network/network.go @@ -128,7 +128,7 @@ func (n *Network) checkNodeTLSHealth() core.Health { } } // check if the configured certificate is revoked / denied. - err = n.pkiValidator.Validate([]*x509.Certificate{n.certificate.Leaf}) + err = n.pkiValidator.CheckCRL([]*x509.Certificate{n.certificate.Leaf}) if err != nil { return core.Health{ Status: core.HealthStatusDown, diff --git a/network/transport/grpc/connection_manager.go b/network/transport/grpc/connection_manager.go index f738a56fe..213d5da93 100644 --- a/network/transport/grpc/connection_manager.go +++ b/network/transport/grpc/connection_manager.go @@ -571,7 +571,7 @@ func (s *grpcConnectionManager) revalidatePeers() { conn.disconnect() return } - err = s.config.pkiValidator.Validate([]*x509.Certificate{peerCert}) + err = s.config.pkiValidator.CheckCRL([]*x509.Certificate{peerCert}) if err != nil { log.Logger().WithError(err).WithFields(conn.Peer().ToFields()).Warn("Disconnected peer") conn.disconnect() diff --git a/network/transport/grpc/tls_offloading.go b/network/transport/grpc/tls_offloading.go index 89223b87c..f114bc05e 100644 --- a/network/transport/grpc/tls_offloading.go +++ b/network/transport/grpc/tls_offloading.go @@ -60,7 +60,7 @@ func (t *tlsOffloadingAuthenticator) intercept(srv interface{}, serverStream grp } // Validate revocation/deny list status - if err = t.pkiValidator.Validate(certificates); err != nil { + if err = t.pkiValidator.CheckCRL(certificates); err != nil { log.Logger(). WithError(err). Warnf("Validation of offloaded TLS certificate failed") diff --git a/pki/interface.go b/pki/interface.go index 3d4907748..7b26e3776 100644 --- a/pki/interface.go +++ b/pki/interface.go @@ -58,28 +58,28 @@ type Denylist interface { } type Validator interface { - // Validate returns an error if any of the certificates in the chain has been revoked, or if the request cannot be processed. + // CheckCRL returns an error if any of the certificates in the chain has been revoked, or if the request cannot be processed. // ErrCertRevoked and ErrCertUntrusted indicate that at least one of the certificates is revoked, or signed by a CA that is not in the truststore. // ErrCRLMissing and ErrCRLExpired signal that at least one of the certificates cannot be validated reliably. // If the certificate was revoked on an expired CRL, it wil return ErrCertRevoked. - // Validate uses the configured soft-/hard-fail strategy + // CheckCRL uses the configured soft-/hard-fail strategy // If set to soft-fail it ignores ErrCRLMissing and ErrCRLExpired errors. // The certificate chain is expected to be sorted leaf to root. - Validate(chain []*x509.Certificate) error + CheckCRL(chain []*x509.Certificate) error - // ValidateStrict does the same as Validate, except it always uses the hard-fail strategy. - ValidateStrict(chain []*x509.Certificate) error + // CheckCRLStrict does the same as CheckCRL, except it always uses the hard-fail strategy. + CheckCRLStrict(chain []*x509.Certificate) error - // SetVerifyPeerCertificateFunc sets config.ValidatePeerCertificate to use Validate. + // SetVerifyPeerCertificateFunc sets config.ValidatePeerCertificate to use CheckCRL. SetVerifyPeerCertificateFunc(config *tls.Config) error // AddTruststore adds all CAs to the truststore for validation of CRL signatures. It also adds all CRL Distribution Endpoints found in the chain. - // CRL Distribution Points encountered during operation, such as on end user certificates, are only added to the monitored CRLs if their issuer is in the truststore. + // CRL Distribution Points encountered at runtime, such as on end user certificates when calling CheckCRL, are only added to the monitored CRLs if their issuer is in the truststore. // This fails if any of the issuers mentioned in the chain is not also in the chain or already in the truststore AddTruststore(chain []*x509.Certificate) error // SubscribeDenied registers a callback that is triggered everytime the denylist is updated. - // This can be used to revalidate all certificates on long-lasting connections by calling Validate on them again. + // This can be used to revalidate all certificates on long-lasting connections by calling CheckCRL on them again. SubscribeDenied(f func()) } diff --git a/pki/mock.go b/pki/mock.go index 21d8c97a3..37fa11b80 100644 --- a/pki/mock.go +++ b/pki/mock.go @@ -176,9 +176,9 @@ func (mr *MockValidatorMockRecorder) SubscribeDenied(f any) *gomock.Call { } // Validate mocks base method. -func (m *MockValidator) Validate(chain []*x509.Certificate) error { +func (m *MockValidator) CheckCRL(chain []*x509.Certificate) error { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "Validate", chain) + ret := m.ctrl.Call(m, "CheckCRL", chain) ret0, _ := ret[0].(error) return ret0 } @@ -186,13 +186,13 @@ func (m *MockValidator) Validate(chain []*x509.Certificate) error { // Validate indicates an expected call of Validate. func (mr *MockValidatorMockRecorder) Validate(chain any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Validate", reflect.TypeOf((*MockValidator)(nil).Validate), chain) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CheckCRL", reflect.TypeOf((*MockValidator)(nil).CheckCRL), chain) } // ValidateStrict mocks base method. -func (m *MockValidator) ValidateStrict(chain []*x509.Certificate) error { +func (m *MockValidator) CheckCRLStrict(chain []*x509.Certificate) error { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "ValidateStrict", chain) + ret := m.ctrl.Call(m, "CheckCRLStrict", chain) ret0, _ := ret[0].(error) return ret0 } @@ -200,7 +200,7 @@ func (m *MockValidator) ValidateStrict(chain []*x509.Certificate) error { // ValidateStrict indicates an expected call of ValidateStrict. func (mr *MockValidatorMockRecorder) ValidateStrict(chain any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ValidateStrict", reflect.TypeOf((*MockValidator)(nil).ValidateStrict), chain) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CheckCRLStrict", reflect.TypeOf((*MockValidator)(nil).CheckCRLStrict), chain) } // MockProvider is a mock of Provider interface. @@ -283,9 +283,9 @@ func (mr *MockProviderMockRecorder) SubscribeDenied(f any) *gomock.Call { } // Validate mocks base method. -func (m *MockProvider) Validate(chain []*x509.Certificate) error { +func (m *MockProvider) CheckCRL(chain []*x509.Certificate) error { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "Validate", chain) + ret := m.ctrl.Call(m, "CheckCRL", chain) ret0, _ := ret[0].(error) return ret0 } @@ -293,13 +293,13 @@ func (m *MockProvider) Validate(chain []*x509.Certificate) error { // Validate indicates an expected call of Validate. func (mr *MockProviderMockRecorder) Validate(chain any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Validate", reflect.TypeOf((*MockProvider)(nil).Validate), chain) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CheckCRL", reflect.TypeOf((*MockProvider)(nil).CheckCRL), chain) } // ValidateStrict mocks base method. -func (m *MockProvider) ValidateStrict(chain []*x509.Certificate) error { +func (m *MockProvider) CheckCRLStrict(chain []*x509.Certificate) error { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "ValidateStrict", chain) + ret := m.ctrl.Call(m, "CheckCRLStrict", chain) ret0, _ := ret[0].(error) return ret0 } @@ -307,5 +307,5 @@ func (m *MockProvider) ValidateStrict(chain []*x509.Certificate) error { // ValidateStrict indicates an expected call of ValidateStrict. func (mr *MockProviderMockRecorder) ValidateStrict(chain any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ValidateStrict", reflect.TypeOf((*MockProvider)(nil).ValidateStrict), chain) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CheckCRLStrict", reflect.TypeOf((*MockProvider)(nil).CheckCRLStrict), chain) } diff --git a/pki/validator.go b/pki/validator.go index d08a37c13..2ea0e523d 100644 --- a/pki/validator.go +++ b/pki/validator.go @@ -127,15 +127,15 @@ func (v *validator) syncLoop(ctx context.Context) { } } -func (v *validator) Validate(chain []*x509.Certificate) error { - return v.validate(chain, v.softfail) +func (v *validator) CheckCRL(chain []*x509.Certificate) error { + return v.checkCRL(chain, v.softfail) } -func (v *validator) ValidateStrict(chain []*x509.Certificate) error { - return v.validate(chain, false) +func (v *validator) CheckCRLStrict(chain []*x509.Certificate) error { + return v.checkCRL(chain, false) } -func (v *validator) validate(chain []*x509.Certificate, softfail bool) error { +func (v *validator) checkCRL(chain []*x509.Certificate, softfail bool) error { var cert *x509.Certificate var err error for i := range chain { @@ -159,7 +159,7 @@ func (v *validator) SetVerifyPeerCertificateFunc(config *tls.Config) error { // rawCerts contain all certificates provided by the peer, in our case only the leaf cert, while verifiedChains is guaranteed to include the CA's. // rawCerts are ignored since we would only be checking revocation status on a cert whose issuer is not in the truststore. failure mode is then determined by v.softfail. for _, chain := range verifiedChains { - if err := v.Validate(chain); err != nil { + if err := v.CheckCRL(chain); err != nil { return &tls.CertificateVerificationError{ UnverifiedCertificates: chain, Err: err, diff --git a/pki/validator_test.go b/pki/validator_test.go index 751089a30..8935c8d04 100644 --- a/pki/validator_test.go +++ b/pki/validator_test.go @@ -103,7 +103,7 @@ func TestValidator_Validate(t *testing.T) { testSoftHard := func(t *testing.T, val *validator, cert *x509.Certificate, softfailReturn error, hardfailReturn error) { fn := func(softbool bool, expected error) { val.softfail = softbool - err = val.Validate([]*x509.Certificate{cert}) + err = val.CheckCRL([]*x509.Certificate{cert}) if expected == nil { assert.NoError(t, err) } else { @@ -112,7 +112,7 @@ func TestValidator_Validate(t *testing.T) { } fnStrict := func(expected error) { val.softfail = true // make sure it ignores the configured value - err = val.ValidateStrict([]*x509.Certificate{cert}) + err = val.CheckCRLStrict([]*x509.Certificate{cert}) if expected == nil { assert.NoError(t, err) } else { diff --git a/vdr/didx509/resolver.go b/vdr/didx509/resolver.go index 12f524fdf..b523ec711 100644 --- a/vdr/didx509/resolver.go +++ b/vdr/didx509/resolver.go @@ -120,7 +120,7 @@ func (r Resolver) Resolve(id did.DID, metadata *resolver.ResolveMetadata) (*did. return nil, nil, err } - err = r.pkiValidator.ValidateStrict(chain) + err = r.pkiValidator.CheckCRLStrict(chain) if err != nil { return nil, nil, err }