Hopefully an improvement to the initial way of dealing with expired certs
parent
cb151f75aa
commit
00313442d4
|
@ -67,10 +67,8 @@ func (t *TofuDigest) Find(host string) (string, error) {
|
||||||
return "", fmt.Errorf("Invalid hostname, no key saved")
|
return "", fmt.Errorf("Invalid hostname, no key saved")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t *TofuDigest) Match(host string, cState *tls.ConnectionState) error {
|
func (t *TofuDigest) Match(host, localCert string, cState *tls.ConnectionState) error {
|
||||||
host = strings.ToLower(host)
|
|
||||||
now := time.Now()
|
now := time.Now()
|
||||||
localCert := strings.SplitN(t.certs[host], "|", -1)[0]
|
|
||||||
|
|
||||||
for _, cert := range cState.PeerCertificates {
|
for _, cert := range cState.PeerCertificates {
|
||||||
if localCert != hashCert(cert.Raw) {
|
if localCert != hashCert(cert.Raw) {
|
||||||
|
@ -126,6 +124,33 @@ func (t *TofuDigest) newCert(host string, cState *tls.ConnectionState) error {
|
||||||
return fmt.Errorf(reasons.String())
|
return fmt.Errorf(reasons.String())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (t *TofuDigest) GetCertAndTimestamp(host string) (string, int64, error) {
|
||||||
|
certTs, err := t.Find(host)
|
||||||
|
if err != nil {
|
||||||
|
return "", -1, err
|
||||||
|
}
|
||||||
|
certTsSplit := strings.SplitN(certTs, "|", -1)
|
||||||
|
if len(certTsSplit) < 2 {
|
||||||
|
_ = t.Purge(host)
|
||||||
|
return certTsSplit[0], -1, fmt.Errorf("Invalid certstring, no delimiter")
|
||||||
|
}
|
||||||
|
ts, err := strconv.ParseInt(certTsSplit[1], 10, 64)
|
||||||
|
if err != nil {
|
||||||
|
_ = t.Purge(host)
|
||||||
|
return certTsSplit[0], -1, err
|
||||||
|
}
|
||||||
|
now := time.Now()
|
||||||
|
if ts < now.Unix() {
|
||||||
|
// Ignore error return here since an error would indicate
|
||||||
|
// the host does not exist and we have already checked for
|
||||||
|
// that and the desired outcome of the action is that the
|
||||||
|
// host will no longer exist, so we are good either way
|
||||||
|
_ = t.Purge(host)
|
||||||
|
return "", -1, fmt.Errorf("Expired cert")
|
||||||
|
}
|
||||||
|
return certTsSplit[0], ts, nil
|
||||||
|
}
|
||||||
|
|
||||||
func (t *TofuDigest) IniDump() string {
|
func (t *TofuDigest) IniDump() string {
|
||||||
if len(t.certs) < 1 {
|
if len(t.certs) < 1 {
|
||||||
return ""
|
return ""
|
||||||
|
@ -133,14 +158,6 @@ func (t *TofuDigest) IniDump() string {
|
||||||
var out strings.Builder
|
var out strings.Builder
|
||||||
out.WriteString("[CERTS]\n")
|
out.WriteString("[CERTS]\n")
|
||||||
for k, v := range t.certs {
|
for k, v := range t.certs {
|
||||||
vals := strings.SplitN(v, "|", -1)
|
|
||||||
now := time.Now()
|
|
||||||
if len(vals) > 1 {
|
|
||||||
ts, err := strconv.ParseInt(vals[1], 10, 64)
|
|
||||||
if err != nil || now.Unix() > ts {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
}
|
|
||||||
out.WriteString(k)
|
out.WriteString(k)
|
||||||
out.WriteString("=")
|
out.WriteString("=")
|
||||||
out.WriteString(v)
|
out.WriteString(v)
|
||||||
|
@ -185,9 +202,11 @@ func Retrieve(host, port, resource string, td *TofuDigest) (string, error) {
|
||||||
return "", fmt.Errorf("Insecure, no certificates offered by server")
|
return "", fmt.Errorf("Insecure, no certificates offered by server")
|
||||||
}
|
}
|
||||||
|
|
||||||
if td.Exists(host) {
|
localCert, localTs, err := td.GetCertAndTimestamp(host)
|
||||||
|
|
||||||
|
if localTs > 0 {
|
||||||
// See if we have a matching cert
|
// See if we have a matching cert
|
||||||
err := td.Match(host, &connState)
|
err := td.Match(host, localCert, &connState)
|
||||||
if err != nil && err.Error() != "EXP" {
|
if err != nil && err.Error() != "EXP" {
|
||||||
// If there is no match and it isnt because of an expiration
|
// If there is no match and it isnt because of an expiration
|
||||||
// just return the error
|
// just return the error
|
||||||
|
|
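Review bot: In the Retrieve hunk the err returned by `td.GetCertAndTimestamp(host)` is never examined — the inner `err := td.Match(...)` shadows it — so a corrupt, unparsable or expired pin is indistinguishable from "no pin" and the connection falls through to whatever path handles an unknown host, which in a TOFU client presumably stores the server's current certificate without telling the user; because GetCertAndTimestamp already purges the entry in each of those cases, that trust reset is permanent and invisible. Surface the reason before falling through, e.g. `if err != nil && err.Error() == "Expired cert" { /* warn the user that the pin for host expired and a new one will be recorded */ }`, and assign to the outer variable (`err = td.Match(host, localCert, &connState)`) instead of shadowing it — if `err` is not read later in the function, this hunk will not compile. Matching errors by message text ("EXP", "Expired cert") is fragile; a package-level sentinel such as `var errExpired = errors.New("EXP")` checked with `errors.Is` would be safer. Retrieve's body continues past the end of the hunk.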