mirror of
https://github.com/slackhq/nebula.git
synced 2026-05-16 21:07:36 +02:00
0ad5c771e9
Some checks failed
gofmt / Run gofmt (push) Failing after 3s
smoke-extra / Run extra smoke tests (push) Failing after 3s
smoke / Run multi node smoke test (push) Failing after 3s
Build and test / Build all and test on ubuntu-linux (push) Failing after 2s
Build and test / Build and test on linux with boringcrypto (push) Failing after 3s
Build and test / Build and test on linux with pkcs11 (push) Failing after 2s
Build and test / Build and test on macos-latest (push) Has been cancelled
Build and test / Build and test on windows-latest (push) Has been cancelled
Co-authored-by: maggie44 <64841595+maggie44@users.noreply.github.com> Co-authored-by: JackDoan <me@jackdoan.com>
91 lines
2.2 KiB
Go
91 lines
2.2 KiB
Go
package main
|
|
|
|
import (
|
|
"errors"
|
|
"flag"
|
|
"fmt"
|
|
"io"
|
|
"os"
|
|
"time"
|
|
|
|
"github.com/slackhq/nebula/cert"
|
|
)
|
|
|
|
type verifyFlags struct {
|
|
set *flag.FlagSet
|
|
caPath *string
|
|
certPath *string
|
|
}
|
|
|
|
func newVerifyFlags() *verifyFlags {
|
|
vf := verifyFlags{set: flag.NewFlagSet("verify", flag.ContinueOnError)}
|
|
vf.set.Usage = func() {}
|
|
vf.caPath = vf.set.String("ca", "", "Required: path to a file containing one or more ca certificates")
|
|
vf.certPath = vf.set.String("crt", "", "Required: path to a file containing a single certificate")
|
|
return &vf
|
|
}
|
|
|
|
func verify(args []string, out io.Writer, errOut io.Writer) error {
|
|
vf := newVerifyFlags()
|
|
err := vf.set.Parse(args)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := mustFlagString("ca", vf.caPath); err != nil {
|
|
return err
|
|
}
|
|
if err := mustFlagString("crt", vf.certPath); err != nil {
|
|
return err
|
|
}
|
|
|
|
caFile, err := os.Open(*vf.caPath)
|
|
if err != nil {
|
|
return fmt.Errorf("error while reading ca: %w", err)
|
|
}
|
|
defer caFile.Close()
|
|
|
|
caPool, err := cert.NewCAPoolFromPEMReader(caFile)
|
|
if err != nil && !errors.Is(err, cert.ErrExpired) {
|
|
return fmt.Errorf("error while adding ca cert to pool: %w", err)
|
|
}
|
|
|
|
rawCert, err := os.ReadFile(*vf.certPath)
|
|
if err != nil {
|
|
return fmt.Errorf("unable to read crt: %w", err)
|
|
}
|
|
var errs []error
|
|
for {
|
|
if len(rawCert) == 0 {
|
|
break
|
|
}
|
|
c, extra, err := cert.UnmarshalCertificateFromPEM(rawCert)
|
|
if err != nil {
|
|
return fmt.Errorf("error while parsing crt: %w", err)
|
|
}
|
|
rawCert = extra
|
|
_, err = caPool.VerifyCertificate(time.Now(), c)
|
|
if err != nil {
|
|
switch {
|
|
case errors.Is(err, cert.ErrCaNotFound):
|
|
errs = append(errs, fmt.Errorf("error while verifying certificate v%d %s with issuer %s: %w", c.Version(), c.Name(), c.Issuer(), err))
|
|
default:
|
|
errs = append(errs, fmt.Errorf("error while verifying certificate %+v: %w", c, err))
|
|
}
|
|
}
|
|
}
|
|
|
|
return errors.Join(errs...)
|
|
}
|
|
|
|
func verifySummary() string {
|
|
return "verify <flags>: verifies a certificate isn't expired and was signed by a trusted authority."
|
|
}
|
|
|
|
func verifyHelp(out io.Writer) {
|
|
vf := newVerifyFlags()
|
|
_, _ = out.Write([]byte("Usage of " + os.Args[0] + " " + verifySummary() + "\n"))
|
|
vf.set.SetOutput(out)
|
|
vf.set.PrintDefaults()
|
|
}
|