From 9f7861ffe1397da514606b189f5b3e383f4e7ed7 Mon Sep 17 00:00:00 2001
From: Mike Crute
Date: Tue, 19 Sep 2017 04:39:36 +0000
Subject: Finish out most of the proxy functionality

---
 key_validator.go | 36 +++++++++++++++++++-----------------
 1 file changed, 19 insertions(+), 17 deletions(-)
(limited to 'key_validator.go')

diff --git a/key_validator.go b/key_validator.go
index fe6eb7b..062d78c 100644
--- a/key_validator.go
+++ b/key_validator.go
@@ -4,11 +4,13 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
-	"fmt"
+	"github.com/pkg/errors"
 	"gopkg.in/square/go-jose.v2"
 	"io/ioutil"
 )
 
+// TODO: CRL validation
+
 type KeyValidator interface {
 	Validate(jose.JSONWebKey) error
 	LoadRootPEM(string) error
@@ -31,17 +33,17 @@ func NewKeyValidator(subject string) KeyValidator {
 func (v *keyValidator) LoadRootPEM(filename string) error {
 	pem_data, err := ioutil.ReadFile(filename)
 	if err != nil {
-		return err
+		return errors.WithStack(err)
 	}
 
 	pem_block, _ := pem.Decode(pem_data)
 	if pem_block == nil {
-		return fmt.Errorf("PEM decode failed")
+		return errors.Errorf("PEM decode failed")
 	}
 
 	cert, err := x509.ParseCertificate(pem_block.Bytes)
 	if err != nil {
-		return err
+		return errors.WithStack(err)
 	}
 
 	v.roots.AddCert(cert)
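Review bot: The import block now mixes the third-party `github.com/pkg/errors` and `gopkg.in/square/go-jose.v2` into the standard-library group; goimports convention is the stdlib imports first, a blank line, then the external packages. The new `// TODO: CRL validation` is placed above the KeyValidator interface rather than next to `validateCertificateCRL`, which is the method Validate relies on for revocation; moving it there, as `// TODO: CRL validation is not implemented in validateCertificateCRL yet`, keeps the gap visible beside the code it concerns. What validateCertificateCRL currently does is not visible in this diff, so the wording should be checked against its body.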
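Review bot: The new `errors.WithStack(err)` returns after `ioutil.ReadFile` and `x509.ParseCertificate` attach a stack but still drop the one fact the caller needs, the file being loaded; `errors.Wrapf(err, "reading root PEM %q", filename)` carries both. `errors.Errorf("PEM decode failed")` has no format verbs and should be `errors.New`. Beyond the wrapping, `pem.Decode` yields only the first block and the remainder is thrown away with `_`, and the block's `Type` is never checked, so a bundle file contributes a single root and a leading non-certificate block is handed straight to `ParseCertificate`; the loop below loads every CERTIFICATE block and keeps the existing empty-file error. LoadRootPEM's closing lines are outside the hunk.
```go
func (v *keyValidator) LoadRootPEM(filename string) error {
	pem_data, err := ioutil.ReadFile(filename)
	if err != nil {
		return errors.Wrapf(err, "reading root PEM %q", filename)
	}

	// pem.Decode returns one block per call; walk the whole file so a
	// bundle contributes every CERTIFICATE block, and skip other block types.
	loaded := 0
	for rest := pem_data; len(rest) > 0; {
		var pem_block *pem.Block
		pem_block, rest = pem.Decode(rest)
		if pem_block == nil {
			break
		}
		if pem_block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(pem_block.Bytes)
		if err != nil {
			return errors.Wrapf(err, "parsing certificate in %q", filename)
		}
		v.roots.AddCert(cert)
		loaded++
	}
	if loaded == 0 {
		return errors.Errorf("no CERTIFICATE block found in %q", filename)
	}
	// … unchanged: remainder of LoadRootPEM …
```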
@@ -52,40 +54,40 @@ func (v *keyValidator) LoadRootPEM(filename string) error {
 func (v *keyValidator) Validate(key jose.JSONWebKey) error {
 	pk, ok := key.Key.(*rsa.PublicKey)
 	if !ok {
-		return fmt.Errorf("Key type is not RSA")
+		return errors.Errorf("Key type is not RSA")
 	}
 
 	if !v.algorithms.Contains(key.Algorithm) {
-		return fmt.Errorf("Key algorithm is not supported")
+		return errors.Errorf("Key algorithm is not supported")
 	}
 
 	cert := key.Certificates[0]
 	cpk, ok := cert.PublicKey.(*rsa.PublicKey)
 	if !ok {
-		return fmt.Errorf("Public key is not RSA")
+		return errors.Errorf("Public key is not RSA")
 	}
 
 	if cpk.N.BitLen() < 2048 {
-		return fmt.Errorf("Key length less than 2048 bits")
+		return errors.Errorf("Key length less than 2048 bits")
 	}
 
 	if cert.KeyUsage&x509.KeyUsageDigitalSignature != 1 {
-		return fmt.Errorf("Certificate not valid for digital signatures")
+		return errors.Errorf("Certificate not valid for digital signatures")
 	}
 
 	err := v.validateCertificateChain(key.Certificates)
 	if err != nil {
-		return err
+		return errors.WithStack(err)
 	}
 
 	err = v.validateCertificateCRL(cert)
 	if err != nil {
-		return err
+		return errors.WithStack(err)
 	}
 
 	err = v.validatePublicKeyInCertificate(pk, cpk)
 	if err != nil {
-		return err
+		return errors.WithStack(err)
 	}
 
 	return nil
@@ -116,15 +118,15 @@ func (v *keyValidator) validateCertificateChain(chain []*x509.Certificate) error
 
 	chains, err := chain[0].Verify(vo)
 	if err != nil {
-		return err
+		return errors.WithStack(err)
 	}
 
 	if len(chains) <= 0 {
-		return fmt.Errorf("No valid certificate chains found")
+		return errors.Errorf("No valid certificate chains found")
 	}
 
 	if chain[0].Subject.CommonName != v.pkiSubject {
-		return fmt.Errorf("Invalid certificate subject name")
+		return errors.Errorf("Invalid certificate subject name")
 	}
 
 	return nil
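Review bot: `cert := key.Certificates[0]` indexes the x5c chain without a length check, so a JWK that carries no certificates panics inside Validate instead of being rejected; add `if len(key.Certificates) == 0 { return errors.New("key carries no x5c certificate chain") }` before that line. The three `errors.WithStack(err)` returns on the validate* helpers add a second stack trace to errors that, after this commit, already carry one from the `errors.WithStack`/`errors.Errorf` calls inside those helpers (hunks at -116 and -133); returning `err` unchanged, or `errors.Wrap(err, "certificate chain")` when a message is wanted, avoids the duplicate. `errors.Errorf` with a constant string and no verbs is `errors.New` in disguise, here and in the -116 and -133 hunks. `cert.KeyUsage&x509.KeyUsageDigitalSignature != 1` works only because that bit happens to have the value 1; the conventional mask test is `== 0`.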
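Review bot: `len(chains) <= 0` on a slice reads as if the length could be negative; `len(chains) == 0` says what is meant, and since `Verify` already returns an error when it finds no chain this branch is likely unreachable and deserves a comment if it is kept as a second line of defence. The `errors.WithStack(err)` after `chain[0].Verify(vo)` records where the failure surfaced but not what was being done; `errors.Wrap(err, "verifying certificate chain")` gives the caller both. The construction of `vo` and the start of validateCertificateChain are outside the hunk.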
@@ -133,11 +135,11 @@ func (v *keyValidator) validateCertificateChain(chain []*x509.Certificate) error
 // validate first item of x5c matches n and e
 func (v *keyValidator) validatePublicKeyInCertificate(pk *rsa.PublicKey, cpk *rsa.PublicKey) error {
 	if cpk.E != pk.E {
-		return fmt.Errorf("E in key and E in cert do not match")
+		return errors.Errorf("E in key and E in cert do not match")
 	}
 
 	if pk.N.Cmp(cpk.N) != 0 {
-		return fmt.Errorf("N in key and N in cert do not match")
+		return errors.Errorf("N in key and N in cert do not match")
 	}
 
 	return nil
-- 
cgit v1.2.3
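Review bot: The doc comment `// validate first item of x5c matches n and e` does not start with the function name, so godoc and linters do not associate it with the method; `// validatePublicKeyInCertificate returns an error unless the JWK's RSA modulus and exponent equal those of the first x5c certificate.` follows the convention and states the contract the caller relies on. The parameter list can be shortened to `(pk, cpk *rsa.PublicKey)` since both share a type.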