route/vendor/github.com/lucas-clemente/quic-go/internal/crypto/cert_manager.go

package crypto

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"hash/fnv"
	"time"

	"github.com/lucas-clemente/quic-go/qerr"
)

// CertManager manages the certificates sent by the server
type CertManager interface {
	SetData([]byte) error
	GetCommonCertificateHashes() []byte
	GetLeafCert() []byte
	GetLeafCertHash() (uint64, error)
	VerifyServerProof(proof, chlo, serverConfigData []byte) bool
	Verify(hostname string) error
	GetChain() []*x509.Certificate
}

type certManager struct {
	chain  []*x509.Certificate
	config *tls.Config
}

var _ CertManager = &certManager{}

var errNoCertificateChain = errors.New("CertManager BUG: No certicifate chain loaded")

// NewCertManager creates a new CertManager
func NewCertManager(tlsConfig *tls.Config) CertManager {
	return &certManager{config: tlsConfig}
}

// SetData takes the byte-slice sent in the SHLO and decompresses it into the certificate chain
func (c *certManager) SetData(data []byte) error {
	byteChain, err := decompressChain(data)
	if err != nil {
		return qerr.Error(qerr.InvalidCryptoMessageParameter, "Certificate data invalid")
	}

	chain := make([]*x509.Certificate, len(byteChain))
	for i, data := range byteChain {
		cert, err := x509.ParseCertificate(data)
		if err != nil {
			return err
		}
		chain[i] = cert
	}

	c.chain = chain
	return nil
}

func (c *certManager) GetChain() []*x509.Certificate {
	return c.chain
}

func (c *certManager) GetCommonCertificateHashes() []byte {
	return getCommonCertificateHashes()
}

// GetLeafCert returns the leaf certificate of the certificate chain
// it returns nil if the certificate chain has not yet been set
func (c *certManager) GetLeafCert() []byte {
	if len(c.chain) == 0 {
		return nil
	}
	return c.chain[0].Raw
}

// GetLeafCertHash calculates the FNV1a_64 hash of the leaf certificate
func (c *certManager) GetLeafCertHash() (uint64, error) {
	leafCert := c.GetLeafCert()
	if leafCert == nil {
		return 0, errNoCertificateChain
	}

	h := fnv.New64a()
	_, err := h.Write(leafCert)
	if err != nil {
		return 0, err
	}
	return h.Sum64(), nil
}

// VerifyServerProof verifies the signature of the server config
// it should only be called after the certificate chain has been set, otherwise it returns false
func (c *certManager) VerifyServerProof(proof, chlo, serverConfigData []byte) bool {
	if len(c.chain) == 0 {
		return false
	}

	return verifyServerProof(proof, c.chain[0], chlo, serverConfigData)
}

// Verify verifies the certificate chain
func (c *certManager) Verify(hostname string) error {
	if len(c.chain) == 0 {
		return errNoCertificateChain
	}

	if c.config != nil && c.config.InsecureSkipVerify {
		return nil
	}

	leafCert := c.chain[0]

	var opts x509.VerifyOptions
	if c.config != nil {
		opts.Roots = c.config.RootCAs
		if c.config.Time == nil {
			opts.CurrentTime = time.Now()
		} else {
			opts.CurrentTime = c.config.Time()
		}
	}
	// we don't need to care about the tls.Config.ServerName here, since hostname has already been set to that value in the session setup
	opts.DNSName = hostname

	// the first certificate is the leaf certificate, all others are intermediates
	if len(c.chain) > 1 {
		intermediates := x509.NewCertPool()
		for i := 1; i < len(c.chain); i++ {
			intermediates.AddCert(c.chain[i])
		}
		opts.Intermediates = intermediates
	}

	_, err := leafCert.Verify(opts)
	return err
}
cmd/routed: add quic support 2017-12-12 02:51:45 +00:00			`package crypto`

			`import (`
			`"crypto/tls"`
			`"crypto/x509"`
			`"errors"`
			`"hash/fnv"`
			`"time"`

			`"github.com/lucas-clemente/quic-go/qerr"`
			`)`

			`// CertManager manages the certificates sent by the server`
			`type CertManager interface {`
			`SetData([]byte) error`
			`GetCommonCertificateHashes() []byte`
			`GetLeafCert() []byte`
			`GetLeafCertHash() (uint64, error)`
			`VerifyServerProof(proof, chlo, serverConfigData []byte) bool`
			`Verify(hostname string) error`
update quic 2018-01-20 18:07:01 +00:00			`GetChain() []*x509.Certificate`
cmd/routed: add quic support 2017-12-12 02:51:45 +00:00			`}`

			`type certManager struct {`
			`chain []*x509.Certificate`
			`config *tls.Config`
			`}`

			`var _ CertManager = &certManager{}`

			`var errNoCertificateChain = errors.New("CertManager BUG: No certicifate chain loaded")`

			`// NewCertManager creates a new CertManager`
			`func NewCertManager(tlsConfig *tls.Config) CertManager {`
			`return &certManager{config: tlsConfig}`
			`}`

			`// SetData takes the byte-slice sent in the SHLO and decompresses it into the certificate chain`
			`func (c *certManager) SetData(data []byte) error {`
			`byteChain, err := decompressChain(data)`
			`if err != nil {`
			`return qerr.Error(qerr.InvalidCryptoMessageParameter, "Certificate data invalid")`
			`}`

upgrade all the dependencies 2018-01-03 19:19:49 +00:00			`chain := make([]*x509.Certificate, len(byteChain))`
cmd/routed: add quic support 2017-12-12 02:51:45 +00:00			`for i, data := range byteChain {`
			`cert, err := x509.ParseCertificate(data)`
			`if err != nil {`
			`return err`
			`}`
			`chain[i] = cert`
			`}`

			`c.chain = chain`
			`return nil`
			`}`

update quic 2018-01-20 18:07:01 +00:00			`func (c certManager) GetChain() []x509.Certificate {`
			`return c.chain`
			`}`

cmd/routed: add quic support 2017-12-12 02:51:45 +00:00			`func (c *certManager) GetCommonCertificateHashes() []byte {`
			`return getCommonCertificateHashes()`
			`}`

			`// GetLeafCert returns the leaf certificate of the certificate chain`
			`// it returns nil if the certificate chain has not yet been set`
			`func (c *certManager) GetLeafCert() []byte {`
			`if len(c.chain) == 0 {`
			`return nil`
			`}`
			`return c.chain[0].Raw`
			`}`

			`// GetLeafCertHash calculates the FNV1a_64 hash of the leaf certificate`
			`func (c *certManager) GetLeafCertHash() (uint64, error) {`
			`leafCert := c.GetLeafCert()`
			`if leafCert == nil {`
			`return 0, errNoCertificateChain`
			`}`

			`h := fnv.New64a()`
			`_, err := h.Write(leafCert)`
			`if err != nil {`
			`return 0, err`
			`}`
			`return h.Sum64(), nil`
			`}`

			`// VerifyServerProof verifies the signature of the server config`
			`// it should only be called after the certificate chain has been set, otherwise it returns false`
			`func (c *certManager) VerifyServerProof(proof, chlo, serverConfigData []byte) bool {`
			`if len(c.chain) == 0 {`
			`return false`
			`}`

			`return verifyServerProof(proof, c.chain[0], chlo, serverConfigData)`
			`}`

			`// Verify verifies the certificate chain`
			`func (c *certManager) Verify(hostname string) error {`
			`if len(c.chain) == 0 {`
			`return errNoCertificateChain`
			`}`

			`if c.config != nil && c.config.InsecureSkipVerify {`
			`return nil`
			`}`

			`leafCert := c.chain[0]`

			`var opts x509.VerifyOptions`
			`if c.config != nil {`
			`opts.Roots = c.config.RootCAs`
			`if c.config.Time == nil {`
			`opts.CurrentTime = time.Now()`
			`} else {`
			`opts.CurrentTime = c.config.Time()`
			`}`
			`}`
upgrade all the dependencies 2018-01-03 19:19:49 +00:00			`// we don't need to care about the tls.Config.ServerName here, since hostname has already been set to that value in the session setup`
			`opts.DNSName = hostname`
cmd/routed: add quic support 2017-12-12 02:51:45 +00:00
			`// the first certificate is the leaf certificate, all others are intermediates`
			`if len(c.chain) > 1 {`
			`intermediates := x509.NewCertPool()`
			`for i := 1; i < len(c.chain); i++ {`
			`intermediates.AddCert(c.chain[i])`
			`}`
			`opts.Intermediates = intermediates`
			`}`

			`_, err := leafCert.Verify(opts)`
			`return err`
			`}`