config: add client_crl (#2157)

* config: add client_crl

* address comments

* add ignored file
Caleb Doxsey 2021-04-30 14:36:32 -06:00 committed by GitHub
parent a43d666d56
commit b5b1013947
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 404 additions and 215 deletions


@ -13,9 +13,12 @@ import (
"fmt"
"math/big"
"net"
"os"
"time"
)
const crlPemType = "X509 CRL"
// CertificateFromBase64 returns an X509 pair from a base64 encoded blob.
func CertificateFromBase64(cert, key string) (*tls.Certificate, error) {
decodedCert, err := base64.StdEncoding.DecodeString(cert)
@ -37,6 +40,45 @@ func CertificateFromFile(certFile, keyFile string) (*tls.Certificate, error) {
return &cert, err
}
// CRLFromBase64 parses a certificate revocation list from a base64 encoded blob.
func CRLFromBase64(rawCRL string) (*pkix.CertificateList, error) {
bs, err := base64.StdEncoding.DecodeString(rawCRL)
if err != nil {
return nil, fmt.Errorf("cryptutil: failed to decode base64 crl: %w", err)
}
return DecodeCRL(bs)
}
// CRLFromFile parses a certificate revocation list from a file.
func CRLFromFile(fileName string) (*pkix.CertificateList, error) {
bs, err := os.ReadFile(fileName)
if err != nil {
return nil, fmt.Errorf("cryptutil: failed to read crl file (%s): %w", fileName, err)
}
return DecodeCRL(bs)
}
// DecodeCRL decodes a PEM-encoded certificate revocation list.
func DecodeCRL(encodedCRL []byte) (*pkix.CertificateList, error) {
data := encodedCRL
for len(data) > 0 {
var block *pem.Block
block, data = pem.Decode(data)
if block == nil {
break
}
if block.Type == crlPemType {
lst, err := x509.ParseDERCRL(block.Bytes)
if err != nil {
return nil, fmt.Errorf("cryptutil: failed to parse crl: %w", err)
}
return lst, nil
}
}
return nil, fmt.Errorf("cryptutil: invalid crl, no %s block found", crlPemType)
}
// DecodePublicKey decodes a PEM-encoded ECDSA public key.
func DecodePublicKey(encodedKey []byte) (*ecdsa.PublicKey, error) {
block, _ := pem.Decode(encodedKey)