Fix certcache to allow self-signed certs. #360
Conversation
|
Note to reviewer: Marking this as "draft" because I'd rather not add another merge conflict for you to deal with in #349, plus maybe you have a better suggestion than my sentinel value hack. |
packager/certloader/certloader.go
Outdated
| @@ -41,7 +41,7 @@ func PopulateCertCache(config *util.Config, key crypto.PrivateKey, developmentMo | |||
| return nil, errors.Wrapf(err, "checking %s", config.CertFile) | |||
| } | |||
| } | |||
| certCache := certcache.New(certs, config.OCSPCache) | |||
| certCache := certcache.New(certs, config.OCSPCache, developmentMode) | |||
There was a problem hiding this comment.
I think you need to modify the certcache instantiation in gateway_server as well.
packager/certcache/certcache.go
Outdated
| @@ -51,6 +51,10 @@ const maxOCSPResponseBytes = 1024 * 1024 | |||
| // How often to check if OCSP stapling needs updating. | |||
| const ocspCheckInterval = 1 * time.Hour | |||
|
|
|||
| // Sentinel value used to communicate that a returned OCSP was fake, and the caller should not attempt to parse it. | |||
| // No, I'm not proud. | |||
| var fakeOCSP = []byte("fake ocsp response") | |||
There was a problem hiding this comment.
It is possible to create a valid OCSP response by using the private key of a self-signed cert such as gateway.go does. But it needs two certs to have the same private key.
amppackager/cmd/gateway_server/server.go
Lines 148 to 161 in c9993b8
Or we can add an additional config to specify the issuer private key file to create a valid OCSP response.
There was a problem hiding this comment.
Thanks for the pointer; I didn't remember that gateway server did that. However, it seems that the gateway server doesn't fully exercise the certcache code, so it succeeds, whereas my attempt to adopt this fails, with "error validating fake response: bad OCSP signature: x509: ECDSA verification failure". Can you take a look at https://play.golang.org/p/8owXw00LsRx and see if you can find the error in my code?
There was a problem hiding this comment.
The error can be resolved with the fix of https://play.golang.org/p/CvVyUD-_tji . The private key needs to be the issuer key which corresponds to the self-signed cert key in this case.
There was a problem hiding this comment.
Ah, yes, that makes perfect sense. Thanks for the bug fix; I've updated this to generate a GOOD OCSP response as suggested.
twifkak
force-pushed
the
self_signed
branch
2 times, most recently
from
ee697b7 to
5f7962d
Compare
If the cert doesn't have an AIA extension with an OCSP responder URL, then the cache will just include a fake (invalid) OCSP response in its cert-chain+cbor. This is sufficient for displaying the SXG in Chrome with --ignore-certificate-errors-spki-list.
If the cert doesn't have an AIA extension with an OCSP responder URL,
then the cache will just include a fake (invalid) OCSP response in its
cert-chain+cbor. This is sufficient for displaying the SXG in Chrome
with --ignore-certificate-errors-spki-list.
Fixes #352.