// Copyright 2017 The Cockroach Authors.
//
// Use of this software is governed by the Business Source License
// included in the file licenses/BSL.txt.
//
// As of the Change Date specified in that file, in accordance with
// the Business Source License, use of this software will be governed
// by the Apache License, Version 2.0, included in the file
// licenses/APL.txt.
package security
import (
"context"
"crypto/x509"
"io/ioutil"
"os"
"path/filepath"
"runtime"
"strings"
"time"
"github.com/cockroachdb/cockroach/pkg/util/envutil"
"github.com/cockroachdb/cockroach/pkg/util/log"
"github.com/cockroachdb/cockroach/pkg/util/sysutil"
"github.com/cockroachdb/errors"
"github.com/cockroachdb/errors/oserror"
)
// init fixes the process-wide default for key-file permission checks.
// Windows is always exempt; everywhere else the
// COCKROACH_SKIP_KEY_PERMISSION_CHECK environment variable (default false)
// decides. Individual loaders copy this value in NewCertificateLoader.
func init() {
	if runtime.GOOS != "windows" {
		skipPermissionChecks = envutil.EnvOrDefaultBool("COCKROACH_SKIP_KEY_PERMISSION_CHECK", false)
		return
	}
	// File modes on windows default to 0666 for r/w files:
	// https://golang.org/src/os/types_windows.go?#L31
	// This would fail any attempt to load keys, so we need to disable permission checks.
	skipPermissionChecks = true
}
// skipPermissionChecks is the package-wide default copied into every new
// CertificateLoader (see NewCertificateLoader). It is assigned once in init
// and governs whether findKey validates key-file modes and ownership.
var skipPermissionChecks bool
// AssetLoader describes the functions necessary to read certificate and key files.
// The fields mirror ioutil.ReadDir, ioutil.ReadFile and os.Stat (see
// defaultAssetLoader); SetAssetLoader installs an alternative.
type AssetLoader struct {
	// ReadDir lists the certs directory (CertificateLoader.Load).
	ReadDir func(dirname string) ([]os.FileInfo, error)
	// ReadFile returns the raw bytes of a certificate or key file.
	ReadFile func(filename string) ([]byte, error)
	// Stat is applied to a key file before it is read (findKey); the
	// default implementation follows symlinks.
	Stat func(name string) (os.FileInfo, error)
}
// defaultAssetLoader uses real filesystem calls.
var defaultAssetLoader = AssetLoader{
	ReadDir:  ioutil.ReadDir,
	ReadFile: ioutil.ReadFile,
	Stat:     os.Stat,
}

// assetLoaderImpl is used to list/read/stat security assets.
// It is a plain package-level variable: Get/Set/ResetAssetLoader read and
// write it without any synchronisation against a concurrent Load.
var assetLoaderImpl = defaultAssetLoader
// GetAssetLoader returns the active asset loader (a copy of the struct of
// function values currently installed).
func GetAssetLoader() (al AssetLoader) {
	al = assetLoaderImpl
	return
}
// SetAssetLoader overrides the asset loader with the passed-in one.
// This is a plain assignment to a package-level variable; callers are
// responsible for not racing it with Load. Use ResetAssetLoader to undo.
func SetAssetLoader(al AssetLoader) {
	assetLoaderImpl = al
}
// ResetAssetLoader restores the asset loader to the default value
// (real filesystem calls).
func ResetAssetLoader() {
	SetAssetLoader(defaultAssetLoader)
}
// PemUsage indicates the purpose of a given certificate.
type PemUsage uint32

const (
	_ PemUsage = iota
	// CAPem describes the main CA certificate.
	CAPem
	// TenantClientCAPem describes the CA certificate used to broker authN/Z for SQL
	// tenants wishing to access the KV layer.
	TenantClientCAPem
	// ClientCAPem describes the CA certificate used to verify client certificates.
	ClientCAPem
	// UICAPem describes the CA certificate used to verify the Admin UI server certificate.
	UICAPem
	// NodePem describes the server certificate for the node, possibly a combined server/client
	// certificate for user Node if a separate 'client.node.crt' is not present.
	NodePem
	// TenantNodePem describes the server certificate for a SQL tenant
	// server, for connections across SQL tenant servers.
	TenantNodePem
	// UIPem describes the server certificate for the admin UI.
	UIPem
	// ClientPem describes a client certificate.
	ClientPem
	// TenantClientPem describes a SQL tenant client certificate.
	TenantClientPem

	// Maximum allowable permissions for a key file.
	maxKeyPermissions os.FileMode = 0700
	// Maximum allowable permissions if the key file is owned by root.
	maxGroupKeyPermissions os.FileMode = 0740

	// Filename extensions.
	certExtension = `.crt`
	keyExtension  = `.key`

	// Certificate directory permissions.
	defaultCertsDirPerm = 0700
)

// pemUsageNames holds the display form returned by PemUsage.String.
var pemUsageNames = map[PemUsage]string{
	CAPem:             "CA",
	ClientCAPem:       "Client CA",
	TenantClientCAPem: "Tenant Client CA",
	UICAPem:           "UI CA",
	NodePem:           "Node",
	TenantNodePem:     "Tenant Node",
	UIPem:             "UI",
	ClientPem:         "Client",
	TenantClientPem:   "Tenant Client",
}

// isCA reports whether usage is one of the CA certificates (main, client,
// tenant client, UI) as opposed to a leaf certificate.
func isCA(usage PemUsage) bool {
	switch usage {
	case CAPem, ClientCAPem, TenantClientCAPem, UICAPem:
		return true
	}
	return false
}

// String returns the display name of the usage, or "unknown" for a value
// outside the defined set.
func (p PemUsage) String() string {
	if name, ok := pemUsageNames[p]; ok {
		return name
	}
	return "unknown"
}
// CertInfo describes a certificate file and optional key file.
// To obtain the full path, Filename and KeyFilename must be joined
// with the certs directory.
// The key may not be present if this is a CA certificate.
// If Err != nil, the CertInfo must NOT be used.
type CertInfo struct {
	// FileUsage describes the use of this certificate (derived from the
	// filename prefix by CertInfoFromFilename).
	FileUsage PemUsage
	// Filename is the base filename of the certificate.
	Filename string
	// FileContents is the raw cert file data.
	FileContents []byte
	// KeyFilename is the base filename of the key, blank if not found (CA certs only).
	KeyFilename string
	// KeyFileContents is the raw key file data.
	KeyFileContents []byte
	// Name is the blob in the middle of the filename. eg: username for client certs.
	Name string
	// Parsed certificates. This is used by debugging/printing/monitoring only,
	// TLS config objects are passed raw certificate file contents.
	// CA certs may contain (and use) more than one certificate.
	// Client/Server certs may contain more than one, but only the first certificate will be used.
	ParsedCertificates []*x509.Certificate
	// ExpirationTime is the "Not After" date of the first parsed certificate
	// in the file; parseCertificate does not consult the remaining ones.
	ExpirationTime time.Time
	// Error is any error encountered when loading the certificate/key pair.
	// For example: bad permissions on the key will be stored here.
	Error error
}
// isCertificateFile reports whether filename ends in the certificate
// extension (.crt). Only the suffix is inspected; the rest of the name is
// interpreted later by CertInfoFromFilename.
func isCertificateFile(filename string) bool {
	start := len(filename) - len(certExtension)
	return start >= 0 && filename[start:] == certExtension
}
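// fixedNameCerts lists the filename prefixes that carry no variable middle
// part: the file must be exactly "<prefix>.crt". desc is the wording used in
// the error reported when such a name has extra components.
var fixedNameCerts = map[string]struct {
	usage PemUsage
	desc  string
}{
	`ca`:               {usage: CAPem, desc: "CA"},
	`ca-client`:        {usage: ClientCAPem, desc: "client CA"},
	`ca-client-tenant`: {usage: TenantClientCAPem, desc: "tenant CA"},
	`ca-ui`:            {usage: UICAPem, desc: "UI CA"},
	`node`:             {usage: NodePem, desc: "node"},
	`sql-node`:         {usage: TenantNodePem, desc: "SQL node"},
	`ui`:               {usage: UIPem, desc: "UI"},
}

// CertInfoFromFilename takes a filename and attempts to determine the
// certificate usage (ca, node, etc..).
//
// filename is the base name of a file in the certs directory. It is split on
// '.'; the first part selects the usage and the last part is taken to be the
// extension (callers are expected to have applied isCertificateFile first,
// the extension itself is not re-checked here). For "client" and
// "client-tenant" files the middle parts are re-joined into Name
// (e.g. "client.root.crt" gives Name "root"); every other recognised prefix
// must be followed directly by the extension. The returned CertInfo carries
// only FileUsage, Filename and Name; contents are loaded by the caller.
// An error is returned for an unknown prefix or a name of the wrong shape.
func CertInfoFromFilename(filename string) (*CertInfo, error) {
	parts := strings.Split(filename, `.`)
	numParts := len(parts)
	if numParts < 2 {
		return nil, errors.New("not enough parts found")
	}
	prefix := parts[0]
	var fileUsage PemUsage
	var name string
	switch prefix {
	case `client`:
		fileUsage = ClientPem
		// Strip prefix and suffix and re-join middle parts.
		name = strings.Join(parts[1:numParts-1], `.`)
		if len(name) == 0 {
			return nil, errors.Errorf("client certificate filename should match client.<user>%s", certExtension)
		}
	case `client-tenant`:
		fileUsage = TenantClientPem
		// Strip prefix and suffix and re-join middle parts.
		name = strings.Join(parts[1:numParts-1], `.`)
		if len(name) == 0 {
			return nil, errors.Errorf("tenant certificate filename should match client-tenant.<tenantid>%s", certExtension)
		}
	default:
		fixed, ok := fixedNameCerts[prefix]
		if !ok {
			return nil, errors.Errorf("unknown prefix %q", prefix)
		}
		if numParts != 2 {
			// The expected name is built from the prefix itself so the
			// message cannot name the wrong file (the hand-written messages
			// for ca-client-tenant and sql-node previously did).
			return nil, errors.Errorf("%s certificate filename should match %s%s", fixed.desc, prefix, certExtension)
		}
		fileUsage = fixed.usage
	}
	return &CertInfo{
		FileUsage: fileUsage,
		Filename:  filename,
		Name:      name,
	}, nil
}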
// CertificateLoader searches for certificates and keys in the certs directory.
type CertificateLoader struct {
	// certsDir is the directory scanned by Load and created on demand by
	// MaybeCreateCertsDir.
	certsDir string
	// skipPermissionChecks disables the key-file mode/ownership checks in
	// findKey. It starts as the package-level default (NewCertificateLoader)
	// and can be forced on per instance by TestDisablePermissionChecks.
	skipPermissionChecks bool
	// certificates accumulates one entry per recognised .crt file across
	// Load calls, including entries whose Error is set.
	certificates []*CertInfo
}
// Certificates returns the loaded certificates. The slice is the loader's
// own backing store, not a copy, so callers must not modify it.
func (cl *CertificateLoader) Certificates() (certs []*CertInfo) {
	certs = cl.certificates
	return
}
// NewCertificateLoader creates a new instance of the certificate loader for
// certsDir. Permission checking follows the package-level default at the time
// of the call, and the certificate list starts empty (non-nil).
func NewCertificateLoader(certsDir string) *CertificateLoader {
	cl := &CertificateLoader{certsDir: certsDir}
	cl.skipPermissionChecks = skipPermissionChecks
	cl.certificates = make([]*CertInfo, 0)
	return cl
}
// MaybeCreateCertsDir creates the certificate directory if it does not
// exist. Returns an error if we could not stat or create the directory,
// or if the path exists but is not a directory.
//
// The directory is created with defaultCertsDirPerm (0700, further reduced
// by the process umask on Unix). Note that this method talks to the real
// filesystem via os.Stat/os.Mkdir rather than through the AssetLoader.
func (cl *CertificateLoader) MaybeCreateCertsDir() error {
	dirInfo, err := os.Stat(cl.certsDir)
	switch {
	case err == nil:
		if dirInfo.IsDir() {
			return nil
		}
		return errors.Errorf("certs directory %s exists but is not a directory", cl.certsDir)
	case !oserror.IsNotExist(err):
		return makeErrorf(err, "could not stat certs directory %s", cl.certsDir)
	}
	// Stat reported the path as missing: create it.
	if mkErr := os.Mkdir(cl.certsDir, defaultCertsDirPerm); mkErr != nil {
		return makeErrorf(mkErr, "could not create certs directory %s", cl.certsDir)
	}
	return nil
}
// TestDisablePermissionChecks turns off permissions checks.
// Used by tests only.
// Unlike the package-level default, this affects only this loader instance,
// and there is no way to turn the checks back on once disabled.
func (cl *CertificateLoader) TestDisablePermissionChecks() {
	cl.skipPermissionChecks = true
}
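// Load examines all .crt files in the certs directory, determines their
// usage, and looks for their keys.
// It populates the certificates field.
//
// A missing certs directory is not an error: Load returns nil and loads
// nothing. Any other ReadDir failure is returned unwrapped. Sub-directories,
// files without the .crt extension and files whose name is not understood by
// CertInfoFromFilename are skipped with a log message. Every other .crt file
// produces a CertInfo that is appended to cl.certificates even when it is
// unusable: a read, parse or key-lookup failure is logged and recorded in
// CertInfo.Error so that callers can surface it. Repeated calls accumulate
// entries rather than replacing them.
func (cl *CertificateLoader) Load() error {
	ctx := context.Background()
	fileInfos, err := assetLoaderImpl.ReadDir(cl.certsDir)
	if err != nil {
		if oserror.IsNotExist(err) {
			// Directory does not exist.
			if log.V(3) {
				log.Infof(ctx, "missing certs directory %s", cl.certsDir)
			}
			return nil
		}
		return err
	}
	if log.V(3) {
		log.Infof(ctx, "scanning certs directory %s", cl.certsDir)
	}
	// Walk the directory contents.
	for _, info := range fileInfos {
		filename := info.Name()
		fullPath := filepath.Join(cl.certsDir, filename)
		if info.IsDir() {
			// Skip subdirectories.
			if log.V(3) {
				log.Infof(ctx, "skipping sub-directory %s", fullPath)
			}
			continue
		}
		if !isCertificateFile(filename) {
			if log.V(3) {
				log.Infof(ctx, "skipping non-certificate file %s", filename)
			}
			continue
		}
		// Build the info struct from the filename.
		ci, err := CertInfoFromFilename(filename)
		if err != nil {
			log.Warningf(ctx, "bad filename %s: %v", fullPath, err)
			continue
		}
		cl.certificates = append(cl.certificates, cl.loadCertContents(ctx, ci, fullPath))
	}
	return nil
}

// loadCertContents reads the certificate at fullPath into ci, parses it and
// resolves its key. The first failure is logged and stored in ci.Error and
// later steps are skipped; ci is always returned so the caller can record it.
func (cl *CertificateLoader) loadCertContents(
	ctx context.Context, ci *CertInfo, fullPath string,
) *CertInfo {
	certPEMBlock, err := assetLoaderImpl.ReadFile(fullPath)
	if err != nil {
		// Record the real cause. Falling through with nil contents would
		// instead surface a misleading "empty certificate file" error from
		// parseCertificate.
		log.Warningf(ctx, "could not read certificate file %s: %v", fullPath, err)
		ci.Error = errors.Wrapf(err, "could not read certificate file %s", fullPath)
		return ci
	}
	ci.FileContents = certPEMBlock
	// Parse certificate, then look for the private key.
	// Errors are persisted for better visibility later.
	if err := parseCertificate(ci); err != nil {
		log.Warningf(ctx, "could not parse certificate for %s: %v", fullPath, err)
		ci.Error = err
		return ci
	}
	if err := cl.findKey(ci); err != nil {
		log.Warningf(ctx, "error finding key for %s: %v", fullPath, err)
		ci.Error = err
		return ci
	}
	if log.V(3) {
		log.Infof(ctx, "found certificate %s", ci.Filename)
	}
	return ci
}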
// findKey takes a CertInfo and looks for the corresponding key file.
// If found, sets the 'keyFilename' and returns nil, returns error otherwise.
// Does not load CA keys.
//
// The key is expected next to the certificate with the .crt extension
// replaced by .key. It is stat'ed through the asset loader (the default
// follows symlinks) and must be a regular file. Unless permission checks are
// disabled for this loader, its mode and ownership are then validated by
// checkFilePermissions before the contents are read. KeyFilename and
// KeyFileContents are assigned only on success. The stat/permission check
// and the read are separate operations on the path, so a file replaced in
// between is not re-validated.
func (cl *CertificateLoader) findKey(ci *CertInfo) error {
	if isCA(ci.FileUsage) {
		// CA keys are never loaded here.
		return nil
	}
	keyFilename := strings.TrimSuffix(ci.Filename, certExtension) + keyExtension
	fullKeyPath := filepath.Join(cl.certsDir, keyFilename)

	info, err := assetLoaderImpl.Stat(fullKeyPath)
	if err != nil {
		return errors.Wrapf(err, "could not stat key file %s", fullKeyPath)
	}
	// Only regular files are supported (after following symlinks).
	if mode := info.Mode(); !mode.IsRegular() {
		return errors.Errorf("key file %s is not a regular file", fullKeyPath)
	}
	if !cl.skipPermissionChecks {
		aclInfo := sysutil.GetFileACLInfo(info)
		if permErr := checkFilePermissions(os.Getgid(), fullKeyPath, aclInfo); permErr != nil {
			return permErr
		}
	}
	return cl.readKeyFile(ci, keyFilename, fullKeyPath)
}

// readKeyFile reads the key at fullKeyPath and, on success, records its name
// and contents in ci.
func (cl *CertificateLoader) readKeyFile(ci *CertInfo, keyFilename, fullKeyPath string) error {
	keyPEMBlock, err := assetLoaderImpl.ReadFile(fullKeyPath)
	if err != nil {
		return errors.Wrapf(err, "could not read key file %s", fullKeyPath)
	}
	ci.KeyFilename = keyFilename
	ci.KeyFileContents = keyPEMBlock
	return nil
}
// parseCertificate attempts to parse the cert file contents into x509 certificate objects.
// The Error field must be nil on entry; a CertInfo that has already failed is rejected.
//
// Every PEM block in FileContents is parsed and stored in ParsedCertificates
// in file order. Only the first certificate is validated against the file's
// usage (validateCockroachCertificate) and only its NotAfter becomes
// ExpirationTime. On any error ci is left unmodified.
func parseCertificate(ci *CertInfo) error {
	if ci.Error != nil {
		return makeErrorf(ci.Error, "parseCertificate called on bad CertInfo object: %s", ci.Filename)
	}
	if len(ci.FileContents) == 0 {
		return errors.Errorf("empty certificate file: %s", ci.Filename)
	}
	// PEM-decode the file.
	pemBlocks, err := PEMToCertificates(ci.FileContents)
	if err != nil {
		return makeErrorf(err, "failed to parse certificate file %s as PEM", ci.Filename)
	}
	// Make sure we get at least one certificate.
	if len(pemBlocks) == 0 {
		return errors.Errorf("no certificates found in %s", ci.Filename)
	}
	parsed := make([]*x509.Certificate, 0, len(pemBlocks))
	var expires time.Time
	for i := range pemBlocks {
		cert, parseErr := x509.ParseCertificate(pemBlocks[i].Bytes)
		if parseErr != nil {
			return makeErrorf(parseErr, "failed to parse certificate %d in file %s", i, ci.Filename)
		}
		if len(parsed) == 0 {
			// Only the first certificate is checked and supplies the expiration.
			if validErr := validateCockroachCertificate(ci, cert); validErr != nil {
				return makeErrorf(validErr, "failed to validate certificate %d in file %s", i, ci.Filename)
			}
			expires = cert.NotAfter
		}
		parsed = append(parsed, cert)
	}
	ci.ParsedCertificates = parsed
	ci.ExpirationTime = expires
	return nil
}
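// validateDualPurposeNodeCert takes a CertInfo and a parsed certificate and checks the
// values of certain fields.
// This should only be called on the NodePem CertInfo when there is no specific
// client certificate for the 'node' user.
// Fields required for a valid server certificate are already checked.
//
// ci may be nil (reported as "no node certificate found"). A CertInfo whose
// Error is set returns that error unchanged. The first parsed certificate
// must list nodeUser among its principals (getCertificatePrincipals).
func validateDualPurposeNodeCert(ci *CertInfo, nodeUser string) error {
	if ci == nil {
		return errors.Errorf("no node certificate found")
	}
	if ci.Error != nil {
		return ci.Error
	}
	// A CertInfo that never went through parseCertificate has no parsed
	// certificates and a nil Error; indexing [0] below would panic.
	if len(ci.ParsedCertificates) == 0 {
		return errors.Errorf("node certificate %s has no parsed certificates", ci.Filename)
	}
	// The first certificate is used in client auth.
	cert := ci.ParsedCertificates[0]
	principals := getCertificatePrincipals(cert)
	if !Contains(principals, nodeUser) {
		return errors.Errorf("client/server node certificate has principals %q, expected %q",
			principals, nodeUser)
	}
	return nil
}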
// validateCockroachCertificate takes a CertInfo and a parsed certificate and checks the
// values of certain fields.
//
// Only ClientPem certificates are checked here: their principals must include
// the username taken from the filename (ci.Name). NodePem and TenantNodePem
// are deliberately not checked, since their principal is only validated by
// validateDualPurposeNodeCert when no dedicated client certificate exists.
// NOTE(review): TenantClientPem is not matched against ci.Name in this
// function either; whether that is intended is not visible from here.
func validateCockroachCertificate(ci *CertInfo, cert *x509.Certificate) error {
	if ci.FileUsage != ClientPem {
		return nil
	}
	principals := getCertificatePrincipals(cert)
	if Contains(principals, ci.Name) {
		return nil
	}
	return errors.Errorf("client certificate has principals %q, expected %q",
		principals, ci.Name)
}