package cryptutil
import (
"crypto/x509"
"strings"
)
// certUsage is a small bitmask recording which of the extended key usages
// this index cares about a certificate carries. A certificate may hold both
// bits; a zero value means neither serverAuth nor clientAuth was found by
// getCertUsage, and such a certificate never overlaps anything in match.
type certUsage byte

const (
	// certUsageServerAuth (bit 0) marks a certificate with the serverAuth EKU.
	certUsageServerAuth = certUsage(1 << iota)
	// certUsageClientAuth (bit 1) marks a certificate with the clientAuth EKU.
	certUsageClientAuth
)
// A CertificatesIndex indexes certificates to determine if there is overlap between them.
//
// Only DNS subject alternative names are indexed (see Add). Each name is
// keyed first by everything from its first dot onward (the "suffix") and then
// by its leading label (the "prefix", "*" for a wildcard), with the
// certificate's serverAuth/clientAuth usage bits as the value; see add and
// match for how a collision is decided. A nil *CertificatesIndex is safe to
// query with OverlapsWithExistingCertificate but not to Add to. Nothing here
// takes a lock, so concurrent Add/query calls are the caller's responsibility.
type CertificatesIndex struct {
	// index: domain suffix -> leading label -> usage bits.
	index map[string]map[string]certUsage
}
// NewCertificatesIndex creates a new CertificatesIndex.
//
// The returned index is empty; populate it with Add and query it with
// OverlapsWithExistingCertificate.
func NewCertificatesIndex() *CertificatesIndex {
	idx := new(CertificatesIndex)
	idx.index = map[string]map[string]certUsage{}
	return idx
}
// Add adds a certificate to the index.
//
// Only the certificate's DNS subject alternative names are recorded, each
// tagged with the serverAuth/clientAuth bits derived from its extended key
// usage; IP address SANs and the subject common name are not indexed, so two
// certificates that only share an IP SAN are never reported as overlapping.
// Unlike OverlapsWithExistingCertificate, Add does not tolerate a nil receiver.
func (c *CertificatesIndex) Add(cert *x509.Certificate) {
	bits := getCertUsage(cert)
	for i := range cert.DNSNames {
		c.add(cert.DNSNames[i], bits)
	}
}
// OverlapsWithExistingCertificate returns true if the certificate overlaps with an existing certificate.
//
// A certificate overlaps when one of its DNS names (wildcards included) is
// covered by an already-indexed name that shares at least one of the
// serverAuth/clientAuth usage bits; a certificate with neither bit never
// overlaps. The second return value is the first such DNS name exactly as it
// appears in the certificate, or "" when there is no overlap. A nil index
// never overlaps, and the index is not modified by this call.
func (c *CertificatesIndex) OverlapsWithExistingCertificate(cert *x509.Certificate) (bool, string) {
	if c == nil {
		return false, ""
	}
	bits := getCertUsage(cert)
	for _, dnsName := range cert.DNSNames {
		if !c.match(dnsName, bits) {
			continue
		}
		return true, dnsName
	}
	return false, ""
}
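// add records a single DNS name with the given usage bits.
//
// Names are keyed by suffix (everything from the first dot on) and then by
// the leading label, so that match can find both an exact label and a "*"
// wildcard in one bucket. Usage bits accumulate: the same name added once
// with serverAuth and once with clientAuth ends up recorded as both, so a
// later certificate for either usage is still reported as overlapping.
func (c *CertificatesIndex) add(name string, usage certUsage) {
	prefix, suffix := splitDomainName(name)
	names, ok := c.index[suffix]
	if !ok {
		names = make(map[string]certUsage)
		c.index[suffix] = names
	}
	// OR rather than assign: a plain assignment would let a later certificate
	// (or one with no recognised EKU, usage == 0) erase the bits recorded for
	// an earlier certificate with the same name, hiding a real overlap.
	names[prefix] |= usage
}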
// match reports whether name, used for the given usage bits, collides with
// a name already in the index.
//
// A concrete leading label collides with the same label or with a "*"
// wildcard recorded under the same suffix; a wildcard collides with any
// label recorded under that suffix. In every case at least one usage bit
// must be shared, so a serverAuth-only certificate never overlaps a
// clientAuth-only one. A suffix that was never indexed never matches.
func (c *CertificatesIndex) match(name string, usage certUsage) bool {
	prefix, suffix := splitDomainName(name)
	bucket := c.index[suffix]
	if bucket == nil {
		return false
	}
	overlaps := func(existing certUsage) bool { return existing&usage != 0 }
	if prefix == "*" {
		// A wildcard shadows every label already recorded under this suffix.
		for _, existing := range bucket {
			if overlaps(existing) {
				return true
			}
		}
		return false
	}
	return overlaps(bucket["*"]) || overlaps(bucket[prefix])
}
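// splitDomainName splits a DNS name into its leading label and the rest.
//
// "www.example.com" yields ("www", ".example.com"); "*.example.com" yields
// ("*", ".example.com"), which is how the index recognises a wildcard; a name
// without any dot, such as "localhost", yields ("", "localhost") so that
// single-label names still get a bucket of their own.
//
// The name is lower-cased first: DNS names compare case-insensitively
// (RFC 4343) and crypto/x509 matches them that way, so "Foo.Example.COM" and
// "foo.example.com" must land on the same index entry rather than silently
// being treated as unrelated. The result is not otherwise validated —
// trailing dots, IDNA forms and other oddities are passed through as-is.
func splitDomainName(name string) (prefix, suffix string) {
	name = strings.ToLower(name)
	dot := strings.IndexByte(name, '.')
	if dot < 0 {
		// No dot at all (e.g. "localhost"): the whole name is the suffix.
		return "", name
	}
	return name[:dot], name[dot:]
}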
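// getCertUsage derives the index's usage bits from a certificate's extended
// key usage (EKU) extension.
//
// serverAuth sets certUsageServerAuth, clientAuth sets certUsageClientAuth,
// and anyExtendedKeyUsage sets both, since a certificate asserting "any"
// purpose is acceptable as either a server or a client certificate (this is
// also how crypto/x509 chain verification treats it). Other EKU values are
// ignored.
//
// A certificate with no EKU extension at all yields 0 and therefore never
// overlaps with anything. NOTE(review): RFC 5280 §4.2.1.12 (and crypto/x509)
// treat a missing EKU as unrestricted, so such certificates arguably should
// map to both bits as well; that is left unchanged here because it would make
// the overlap check stricter for existing callers — confirm whether wanted.
func getCertUsage(cert *x509.Certificate) certUsage {
	var usage certUsage
	for _, eku := range cert.ExtKeyUsage {
		switch eku {
		case x509.ExtKeyUsageServerAuth:
			usage |= certUsageServerAuth
		case x509.ExtKeyUsageClientAuth:
			usage |= certUsageClientAuth
		case x509.ExtKeyUsageAny:
			// anyExtendedKeyUsage: explicitly valid for every purpose, so it
			// collides with both server and client certificates. Previously
			// this fell through and the certificate was indexed as neither.
			usage |= certUsageServerAuth | certUsageClientAuth
		}
	}
	return usage
}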