-
Notifications
You must be signed in to change notification settings - Fork 402
/
db.go
143 lines (116 loc) · 3.53 KB
/
db.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
// Copyright (C) 2019 Storj Labs, Inc.
// See LICENSE for copying information.
package revocation
import (
"context"
"crypto/x509"
"crypto/x509/pkix"
"github.com/spacemonkeygo/monkit/v3"
"github.com/zeebo/errs"
"storj.io/common/identity"
"storj.io/common/peertls"
"storj.io/common/peertls/extensions"
"storj.io/storj/storage"
)
var (
mon = monkit.Package()
// Error is a pkg/revocation error
Error = errs.Class("revocation error")
)
// DB stores the most recently seen revocation for each nodeID
// (i.e. nodeID [CA certificate's public key hash] is the key, values is
// the most recently seen revocation).
type DB struct {
store storage.KeyValueStore
}
// Get attempts to retrieve the most recent revocation for the given cert chain
// (the key used in the underlying database is the nodeID of the certificate chain).
func (db *DB) Get(ctx context.Context, chain []*x509.Certificate) (_ *extensions.Revocation, err error) {
defer mon.Task()(&ctx)(&err)
if db.store == nil {
return nil, nil
}
nodeID, err := identity.NodeIDFromCert(chain[peertls.CAIndex])
if err != nil {
return nil, extensions.ErrRevocation.Wrap(err)
}
revBytes, err := db.store.Get(ctx, nodeID.Bytes())
if err != nil && !storage.ErrKeyNotFound.Has(err) {
return nil, extensions.ErrRevocationDB.Wrap(err)
}
if revBytes == nil {
return nil, nil
}
rev := new(extensions.Revocation)
if err = rev.Unmarshal(revBytes); err != nil {
return rev, extensions.ErrRevocationDB.Wrap(err)
}
return rev, nil
}
// Put stores the most recent revocation for the given cert chain IF the timestamp
// is newer than the current value (the key used in the underlying database is
// the nodeID of the certificate chain).
func (db *DB) Put(ctx context.Context, chain []*x509.Certificate, revExt pkix.Extension) (err error) {
defer mon.Task()(&ctx)(&err)
if db.store == nil {
return extensions.ErrRevocationDB.New("not supported")
}
ca := chain[peertls.CAIndex]
var rev extensions.Revocation
if err := rev.Unmarshal(revExt.Value); err != nil {
return err
}
// TODO: do we care if cert/timestamp/sig is empty/garbage?
// TODO(bryanchriswhite): test empty/garbage cert/timestamp/sig
if err := rev.Verify(ca); err != nil {
return err
}
lastRev, err := db.Get(ctx, chain)
if err != nil {
return err
} else if lastRev != nil && lastRev.Timestamp >= rev.Timestamp {
return extensions.ErrRevocationTimestamp
}
nodeID, err := identity.NodeIDFromCert(ca)
if err != nil {
return extensions.ErrRevocationDB.Wrap(err)
}
if err := db.store.Put(ctx, nodeID.Bytes(), revExt.Value); err != nil {
return extensions.ErrRevocationDB.Wrap(err)
}
return nil
}
// List lists all revocations in the store
func (db *DB) List(ctx context.Context) (revs []*extensions.Revocation, err error) {
defer mon.Task()(&ctx)(&err)
if db.store == nil {
return nil, nil
}
keys, err := db.store.List(ctx, []byte{}, 0)
if err != nil {
return nil, extensions.ErrRevocationDB.Wrap(err)
}
marshaledRevs, err := db.store.GetAll(ctx, keys)
if err != nil {
return nil, extensions.ErrRevocationDB.Wrap(err)
}
for _, revBytes := range marshaledRevs {
rev := new(extensions.Revocation)
if err := rev.Unmarshal(revBytes); err != nil {
return nil, extensions.ErrRevocationDB.Wrap(err)
}
revs = append(revs, rev)
}
return revs, nil
}
// TestGetStore returns the internal store for testing.
func (db *DB) TestGetStore() storage.KeyValueStore {
return db.store
}
// Close closes the underlying store
func (db *DB) Close() error {
if db.store == nil {
return nil
}
return db.store.Close()
}