CRL: Update cfssl dependency and fixed remarks

etcd-io · Jul 19, 2016 · 03272cd · 03272cd
1 parent 19dcd0f
commit 03272cd
Show file tree

Hide file tree

Showing 3 changed files with 136 additions and 100 deletions.
diff --git a/cmd/vendor/github.com/cloudflare/cfssl/revoke/revoke.go b/cmd/vendor/github.com/cloudflare/cfssl/revoke/revoke.go
diff --git a/embed/etcd.go b/embed/etcd.go
@@ -16,13 +16,11 @@ package embed
 
 import (
 	"crypto/tls"
-	"errors"
 	"fmt"
 	"net"
 	"net/http"
 	"path"
 
-	"github.com/cloudflare/cfssl/revoke"
 	"github.com/coreos/etcd/etcdserver"
 	"github.com/coreos/etcd/etcdserver/api/v2http"
 	"github.com/coreos/etcd/pkg/cors"
@@ -282,27 +280,6 @@ func startClientListeners(cfg *Config) (sctxs map[string]*serveCtx, err error) {
 	return sctxs, nil
 }
 
-func revokeCheckHandler(req *http.Request, CRLpath string) error {
-	if req.TLS == nil {
-		return nil
-	}
-	for _, cert := range req.TLS.PeerCertificates {
-		var revoked, ok bool
-		if CRLpath != "" {
-			revoked, ok = revoke.VerifyCertificateByCRLPath(cert, CRLpath)
-		} else {
-			revoked, ok = revoke.VerifyCertificate(cert)
-		}
-		if !ok {
-			return errors.New("Cert check failed")
-		}
-		if revoked {
-			return errors.New("Cert if revoked")
-		}
-	}
-	return nil
-}
-
 func (e *Etcd) serve() (err error) {
 	var ctlscfg *tls.Config
 	if !e.cfg.ClientTLSInfo.Empty() {
@@ -317,19 +294,17 @@ func (e *Etcd) serve() (err error) {
 	}
 
 	// Start the peer server in a goroutine
-	ph := tlsutil.RevocationCheck(
+	ph := tlsutil.NewRevokeHandler(
 		v2http.NewPeerHandler(e.Server),
-		revokeCheckHandler,
 		e.cfg.PeerTLSInfo.CRLFile)
 	for _, l := range e.Peers {
 		go func(l net.Listener) {
 			e.errc <- servePeerHTTP(l, ph)
 		}(l)
 	}
 
-	clientHandler := tlsutil.RevocationCheck(
+	clientHandler := tlsutil.NewRevokeHandler(
 		v2http.NewClientHandler(e.Server, e.Server.Cfg.ReqTimeout()),
-		revokeCheckHandler,
 		e.cfg.ClientTLSInfo.CRLFile)
 	// Start a client server goroutine for each listen address
 	ch := http.Handler(&cors.CORSHandler{

diff --git a/pkg/tlsutil/tlsutil.go b/pkg/tlsutil/tlsutil.go
@@ -22,6 +22,8 @@ import (
 	"io/ioutil"
 	"net/http"
 
+	"github.com/cloudflare/cfssl/revoke"
+
 	etcdErr "github.com/coreos/etcd/error"
 )
 
@@ -75,9 +77,31 @@ func NewCert(certfile, keyfile string, parseFunc func([]byte, []byte) (tls.Certi
 	return &tlsCert, nil
 }
 
-func RevocationCheck(handler http.Handler, checker func(*http.Request, string) error, CRLpath string) http.Handler {
+func revokeCheckHandler(req *http.Request, CRLpath string, revokeChecker *revoke.Revoke) error {
+	if req.TLS == nil {
+		return nil
+	}
+	for _, cert := range req.TLS.PeerCertificates {
+		var revoked, ok bool
+		if CRLpath != "" {
+			revoked, ok = revokeChecker.VerifyCertificateByCRLPath(cert, CRLpath)
+		} else {
+			revoked, ok = revokeChecker.VerifyCertificate(cert)
+		}
+		if !ok {
+			return fmt.Errorf("cert check failed (CN=%s, Serial: %s)", cert.Subject.CommonName, cert.SerialNumber.String())
+		}
+		if revoked {
+			return fmt.Errorf("Cert is revoked (CN=%s, Serial: %s)", cert.Subject.CommonName, cert.SerialNumber.String())
+		}
+	}
+	return nil
+}
+
+func NewRevokeHandler(handler http.Handler, CRLpath string) http.Handler {
+	revokeChecker := revoke.NewRevokeChecker()
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-		err := checker(req, CRLpath)
+		err := revokeCheckHandler(req, CRLpath, revokeChecker)
 		if err == nil {
 			handler.ServeHTTP(w, req)
 			return