@@ -26,6 +26,7 @@ import (
2626type VerifySvc struct {
2727 db db.TppRepository
2828 httpClient vhttp.Client
29+ roots * x509.CertPool
2930}
3031
3132func NewVerifySvc (db db.TppRepository , httpClient vhttp.Client ) * VerifySvc {
@@ -47,6 +48,10 @@ type VerifyResult struct {
4748 Reason string `json:"reason,omitempty"`
4849}
4950
51+ func (s * VerifySvc ) SetRoots (roots * x509.CertPool ) {
52+ s .roots = roots
53+ }
54+
5055func (s * VerifySvc ) Verify (c * gin.Context ) {
5156 // 1. Parse the certificate
5257 // 2. Extract the TPP ID
@@ -92,7 +97,7 @@ func (s *VerifySvc) Verify(c *gin.Context) {
9297 }
9398 result .Valid = certVerifyResult .Valid
9499 result .Reason = certVerifyResult .Reason
95- result .Scopes = s .getScopes (cert , tpp )
100+ result .Scopes = s .getScopes (c , cert , tpp )
96101 if len (result .Scopes ) == 0 {
97102 c .JSON (http .StatusBadRequest , gin.H {
98103 "error" : "No valid scopes found in the certificate" ,
@@ -267,7 +272,7 @@ func getSha256(cert *x509.Certificate) string {
267272 return hex .EncodeToString (checksum [:])
268273}
269274
270- func (s * VerifySvc ) isRevoked (c , issuer * x509.Certificate ) bool {
275+ func (s * VerifySvc ) isRevoked (c , issuer * x509.Certificate ) ( bool , error ) {
271276 ocspServer := c .OCSPServer [0 ]
272277 // ocspUrl, err := url.Parse(ocspServer)
273278 // if err != nil {
@@ -277,20 +282,20 @@ func (s *VerifySvc) isRevoked(c, issuer *x509.Certificate) bool {
277282 req , err := ocsp .CreateRequest (c , issuer , nil )
278283 if err != nil {
279284 log .Printf ("Error creating OCSP request: %s" , err )
280- return false
285+ return false , err
281286 }
282287 httpRequest , err := http .NewRequest ("POST" , ocspServer , bytes .NewReader (req ))
283288 if err != nil {
284289 log .Printf ("Error creating OCSP request: %s" , err )
285- return false
290+ return false , err
286291 }
287292 httpRequest .Header .Set ("Content-Type" , "application/ocsp-request" )
288293 httpRequest .Header .Set ("Accept" , "application/ocsp-response" )
289294 // httpRequest.Header.Set("host", ocspUrl.Hostname())
290295 httpResponse , err := s .httpClient .Do (httpRequest )
291296 if err != nil {
292297 log .Printf ("Error sending OCSP request: %s" , err )
293- return false
298+ return false , err
294299 }
295300 defer func (Body io.ReadCloser ) {
296301 err := Body .Close ()
@@ -300,19 +305,41 @@ func (s *VerifySvc) isRevoked(c, issuer *x509.Certificate) bool {
300305 }(httpResponse .Body )
301306 if httpResponse .StatusCode != http .StatusOK {
302307 log .Printf ("OCSP server returned status %d" , httpResponse .StatusCode )
303- return false
308+ return false , errors . New ( "OCSP server returned non-OK status" )
304309 }
305310 body , err := io .ReadAll (httpResponse .Body )
306311 if err != nil {
307312 log .Printf ("Error reading OCSP response: %s" , err )
308- return false
313+ return false , err
309314 }
310315 ocspResponse , err := ocsp .ParseResponseForCert (body , c , issuer )
311316 if err != nil {
312317 log .Printf ("Error parsing OCSP response: %s" , err )
313- return false
318+ return false , err
314319 }
315- return ocspResponse .Status == ocsp .Revoked
320+ return ocspResponse .Status == ocsp .Revoked , nil
321+ }
322+
323+ func (s * VerifySvc ) isTrusted (cert * x509.Certificate , chain []* x509.Certificate ) (bool , error ) {
324+ return true , nil // TODO: Implement certificate trust verification logic
325+ // intermediatePool := x509.NewCertPool()
326+ // for _, intermediate := range chain {
327+ // intermediatePool.AddCert(intermediate)
328+ // }
329+ // opts := x509.VerifyOptions{
330+ // Roots: s.roots,
331+ // Intermediates: intermediatePool,
332+ // }
333+ // _, err := cert.Verify(opts)
334+ // if err != nil {
335+ // log.Printf("Certificate verification failed: %s", err)
336+ // if _, ok := err.(x509.UnknownAuthorityError); ok {
337+ // log.Printf("Certificate is not trusted")
338+ // return false, nil
339+ // }
340+ // }
341+ // log.Printf("Certificate is trusted")
342+ // return true, nil
316343}
317344
318345func formatCertContent (content []byte ) ([]byte , error ) {
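Review bot: isTrusted returns `true, nil` unconditionally, and this same commit wires it into verifyCert as a gate, so any certificate whose chain is present passes the "trusted" check regardless of which CA issued it; the TODO makes the new check fail open, which is the opposite of what a trust gate should do until it is implemented. The commented sketch has a second problem: when `cert.Verify` fails with anything other than `x509.UnknownAuthorityError` (expired, wrong usage, bad signature), it falls through and still returns `true, nil`. Fail closed instead: reject when no roots are configured, and return `false, err` for every verification error, distinguishing only the unknown-authority case as a clean "not trusted". If these are PSD2 QSealC/QWAC-style certificates that do not carry the serverAuth EKU, `x509.VerifyOptions` will also need `KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}` — confirm against the certificates actually seen.
```go
func (s *VerifySvc) isTrusted(cert *x509.Certificate, chain []*x509.Certificate) (bool, error) {
	if s.roots == nil {
		return false, errors.New("no trust roots configured")
	}
	intermediates := x509.NewCertPool()
	for _, intermediate := range chain {
		intermediates.AddCert(intermediate)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:         s.roots,
		Intermediates: intermediates,
	})
	if err != nil {
		var unknownCA x509.UnknownAuthorityError
		if errors.As(err, &unknownCA) {
			return false, nil // chains to a CA that is not in s.roots
		}
		return false, err // expired, bad signature, usage mismatch, ...
	}
	return true, nil
}
```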
@@ -399,8 +426,29 @@ func (s *VerifySvc) verifyCert(c *gin.Context, cert ParsedCert) (certVerifyResul
399426 result .Reason = "No certificate chain found for the certificate"
400427 return result , nil
401428 }
429+ isTrusted , err := s .isTrusted (cert .cert , certChain )
430+ if err != nil {
431+ log .Printf ("Error checking if certificate is trusted: %s" , err )
432+ result .Valid = false
433+ result .Reason = "Error checking if certificate is trusted"
434+ return result , nil
435+ }
436+ if ! isTrusted {
437+ log .Printf ("Certificate is not trusted" )
438+ result .Valid = false
439+ result .Reason = "Certificate is not trusted"
440+ return result , nil
441+ }
402442
403- if s .isRevoked (cert .cert , certChain [len (certChain )- 1 ]) {
443+ isRevoked , err := s .isRevoked (cert .cert , certChain [len (certChain )- 1 ])
444+ if err != nil {
445+ log .Printf ("Error checking certificate revocation: %s" , err )
446+ result .Valid = false
447+ result .Reason = "Error checking certificate revocation"
448+ return result , nil
449+ }
450+ if isRevoked {
451+ log .Printf ("Certificate is revoked" )
404452 result .Valid = false
405453 result .Reason = "Certificate is revoked"
406454 return result , nil
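Review bot: The OCSP check passes `certChain[len(certChain)-1]` as the issuer, but `ocsp.CreateRequest` hashes the issuer's name and public key, so it must be the certificate that directly signed the leaf; if certChain is ordered leaf-to-root (not visible here) the last element is the root and the responder will answer "unknown" or reject the request. Confirm the ordering, or pick the issuer by matching `cert.cert.Issuer` / `AuthorityKeyId` against the chain instead of relying on position, e.g. `issuer := findIssuer(cert.cert, certChain)` with a nil check that fails closed. Only the leaf is revocation-checked; intermediates are not, which is worth a comment if intentional. verifyCert begins and ends outside this hunk.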
@@ -473,7 +521,7 @@ func loadCerts(_ *gin.Context, body io.ReadCloser) ([]*x509.Certificate, error)
473521 return certs , nil
474522}
475523
476- func (s * VerifySvc ) getScopes (cert ParsedCert , tpp * models.TPP ) map [string ][]string {
524+ func (s * VerifySvc ) getScopes (c * gin. Context , cert ParsedCert , tpp * models.TPP ) map [string ][]string {
477525 certServices := getCertServices (cert )
478526 if len (certServices ) == 0 {
479527 log .Printf ("No services found in the certificate for TPP %s" , tpp .Id )