fix cert verification (#15)

Author: botsman

Makefile

@@ -0,0 +1,9 @@
+
+MONGO_URL=mongodb://localhost:27017/
+MONGO_DB=tpp
+
+start_server:
+	MONGO_URL=$(MONGO_URL) MONGO_DB=$(MONGO_DB) go run server/run.go
+
+test:
+	go test ./...

app/verify/verify.go

@@ -3,6 +3,7 @@ package verify
 import (
 	"net/http"
 	"slices"
+	"time"
 
 	"github.com/botsman/tppVerifier/app/db"
 	vhttp "github.com/botsman/tppVerifier/app/http"
@@ -48,8 +49,19 @@ type VerifyResult struct {
 	Reason      string              `json:"reason,omitempty"`
 }
 
-func (s *VerifySvc) SetRoots(roots *x509.CertPool) {
-	s.roots = roots
+func (s *VerifySvc) SetRoots(roots []string) {
+	certPool := x509.NewCertPool()
+	for _, rawRoot := range roots {
+		pemBytes, err := RawCertToPEM([]byte(rawRoot))
+		if err != nil {
+			log.Printf("Error converting root certificate to PEM format: %s", err)
+			continue
+		}
+		if !certPool.AppendCertsFromPEM(pemBytes) {
+			panic("Failed to append root certificate")
+		}
+	}
+	s.roots = certPool
 }
 
 func (s *VerifySvc) Verify(c *gin.Context) {
@@ -320,26 +332,42 @@ func (s *VerifySvc) isRevoked(c, issuer *x509.Certificate) (bool, error) {
 	return ocspResponse.Status == ocsp.Revoked, nil
 }
 
+func RawCertToPEM(raw []byte) ([]byte, error) {
+	pemBytes := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: raw,
+	})
+	if pemBytes == nil {
+		return nil, errors.New("error encoding certificate to PEM format")
+	}
+	return pemBytes, nil
+}
+
 func (s *VerifySvc) isTrusted(cert *x509.Certificate, chain []*x509.Certificate) (bool, error) {
-	return true, nil // TODO: Implement certificate trust verification logic
-	// intermediatePool := x509.NewCertPool()
-	// for _, intermediate := range chain {
-	// 	intermediatePool.AddCert(intermediate)
-	// }
-	// opts := x509.VerifyOptions{
-	// 	Roots:         s.roots,
-	// 	Intermediates: intermediatePool,
-	// }
-	// _, err := cert.Verify(opts)
-	// if err != nil {
-	// 	log.Printf("Certificate verification failed: %s", err)
-	// 	if _, ok := err.(x509.UnknownAuthorityError); ok {
-	// 		log.Printf("Certificate is not trusted")
-	// 		return false, nil
-	// 	}
-	// }
-	// log.Printf("Certificate is trusted")
-	// return true, nil
+	intermediatePool := x509.NewCertPool()
+	for _, intermediate := range chain {
+		pemBytes, err := RawCertToPEM(intermediate.Raw)
+		if err != nil {
+			log.Printf("Error converting intermediate certificate to PEM format: %s", err)
+			return false, err
+		}
+		if !intermediatePool.AppendCertsFromPEM(pemBytes) {
+			log.Printf("Failed to append intermediate certificate to pool")
+			return false, errors.New("failed to append intermediate certificate to pool")
+		}
+	}
+	opts := x509.VerifyOptions{
+		Roots:         s.roots,
+		Intermediates: intermediatePool,
+		CurrentTime:   time.Now(),
+	}
+	_, err := cert.Verify(opts)
+	if err != nil {
+		log.Printf("Certificate verification failed: %s", err)
+		return false, err
+	}
+	log.Printf("Certificate is trusted")
+	return true, nil
 }
 
 func formatCertContent(content []byte) ([]byte, error) {

app/verify/verify_test.go

@@ -362,6 +362,23 @@ func TestVerifyCert(t *testing.T) {
 			t.Fatalf("Failed to read certificate file %s: %v", certPath, err)
 			return
 		}
+		caCertPath := filepath.Join(chainsPath, entry.Name(), "ca.pem")
+		caCertContent, err := os.ReadFile(caCertPath)
+		if err != nil {
+			t.Fatalf("Failed to read CA certificate file %s: %v", caCertPath, err)
+			return
+		}
+		caPem, _ := pem.Decode(caCertContent)
+		if caPem == nil {
+			t.Fatalf("Failed to decode CA certificate PEM from %s", caCertPath)
+			return
+		}
+		caCert, err := x509.ParseCertificate(caPem.Bytes)
+		if err != nil {
+			t.Fatalf("Failed to parse CA certificate from %s: %v", caCertPath, err)
+			return
+		}
+		svc.SetRoots([]string{string(caCert.Raw)})
 		cert, err := svc.parseCert(&ctx, []byte(certContent))
 		if err != nil {
 			t.Fatalf("Expected no error, got %v", err)
@@ -430,6 +447,24 @@ func TestVerify_Success(t *testing.T) {
 	if len(certContent) == 0 {
 		t.Fatal("Expected non-empty certificate content")
 	}
+	caCertContent, err := os.ReadFile(getTestDataPath("chains/1/ca.pem"))
+	if err != nil {
+		t.Fatalf("Couldn't read CA certificate file: %v\n", err)
+	}
+	if len(caCertContent) == 0 {
+		t.Fatal("Expected non-empty CA certificate content")
+	}
+	caPem, _ := pem.Decode(caCertContent)
+	if caPem == nil {
+		t.Fatal("Failed to decode CA certificate PEM")
+		return
+	}
+	caCert, err := x509.ParseCertificate(caPem.Bytes)
+		if err != nil {
+			t.Fatalf("Failed to parse CA certificate from %s: %v", "chains/1/ca.pem", err)
+			return
+		}
+		svc.SetRoots([]string{string(caCert.Raw)})
 	// Set the certificate content in the request
 	verifyRequest.Cert = []byte(certContent)
 	body, err := json.Marshal(verifyRequest)

server/run.go

@@ -2,7 +2,6 @@ package main
 
 import (
 	"context"
-	"crypto/x509"
 	"log"
 	"net/http"
 
@@ -30,14 +29,7 @@ func main() {
 	if err != nil {
 		log.Fatalf("Failed to get root certificates: %v", err)
 	}
-	rootPool := x509.NewCertPool()
-	for _, root := range roots {
-		// TODO: check if roots are formatted correctly
-		if !rootPool.AppendCertsFromPEM([]byte(root)) {
-			log.Printf("Failed to append root certificate")
-		}
-	}
-	vs.SetRoots(rootPool)
+	vs.SetRoots(roots)
 	r := app.SetupRouter(vs)
 	r.Run()
 }