

refactor: use reference tls verification from akash-api (#239)
Signed-off-by: Artur Troian <[email protected]>
troian authored May 1, 2024
1 parent 567267f commit 72ed8bb
Showing 17 changed files with 158 additions and 253 deletions.
2 changes: 1 addition & 1 deletion cmd/provider-services/cmd/leaseEvents.go
Expand Up @@ -88,7 +88,7 @@ func doLeaseEvents(cmd *cobra.Command) error {
for _, lid := range leases {
stream := result{lid: lid}
prov, _ := sdk.AccAddressFromBech32(lid.Provider)
gclient, err := gwrest.NewClient(cl, prov, []tls.Certificate{cert})
gclient, err := gwrest.NewClient(ctx, cl, prov, []tls.Certificate{cert})
if err == nil {
stream.stream, stream.error = gclient.LeaseEvents(ctx, lid, svcs, follow)
} else {
2 changes: 1 addition & 1 deletion cmd/provider-services/cmd/leaseLogs.go
Expand Up @@ -109,7 +109,7 @@ func doLeaseLogs(cmd *cobra.Command) error {
for _, lid := range leases {
stream := result{lid: lid}
prov, _ := sdk.AccAddressFromBech32(lid.Provider)
gclient, err := gwrest.NewClient(cl, prov, []tls.Certificate{cert})
gclient, err := gwrest.NewClient(ctx, cl, prov, []tls.Certificate{cert})
if err == nil {
stream.stream, stream.error = gclient.LeaseLogs(ctx, lid, svcs, follow, tailLines)
} else {
2 changes: 1 addition & 1 deletion cmd/provider-services/cmd/leaseStatus.go
Expand Up @@ -59,7 +59,7 @@ func doLeaseStatus(cmd *cobra.Command) error {
return markRPCServerError(err)
}

gclient, err := gwrest.NewClient(cl, prov, []tls.Certificate{cert})
gclient, err := gwrest.NewClient(ctx, cl, prov, []tls.Certificate{cert})
if err != nil {
return err
}
4 changes: 2 additions & 2 deletions cmd/provider-services/cmd/manifest.go
Expand Up @@ -100,12 +100,12 @@ func doSendManifest(cmd *cobra.Command, sdlpath string) error {

for i, lid := range leases {
prov, _ := sdk.AccAddressFromBech32(lid.Provider)
gclient, err := gwrest.NewClient(cl, prov, []tls.Certificate{cert})
gclient, err := gwrest.NewClient(ctx, cl, prov, []tls.Certificate{cert})
if err != nil {
return err
}

err = gclient.SubmitManifest(cmd.Context(), dseq, mani)
err = gclient.SubmitManifest(ctx, dseq, mani)
res := result{
Provider: prov,
Status: "PASS",
2 changes: 1 addition & 1 deletion cmd/provider-services/cmd/migrate_endpoints.go
Expand Up @@ -44,7 +44,7 @@ func migrateEndpoints(cmd *cobra.Command, args []string) error {
return markRPCServerError(err)
}

gclient, err := gwrest.NewClient(cl, prov, []tls.Certificate{cert})
gclient, err := gwrest.NewClient(ctx, cl, prov, []tls.Certificate{cert})
if err != nil {
return err
}
4 changes: 2 additions & 2 deletions cmd/provider-services/cmd/migrate_hostnames.go
Expand Up @@ -43,7 +43,7 @@ func migrateHostnames(cmd *cobra.Command, args []string) error {
return markRPCServerError(err)
}

gclient, err := gwrest.NewClient(cl, prov, []tls.Certificate{cert})
gclient, err := gwrest.NewClient(ctx, cl, prov, []tls.Certificate{cert})
if err != nil {
return err
}
Expand All @@ -58,7 +58,7 @@ func migrateHostnames(cmd *cobra.Command, args []string) error {
return err
}

err = gclient.MigrateHostnames(cmd.Context(), hostnames, dseq, gseq)
err = gclient.MigrateHostnames(ctx, hostnames, dseq, gseq)
if err != nil {
return showErrorToUser(err)
}
2 changes: 1 addition & 1 deletion cmd/provider-services/cmd/serviceStatus.go
Expand Up @@ -67,7 +67,7 @@ func doServiceStatus(cmd *cobra.Command) error {
return markRPCServerError(err)
}

gclient, err := gwrest.NewClient(cl, prov, []tls.Certificate{cert})
gclient, err := gwrest.NewClient(ctx, cl, prov, []tls.Certificate{cert})
if err != nil {
return err
}
2 changes: 1 addition & 1 deletion cmd/provider-services/cmd/shell.go
Expand Up @@ -129,7 +129,7 @@ func doLeaseShell(cmd *cobra.Command, args []string) error {
return markRPCServerError(err)
}

gclient, err := gwrest.NewClient(cl, prov, []tls.Certificate{cert})
gclient, err := gwrest.NewClient(ctx, cl, prov, []tls.Certificate{cert})
if err != nil {
return err
}
2 changes: 1 addition & 1 deletion cmd/provider-services/cmd/status.go
Expand Up @@ -43,7 +43,7 @@ func doStatus(cmd *cobra.Command, addr sdk.Address) error {
return err
}

gclient, err := gwrest.NewClient(cl, addr, nil)
gclient, err := gwrest.NewClient(ctx, cl, addr, nil)
if err != nil {
return err
}
56 changes: 3 additions & 53 deletions gateway/grpc/server.go
Expand Up @@ -3,11 +3,11 @@ package grpc
import (
"crypto/tls"
"crypto/x509"
"errors"
"fmt"
"net"
"time"

atls "github.com/akash-network/akash-api/go/util/tls"
"golang.org/x/net/context"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
Expand Down Expand Up @@ -121,61 +121,11 @@ func mtlsInterceptor() grpc.UnaryServerInterceptor {
certificates := mtls.State.PeerCertificates

if len(certificates) > 0 {
if len(certificates) != 1 {
return nil, fmt.Errorf("tls: invalid certificate chain") // nolint: goerr113
}

cquery := QueryClientFromCtx(ctx)

cert := certificates[0]

// validation
var owner sdk.Address
if owner, err = sdk.AccAddressFromBech32(cert.Subject.CommonName); err != nil {
return nil, fmt.Errorf("tls: invalid certificate's subject common name: %w", err)
}

// 1. CommonName in issuer and Subject must match and be as Bech32 format
if cert.Subject.CommonName != cert.Issuer.CommonName {
return nil, fmt.Errorf("tls: invalid certificate's issuer common name: %w", err)
}

// 2. serial number must be in
if cert.SerialNumber == nil {
return nil, fmt.Errorf("tls: invalid certificate serial number: %w", err)
}

// 3. look up certificate on chain
var resp *ctypes.QueryCertificatesResponse
resp, err = cquery.Certificates(
ctx,
&ctypes.QueryCertificatesRequest{
Filter: ctypes.CertificateFilter{
Owner: owner.String(),
Serial: cert.SerialNumber.String(),
State: "valid",
},
},
)
owner, _, err := atls.ValidatePeerCertificates(ctx, cquery, certificates, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
if err != nil {
return nil, fmt.Errorf("tls: unable to fetch certificate from chain: %w", err)
}
if (len(resp.Certificates) != 1) || !resp.Certificates[0].Certificate.IsState(ctypes.CertificateValid) {
return nil, errors.New("tls: attempt to use non-existing or revoked certificate") // nolint: goerr113
}

clientCertPool := x509.NewCertPool()
clientCertPool.AddCert(cert)

opts := x509.VerifyOptions{
Roots: clientCertPool,
CurrentTime: time.Now(),
KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
MaxConstraintComparisions: 0,
}

if _, err = cert.Verify(opts); err != nil {
return nil, fmt.Errorf("tls: unable to verify certificate: %w", err)
return nil, err
}

ctx = ContextWithOwner(ctx, owner)
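Review bot: The rewritten validation branch in mtlsInterceptor returns the helper's error bare (`return nil, err`) where the removed code prefixed every failure with a `tls:` context, so callers and logs can no longer tell a peer-certificate rejection from any other interceptor error; wrap it, `return nil, fmt.Errorf("tls: peer certificate validation: %w", err)`. `owner, _, err :=` also declares a new `err` inside the `if len(certificates) > 0` block — the removed lines assigned to an enclosing `err` with `=`, so the outer variable is now shadowed, which vet's shadow analyzer flags. The explicit `len(certificates) != 1` rejection and the on-chain valid-state lookup were dropped along with the other inline checks; whether atls.ValidatePeerCertificates enforces the single self-signed certificate, the owner/serial lookup on chain and the client-auth usage cannot be confirmed from this hunk, so a one-line comment above the call stating what it is relied on to check would help the next reader. mtlsInterceptor starts and ends outside the hunk.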

