cmd: refactor cert utils into certlib

2025-11-18 20:21:00 -08:00
parent 25a562865c
commit 3c1d92db6b
7 changed files with 438 additions and 326 deletions
--- a/certlib/dump/dump.go
+++ b/certlib/dump/dump.go
@@ -165,7 +165,7 @@ func certPublic(cert *x509.Certificate) string {
 	}
 }

-func displayName(name pkix.Name) string {
+func DisplayName(name pkix.Name) string {
 	var ns []string

 	if name.CommonName != "" {
@@ -270,8 +270,8 @@ func DisplayCert(w io.Writer, cert *x509.Certificate) {
 	if showHash {
 		fmt.Fprintln(w, wrap(fmt.Sprintf("SHA256: %x", sha256.Sum256(cert.Raw)), 0))
 	}
-	fmt.Fprintln(w, wrap("Subject: "+displayName(cert.Subject), 0))
-	fmt.Fprintln(w, wrap("Issuer: "+displayName(cert.Issuer), 0))
+	fmt.Fprintln(w, wrap("Subject: "+DisplayName(cert.Subject), 0))
+	fmt.Fprintln(w, wrap("Issuer: "+DisplayName(cert.Issuer), 0))
 	fmt.Fprintf(w, "\tSignature algorithm: %s / %s\n", sigAlgoPK(cert.SignatureAlgorithm),
 		sigAlgoHash(cert.SignatureAlgorithm))
 	fmt.Fprintln(w, "Details:")
--- a/certlib/ski/ski.go
+++ b/certlib/ski/ski.go
@@ -0,0 +1,157 @@
+package ski
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/rsa"
+	"crypto/sha1" // #nosec G505 this is the standard
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
+	"encoding/pem"
+	"fmt"
+	"os"
+
+	"git.wntrmute.dev/kyle/goutils/certlib"
+	"git.wntrmute.dev/kyle/goutils/die"
+	"git.wntrmute.dev/kyle/goutils/lib"
+)
+
+const (
+	keyTypeRSA     = "RSA"
+	keyTypeECDSA   = "ECDSA"
+	keyTypeEd25519 = "Ed25519"
+)
+
+type subjectPublicKeyInfo struct {
+	Algorithm        pkix.AlgorithmIdentifier
+	SubjectPublicKey asn1.BitString
+}
+
+type KeyInfo struct {
+	PublicKey []byte
+	KeyType   string
+	FileType  string
+}
+
+func (k *KeyInfo) String() string {
+	return fmt.Sprintf("%s (%s)", lib.HexEncode(k.PublicKey, lib.HexEncodeLowerColon), k.KeyType)
+}
+
+func (k *KeyInfo) SKI(displayMode lib.HexEncodeMode) (string, error) {
+	var subPKI subjectPublicKeyInfo
+
+	_, err := asn1.Unmarshal(k.PublicKey, &subPKI)
+	if err != nil {
+		return "", fmt.Errorf("serializing SKI: %w", err)
+	}
+
+	pubHash := sha1.Sum(subPKI.SubjectPublicKey.Bytes) // #nosec G401 this is the standard
+	pubHashString := lib.HexEncode(pubHash[:], displayMode)
+
+	return pubHashString, nil
+}
+
+// ParsePEM parses a PEM file and returns the public key and its type.
+func ParsePEM(path string) (*KeyInfo, error) {
+	material := &KeyInfo{}
+
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("parsing X.509 material %s: %w", path, err)
+	}
+
+	data = bytes.TrimSpace(data)
+	p, rest := pem.Decode(data)
+	if len(rest) > 0 {
+		lib.Warnx("trailing data in PEM file")
+	}
+
+	if p == nil {
+		return nil, fmt.Errorf("no PEM data in %s", path)
+	}
+
+	data = p.Bytes
+
+	switch p.Type {
+	case "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY":
+		material.PublicKey, material.KeyType = parseKey(data)
+		material.FileType = "private key"
+	case "CERTIFICATE":
+		material.PublicKey, material.KeyType = parseCertificate(data)
+		material.FileType = "certificate"
+	case "CERTIFICATE REQUEST":
+		material.PublicKey, material.KeyType = parseCSR(data)
+		material.FileType = "certificate request"
+	default:
+		return nil, fmt.Errorf("unknown PEM type %s", p.Type)
+	}
+
+	return material, nil
+}
+
+func parseKey(data []byte) ([]byte, string) {
+	priv, err := certlib.ParsePrivateKeyDER(data)
+	if err != nil {
+		die.If(err)
+	}
+
+	var kt string
+	switch priv.Public().(type) {
+	case *rsa.PublicKey:
+		kt = keyTypeRSA
+	case *ecdsa.PublicKey:
+		kt = keyTypeECDSA
+	default:
+		die.With("unknown private key type %T", priv)
+	}
+
+	public, err := x509.MarshalPKIXPublicKey(priv.Public())
+	die.If(err)
+
+	return public, kt
+}
+
+func parseCertificate(data []byte) ([]byte, string) {
+	cert, err := x509.ParseCertificate(data)
+	die.If(err)
+
+	pub := cert.PublicKey
+	var kt string
+	switch pub.(type) {
+	case *rsa.PublicKey:
+		kt = keyTypeRSA
+	case *ecdsa.PublicKey:
+		kt = keyTypeECDSA
+	case *ed25519.PublicKey:
+		kt = keyTypeEd25519
+	default:
+		die.With("unknown public key type %T", pub)
+	}
+
+	public, err := x509.MarshalPKIXPublicKey(pub)
+	die.If(err)
+	return public, kt
+}
+
+func parseCSR(data []byte) ([]byte, string) {
+	// Use certlib to support both PEM and DER and to centralize validation.
+	csr, _, err := certlib.ParseCSR(data)
+	die.If(err)
+
+	pub := csr.PublicKey
+	var kt string
+	switch pub.(type) {
+	case *rsa.PublicKey:
+		kt = keyTypeRSA
+	case *ecdsa.PublicKey:
+		kt = keyTypeECDSA
+	default:
+		die.With("unknown public key type %T", pub)
+	}
+
+	public, err := x509.MarshalPKIXPublicKey(pub)
+	die.If(err)
+	return public, kt
+}
--- a/certlib/verify/check.go
+++ b/certlib/verify/check.go
@@ -0,0 +1,49 @@
+package verify
+
+import (
+	"crypto/x509"
+	"fmt"
+	"time"
+
+	"git.wntrmute.dev/kyle/goutils/certlib/dump"
+)
+
+const DefaultLeeway = 2160 * time.Hour // three months
+
+type CertCheck struct {
+	Cert   *x509.Certificate
+	leeway time.Duration
+}
+
+func NewCertCheck(cert *x509.Certificate, leeway time.Duration) *CertCheck {
+	return &CertCheck{
+		Cert:   cert,
+		leeway: leeway,
+	}
+}
+
+func (c CertCheck) Expiry() time.Duration {
+	return time.Until(c.Cert.NotAfter)
+}
+
+func (c CertCheck) IsExpiring(leeway time.Duration) bool {
+	return c.Expiry() < leeway
+}
+
+// Err returns nil if the certificate is not expiring within the leeway period.
+func (c CertCheck) Err() error {
+	if !c.IsExpiring(c.leeway) {
+		return nil
+	}
+
+	return fmt.Errorf("%s expires in %s", dump.DisplayName(c.Cert.Subject), c.Expiry())
+}
+
+func (c CertCheck) Name() string {
+	return fmt.Sprintf("%s/SN=%s", dump.DisplayName(c.Cert.Subject),
+		c.Cert.SerialNumber)
+}
+
+func (c CertCheck) String() string {
+	return fmt.Sprintf("%s expires on %s (in %s)\n", c.Name(), c.Cert.NotAfter, c.Expiry())
+}
--- a/certlib/verify/verify.go
+++ b/certlib/verify/verify.go
@@ -0,0 +1,141 @@
+package verify
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
+	"fmt"
+	"io"
+
+	"git.wntrmute.dev/kyle/goutils/certlib/revoke"
+	"git.wntrmute.dev/kyle/goutils/lib"
+)
+
+func bundleIntermediates(w io.Writer, chain []*x509.Certificate, pool *x509.CertPool, verbose bool) *x509.CertPool {
+	for _, intermediate := range chain[1:] {
+		if verbose {
+			fmt.Fprintf(w, "[+] adding intermediate with SKI %x\n", intermediate.SubjectKeyId)
+		}
+		pool.AddCert(intermediate)
+	}
+
+	return pool
+}
+
+type Opts struct {
+	Verbose            bool
+	Config             *tls.Config
+	Intermediates      *x509.CertPool
+	ForceIntermediates bool
+	CheckRevocation    bool
+	KeyUsages          []x509.ExtKeyUsage
+}
+
+type verifyResult struct {
+	chain []*x509.Certificate
+	roots *x509.CertPool
+	ints  *x509.CertPool
+}
+
+func prepareVerification(w io.Writer, target string, opts *Opts) (*verifyResult, error) {
+	var (
+		roots, ints *x509.CertPool
+		err         error
+	)
+
+	if opts == nil {
+		opts = &Opts{
+			Config:             lib.StrictBaselineTLSConfig(),
+			ForceIntermediates: false,
+		}
+
+		roots, err = x509.SystemCertPool()
+		if err != nil {
+			return nil, fmt.Errorf("couldn't load system cert pool: %w", err)
+		}
+
+		opts.Config.RootCAs = roots
+	}
+
+	if opts.Intermediates == nil {
+		ints = x509.NewCertPool()
+	} else {
+		ints = opts.Intermediates.Clone()
+	}
+
+	roots = opts.Config.RootCAs.Clone()
+
+	chain, err := lib.GetCertificateChain(target, opts.Config)
+	if err != nil {
+		return nil, fmt.Errorf("fetching certificate chain: %w", err)
+	}
+
+	if opts.Verbose {
+		fmt.Fprintf(w, "[+] %s has %d certificates\n", target, len(chain))
+	}
+
+	if len(chain) > 1 && opts.ForceIntermediates {
+		ints = bundleIntermediates(w, chain, ints, opts.Verbose)
+	}
+
+	return &verifyResult{
+		chain: chain,
+		roots: roots,
+		ints:  ints,
+	}, nil
+}
+
+// Chain fetches the certificate chain for a target and verifies it.
+func Chain(w io.Writer, target string, opts *Opts) ([]*x509.Certificate, error) {
+	result, err := prepareVerification(w, target, opts)
+	if err != nil {
+		return nil, fmt.Errorf("certificate verification failed: %w", err)
+	}
+
+	chains, err := CertWith(result.chain[0], result.roots, result.ints, opts.CheckRevocation, opts.KeyUsages...)
+	if err != nil {
+		return nil, fmt.Errorf("certificate verification failed: %w", err)
+	}
+
+	return chains, nil
+}
+
+// CertWith verifies a certificate against a set of roots and intermediates.
+func CertWith(
+	cert *x509.Certificate,
+	roots, ints *x509.CertPool,
+	checkRevocation bool,
+	keyUses ...x509.ExtKeyUsage,
+) ([]*x509.Certificate, error) {
+	if len(keyUses) == 0 {
+		keyUses = []x509.ExtKeyUsage{x509.ExtKeyUsageAny}
+	}
+
+	opts := x509.VerifyOptions{
+		Intermediates: ints,
+		Roots:         roots,
+		KeyUsages:     keyUses,
+	}
+
+	chains, err := cert.Verify(opts)
+	if err != nil {
+		return nil, err
+	}
+
+	if checkRevocation {
+		revoked, ok := revoke.VerifyCertificate(cert)
+		if !ok {
+			return nil, errors.New("failed to check certificate revocation status")
+		}
+
+		if revoked {
+			return nil, errors.New("certificate is revoked")
+		}
+	}
+
+	if len(chains) == 0 {
+		return nil, errors.New("no valid certificate chain found")
+	}
+
+	return chains[0], nil
+}