(km *certprovider.KeyMaterial, isClient bool, sni string)
| 209 | } |
| 210 | |
| 211 | func (hi *HandshakeInfo) buildVerifyFunc(km *certprovider.KeyMaterial, isClient bool, sni string) func(rawCerts [][]byte, _ [][]*x509.Certificate) error { |
| 212 | return func(rawCerts [][]byte, _ [][]*x509.Certificate) error { |
| 213 | // Parse all raw certificates presented by the peer. |
| 214 | var certs []*x509.Certificate |
| 215 | for _, rc := range rawCerts { |
| 216 | cert, err := x509.ParseCertificate(rc) |
| 217 | if err != nil { |
| 218 | return err |
| 219 | } |
| 220 | certs = append(certs, cert) |
| 221 | } |
| 222 | |
| 223 | // Build the intermediates list and verify that the leaf certificate is |
| 224 | // signed by one of the root certificates. If a SPIFFE Bundle Map is |
| 225 | // configured, it is used to get the root certs. Otherwise, the |
| 226 | // configured roots in the root provider are used. |
| 227 | intermediates := x509.NewCertPool() |
| 228 | for _, cert := range certs[1:] { |
| 229 | intermediates.AddCert(cert) |
| 230 | } |
| 231 | roots := km.Roots |
| 232 | // If a SPIFFE Bundle Map is configured, find the roots for the trust |
| 233 | // domain of the leaf certificate. |
| 234 | if km.SPIFFEBundleMap != nil { |
| 235 | var err error |
| 236 | roots, err = spiffe.GetRootsFromSPIFFEBundleMap(km.SPIFFEBundleMap, certs[0]) |
| 237 | if err != nil { |
| 238 | return err |
| 239 | } |
| 240 | } |
| 241 | opts := x509.VerifyOptions{ |
| 242 | Roots: roots, |
| 243 | Intermediates: intermediates, |
| 244 | KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, |
| 245 | } |
| 246 | if isClient { |
| 247 | opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth} |
| 248 | } else { |
| 249 | opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} |
| 250 | } |
| 251 | if _, err := certs[0].Verify(opts); err != nil { |
| 252 | return err |
| 253 | } |
| 254 | |
| 255 | // If XDSSNIEnabled and AutoSNISANValidation are both true and the SNI is |
| 256 | // non-empty, validate only DNS SANs against the SNI. Otherwise, fallback to |
| 257 | // validating all received SANs against the control plane provided SAN |
| 258 | // matchers. |
| 259 | if envconfig.XDSSNIEnabled && hi.validateSANUsingSNI && sni != "" { |
| 260 | // Verify SAN of leaf certificate with SNI using exact DNS matcher. |
| 261 | for _, san := range certs[0].DNSNames { |
| 262 | if dnsMatch(sni, san) { |
| 263 | return nil |
| 264 | } |
| 265 | } |
| 266 | return fmt.Errorf("xds: received DNS SANs: %v do not match the SNI: %s", certs[0].DNSNames, sni) |
| 267 | } |
| 268 | // The SANs sent by the xDS control plane are encoded as SPIFFE IDs. We need to |
no test coverage detected