Merge pull request #49 from akakou/hotfix/audit-use-only

Hotfix/audit use only
akakou · May 6, 2024 · 23b1714 · 23b1714
2 parents a9d3cbb + a9d9090
commit 23b1714
Show file tree

Hide file tree

Showing 5 changed files with 86 additions and 32 deletions.
diff --git a/ttp/ct/audit.go b/ttp/ct/audit.go
@@ -6,36 +6,32 @@ import (
 	"fmt"
 
 	"github.com/akakou/ra_webs/ttp/core"
+	"github.com/akakou/ra_webs/ttp/ent"
 	"github.com/akakou/ra_webs/ttp/ent/taserver"
 )
 
 func AuditOne(ttp *core.TTP, cert *x509.Certificate) error {
 	domain, err := validateDomains(cert)
 	if err != nil {
-		logViolationsByDomains(cert.DNSNames, ttp.DB)
+		revokeByDomains(cert.DNSNames, ttp.DB)
 		return fmt.Errorf("%s: %w", ERROR_DOMAIN_INVALID, err)
 	}
 
-	// get the last ta from ta server
+	publicKey := x509.MarshalPKCS1PublicKey(cert.PublicKey.(*rsa.PublicKey))
+	lastID := lastValidID(domain, ttp.DB)
+
 	serv, err := ttp.DB.Client.TAServer.
 		Query().
 		Where(taserver.DomainEQ(domain)).
-		Only(*ttp.DB.Ctx)
-
-	if err != nil {
-		return fmt.Errorf("%s: %w", ERROR_SELECT_SERVER, err)
-	}
-
-	expected, err := x509.ParsePKCS1PublicKey(serv.PublicKey)
+		Where(taserver.HasActivated(false)).
+		Where(taserver.PublicKey(publicKey)).
+		Where(taserver.IDGT(lastID - 1)).
+		Order(ent.Desc(taserver.FieldID)).
+		First(*ttp.DB.Ctx)
 
 	if err != nil {
-		logViolationByDomain(domain, ttp.DB)
-	}
-
-	isValid := cert.PublicKey.(*rsa.PublicKey).Equal(expected)
-
-	if !isValid {
-		logViolationByDomain(domain, ttp.DB)
+		revokeByDomain(domain, lastID, ttp.DB)
+		return fmt.Errorf("%v: %v", ERROR_CERTIFICATE_NOT_FOUND, err)
 	}
 
 	if !serv.HasActivated {

diff --git a/ttp/ct/audit_test.go b/ttp/ct/audit_test.go
@@ -5,6 +5,7 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
+	"encoding/pem"
 	"testing"
 
 	golangutils "github.com/akakou/golang-utils"
@@ -46,7 +47,7 @@ func testPass(t *testing.T) {
 	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
 	keyBuf := x509.MarshalPKCS1PublicKey(&priv.PublicKey)
 
-	ttp.DB.Client.TAServer.Create().SetDomain("example.com").SetPublicKey(keyBuf).SetQuote("1").SetHasActivated(true).SaveX(*ttp.DB.Ctx)
+	ttp.DB.Client.TAServer.Create().SetDomain("example.com").SetPublicKey(keyBuf).SetQuote("1").SetHasActivated(false).SaveX(*ttp.DB.Ctx)
 	ttp.DB.Client.TACode.Create().SetUniqueID([]byte{1, 2, 3}).SetRepository("").SetCommitID("").SaveX(*ttp.DB.Ctx)
 
 	err := AuditOne(ttp, &x509.Certificate{
@@ -71,11 +72,11 @@ func testFailTANoServer(t *testing.T) {
 	err := AuditOne(ttp, &x509.Certificate{
 		DNSNames:  []string{"hoge.example.com"},
 		Subject:   pkix.Name{CommonName: "hoge.example.com"},
-		PublicKey: []byte{7, 8, 9},
+		PublicKey: &priv.PublicKey,
 	})
 
 	assert.Error(t, err)
-	assert.Contains(t, err.Error(), ERROR_SELECT_SERVER)
+	assert.Contains(t, err.Error(), ERROR_CERTIFICATE_NOT_FOUND)
 }
 
 func testFailByMissDomains(t *testing.T) {
@@ -104,3 +105,34 @@ func testFailByMissDomains(t *testing.T) {
 	assert.Contains(t, err.Error(), ERROR_DOMAIN_INVALID)
 
 }
+
+func TestRealCert(t *testing.T) {
+	str := `-----BEGIN CERTIFICATE-----
+MIIDLTCCAhWgAwIBAgISA0j8iAuL3Swtl7wnUpn2glJuMA0GCSqGSIb3DQEBCwUA
+MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
+EwJSMzAeFw0yNDA1MDUxOTEzMDdaFw0yNDA4MDMxOTEzMDZaMBoxGDAWBgNVBAMT
+D3Rlc3QyLm9jaGFuby5jbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD5o+Zg0
+4dgfFn4WCdGiIvMKGv6mezTbrbNbe5D/IM/3jmtAf01ynrIpGadUx+jrvcRudqyO
+0Yk+7xBFWrov4X+jggEeMIIBGjAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYI
+KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFIw0jiKg
+ImmIKTV3MA3G2ERyG8WzMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJQOYfr52LFMLG
+MFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3IzLm8ubGVuY3Iu
+b3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcvMBoGA1UdEQQT
+MBGCD3Rlc3QyLm9jaGFuby5jbzATBgNVHSAEDDAKMAgGBmeBDAECATATBgorBgEE
+AdZ5AgQDAQH/BAIFADANBgkqhkiG9w0BAQsFAAOCAQEASilPljBjCnU6I6akocU8
+2iBlk5N7sccyE6C0iE5WBiNp49EfEsxvh5EFqqtYWGZ0I82gLy1V38TNp2Y+xCHw
+5gVNQ4IhpGC58yRkKgCREtx6vHbdb6OfZfWEqdiqFrW+xrbJl9qNUKYwO7WFcDa+
+q8VR55lAxm81XMIilEKdxigsm+ZTmtxgqTC/BIicET9G6Eaqj5os1+UvRMxLErED
+oxPKuqFmwydi8Av5EI6bk33GOTlOxtJaOFpkmJ7X6sUiakSLQSpffHzsvsjFYFaW
+6DAIckSIckj41e6jGG4XtiP2j7Rb+4YXtciEJrT8owgV2xgiyw4yV799/8t63d1V
+ww==
+-----END CERTIFICATE-----`
+
+	c, _ := pem.Decode([]byte(str))
+	cert, err := x509.ParseCertificate(c.Bytes)
+	assert.NoError(t, err)
+
+	// ttp := exampleTTP(t)
+	_, err = validateDomains(cert)
+	assert.NoError(t, err)
+}
diff --git a/ttp/ct/errors.go b/ttp/ct/errors.go
@@ -13,5 +13,7 @@ const (
 	ERROR_DOMAIN_INVALID_BY_NUM_DOMAIN                = "number of domain must be 1"
 	ERROR_DOMAIN_INVALID_NOT_MATCH_COMMONNAME_AND_SAT = "CN and SAT must be same"
 
+	ERROR_CERTIFICATE_NOT_FOUND = "certificate not match"
+
 	ERROR_EXTENSION_NOT_FOUND = "extension not found"
 )
diff --git a/ttp/ct/revoke.go b/ttp/ct/revoke.go
@@ -2,31 +2,36 @@ package ct
 
 import (
 	"github.com/akakou/ra_webs/ttp/core"
+	"github.com/akakou/ra_webs/ttp/ent"
 	"github.com/akakou/ra_webs/ttp/ent/taserver"
 )
 
-func logViolationByDomain(domain string, db *core.DB) error {
-	serv, err := db.Client.TAServer.
-		Query().
-		Where(taserver.DomainEQ(domain)).
-		Only(*db.Ctx)
-
-	if err != nil {
-		return nil
-	}
-
+func revoke(serv *ent.TAServer, db *core.DB) {
 	db.Client.TAViolation.Create().
 		SetServer(serv).
 		SaveX(*db.Ctx)
 
 	service := serv.QueryService().FirstX(*db.Ctx)
 	service.Update().SetIsActive(false).SaveX(*db.Ctx)
+}
 
-	return nil
+func revokeByDomain(domain string, last int, db *core.DB) {
+	all, _ := db.Client.TAServer.
+		Query().
+		Where(taserver.DomainEQ(domain)).
+		Where(taserver.IDGT(last - 1)).
+		All(*db.Ctx)
+
+	// todo: error handling
+
+	for _, serv := range all {
+		revoke(serv, db)
+	}
 }
 
-func logViolationsByDomains(domains []string, db *core.DB) {
+func revokeByDomains(domains []string, db *core.DB) {
 	for _, domain := range domains {
-		logViolationByDomain(domain, db)
+		last := lastValidID(domain, db)
+		revokeByDomain(domain, last, db)
 	}
 }
diff --git a/ttp/ct/utils.go b/ttp/ct/utils.go
@@ -4,6 +4,9 @@ import (
 	"crypto/x509"
 
 	metact "github.com/akakou/meta-ct"
+	"github.com/akakou/ra_webs/ttp/core"
+	"github.com/akakou/ra_webs/ttp/ent"
+	"github.com/akakou/ra_webs/ttp/ent/taserver"
 )
 
 func MetaCertsToCerts(cs []metact.MetaCert) ([]x509.Certificate, error) {
@@ -27,3 +30,19 @@ func subscribeCT(domain string, ct *metact.MetaCT) error {
 }
 
 var SubscribeCT = subscribeCT
+
+func lastValidID(domain string, db *core.DB) int {
+	lastValid, err := db.Client.TAServer.
+		Query().
+		Where(taserver.DomainEQ(domain)).
+		Where(taserver.HasActivated(true)).
+		Order(ent.Desc(taserver.FieldID)).
+		First(*db.Ctx)
+
+	var lastID = 0
+	if err == nil {
+		lastID = lastValid.ID
+	}
+
+	return lastID
+}