Skip to content

Commit

Permalink
Preflight openssl verify (#438)
Browse files Browse the repository at this point in the history
* verify only server cert, not intermediate certs at this point
  • Loading branch information
ashwathishiva authored Jun 25, 2020
1 parent 34f702b commit 568012e
Showing 1 changed file with 14 additions and 9 deletions.
23 changes: 14 additions & 9 deletions pkg/preflight/verify_ca.go
Original file line number Diff line number Diff line change
Expand Up @@ -93,25 +93,30 @@ func (qp *QliksensePreflight) extractCertAndVerify(server string, caCertificates
// Get the ConnectionState struct as that's the one which gives us x509.Certificate struct
x509Certificates := conn.ConnectionState().PeerCertificates

var serverCert *x509.Certificate
if len(x509Certificates) == 0 {
return fmt.Errorf("no server certificates retrieved from the server")
}
if len(x509Certificates) > 1 {
return fmt.Errorf("more than 1 server certificate retrieved from the server")
// we retrieve and verify the server certificate, we ignore intermediate certificates at this point.
for _, x509Cert := range x509Certificates {
if !x509Cert.IsCA {
serverCert = x509Cert
break
}
}
if serverCert == nil {
return fmt.Errorf("no valid server certificates retrieved from the server")
}
// execute verify cmd
roots := x509.NewCertPool()
ok := roots.AppendCertsFromPEM([]byte(caCertificates))
if !ok {
if ok := roots.AppendCertsFromPEM([]byte(caCertificates)); !ok {
return fmt.Errorf("failed to parse root certificate.")
}

opts := x509.VerifyOptions{
Roots: roots,
DNSName: u.Hostname(),
Intermediates: x509.NewCertPool(),
Roots: roots,
DNSName: u.Hostname(),
}
if _, err := x509Certificates[0].Verify(opts); err != nil {
if _, err := serverCert.Verify(opts); err != nil {
return fmt.Errorf("failed to verify certificate: " + err.Error())
}
return nil
Expand Down

0 comments on commit 568012e

Please sign in to comment.