make MatchPeerCertificatesFromSecret work with certificate chains (#667)
Co-authored-by: Marek Schmidt <[email protected]>
knative-prow-robot and maschmid authored Feb 6, 2024
1 parent 50276df commit e5d2639
Showing 1 changed file with 34 additions and 5 deletions.
39 changes: 34 additions & 5 deletions pkg/eventshub/assert/step.go
@@ -1,8 +1,10 @@
package assert

import (
"bytes"
"context"
"encoding/json"
"encoding/pem"
"fmt"

cetest "github.com/cloudevents/sdk-go/v2/test"
Expand Down Expand Up @@ -144,13 +146,40 @@ func MatchPeerCertificatesFromSecret(namespace, name string, key string) eventsh
return fmt.Errorf("failed to match peer certificates, connection is not TLS")
}

for _, cert := range info.Connection.TLS.PemPeerCertificates {
if cert == string(value) {
return nil
// secret value can, in general, be a certificate chain (a sequence of PEM-encoded certificate blocks)
valueBlock, valueRest := pem.Decode(value)
if valueBlock == nil {
// error if there's not even a single certificate in the value
return fmt.Errorf("failed to decode secret certificate:\n%s", string(value))
}
// for each certificate in the chain, check if it's present in info.Connection.TLS.PemPeerCertificates
for valueBlock != nil {
found := false
for _, cert := range info.Connection.TLS.PemPeerCertificates {
certBlock, _ := pem.Decode([]byte(cert))
if certBlock == nil {
return fmt.Errorf("failed to decode peer certificate:\n%s", cert)
}

if certBlock.Type == valueBlock.Type && string(certBlock.Bytes) == string(valueBlock.Bytes) {
found = true
break
}
}

if !found {
pemBytes, _ := json.MarshalIndent(info.Connection.TLS.PemPeerCertificates, "", " ")
return fmt.Errorf("failed to find peer certificate with value\n%s\nin:\n%s", string(value), string(pemBytes))
}

valueBlock, valueRest = pem.Decode(valueRest)
}

// any non-whitespace suffix not parsed as a PEM is suspicious, so we treat it as an error:
if "" != string(bytes.TrimSpace(valueRest)) {
return fmt.Errorf("failed to decode secret certificate starting with\n%s\nin:\n%s", string(valueRest), string(value))
}

bytes, _ := json.MarshalIndent(info.Connection.TLS.PemPeerCertificates, "", " ")
return fmt.Errorf("failed to find peer certificate with value\n%s\nin:\n%s", string(value), string(bytes))
return nil
}
}
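Review bot: The match implemented by the new loops is a subset check — every PEM block in the secret must appear somewhere in info.Connection.TLS.PemPeerCertificates, while ordering and additional peer certificates are not compared — and the function's doc comment, which sits above the hunk header if there is one, should say so, e.g. `// Each certificate block in the secret must be present in the peer's presented chain; the chain may contain additional certificates and order is not compared.` Neither block is required to be of type CERTIFICATE, so a non-certificate PEM block in the secret fails with the "failed to find peer certificate" message rather than a type error; a guard such as `if valueBlock.Type != "CERTIFICATE" { return fmt.Errorf("unexpected PEM block type %q in secret", valueBlock.Type) }` at the top of the outer loop makes the failure explicit. Each peer certificate is also re-decoded once per secret block, and a decode failure of a peer certificate is only reported if it is reached before a match; decoding the peer chain once before the outer loop, as sketched below, removes both. The Yoda comparison `"" != string(bytes.TrimSpace(valueRest))` reads more naturally as `len(bytes.TrimSpace(valueRest)) != 0`.
```go
	// decode every presented peer certificate once, before walking the secret's chain
	peerBlocks := make([]*pem.Block, 0, len(info.Connection.TLS.PemPeerCertificates))
	for _, cert := range info.Connection.TLS.PemPeerCertificates {
		certBlock, _ := pem.Decode([]byte(cert))
		if certBlock == nil {
			return fmt.Errorf("failed to decode peer certificate:\n%s", cert)
		}
		peerBlocks = append(peerBlocks, certBlock)
	}
	// for each certificate in the chain, check if it's present in the decoded peer chain
	for valueBlock != nil {
		found := false
		for _, certBlock := range peerBlocks {
			if certBlock.Type == valueBlock.Type && bytes.Equal(certBlock.Bytes, valueBlock.Bytes) {
				found = true
				break
			}
		}
		// … unchanged: not-found error and advance to the next secret block …
	}
	// … unchanged: trailing-data check …
```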
