| OLD | NEW |
|---|
| 1 // Copyright 2017 The LUCI Authors. All rights reserved. | 1 // Copyright 2017 The LUCI Authors. All rights reserved. |
| 2 // Use of this source code is governed under the Apache License, Version 2.0 | 2 // Use of this source code is governed under the Apache License, Version 2.0 |
| 3 // that can be found in the LICENSE file. | 3 // that can be found in the LICENSE file. |
| 4 | 4 |
| 5 package tokensigning | 5 package tokensigning |
| 6 | 6 |
| 7 import ( | 7 import ( |
| 8 "crypto/x509" | 8 "crypto/x509" |
| 9 "encoding/base64" | 9 "encoding/base64" |
| 10 "fmt" | 10 "fmt" |
| 11 "strings" | 11 "strings" |
| 12 | 12 |
| 13 "github.com/golang/protobuf/proto" | 13 "github.com/golang/protobuf/proto" |
| 14 "golang.org/x/net/context" | 14 "golang.org/x/net/context" |
| 15 | 15 |
| 16 "github.com/luci/luci-go/common/clock" | 16 "github.com/luci/luci-go/common/clock" |
| 17 » "github.com/luci/luci-go/common/errors" | 17 » "github.com/luci/luci-go/common/retry/transient" |
| 18 "github.com/luci/luci-go/server/auth/signing" | 18 "github.com/luci/luci-go/server/auth/signing" |
| 19 ) | 19 ) |
| 20 | 20 |
| 21 // Inspector knows how to inspect tokens produced by Signer. | 21 // Inspector knows how to inspect tokens produced by Signer. |
| 22 // | 22 // |
| 23 // It is used by Inspect<something>Token RPCs (available only to admins). It | 23 // It is used by Inspect<something>Token RPCs (available only to admins). It |
| 24 // tries to return as much information as possible. In particular, it tries to | 24 // tries to return as much information as possible. In particular, it tries to |
| 25 // deserialize the token body even if the signature is no longer valid. This is | 25 // deserialize the token body even if the signature is no longer valid. This is |
| 26 // useful when debugging broken tokens. | 26 // useful when debugging broken tokens. |
| 27 // | 27 // |
| (...skipping 118 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 146 return "" | 146 return "" |
| 147 } | 147 } |
| 148 } | 148 } |
| 149 | 149 |
| 150 // checkSignature verifies the signature of the token. | 150 // checkSignature verifies the signature of the token. |
| 151 // | 151 // |
| 152 // Returns "" if the signature is correct, or an invalidity reason if it is not. | 152 // Returns "" if the signature is correct, or an invalidity reason if it is not. |
| 153 func (i *Inspector) checkSignature(c context.Context, unwrapped *Unwrapped) (str
ing, error) { | 153 func (i *Inspector) checkSignature(c context.Context, unwrapped *Unwrapped) (str
ing, error) { |
| 154 certsBundle, err := i.Certificates.Certificates(c) | 154 certsBundle, err := i.Certificates.Certificates(c) |
| 155 if err != nil { | 155 if err != nil { |
| 156 » » return "", errors.WrapTransient(err) | 156 » » return "", transient.Tag.Apply(err) |
| 157 } | 157 } |
| 158 cert, err := certsBundle.CertificateForKey(unwrapped.KeyID) | 158 cert, err := certsBundle.CertificateForKey(unwrapped.KeyID) |
| 159 if err != nil { | 159 if err != nil { |
| 160 return fmt.Sprintf("invalid signing key - %s", err), nil | 160 return fmt.Sprintf("invalid signing key - %s", err), nil |
| 161 } | 161 } |
| 162 withCtx := prependSigningContext(unwrapped.Body, i.SigningContext) | 162 withCtx := prependSigningContext(unwrapped.Body, i.SigningContext) |
| 163 err = cert.CheckSignature(x509.SHA256WithRSA, withCtx, unwrapped.RsaSHA2
56Sig) | 163 err = cert.CheckSignature(x509.SHA256WithRSA, withCtx, unwrapped.RsaSHA2
56Sig) |
| 164 if err != nil { | 164 if err != nil { |
| 165 return fmt.Sprintf("bad signature - %s", err), nil | 165 return fmt.Sprintf("bad signature - %s", err), nil |
| 166 } | 166 } |
| 167 return "", nil | 167 return "", nil |
| 168 } | 168 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2951393002:
[errors] de-specialize Transient in favor of Tags. (Closed)
