cert-v2: verify all certificates provided to us. If one or more certs…

… fail, report which ones.
slackhq · Dec 12, 2024 · 66fe4ff · 66fe4ff
1 parent 21a117a
commit 66fe4ff
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 11 deletions.
diff --git a/cert/ca_pool.go b/cert/ca_pool.go
@@ -213,7 +213,7 @@ func (ncp *CAPool) GetCAForCert(c Certificate) (*CachedCertificate, error) {
 		return signer, nil
 	}
 
-	return nil, fmt.Errorf("could not find ca for the certificate")
+	return nil, ErrCaNotFound
 }
 
 // GetFingerprints returns an array of trusted CA fingerprints

diff --git a/cert/errors.go b/cert/errors.go
@@ -17,6 +17,7 @@ var (
 	ErrInvalidPrivateKey          = errors.New("invalid private key")
 	ErrPublicPrivateCurveMismatch = errors.New("public key does not match private key curve")
 	ErrPublicPrivateKeyMismatch   = errors.New("public key and private key are not a pair")
+	ErrCaNotFound                 = errors.New("could not find ca for the certificate")
 
 	ErrPrivateKeyEncrypted = errors.New("private key must be decrypted")
 

diff --git a/cmd/nebula-cert/verify.go b/cmd/nebula-cert/verify.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"errors"
 	"flag"
 	"fmt"
 	"io"
@@ -60,18 +61,28 @@ func verify(args []string, out io.Writer, errOut io.Writer) error {
 	if err != nil {
 		return fmt.Errorf("unable to read crt; %s", err)
 	}
-
-	c, _, err := cert.UnmarshalCertificateFromPEM(rawCert)
-	if err != nil {
-		return fmt.Errorf("error while parsing crt: %s", err)
-	}
-
-	_, err = caPool.VerifyCertificate(time.Now(), c)
-	if err != nil {
-		return err
+	var errs []error
+	for {
+		if len(rawCert) == 0 {
+			break
+		}
+		c, extra, err := cert.UnmarshalCertificateFromPEM(rawCert)
+		if err != nil {
+			return fmt.Errorf("error while parsing crt: %s", err)
+		}
+		rawCert = extra
+		_, err = caPool.VerifyCertificate(time.Now(), c)
+		if err != nil {
+			switch {
+			case errors.Is(err, cert.ErrCaNotFound):
+				errs = append(errs, fmt.Errorf("error while verifying certificate v%d %s with issuer %s: %s", c.Version(), c.Name(), c.Issuer(), err))
+			default:
+				errs = append(errs, fmt.Errorf("error while verifying certificate %+v: %s", c, err))
+			}
+		}
 	}
 
-	return nil
+	return errors.Join(errs...)
 }
 
 func verifySummary() string {