"crypto/x509"
"encoding/hex"
"encoding/pem"
+ "errors"
"fmt"
+ "io/fs"
"log"
"os"
"os/exec"
fifos.LogDANE <- fmt.Sprintf("%s\tNAK", host)
}
}
+ if len(verifiedChains) > 0 {
+ caHashes := make(map[string]struct{})
+ for _, certs := range verifiedChains {
+ for _, cert := range certs {
+ caHashes[spkiHash(cert)] = struct{}{}
+ }
+ }
+ var restrictedHosts []string
+ caches.RestrictedM.RLock()
+ for h := range caHashes {
+ restrictedHosts = append(restrictedHosts, caches.Restricted[h]...)
+ }
+ caches.RestrictedM.RUnlock()
+ if len(restrictedHosts) > 0 {
+ for _, h := range restrictedHosts {
+ if host == h || strings.HasSuffix(host, "."+h) {
+ goto HostIsNotRestricted
+ }
+ }
+ fifos.LogCert <- fmt.Sprintf("Restricted\t%s", host)
+ return ErrRejected{host}
+ }
+ }
+HostIsNotRestricted:
fn := filepath.Join(Certs, host)
certsOur, _, err := ucspi.CertPoolFromFile(fn)
if err == nil || dialErr != nil || (daneExists && !daneMatched) {
return ErrRejected{host}
}
} else {
- if !os.IsNotExist(err) {
+ if !errors.Is(err, fs.ErrNotExist) {
return err
}
fifos.LogCert <- fmt.Sprintf("TOFU\t%s\t%s", host, certTheirHash)