authorhcpp <hcpp@ydb.tech>2023-11-08 12:09:41 +0300
committerhcpp <hcpp@ydb.tech>2023-11-08 12:56:14 +0300
commita361f5b98b98b44ea510d274f6769164640dd5e1 (patch)
treec47c80962c6e2e7b06798238752fd3da0191a3f6 /library/go/certifi
parent9478806fde1f4d40bd5a45e7cbe77237dab613e9 (diff)
downloadydb-a361f5b98b98b44ea510d274f6769164640dd5e1.tar.gz
metrics have been added
Diffstat (limited to 'library/go/certifi')
-rw-r--r--library/go/certifi/cas.go35
-rw-r--r--library/go/certifi/certifi.go80
-rw-r--r--library/go/certifi/doc.go4
-rw-r--r--library/go/certifi/internal/certs/certs.go13
-rw-r--r--library/go/certifi/internal/certs/ya.make10
-rw-r--r--library/go/certifi/utils.go29
-rw-r--r--library/go/certifi/ya.make21
7 files changed, 192 insertions, 0 deletions
diff --git a/library/go/certifi/cas.go b/library/go/certifi/cas.go
new file mode 100644
index 0000000000..093ce0b23b
--- /dev/null
+++ b/library/go/certifi/cas.go
@@ -0,0 +1,35 @@
+package certifi
+
+import (
+ "crypto/x509"
+ "sync"
+
+ "github.com/ydb-platform/ydb/library/go/certifi/internal/certs"
+)
+
+var (
+ internalOnce sync.Once
+ commonOnce sync.Once
+ internalCAs []*x509.Certificate
+ commonCAs []*x509.Certificate
+)
+
+// InternalCAs returns list of Yandex Internal certificates
+func InternalCAs() []*x509.Certificate {
+ internalOnce.Do(initInternalCAs)
+ return internalCAs
+}
+
+// CommonCAs returns list of common certificates
+func CommonCAs() []*x509.Certificate {
+ commonOnce.Do(initCommonCAs)
+ return commonCAs
+}
+
+func initInternalCAs() {
+ internalCAs = certsFromPEM(certs.InternalCAs())
+}
+
+func initCommonCAs() {
+ commonCAs = certsFromPEM(certs.CommonCAs())
+}
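Review bot: InternalCAs and CommonCAs return the package-level slices internalCAs and commonCAs directly, so a caller that appends to, sorts or truncates the result alters what every later caller of the same accessor sees; the once-guarded init does not protect against that. The elements are *x509.Certificate pointers either way, but the slice header should be copied on the way out, `return append([]*x509.Certificate(nil), internalCAs...)` (and the same for commonCAs), or the contract stated in the doc comment: `// InternalCAs returns the list of Yandex Internal certificates. The returned slice is shared and must not be modified.` The two doc comments should also end with a period per Go doc convention.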
diff --git a/library/go/certifi/certifi.go b/library/go/certifi/certifi.go
new file mode 100644
index 0000000000..e969263883
--- /dev/null
+++ b/library/go/certifi/certifi.go
@@ -0,0 +1,80 @@
+package certifi
+
+import (
+ "crypto/x509"
+ "os"
+)
+
+var underYaMake = true
+
+// NewCertPool returns a copy of the system or bundled cert pool.
+//
+// Default behavior can be modified with env variable, e.g. use system pool:
+//
+// CERTIFI_USE_SYSTEM_CA=yes ./my-cool-program
+func NewCertPool() (caCertPool *x509.CertPool, err error) {
+ if forceSystem() {
+ return NewCertPoolSystem()
+ }
+
+ return NewCertPoolBundled()
+}
+
+// NewCertPoolSystem returns a copy of the system cert pool + common CAs + internal CAs
+//
+// WARNING: system cert pool is not available on Windows
+func NewCertPoolSystem() (caCertPool *x509.CertPool, err error) {
+ caCertPool, err = x509.SystemCertPool()
+
+ if err != nil || caCertPool == nil {
+ caCertPool = x509.NewCertPool()
+ }
+
+ for _, cert := range CommonCAs() {
+ caCertPool.AddCert(cert)
+ }
+
+ for _, cert := range InternalCAs() {
+ caCertPool.AddCert(cert)
+ }
+
+ return caCertPool, nil
+}
+
+// NewCertPoolBundled returns a new cert pool with common CAs + internal CAs
+func NewCertPoolBundled() (caCertPool *x509.CertPool, err error) {
+ caCertPool = x509.NewCertPool()
+
+ for _, cert := range CommonCAs() {
+ caCertPool.AddCert(cert)
+ }
+
+ for _, cert := range InternalCAs() {
+ caCertPool.AddCert(cert)
+ }
+
+ return caCertPool, nil
+}
+
+// NewCertPoolInternal returns a new cert pool with internal CAs
+func NewCertPoolInternal() (caCertPool *x509.CertPool, err error) {
+ caCertPool = x509.NewCertPool()
+
+ for _, cert := range InternalCAs() {
+ caCertPool.AddCert(cert)
+ }
+
+ return caCertPool, nil
+}
+
+func forceSystem() bool {
+ if os.Getenv("CERTIFI_USE_SYSTEM_CA") == "yes" {
+ return true
+ }
+
+ if !underYaMake && len(InternalCAs()) == 0 {
+ return true
+ }
+
+ return false
+}
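Review bot: NewCertPoolSystem discards the error from x509.SystemCertPool() and silently substitutes an empty pool before adding the bundled CAs, then returns a nil error, so a caller that explicitly asked for system trust via CERTIFI_USE_SYSTEM_CA=yes can end up trusting only the bundled roots with no signal that the system store was unavailable. If that fallback is intended (the WARNING above mentions Windows), document it in the doc comment: `// If the system pool cannot be loaded, an empty pool plus the bundled CAs is returned and no error is reported.`; otherwise propagate it with `if err != nil { return nil, fmt.Errorf("loading system cert pool: %w", err) }` and add the fmt import. As written, none of the four constructors can ever return a non-nil err, which makes the named err result misleading to readers of the signature.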
diff --git a/library/go/certifi/doc.go b/library/go/certifi/doc.go
new file mode 100644
index 0000000000..d988ba0563
--- /dev/null
+++ b/library/go/certifi/doc.go
@@ -0,0 +1,4 @@
+// Certifi is a collection of public and internal Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.
+//
+// Certifi use Arcadia Root Certificates for that: https://github.com/ydb-platform/ydb/arc/trunk/arcadia/certs
+package certifi
diff --git a/library/go/certifi/internal/certs/certs.go b/library/go/certifi/internal/certs/certs.go
new file mode 100644
index 0000000000..1e64fe7157
--- /dev/null
+++ b/library/go/certifi/internal/certs/certs.go
@@ -0,0 +1,13 @@
+package certs
+
+import (
+ "github.com/ydb-platform/ydb/library/go/core/resource"
+)
+
+func InternalCAs() []byte {
+ return resource.Get("/certifi/internal.pem")
+}
+
+func CommonCAs() []byte {
+ return resource.Get("/certifi/common.pem")
+}
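Review bot: InternalCAs and CommonCAs are exported without doc comments, and the hunk does not say what a caller gets when the embedded resource is absent — resource.Get's behaviour for an unknown key is not visible here, and presumably an empty or nil result would quietly become an empty CA list downstream rather than a failure. Add `// InternalCAs returns the PEM-encoded Yandex internal root certificates embedded as /certifi/internal.pem.` and the analogous comment on CommonCAs, and state the missing-resource behaviour once it is confirmed.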
diff --git a/library/go/certifi/internal/certs/ya.make b/library/go/certifi/internal/certs/ya.make
new file mode 100644
index 0000000000..d16d7ab5ad
--- /dev/null
+++ b/library/go/certifi/internal/certs/ya.make
@@ -0,0 +1,10 @@
+GO_LIBRARY()
+
+RESOURCE(
+ certs/cacert.pem /certifi/common.pem
+ certs/yandex_internal.pem /certifi/internal.pem
+)
+
+SRCS(certs.go)
+
+END()
diff --git a/library/go/certifi/utils.go b/library/go/certifi/utils.go
new file mode 100644
index 0000000000..76d90e3f1f
--- /dev/null
+++ b/library/go/certifi/utils.go
@@ -0,0 +1,29 @@
+package certifi
+
+import (
+ "crypto/x509"
+ "encoding/pem"
+)
+
+func certsFromPEM(pemCerts []byte) []*x509.Certificate {
+ var result []*x509.Certificate
+ for len(pemCerts) > 0 {
+ var block *pem.Block
+ block, pemCerts = pem.Decode(pemCerts)
+ if block == nil {
+ break
+ }
+ if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
+ continue
+ }
+
+ cert, err := x509.ParseCertificate(block.Bytes)
+ if err != nil {
+ continue
+ }
+
+ result = append(result, cert)
+ }
+
+ return result
+}
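Review bot: certsFromPEM skips every CERTIFICATE block that x509.ParseCertificate rejects (the `continue` after the parse error) as well as blocks carrying headers, so a corrupted or unsupported root in the bundled PEM simply disappears from the trust pool with no log line, error or count for the caller to notice. For a function whose output becomes a TLS trust store that silent narrowing deserves at least a doc comment, `// certsFromPEM parses every CERTIFICATE block in pemCerts; blocks with headers or that fail to parse are skipped silently.`, and ideally a returned count or error that the sync.Once initialisers in cas.go can surface. The loop otherwise duplicates what (*x509.CertPool).AppendCertsFromPEM does, so the bundled constructors could delegate to that and keep this helper only for the []*x509.Certificate accessors.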
diff --git a/library/go/certifi/ya.make b/library/go/certifi/ya.make
new file mode 100644
index 0000000000..d8181f1d68
--- /dev/null
+++ b/library/go/certifi/ya.make
@@ -0,0 +1,21 @@
+GO_LIBRARY()
+
+SRCS(
+ cas.go
+ certifi.go
+ doc.go
+ utils.go
+)
+
+GO_XTEST_SRCS(
+ certifi_example_test.go
+ certifi_test.go
+ utils_test.go
+)
+
+END()
+
+RECURSE(
+ gotest
+ internal
+)
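Review bot: GO_XTEST_SRCS lists certifi_example_test.go, certifi_test.go and utils_test.go and RECURSE names a gotest directory, but none of those appear in this commit's diffstat (limited to library/go/certifi), so the package likely fails to build or test as committed unless they land in a separate change. The same question applies to the RESOURCE entries certs/cacert.pem and certs/yandex_internal.pem in internal/certs/ya.make if those paths resolve relative to that directory rather than the Arcadia root. Either add the referenced files in the same commit or drop the references until they exist.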