From 5be0e82f6cbc4916b9c3681b0625e4c807010dbb Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Tue, 25 Feb 2025 12:37:50 +0000 Subject: [PATCH 01/23] copy verify.go from x509 --- internal/x509util/verify.go | 1603 +++++++++++++++++++++++++++++++++++ 1 file changed, 1603 insertions(+) create mode 100644 internal/x509util/verify.go diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go new file mode 100644 index 00000000..d2384f56 --- /dev/null +++ b/internal/x509util/verify.go @@ -0,0 +1,1603 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package x509 + +import ( + "bytes" + "crypto" + "crypto/x509/pkix" + "errors" + "fmt" + "iter" + "maps" + "net" + "net/url" + "reflect" + "runtime" + "strings" + "time" + "unicode/utf8" +) + +type InvalidReason int + +const ( + // NotAuthorizedToSign results when a certificate is signed by another + // which isn't marked as a CA certificate. + NotAuthorizedToSign InvalidReason = iota + // Expired results when a certificate has expired, based on the time + // given in the VerifyOptions. + Expired + // CANotAuthorizedForThisName results when an intermediate or root + // certificate has a name constraint which doesn't permit a DNS or + // other name (including IP address) in the leaf certificate. + CANotAuthorizedForThisName + // TooManyIntermediates results when a path length constraint is + // violated. + TooManyIntermediates + // IncompatibleUsage results when the certificate's key usage indicates + // that it may only be used for a different purpose. + IncompatibleUsage + // NameMismatch results when the subject name of a parent certificate + // does not match the issuer name in the child. + NameMismatch + // NameConstraintsWithoutSANs is a legacy error and is no longer returned. + NameConstraintsWithoutSANs + // UnconstrainedName results when a CA certificate contains permitted + // name constraints, but leaf certificate contains a name of an + // unsupported or unconstrained type. + UnconstrainedName + // TooManyConstraints results when the number of comparison operations + // needed to check a certificate exceeds the limit set by + // VerifyOptions.MaxConstraintComparisions. This limit exists to + // prevent pathological certificates can consuming excessive amounts of + // CPU time to verify. + TooManyConstraints + // CANotAuthorizedForExtKeyUsage results when an intermediate or root + // certificate does not permit a requested extended key usage. + CANotAuthorizedForExtKeyUsage + // NoValidChains results when there are no valid chains to return. + NoValidChains +) + +// CertificateInvalidError results when an odd error occurs. Users of this +// library probably want to handle all these errors uniformly. +type CertificateInvalidError struct { + Cert *Certificate + Reason InvalidReason + Detail string +} + +func (e CertificateInvalidError) Error() string { + switch e.Reason { + case NotAuthorizedToSign: + return "x509: certificate is not authorized to sign other certificates" + case Expired: + return "x509: certificate has expired or is not yet valid: " + e.Detail + case CANotAuthorizedForThisName: + return "x509: a root or intermediate certificate is not authorized to sign for this name: " + e.Detail + case CANotAuthorizedForExtKeyUsage: + return "x509: a root or intermediate certificate is not authorized for an extended key usage: " + e.Detail + case TooManyIntermediates: + return "x509: too many intermediates for path length constraint" + case IncompatibleUsage: + return "x509: certificate specifies an incompatible key usage" + case NameMismatch: + return "x509: issuer name does not match subject from issuing certificate" + case NameConstraintsWithoutSANs: + return "x509: issuer has name constraints but leaf doesn't have a SAN extension" + case UnconstrainedName: + return "x509: issuer has name constraints but leaf contains unknown or unconstrained name: " + e.Detail + case NoValidChains: + s := "x509: no valid chains built" + if e.Detail != "" { + s = fmt.Sprintf("%s: %s", s, e.Detail) + } + return s + } + return "x509: unknown error" +} + +// HostnameError results when the set of authorized names doesn't match the +// requested name. +type HostnameError struct { + Certificate *Certificate + Host string +} + +func (h HostnameError) Error() string { + c := h.Certificate + + if !c.hasSANExtension() && matchHostnames(c.Subject.CommonName, h.Host) { + return "x509: certificate relies on legacy Common Name field, use SANs instead" + } + + var valid string + if ip := net.ParseIP(h.Host); ip != nil { + // Trying to validate an IP + if len(c.IPAddresses) == 0 { + return "x509: cannot validate certificate for " + h.Host + " because it doesn't contain any IP SANs" + } + for _, san := range c.IPAddresses { + if len(valid) > 0 { + valid += ", " + } + valid += san.String() + } + } else { + valid = strings.Join(c.DNSNames, ", ") + } + + if len(valid) == 0 { + return "x509: certificate is not valid for any names, but wanted to match " + h.Host + } + return "x509: certificate is valid for " + valid + ", not " + h.Host +} + +// UnknownAuthorityError results when the certificate issuer is unknown +type UnknownAuthorityError struct { + Cert *Certificate + // hintErr contains an error that may be helpful in determining why an + // authority wasn't found. + hintErr error + // hintCert contains a possible authority certificate that was rejected + // because of the error in hintErr. + hintCert *Certificate +} + +func (e UnknownAuthorityError) Error() string { + s := "x509: certificate signed by unknown authority" + if e.hintErr != nil { + certName := e.hintCert.Subject.CommonName + if len(certName) == 0 { + if len(e.hintCert.Subject.Organization) > 0 { + certName = e.hintCert.Subject.Organization[0] + } else { + certName = "serial:" + e.hintCert.SerialNumber.String() + } + } + s += fmt.Sprintf(" (possibly because of %q while trying to verify candidate authority certificate %q)", e.hintErr, certName) + } + return s +} + +// SystemRootsError results when we fail to load the system root certificates. +type SystemRootsError struct { + Err error +} + +func (se SystemRootsError) Error() string { + msg := "x509: failed to load system roots and no roots provided" + if se.Err != nil { + return msg + "; " + se.Err.Error() + } + return msg +} + +func (se SystemRootsError) Unwrap() error { return se.Err } + +// errNotParsed is returned when a certificate without ASN.1 contents is +// verified. Platform-specific verification needs the ASN.1 contents. +var errNotParsed = errors.New("x509: missing ASN.1 contents; use ParseCertificate") + +// VerifyOptions contains parameters for Certificate.Verify. +type VerifyOptions struct { + // DNSName, if set, is checked against the leaf certificate with + // Certificate.VerifyHostname or the platform verifier. + DNSName string + + // Intermediates is an optional pool of certificates that are not trust + // anchors, but can be used to form a chain from the leaf certificate to a + // root certificate. + Intermediates *CertPool + // Roots is the set of trusted root certificates the leaf certificate needs + // to chain up to. If nil, the system roots or the platform verifier are used. + Roots *CertPool + + // CurrentTime is used to check the validity of all certificates in the + // chain. If zero, the current time is used. + CurrentTime time.Time + + // KeyUsages specifies which Extended Key Usage values are acceptable. A + // chain is accepted if it allows any of the listed values. An empty list + // means ExtKeyUsageServerAuth. To accept any key usage, include ExtKeyUsageAny. + KeyUsages []ExtKeyUsage + + // MaxConstraintComparisions is the maximum number of comparisons to + // perform when checking a given certificate's name constraints. If + // zero, a sensible default is used. This limit prevents pathological + // certificates from consuming excessive amounts of CPU time when + // validating. It does not apply to the platform verifier. + MaxConstraintComparisions int + + // CertificatePolicies specifies which certificate policy OIDs are + // acceptable during policy validation. An empty CertificatePolices + // field implies any valid policy is acceptable. + CertificatePolicies []OID + + // The following policy fields are unexported, because we do not expect + // users to actually need to use them, but are useful for testing the + // policy validation code. + + // inhibitPolicyMapping indicates if policy mapping should be allowed + // during path validation. + inhibitPolicyMapping bool + + // requireExplicitPolicy indidicates if explicit policies must be present + // for each certificate being validated. + requireExplicitPolicy bool + + // inhibitAnyPolicy indicates if the anyPolicy policy should be + // processed if present in a certificate being validated. + inhibitAnyPolicy bool +} + +const ( + leafCertificate = iota + intermediateCertificate + rootCertificate +) + +// rfc2821Mailbox represents a “mailbox” (which is an email address to most +// people) by breaking it into the “local” (i.e. before the '@') and “domain” +// parts. +type rfc2821Mailbox struct { + local, domain string +} + +// parseRFC2821Mailbox parses an email address into local and domain parts, +// based on the ABNF for a “Mailbox” from RFC 2821. According to RFC 5280, +// Section 4.2.1.6 that's correct for an rfc822Name from a certificate: “The +// format of an rfc822Name is a "Mailbox" as defined in RFC 2821, Section 4.1.2”. +func parseRFC2821Mailbox(in string) (mailbox rfc2821Mailbox, ok bool) { + if len(in) == 0 { + return mailbox, false + } + + localPartBytes := make([]byte, 0, len(in)/2) + + if in[0] == '"' { + // Quoted-string = DQUOTE *qcontent DQUOTE + // non-whitespace-control = %d1-8 / %d11 / %d12 / %d14-31 / %d127 + // qcontent = qtext / quoted-pair + // qtext = non-whitespace-control / + // %d33 / %d35-91 / %d93-126 + // quoted-pair = ("\" text) / obs-qp + // text = %d1-9 / %d11 / %d12 / %d14-127 / obs-text + // + // (Names beginning with “obs-” are the obsolete syntax from RFC 2822, + // Section 4. Since it has been 16 years, we no longer accept that.) + in = in[1:] + QuotedString: + for { + if len(in) == 0 { + return mailbox, false + } + c := in[0] + in = in[1:] + + switch { + case c == '"': + break QuotedString + + case c == '\\': + // quoted-pair + if len(in) == 0 { + return mailbox, false + } + if in[0] == 11 || + in[0] == 12 || + (1 <= in[0] && in[0] <= 9) || + (14 <= in[0] && in[0] <= 127) { + localPartBytes = append(localPartBytes, in[0]) + in = in[1:] + } else { + return mailbox, false + } + + case c == 11 || + c == 12 || + // Space (char 32) is not allowed based on the + // BNF, but RFC 3696 gives an example that + // assumes that it is. Several “verified” + // errata continue to argue about this point. + // We choose to accept it. + c == 32 || + c == 33 || + c == 127 || + (1 <= c && c <= 8) || + (14 <= c && c <= 31) || + (35 <= c && c <= 91) || + (93 <= c && c <= 126): + // qtext + localPartBytes = append(localPartBytes, c) + + default: + return mailbox, false + } + } + } else { + // Atom ("." Atom)* + NextChar: + for len(in) > 0 { + // atext from RFC 2822, Section 3.2.4 + c := in[0] + + switch { + case c == '\\': + // Examples given in RFC 3696 suggest that + // escaped characters can appear outside of a + // quoted string. Several “verified” errata + // continue to argue the point. We choose to + // accept it. + in = in[1:] + if len(in) == 0 { + return mailbox, false + } + fallthrough + + case ('0' <= c && c <= '9') || + ('a' <= c && c <= 'z') || + ('A' <= c && c <= 'Z') || + c == '!' || c == '#' || c == '$' || c == '%' || + c == '&' || c == '\'' || c == '*' || c == '+' || + c == '-' || c == '/' || c == '=' || c == '?' || + c == '^' || c == '_' || c == '`' || c == '{' || + c == '|' || c == '}' || c == '~' || c == '.': + localPartBytes = append(localPartBytes, in[0]) + in = in[1:] + + default: + break NextChar + } + } + + if len(localPartBytes) == 0 { + return mailbox, false + } + + // From RFC 3696, Section 3: + // “period (".") may also appear, but may not be used to start + // or end the local part, nor may two or more consecutive + // periods appear.” + twoDots := []byte{'.', '.'} + if localPartBytes[0] == '.' || + localPartBytes[len(localPartBytes)-1] == '.' || + bytes.Contains(localPartBytes, twoDots) { + return mailbox, false + } + } + + if len(in) == 0 || in[0] != '@' { + return mailbox, false + } + in = in[1:] + + // The RFC species a format for domains, but that's known to be + // violated in practice so we accept that anything after an '@' is the + // domain part. + if _, ok := domainToReverseLabels(in); !ok { + return mailbox, false + } + + mailbox.local = string(localPartBytes) + mailbox.domain = in + return mailbox, true +} + +// domainToReverseLabels converts a textual domain name like foo.example.com to +// the list of labels in reverse order, e.g. ["com", "example", "foo"]. +func domainToReverseLabels(domain string) (reverseLabels []string, ok bool) { + for len(domain) > 0 { + if i := strings.LastIndexByte(domain, '.'); i == -1 { + reverseLabels = append(reverseLabels, domain) + domain = "" + } else { + reverseLabels = append(reverseLabels, domain[i+1:]) + domain = domain[:i] + if i == 0 { // domain == "" + // domain is prefixed with an empty label, append an empty + // string to reverseLabels to indicate this. + reverseLabels = append(reverseLabels, "") + } + } + } + + if len(reverseLabels) > 0 && len(reverseLabels[0]) == 0 { + // An empty label at the end indicates an absolute value. + return nil, false + } + + for _, label := range reverseLabels { + if len(label) == 0 { + // Empty labels are otherwise invalid. + return nil, false + } + + for _, c := range label { + if c < 33 || c > 126 { + // Invalid character. + return nil, false + } + } + } + + return reverseLabels, true +} + +func matchEmailConstraint(mailbox rfc2821Mailbox, constraint string) (bool, error) { + // If the constraint contains an @, then it specifies an exact mailbox + // name. + if strings.Contains(constraint, "@") { + constraintMailbox, ok := parseRFC2821Mailbox(constraint) + if !ok { + return false, fmt.Errorf("x509: internal error: cannot parse constraint %q", constraint) + } + return mailbox.local == constraintMailbox.local && strings.EqualFold(mailbox.domain, constraintMailbox.domain), nil + } + + // Otherwise the constraint is like a DNS constraint of the domain part + // of the mailbox. + return matchDomainConstraint(mailbox.domain, constraint) +} + +func matchURIConstraint(uri *url.URL, constraint string) (bool, error) { + // From RFC 5280, Section 4.2.1.10: + // “a uniformResourceIdentifier that does not include an authority + // component with a host name specified as a fully qualified domain + // name (e.g., if the URI either does not include an authority + // component or includes an authority component in which the host name + // is specified as an IP address), then the application MUST reject the + // certificate.” + + host := uri.Host + if len(host) == 0 { + return false, fmt.Errorf("URI with empty host (%q) cannot be matched against constraints", uri.String()) + } + + if strings.Contains(host, ":") && !strings.HasSuffix(host, "]") { + var err error + host, _, err = net.SplitHostPort(uri.Host) + if err != nil { + return false, err + } + } + + if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") || + net.ParseIP(host) != nil { + return false, fmt.Errorf("URI with IP (%q) cannot be matched against constraints", uri.String()) + } + + return matchDomainConstraint(host, constraint) +} + +func matchIPConstraint(ip net.IP, constraint *net.IPNet) (bool, error) { + if len(ip) != len(constraint.IP) { + return false, nil + } + + for i := range ip { + if mask := constraint.Mask[i]; ip[i]&mask != constraint.IP[i]&mask { + return false, nil + } + } + + return true, nil +} + +func matchDomainConstraint(domain, constraint string) (bool, error) { + // The meaning of zero length constraints is not specified, but this + // code follows NSS and accepts them as matching everything. + if len(constraint) == 0 { + return true, nil + } + + domainLabels, ok := domainToReverseLabels(domain) + if !ok { + return false, fmt.Errorf("x509: internal error: cannot parse domain %q", domain) + } + + // RFC 5280 says that a leading period in a domain name means that at + // least one label must be prepended, but only for URI and email + // constraints, not DNS constraints. The code also supports that + // behaviour for DNS constraints. + + mustHaveSubdomains := false + if constraint[0] == '.' { + mustHaveSubdomains = true + constraint = constraint[1:] + } + + constraintLabels, ok := domainToReverseLabels(constraint) + if !ok { + return false, fmt.Errorf("x509: internal error: cannot parse domain %q", constraint) + } + + if len(domainLabels) < len(constraintLabels) || + (mustHaveSubdomains && len(domainLabels) == len(constraintLabels)) { + return false, nil + } + + for i, constraintLabel := range constraintLabels { + if !strings.EqualFold(constraintLabel, domainLabels[i]) { + return false, nil + } + } + + return true, nil +} + +// checkNameConstraints checks that c permits a child certificate to claim the +// given name, of type nameType. The argument parsedName contains the parsed +// form of name, suitable for passing to the match function. The total number +// of comparisons is tracked in the given count and should not exceed the given +// limit. +func (c *Certificate) checkNameConstraints(count *int, + maxConstraintComparisons int, + nameType string, + name string, + parsedName any, + match func(parsedName, constraint any) (match bool, err error), + permitted, excluded any) error { + + excludedValue := reflect.ValueOf(excluded) + + *count += excludedValue.Len() + if *count > maxConstraintComparisons { + return CertificateInvalidError{c, TooManyConstraints, ""} + } + + for i := 0; i < excludedValue.Len(); i++ { + constraint := excludedValue.Index(i).Interface() + match, err := match(parsedName, constraint) + if err != nil { + return CertificateInvalidError{c, CANotAuthorizedForThisName, err.Error()} + } + + if match { + return CertificateInvalidError{c, CANotAuthorizedForThisName, fmt.Sprintf("%s %q is excluded by constraint %q", nameType, name, constraint)} + } + } + + permittedValue := reflect.ValueOf(permitted) + + *count += permittedValue.Len() + if *count > maxConstraintComparisons { + return CertificateInvalidError{c, TooManyConstraints, ""} + } + + ok := true + for i := 0; i < permittedValue.Len(); i++ { + constraint := permittedValue.Index(i).Interface() + + var err error + if ok, err = match(parsedName, constraint); err != nil { + return CertificateInvalidError{c, CANotAuthorizedForThisName, err.Error()} + } + + if ok { + break + } + } + + if !ok { + return CertificateInvalidError{c, CANotAuthorizedForThisName, fmt.Sprintf("%s %q is not permitted by any constraint", nameType, name)} + } + + return nil +} + +// isValid performs validity checks on c given that it is a candidate to append +// to the chain in currentChain. +func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *VerifyOptions) error { + if len(c.UnhandledCriticalExtensions) > 0 { + return UnhandledCriticalExtension{} + } + + if len(currentChain) > 0 { + child := currentChain[len(currentChain)-1] + if !bytes.Equal(child.RawIssuer, c.RawSubject) { + return CertificateInvalidError{c, NameMismatch, ""} + } + } + + now := opts.CurrentTime + if now.IsZero() { + now = time.Now() + } + if now.Before(c.NotBefore) { + return CertificateInvalidError{ + Cert: c, + Reason: Expired, + Detail: fmt.Sprintf("current time %s is before %s", now.Format(time.RFC3339), c.NotBefore.Format(time.RFC3339)), + } + } else if now.After(c.NotAfter) { + return CertificateInvalidError{ + Cert: c, + Reason: Expired, + Detail: fmt.Sprintf("current time %s is after %s", now.Format(time.RFC3339), c.NotAfter.Format(time.RFC3339)), + } + } + + maxConstraintComparisons := opts.MaxConstraintComparisions + if maxConstraintComparisons == 0 { + maxConstraintComparisons = 250000 + } + comparisonCount := 0 + + if certType == intermediateCertificate || certType == rootCertificate { + if len(currentChain) == 0 { + return errors.New("x509: internal error: empty chain when appending CA cert") + } + } + + if (certType == intermediateCertificate || certType == rootCertificate) && + c.hasNameConstraints() { + toCheck := []*Certificate{} + for _, c := range currentChain { + if c.hasSANExtension() { + toCheck = append(toCheck, c) + } + } + for _, sanCert := range toCheck { + err := forEachSAN(sanCert.getSANExtension(), func(tag int, data []byte) error { + switch tag { + case nameTypeEmail: + name := string(data) + mailbox, ok := parseRFC2821Mailbox(name) + if !ok { + return fmt.Errorf("x509: cannot parse rfc822Name %q", mailbox) + } + + if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "email address", name, mailbox, + func(parsedName, constraint any) (bool, error) { + return matchEmailConstraint(parsedName.(rfc2821Mailbox), constraint.(string)) + }, c.PermittedEmailAddresses, c.ExcludedEmailAddresses); err != nil { + return err + } + + case nameTypeDNS: + name := string(data) + if _, ok := domainToReverseLabels(name); !ok { + return fmt.Errorf("x509: cannot parse dnsName %q", name) + } + + if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "DNS name", name, name, + func(parsedName, constraint any) (bool, error) { + return matchDomainConstraint(parsedName.(string), constraint.(string)) + }, c.PermittedDNSDomains, c.ExcludedDNSDomains); err != nil { + return err + } + + case nameTypeURI: + name := string(data) + uri, err := url.Parse(name) + if err != nil { + return fmt.Errorf("x509: internal error: URI SAN %q failed to parse", name) + } + + if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "URI", name, uri, + func(parsedName, constraint any) (bool, error) { + return matchURIConstraint(parsedName.(*url.URL), constraint.(string)) + }, c.PermittedURIDomains, c.ExcludedURIDomains); err != nil { + return err + } + + case nameTypeIP: + ip := net.IP(data) + if l := len(ip); l != net.IPv4len && l != net.IPv6len { + return fmt.Errorf("x509: internal error: IP SAN %x failed to parse", data) + } + + if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "IP address", ip.String(), ip, + func(parsedName, constraint any) (bool, error) { + return matchIPConstraint(parsedName.(net.IP), constraint.(*net.IPNet)) + }, c.PermittedIPRanges, c.ExcludedIPRanges); err != nil { + return err + } + + default: + // Unknown SAN types are ignored. + } + + return nil + }) + + if err != nil { + return err + } + } + } + + // KeyUsage status flags are ignored. From Engineering Security, Peter + // Gutmann: A European government CA marked its signing certificates as + // being valid for encryption only, but no-one noticed. Another + // European CA marked its signature keys as not being valid for + // signatures. A different CA marked its own trusted root certificate + // as being invalid for certificate signing. Another national CA + // distributed a certificate to be used to encrypt data for the + // country’s tax authority that was marked as only being usable for + // digital signatures but not for encryption. Yet another CA reversed + // the order of the bit flags in the keyUsage due to confusion over + // encoding endianness, essentially setting a random keyUsage in + // certificates that it issued. Another CA created a self-invalidating + // certificate by adding a certificate policy statement stipulating + // that the certificate had to be used strictly as specified in the + // keyUsage, and a keyUsage containing a flag indicating that the RSA + // encryption key could only be used for Diffie-Hellman key agreement. + + if certType == intermediateCertificate && (!c.BasicConstraintsValid || !c.IsCA) { + return CertificateInvalidError{c, NotAuthorizedToSign, ""} + } + + if c.BasicConstraintsValid && c.MaxPathLen >= 0 { + numIntermediates := len(currentChain) - 1 + if numIntermediates > c.MaxPathLen { + return CertificateInvalidError{c, TooManyIntermediates, ""} + } + } + + return nil +} + +// Verify attempts to verify c by building one or more chains from c to a +// certificate in opts.Roots, using certificates in opts.Intermediates if +// needed. If successful, it returns one or more chains where the first +// element of the chain is c and the last element is from opts.Roots. +// +// If opts.Roots is nil, the platform verifier might be used, and +// verification details might differ from what is described below. If system +// roots are unavailable the returned error will be of type SystemRootsError. +// +// Name constraints in the intermediates will be applied to all names claimed +// in the chain, not just opts.DNSName. Thus it is invalid for a leaf to claim +// example.com if an intermediate doesn't permit it, even if example.com is not +// the name being validated. Note that DirectoryName constraints are not +// supported. +// +// Name constraint validation follows the rules from RFC 5280, with the +// addition that DNS name constraints may use the leading period format +// defined for emails and URIs. When a constraint has a leading period +// it indicates that at least one additional label must be prepended to +// the constrained name to be considered valid. +// +// Extended Key Usage values are enforced nested down a chain, so an intermediate +// or root that enumerates EKUs prevents a leaf from asserting an EKU not in that +// list. (While this is not specified, it is common practice in order to limit +// the types of certificates a CA can issue.) +// +// Certificates that use SHA1WithRSA and ECDSAWithSHA1 signatures are not supported, +// and will not be used to build chains. +// +// Certificates other than c in the returned chains should not be modified. +// +// WARNING: this function doesn't do any revocation checking. +func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err error) { + // Platform-specific verification needs the ASN.1 contents so + // this makes the behavior consistent across platforms. + if len(c.Raw) == 0 { + return nil, errNotParsed + } + for i := 0; i < opts.Intermediates.len(); i++ { + c, _, err := opts.Intermediates.cert(i) + if err != nil { + return nil, fmt.Errorf("crypto/x509: error fetching intermediate: %w", err) + } + if len(c.Raw) == 0 { + return nil, errNotParsed + } + } + + // Use platform verifiers, where available, if Roots is from SystemCertPool. + if runtime.GOOS == "windows" || runtime.GOOS == "darwin" || runtime.GOOS == "ios" { + // Don't use the system verifier if the system pool was replaced with a non-system pool, + // i.e. if SetFallbackRoots was called with x509usefallbackroots=1. + systemPool := systemRootsPool() + if opts.Roots == nil && (systemPool == nil || systemPool.systemPool) { + return c.systemVerify(&opts) + } + if opts.Roots != nil && opts.Roots.systemPool { + platformChains, err := c.systemVerify(&opts) + // If the platform verifier succeeded, or there are no additional + // roots, return the platform verifier result. Otherwise, continue + // with the Go verifier. + if err == nil || opts.Roots.len() == 0 { + return platformChains, err + } + } + } + + if opts.Roots == nil { + opts.Roots = systemRootsPool() + if opts.Roots == nil { + return nil, SystemRootsError{systemRootsErr} + } + } + + err = c.isValid(leafCertificate, nil, &opts) + if err != nil { + return + } + + if len(opts.DNSName) > 0 { + err = c.VerifyHostname(opts.DNSName) + if err != nil { + return + } + } + + var candidateChains [][]*Certificate + if opts.Roots.contains(c) { + candidateChains = [][]*Certificate{{c}} + } else { + candidateChains, err = c.buildChains([]*Certificate{c}, nil, &opts) + if err != nil { + return nil, err + } + } + + if len(opts.KeyUsages) == 0 { + opts.KeyUsages = []ExtKeyUsage{ExtKeyUsageServerAuth} + } + + for _, eku := range opts.KeyUsages { + if eku == ExtKeyUsageAny { + // If any key usage is acceptable, no need to check the chain for + // key usages. + return candidateChains, nil + } + } + + chains = make([][]*Certificate, 0, len(candidateChains)) + var incompatibleKeyUsageChains, invalidPoliciesChains int + for _, candidate := range candidateChains { + if !checkChainForKeyUsage(candidate, opts.KeyUsages) { + incompatibleKeyUsageChains++ + continue + } + if !policiesValid(candidate, opts) { + invalidPoliciesChains++ + continue + } + chains = append(chains, candidate) + } + if len(chains) == 0 { + var details []string + if incompatibleKeyUsageChains > 0 { + if invalidPoliciesChains == 0 { + return nil, CertificateInvalidError{c, IncompatibleUsage, ""} + } + details = append(details, fmt.Sprintf("%d chains with incompatible key usage", incompatibleKeyUsageChains)) + } + if invalidPoliciesChains > 0 { + details = append(details, fmt.Sprintf("%d chains with invalid policies", invalidPoliciesChains)) + } + err = CertificateInvalidError{c, NoValidChains, strings.Join(details, ", ")} + return nil, err + } + + return chains, nil +} + +func appendToFreshChain(chain []*Certificate, cert *Certificate) []*Certificate { + n := make([]*Certificate, len(chain)+1) + copy(n, chain) + n[len(chain)] = cert + return n +} + +// alreadyInChain checks whether a candidate certificate is present in a chain. +// Rather than doing a direct byte for byte equivalency check, we check if the +// subject, public key, and SAN, if present, are equal. This prevents loops that +// are created by mutual cross-signatures, or other cross-signature bridge +// oddities. +func alreadyInChain(candidate *Certificate, chain []*Certificate) bool { + type pubKeyEqual interface { + Equal(crypto.PublicKey) bool + } + + var candidateSAN *pkix.Extension + for _, ext := range candidate.Extensions { + if ext.Id.Equal(oidExtensionSubjectAltName) { + candidateSAN = &ext + break + } + } + + for _, cert := range chain { + if !bytes.Equal(candidate.RawSubject, cert.RawSubject) { + continue + } + if !candidate.PublicKey.(pubKeyEqual).Equal(cert.PublicKey) { + continue + } + var certSAN *pkix.Extension + for _, ext := range cert.Extensions { + if ext.Id.Equal(oidExtensionSubjectAltName) { + certSAN = &ext + break + } + } + if candidateSAN == nil && certSAN == nil { + return true + } else if candidateSAN == nil || certSAN == nil { + return false + } + if bytes.Equal(candidateSAN.Value, certSAN.Value) { + return true + } + } + return false +} + +// maxChainSignatureChecks is the maximum number of CheckSignatureFrom calls +// that an invocation of buildChains will (transitively) make. Most chains are +// less than 15 certificates long, so this leaves space for multiple chains and +// for failed checks due to different intermediates having the same Subject. +const maxChainSignatureChecks = 100 + +func (c *Certificate) buildChains(currentChain []*Certificate, sigChecks *int, opts *VerifyOptions) (chains [][]*Certificate, err error) { + var ( + hintErr error + hintCert *Certificate + ) + + considerCandidate := func(certType int, candidate potentialParent) { + if candidate.cert.PublicKey == nil || alreadyInChain(candidate.cert, currentChain) { + return + } + + if sigChecks == nil { + sigChecks = new(int) + } + *sigChecks++ + if *sigChecks > maxChainSignatureChecks { + err = errors.New("x509: signature check attempts limit reached while verifying certificate chain") + return + } + + if err := c.CheckSignatureFrom(candidate.cert); err != nil { + if hintErr == nil { + hintErr = err + hintCert = candidate.cert + } + return + } + + err = candidate.cert.isValid(certType, currentChain, opts) + if err != nil { + if hintErr == nil { + hintErr = err + hintCert = candidate.cert + } + return + } + + if candidate.constraint != nil { + if err := candidate.constraint(currentChain); err != nil { + if hintErr == nil { + hintErr = err + hintCert = candidate.cert + } + return + } + } + + switch certType { + case rootCertificate: + chains = append(chains, appendToFreshChain(currentChain, candidate.cert)) + case intermediateCertificate: + var childChains [][]*Certificate + childChains, err = candidate.cert.buildChains(appendToFreshChain(currentChain, candidate.cert), sigChecks, opts) + chains = append(chains, childChains...) + } + } + + for _, root := range opts.Roots.findPotentialParents(c) { + considerCandidate(rootCertificate, root) + } + for _, intermediate := range opts.Intermediates.findPotentialParents(c) { + considerCandidate(intermediateCertificate, intermediate) + } + + if len(chains) > 0 { + err = nil + } + if len(chains) == 0 && err == nil { + err = UnknownAuthorityError{c, hintErr, hintCert} + } + + return +} + +func validHostnamePattern(host string) bool { return validHostname(host, true) } +func validHostnameInput(host string) bool { return validHostname(host, false) } + +// validHostname reports whether host is a valid hostname that can be matched or +// matched against according to RFC 6125 2.2, with some leniency to accommodate +// legacy values. +func validHostname(host string, isPattern bool) bool { + if !isPattern { + host = strings.TrimSuffix(host, ".") + } + if len(host) == 0 { + return false + } + if host == "*" { + // Bare wildcards are not allowed, they are not valid DNS names, + // nor are they allowed per RFC 6125. + return false + } + + for i, part := range strings.Split(host, ".") { + if part == "" { + // Empty label. + return false + } + if isPattern && i == 0 && part == "*" { + // Only allow full left-most wildcards, as those are the only ones + // we match, and matching literal '*' characters is probably never + // the expected behavior. + continue + } + for j, c := range part { + if 'a' <= c && c <= 'z' { + continue + } + if '0' <= c && c <= '9' { + continue + } + if 'A' <= c && c <= 'Z' { + continue + } + if c == '-' && j != 0 { + continue + } + if c == '_' { + // Not a valid character in hostnames, but commonly + // found in deployments outside the WebPKI. + continue + } + return false + } + } + + return true +} + +func matchExactly(hostA, hostB string) bool { + if hostA == "" || hostA == "." || hostB == "" || hostB == "." { + return false + } + return toLowerCaseASCII(hostA) == toLowerCaseASCII(hostB) +} + +func matchHostnames(pattern, host string) bool { + pattern = toLowerCaseASCII(pattern) + host = toLowerCaseASCII(strings.TrimSuffix(host, ".")) + + if len(pattern) == 0 || len(host) == 0 { + return false + } + + patternParts := strings.Split(pattern, ".") + hostParts := strings.Split(host, ".") + + if len(patternParts) != len(hostParts) { + return false + } + + for i, patternPart := range patternParts { + if i == 0 && patternPart == "*" { + continue + } + if patternPart != hostParts[i] { + return false + } + } + + return true +} + +// toLowerCaseASCII returns a lower-case version of in. See RFC 6125 6.4.1. We use +// an explicitly ASCII function to avoid any sharp corners resulting from +// performing Unicode operations on DNS labels. +func toLowerCaseASCII(in string) string { + // If the string is already lower-case then there's nothing to do. + isAlreadyLowerCase := true + for _, c := range in { + if c == utf8.RuneError { + // If we get a UTF-8 error then there might be + // upper-case ASCII bytes in the invalid sequence. + isAlreadyLowerCase = false + break + } + if 'A' <= c && c <= 'Z' { + isAlreadyLowerCase = false + break + } + } + + if isAlreadyLowerCase { + return in + } + + out := []byte(in) + for i, c := range out { + if 'A' <= c && c <= 'Z' { + out[i] += 'a' - 'A' + } + } + return string(out) +} + +// VerifyHostname returns nil if c is a valid certificate for the named host. +// Otherwise it returns an error describing the mismatch. +// +// IP addresses can be optionally enclosed in square brackets and are checked +// against the IPAddresses field. Other names are checked case insensitively +// against the DNSNames field. If the names are valid hostnames, the certificate +// fields can have a wildcard as the complete left-most label (e.g. *.example.com). +// +// Note that the legacy Common Name field is ignored. +func (c *Certificate) VerifyHostname(h string) error { + // IP addresses may be written in [ ]. + candidateIP := h + if len(h) >= 3 && h[0] == '[' && h[len(h)-1] == ']' { + candidateIP = h[1 : len(h)-1] + } + if ip := net.ParseIP(candidateIP); ip != nil { + // We only match IP addresses against IP SANs. + // See RFC 6125, Appendix B.2. + for _, candidate := range c.IPAddresses { + if ip.Equal(candidate) { + return nil + } + } + return HostnameError{c, candidateIP} + } + + candidateName := toLowerCaseASCII(h) // Save allocations inside the loop. + validCandidateName := validHostnameInput(candidateName) + + for _, match := range c.DNSNames { + // Ideally, we'd only match valid hostnames according to RFC 6125 like + // browsers (more or less) do, but in practice Go is used in a wider + // array of contexts and can't even assume DNS resolution. Instead, + // always allow perfect matches, and only apply wildcard and trailing + // dot processing to valid hostnames. + if validCandidateName && validHostnamePattern(match) { + if matchHostnames(match, candidateName) { + return nil + } + } else { + if matchExactly(match, candidateName) { + return nil + } + } + } + + return HostnameError{c, h} +} + +func checkChainForKeyUsage(chain []*Certificate, keyUsages []ExtKeyUsage) bool { + usages := make([]ExtKeyUsage, len(keyUsages)) + copy(usages, keyUsages) + + if len(chain) == 0 { + return false + } + + usagesRemaining := len(usages) + + // We walk down the list and cross out any usages that aren't supported + // by each certificate. If we cross out all the usages, then the chain + // is unacceptable. + +NextCert: + for i := len(chain) - 1; i >= 0; i-- { + cert := chain[i] + if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 { + // The certificate doesn't have any extended key usage specified. + continue + } + + for _, usage := range cert.ExtKeyUsage { + if usage == ExtKeyUsageAny { + // The certificate is explicitly good for any usage. + continue NextCert + } + } + + const invalidUsage ExtKeyUsage = -1 + + NextRequestedUsage: + for i, requestedUsage := range usages { + if requestedUsage == invalidUsage { + continue + } + + for _, usage := range cert.ExtKeyUsage { + if requestedUsage == usage { + continue NextRequestedUsage + } + } + + usages[i] = invalidUsage + usagesRemaining-- + if usagesRemaining == 0 { + return false + } + } + } + + return true +} + +func mustNewOIDFromInts(ints []uint64) OID { + oid, err := OIDFromInts(ints) + if err != nil { + panic(fmt.Sprintf("OIDFromInts(%v) unexpected error: %v", ints, err)) + } + return oid +} + +type policyGraphNode struct { + validPolicy OID + expectedPolicySet []OID + // we do not implement qualifiers, so we don't track qualifier_set + + parents map[*policyGraphNode]bool + children map[*policyGraphNode]bool +} + +func newPolicyGraphNode(valid OID, parents []*policyGraphNode) *policyGraphNode { + n := &policyGraphNode{ + validPolicy: valid, + expectedPolicySet: []OID{valid}, + children: map[*policyGraphNode]bool{}, + parents: map[*policyGraphNode]bool{}, + } + for _, p := range parents { + p.children[n] = true + n.parents[p] = true + } + return n +} + +type policyGraph struct { + strata []map[string]*policyGraphNode + // map of OID -> nodes at strata[depth-1] with OID in their expectedPolicySet + parentIndex map[string][]*policyGraphNode + depth int +} + +var anyPolicyOID = mustNewOIDFromInts([]uint64{2, 5, 29, 32, 0}) + +func newPolicyGraph() *policyGraph { + root := policyGraphNode{ + validPolicy: anyPolicyOID, + expectedPolicySet: []OID{anyPolicyOID}, + children: map[*policyGraphNode]bool{}, + parents: map[*policyGraphNode]bool{}, + } + return &policyGraph{ + depth: 0, + strata: []map[string]*policyGraphNode{{string(anyPolicyOID.der): &root}}, + } +} + +func (pg *policyGraph) insert(n *policyGraphNode) { + pg.strata[pg.depth][string(n.validPolicy.der)] = n +} + +func (pg *policyGraph) parentsWithExpected(expected OID) []*policyGraphNode { + if pg.depth == 0 { + return nil + } + return pg.parentIndex[string(expected.der)] +} + +func (pg *policyGraph) parentWithAnyPolicy() *policyGraphNode { + if pg.depth == 0 { + return nil + } + return pg.strata[pg.depth-1][string(anyPolicyOID.der)] +} + +func (pg *policyGraph) parents() iter.Seq[*policyGraphNode] { + if pg.depth == 0 { + return nil + } + return maps.Values(pg.strata[pg.depth-1]) +} + +func (pg *policyGraph) leaves() map[string]*policyGraphNode { + return pg.strata[pg.depth] +} + +func (pg *policyGraph) leafWithPolicy(policy OID) *policyGraphNode { + return pg.strata[pg.depth][string(policy.der)] +} + +func (pg *policyGraph) deleteLeaf(policy OID) { + n := pg.strata[pg.depth][string(policy.der)] + if n == nil { + return + } + for p := range n.parents { + delete(p.children, n) + } + for c := range n.children { + delete(c.parents, n) + } + delete(pg.strata[pg.depth], string(policy.der)) +} + +func (pg *policyGraph) validPolicyNodes() []*policyGraphNode { + var validNodes []*policyGraphNode + for i := pg.depth; i >= 0; i-- { + for _, n := range pg.strata[i] { + if n.validPolicy.Equal(anyPolicyOID) { + continue + } + + if len(n.parents) == 1 { + for p := range n.parents { + if p.validPolicy.Equal(anyPolicyOID) { + validNodes = append(validNodes, n) + } + } + } + } + } + return validNodes +} + +func (pg *policyGraph) prune() { + for i := pg.depth - 1; i > 0; i-- { + for _, n := range pg.strata[i] { + if len(n.children) == 0 { + for p := range n.parents { + delete(p.children, n) + } + delete(pg.strata[i], string(n.validPolicy.der)) + } + } + } +} + +func (pg *policyGraph) incrDepth() { + pg.parentIndex = map[string][]*policyGraphNode{} + for _, n := range pg.strata[pg.depth] { + for _, e := range n.expectedPolicySet { + pg.parentIndex[string(e.der)] = append(pg.parentIndex[string(e.der)], n) + } + } + + pg.depth++ + pg.strata = append(pg.strata, map[string]*policyGraphNode{}) +} + +func policiesValid(chain []*Certificate, opts VerifyOptions) bool { + // The following code implements the policy verification algorithm as + // specified in RFC 5280 and updated by RFC 9618. In particular the + // following sections are replaced by RFC 9618: + // * 6.1.2 (a) + // * 6.1.3 (d) + // * 6.1.3 (e) + // * 6.1.3 (f) + // * 6.1.4 (b) + // * 6.1.5 (g) + + if len(chain) == 1 { + return true + } + + // n is the length of the chain minus the trust anchor + n := len(chain) - 1 + + pg := newPolicyGraph() + var inhibitAnyPolicy, explicitPolicy, policyMapping int + if !opts.inhibitAnyPolicy { + inhibitAnyPolicy = n + 1 + } + if !opts.requireExplicitPolicy { + explicitPolicy = n + 1 + } + if !opts.inhibitPolicyMapping { + policyMapping = n + 1 + } + + initialUserPolicySet := map[string]bool{} + for _, p := range opts.CertificatePolicies { + initialUserPolicySet[string(p.der)] = true + } + // If the user does not pass any policies, we consider + // that equivalent to passing anyPolicyOID. + if len(initialUserPolicySet) == 0 { + initialUserPolicySet[string(anyPolicyOID.der)] = true + } + + for i := n - 1; i >= 0; i-- { + cert := chain[i] + + isSelfSigned := bytes.Equal(cert.RawIssuer, cert.RawSubject) + + // 6.1.3 (e) -- as updated by RFC 9618 + if len(cert.Policies) == 0 { + pg = nil + } + + // 6.1.3 (f) -- as updated by RFC 9618 + if explicitPolicy == 0 && pg == nil { + return false + } + + if pg != nil { + pg.incrDepth() + + policies := map[string]bool{} + + // 6.1.3 (d) (1) -- as updated by RFC 9618 + for _, policy := range cert.Policies { + policies[string(policy.der)] = true + + if policy.Equal(anyPolicyOID) { + continue + } + + // 6.1.3 (d) (1) (i) -- as updated by RFC 9618 + parents := pg.parentsWithExpected(policy) + if len(parents) == 0 { + // 6.1.3 (d) (1) (ii) -- as updated by RFC 9618 + if anyParent := pg.parentWithAnyPolicy(); anyParent != nil { + parents = []*policyGraphNode{anyParent} + } + } + if len(parents) > 0 { + pg.insert(newPolicyGraphNode(policy, parents)) + } + } + + // 6.1.3 (d) (2) -- as updated by RFC 9618 + // NOTE: in the check "n-i < n" our i is different from the i in the specification. + // In the specification chains go from the trust anchor to the leaf, whereas our + // chains go from the leaf to the trust anchor, so our i's our inverted. Our + // check here matches the check "i < n" in the specification. + if policies[string(anyPolicyOID.der)] && (inhibitAnyPolicy > 0 || (n-i < n && isSelfSigned)) { + missing := map[string][]*policyGraphNode{} + leaves := pg.leaves() + for p := range pg.parents() { + for _, expected := range p.expectedPolicySet { + if leaves[string(expected.der)] == nil { + missing[string(expected.der)] = append(missing[string(expected.der)], p) + } + } + } + + for oidStr, parents := range missing { + pg.insert(newPolicyGraphNode(OID{der: []byte(oidStr)}, parents)) + } + } + + // 6.1.3 (d) (3) -- as updated by RFC 9618 + pg.prune() + + if i != 0 { + // 6.1.4 (b) -- as updated by RFC 9618 + if len(cert.PolicyMappings) > 0 { + // collect map of issuer -> []subject + mappings := map[string][]OID{} + + for _, mapping := range cert.PolicyMappings { + if policyMapping > 0 { + if mapping.IssuerDomainPolicy.Equal(anyPolicyOID) || mapping.SubjectDomainPolicy.Equal(anyPolicyOID) { + // Invalid mapping + return false + } + mappings[string(mapping.IssuerDomainPolicy.der)] = append(mappings[string(mapping.IssuerDomainPolicy.der)], mapping.SubjectDomainPolicy) + } else { + // 6.1.4 (b) (3) (i) -- as updated by RFC 9618 + pg.deleteLeaf(mapping.IssuerDomainPolicy) + + // 6.1.4 (b) (3) (ii) -- as updated by RFC 9618 + pg.prune() + } + } + + for issuerStr, subjectPolicies := range mappings { + // 6.1.4 (b) (1) -- as updated by RFC 9618 + if matching := pg.leafWithPolicy(OID{der: []byte(issuerStr)}); matching != nil { + matching.expectedPolicySet = subjectPolicies + } else if matching := pg.leafWithPolicy(anyPolicyOID); matching != nil { + // 6.1.4 (b) (2) -- as updated by RFC 9618 + n := newPolicyGraphNode(OID{der: []byte(issuerStr)}, []*policyGraphNode{matching}) + n.expectedPolicySet = subjectPolicies + pg.insert(n) + } + } + } + } + } + + if i != 0 { + // 6.1.4 (h) + if !isSelfSigned { + if explicitPolicy > 0 { + explicitPolicy-- + } + if policyMapping > 0 { + policyMapping-- + } + if inhibitAnyPolicy > 0 { + inhibitAnyPolicy-- + } + } + + // 6.1.4 (i) + if (cert.RequireExplicitPolicy > 0 || cert.RequireExplicitPolicyZero) && cert.RequireExplicitPolicy < explicitPolicy { + explicitPolicy = cert.RequireExplicitPolicy + } + if (cert.InhibitPolicyMapping > 0 || cert.InhibitPolicyMappingZero) && cert.InhibitPolicyMapping < policyMapping { + policyMapping = cert.InhibitPolicyMapping + } + // 6.1.4 (j) + if (cert.InhibitAnyPolicy > 0 || cert.InhibitAnyPolicyZero) && cert.InhibitAnyPolicy < inhibitAnyPolicy { + inhibitAnyPolicy = cert.InhibitAnyPolicy + } + } + } + + // 6.1.5 (a) + if explicitPolicy > 0 { + explicitPolicy-- + } + + // 6.1.5 (b) + if chain[0].RequireExplicitPolicyZero { + explicitPolicy = 0 + } + + // 6.1.5 (g) (1) -- as updated by RFC 9618 + var validPolicyNodeSet []*policyGraphNode + // 6.1.5 (g) (2) -- as updated by RFC 9618 + if pg != nil { + validPolicyNodeSet = pg.validPolicyNodes() + // 6.1.5 (g) (3) -- as updated by RFC 9618 + if currentAny := pg.leafWithPolicy(anyPolicyOID); currentAny != nil { + validPolicyNodeSet = append(validPolicyNodeSet, currentAny) + } + } + + // 6.1.5 (g) (4) -- as updated by RFC 9618 + authorityConstrainedPolicySet := map[string]bool{} + for _, n := range validPolicyNodeSet { + authorityConstrainedPolicySet[string(n.validPolicy.der)] = true + } + // 6.1.5 (g) (5) -- as updated by RFC 9618 + userConstrainedPolicySet := maps.Clone(authorityConstrainedPolicySet) + // 6.1.5 (g) (6) -- as updated by RFC 9618 + if len(initialUserPolicySet) != 1 || !initialUserPolicySet[string(anyPolicyOID.der)] { + // 6.1.5 (g) (6) (i) -- as updated by RFC 9618 + for p := range userConstrainedPolicySet { + if !initialUserPolicySet[p] { + delete(userConstrainedPolicySet, p) + } + } + // 6.1.5 (g) (6) (ii) -- as updated by RFC 9618 + if authorityConstrainedPolicySet[string(anyPolicyOID.der)] { + for policy := range initialUserPolicySet { + userConstrainedPolicySet[policy] = true + } + } + } + + if explicitPolicy == 0 && len(userConstrainedPolicySet) == 0 { + return false + } + + return true +} From 4957875177eb38fcd0dc35b13a946feb8ac7cd1d Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Tue, 25 Feb 2025 12:39:02 +0000 Subject: [PATCH 02/23] migrate packages --- internal/x509util/verify.go | 87 +++++++++++++++++++------------------ 1 file changed, 44 insertions(+), 43 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index d2384f56..e6345412 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -2,11 +2,12 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. -package x509 +package x509util import ( "bytes" "crypto" + "crypto/x509" "crypto/x509/pkix" "errors" "fmt" @@ -65,7 +66,7 @@ const ( // CertificateInvalidError results when an odd error occurs. Users of this // library probably want to handle all these errors uniformly. type CertificateInvalidError struct { - Cert *Certificate + Cert *x509.Certificate Reason InvalidReason Detail string } @@ -103,7 +104,7 @@ func (e CertificateInvalidError) Error() string { // HostnameError results when the set of authorized names doesn't match the // requested name. type HostnameError struct { - Certificate *Certificate + Certificate *x509.Certificate Host string } @@ -138,13 +139,13 @@ func (h HostnameError) Error() string { // UnknownAuthorityError results when the certificate issuer is unknown type UnknownAuthorityError struct { - Cert *Certificate + Cert *x509.Certificate // hintErr contains an error that may be helpful in determining why an // authority wasn't found. hintErr error // hintCert contains a possible authority certificate that was rejected // because of the error in hintErr. - hintCert *Certificate + hintCert *x509.Certificate } func (e UnknownAuthorityError) Error() string { @@ -191,10 +192,10 @@ type VerifyOptions struct { // Intermediates is an optional pool of certificates that are not trust // anchors, but can be used to form a chain from the leaf certificate to a // root certificate. - Intermediates *CertPool + Intermediates *x509.CertPool // Roots is the set of trusted root certificates the leaf certificate needs // to chain up to. If nil, the system roots or the platform verifier are used. - Roots *CertPool + Roots *x509.CertPool // CurrentTime is used to check the validity of all certificates in the // chain. If zero, the current time is used. @@ -203,7 +204,7 @@ type VerifyOptions struct { // KeyUsages specifies which Extended Key Usage values are acceptable. A // chain is accepted if it allows any of the listed values. An empty list // means ExtKeyUsageServerAuth. To accept any key usage, include ExtKeyUsageAny. - KeyUsages []ExtKeyUsage + KeyUsages []x509.ExtKeyUsage // MaxConstraintComparisions is the maximum number of comparisons to // perform when checking a given certificate's name constraints. If @@ -215,7 +216,7 @@ type VerifyOptions struct { // CertificatePolicies specifies which certificate policy OIDs are // acceptable during policy validation. An empty CertificatePolices // field implies any valid policy is acceptable. - CertificatePolicies []OID + CertificatePolicies []x509.OID // The following policy fields are unexported, because we do not expect // users to actually need to use them, but are useful for testing the @@ -591,9 +592,9 @@ func (c *Certificate) checkNameConstraints(count *int, // isValid performs validity checks on c given that it is a candidate to append // to the chain in currentChain. -func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *VerifyOptions) error { +func (c *Certificate) isValid(certType int, currentChain []*x509.Certificate, opts *VerifyOptions) error { if len(c.UnhandledCriticalExtensions) > 0 { - return UnhandledCriticalExtension{} + return x509.UnhandledCriticalExtension{} } if len(currentChain) > 0 { @@ -635,7 +636,7 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V if (certType == intermediateCertificate || certType == rootCertificate) && c.hasNameConstraints() { - toCheck := []*Certificate{} + toCheck := []*x509.Certificate{} for _, c := range currentChain { if c.hasSANExtension() { toCheck = append(toCheck, c) @@ -774,7 +775,7 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V // Certificates other than c in the returned chains should not be modified. // // WARNING: this function doesn't do any revocation checking. -func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err error) { +func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*x509.Certificate, err error) { // Platform-specific verification needs the ASN.1 contents so // this makes the behavior consistent across platforms. if len(c.Raw) == 0 { @@ -828,29 +829,29 @@ func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err e } } - var candidateChains [][]*Certificate + var candidateChains [][]*x509.Certificate if opts.Roots.contains(c) { - candidateChains = [][]*Certificate{{c}} + candidateChains = [][]*x509.Certificate{{c}} } else { - candidateChains, err = c.buildChains([]*Certificate{c}, nil, &opts) + candidateChains, err = c.buildChains([]*x509.Certificate{c}, nil, &opts) if err != nil { return nil, err } } if len(opts.KeyUsages) == 0 { - opts.KeyUsages = []ExtKeyUsage{ExtKeyUsageServerAuth} + opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth} } for _, eku := range opts.KeyUsages { - if eku == ExtKeyUsageAny { + if eku == x509.ExtKeyUsageAny { // If any key usage is acceptable, no need to check the chain for // key usages. return candidateChains, nil } } - chains = make([][]*Certificate, 0, len(candidateChains)) + chains = make([][]*x509.Certificate, 0, len(candidateChains)) var incompatibleKeyUsageChains, invalidPoliciesChains int for _, candidate := range candidateChains { if !checkChainForKeyUsage(candidate, opts.KeyUsages) { @@ -881,8 +882,8 @@ func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err e return chains, nil } -func appendToFreshChain(chain []*Certificate, cert *Certificate) []*Certificate { - n := make([]*Certificate, len(chain)+1) +func appendToFreshChain(chain []*x509.Certificate, cert *x509.Certificate) []*x509.Certificate { + n := make([]*x509.Certificate, len(chain)+1) copy(n, chain) n[len(chain)] = cert return n @@ -893,7 +894,7 @@ func appendToFreshChain(chain []*Certificate, cert *Certificate) []*Certificate // subject, public key, and SAN, if present, are equal. This prevents loops that // are created by mutual cross-signatures, or other cross-signature bridge // oddities. -func alreadyInChain(candidate *Certificate, chain []*Certificate) bool { +func alreadyInChain(candidate *x509.Certificate, chain []*x509.Certificate) bool { type pubKeyEqual interface { Equal(crypto.PublicKey) bool } @@ -938,10 +939,10 @@ func alreadyInChain(candidate *Certificate, chain []*Certificate) bool { // for failed checks due to different intermediates having the same Subject. const maxChainSignatureChecks = 100 -func (c *Certificate) buildChains(currentChain []*Certificate, sigChecks *int, opts *VerifyOptions) (chains [][]*Certificate, err error) { +func (c *Certificate) buildChains(currentChain []*x509.Certificate, sigChecks *int, opts *VerifyOptions) (chains [][]*x509.Certificate, err error) { var ( hintErr error - hintCert *Certificate + hintCert *x509.Certificate ) considerCandidate := func(certType int, candidate potentialParent) { @@ -989,7 +990,7 @@ func (c *Certificate) buildChains(currentChain []*Certificate, sigChecks *int, o case rootCertificate: chains = append(chains, appendToFreshChain(currentChain, candidate.cert)) case intermediateCertificate: - var childChains [][]*Certificate + var childChains [][]*x509.Certificate childChains, err = candidate.cert.buildChains(appendToFreshChain(currentChain, candidate.cert), sigChecks, opts) chains = append(chains, childChains...) } @@ -1182,8 +1183,8 @@ func (c *Certificate) VerifyHostname(h string) error { return HostnameError{c, h} } -func checkChainForKeyUsage(chain []*Certificate, keyUsages []ExtKeyUsage) bool { - usages := make([]ExtKeyUsage, len(keyUsages)) +func checkChainForKeyUsage(chain []*x509.Certificate, keyUsages []x509.ExtKeyUsage) bool { + usages := make([]x509.ExtKeyUsage, len(keyUsages)) copy(usages, keyUsages) if len(chain) == 0 { @@ -1205,13 +1206,13 @@ NextCert: } for _, usage := range cert.ExtKeyUsage { - if usage == ExtKeyUsageAny { + if usage == x509.ExtKeyUsageAny { // The certificate is explicitly good for any usage. continue NextCert } } - const invalidUsage ExtKeyUsage = -1 + const invalidUsage x509.ExtKeyUsage = -1 NextRequestedUsage: for i, requestedUsage := range usages { @@ -1236,8 +1237,8 @@ NextCert: return true } -func mustNewOIDFromInts(ints []uint64) OID { - oid, err := OIDFromInts(ints) +func mustNewOIDFromInts(ints []uint64) x509.OID { + oid, err := x509.OIDFromInts(ints) if err != nil { panic(fmt.Sprintf("OIDFromInts(%v) unexpected error: %v", ints, err)) } @@ -1245,18 +1246,18 @@ func mustNewOIDFromInts(ints []uint64) OID { } type policyGraphNode struct { - validPolicy OID - expectedPolicySet []OID + validPolicy x509.OID + expectedPolicySet []x509.OID // we do not implement qualifiers, so we don't track qualifier_set parents map[*policyGraphNode]bool children map[*policyGraphNode]bool } -func newPolicyGraphNode(valid OID, parents []*policyGraphNode) *policyGraphNode { +func newPolicyGraphNode(valid x509.OID, parents []*policyGraphNode) *policyGraphNode { n := &policyGraphNode{ validPolicy: valid, - expectedPolicySet: []OID{valid}, + expectedPolicySet: []x509.OID{valid}, children: map[*policyGraphNode]bool{}, parents: map[*policyGraphNode]bool{}, } @@ -1279,7 +1280,7 @@ var anyPolicyOID = mustNewOIDFromInts([]uint64{2, 5, 29, 32, 0}) func newPolicyGraph() *policyGraph { root := policyGraphNode{ validPolicy: anyPolicyOID, - expectedPolicySet: []OID{anyPolicyOID}, + expectedPolicySet: []x509.OID{anyPolicyOID}, children: map[*policyGraphNode]bool{}, parents: map[*policyGraphNode]bool{}, } @@ -1318,11 +1319,11 @@ func (pg *policyGraph) leaves() map[string]*policyGraphNode { return pg.strata[pg.depth] } -func (pg *policyGraph) leafWithPolicy(policy OID) *policyGraphNode { +func (pg *policyGraph) leafWithPolicy(policy x509.OID) *policyGraphNode { return pg.strata[pg.depth][string(policy.der)] } -func (pg *policyGraph) deleteLeaf(policy OID) { +func (pg *policyGraph) deleteLeaf(policy x509.OID) { n := pg.strata[pg.depth][string(policy.der)] if n == nil { return @@ -1381,7 +1382,7 @@ func (pg *policyGraph) incrDepth() { pg.strata = append(pg.strata, map[string]*policyGraphNode{}) } -func policiesValid(chain []*Certificate, opts VerifyOptions) bool { +func policiesValid(chain []*x509.Certificate, opts VerifyOptions) bool { // The following code implements the policy verification algorithm as // specified in RFC 5280 and updated by RFC 9618. In particular the // following sections are replaced by RFC 9618: @@ -1479,7 +1480,7 @@ func policiesValid(chain []*Certificate, opts VerifyOptions) bool { } for oidStr, parents := range missing { - pg.insert(newPolicyGraphNode(OID{der: []byte(oidStr)}, parents)) + pg.insert(newPolicyGraphNode(x509.OID{der: []byte(oidStr)}, parents)) } } @@ -1490,7 +1491,7 @@ func policiesValid(chain []*Certificate, opts VerifyOptions) bool { // 6.1.4 (b) -- as updated by RFC 9618 if len(cert.PolicyMappings) > 0 { // collect map of issuer -> []subject - mappings := map[string][]OID{} + mappings := map[string][]x509.OID{} for _, mapping := range cert.PolicyMappings { if policyMapping > 0 { @@ -1510,11 +1511,11 @@ func policiesValid(chain []*Certificate, opts VerifyOptions) bool { for issuerStr, subjectPolicies := range mappings { // 6.1.4 (b) (1) -- as updated by RFC 9618 - if matching := pg.leafWithPolicy(OID{der: []byte(issuerStr)}); matching != nil { + if matching := pg.leafWithPolicy(x509.OID{der: []byte(issuerStr)}); matching != nil { matching.expectedPolicySet = subjectPolicies } else if matching := pg.leafWithPolicy(anyPolicyOID); matching != nil { // 6.1.4 (b) (2) -- as updated by RFC 9618 - n := newPolicyGraphNode(OID{der: []byte(issuerStr)}, []*policyGraphNode{matching}) + n := newPolicyGraphNode(x509.OID{der: []byte(issuerStr)}, []*policyGraphNode{matching}) n.expectedPolicySet = subjectPolicies pg.insert(n) } From 5f4d8b62a60971b27ca6deaad5b20b4ca538a32f Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 10:19:43 +0000 Subject: [PATCH 03/23] c.checkNameConstraints --> checkNameConstraints(c) --- internal/x509util/verify.go | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index e6345412..b509266f 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -535,7 +535,8 @@ func matchDomainConstraint(domain, constraint string) (bool, error) { // form of name, suitable for passing to the match function. The total number // of comparisons is tracked in the given count and should not exceed the given // limit. -func (c *Certificate) checkNameConstraints(count *int, +func checkNameConstraints(c *x509.Certificate, + count *int, maxConstraintComparisons int, nameType string, name string, @@ -652,7 +653,7 @@ func (c *Certificate) isValid(certType int, currentChain []*x509.Certificate, op return fmt.Errorf("x509: cannot parse rfc822Name %q", mailbox) } - if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "email address", name, mailbox, + if err := checkNameConstraints(c, &comparisonCount, maxConstraintComparisons, "email address", name, mailbox, func(parsedName, constraint any) (bool, error) { return matchEmailConstraint(parsedName.(rfc2821Mailbox), constraint.(string)) }, c.PermittedEmailAddresses, c.ExcludedEmailAddresses); err != nil { @@ -665,7 +666,7 @@ func (c *Certificate) isValid(certType int, currentChain []*x509.Certificate, op return fmt.Errorf("x509: cannot parse dnsName %q", name) } - if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "DNS name", name, name, + if err := checkNameConstraints(c, &comparisonCount, maxConstraintComparisons, "DNS name", name, name, func(parsedName, constraint any) (bool, error) { return matchDomainConstraint(parsedName.(string), constraint.(string)) }, c.PermittedDNSDomains, c.ExcludedDNSDomains); err != nil { @@ -679,7 +680,7 @@ func (c *Certificate) isValid(certType int, currentChain []*x509.Certificate, op return fmt.Errorf("x509: internal error: URI SAN %q failed to parse", name) } - if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "URI", name, uri, + if err := checkNameConstraints(c, &comparisonCount, maxConstraintComparisons, "URI", name, uri, func(parsedName, constraint any) (bool, error) { return matchURIConstraint(parsedName.(*url.URL), constraint.(string)) }, c.PermittedURIDomains, c.ExcludedURIDomains); err != nil { @@ -692,7 +693,7 @@ func (c *Certificate) isValid(certType int, currentChain []*x509.Certificate, op return fmt.Errorf("x509: internal error: IP SAN %x failed to parse", data) } - if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "IP address", ip.String(), ip, + if err := checkNameConstraints(c, &comparisonCount, maxConstraintComparisons, "IP address", ip.String(), ip, func(parsedName, constraint any) (bool, error) { return matchIPConstraint(parsedName.(net.IP), constraint.(*net.IPNet)) }, c.PermittedIPRanges, c.ExcludedIPRanges); err != nil { From 8b99bfd44f8500a0ae398e0bba9306440caa0515 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 10:21:00 +0000 Subject: [PATCH 04/23] c.isValid --> isValid(c) --- internal/x509util/verify.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index b509266f..0fe9697f 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -593,7 +593,7 @@ func checkNameConstraints(c *x509.Certificate, // isValid performs validity checks on c given that it is a candidate to append // to the chain in currentChain. -func (c *Certificate) isValid(certType int, currentChain []*x509.Certificate, opts *VerifyOptions) error { +func isValid(c *x509.Certificate, certType int, currentChain []*x509.Certificate, opts *VerifyOptions) error { if len(c.UnhandledCriticalExtensions) > 0 { return x509.UnhandledCriticalExtension{} } @@ -818,7 +818,7 @@ func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*x509.Certificate, } } - err = c.isValid(leafCertificate, nil, &opts) + err = isValid(c, leafCertificate, nil, &opts) if err != nil { return } @@ -968,7 +968,7 @@ func (c *Certificate) buildChains(currentChain []*x509.Certificate, sigChecks *i return } - err = candidate.cert.isValid(certType, currentChain, opts) + err = isValid(candidate.cert, certType, currentChain, opts) if err != nil { if hintErr == nil { hintErr = err From 9d503e1a337c92073e9f74773c77bb07ad3622c4 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 10:21:52 +0000 Subject: [PATCH 05/23] c.Verify --> Verify(c) --- internal/x509util/verify.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index 0fe9697f..7f23315a 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -776,7 +776,7 @@ func isValid(c *x509.Certificate, certType int, currentChain []*x509.Certificate // Certificates other than c in the returned chains should not be modified. // // WARNING: this function doesn't do any revocation checking. -func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*x509.Certificate, err error) { +func Verify(c *x509.Certificate, opts VerifyOptions) (chains [][]*x509.Certificate, err error) { // Platform-specific verification needs the ASN.1 contents so // this makes the behavior consistent across platforms. if len(c.Raw) == 0 { From 16cd394dd2cff519471c100061ba5f3f6293a671 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 10:23:19 +0000 Subject: [PATCH 06/23] c.buildChains --> buildChains(c) --- internal/x509util/verify.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index 7f23315a..f4165a07 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -834,7 +834,7 @@ func Verify(c *x509.Certificate, opts VerifyOptions) (chains [][]*x509.Certifica if opts.Roots.contains(c) { candidateChains = [][]*x509.Certificate{{c}} } else { - candidateChains, err = c.buildChains([]*x509.Certificate{c}, nil, &opts) + candidateChains, err = buildChains(c, []*x509.Certificate{c}, nil, &opts) if err != nil { return nil, err } @@ -940,7 +940,7 @@ func alreadyInChain(candidate *x509.Certificate, chain []*x509.Certificate) bool // for failed checks due to different intermediates having the same Subject. const maxChainSignatureChecks = 100 -func (c *Certificate) buildChains(currentChain []*x509.Certificate, sigChecks *int, opts *VerifyOptions) (chains [][]*x509.Certificate, err error) { +func buildChains(c *x509.Certificate, currentChain []*x509.Certificate, sigChecks *int, opts *VerifyOptions) (chains [][]*x509.Certificate, err error) { var ( hintErr error hintCert *x509.Certificate @@ -992,7 +992,7 @@ func (c *Certificate) buildChains(currentChain []*x509.Certificate, sigChecks *i chains = append(chains, appendToFreshChain(currentChain, candidate.cert)) case intermediateCertificate: var childChains [][]*x509.Certificate - childChains, err = candidate.cert.buildChains(appendToFreshChain(currentChain, candidate.cert), sigChecks, opts) + childChains, err = buildChains(candidate.cert, appendToFreshChain(currentChain, candidate.cert), sigChecks, opts) chains = append(chains, childChains...) } } From 676da7e7faed91c2b6a980dbb14368439ac2c7a7 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 10:27:55 +0000 Subject: [PATCH 07/23] c.VerifyHostName --> VerifyHostName(c) --- internal/x509util/verify.go | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index f4165a07..86daf462 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -824,7 +824,7 @@ func Verify(c *x509.Certificate, opts VerifyOptions) (chains [][]*x509.Certifica } if len(opts.DNSName) > 0 { - err = c.VerifyHostname(opts.DNSName) + err = VerifyHostname(c, opts.DNSName) if err != nil { return } @@ -1144,7 +1144,9 @@ func toLowerCaseASCII(in string) string { // fields can have a wildcard as the complete left-most label (e.g. *.example.com). // // Note that the legacy Common Name field is ignored. -func (c *Certificate) VerifyHostname(h string) error { +// TODO(phboneff): can we simply use the exported x509 one? Otherwise make this +// one private. +func VerifyHostname(c *x509.Certificate, h string) error { // IP addresses may be written in [ ]. candidateIP := h if len(h) >= 3 && h[0] == '[' && h[len(h)-1] == ']' { From 7f0c6e44bc43378ca45ab6306278b1d585f3c463 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 10:52:14 +0000 Subject: [PATCH 08/23] delete UnhandledCriticalExtensions --- internal/x509util/verify.go | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index 86daf462..5ec52052 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -594,10 +594,12 @@ func checkNameConstraints(c *x509.Certificate, // isValid performs validity checks on c given that it is a candidate to append // to the chain in currentChain. func isValid(c *x509.Certificate, certType int, currentChain []*x509.Certificate, opts *VerifyOptions) error { - if len(c.UnhandledCriticalExtensions) > 0 { - return x509.UnhandledCriticalExtension{} - } - + // UnhandledCriticalExtension check deleted. + // Precertificates have the poison extension which the Go library code does + // not recognize; also the Go library code does not support the standard + // PolicyConstraints extension (which is required to be marked critical, RFC + // 5280 s4.2.1.11) + // TODO(phboneff): re-evaluate whether PolicyConstraints is still an issue. if len(currentChain) > 0 { child := currentChain[len(currentChain)-1] if !bytes.Equal(child.RawIssuer, c.RawSubject) { From 270cad8a796b221e2957ec5db73d72228d0c2794 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 10:53:52 +0000 Subject: [PATCH 09/23] add TODO --- internal/x509util/verify.go | 1 + 1 file changed, 1 insertion(+) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index 5ec52052..6c189e6e 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -65,6 +65,7 @@ const ( // CertificateInvalidError results when an odd error occurs. Users of this // library probably want to handle all these errors uniformly. +// TODO(phboneff): consider using the x509 one. type CertificateInvalidError struct { Cert *x509.Certificate Reason InvalidReason From 88f299514d1498a02a9e6b1a161f8e07225f662b Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 10:55:47 +0000 Subject: [PATCH 10/23] delete TooManyIntermediates --- internal/x509util/verify.go | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index 6c189e6e..9e664e8f 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -737,12 +737,9 @@ func isValid(c *x509.Certificate, certType int, currentChain []*x509.Certificate return CertificateInvalidError{c, NotAuthorizedToSign, ""} } - if c.BasicConstraintsValid && c.MaxPathLen >= 0 { - numIntermediates := len(currentChain) - 1 - if numIntermediates > c.MaxPathLen { - return CertificateInvalidError{c, TooManyIntermediates, ""} - } - } + // TooManyIntermediates check deleted. + // Path length checks get confused by the presence of an additional + // pre-issuer intermediate. return nil } From 8f35b0d9c2c684f627b032c91478ced0f6487a07 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 11:02:28 +0000 Subject: [PATCH 11/23] delete CANotAuthorizedForThisName --- internal/x509util/verify.go | 150 ++---------------------------------- 1 file changed, 5 insertions(+), 145 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index 9e664e8f..ec370f00 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -15,7 +15,6 @@ import ( "maps" "net" "net/url" - "reflect" "runtime" "strings" "time" @@ -531,67 +530,6 @@ func matchDomainConstraint(domain, constraint string) (bool, error) { return true, nil } -// checkNameConstraints checks that c permits a child certificate to claim the -// given name, of type nameType. The argument parsedName contains the parsed -// form of name, suitable for passing to the match function. The total number -// of comparisons is tracked in the given count and should not exceed the given -// limit. -func checkNameConstraints(c *x509.Certificate, - count *int, - maxConstraintComparisons int, - nameType string, - name string, - parsedName any, - match func(parsedName, constraint any) (match bool, err error), - permitted, excluded any) error { - - excludedValue := reflect.ValueOf(excluded) - - *count += excludedValue.Len() - if *count > maxConstraintComparisons { - return CertificateInvalidError{c, TooManyConstraints, ""} - } - - for i := 0; i < excludedValue.Len(); i++ { - constraint := excludedValue.Index(i).Interface() - match, err := match(parsedName, constraint) - if err != nil { - return CertificateInvalidError{c, CANotAuthorizedForThisName, err.Error()} - } - - if match { - return CertificateInvalidError{c, CANotAuthorizedForThisName, fmt.Sprintf("%s %q is excluded by constraint %q", nameType, name, constraint)} - } - } - - permittedValue := reflect.ValueOf(permitted) - - *count += permittedValue.Len() - if *count > maxConstraintComparisons { - return CertificateInvalidError{c, TooManyConstraints, ""} - } - - ok := true - for i := 0; i < permittedValue.Len(); i++ { - constraint := permittedValue.Index(i).Interface() - - var err error - if ok, err = match(parsedName, constraint); err != nil { - return CertificateInvalidError{c, CANotAuthorizedForThisName, err.Error()} - } - - if ok { - break - } - } - - if !ok { - return CertificateInvalidError{c, CANotAuthorizedForThisName, fmt.Sprintf("%s %q is not permitted by any constraint", nameType, name)} - } - - return nil -} - // isValid performs validity checks on c given that it is a candidate to append // to the chain in currentChain. func isValid(c *x509.Certificate, certType int, currentChain []*x509.Certificate, opts *VerifyOptions) error { @@ -626,95 +564,17 @@ func isValid(c *x509.Certificate, certType int, currentChain []*x509.Certificate } } - maxConstraintComparisons := opts.MaxConstraintComparisions - if maxConstraintComparisons == 0 { - maxConstraintComparisons = 250000 - } - comparisonCount := 0 - if certType == intermediateCertificate || certType == rootCertificate { if len(currentChain) == 0 { return errors.New("x509: internal error: empty chain when appending CA cert") } } - if (certType == intermediateCertificate || certType == rootCertificate) && - c.hasNameConstraints() { - toCheck := []*x509.Certificate{} - for _, c := range currentChain { - if c.hasSANExtension() { - toCheck = append(toCheck, c) - } - } - for _, sanCert := range toCheck { - err := forEachSAN(sanCert.getSANExtension(), func(tag int, data []byte) error { - switch tag { - case nameTypeEmail: - name := string(data) - mailbox, ok := parseRFC2821Mailbox(name) - if !ok { - return fmt.Errorf("x509: cannot parse rfc822Name %q", mailbox) - } - - if err := checkNameConstraints(c, &comparisonCount, maxConstraintComparisons, "email address", name, mailbox, - func(parsedName, constraint any) (bool, error) { - return matchEmailConstraint(parsedName.(rfc2821Mailbox), constraint.(string)) - }, c.PermittedEmailAddresses, c.ExcludedEmailAddresses); err != nil { - return err - } - - case nameTypeDNS: - name := string(data) - if _, ok := domainToReverseLabels(name); !ok { - return fmt.Errorf("x509: cannot parse dnsName %q", name) - } - - if err := checkNameConstraints(c, &comparisonCount, maxConstraintComparisons, "DNS name", name, name, - func(parsedName, constraint any) (bool, error) { - return matchDomainConstraint(parsedName.(string), constraint.(string)) - }, c.PermittedDNSDomains, c.ExcludedDNSDomains); err != nil { - return err - } - - case nameTypeURI: - name := string(data) - uri, err := url.Parse(name) - if err != nil { - return fmt.Errorf("x509: internal error: URI SAN %q failed to parse", name) - } - - if err := checkNameConstraints(c, &comparisonCount, maxConstraintComparisons, "URI", name, uri, - func(parsedName, constraint any) (bool, error) { - return matchURIConstraint(parsedName.(*url.URL), constraint.(string)) - }, c.PermittedURIDomains, c.ExcludedURIDomains); err != nil { - return err - } - - case nameTypeIP: - ip := net.IP(data) - if l := len(ip); l != net.IPv4len && l != net.IPv6len { - return fmt.Errorf("x509: internal error: IP SAN %x failed to parse", data) - } - - if err := checkNameConstraints(c, &comparisonCount, maxConstraintComparisons, "IP address", ip.String(), ip, - func(parsedName, constraint any) (bool, error) { - return matchIPConstraint(parsedName.(net.IP), constraint.(*net.IPNet)) - }, c.PermittedIPRanges, c.ExcludedIPRanges); err != nil { - return err - } - - default: - // Unknown SAN types are ignored. - } - - return nil - }) - - if err != nil { - return err - } - } - } + // CANotAuthorizedForThisName check deleted. + // Allow to log all certificates, even if they have been isued by a CA that + // is not auhotized to issue certs for a given domain. + // TODO(phboneff): check whether we can add this constraint back to be closer + // to the x509 library. // KeyUsage status flags are ignored. From Engineering Security, Peter // Gutmann: A European government CA marked its signing certificates as From 619ca94c2167ec9015e0958eb842e66df03719a4 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 11:58:45 +0000 Subject: [PATCH 12/23] delete EKU and Policy chain checks --- internal/x509util/verify.go | 26 ++------------------------ 1 file changed, 2 insertions(+), 24 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index ec370f00..f3782091 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -712,35 +712,13 @@ func Verify(c *x509.Certificate, opts VerifyOptions) (chains [][]*x509.Certifica } } - chains = make([][]*x509.Certificate, 0, len(candidateChains)) - var incompatibleKeyUsageChains, invalidPoliciesChains int - for _, candidate := range candidateChains { - if !checkChainForKeyUsage(candidate, opts.KeyUsages) { - incompatibleKeyUsageChains++ - continue - } - if !policiesValid(candidate, opts) { - invalidPoliciesChains++ - continue - } - chains = append(chains, candidate) - } - if len(chains) == 0 { + if len(candidateChains) == 0 { var details []string - if incompatibleKeyUsageChains > 0 { - if invalidPoliciesChains == 0 { - return nil, CertificateInvalidError{c, IncompatibleUsage, ""} - } - details = append(details, fmt.Sprintf("%d chains with incompatible key usage", incompatibleKeyUsageChains)) - } - if invalidPoliciesChains > 0 { - details = append(details, fmt.Sprintf("%d chains with invalid policies", invalidPoliciesChains)) - } err = CertificateInvalidError{c, NoValidChains, strings.Join(details, ", ")} return nil, err } - return chains, nil + return candidateChains, nil } func appendToFreshChain(chain []*x509.Certificate, cert *x509.Certificate) []*x509.Certificate { From 3656294cc9ee22842ce7e28bcb691a8eaf5620ba Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 12:00:34 +0000 Subject: [PATCH 13/23] delete unused code --- internal/x509util/verify.go | 422 ------------------------------------ 1 file changed, 422 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index f3782091..b527545f 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -11,8 +11,6 @@ import ( "crypto/x509/pkix" "errors" "fmt" - "iter" - "maps" "net" "net/url" "runtime" @@ -1023,423 +1021,3 @@ func VerifyHostname(c *x509.Certificate, h string) error { return HostnameError{c, h} } - -func checkChainForKeyUsage(chain []*x509.Certificate, keyUsages []x509.ExtKeyUsage) bool { - usages := make([]x509.ExtKeyUsage, len(keyUsages)) - copy(usages, keyUsages) - - if len(chain) == 0 { - return false - } - - usagesRemaining := len(usages) - - // We walk down the list and cross out any usages that aren't supported - // by each certificate. If we cross out all the usages, then the chain - // is unacceptable. - -NextCert: - for i := len(chain) - 1; i >= 0; i-- { - cert := chain[i] - if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 { - // The certificate doesn't have any extended key usage specified. - continue - } - - for _, usage := range cert.ExtKeyUsage { - if usage == x509.ExtKeyUsageAny { - // The certificate is explicitly good for any usage. - continue NextCert - } - } - - const invalidUsage x509.ExtKeyUsage = -1 - - NextRequestedUsage: - for i, requestedUsage := range usages { - if requestedUsage == invalidUsage { - continue - } - - for _, usage := range cert.ExtKeyUsage { - if requestedUsage == usage { - continue NextRequestedUsage - } - } - - usages[i] = invalidUsage - usagesRemaining-- - if usagesRemaining == 0 { - return false - } - } - } - - return true -} - -func mustNewOIDFromInts(ints []uint64) x509.OID { - oid, err := x509.OIDFromInts(ints) - if err != nil { - panic(fmt.Sprintf("OIDFromInts(%v) unexpected error: %v", ints, err)) - } - return oid -} - -type policyGraphNode struct { - validPolicy x509.OID - expectedPolicySet []x509.OID - // we do not implement qualifiers, so we don't track qualifier_set - - parents map[*policyGraphNode]bool - children map[*policyGraphNode]bool -} - -func newPolicyGraphNode(valid x509.OID, parents []*policyGraphNode) *policyGraphNode { - n := &policyGraphNode{ - validPolicy: valid, - expectedPolicySet: []x509.OID{valid}, - children: map[*policyGraphNode]bool{}, - parents: map[*policyGraphNode]bool{}, - } - for _, p := range parents { - p.children[n] = true - n.parents[p] = true - } - return n -} - -type policyGraph struct { - strata []map[string]*policyGraphNode - // map of OID -> nodes at strata[depth-1] with OID in their expectedPolicySet - parentIndex map[string][]*policyGraphNode - depth int -} - -var anyPolicyOID = mustNewOIDFromInts([]uint64{2, 5, 29, 32, 0}) - -func newPolicyGraph() *policyGraph { - root := policyGraphNode{ - validPolicy: anyPolicyOID, - expectedPolicySet: []x509.OID{anyPolicyOID}, - children: map[*policyGraphNode]bool{}, - parents: map[*policyGraphNode]bool{}, - } - return &policyGraph{ - depth: 0, - strata: []map[string]*policyGraphNode{{string(anyPolicyOID.der): &root}}, - } -} - -func (pg *policyGraph) insert(n *policyGraphNode) { - pg.strata[pg.depth][string(n.validPolicy.der)] = n -} - -func (pg *policyGraph) parentsWithExpected(expected OID) []*policyGraphNode { - if pg.depth == 0 { - return nil - } - return pg.parentIndex[string(expected.der)] -} - -func (pg *policyGraph) parentWithAnyPolicy() *policyGraphNode { - if pg.depth == 0 { - return nil - } - return pg.strata[pg.depth-1][string(anyPolicyOID.der)] -} - -func (pg *policyGraph) parents() iter.Seq[*policyGraphNode] { - if pg.depth == 0 { - return nil - } - return maps.Values(pg.strata[pg.depth-1]) -} - -func (pg *policyGraph) leaves() map[string]*policyGraphNode { - return pg.strata[pg.depth] -} - -func (pg *policyGraph) leafWithPolicy(policy x509.OID) *policyGraphNode { - return pg.strata[pg.depth][string(policy.der)] -} - -func (pg *policyGraph) deleteLeaf(policy x509.OID) { - n := pg.strata[pg.depth][string(policy.der)] - if n == nil { - return - } - for p := range n.parents { - delete(p.children, n) - } - for c := range n.children { - delete(c.parents, n) - } - delete(pg.strata[pg.depth], string(policy.der)) -} - -func (pg *policyGraph) validPolicyNodes() []*policyGraphNode { - var validNodes []*policyGraphNode - for i := pg.depth; i >= 0; i-- { - for _, n := range pg.strata[i] { - if n.validPolicy.Equal(anyPolicyOID) { - continue - } - - if len(n.parents) == 1 { - for p := range n.parents { - if p.validPolicy.Equal(anyPolicyOID) { - validNodes = append(validNodes, n) - } - } - } - } - } - return validNodes -} - -func (pg *policyGraph) prune() { - for i := pg.depth - 1; i > 0; i-- { - for _, n := range pg.strata[i] { - if len(n.children) == 0 { - for p := range n.parents { - delete(p.children, n) - } - delete(pg.strata[i], string(n.validPolicy.der)) - } - } - } -} - -func (pg *policyGraph) incrDepth() { - pg.parentIndex = map[string][]*policyGraphNode{} - for _, n := range pg.strata[pg.depth] { - for _, e := range n.expectedPolicySet { - pg.parentIndex[string(e.der)] = append(pg.parentIndex[string(e.der)], n) - } - } - - pg.depth++ - pg.strata = append(pg.strata, map[string]*policyGraphNode{}) -} - -func policiesValid(chain []*x509.Certificate, opts VerifyOptions) bool { - // The following code implements the policy verification algorithm as - // specified in RFC 5280 and updated by RFC 9618. In particular the - // following sections are replaced by RFC 9618: - // * 6.1.2 (a) - // * 6.1.3 (d) - // * 6.1.3 (e) - // * 6.1.3 (f) - // * 6.1.4 (b) - // * 6.1.5 (g) - - if len(chain) == 1 { - return true - } - - // n is the length of the chain minus the trust anchor - n := len(chain) - 1 - - pg := newPolicyGraph() - var inhibitAnyPolicy, explicitPolicy, policyMapping int - if !opts.inhibitAnyPolicy { - inhibitAnyPolicy = n + 1 - } - if !opts.requireExplicitPolicy { - explicitPolicy = n + 1 - } - if !opts.inhibitPolicyMapping { - policyMapping = n + 1 - } - - initialUserPolicySet := map[string]bool{} - for _, p := range opts.CertificatePolicies { - initialUserPolicySet[string(p.der)] = true - } - // If the user does not pass any policies, we consider - // that equivalent to passing anyPolicyOID. - if len(initialUserPolicySet) == 0 { - initialUserPolicySet[string(anyPolicyOID.der)] = true - } - - for i := n - 1; i >= 0; i-- { - cert := chain[i] - - isSelfSigned := bytes.Equal(cert.RawIssuer, cert.RawSubject) - - // 6.1.3 (e) -- as updated by RFC 9618 - if len(cert.Policies) == 0 { - pg = nil - } - - // 6.1.3 (f) -- as updated by RFC 9618 - if explicitPolicy == 0 && pg == nil { - return false - } - - if pg != nil { - pg.incrDepth() - - policies := map[string]bool{} - - // 6.1.3 (d) (1) -- as updated by RFC 9618 - for _, policy := range cert.Policies { - policies[string(policy.der)] = true - - if policy.Equal(anyPolicyOID) { - continue - } - - // 6.1.3 (d) (1) (i) -- as updated by RFC 9618 - parents := pg.parentsWithExpected(policy) - if len(parents) == 0 { - // 6.1.3 (d) (1) (ii) -- as updated by RFC 9618 - if anyParent := pg.parentWithAnyPolicy(); anyParent != nil { - parents = []*policyGraphNode{anyParent} - } - } - if len(parents) > 0 { - pg.insert(newPolicyGraphNode(policy, parents)) - } - } - - // 6.1.3 (d) (2) -- as updated by RFC 9618 - // NOTE: in the check "n-i < n" our i is different from the i in the specification. - // In the specification chains go from the trust anchor to the leaf, whereas our - // chains go from the leaf to the trust anchor, so our i's our inverted. Our - // check here matches the check "i < n" in the specification. - if policies[string(anyPolicyOID.der)] && (inhibitAnyPolicy > 0 || (n-i < n && isSelfSigned)) { - missing := map[string][]*policyGraphNode{} - leaves := pg.leaves() - for p := range pg.parents() { - for _, expected := range p.expectedPolicySet { - if leaves[string(expected.der)] == nil { - missing[string(expected.der)] = append(missing[string(expected.der)], p) - } - } - } - - for oidStr, parents := range missing { - pg.insert(newPolicyGraphNode(x509.OID{der: []byte(oidStr)}, parents)) - } - } - - // 6.1.3 (d) (3) -- as updated by RFC 9618 - pg.prune() - - if i != 0 { - // 6.1.4 (b) -- as updated by RFC 9618 - if len(cert.PolicyMappings) > 0 { - // collect map of issuer -> []subject - mappings := map[string][]x509.OID{} - - for _, mapping := range cert.PolicyMappings { - if policyMapping > 0 { - if mapping.IssuerDomainPolicy.Equal(anyPolicyOID) || mapping.SubjectDomainPolicy.Equal(anyPolicyOID) { - // Invalid mapping - return false - } - mappings[string(mapping.IssuerDomainPolicy.der)] = append(mappings[string(mapping.IssuerDomainPolicy.der)], mapping.SubjectDomainPolicy) - } else { - // 6.1.4 (b) (3) (i) -- as updated by RFC 9618 - pg.deleteLeaf(mapping.IssuerDomainPolicy) - - // 6.1.4 (b) (3) (ii) -- as updated by RFC 9618 - pg.prune() - } - } - - for issuerStr, subjectPolicies := range mappings { - // 6.1.4 (b) (1) -- as updated by RFC 9618 - if matching := pg.leafWithPolicy(x509.OID{der: []byte(issuerStr)}); matching != nil { - matching.expectedPolicySet = subjectPolicies - } else if matching := pg.leafWithPolicy(anyPolicyOID); matching != nil { - // 6.1.4 (b) (2) -- as updated by RFC 9618 - n := newPolicyGraphNode(x509.OID{der: []byte(issuerStr)}, []*policyGraphNode{matching}) - n.expectedPolicySet = subjectPolicies - pg.insert(n) - } - } - } - } - } - - if i != 0 { - // 6.1.4 (h) - if !isSelfSigned { - if explicitPolicy > 0 { - explicitPolicy-- - } - if policyMapping > 0 { - policyMapping-- - } - if inhibitAnyPolicy > 0 { - inhibitAnyPolicy-- - } - } - - // 6.1.4 (i) - if (cert.RequireExplicitPolicy > 0 || cert.RequireExplicitPolicyZero) && cert.RequireExplicitPolicy < explicitPolicy { - explicitPolicy = cert.RequireExplicitPolicy - } - if (cert.InhibitPolicyMapping > 0 || cert.InhibitPolicyMappingZero) && cert.InhibitPolicyMapping < policyMapping { - policyMapping = cert.InhibitPolicyMapping - } - // 6.1.4 (j) - if (cert.InhibitAnyPolicy > 0 || cert.InhibitAnyPolicyZero) && cert.InhibitAnyPolicy < inhibitAnyPolicy { - inhibitAnyPolicy = cert.InhibitAnyPolicy - } - } - } - - // 6.1.5 (a) - if explicitPolicy > 0 { - explicitPolicy-- - } - - // 6.1.5 (b) - if chain[0].RequireExplicitPolicyZero { - explicitPolicy = 0 - } - - // 6.1.5 (g) (1) -- as updated by RFC 9618 - var validPolicyNodeSet []*policyGraphNode - // 6.1.5 (g) (2) -- as updated by RFC 9618 - if pg != nil { - validPolicyNodeSet = pg.validPolicyNodes() - // 6.1.5 (g) (3) -- as updated by RFC 9618 - if currentAny := pg.leafWithPolicy(anyPolicyOID); currentAny != nil { - validPolicyNodeSet = append(validPolicyNodeSet, currentAny) - } - } - - // 6.1.5 (g) (4) -- as updated by RFC 9618 - authorityConstrainedPolicySet := map[string]bool{} - for _, n := range validPolicyNodeSet { - authorityConstrainedPolicySet[string(n.validPolicy.der)] = true - } - // 6.1.5 (g) (5) -- as updated by RFC 9618 - userConstrainedPolicySet := maps.Clone(authorityConstrainedPolicySet) - // 6.1.5 (g) (6) -- as updated by RFC 9618 - if len(initialUserPolicySet) != 1 || !initialUserPolicySet[string(anyPolicyOID.der)] { - // 6.1.5 (g) (6) (i) -- as updated by RFC 9618 - for p := range userConstrainedPolicySet { - if !initialUserPolicySet[p] { - delete(userConstrainedPolicySet, p) - } - } - // 6.1.5 (g) (6) (ii) -- as updated by RFC 9618 - if authorityConstrainedPolicySet[string(anyPolicyOID.der)] { - for policy := range initialUserPolicySet { - userConstrainedPolicySet[policy] = true - } - } - } - - if explicitPolicy == 0 && len(userConstrainedPolicySet) == 0 { - return false - } - - return true -} From 73937588d6e0707372b3758dbb7ccccc68eaf391 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 11:14:53 +0000 Subject: [PATCH 14/23] copy hasSanExtension --- internal/x509util/verify.go | 2 +- internal/x509util/x509.go | 26 ++++++++++++++++++++++++++ 2 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 internal/x509util/x509.go diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index b527545f..2c03c8f1 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -109,7 +109,7 @@ type HostnameError struct { func (h HostnameError) Error() string { c := h.Certificate - if !c.hasSANExtension() && matchHostnames(c.Subject.CommonName, h.Host) { + if !hasSANExtension(c) && matchHostnames(c.Subject.CommonName, h.Host) { return "x509: certificate relies on legacy Common Name field, use SANs instead" } diff --git a/internal/x509util/x509.go b/internal/x509util/x509.go new file mode 100644 index 00000000..3f8ea190 --- /dev/null +++ b/internal/x509util/x509.go @@ -0,0 +1,26 @@ +package x509util + +import ( + "crypto/x509" + "crypto/x509/pkix" + "encoding/asn1" +) + +var ( + oidExtensionSubjectAltName = []int{2, 5, 29, 17} +) + +func hasSANExtension(c *x509.Certificate) bool { + return oidInExtensions(oidExtensionSubjectAltName, c.Extensions) +} + +// oidInExtensions reports whether an extension with the given oid exists in +// extensions. +func oidInExtensions(oid asn1.ObjectIdentifier, extensions []pkix.Extension) bool { + for _, e := range extensions { + if e.Id.Equal(oid) { + return true + } + } + return false +} From bc71c54a6392da33bc49d75c6235ce5f2c83dc5a Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 12:26:22 +0000 Subject: [PATCH 15/23] disable time checks --- internal/x509util/verify.go | 21 ++++----------------- 1 file changed, 4 insertions(+), 17 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index 2c03c8f1..3fbb053f 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -21,6 +21,7 @@ import ( type InvalidReason int +// TODO(phboneff): delete options that are not enabled anymore. const ( // NotAuthorizedToSign results when a certificate is signed by another // which isn't marked as a CA certificate. @@ -544,23 +545,9 @@ func isValid(c *x509.Certificate, certType int, currentChain []*x509.Certificate } } - now := opts.CurrentTime - if now.IsZero() { - now = time.Now() - } - if now.Before(c.NotBefore) { - return CertificateInvalidError{ - Cert: c, - Reason: Expired, - Detail: fmt.Sprintf("current time %s is before %s", now.Format(time.RFC3339), c.NotBefore.Format(time.RFC3339)), - } - } else if now.After(c.NotAfter) { - return CertificateInvalidError{ - Cert: c, - Reason: Expired, - Detail: fmt.Sprintf("current time %s is after %s", now.Format(time.RFC3339), c.NotAfter.Format(time.RFC3339)), - } - } + // Expired checks disabled. + // CT servers handle this at submission time, and accept certificates even + // if they are expired. if certType == intermediateCertificate || certType == rootCertificate { if len(currentChain) == 0 { From 116c6dcdd88ff0f3c9c18904c5dc720caa107115 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 12:38:14 +0000 Subject: [PATCH 16/23] remove errors and hostname functions # Conflicts: # internal/x509util/verify.go --- internal/x509util/verify.go | 196 +----------------------------------- 1 file changed, 4 insertions(+), 192 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index 3fbb053f..fe62b182 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -61,81 +61,6 @@ const ( NoValidChains ) -// CertificateInvalidError results when an odd error occurs. Users of this -// library probably want to handle all these errors uniformly. -// TODO(phboneff): consider using the x509 one. -type CertificateInvalidError struct { - Cert *x509.Certificate - Reason InvalidReason - Detail string -} - -func (e CertificateInvalidError) Error() string { - switch e.Reason { - case NotAuthorizedToSign: - return "x509: certificate is not authorized to sign other certificates" - case Expired: - return "x509: certificate has expired or is not yet valid: " + e.Detail - case CANotAuthorizedForThisName: - return "x509: a root or intermediate certificate is not authorized to sign for this name: " + e.Detail - case CANotAuthorizedForExtKeyUsage: - return "x509: a root or intermediate certificate is not authorized for an extended key usage: " + e.Detail - case TooManyIntermediates: - return "x509: too many intermediates for path length constraint" - case IncompatibleUsage: - return "x509: certificate specifies an incompatible key usage" - case NameMismatch: - return "x509: issuer name does not match subject from issuing certificate" - case NameConstraintsWithoutSANs: - return "x509: issuer has name constraints but leaf doesn't have a SAN extension" - case UnconstrainedName: - return "x509: issuer has name constraints but leaf contains unknown or unconstrained name: " + e.Detail - case NoValidChains: - s := "x509: no valid chains built" - if e.Detail != "" { - s = fmt.Sprintf("%s: %s", s, e.Detail) - } - return s - } - return "x509: unknown error" -} - -// HostnameError results when the set of authorized names doesn't match the -// requested name. -type HostnameError struct { - Certificate *x509.Certificate - Host string -} - -func (h HostnameError) Error() string { - c := h.Certificate - - if !hasSANExtension(c) && matchHostnames(c.Subject.CommonName, h.Host) { - return "x509: certificate relies on legacy Common Name field, use SANs instead" - } - - var valid string - if ip := net.ParseIP(h.Host); ip != nil { - // Trying to validate an IP - if len(c.IPAddresses) == 0 { - return "x509: cannot validate certificate for " + h.Host + " because it doesn't contain any IP SANs" - } - for _, san := range c.IPAddresses { - if len(valid) > 0 { - valid += ", " - } - valid += san.String() - } - } else { - valid = strings.Join(c.DNSNames, ", ") - } - - if len(valid) == 0 { - return "x509: certificate is not valid for any names, but wanted to match " + h.Host - } - return "x509: certificate is valid for " + valid + ", not " + h.Host -} - // UnknownAuthorityError results when the certificate issuer is unknown type UnknownAuthorityError struct { Cert *x509.Certificate @@ -541,7 +466,7 @@ func isValid(c *x509.Certificate, certType int, currentChain []*x509.Certificate if len(currentChain) > 0 { child := currentChain[len(currentChain)-1] if !bytes.Equal(child.RawIssuer, c.RawSubject) { - return CertificateInvalidError{c, NameMismatch, ""} + return x509.CertificateInvalidError{c, x509.NameMismatch, ""} } } @@ -579,7 +504,7 @@ func isValid(c *x509.Certificate, certType int, currentChain []*x509.Certificate // encryption key could only be used for Diffie-Hellman key agreement. if certType == intermediateCertificate && (!c.BasicConstraintsValid || !c.IsCA) { - return CertificateInvalidError{c, NotAuthorizedToSign, ""} + return x509.CertificateInvalidError{c, x509.NotAuthorizedToSign, ""} } // TooManyIntermediates check deleted. @@ -669,7 +594,7 @@ func Verify(c *x509.Certificate, opts VerifyOptions) (chains [][]*x509.Certifica } if len(opts.DNSName) > 0 { - err = VerifyHostname(c, opts.DNSName) + err = c.VerifyHostname(opts.DNSName) if err != nil { return } @@ -699,7 +624,7 @@ func Verify(c *x509.Certificate, opts VerifyOptions) (chains [][]*x509.Certifica if len(candidateChains) == 0 { var details []string - err = CertificateInvalidError{c, NoValidChains, strings.Join(details, ", ")} + err = x509.CertificateInvalidError{c, x509.NoValidChains, strings.Join(details, ", ")} return nil, err } @@ -837,68 +762,6 @@ func buildChains(c *x509.Certificate, currentChain []*x509.Certificate, sigCheck return } -func validHostnamePattern(host string) bool { return validHostname(host, true) } -func validHostnameInput(host string) bool { return validHostname(host, false) } - -// validHostname reports whether host is a valid hostname that can be matched or -// matched against according to RFC 6125 2.2, with some leniency to accommodate -// legacy values. -func validHostname(host string, isPattern bool) bool { - if !isPattern { - host = strings.TrimSuffix(host, ".") - } - if len(host) == 0 { - return false - } - if host == "*" { - // Bare wildcards are not allowed, they are not valid DNS names, - // nor are they allowed per RFC 6125. - return false - } - - for i, part := range strings.Split(host, ".") { - if part == "" { - // Empty label. - return false - } - if isPattern && i == 0 && part == "*" { - // Only allow full left-most wildcards, as those are the only ones - // we match, and matching literal '*' characters is probably never - // the expected behavior. - continue - } - for j, c := range part { - if 'a' <= c && c <= 'z' { - continue - } - if '0' <= c && c <= '9' { - continue - } - if 'A' <= c && c <= 'Z' { - continue - } - if c == '-' && j != 0 { - continue - } - if c == '_' { - // Not a valid character in hostnames, but commonly - // found in deployments outside the WebPKI. - continue - } - return false - } - } - - return true -} - -func matchExactly(hostA, hostB string) bool { - if hostA == "" || hostA == "." || hostB == "" || hostB == "." { - return false - } - return toLowerCaseASCII(hostA) == toLowerCaseASCII(hostB) -} - func matchHostnames(pattern, host string) bool { pattern = toLowerCaseASCII(pattern) host = toLowerCaseASCII(strings.TrimSuffix(host, ".")) @@ -957,54 +820,3 @@ func toLowerCaseASCII(in string) string { } return string(out) } - -// VerifyHostname returns nil if c is a valid certificate for the named host. -// Otherwise it returns an error describing the mismatch. -// -// IP addresses can be optionally enclosed in square brackets and are checked -// against the IPAddresses field. Other names are checked case insensitively -// against the DNSNames field. If the names are valid hostnames, the certificate -// fields can have a wildcard as the complete left-most label (e.g. *.example.com). -// -// Note that the legacy Common Name field is ignored. -// TODO(phboneff): can we simply use the exported x509 one? Otherwise make this -// one private. -func VerifyHostname(c *x509.Certificate, h string) error { - // IP addresses may be written in [ ]. - candidateIP := h - if len(h) >= 3 && h[0] == '[' && h[len(h)-1] == ']' { - candidateIP = h[1 : len(h)-1] - } - if ip := net.ParseIP(candidateIP); ip != nil { - // We only match IP addresses against IP SANs. - // See RFC 6125, Appendix B.2. - for _, candidate := range c.IPAddresses { - if ip.Equal(candidate) { - return nil - } - } - return HostnameError{c, candidateIP} - } - - candidateName := toLowerCaseASCII(h) // Save allocations inside the loop. - validCandidateName := validHostnameInput(candidateName) - - for _, match := range c.DNSNames { - // Ideally, we'd only match valid hostnames according to RFC 6125 like - // browsers (more or less) do, but in practice Go is used in a wider - // array of contexts and can't even assume DNS resolution. Instead, - // always allow perfect matches, and only apply wildcard and trailing - // dot processing to valid hostnames. - if validCandidateName && validHostnamePattern(match) { - if matchHostnames(match, candidateName) { - return nil - } - } else { - if matchExactly(match, candidateName) { - return nil - } - } - } - - return HostnameError{c, h} -} From 9b9e4dc009e581adc9d84e84a6b4f54dd784f08c Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 14:59:30 +0000 Subject: [PATCH 17/23] remove more hostname functions --- internal/x509util/verify.go | 60 ------------------------------------- 1 file changed, 60 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index fe62b182..5983dcb9 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -16,7 +16,6 @@ import ( "runtime" "strings" "time" - "unicode/utf8" ) type InvalidReason int @@ -761,62 +760,3 @@ func buildChains(c *x509.Certificate, currentChain []*x509.Certificate, sigCheck return } - -func matchHostnames(pattern, host string) bool { - pattern = toLowerCaseASCII(pattern) - host = toLowerCaseASCII(strings.TrimSuffix(host, ".")) - - if len(pattern) == 0 || len(host) == 0 { - return false - } - - patternParts := strings.Split(pattern, ".") - hostParts := strings.Split(host, ".") - - if len(patternParts) != len(hostParts) { - return false - } - - for i, patternPart := range patternParts { - if i == 0 && patternPart == "*" { - continue - } - if patternPart != hostParts[i] { - return false - } - } - - return true -} - -// toLowerCaseASCII returns a lower-case version of in. See RFC 6125 6.4.1. We use -// an explicitly ASCII function to avoid any sharp corners resulting from -// performing Unicode operations on DNS labels. -func toLowerCaseASCII(in string) string { - // If the string is already lower-case then there's nothing to do. - isAlreadyLowerCase := true - for _, c := range in { - if c == utf8.RuneError { - // If we get a UTF-8 error then there might be - // upper-case ASCII bytes in the invalid sequence. - isAlreadyLowerCase = false - break - } - if 'A' <= c && c <= 'Z' { - isAlreadyLowerCase = false - break - } - } - - if isAlreadyLowerCase { - return in - } - - out := []byte(in) - for i, c := range out { - if 'A' <= c && c <= 'Z' { - out[i] += 'a' - 'A' - } - } - return string(out) -} From 4b0ba83de65959b1e2af7fe2687c4acddb894825 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 15:00:03 +0000 Subject: [PATCH 18/23] remove VerifyHostname: it's never used --- internal/x509util/verify.go | 7 ------- 1 file changed, 7 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index 5983dcb9..f840a800 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -592,13 +592,6 @@ func Verify(c *x509.Certificate, opts VerifyOptions) (chains [][]*x509.Certifica return } - if len(opts.DNSName) > 0 { - err = c.VerifyHostname(opts.DNSName) - if err != nil { - return - } - } - var candidateChains [][]*x509.Certificate if opts.Roots.contains(c) { candidateChains = [][]*x509.Certificate{{c}} From d7eeba05e2c1fcb74906c202b94a9bd7b208bbfa Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 18:46:03 +0000 Subject: [PATCH 19/23] remove error messages and options we don't use # Conflicts: # internal/x509util/verify.go --- internal/x509util/verify.go | 80 ------------------------------------- 1 file changed, 80 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index f840a800..b2741396 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -15,49 +15,6 @@ import ( "net/url" "runtime" "strings" - "time" -) - -type InvalidReason int - -// TODO(phboneff): delete options that are not enabled anymore. -const ( - // NotAuthorizedToSign results when a certificate is signed by another - // which isn't marked as a CA certificate. - NotAuthorizedToSign InvalidReason = iota - // Expired results when a certificate has expired, based on the time - // given in the VerifyOptions. - Expired - // CANotAuthorizedForThisName results when an intermediate or root - // certificate has a name constraint which doesn't permit a DNS or - // other name (including IP address) in the leaf certificate. - CANotAuthorizedForThisName - // TooManyIntermediates results when a path length constraint is - // violated. - TooManyIntermediates - // IncompatibleUsage results when the certificate's key usage indicates - // that it may only be used for a different purpose. - IncompatibleUsage - // NameMismatch results when the subject name of a parent certificate - // does not match the issuer name in the child. - NameMismatch - // NameConstraintsWithoutSANs is a legacy error and is no longer returned. - NameConstraintsWithoutSANs - // UnconstrainedName results when a CA certificate contains permitted - // name constraints, but leaf certificate contains a name of an - // unsupported or unconstrained type. - UnconstrainedName - // TooManyConstraints results when the number of comparison operations - // needed to check a certificate exceeds the limit set by - // VerifyOptions.MaxConstraintComparisions. This limit exists to - // prevent pathological certificates can consuming excessive amounts of - // CPU time to verify. - TooManyConstraints - // CANotAuthorizedForExtKeyUsage results when an intermediate or root - // certificate does not permit a requested extended key usage. - CANotAuthorizedForExtKeyUsage - // NoValidChains results when there are no valid chains to return. - NoValidChains ) // UnknownAuthorityError results when the certificate issuer is unknown @@ -108,10 +65,6 @@ var errNotParsed = errors.New("x509: missing ASN.1 contents; use ParseCertificat // VerifyOptions contains parameters for Certificate.Verify. type VerifyOptions struct { - // DNSName, if set, is checked against the leaf certificate with - // Certificate.VerifyHostname or the platform verifier. - DNSName string - // Intermediates is an optional pool of certificates that are not trust // anchors, but can be used to form a chain from the leaf certificate to a // root certificate. @@ -119,43 +72,10 @@ type VerifyOptions struct { // Roots is the set of trusted root certificates the leaf certificate needs // to chain up to. If nil, the system roots or the platform verifier are used. Roots *x509.CertPool - - // CurrentTime is used to check the validity of all certificates in the - // chain. If zero, the current time is used. - CurrentTime time.Time - // KeyUsages specifies which Extended Key Usage values are acceptable. A // chain is accepted if it allows any of the listed values. An empty list // means ExtKeyUsageServerAuth. To accept any key usage, include ExtKeyUsageAny. KeyUsages []x509.ExtKeyUsage - - // MaxConstraintComparisions is the maximum number of comparisons to - // perform when checking a given certificate's name constraints. If - // zero, a sensible default is used. This limit prevents pathological - // certificates from consuming excessive amounts of CPU time when - // validating. It does not apply to the platform verifier. - MaxConstraintComparisions int - - // CertificatePolicies specifies which certificate policy OIDs are - // acceptable during policy validation. An empty CertificatePolices - // field implies any valid policy is acceptable. - CertificatePolicies []x509.OID - - // The following policy fields are unexported, because we do not expect - // users to actually need to use them, but are useful for testing the - // policy validation code. - - // inhibitPolicyMapping indicates if policy mapping should be allowed - // during path validation. - inhibitPolicyMapping bool - - // requireExplicitPolicy indidicates if explicit policies must be present - // for each certificate being validated. - requireExplicitPolicy bool - - // inhibitAnyPolicy indicates if the anyPolicy policy should be - // processed if present in a certificate being validated. - inhibitAnyPolicy bool } const ( From 54feb52d44b1e86afa6b916c2d9c8b5731bbe138 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 11:22:50 +0000 Subject: [PATCH 20/23] disable systemRoots --- internal/x509util/verify.go | 41 ++----------------------------------- 1 file changed, 2 insertions(+), 39 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index b2741396..1ccad193 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -13,7 +13,6 @@ import ( "fmt" "net" "net/url" - "runtime" "strings" ) @@ -44,21 +43,6 @@ func (e UnknownAuthorityError) Error() string { return s } -// SystemRootsError results when we fail to load the system root certificates. -type SystemRootsError struct { - Err error -} - -func (se SystemRootsError) Error() string { - msg := "x509: failed to load system roots and no roots provided" - if se.Err != nil { - return msg + "; " + se.Err.Error() - } - return msg -} - -func (se SystemRootsError) Unwrap() error { return se.Err } - // errNotParsed is returned when a certificate without ASN.1 contents is // verified. Platform-specific verification needs the ASN.1 contents. var errNotParsed = errors.New("x509: missing ASN.1 contents; use ParseCertificate") @@ -481,30 +465,9 @@ func Verify(c *x509.Certificate, opts VerifyOptions) (chains [][]*x509.Certifica } } - // Use platform verifiers, where available, if Roots is from SystemCertPool. - if runtime.GOOS == "windows" || runtime.GOOS == "darwin" || runtime.GOOS == "ios" { - // Don't use the system verifier if the system pool was replaced with a non-system pool, - // i.e. if SetFallbackRoots was called with x509usefallbackroots=1. - systemPool := systemRootsPool() - if opts.Roots == nil && (systemPool == nil || systemPool.systemPool) { - return c.systemVerify(&opts) - } - if opts.Roots != nil && opts.Roots.systemPool { - platformChains, err := c.systemVerify(&opts) - // If the platform verifier succeeded, or there are no additional - // roots, return the platform verifier result. Otherwise, continue - // with the Go verifier. - if err == nil || opts.Roots.len() == 0 { - return platformChains, err - } - } - } - + // CT server roots MUST not be empty. if opts.Roots == nil { - opts.Roots = systemRootsPool() - if opts.Roots == nil { - return nil, SystemRootsError{systemRootsErr} - } + return nil, fmt.Errorf("opts.Roots == nil, roots MUST be provided") } err = isValid(c, leafCertificate, nil, &opts) From e7a51746d3724c5754c9d3f88abd7137248f16ee Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 12:33:11 +0000 Subject: [PATCH 21/23] delete more unused things # Conflicts: # internal/x509util/verify.go --- internal/x509util/verify.go | 291 ------------------------------------ 1 file changed, 291 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index 1ccad193..620e84b0 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -11,8 +11,6 @@ import ( "crypto/x509/pkix" "errors" "fmt" - "net" - "net/url" "strings" ) @@ -68,295 +66,6 @@ const ( rootCertificate ) -// rfc2821Mailbox represents a “mailbox” (which is an email address to most -// people) by breaking it into the “local” (i.e. before the '@') and “domain” -// parts. -type rfc2821Mailbox struct { - local, domain string -} - -// parseRFC2821Mailbox parses an email address into local and domain parts, -// based on the ABNF for a “Mailbox” from RFC 2821. According to RFC 5280, -// Section 4.2.1.6 that's correct for an rfc822Name from a certificate: “The -// format of an rfc822Name is a "Mailbox" as defined in RFC 2821, Section 4.1.2”. -func parseRFC2821Mailbox(in string) (mailbox rfc2821Mailbox, ok bool) { - if len(in) == 0 { - return mailbox, false - } - - localPartBytes := make([]byte, 0, len(in)/2) - - if in[0] == '"' { - // Quoted-string = DQUOTE *qcontent DQUOTE - // non-whitespace-control = %d1-8 / %d11 / %d12 / %d14-31 / %d127 - // qcontent = qtext / quoted-pair - // qtext = non-whitespace-control / - // %d33 / %d35-91 / %d93-126 - // quoted-pair = ("\" text) / obs-qp - // text = %d1-9 / %d11 / %d12 / %d14-127 / obs-text - // - // (Names beginning with “obs-” are the obsolete syntax from RFC 2822, - // Section 4. Since it has been 16 years, we no longer accept that.) - in = in[1:] - QuotedString: - for { - if len(in) == 0 { - return mailbox, false - } - c := in[0] - in = in[1:] - - switch { - case c == '"': - break QuotedString - - case c == '\\': - // quoted-pair - if len(in) == 0 { - return mailbox, false - } - if in[0] == 11 || - in[0] == 12 || - (1 <= in[0] && in[0] <= 9) || - (14 <= in[0] && in[0] <= 127) { - localPartBytes = append(localPartBytes, in[0]) - in = in[1:] - } else { - return mailbox, false - } - - case c == 11 || - c == 12 || - // Space (char 32) is not allowed based on the - // BNF, but RFC 3696 gives an example that - // assumes that it is. Several “verified” - // errata continue to argue about this point. - // We choose to accept it. - c == 32 || - c == 33 || - c == 127 || - (1 <= c && c <= 8) || - (14 <= c && c <= 31) || - (35 <= c && c <= 91) || - (93 <= c && c <= 126): - // qtext - localPartBytes = append(localPartBytes, c) - - default: - return mailbox, false - } - } - } else { - // Atom ("." Atom)* - NextChar: - for len(in) > 0 { - // atext from RFC 2822, Section 3.2.4 - c := in[0] - - switch { - case c == '\\': - // Examples given in RFC 3696 suggest that - // escaped characters can appear outside of a - // quoted string. Several “verified” errata - // continue to argue the point. We choose to - // accept it. - in = in[1:] - if len(in) == 0 { - return mailbox, false - } - fallthrough - - case ('0' <= c && c <= '9') || - ('a' <= c && c <= 'z') || - ('A' <= c && c <= 'Z') || - c == '!' || c == '#' || c == '$' || c == '%' || - c == '&' || c == '\'' || c == '*' || c == '+' || - c == '-' || c == '/' || c == '=' || c == '?' || - c == '^' || c == '_' || c == '`' || c == '{' || - c == '|' || c == '}' || c == '~' || c == '.': - localPartBytes = append(localPartBytes, in[0]) - in = in[1:] - - default: - break NextChar - } - } - - if len(localPartBytes) == 0 { - return mailbox, false - } - - // From RFC 3696, Section 3: - // “period (".") may also appear, but may not be used to start - // or end the local part, nor may two or more consecutive - // periods appear.” - twoDots := []byte{'.', '.'} - if localPartBytes[0] == '.' || - localPartBytes[len(localPartBytes)-1] == '.' || - bytes.Contains(localPartBytes, twoDots) { - return mailbox, false - } - } - - if len(in) == 0 || in[0] != '@' { - return mailbox, false - } - in = in[1:] - - // The RFC species a format for domains, but that's known to be - // violated in practice so we accept that anything after an '@' is the - // domain part. - if _, ok := domainToReverseLabels(in); !ok { - return mailbox, false - } - - mailbox.local = string(localPartBytes) - mailbox.domain = in - return mailbox, true -} - -// domainToReverseLabels converts a textual domain name like foo.example.com to -// the list of labels in reverse order, e.g. ["com", "example", "foo"]. -func domainToReverseLabels(domain string) (reverseLabels []string, ok bool) { - for len(domain) > 0 { - if i := strings.LastIndexByte(domain, '.'); i == -1 { - reverseLabels = append(reverseLabels, domain) - domain = "" - } else { - reverseLabels = append(reverseLabels, domain[i+1:]) - domain = domain[:i] - if i == 0 { // domain == "" - // domain is prefixed with an empty label, append an empty - // string to reverseLabels to indicate this. - reverseLabels = append(reverseLabels, "") - } - } - } - - if len(reverseLabels) > 0 && len(reverseLabels[0]) == 0 { - // An empty label at the end indicates an absolute value. - return nil, false - } - - for _, label := range reverseLabels { - if len(label) == 0 { - // Empty labels are otherwise invalid. - return nil, false - } - - for _, c := range label { - if c < 33 || c > 126 { - // Invalid character. - return nil, false - } - } - } - - return reverseLabels, true -} - -func matchEmailConstraint(mailbox rfc2821Mailbox, constraint string) (bool, error) { - // If the constraint contains an @, then it specifies an exact mailbox - // name. - if strings.Contains(constraint, "@") { - constraintMailbox, ok := parseRFC2821Mailbox(constraint) - if !ok { - return false, fmt.Errorf("x509: internal error: cannot parse constraint %q", constraint) - } - return mailbox.local == constraintMailbox.local && strings.EqualFold(mailbox.domain, constraintMailbox.domain), nil - } - - // Otherwise the constraint is like a DNS constraint of the domain part - // of the mailbox. - return matchDomainConstraint(mailbox.domain, constraint) -} - -func matchURIConstraint(uri *url.URL, constraint string) (bool, error) { - // From RFC 5280, Section 4.2.1.10: - // “a uniformResourceIdentifier that does not include an authority - // component with a host name specified as a fully qualified domain - // name (e.g., if the URI either does not include an authority - // component or includes an authority component in which the host name - // is specified as an IP address), then the application MUST reject the - // certificate.” - - host := uri.Host - if len(host) == 0 { - return false, fmt.Errorf("URI with empty host (%q) cannot be matched against constraints", uri.String()) - } - - if strings.Contains(host, ":") && !strings.HasSuffix(host, "]") { - var err error - host, _, err = net.SplitHostPort(uri.Host) - if err != nil { - return false, err - } - } - - if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") || - net.ParseIP(host) != nil { - return false, fmt.Errorf("URI with IP (%q) cannot be matched against constraints", uri.String()) - } - - return matchDomainConstraint(host, constraint) -} - -func matchIPConstraint(ip net.IP, constraint *net.IPNet) (bool, error) { - if len(ip) != len(constraint.IP) { - return false, nil - } - - for i := range ip { - if mask := constraint.Mask[i]; ip[i]&mask != constraint.IP[i]&mask { - return false, nil - } - } - - return true, nil -} - -func matchDomainConstraint(domain, constraint string) (bool, error) { - // The meaning of zero length constraints is not specified, but this - // code follows NSS and accepts them as matching everything. - if len(constraint) == 0 { - return true, nil - } - - domainLabels, ok := domainToReverseLabels(domain) - if !ok { - return false, fmt.Errorf("x509: internal error: cannot parse domain %q", domain) - } - - // RFC 5280 says that a leading period in a domain name means that at - // least one label must be prepended, but only for URI and email - // constraints, not DNS constraints. The code also supports that - // behaviour for DNS constraints. - - mustHaveSubdomains := false - if constraint[0] == '.' { - mustHaveSubdomains = true - constraint = constraint[1:] - } - - constraintLabels, ok := domainToReverseLabels(constraint) - if !ok { - return false, fmt.Errorf("x509: internal error: cannot parse domain %q", constraint) - } - - if len(domainLabels) < len(constraintLabels) || - (mustHaveSubdomains && len(domainLabels) == len(constraintLabels)) { - return false, nil - } - - for i, constraintLabel := range constraintLabels { - if !strings.EqualFold(constraintLabel, domainLabels[i]) { - return false, nil - } - } - - return true, nil -} - // isValid performs validity checks on c given that it is a candidate to append // to the chain in currentChain. func isValid(c *x509.Certificate, certType int, currentChain []*x509.Certificate, opts *VerifyOptions) error { From 94dee8aafb8d874d767741e941a73ea46401a349 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Tue, 25 Feb 2025 15:48:22 +0000 Subject: [PATCH 22/23] delete hasSanExtension --- internal/x509util/x509.go | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/internal/x509util/x509.go b/internal/x509util/x509.go index 3f8ea190..01f85f37 100644 --- a/internal/x509util/x509.go +++ b/internal/x509util/x509.go @@ -1,26 +1,5 @@ package x509util -import ( - "crypto/x509" - "crypto/x509/pkix" - "encoding/asn1" -) - var ( oidExtensionSubjectAltName = []int{2, 5, 29, 17} ) - -func hasSANExtension(c *x509.Certificate) bool { - return oidInExtensions(oidExtensionSubjectAltName, c.Extensions) -} - -// oidInExtensions reports whether an extension with the given oid exists in -// extensions. -func oidInExtensions(oid asn1.ObjectIdentifier, extensions []pkix.Extension) bool { - for _, e := range extensions { - if e.Id.Equal(oid) { - return true - } - } - return false -} From 19d0c02488a4a9ee6ddd01392546cbbb90cc0649 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Tue, 25 Feb 2025 16:05:49 +0000 Subject: [PATCH 23/23] use old error type --- internal/x509util/verify.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index 620e84b0..bb46612f 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -208,7 +208,7 @@ func Verify(c *x509.Certificate, opts VerifyOptions) (chains [][]*x509.Certifica if len(candidateChains) == 0 { var details []string - err = x509.CertificateInvalidError{c, x509.NoValidChains, strings.Join(details, ", ")} + err = x509.CertificateInvalidError{c, x509.IncompatibleUsage, strings.Join(details, ", ")} return nil, err }