From 0d4370a6f07744d0cf6fd3ceb72e9e8f8a4c6500 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Tue, 11 Feb 2025 17:28:37 +0000 Subject: [PATCH 01/39] use local BuildPrecertTBS instead of ctgo --- internal/scti/handlers.go | 3 ++- internal/scti/signatures_test.go | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/internal/scti/handlers.go b/internal/scti/handlers.go index 25d58d00..63b97c03 100644 --- a/internal/scti/handlers.go +++ b/internal/scti/handlers.go @@ -33,6 +33,7 @@ import ( "github.com/prometheus/client_golang/prometheus" "github.com/prometheus/client_golang/prometheus/promauto" "github.com/transparency-dev/static-ct/internal/types" + "github.com/transparency-dev/static-ct/internal/x509util" "github.com/transparency-dev/static-ct/modules/dedup" tessera "github.com/transparency-dev/trillian-tessera" "github.com/transparency-dev/trillian-tessera/ctonly" @@ -491,7 +492,7 @@ func entryFromChain(chain []*x509.Certificate, isPrecert bool, timestamp uint64) // Next, post-process the DER-encoded TBSCertificate, to remove the CT poison // extension and possibly update the issuer field. - defangedTBS, err := x509.BuildPrecertTBS(cert.RawTBSCertificate, preIssuer) + defangedTBS, err := x509util.BuildPrecertTBS(cert.RawTBSCertificate, preIssuer) if err != nil { return nil, fmt.Errorf("failed to remove poison extension: %v", err) } diff --git a/internal/scti/signatures_test.go b/internal/scti/signatures_test.go index 5b9105bb..7e37d6d1 100644 --- a/internal/scti/signatures_test.go +++ b/internal/scti/signatures_test.go @@ -367,7 +367,7 @@ func TestSignV1SCTForPrecertificate(t *testing.T) { if got, want := keyHash[:], leaf.TimestampedEntry.PrecertEntry.IssuerKeyHash[:]; !bytes.Equal(got, want) { t.Fatalf("Issuer key hash bytes mismatch, got %v, expected %v", got, want) } - defangedTBS, _ := x509.RemoveCTPoison(cert.RawTBSCertificate) + defangedTBS, _ := x509util.RemoveCTPoison(cert.RawTBSCertificate) if got, want := leaf.TimestampedEntry.PrecertEntry.TBSCertificate, defangedTBS; !bytes.Equal(got, want) { t.Fatalf("TBS cert mismatch, got %v, expected %v", got, want) } From 5f00c138d5086237064fe2a7e5d85429f62d5847 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Tue, 4 Feb 2025 16:53:00 +0000 Subject: [PATCH 02/39] sed ctgo/x509 - crypto/x509 # Conflicts: # internal/scti/storage.go # Conflicts: # internal/scti/ctlog.go # Conflicts: # internal/scti/chain_validation.go # internal/scti/handlers_test.go # internal/scti/signatures_test.go # Conflicts: # ctlog.go --- ctlog.go | 3 ++- internal/scti/chain_validation.go | 5 +++++ internal/scti/chain_validation_test.go | 3 ++- internal/scti/ctlog.go | 2 +- internal/scti/handlers.go | 2 +- internal/scti/handlers_test.go | 3 ++- internal/scti/requestlog.go | 2 +- internal/scti/signatures.go | 2 +- internal/scti/signatures_test.go | 3 ++- mockstorage/mock_ct_storage.go | 2 +- storage/storage.go | 2 +- 11 files changed, 19 insertions(+), 10 deletions(-) diff --git a/ctlog.go b/ctlog.go index 143eeeec..04bc48be 100644 --- a/ctlog.go +++ b/ctlog.go @@ -23,8 +23,9 @@ import ( "strings" "time" + "crypto/x509" + "github.com/google/certificate-transparency-go/asn1" - "github.com/google/certificate-transparency-go/x509" "github.com/transparency-dev/static-ct/internal/scti" "github.com/transparency-dev/static-ct/internal/x509util" "github.com/transparency-dev/static-ct/storage" diff --git a/internal/scti/chain_validation.go b/internal/scti/chain_validation.go index 9c315da3..49a7db9c 100644 --- a/internal/scti/chain_validation.go +++ b/internal/scti/chain_validation.go @@ -23,8 +23,13 @@ import ( "time" "github.com/google/certificate-transparency-go/asn1" +<<<<<<< HEAD "github.com/google/certificate-transparency-go/x509" "github.com/transparency-dev/static-ct/internal/x509util" +======= + "crypto/x509" + "github.com/google/certificate-transparency-go/x509util" +>>>>>>> eaf33bf (sed ctgo/x509 - crypto/x509) "k8s.io/klog/v2" ) diff --git a/internal/scti/chain_validation_test.go b/internal/scti/chain_validation_test.go index eee64aad..9bd4916c 100644 --- a/internal/scti/chain_validation_test.go +++ b/internal/scti/chain_validation_test.go @@ -20,8 +20,9 @@ import ( "testing" "time" + "crypto/x509" + "github.com/google/certificate-transparency-go/asn1" - "github.com/google/certificate-transparency-go/x509" "github.com/google/certificate-transparency-go/x509/pkix" "github.com/transparency-dev/static-ct/internal/testdata" "github.com/transparency-dev/static-ct/internal/x509util" diff --git a/internal/scti/ctlog.go b/internal/scti/ctlog.go index b7dc7c7c..a54c1c61 100644 --- a/internal/scti/ctlog.go +++ b/internal/scti/ctlog.go @@ -4,10 +4,10 @@ import ( "context" "crypto" "crypto/ecdsa" + "crypto/x509" "errors" "fmt" - "github.com/google/certificate-transparency-go/x509" "github.com/transparency-dev/static-ct/internal/types" "github.com/transparency-dev/static-ct/modules/dedup" "github.com/transparency-dev/static-ct/storage" diff --git a/internal/scti/handlers.go b/internal/scti/handlers.go index 63b97c03..4b36c048 100644 --- a/internal/scti/handlers.go +++ b/internal/scti/handlers.go @@ -29,7 +29,7 @@ import ( "time" "github.com/google/certificate-transparency-go/tls" - "github.com/google/certificate-transparency-go/x509" + "crypto/x509" "github.com/prometheus/client_golang/prometheus" "github.com/prometheus/client_golang/prometheus/promauto" "github.com/transparency-dev/static-ct/internal/types" diff --git a/internal/scti/handlers_test.go b/internal/scti/handlers_test.go index 68a6c1f9..a8fed82e 100644 --- a/internal/scti/handlers_test.go +++ b/internal/scti/handlers_test.go @@ -29,8 +29,9 @@ import ( "testing" "time" + "crypto/x509" + "github.com/golang/mock/gomock" - "github.com/google/certificate-transparency-go/x509" "github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp/cmpopts" "github.com/transparency-dev/static-ct/internal/testdata" diff --git a/internal/scti/requestlog.go b/internal/scti/requestlog.go index 1d696115..814aa1a5 100644 --- a/internal/scti/requestlog.go +++ b/internal/scti/requestlog.go @@ -19,7 +19,7 @@ import ( "encoding/hex" "time" - "github.com/google/certificate-transparency-go/x509" + "crypto/x509" "github.com/google/certificate-transparency-go/x509util" "k8s.io/klog/v2" ) diff --git a/internal/scti/signatures.go b/internal/scti/signatures.go index d9b78948..80a8e53d 100644 --- a/internal/scti/signatures.go +++ b/internal/scti/signatures.go @@ -23,7 +23,7 @@ import ( "time" "github.com/google/certificate-transparency-go/tls" - "github.com/google/certificate-transparency-go/x509" + "crypto/x509" tfl "github.com/transparency-dev/formats/log" "github.com/transparency-dev/static-ct/internal/types" "golang.org/x/mod/sumdb/note" diff --git a/internal/scti/signatures_test.go b/internal/scti/signatures_test.go index 7e37d6d1..e1cb0b91 100644 --- a/internal/scti/signatures_test.go +++ b/internal/scti/signatures_test.go @@ -23,8 +23,9 @@ import ( "testing" "time" + "crypto/x509" + "github.com/google/certificate-transparency-go/tls" - "github.com/google/certificate-transparency-go/x509" "github.com/kylelemons/godebug/pretty" "github.com/transparency-dev/static-ct/internal/testdata" "github.com/transparency-dev/static-ct/internal/types" diff --git a/mockstorage/mock_ct_storage.go b/mockstorage/mock_ct_storage.go index 14b0ad1d..adbbc0ac 100644 --- a/mockstorage/mock_ct_storage.go +++ b/mockstorage/mock_ct_storage.go @@ -9,7 +9,7 @@ import ( reflect "reflect" gomock "github.com/golang/mock/gomock" - x509 "github.com/google/certificate-transparency-go/x509" + x509 "crypto/x509" dedup "github.com/transparency-dev/static-ct/modules/dedup" tessera "github.com/transparency-dev/trillian-tessera" ctonly "github.com/transparency-dev/trillian-tessera/ctonly" diff --git a/storage/storage.go b/storage/storage.go index a36f6fbe..076b4e8d 100644 --- a/storage/storage.go +++ b/storage/storage.go @@ -17,11 +17,11 @@ package storage import ( "context" "crypto/sha256" + "crypto/x509" "encoding/hex" "fmt" "sync" - "github.com/google/certificate-transparency-go/x509" "github.com/transparency-dev/static-ct/modules/dedup" tessera "github.com/transparency-dev/trillian-tessera" "github.com/transparency-dev/trillian-tessera/ctonly" From 1d04c470d306752616ac6821cf50583f36c3efcc Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Tue, 4 Feb 2025 17:39:57 +0000 Subject: [PATCH 03/39] reshuffle imports # Conflicts: # internal/scti/signatures_test.go # Conflicts: # internal/scti/storage.go # Conflicts: # ctlog.go # Conflicts: # internal/scti/chain_validation.go # internal/scti/chain_validation_test.go # internal/scti/handlers_test.go # internal/scti/signatures_test.go # Conflicts: # ctlog.go # Conflicts: # internal/scti/chain_validation_test.go --- ctlog.go | 3 +-- internal/scti/chain_validation.go | 7 +------ internal/scti/chain_validation_test.go | 3 +-- internal/scti/handlers.go | 2 +- internal/scti/handlers_test.go | 3 +-- internal/scti/requestlog.go | 2 +- internal/scti/signatures.go | 2 +- internal/scti/signatures_test.go | 3 +-- mockstorage/mock_ct_storage.go | 2 +- 9 files changed, 9 insertions(+), 18 deletions(-) diff --git a/ctlog.go b/ctlog.go index 04bc48be..b4f81c22 100644 --- a/ctlog.go +++ b/ctlog.go @@ -17,14 +17,13 @@ package sctfe import ( "context" "crypto" + "crypto/x509" "errors" "fmt" "net/http" "strings" "time" - "crypto/x509" - "github.com/google/certificate-transparency-go/asn1" "github.com/transparency-dev/static-ct/internal/scti" "github.com/transparency-dev/static-ct/internal/x509util" diff --git a/internal/scti/chain_validation.go b/internal/scti/chain_validation.go index 49a7db9c..a4757c9d 100644 --- a/internal/scti/chain_validation.go +++ b/internal/scti/chain_validation.go @@ -16,6 +16,7 @@ package scti import ( "bytes" + "crypto/x509" "errors" "fmt" "strconv" @@ -23,13 +24,7 @@ import ( "time" "github.com/google/certificate-transparency-go/asn1" -<<<<<<< HEAD - "github.com/google/certificate-transparency-go/x509" "github.com/transparency-dev/static-ct/internal/x509util" -======= - "crypto/x509" - "github.com/google/certificate-transparency-go/x509util" ->>>>>>> eaf33bf (sed ctgo/x509 - crypto/x509) "k8s.io/klog/v2" ) diff --git a/internal/scti/chain_validation_test.go b/internal/scti/chain_validation_test.go index 9bd4916c..977907cb 100644 --- a/internal/scti/chain_validation_test.go +++ b/internal/scti/chain_validation_test.go @@ -15,13 +15,12 @@ package scti import ( + "crypto/x509" "encoding/pem" "strings" "testing" "time" - "crypto/x509" - "github.com/google/certificate-transparency-go/asn1" "github.com/google/certificate-transparency-go/x509/pkix" "github.com/transparency-dev/static-ct/internal/testdata" diff --git a/internal/scti/handlers.go b/internal/scti/handlers.go index 4b36c048..4f2cb22a 100644 --- a/internal/scti/handlers.go +++ b/internal/scti/handlers.go @@ -17,6 +17,7 @@ package scti import ( "context" "crypto/sha256" + "crypto/x509" "encoding/base64" "encoding/json" "errors" @@ -29,7 +30,6 @@ import ( "time" "github.com/google/certificate-transparency-go/tls" - "crypto/x509" "github.com/prometheus/client_golang/prometheus" "github.com/prometheus/client_golang/prometheus/promauto" "github.com/transparency-dev/static-ct/internal/types" diff --git a/internal/scti/handlers_test.go b/internal/scti/handlers_test.go index a8fed82e..3d98f61f 100644 --- a/internal/scti/handlers_test.go +++ b/internal/scti/handlers_test.go @@ -19,6 +19,7 @@ import ( "bytes" "context" "crypto" + "crypto/x509" "encoding/hex" "encoding/json" "fmt" @@ -29,8 +30,6 @@ import ( "testing" "time" - "crypto/x509" - "github.com/golang/mock/gomock" "github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp/cmpopts" diff --git a/internal/scti/requestlog.go b/internal/scti/requestlog.go index 814aa1a5..a44dc7f2 100644 --- a/internal/scti/requestlog.go +++ b/internal/scti/requestlog.go @@ -16,10 +16,10 @@ package scti import ( "context" + "crypto/x509" "encoding/hex" "time" - "crypto/x509" "github.com/google/certificate-transparency-go/x509util" "k8s.io/klog/v2" ) diff --git a/internal/scti/signatures.go b/internal/scti/signatures.go index 80a8e53d..736c12c5 100644 --- a/internal/scti/signatures.go +++ b/internal/scti/signatures.go @@ -18,12 +18,12 @@ import ( "crypto" "crypto/rand" "crypto/sha256" + "crypto/x509" "encoding/binary" "fmt" "time" "github.com/google/certificate-transparency-go/tls" - "crypto/x509" tfl "github.com/transparency-dev/formats/log" "github.com/transparency-dev/static-ct/internal/types" "golang.org/x/mod/sumdb/note" diff --git a/internal/scti/signatures_test.go b/internal/scti/signatures_test.go index e1cb0b91..be633ef0 100644 --- a/internal/scti/signatures_test.go +++ b/internal/scti/signatures_test.go @@ -18,13 +18,12 @@ import ( "bytes" "crypto" "crypto/sha256" + "crypto/x509" "encoding/hex" "encoding/pem" "testing" "time" - "crypto/x509" - "github.com/google/certificate-transparency-go/tls" "github.com/kylelemons/godebug/pretty" "github.com/transparency-dev/static-ct/internal/testdata" diff --git a/mockstorage/mock_ct_storage.go b/mockstorage/mock_ct_storage.go index adbbc0ac..b336b4a5 100644 --- a/mockstorage/mock_ct_storage.go +++ b/mockstorage/mock_ct_storage.go @@ -7,9 +7,9 @@ package mockstorage import ( context "context" reflect "reflect" + x509 "crypto/x509" gomock "github.com/golang/mock/gomock" - x509 "crypto/x509" dedup "github.com/transparency-dev/static-ct/modules/dedup" tessera "github.com/transparency-dev/trillian-tessera" ctonly "github.com/transparency-dev/trillian-tessera/ctonly" From 670089d004afee0ef056166659e0062a0acc2389 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Tue, 4 Feb 2025 16:56:46 +0000 Subject: [PATCH 04/39] fix requestLog: implements stringer # Conflicts: # internal/scti/requestlog.go --- internal/scti/requestlog.go | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/internal/scti/requestlog.go b/internal/scti/requestlog.go index a44dc7f2..291e5f9e 100644 --- a/internal/scti/requestlog.go +++ b/internal/scti/requestlog.go @@ -20,7 +20,6 @@ import ( "encoding/hex" "time" - "github.com/google/certificate-transparency-go/x509util" "k8s.io/klog/v2" ) @@ -86,8 +85,8 @@ func (dlr *DefaultRequestLog) addDERToChain(_ context.Context, d []byte) { // certificate that is part of a submitted chain. func (dlr *DefaultRequestLog) addCertToChain(_ context.Context, cert *x509.Certificate) { klog.V(vLevel).Infof("RL: Cert: Sub: %s Iss: %s notBef: %s notAft: %s", - x509util.NameToString(cert.Subject), - x509util.NameToString(cert.Issuer), + cert.Subject, + cert.Issuer, cert.NotBefore.Format(time.RFC1123Z), cert.NotAfter.Format(time.RFC1123Z)) } From e5c592599dc9b09db8585b39b69c036c72e06527 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Tue, 4 Feb 2025 17:32:10 +0000 Subject: [PATCH 05/39] move pem_cert_pool to x509 package --- internal/x509util/pem_cert_pool.go | 2 +- internal/x509util/pem_cert_pool_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/x509util/pem_cert_pool.go b/internal/x509util/pem_cert_pool.go index e419659f..3c629847 100644 --- a/internal/x509util/pem_cert_pool.go +++ b/internal/x509util/pem_cert_pool.go @@ -16,12 +16,12 @@ package x509util import ( "crypto/sha256" + "crypto/x509" "encoding/pem" "errors" "fmt" "os" - "github.com/google/certificate-transparency-go/x509" "k8s.io/klog/v2" ) diff --git a/internal/x509util/pem_cert_pool_test.go b/internal/x509util/pem_cert_pool_test.go index b630e083..880adbaa 100644 --- a/internal/x509util/pem_cert_pool_test.go +++ b/internal/x509util/pem_cert_pool_test.go @@ -15,10 +15,10 @@ package x509util_test import ( + "crypto/x509" "encoding/pem" "testing" - "github.com/google/certificate-transparency-go/x509" "github.com/transparency-dev/static-ct/internal/x509util" ) From 27d8bcadbe7841a5f2acefa37da79b7a146644d2 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Tue, 4 Feb 2025 17:44:49 +0000 Subject: [PATCH 06/39] fix a bunch of things # Conflicts: # ctlog.go # Conflicts: # ctlog.go # Conflicts: # internal/scti/chain_validation_test.go --- ctlog.go | 2 +- internal/scti/chain_validation.go | 5 +++-- internal/scti/chain_validation_test.go | 11 ++++++----- internal/types/rfc6962.go | 6 +++++- 4 files changed, 15 insertions(+), 9 deletions(-) diff --git a/ctlog.go b/ctlog.go index b4f81c22..7c570212 100644 --- a/ctlog.go +++ b/ctlog.go @@ -18,13 +18,13 @@ import ( "context" "crypto" "crypto/x509" + "encoding/asn1" "errors" "fmt" "net/http" "strings" "time" - "github.com/google/certificate-transparency-go/asn1" "github.com/transparency-dev/static-ct/internal/scti" "github.com/transparency-dev/static-ct/internal/x509util" "github.com/transparency-dev/static-ct/storage" diff --git a/internal/scti/chain_validation.go b/internal/scti/chain_validation.go index a4757c9d..cc15396a 100644 --- a/internal/scti/chain_validation.go +++ b/internal/scti/chain_validation.go @@ -17,13 +17,14 @@ package scti import ( "bytes" "crypto/x509" + "encoding/asn1" "errors" "fmt" "strconv" "strings" "time" - "github.com/google/certificate-transparency-go/asn1" + "github.com/transparency-dev/static-ct/internal/types" "github.com/transparency-dev/static-ct/internal/x509util" "k8s.io/klog/v2" ) @@ -127,7 +128,7 @@ func NewChainValidationOpts(trustedRoots *x509util.PEMCertPool, rejectExpired, r // by the spec. func isPrecertificate(cert *x509.Certificate) (bool, error) { for _, ext := range cert.Extensions { - if x509.OIDExtensionCTPoison.Equal(ext.Id) { + if types.OIDExtensionCTPoison.Equal(ext.Id) { if !ext.Critical || !bytes.Equal(asn1.NullBytes, ext.Value) { return false, fmt.Errorf("CT poison ext is not critical or invalid: %v", ext) } diff --git a/internal/scti/chain_validation_test.go b/internal/scti/chain_validation_test.go index 977907cb..b2183881 100644 --- a/internal/scti/chain_validation_test.go +++ b/internal/scti/chain_validation_test.go @@ -16,14 +16,15 @@ package scti import ( "crypto/x509" + "crypto/x509/pkix" + "encoding/asn1" "encoding/pem" "strings" "testing" "time" - "github.com/google/certificate-transparency-go/asn1" - "github.com/google/certificate-transparency-go/x509/pkix" "github.com/transparency-dev/static-ct/internal/testdata" + "github.com/transparency-dev/static-ct/internal/types" "github.com/transparency-dev/static-ct/internal/x509util" ) @@ -34,13 +35,13 @@ func wipeExtensions(cert *x509.Certificate) *x509.Certificate { func makePoisonNonCritical(cert *x509.Certificate) *x509.Certificate { // Invalid as a pre-cert because poison extension needs to be marked as critical. - cert.Extensions = []pkix.Extension{{Id: x509.OIDExtensionCTPoison, Critical: false, Value: asn1.NullBytes}} + cert.Extensions = []pkix.Extension{{Id: types.OIDExtensionCTPoison, Critical: false, Value: asn1.NullBytes}} return cert } func makePoisonNonNull(cert *x509.Certificate) *x509.Certificate { // Invalid as a pre-cert because poison extension is not ASN.1 NULL value. - cert.Extensions = []pkix.Extension{{Id: x509.OIDExtensionCTPoison, Critical: false, Value: []byte{0x42, 0x42, 0x42}}} + cert.Extensions = []pkix.Extension{{Id: types.OIDExtensionCTPoison, Critical: false, Value: []byte{0x42, 0x42, 0x42}}} return cert } @@ -270,7 +271,7 @@ func TestValidateChain(t *testing.T) { if len(gotPath) != test.wantPathLen { t.Errorf("|ValidateChain()|=%d; want %d", len(gotPath), test.wantPathLen) for _, c := range gotPath { - t.Logf("Subject: %s Issuer: %s", x509util.NameToString(c.Subject), x509util.NameToString(c.Issuer)) + t.Logf("Subject: %s Issuer: %s", c.Subject, c.Issuer) } } }) diff --git a/internal/types/rfc6962.go b/internal/types/rfc6962.go index e89a4229..754c41d3 100644 --- a/internal/types/rfc6962.go +++ b/internal/types/rfc6962.go @@ -2,12 +2,13 @@ package types import ( "crypto/sha256" + "crypto/x509" + "encoding/asn1" "encoding/base64" "encoding/json" "fmt" "github.com/google/certificate-transparency-go/tls" - "github.com/google/certificate-transparency-go/x509" ) /////////////////////////////////////////////////////////////////////////////// @@ -43,6 +44,9 @@ const ( TreeNodePrefix = byte(0x01) ) +// OIDExtensionCTPoison is defined in RFC 6962 s3.1. +var OIDExtensionCTPoison = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3} + // MerkleLeafType represents the MerkleLeafType enum from section 3.4: // // enum { timestamped_entry(0), (255) } MerkleLeafType; From 0c37eef60b3e4faf18c65d515b714e6ca8d5b4c3 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 7 Feb 2025 14:02:46 +0000 Subject: [PATCH 07/39] IN PROGRESS: migrate x509util to standard librairies --- internal/x509util/x509util.go | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/internal/x509util/x509util.go b/internal/x509util/x509util.go index d5f0bf6f..8377e1d0 100644 --- a/internal/x509util/x509util.go +++ b/internal/x509util/x509util.go @@ -19,6 +19,10 @@ package x509util import ( "bytes" "crypto/rsa" + "crypto/tls" + "crypto/x509" + "crypto/x509/pkix" + "encoding/asn1" "encoding/base64" "encoding/hex" "encoding/pem" @@ -27,12 +31,8 @@ import ( "net" "strconv" - ct "github.com/google/certificate-transparency-go" - "github.com/google/certificate-transparency-go/asn1" + types "github.com/google/certificate-transparency-go" "github.com/google/certificate-transparency-go/gossip/minimal/x509ext" - "github.com/google/certificate-transparency-go/tls" - "github.com/google/certificate-transparency-go/x509" - "github.com/google/certificate-transparency-go/x509/pkix" ) // OIDForStandardExtension indicates whether oid identifies a standard extension. @@ -667,7 +667,7 @@ func showCTSCT(result *bytes.Buffer, cert *x509.Certificate) { showCritical(result, critical) for i, sctData := range cert.SCTList.SCTList { result.WriteString(fmt.Sprintf(" SCT [%d]:\n", i)) - var sct ct.SignedCertificateTimestamp + var sct types.SignedCertificateTimestamp _, err := tls.Unmarshal(sctData.Val, &sct) if err != nil { appendHexData(result, sctData.Val, 16, " ") @@ -790,8 +790,8 @@ func CertificatesFromPEM(pemBytes []byte) ([]*x509.Certificate, error) { } // ParseSCTsFromSCTList parses each of the SCTs contained within an SCT list. -func ParseSCTsFromSCTList(sctList *x509.SignedCertificateTimestampList) ([]*ct.SignedCertificateTimestamp, error) { - var scts []*ct.SignedCertificateTimestamp +func ParseSCTsFromSCTList(sctList *x509.SignedCertificateTimestampList) ([]*types.SignedCertificateTimestamp, error) { + var scts []*types.SignedCertificateTimestamp for i, data := range sctList.SCTList { sct, err := ExtractSCT(&data) if err != nil { @@ -803,11 +803,11 @@ func ParseSCTsFromSCTList(sctList *x509.SignedCertificateTimestampList) ([]*ct.S } // ExtractSCT deserializes an SCT from a TLS-encoded SCT. -func ExtractSCT(sctData *x509.SerializedSCT) (*ct.SignedCertificateTimestamp, error) { +func ExtractSCT(sctData *x509.SerializedSCT) (*types.SignedCertificateTimestamp, error) { if sctData == nil { return nil, errors.New("SCT is nil") } - var sct ct.SignedCertificateTimestamp + var sct types.SignedCertificateTimestamp if rest, err := tls.Unmarshal(sctData.Val, &sct); err != nil { return nil, fmt.Errorf("error parsing SCT: %s", err) } else if len(rest) > 0 { @@ -817,7 +817,7 @@ func ExtractSCT(sctData *x509.SerializedSCT) (*ct.SignedCertificateTimestamp, er } // MarshalSCTsIntoSCTList serializes SCTs into SCT list. -func MarshalSCTsIntoSCTList(scts []*ct.SignedCertificateTimestamp) (*x509.SignedCertificateTimestampList, error) { +func MarshalSCTsIntoSCTList(scts []*types.SignedCertificateTimestamp) (*x509.SignedCertificateTimestampList, error) { var sctList x509.SignedCertificateTimestampList sctList.SCTList = []x509.SerializedSCT{} for i, sct := range scts { @@ -840,7 +840,7 @@ var pemCertificatePrefix = []byte("-----BEGIN CERTIFICATE") // certificate provided. The certificate bytes provided can be either DER or // PEM, provided the PEM data starts with the PEM block marker (i.e. has no // leading text). -func ParseSCTsFromCertificate(certBytes []byte) ([]*ct.SignedCertificateTimestamp, error) { +func ParseSCTsFromCertificate(certBytes []byte) ([]*types.SignedCertificateTimestamp, error) { var cert *x509.Certificate var err error if bytes.HasPrefix(certBytes, pemCertificatePrefix) { From d9886f9743b4414230587c0c70ed9692688e0992 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 7 Feb 2025 15:34:12 +0000 Subject: [PATCH 08/39] drop dep on c-t-go/x509 in x509util and delete print funcs # Conflicts: # internal/x509util/x509util.go --- internal/scti/chain_validation_test.go | 3 +- internal/x509util/pem_cert_pool.go | 2 +- internal/x509util/pem_cert_pool_test.go | 2 +- internal/x509util/x509util.go | 816 ------------------------ 4 files changed, 4 insertions(+), 819 deletions(-) diff --git a/internal/scti/chain_validation_test.go b/internal/scti/chain_validation_test.go index b2183881..8807571d 100644 --- a/internal/scti/chain_validation_test.go +++ b/internal/scti/chain_validation_test.go @@ -15,6 +15,7 @@ package scti import ( + "crypto/md5" "crypto/x509" "crypto/x509/pkix" "encoding/asn1" @@ -547,7 +548,7 @@ func TestPreIssuedCert(t *testing.T) { t.Fatalf("failed to ValidateChain: %v", err) } for i, c := range chain { - t.Logf("chain[%d] = \n%s", i, x509util.CertificateToString(c)) + t.Logf("chain[%d] = \n%s", i, md5.Sum(c.Raw)) } }) } diff --git a/internal/x509util/pem_cert_pool.go b/internal/x509util/pem_cert_pool.go index 3c629847..dcaf3256 100644 --- a/internal/x509util/pem_cert_pool.go +++ b/internal/x509util/pem_cert_pool.go @@ -79,7 +79,7 @@ func (p *PEMCertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool) { } cert, err := x509.ParseCertificate(block.Bytes) - if x509.IsFatal(err) { + if err != nil { klog.Warningf("error parsing PEM certificate: %v", err) return false } diff --git a/internal/x509util/pem_cert_pool_test.go b/internal/x509util/pem_cert_pool_test.go index 880adbaa..3dbd809d 100644 --- a/internal/x509util/pem_cert_pool_test.go +++ b/internal/x509util/pem_cert_pool_test.go @@ -102,7 +102,7 @@ func parsePEM(t *testing.T, pemCert string) *x509.Certificate { } cert, err := x509.ParseCertificate(block.Bytes) - if x509.IsFatal(err) { + if err != nil { t.Fatalf("Failed to parse PEM certificate: %v", err) } return cert diff --git a/internal/x509util/x509util.go b/internal/x509util/x509util.go index 8377e1d0..968e3ed6 100644 --- a/internal/x509util/x509util.go +++ b/internal/x509util/x509util.go @@ -17,739 +17,11 @@ package x509util import ( - "bytes" - "crypto/rsa" - "crypto/tls" "crypto/x509" - "crypto/x509/pkix" - "encoding/asn1" - "encoding/base64" - "encoding/hex" "encoding/pem" "errors" - "fmt" - "net" - "strconv" - - types "github.com/google/certificate-transparency-go" - "github.com/google/certificate-transparency-go/gossip/minimal/x509ext" ) -// OIDForStandardExtension indicates whether oid identifies a standard extension. -// Standard extensions are listed in RFC 5280 (and other RFCs). -func OIDForStandardExtension(oid asn1.ObjectIdentifier) bool { - if oid.Equal(x509.OIDExtensionSubjectKeyId) || - oid.Equal(x509.OIDExtensionKeyUsage) || - oid.Equal(x509.OIDExtensionExtendedKeyUsage) || - oid.Equal(x509.OIDExtensionAuthorityKeyId) || - oid.Equal(x509.OIDExtensionBasicConstraints) || - oid.Equal(x509.OIDExtensionSubjectAltName) || - oid.Equal(x509.OIDExtensionCertificatePolicies) || - oid.Equal(x509.OIDExtensionNameConstraints) || - oid.Equal(x509.OIDExtensionCRLDistributionPoints) || - oid.Equal(x509.OIDExtensionIssuerAltName) || - oid.Equal(x509.OIDExtensionSubjectDirectoryAttributes) || - oid.Equal(x509.OIDExtensionInhibitAnyPolicy) || - oid.Equal(x509.OIDExtensionPolicyConstraints) || - oid.Equal(x509.OIDExtensionPolicyMappings) || - oid.Equal(x509.OIDExtensionFreshestCRL) || - oid.Equal(x509.OIDExtensionSubjectInfoAccess) || - oid.Equal(x509.OIDExtensionAuthorityInfoAccess) || - oid.Equal(x509.OIDExtensionIPPrefixList) || - oid.Equal(x509.OIDExtensionASList) || - oid.Equal(x509.OIDExtensionCTPoison) || - oid.Equal(x509.OIDExtensionCTSCT) { - return true - } - return false -} - -// OIDInExtensions checks whether the extension identified by oid is present in extensions -// and returns how many times it occurs together with an indication of whether any of them -// are marked critical. -func OIDInExtensions(oid asn1.ObjectIdentifier, extensions []pkix.Extension) (int, bool) { - count := 0 - critical := false - for _, ext := range extensions { - if ext.Id.Equal(oid) { - count++ - if ext.Critical { - critical = true - } - } - } - return count, critical -} - -// String formatting for various X.509/ASN.1 types -func bitStringToString(b asn1.BitString) string { // nolint:deadcode,unused - result := hex.EncodeToString(b.Bytes) - bitsLeft := b.BitLength % 8 - if bitsLeft != 0 { - result += " (" + strconv.Itoa(8-bitsLeft) + " unused bits)" - } - return result -} - -func publicKeyAlgorithmToString(algo x509.PublicKeyAlgorithm) string { - // Use OpenSSL-compatible strings for the algorithms. - switch algo { - case x509.RSA: - return "rsaEncryption" - case x509.ECDSA: - return "id-ecPublicKey" - default: - return strconv.Itoa(int(algo)) - } -} - -// appendHexData adds a hex dump of binary data to buf, with line breaks -// after each set of count bytes, and with each new line prefixed with the -// given prefix. -func appendHexData(buf *bytes.Buffer, data []byte, count int, prefix string) { - for ii, b := range data { - if ii%count == 0 { - if ii > 0 { - buf.WriteString("\n") - } - buf.WriteString(prefix) - } - buf.WriteString(fmt.Sprintf("%02x:", b)) - } -} - -func publicKeyToString(_ x509.PublicKeyAlgorithm, pub interface{}) string { - var buf bytes.Buffer - switch pub := pub.(type) { - case *rsa.PublicKey: - bitlen := pub.N.BitLen() - buf.WriteString(fmt.Sprintf(" Public Key: (%d bit)\n", bitlen)) - buf.WriteString(" Modulus:\n") - data := pub.N.Bytes() - appendHexData(&buf, data, 15, " ") - buf.WriteString("\n") - buf.WriteString(fmt.Sprintf(" Exponent: %d (0x%x)", pub.E, pub.E)) - default: - buf.WriteString(fmt.Sprintf("%v", pub)) - } - return buf.String() -} - -func commaAppend(buf *bytes.Buffer, s string) { - if buf.Len() > 0 { - buf.WriteString(", ") - } - buf.WriteString(s) -} - -func keyUsageToString(k x509.KeyUsage) string { - var buf bytes.Buffer - if k&x509.KeyUsageDigitalSignature != 0 { - commaAppend(&buf, "Digital Signature") - } - if k&x509.KeyUsageContentCommitment != 0 { - commaAppend(&buf, "Content Commitment") - } - if k&x509.KeyUsageKeyEncipherment != 0 { - commaAppend(&buf, "Key Encipherment") - } - if k&x509.KeyUsageDataEncipherment != 0 { - commaAppend(&buf, "Data Encipherment") - } - if k&x509.KeyUsageKeyAgreement != 0 { - commaAppend(&buf, "Key Agreement") - } - if k&x509.KeyUsageCertSign != 0 { - commaAppend(&buf, "Certificate Signing") - } - if k&x509.KeyUsageCRLSign != 0 { - commaAppend(&buf, "CRL Signing") - } - if k&x509.KeyUsageEncipherOnly != 0 { - commaAppend(&buf, "Encipher Only") - } - if k&x509.KeyUsageDecipherOnly != 0 { - commaAppend(&buf, "Decipher Only") - } - return buf.String() -} - -func extKeyUsageToString(u x509.ExtKeyUsage) string { - switch u { - case x509.ExtKeyUsageAny: - return "Any" - case x509.ExtKeyUsageServerAuth: - return "TLS Web server authentication" - case x509.ExtKeyUsageClientAuth: - return "TLS Web client authentication" - case x509.ExtKeyUsageCodeSigning: - return "Signing of executable code" - case x509.ExtKeyUsageEmailProtection: - return "Email protection" - case x509.ExtKeyUsageIPSECEndSystem: - return "IPSEC end system" - case x509.ExtKeyUsageIPSECTunnel: - return "IPSEC tunnel" - case x509.ExtKeyUsageIPSECUser: - return "IPSEC user" - case x509.ExtKeyUsageTimeStamping: - return "Time stamping" - case x509.ExtKeyUsageOCSPSigning: - return "OCSP signing" - case x509.ExtKeyUsageMicrosoftServerGatedCrypto: - return "Microsoft server gated cryptography" - case x509.ExtKeyUsageNetscapeServerGatedCrypto: - return "Netscape server gated cryptography" - case x509.ExtKeyUsageCertificateTransparency: - return "Certificate transparency" - default: - return "Unknown" - } -} - -func attributeOIDToString(oid asn1.ObjectIdentifier) string { // nolint:deadcode,unused - switch { - case oid.Equal(pkix.OIDCountry): - return "Country" - case oid.Equal(pkix.OIDOrganization): - return "Organization" - case oid.Equal(pkix.OIDOrganizationalUnit): - return "OrganizationalUnit" - case oid.Equal(pkix.OIDCommonName): - return "CommonName" - case oid.Equal(pkix.OIDSerialNumber): - return "SerialNumber" - case oid.Equal(pkix.OIDLocality): - return "Locality" - case oid.Equal(pkix.OIDProvince): - return "Province" - case oid.Equal(pkix.OIDStreetAddress): - return "StreetAddress" - case oid.Equal(pkix.OIDPostalCode): - return "PostalCode" - case oid.Equal(pkix.OIDPseudonym): - return "Pseudonym" - case oid.Equal(pkix.OIDTitle): - return "Title" - case oid.Equal(pkix.OIDDnQualifier): - return "DnQualifier" - case oid.Equal(pkix.OIDName): - return "Name" - case oid.Equal(pkix.OIDSurname): - return "Surname" - case oid.Equal(pkix.OIDGivenName): - return "GivenName" - case oid.Equal(pkix.OIDInitials): - return "Initials" - case oid.Equal(pkix.OIDGenerationQualifier): - return "GenerationQualifier" - default: - return oid.String() - } -} - -// NameToString creates a string description of a pkix.Name object. -func NameToString(name pkix.Name) string { - var result bytes.Buffer - addSingle := func(prefix, item string) { - if len(item) == 0 { - return - } - commaAppend(&result, prefix) - result.WriteString(item) - } - addList := func(prefix string, items []string) { - for _, item := range items { - addSingle(prefix, item) - } - } - addList("C=", name.Country) - addList("O=", name.Organization) - addList("OU=", name.OrganizationalUnit) - addList("L=", name.Locality) - addList("ST=", name.Province) - addList("streetAddress=", name.StreetAddress) - addList("postalCode=", name.PostalCode) - addSingle("serialNumber=", name.SerialNumber) - addSingle("CN=", name.CommonName) - for _, atv := range name.Names { - value, ok := atv.Value.(string) - if !ok { - continue - } - t := atv.Type - // All of the defined attribute OIDs are of the form 2.5.4.N, and OIDAttribute is - // the 2.5.4 prefix ('id-at' in RFC 5280). - if len(t) == 4 && t[0] == pkix.OIDAttribute[0] && t[1] == pkix.OIDAttribute[1] && t[2] == pkix.OIDAttribute[2] { - // OID is 'id-at N', so check the final value to figure out which attribute. - switch t[3] { - case pkix.OIDCommonName[3], pkix.OIDSerialNumber[3], pkix.OIDCountry[3], pkix.OIDLocality[3], pkix.OIDProvince[3], - pkix.OIDStreetAddress[3], pkix.OIDOrganization[3], pkix.OIDOrganizationalUnit[3], pkix.OIDPostalCode[3]: - continue // covered by explicit fields - case pkix.OIDPseudonym[3]: - addSingle("pseudonym=", value) - continue - case pkix.OIDTitle[3]: - addSingle("title=", value) - continue - case pkix.OIDDnQualifier[3]: - addSingle("dnQualifier=", value) - continue - case pkix.OIDName[3]: - addSingle("name=", value) - continue - case pkix.OIDSurname[3]: - addSingle("surname=", value) - continue - case pkix.OIDGivenName[3]: - addSingle("givenName=", value) - continue - case pkix.OIDInitials[3]: - addSingle("initials=", value) - continue - case pkix.OIDGenerationQualifier[3]: - addSingle("generationQualifier=", value) - continue - } - } - addSingle(t.String()+"=", value) - } - return result.String() -} - -// OtherNameToString creates a string description of an x509.OtherName object. -func OtherNameToString(other x509.OtherName) string { - return fmt.Sprintf("%v=%v", other.TypeID, hex.EncodeToString(other.Value.Bytes)) -} - -// GeneralNamesToString creates a string description of an x509.GeneralNames object. -func GeneralNamesToString(gname *x509.GeneralNames) string { - var buf bytes.Buffer - for _, name := range gname.DNSNames { - commaAppend(&buf, "DNS:"+name) - } - for _, email := range gname.EmailAddresses { - commaAppend(&buf, "email:"+email) - } - for _, name := range gname.DirectoryNames { - commaAppend(&buf, "DirName:"+NameToString(name)) - } - for _, uri := range gname.URIs { - commaAppend(&buf, "URI:"+uri) - } - for _, ip := range gname.IPNets { - if ip.Mask == nil { - commaAppend(&buf, "IP Address:"+ip.IP.String()) - } else { - commaAppend(&buf, "IP Address:"+ip.IP.String()+"/"+ip.Mask.String()) - } - } - for _, id := range gname.RegisteredIDs { - commaAppend(&buf, "Registered ID:"+id.String()) - } - for _, other := range gname.OtherNames { - commaAppend(&buf, "othername:"+OtherNameToString(other)) - } - return buf.String() -} - -// CertificateToString generates a string describing the given certificate. -// The output roughly resembles that from openssl x509 -text. -func CertificateToString(cert *x509.Certificate) string { - var result bytes.Buffer - result.WriteString("Certificate:\n") - result.WriteString(" Data:\n") - result.WriteString(fmt.Sprintf(" Version: %d (%#x)\n", cert.Version, cert.Version-1)) - result.WriteString(fmt.Sprintf(" Serial Number: %s (0x%s)\n", cert.SerialNumber.Text(10), cert.SerialNumber.Text(16))) - result.WriteString(fmt.Sprintf(" Signature Algorithm: %v\n", cert.SignatureAlgorithm)) - result.WriteString(fmt.Sprintf(" Issuer: %v\n", NameToString(cert.Issuer))) - result.WriteString(" Validity:\n") - result.WriteString(fmt.Sprintf(" Not Before: %v\n", cert.NotBefore)) - result.WriteString(fmt.Sprintf(" Not After : %v\n", cert.NotAfter)) - result.WriteString(fmt.Sprintf(" Subject: %v\n", NameToString(cert.Subject))) - result.WriteString(" Subject Public Key Info:\n") - result.WriteString(fmt.Sprintf(" Public Key Algorithm: %v\n", publicKeyAlgorithmToString(cert.PublicKeyAlgorithm))) - result.WriteString(fmt.Sprintf("%v\n", publicKeyToString(cert.PublicKeyAlgorithm, cert.PublicKey))) - - if len(cert.Extensions) > 0 { - result.WriteString(" X509v3 extensions:\n") - } - // First display the extensions that are already cracked out - showAuthKeyID(&result, cert) - showSubjectKeyID(&result, cert) - showKeyUsage(&result, cert) - showExtendedKeyUsage(&result, cert) - showBasicConstraints(&result, cert) - showSubjectAltName(&result, cert) - showNameConstraints(&result, cert) - showCertPolicies(&result, cert) - showCRLDPs(&result, cert) - showAuthInfoAccess(&result, cert) - showSubjectInfoAccess(&result, cert) - showRPKIAddressRanges(&result, cert) - showRPKIASIdentifiers(&result, cert) - showCTPoison(&result, cert) - showCTSCT(&result, cert) - showCTLogSTHInfo(&result, cert) - - showUnhandledExtensions(&result, cert) - showSignature(&result, cert) - - return result.String() -} - -func showCritical(result *bytes.Buffer, critical bool) { - if critical { - result.WriteString(" critical") - } - result.WriteString("\n") -} - -func showAuthKeyID(result *bytes.Buffer, cert *x509.Certificate) { - count, critical := OIDInExtensions(x509.OIDExtensionAuthorityKeyId, cert.Extensions) - if count > 0 { - result.WriteString(" X509v3 Authority Key Identifier:") - showCritical(result, critical) - result.WriteString(fmt.Sprintf(" keyid:%v\n", hex.EncodeToString(cert.AuthorityKeyId))) - } -} - -func showSubjectKeyID(result *bytes.Buffer, cert *x509.Certificate) { - count, critical := OIDInExtensions(x509.OIDExtensionSubjectKeyId, cert.Extensions) - if count > 0 { - result.WriteString(" X509v3 Subject Key Identifier:") - showCritical(result, critical) - result.WriteString(fmt.Sprintf(" keyid:%v\n", hex.EncodeToString(cert.SubjectKeyId))) - } -} - -func showKeyUsage(result *bytes.Buffer, cert *x509.Certificate) { - count, critical := OIDInExtensions(x509.OIDExtensionKeyUsage, cert.Extensions) - if count > 0 { - result.WriteString(" X509v3 Key Usage:") - showCritical(result, critical) - result.WriteString(fmt.Sprintf(" %v\n", keyUsageToString(cert.KeyUsage))) - } -} - -func showExtendedKeyUsage(result *bytes.Buffer, cert *x509.Certificate) { - count, critical := OIDInExtensions(x509.OIDExtensionExtendedKeyUsage, cert.Extensions) - if count > 0 { - result.WriteString(" X509v3 Extended Key Usage:") - showCritical(result, critical) - var usages bytes.Buffer - for _, usage := range cert.ExtKeyUsage { - commaAppend(&usages, extKeyUsageToString(usage)) - } - for _, oid := range cert.UnknownExtKeyUsage { - commaAppend(&usages, oid.String()) - } - result.WriteString(fmt.Sprintf(" %v\n", usages.String())) - } -} - -func showBasicConstraints(result *bytes.Buffer, cert *x509.Certificate) { - count, critical := OIDInExtensions(x509.OIDExtensionBasicConstraints, cert.Extensions) - if count > 0 { - result.WriteString(" X509v3 Basic Constraints:") - showCritical(result, critical) - result.WriteString(fmt.Sprintf(" CA:%t", cert.IsCA)) - if cert.MaxPathLen > 0 || cert.MaxPathLenZero { - result.WriteString(fmt.Sprintf(", pathlen:%d", cert.MaxPathLen)) - } - result.WriteString("\n") - } -} - -func showSubjectAltName(result *bytes.Buffer, cert *x509.Certificate) { - count, critical := OIDInExtensions(x509.OIDExtensionSubjectAltName, cert.Extensions) - if count > 0 { - result.WriteString(" X509v3 Subject Alternative Name:") - showCritical(result, critical) - var buf bytes.Buffer - for _, name := range cert.DNSNames { - commaAppend(&buf, "DNS:"+name) - } - for _, email := range cert.EmailAddresses { - commaAppend(&buf, "email:"+email) - } - for _, ip := range cert.IPAddresses { - commaAppend(&buf, "IP Address:"+ip.String()) - } - - result.WriteString(fmt.Sprintf(" %v\n", buf.String())) - // TODO(drysdale): include other name forms - } -} - -func showNameConstraints(result *bytes.Buffer, cert *x509.Certificate) { - count, critical := OIDInExtensions(x509.OIDExtensionNameConstraints, cert.Extensions) - if count > 0 { - result.WriteString(" X509v3 Name Constraints:") - showCritical(result, critical) - if len(cert.PermittedDNSDomains) > 0 { - result.WriteString(" Permitted:\n") - var buf bytes.Buffer - for _, name := range cert.PermittedDNSDomains { - commaAppend(&buf, "DNS:"+name) - } - result.WriteString(fmt.Sprintf(" %v\n", buf.String())) - } - // TODO(drysdale): include other name forms - } - -} - -func showCertPolicies(result *bytes.Buffer, cert *x509.Certificate) { - count, critical := OIDInExtensions(x509.OIDExtensionCertificatePolicies, cert.Extensions) - if count > 0 { - result.WriteString(" X509v3 Certificate Policies:") - showCritical(result, critical) - for _, oid := range cert.PolicyIdentifiers { - result.WriteString(fmt.Sprintf(" Policy: %v\n", oid.String())) - // TODO(drysdale): Display any qualifiers associated with the policy - } - } - -} - -func showCRLDPs(result *bytes.Buffer, cert *x509.Certificate) { - count, critical := OIDInExtensions(x509.OIDExtensionCRLDistributionPoints, cert.Extensions) - if count > 0 { - result.WriteString(" X509v3 CRL Distribution Points:") - showCritical(result, critical) - result.WriteString(" Full Name:\n") - var buf bytes.Buffer - for _, pt := range cert.CRLDistributionPoints { - commaAppend(&buf, "URI:"+pt) - } - result.WriteString(fmt.Sprintf(" %v\n", buf.String())) - // TODO(drysdale): Display other GeneralNames types, plus issuer/reasons/relative-name - } - -} - -func showAuthInfoAccess(result *bytes.Buffer, cert *x509.Certificate) { - count, critical := OIDInExtensions(x509.OIDExtensionAuthorityInfoAccess, cert.Extensions) - if count > 0 { - result.WriteString(" Authority Information Access:") - showCritical(result, critical) - var issuerBuf bytes.Buffer - for _, issuer := range cert.IssuingCertificateURL { - commaAppend(&issuerBuf, "URI:"+issuer) - } - if issuerBuf.Len() > 0 { - result.WriteString(fmt.Sprintf(" CA Issuers - %v\n", issuerBuf.String())) - } - var ocspBuf bytes.Buffer - for _, ocsp := range cert.OCSPServer { - commaAppend(&ocspBuf, "URI:"+ocsp) - } - if ocspBuf.Len() > 0 { - result.WriteString(fmt.Sprintf(" OCSP - %v\n", ocspBuf.String())) - } - // TODO(drysdale): Display other GeneralNames types - } -} - -func showSubjectInfoAccess(result *bytes.Buffer, cert *x509.Certificate) { - count, critical := OIDInExtensions(x509.OIDExtensionSubjectInfoAccess, cert.Extensions) - if count > 0 { - result.WriteString(" Subject Information Access:") - showCritical(result, critical) - var tsBuf bytes.Buffer - for _, ts := range cert.SubjectTimestamps { - commaAppend(&tsBuf, "URI:"+ts) - } - if tsBuf.Len() > 0 { - result.WriteString(fmt.Sprintf(" AD Time Stamping - %v\n", tsBuf.String())) - } - var repoBuf bytes.Buffer - for _, repo := range cert.SubjectCARepositories { - commaAppend(&repoBuf, "URI:"+repo) - } - if repoBuf.Len() > 0 { - result.WriteString(fmt.Sprintf(" CA repository - %v\n", repoBuf.String())) - } - } -} - -func showAddressRange(prefix x509.IPAddressPrefix, afi uint16) string { - switch afi { - case x509.IPv4AddressFamilyIndicator, x509.IPv6AddressFamilyIndicator: - size := 4 - if afi == x509.IPv6AddressFamilyIndicator { - size = 16 - } - ip := make([]byte, size) - copy(ip, prefix.Bytes) - addr := net.IPNet{IP: ip, Mask: net.CIDRMask(prefix.BitLength, 8*size)} - return addr.String() - default: - return fmt.Sprintf("%x/%d", prefix.Bytes, prefix.BitLength) - } - -} - -func showRPKIAddressRanges(result *bytes.Buffer, cert *x509.Certificate) { - count, critical := OIDInExtensions(x509.OIDExtensionIPPrefixList, cert.Extensions) - if count > 0 { - result.WriteString(" sbgp-ipAddrBlock:") - showCritical(result, critical) - for _, blocks := range cert.RPKIAddressRanges { - afi := blocks.AFI - switch afi { - case x509.IPv4AddressFamilyIndicator: - result.WriteString(" IPv4") - case x509.IPv6AddressFamilyIndicator: - result.WriteString(" IPv6") - default: - result.WriteString(fmt.Sprintf(" %d", afi)) - } - if blocks.SAFI != 0 { - result.WriteString(fmt.Sprintf(" SAFI=%d", blocks.SAFI)) - } - result.WriteString(":") - if blocks.InheritFromIssuer { - result.WriteString(" inherit\n") - continue - } - result.WriteString("\n") - for _, prefix := range blocks.AddressPrefixes { - result.WriteString(fmt.Sprintf(" %s\n", showAddressRange(prefix, afi))) - } - for _, ipRange := range blocks.AddressRanges { - result.WriteString(fmt.Sprintf(" [%s, %s]\n", showAddressRange(ipRange.Min, afi), showAddressRange(ipRange.Max, afi))) - } - } - } -} - -func showASIDs(result *bytes.Buffer, asids *x509.ASIdentifiers, label string) { - if asids == nil { - return - } - result.WriteString(fmt.Sprintf(" %s:\n", label)) - if asids.InheritFromIssuer { - result.WriteString(" inherit\n") - return - } - for _, id := range asids.ASIDs { - result.WriteString(fmt.Sprintf(" %d\n", id)) - } - for _, idRange := range asids.ASIDRanges { - result.WriteString(fmt.Sprintf(" %d-%d\n", idRange.Min, idRange.Max)) - } -} - -func showRPKIASIdentifiers(result *bytes.Buffer, cert *x509.Certificate) { - count, critical := OIDInExtensions(x509.OIDExtensionASList, cert.Extensions) - if count > 0 { - result.WriteString(" sbgp-autonomousSysNum:") - showCritical(result, critical) - showASIDs(result, cert.RPKIASNumbers, "Autonomous System Numbers") - showASIDs(result, cert.RPKIRoutingDomainIDs, "Routing Domain Identifiers") - } -} -func showCTPoison(result *bytes.Buffer, cert *x509.Certificate) { - count, critical := OIDInExtensions(x509.OIDExtensionCTPoison, cert.Extensions) - if count > 0 { - result.WriteString(" RFC6962 Pre-Certificate Poison:") - showCritical(result, critical) - result.WriteString(" .....\n") - } -} - -func showCTSCT(result *bytes.Buffer, cert *x509.Certificate) { - count, critical := OIDInExtensions(x509.OIDExtensionCTSCT, cert.Extensions) - if count > 0 { - result.WriteString(" RFC6962 Certificate Transparency SCT:") - showCritical(result, critical) - for i, sctData := range cert.SCTList.SCTList { - result.WriteString(fmt.Sprintf(" SCT [%d]:\n", i)) - var sct types.SignedCertificateTimestamp - _, err := tls.Unmarshal(sctData.Val, &sct) - if err != nil { - appendHexData(result, sctData.Val, 16, " ") - result.WriteString("\n") - continue - } - result.WriteString(fmt.Sprintf(" Version: %d\n", sct.SCTVersion)) - result.WriteString(fmt.Sprintf(" LogID: %s\n", base64.StdEncoding.EncodeToString(sct.LogID.KeyID[:]))) - result.WriteString(fmt.Sprintf(" Timestamp: %d\n", sct.Timestamp)) - result.WriteString(fmt.Sprintf(" Signature: %s\n", sct.Signature.Algorithm)) - result.WriteString(" Signature:\n") - appendHexData(result, sct.Signature.Signature, 16, " ") - result.WriteString("\n") - } - } -} - -func showCTLogSTHInfo(result *bytes.Buffer, cert *x509.Certificate) { - count, critical := OIDInExtensions(x509ext.OIDExtensionCTSTH, cert.Extensions) - if count > 0 { - result.WriteString(" Certificate Transparency STH:") - showCritical(result, critical) - sthInfo, err := x509ext.LogSTHInfoFromCert(cert) - if err != nil { - result.WriteString(" Failed to decode STH:\n") - return - } - result.WriteString(fmt.Sprintf(" LogURL: %s\n", string(sthInfo.LogURL))) - result.WriteString(fmt.Sprintf(" Version: %d\n", sthInfo.Version)) - result.WriteString(fmt.Sprintf(" TreeSize: %d\n", sthInfo.TreeSize)) - result.WriteString(fmt.Sprintf(" Timestamp: %d\n", sthInfo.Timestamp)) - result.WriteString(" RootHash:\n") - appendHexData(result, sthInfo.SHA256RootHash[:], 16, " ") - result.WriteString("\n") - result.WriteString(fmt.Sprintf(" TreeHeadSignature: %s\n", sthInfo.TreeHeadSignature.Algorithm)) - appendHexData(result, sthInfo.TreeHeadSignature.Signature, 16, " ") - result.WriteString("\n") - } -} - -func showUnhandledExtensions(result *bytes.Buffer, cert *x509.Certificate) { - for _, ext := range cert.Extensions { - // Skip extensions that are already cracked out - if oidAlreadyPrinted(ext.Id) { - continue - } - result.WriteString(fmt.Sprintf(" %v:", ext.Id)) - showCritical(result, ext.Critical) - appendHexData(result, ext.Value, 16, " ") - result.WriteString("\n") - } -} - -func showSignature(result *bytes.Buffer, cert *x509.Certificate) { - result.WriteString(fmt.Sprintf(" Signature Algorithm: %v\n", cert.SignatureAlgorithm)) - appendHexData(result, cert.Signature, 18, " ") - result.WriteString("\n") -} - -// TODO(drysdale): remove this once all standard OIDs are parsed and printed. -func oidAlreadyPrinted(oid asn1.ObjectIdentifier) bool { - if oid.Equal(x509.OIDExtensionSubjectKeyId) || - oid.Equal(x509.OIDExtensionKeyUsage) || - oid.Equal(x509.OIDExtensionExtendedKeyUsage) || - oid.Equal(x509.OIDExtensionAuthorityKeyId) || - oid.Equal(x509.OIDExtensionBasicConstraints) || - oid.Equal(x509.OIDExtensionSubjectAltName) || - oid.Equal(x509.OIDExtensionCertificatePolicies) || - oid.Equal(x509.OIDExtensionNameConstraints) || - oid.Equal(x509.OIDExtensionCRLDistributionPoints) || - oid.Equal(x509.OIDExtensionAuthorityInfoAccess) || - oid.Equal(x509.OIDExtensionSubjectInfoAccess) || - oid.Equal(x509.OIDExtensionIPPrefixList) || - oid.Equal(x509.OIDExtensionASList) || - oid.Equal(x509.OIDExtensionCTPoison) || - oid.Equal(x509.OIDExtensionCTSCT) || - oid.Equal(x509ext.OIDExtensionCTSTH) { - return true - } - return false -} - // CertificateFromPEM takes a certificate in PEM format and returns the // corresponding x509.Certificate object. func CertificateFromPEM(pemBytes []byte) (*x509.Certificate, error) { @@ -765,91 +37,3 @@ func CertificateFromPEM(pemBytes []byte) (*x509.Certificate, error) { } return x509.ParseCertificate(block.Bytes) } - -// CertificatesFromPEM parses one or more certificates from the given PEM data. -// The PEM certificates must be concatenated. This function can be used for -// parsing PEM-formatted certificate chains, but does not verify that the -// resulting chain is a valid certificate chain. -func CertificatesFromPEM(pemBytes []byte) ([]*x509.Certificate, error) { - var chain []*x509.Certificate - for { - var block *pem.Block - block, pemBytes = pem.Decode(pemBytes) - if block == nil { - return chain, nil - } - if block.Type != "CERTIFICATE" { - return nil, fmt.Errorf("PEM block is not a CERTIFICATE") - } - cert, err := x509.ParseCertificate(block.Bytes) - if err != nil { - return nil, errors.New("failed to parse certificate") - } - chain = append(chain, cert) - } -} - -// ParseSCTsFromSCTList parses each of the SCTs contained within an SCT list. -func ParseSCTsFromSCTList(sctList *x509.SignedCertificateTimestampList) ([]*types.SignedCertificateTimestamp, error) { - var scts []*types.SignedCertificateTimestamp - for i, data := range sctList.SCTList { - sct, err := ExtractSCT(&data) - if err != nil { - return nil, fmt.Errorf("error extracting SCT number %d: %s", i, err) - } - scts = append(scts, sct) - } - return scts, nil -} - -// ExtractSCT deserializes an SCT from a TLS-encoded SCT. -func ExtractSCT(sctData *x509.SerializedSCT) (*types.SignedCertificateTimestamp, error) { - if sctData == nil { - return nil, errors.New("SCT is nil") - } - var sct types.SignedCertificateTimestamp - if rest, err := tls.Unmarshal(sctData.Val, &sct); err != nil { - return nil, fmt.Errorf("error parsing SCT: %s", err) - } else if len(rest) > 0 { - return nil, fmt.Errorf("extra data (%d bytes) after serialized SCT", len(rest)) - } - return &sct, nil -} - -// MarshalSCTsIntoSCTList serializes SCTs into SCT list. -func MarshalSCTsIntoSCTList(scts []*types.SignedCertificateTimestamp) (*x509.SignedCertificateTimestampList, error) { - var sctList x509.SignedCertificateTimestampList - sctList.SCTList = []x509.SerializedSCT{} - for i, sct := range scts { - if sct == nil { - return nil, fmt.Errorf("SCT number %d is nil", i) - } - encd, err := tls.Marshal(*sct) - if err != nil { - return nil, fmt.Errorf("error serializing SCT number %d: %s", i, err) - } - sctData := x509.SerializedSCT{Val: encd} - sctList.SCTList = append(sctList.SCTList, sctData) - } - return &sctList, nil -} - -var pemCertificatePrefix = []byte("-----BEGIN CERTIFICATE") - -// ParseSCTsFromCertificate parses any SCTs that are embedded in the -// certificate provided. The certificate bytes provided can be either DER or -// PEM, provided the PEM data starts with the PEM block marker (i.e. has no -// leading text). -func ParseSCTsFromCertificate(certBytes []byte) ([]*types.SignedCertificateTimestamp, error) { - var cert *x509.Certificate - var err error - if bytes.HasPrefix(certBytes, pemCertificatePrefix) { - cert, err = CertificateFromPEM(certBytes) - } else { - cert, err = x509.ParseCertificate(certBytes) - } - if err != nil { - return nil, fmt.Errorf("failed to parse certificate: %s", err) - } - return ParseSCTsFromSCTList(&cert.SCTList) -} From b1e738d07cf4890dec901b3bb31f4b259150c4eb Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 7 Feb 2025 15:39:41 +0000 Subject: [PATCH 09/39] remove last IsFatal --- internal/scti/chain_validation.go | 4 ++-- internal/scti/chain_validation_test.go | 4 ++-- internal/scti/signatures_test.go | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/internal/scti/chain_validation.go b/internal/scti/chain_validation.go index cc15396a..d46365e5 100644 --- a/internal/scti/chain_validation.go +++ b/internal/scti/chain_validation.go @@ -153,8 +153,8 @@ func validateChain(rawChain [][]byte, validationOpts ChainValidationOpts) ([]*x5 for i, certBytes := range rawChain { cert, err := x509.ParseCertificate(certBytes) - if x509.IsFatal(err) { - return nil, err + if err != nil { + return nil, fmt.Errorf("x509.ParseCertificate(): %v") } chain = append(chain, cert) diff --git a/internal/scti/chain_validation_test.go b/internal/scti/chain_validation_test.go index 8807571d..4ec4e632 100644 --- a/internal/scti/chain_validation_test.go +++ b/internal/scti/chain_validation_test.go @@ -476,8 +476,8 @@ func pemToCert(t *testing.T, pemData string) *x509.Certificate { } cert, err := x509.ParseCertificate(bytes.Bytes) - if x509.IsFatal(err) { - t.Fatal(err) + if err != nil { + t.Fatalf("x509.ParseCertificate(): %v") } return cert diff --git a/internal/scti/signatures_test.go b/internal/scti/signatures_test.go index be633ef0..f4feb8e8 100644 --- a/internal/scti/signatures_test.go +++ b/internal/scti/signatures_test.go @@ -245,7 +245,7 @@ func TestSerializeV1STHSignatureKAT(t *testing.T) { func TestBuildV1MerkleTreeLeafForCert(t *testing.T) { cert, err := x509util.CertificateFromPEM([]byte(testdata.LeafSignedByFakeIntermediateCertPEM)) - if x509.IsFatal(err) { + if err != nil { t.Fatalf("failed to set up test cert: %v", err) } @@ -308,7 +308,7 @@ func TestBuildV1MerkleTreeLeafForCert(t *testing.T) { func TestSignV1SCTForPrecertificate(t *testing.T) { cert, err := x509util.CertificateFromPEM([]byte(testdata.PrecertPEMValid)) - if x509.IsFatal(err) { + if err != nil { t.Fatalf("failed to set up test precert: %v", err) } From 1d23e13a6face908951588a98e03f528ccfd8dc8 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 7 Feb 2025 17:24:30 +0000 Subject: [PATCH 10/39] inline isPreIssuer check --- internal/scti/handlers.go | 7 +++---- internal/types/rfc6962.go | 1 + 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/internal/scti/handlers.go b/internal/scti/handlers.go index 4f2cb22a..e9b80fdd 100644 --- a/internal/scti/handlers.go +++ b/internal/scti/handlers.go @@ -509,10 +509,9 @@ func entryFromChain(chain []*x509.Certificate, isPrecert bool, timestamp uint64) // isPreIssuer indicates whether a certificate is a pre-cert issuer with the specific // certificate transparency extended key usage. -// copied form certificate-transparency-go/serialization.go -func isPreIssuer(issuer *x509.Certificate) bool { - for _, eku := range issuer.ExtKeyUsage { - if eku == x509.ExtKeyUsageCertificateTransparency { +func isPreIssuer(cert *x509.Certificate) bool { + for _, ext := range cert.Extensions { + if types.OIDExtKeyUsageCertificateTransparency.Equal(ext.Id) { return true } } diff --git a/internal/types/rfc6962.go b/internal/types/rfc6962.go index 754c41d3..3572b3b1 100644 --- a/internal/types/rfc6962.go +++ b/internal/types/rfc6962.go @@ -46,6 +46,7 @@ const ( // OIDExtensionCTPoison is defined in RFC 6962 s3.1. var OIDExtensionCTPoison = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3} +var OIDExtKeyUsageCertificateTransparency = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 4} // MerkleLeafType represents the MerkleLeafType enum from section 3.4: // From 65095f4a2ac0ae9c71c9cd080772410bf25e520d Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 7 Feb 2025 18:09:55 +0000 Subject: [PATCH 11/39] remove unused PreCertificate method --- internal/types/rfc6962.go | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/internal/types/rfc6962.go b/internal/types/rfc6962.go index 3572b3b1..e86d0157 100644 --- a/internal/types/rfc6962.go +++ b/internal/types/rfc6962.go @@ -403,19 +403,6 @@ func (m *MerkleTreeLeaf) X509Certificate() (*x509.Certificate, error) { return x509.ParseCertificate(m.TimestampedEntry.X509Entry.Data) } -// Precertificate returns the X.509 Precertificate contained within the MerkleTreeLeaf. -// -// The returned precertificate is embedded in an x509.Certificate, but is in the -// form stored internally in the log rather than the original submitted form -// (i.e. it does not include the poison extension and any changes to reflect the -// final certificate's issuer have been made; see x509.BuildPrecertTBS). -func (m *MerkleTreeLeaf) Precertificate() (*x509.Certificate, error) { - if m.TimestampedEntry.EntryType != PrecertLogEntryType { - return nil, fmt.Errorf("cannot call Precertificate on a MerkleTreeLeaf that is not a precert entry") - } - return x509.ParseTBSCertificate(m.TimestampedEntry.PrecertEntry.TBSCertificate) -} - // APIEndpoint is a string that represents one of the Certificate Transparency // Log API endpoints. type APIEndpoint string From e33394d859135f4aee275c7d5cec5deceb19d8b3 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Tue, 11 Feb 2025 18:17:27 +0000 Subject: [PATCH 12/39] migrate x509/ct.go away from c-t-go # Conflicts: # internal/x509util/ct.go # internal/x509util/ct_test.go --- internal/x509util/ct.go | 193 ++++++++++++++++++++ internal/x509util/ct_test.go | 345 +++++++++++++++++++++++++++++++++++ 2 files changed, 538 insertions(+) create mode 100644 internal/x509util/ct.go create mode 100644 internal/x509util/ct_test.go diff --git a/internal/x509util/ct.go b/internal/x509util/ct.go new file mode 100644 index 00000000..dcb0f31f --- /dev/null +++ b/internal/x509util/ct.go @@ -0,0 +1,193 @@ +// Copyright 2024 Google LLC. All Rights Reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +package x509util + +import ( + "crypto/x509" + "crypto/x509/pkix" + "encoding/asn1" + "errors" + "fmt" + "math/big" + "time" +) + +var ( + oidExtensionAuthorityKeyId = asn1.ObjectIdentifier{2, 5, 29, 35} + // OIDExtensionCTPoison is defined in RFC 6962 s3.1. + oidExtensionCTPoison = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3} + oidExtensionKeyUsageCertificateTransparency = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 4} +) + +type tbsCertificate struct { + Raw asn1.RawContent + Version int `asn1:"optional,explicit,default:0,tag:0"` + SerialNumber *big.Int + SignatureAlgorithm pkix.AlgorithmIdentifier + Issuer asn1.RawValue + Validity validity + Subject asn1.RawValue + PublicKey publicKeyInfo + UniqueId asn1.BitString `asn1:"optional,tag:1"` + SubjectUniqueId asn1.BitString `asn1:"optional,tag:2"` + Extensions []pkix.Extension `asn1:"omitempty,optional,explicit,tag:3"` +} + +type validity struct { + NotBefore, NotAfter time.Time +} + +type publicKeyInfo struct { + Raw asn1.RawContent + Algorithm pkix.AlgorithmIdentifier + PublicKey asn1.BitString +} + +// removeExtension takes a DER-encoded TBSCertificate, removes the extension +// specified by oid (preserving the order of other extensions), and returns the +// result still as a DER-encoded TBSCertificate. This function will fail if +// there is not exactly 1 extension of the type specified by the oid present. +func removeExtension(tbsData []byte, oid asn1.ObjectIdentifier) ([]byte, error) { + var tbs tbsCertificate + rest, err := asn1.Unmarshal(tbsData, &tbs) + if err != nil { + return nil, fmt.Errorf("failed to parse TBSCertificate: %v", err) + } else if rLen := len(rest); rLen > 0 { + return nil, fmt.Errorf("trailing data (%d bytes) after TBSCertificate", rLen) + } + extAt := -1 + for i, ext := range tbs.Extensions { + if ext.Id.Equal(oid) { + if extAt != -1 { + return nil, errors.New("multiple extensions of specified type present") + } + extAt = i + } + } + if extAt == -1 { + return nil, errors.New("no extension of specified type present") + } + tbs.Extensions = append(tbs.Extensions[:extAt], tbs.Extensions[extAt+1:]...) + // Clear out the asn1.RawContent so the re-marshal operation sees the + // updated structure (rather than just copying the out-of-date DER data). + tbs.Raw = nil + + data, err := asn1.Marshal(tbs) + if err != nil { + return nil, fmt.Errorf("failed to re-marshal TBSCertificate: %v", err) + } + return data, nil +} + +// BuildPrecertTBS builds a Certificate Transparency pre-certificate (RFC 6962 +// s3.1) from the given DER-encoded TBSCertificate, returning a DER-encoded +// TBSCertificate. +// +// This function removes the CT poison extension (there must be exactly 1 of +// these), preserving the order of other extensions. +// +// If preIssuer is provided, this should be a special intermediate certificate +// that was used to sign the precert (indicated by having the special +// CertificateTransparency extended key usage). In this case, the issuance +// information of the pre-cert is updated to reflect the next issuer in the +// chain, i.e. the issuer of this special intermediate: +// - The precert's Issuer is changed to the Issuer of the intermediate +// - The precert's AuthorityKeyId is changed to the AuthorityKeyId of the +// intermediate. +func BuildPrecertTBS(tbsData []byte, preIssuer *x509.Certificate) ([]byte, error) { + data, err := removeExtension(tbsData, oidExtensionCTPoison) + if err != nil { + return nil, err + } + + var tbs tbsCertificate + rest, err := asn1.Unmarshal(data, &tbs) + if err != nil { + return nil, fmt.Errorf("failed to parse TBSCertificate: %v", err) + } else if rLen := len(rest); rLen > 0 { + return nil, fmt.Errorf("trailing data (%d bytes) after TBSCertificate", rLen) + } + + if preIssuer != nil { + // Update the precert's Issuer field. Use the RawIssuer rather than the + // parsed Issuer to avoid any chance of ASN.1 differences (e.g. switching + // from UTF8String to PrintableString). + tbs.Issuer.FullBytes = preIssuer.RawIssuer + + // Also need to update the cert's AuthorityKeyID extension + // to that of the preIssuer. + var issuerKeyID []byte + for _, ext := range preIssuer.Extensions { + if ext.Id.Equal(oidExtensionAuthorityKeyId) { + issuerKeyID = ext.Value + break + } + } + + // The x509 package does not parse CT EKU, so look for it in + // extensions directly. + seenCTEKU := false + for _, ext := range preIssuer.Extensions { + if ext.Id.Equal(oidExtensionKeyUsageCertificateTransparency) { + seenCTEKU = true + break + } + } + if !seenCTEKU { + return nil, fmt.Errorf("issuer does not have CertificateTransparency extended key usage") + } + + keyAt := -1 + for i, ext := range tbs.Extensions { + if ext.Id.Equal(oidExtensionAuthorityKeyId) { + keyAt = i + break + } + } + if keyAt >= 0 { + // PreCert has an auth-key-id; replace it with the value from the preIssuer + if issuerKeyID != nil { + tbs.Extensions[keyAt].Value = issuerKeyID + } else { + tbs.Extensions = append(tbs.Extensions[:keyAt], tbs.Extensions[keyAt+1:]...) + } + } else if issuerKeyID != nil { + // PreCert did not have an auth-key-id, but the preIssuer does, so add it at the end. + authKeyIDExt := pkix.Extension{ + Id: oidExtensionAuthorityKeyId, + Critical: false, + Value: issuerKeyID, + } + tbs.Extensions = append(tbs.Extensions, authKeyIDExt) + } + + // Clear out the asn1.RawContent so the re-marshal operation sees the + // updated structure (rather than just copying the out-of-date DER data). + tbs.Raw = nil + } + + data, err = asn1.Marshal(tbs) + if err != nil { + return nil, fmt.Errorf("failed to re-marshal TBSCertificate: %v", err) + } + return data, nil +} + +// RemoveCTPoison takes a DER-encoded TBSCertificate and removes the CT poison +// extension (preserving the order of other extensions), and returns the result +// still as a DER-encoded TBSCertificate. This function will fail if there is +// not exactly 1 CT poison extension present. +func RemoveCTPoison(tbsData []byte) ([]byte, error) { + return BuildPrecertTBS(tbsData, nil) +} diff --git a/internal/x509util/ct_test.go b/internal/x509util/ct_test.go new file mode 100644 index 00000000..fb1867a2 --- /dev/null +++ b/internal/x509util/ct_test.go @@ -0,0 +1,345 @@ +// Copyright 2024 Google LLC. All Rights Reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +package x509util + +import ( + "bytes" + "crypto/rand" + "crypto/rsa" + "crypto/x509" + "crypto/x509/pkix" + "encoding/asn1" + "encoding/hex" + "encoding/pem" + "math/big" + "reflect" + "strings" + "testing" + "time" +) + +var pemPrivateKey = testingKey(` +-----BEGIN RSA TESTING KEY----- +MIICXAIBAAKBgQCxoeCUW5KJxNPxMp+KmCxKLc1Zv9Ny+4CFqcUXVUYH69L3mQ7v +IWrJ9GBfcaA7BPQqUlWxWM+OCEQZH1EZNIuqRMNQVuIGCbz5UQ8w6tS0gcgdeGX7 +J7jgCQ4RK3F/PuCM38QBLaHx988qG8NMc6VKErBjctCXFHQt14lerd5KpQIDAQAB +AoGAYrf6Hbk+mT5AI33k2Jt1kcweodBP7UkExkPxeuQzRVe0KVJw0EkcFhywKpr1 +V5eLMrILWcJnpyHE5slWwtFHBG6a5fLaNtsBBtcAIfqTQ0Vfj5c6SzVaJv0Z5rOd +7gQF6isy3t3w9IF3We9wXQKzT6q5ypPGdm6fciKQ8RnzREkCQQDZwppKATqQ41/R +vhSj90fFifrGE6aVKC1hgSpxGQa4oIdsYYHwMzyhBmWW9Xv/R+fPyr8ZwPxp2c12 +33QwOLPLAkEA0NNUb+z4ebVVHyvSwF5jhfJxigim+s49KuzJ1+A2RaSApGyBZiwS +rWvWkB471POAKUYt5ykIWVZ83zcceQiNTwJBAMJUFQZX5GDqWFc/zwGoKkeR49Yi +MTXIvf7Wmv6E++eFcnT461FlGAUHRV+bQQXGsItR/opIG7mGogIkVXa3E1MCQARX +AAA7eoZ9AEHflUeuLn9QJI/r0hyQQLEtrpwv6rDT1GCWaLII5HJ6NUFVf4TTcqxo +6vdM4QGKTJoO+SaCyP0CQFdpcxSAuzpFcKv0IlJ8XzS/cy+mweCMwyJ1PFEc4FX6 +wg/HcAJWY60xZTJDFN+Qfx8ZQvBEin6c2/h+zZi5IVY= +-----END RSA TESTING KEY----- +`) + +var testPrivateKey *rsa.PrivateKey + +func testingKey(s string) string { return strings.ReplaceAll(s, "TESTING KEY", "PRIVATE KEY") } + +func init() { + block, _ := pem.Decode([]byte(pemPrivateKey)) + + var err error + if testPrivateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes); err != nil { + panic("Failed to parse private key: " + err.Error()) + } +} + +func makeCert(t *testing.T, template, issuer *x509.Certificate) *x509.Certificate { + t.Helper() + certData, err := x509.CreateCertificate(rand.Reader, template, issuer, &testPrivateKey.PublicKey, testPrivateKey) + if err != nil { + t.Fatalf("failed to create pre-cert: %v", err) + } + cert, err := x509.ParseCertificate(certData) + if err != nil { + t.Fatalf("failed to re-parse pre-cert: %v", err) + } + return cert +} + +func TestBuildPrecertTBS(t *testing.T) { + poisonExt := pkix.Extension{Id: oidExtensionCTPoison, Critical: true, Value: asn1.NullBytes} + // TODO(phboneff): check Critical and value are ok. + ctExt := pkix.Extension{Id: oidExtensionKeyUsageCertificateTransparency} + preIssuerKeyID := []byte{0x19, 0x09, 0x19, 0x70} + issuerKeyID := []byte{0x07, 0x07, 0x20, 0x07} + preCertTemplate := x509.Certificate{ + Version: 3, + SerialNumber: big.NewInt(123), + Issuer: pkix.Name{CommonName: "precert Issuer"}, + Subject: pkix.Name{CommonName: "precert subject"}, + NotBefore: time.Now(), + NotAfter: time.Now().Add(3 * time.Hour), + ExtraExtensions: []pkix.Extension{poisonExt}, + AuthorityKeyId: preIssuerKeyID, + } + preIssuerTemplate := x509.Certificate{ + Version: 3, + SerialNumber: big.NewInt(1234), + Issuer: pkix.Name{CommonName: "real Issuer"}, + Subject: pkix.Name{CommonName: "precert Issuer"}, + NotBefore: time.Now(), + NotAfter: time.Now().Add(3 * time.Hour), + ExtraExtensions: []pkix.Extension{ctExt}, + AuthorityKeyId: issuerKeyID, + SubjectKeyId: preIssuerKeyID, + } + actualIssuerTemplate := x509.Certificate{ + Version: 3, + SerialNumber: big.NewInt(12345), + Issuer: pkix.Name{CommonName: "real Issuer"}, + Subject: pkix.Name{CommonName: "real Issuer"}, + NotBefore: time.Now(), + NotAfter: time.Now().Add(3 * time.Hour), + SubjectKeyId: issuerKeyID, + } + preCertWithAKI := makeCert(t, &preCertTemplate, &preIssuerTemplate) + preIssuerWithAKI := makeCert(t, &preIssuerTemplate, &actualIssuerTemplate) + + preIssuerTemplate.AuthorityKeyId = nil + actualIssuerTemplate.SubjectKeyId = nil + preIssuerWithoutAKI := makeCert(t, &preIssuerTemplate, &actualIssuerTemplate) + + preCertTemplate.AuthorityKeyId = nil + preIssuerTemplate.SubjectKeyId = nil + preCertWithoutAKI := makeCert(t, &preCertTemplate, &preIssuerTemplate) + + preIssuerTemplate.ExtraExtensions = nil + invalidPreIssuer := makeCert(t, &preIssuerTemplate, &actualIssuerTemplate) + + akiPrefix := []byte{0x30, 0x06, 0x80, 0x04} // SEQUENCE { [0] { ... } } + var tests = []struct { + name string + tbs *x509.Certificate + preIssuer *x509.Certificate + wantAKI []byte + wantErr bool + }{ + { + name: "no-preIssuer-provided", + tbs: preCertWithAKI, + wantAKI: append(akiPrefix, preIssuerKeyID...), + }, + { + name: "both-with-AKI", + tbs: preCertWithAKI, + preIssuer: preIssuerWithAKI, + wantAKI: append(akiPrefix, issuerKeyID...), + }, + { + name: "invalid-preIssuer", + tbs: preCertWithAKI, + preIssuer: invalidPreIssuer, + wantErr: true, + }, + { + name: "both-without-AKI", + tbs: preCertWithoutAKI, + preIssuer: preIssuerWithoutAKI, + }, + { + name: "precert-with-preIssuer-without-AKI", + tbs: preCertWithAKI, + preIssuer: preIssuerWithoutAKI, + }, + { + name: "precert-without-preIssuer-with-AKI", + tbs: preCertWithoutAKI, + preIssuer: preIssuerWithAKI, + wantAKI: append(akiPrefix, issuerKeyID...), + }, + } + for _, test := range tests { + got, err := BuildPrecertTBS(test.tbs.RawTBSCertificate, test.preIssuer) + if err != nil { + if !test.wantErr { + t.Errorf("BuildPrecertTBS(%s)=nil,%q; want _,nil", test.name, err) + } + continue + } + if test.wantErr { + t.Errorf("BuildPrecertTBS(%s)=_,nil; want _,non-nil", test.name) + } + + var tbs tbsCertificate + if rest, err := asn1.Unmarshal(got, &tbs); err != nil { + t.Errorf("BuildPrecertTBS(%s) gave unparsable TBS: %v", test.name, err) + continue + } else if len(rest) > 0 { + t.Errorf("BuildPrecertTBS(%s) gave extra data in DER", test.name) + } + if test.preIssuer != nil { + if got, want := tbs.Issuer.FullBytes, test.preIssuer.RawIssuer; !bytes.Equal(got, want) { + t.Errorf("BuildPrecertTBS(%s).Issuer=%x, want %x", test.name, got, want) + } + } + var gotAKI []byte + for _, ext := range tbs.Extensions { + if ext.Id.Equal(oidExtensionAuthorityKeyId) { + gotAKI = ext.Value + break + } + } + if gotAKI != nil { + if test.wantAKI != nil { + if !reflect.DeepEqual(gotAKI, test.wantAKI) { + t.Errorf("BuildPrecertTBS(%s).Extensions[AKI]=%+v, want %+v", test.name, gotAKI, test.wantAKI) + } + } else { + t.Errorf("BuildPrecertTBS(%s).Extensions[AKI]=%+v, want nil", test.name, gotAKI) + } + } else if test.wantAKI != nil { + t.Errorf("BuildPrecertTBS(%s).Extensions[AKI]=nil, want %+v", test.name, test.wantAKI) + } + } +} + +const ( + tbsNoPoison = "30820245a003020102020842822a5b866fbfeb300d06092a864886f70d01010b" + + "05003071310b3009060355040613024742310f300d060355040813064c6f6e64" + + "6f6e310f300d060355040713064c6f6e646f6e310f300d060355040a1306476f" + + "6f676c65310c300a060355040b1303456e673121301f0603550403131846616b" + + "654365727469666963617465417574686f72697479301e170d31363037313731" + + "31313534305a170d3139303331393131313534305a3066310b30090603550406" + + "130255533113301106035504080c0a43616c69666f726e696131163014060355" + + "04070c0d4d6f756e7461696e205669657731133011060355040a0c0a476f6f67" + + "6c6520496e633115301306035504030c0c2a2e676f6f676c652e636f6d305930" + + "1306072a8648ce3d020106082a8648ce3d03010703420004c4093984f5158d12" + + "54b2029cf901e26d3547d40dd011616609351dcb121495b23fff35bd228e4dfc" + + "38502d22d6981ecaa023afa4967e32d1825f3157fb28ff37a381ce3081cb301d" + + "0603551d250416301406082b0601050507030106082b06010505070302306806" + + "082b06010505070101045c305a302b06082b06010505073002861f687474703a" + + "2f2f706b692e676f6f676c652e636f6d2f47494147322e637274302b06082b06" + + "010505073001861f687474703a2f2f636c69656e7473312e676f6f676c652e63" + + "6f6d2f6f637370301d0603551d0e04160414dbf46e63eee2dcbebf38604f9831" + + "d06444f163d830210603551d20041a3018300c060a2b06010401d67902050130" + + "08060667810c010202" + tbsPoisonFirst = "3082025aa003020102020842822a5b866fbfeb300d06092a864886f70d01010b" + + "05003071310b3009060355040613024742310f300d060355040813064c6f6e64" + + "6f6e310f300d060355040713064c6f6e646f6e310f300d060355040a1306476f" + + "6f676c65310c300a060355040b1303456e673121301f0603550403131846616b" + + "654365727469666963617465417574686f72697479301e170d31363037313731" + + "31313534305a170d3139303331393131313534305a3066310b30090603550406" + + "130255533113301106035504080c0a43616c69666f726e696131163014060355" + + "04070c0d4d6f756e7461696e205669657731133011060355040a0c0a476f6f67" + + "6c6520496e633115301306035504030c0c2a2e676f6f676c652e636f6d305930" + + "1306072a8648ce3d020106082a8648ce3d03010703420004c4093984f5158d12" + + "54b2029cf901e26d3547d40dd011616609351dcb121495b23fff35bd228e4dfc" + + "38502d22d6981ecaa023afa4967e32d1825f3157fb28ff37a381e33081e03013" + + "060a2b06010401d6790204030101ff04020500301d0603551d25041630140608" + + "2b0601050507030106082b06010505070302306806082b06010505070101045c" + + "305a302b06082b06010505073002861f687474703a2f2f706b692e676f6f676c" + + "652e636f6d2f47494147322e637274302b06082b06010505073001861f687474" + + "703a2f2f636c69656e7473312e676f6f676c652e636f6d2f6f637370301d0603" + + "551d0e04160414dbf46e63eee2dcbebf38604f9831d06444f163d83021060355" + + "1d20041a3018300c060a2b06010401d6790205013008060667810c010202" + tbsPoisonLast = "3082025aa003020102020842822a5b866fbfeb300d06092a864886f70d01010b" + + "05003071310b3009060355040613024742310f300d060355040813064c6f6e64" + + "6f6e310f300d060355040713064c6f6e646f6e310f300d060355040a1306476f" + + "6f676c65310c300a060355040b1303456e673121301f0603550403131846616b" + + "654365727469666963617465417574686f72697479301e170d31363037313731" + + "31313534305a170d3139303331393131313534305a3066310b30090603550406" + + "130255533113301106035504080c0a43616c69666f726e696131163014060355" + + "04070c0d4d6f756e7461696e205669657731133011060355040a0c0a476f6f67" + + "6c6520496e633115301306035504030c0c2a2e676f6f676c652e636f6d305930" + + "1306072a8648ce3d020106082a8648ce3d03010703420004c4093984f5158d12" + + "54b2029cf901e26d3547d40dd011616609351dcb121495b23fff35bd228e4dfc" + + "38502d22d6981ecaa023afa4967e32d1825f3157fb28ff37a381e33081e0301d" + + "0603551d250416301406082b0601050507030106082b06010505070302306806" + + "082b06010505070101045c305a302b06082b06010505073002861f687474703a" + + "2f2f706b692e676f6f676c652e636f6d2f47494147322e637274302b06082b06" + + "010505073001861f687474703a2f2f636c69656e7473312e676f6f676c652e63" + + "6f6d2f6f637370301d0603551d0e04160414dbf46e63eee2dcbebf38604f9831" + + "d06444f163d830210603551d20041a3018300c060a2b06010401d67902050130" + + "08060667810c0102023013060a2b06010401d6790204030101ff04020500" + tbsPoisonMiddle = "3082025aa003020102020842822a5b866fbfeb300d06092a864886f70d01010b" + + "05003071310b3009060355040613024742310f300d060355040813064c6f6e64" + + "6f6e310f300d060355040713064c6f6e646f6e310f300d060355040a1306476f" + + "6f676c65310c300a060355040b1303456e673121301f0603550403131846616b" + + "654365727469666963617465417574686f72697479301e170d31363037313731" + + "31313534305a170d3139303331393131313534305a3066310b30090603550406" + + "130255533113301106035504080c0a43616c69666f726e696131163014060355" + + "04070c0d4d6f756e7461696e205669657731133011060355040a0c0a476f6f67" + + "6c6520496e633115301306035504030c0c2a2e676f6f676c652e636f6d305930" + + "1306072a8648ce3d020106082a8648ce3d03010703420004c4093984f5158d12" + + "54b2029cf901e26d3547d40dd011616609351dcb121495b23fff35bd228e4dfc" + + "38502d22d6981ecaa023afa4967e32d1825f3157fb28ff37a381e33081e0301d" + + "0603551d250416301406082b0601050507030106082b06010505070302306806" + + "082b06010505070101045c305a302b06082b06010505073002861f687474703a" + + "2f2f706b692e676f6f676c652e636f6d2f47494147322e637274302b06082b06" + + "010505073001861f687474703a2f2f636c69656e7473312e676f6f676c652e63" + + "6f6d2f6f6373703013060a2b06010401d6790204030101ff04020500301d0603" + + "551d0e04160414dbf46e63eee2dcbebf38604f9831d06444f163d83021060355" + + "1d20041a3018300c060a2b06010401d6790205013008060667810c010202" + tbsPoisonTwice = "3082026fa003020102020842822a5b866fbfeb300d06092a864886f70d01010b" + + "05003071310b3009060355040613024742310f300d060355040813064c6f6e64" + + "6f6e310f300d060355040713064c6f6e646f6e310f300d060355040a1306476f" + + "6f676c65310c300a060355040b1303456e673121301f0603550403131846616b" + + "654365727469666963617465417574686f72697479301e170d31363037313731" + + "31313534305a170d3139303331393131313534305a3066310b30090603550406" + + "130255533113301106035504080c0a43616c69666f726e696131163014060355" + + "04070c0d4d6f756e7461696e205669657731133011060355040a0c0a476f6f67" + + "6c6520496e633115301306035504030c0c2a2e676f6f676c652e636f6d305930" + + "1306072a8648ce3d020106082a8648ce3d03010703420004c4093984f5158d12" + + "54b2029cf901e26d3547d40dd011616609351dcb121495b23fff35bd228e4dfc" + + "38502d22d6981ecaa023afa4967e32d1825f3157fb28ff37a381f83081f5301d" + + "0603551d250416301406082b0601050507030106082b06010505070302306806" + + "082b06010505070101045c305a302b06082b06010505073002861f687474703a" + + "2f2f706b692e676f6f676c652e636f6d2f47494147322e637274302b06082b06" + + "010505073001861f687474703a2f2f636c69656e7473312e676f6f676c652e63" + + "6f6d2f6f6373703013060a2b06010401d6790204030101ff04020500301d0603" + + "551d0e04160414dbf46e63eee2dcbebf38604f9831d06444f163d83013060a2b" + + "06010401d6790204030101ff0402050030210603551d20041a3018300c060a2b" + + "06010401d6790205013008060667810c010202" +) + +func TestRemoveCTPoison(t *testing.T) { + var tests = []struct { + name string // for human consumption + tbs string // hex encoded + want string // hex encoded + errstr string + }{ + {name: "invalid-der", tbs: "01020304", errstr: "failed to parse"}, + {name: "trailing-data", tbs: tbsPoisonMiddle + "01020304", errstr: "trailing data"}, + {name: "no-poison-ext", tbs: tbsNoPoison, errstr: "no extension of specified type present"}, + {name: "two-poison-exts", tbs: tbsPoisonTwice, errstr: "multiple extensions of specified type present"}, + {name: "poison-first", tbs: tbsPoisonFirst, want: tbsNoPoison}, + {name: "poison-last", tbs: tbsPoisonLast, want: tbsNoPoison}, + {name: "poison-middle", tbs: tbsPoisonMiddle, want: tbsNoPoison}, + } + for _, test := range tests { + in, _ := hex.DecodeString(test.tbs) + got, err := RemoveCTPoison(in) + if test.errstr != "" { + if err == nil { + t.Errorf("RemoveCTPoison(%s)=%s,nil; want error %q", test.name, hex.EncodeToString(got), test.errstr) + } else if !strings.Contains(err.Error(), test.errstr) { + t.Errorf("RemoveCTPoison(%s)=nil,%q; want error %q", test.name, err, test.errstr) + } + continue + } + want, _ := hex.DecodeString(test.want) + if err != nil { + t.Errorf("RemoveCTPoison(%s)=nil,%q; want %s,nil", test.name, err, test.want) + } else if !bytes.Equal(got, want) { + t.Errorf("RemoveCTPoison(%s)=%s,nil; want %s,nil", test.name, hex.EncodeToString(got), test.want) + } + } +} From 4fd70070f6552b961e42fe66a29f4ab84e55a40b Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Wed, 12 Feb 2025 15:24:26 +0000 Subject: [PATCH 13/39] allow specific verify errors to go through --- internal/scti/chain_validation.go | 76 ++++++++++++++++++-------- internal/scti/chain_validation_test.go | 2 +- 2 files changed, 54 insertions(+), 24 deletions(-) diff --git a/internal/scti/chain_validation.go b/internal/scti/chain_validation.go index d46365e5..a0660832 100644 --- a/internal/scti/chain_validation.go +++ b/internal/scti/chain_validation.go @@ -140,6 +140,52 @@ func isPrecertificate(cert *x509.Certificate) (bool, error) { return false, nil } +// getLaxVerifiedChain returns a verified certificate chain, allowing for specific +// errors that are commonly raised with certificates submitted to CT logs. +// +// Allowed x509 errors: +// - UnhandledCriticalExtension: Precertificates have the poison extension +// which the Go library code does not recognize; also the Go library code +// does not support the standard PolicyConstraints extension (which is +// required to be marked critical, RFC 5280 s4.2.1.11) +// - Expired: CT logs should be able to log expired certificates. +// - IncompatibleUsage: Pre-issued precertificates have the Certificate +// Transparency EKU, which intermediates don't have. Also some leaves have +// unknown EKUs that should not be bounced just because the intermediate +// does not also have them (cf. https://github.com/golang/go/issues/24590) +// so disable EKU checks inside the x509 library, but we've already done our +// own check on the leaf above. +// - NoValidChains: Do no enforce policy validation. +// - TooManyIntermediates: path length checks get confused by the presence of +// an additional pre-issuer intermediate. +// - CANotAuthorizedForThisName: allow to log all certificates, even if they +// have been isued by a CA trhat is not auhotized to issue certs for a +// given domain. +func getLaxVerifiedChain(cert *x509.Certificate, opts x509.VerifyOptions) ([][]*x509.Certificate, error) { + chains, err := cert.Verify(opts) + switch err.(type) { + case x509.UnhandledCriticalExtension: + return chains, nil + case x509.CertificateInvalidError: + if e, ok := err.(x509.CertificateInvalidError); ok { + switch e.Reason { + case x509.Expired, x509.TooManyIntermediates, x509.CANotAuthorizedForThisName: + return chains, nil + // TODO(phboneff): check if we can remove these two exceptions. + // NoValidChains was not a thing back when x509 was forked in ctgo. + // New CT logs should all filter incoming certs with EKU, and + // https://github.com/golang/go/issues/24590 has been updated, + // so we should be able to remove IncompatibleUsage as well. + case x509.IncompatibleUsage, x509.NoValidChains: + return chains, nil + default: + return chains, err + } + } + } + return chains, err +} + // validateChain takes the certificate chain as it was parsed from a JSON request. Ensures all // elements in the chain decode as X.509 certificates. Ensures that there is a valid path from the // end entity certificate in the chain to a trusted root cert, possibly using the intermediates @@ -154,7 +200,7 @@ func validateChain(rawChain [][]byte, validationOpts ChainValidationOpts) ([]*x5 for i, certBytes := range rawChain { cert, err := x509.ParseCertificate(certBytes) if err != nil { - return nil, fmt.Errorf("x509.ParseCertificate(): %v") + return nil, fmt.Errorf("x509.ParseCertificate(): %v", err) } chain = append(chain, cert) @@ -224,32 +270,16 @@ func validateChain(rawChain [][]byte, validationOpts ChainValidationOpts) ([]*x5 } } - // We can now do the verification. Use fairly lax options for verification, as + // We can now do the verification. Use fairly lax options for verification, as // CT is intended to observe certificates rather than police them. verifyOpts := x509.VerifyOptions{ - Roots: validationOpts.trustedRoots.CertPool(), - CurrentTime: now, - Intermediates: intermediatePool.CertPool(), - DisableTimeChecks: true, - // Precertificates have the poison extension; also the Go library code does not - // support the standard PolicyConstraints extension (which is required to be marked - // critical, RFC 5280 s4.2.1.11), so never check unhandled critical extensions. - DisableCriticalExtensionChecks: true, - // Pre-issued precertificates have the Certificate Transparency EKU; also some - // leaves have unknown EKUs that should not be bounced just because the intermediate - // does not also have them (cf. https://github.com/golang/go/issues/24590) so - // disable EKU checks inside the x509 library, but we've already done our own check - // on the leaf above. - DisableEKUChecks: true, - // Path length checks get confused by the presence of an additional - // pre-issuer intermediate, so disable them. - DisablePathLenChecks: true, - DisableNameConstraintChecks: true, - DisableNameChecks: false, - KeyUsages: validationOpts.extKeyUsages, + Roots: validationOpts.trustedRoots.CertPool(), + CurrentTime: now, + Intermediates: intermediatePool.CertPool(), + KeyUsages: validationOpts.extKeyUsages, } - verifiedChains, err := cert.Verify(verifyOpts) + verifiedChains, err := getLaxVerifiedChain(cert, verifyOpts) if err != nil { return nil, err } diff --git a/internal/scti/chain_validation_test.go b/internal/scti/chain_validation_test.go index 4ec4e632..ae9b229f 100644 --- a/internal/scti/chain_validation_test.go +++ b/internal/scti/chain_validation_test.go @@ -477,7 +477,7 @@ func pemToCert(t *testing.T, pemData string) *x509.Certificate { cert, err := x509.ParseCertificate(bytes.Bytes) if err != nil { - t.Fatalf("x509.ParseCertificate(): %v") + t.Fatalf("x509.ParseCertificate(): %v", err) } return cert From b080ba27ba8322f50119d408fa3d6e840c99ec94 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Thu, 13 Feb 2025 15:40:10 +0000 Subject: [PATCH 14/39] add comments --- internal/scti/chain_validation.go | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/internal/scti/chain_validation.go b/internal/scti/chain_validation.go index a0660832..a0b168c5 100644 --- a/internal/scti/chain_validation.go +++ b/internal/scti/chain_validation.go @@ -144,6 +144,7 @@ func isPrecertificate(cert *x509.Certificate) (bool, error) { // errors that are commonly raised with certificates submitted to CT logs. // // Allowed x509 errors: +// // - UnhandledCriticalExtension: Precertificates have the poison extension // which the Go library code does not recognize; also the Go library code // does not support the standard PolicyConstraints extension (which is @@ -161,14 +162,27 @@ func isPrecertificate(cert *x509.Certificate) (bool, error) { // - CANotAuthorizedForThisName: allow to log all certificates, even if they // have been isued by a CA trhat is not auhotized to issue certs for a // given domain. +// +// TODO(phboneff): this doesn't work because, as it should, cert.Verify() +// does not return a chain when it raises an error. func getLaxVerifiedChain(cert *x509.Certificate, opts x509.VerifyOptions) ([][]*x509.Certificate, error) { chains, err := cert.Verify(opts) switch err.(type) { + // TODO(phboneff): check if we could make the x509 library aware of the CT + // poison. + // TODO(phboneff): re-evaluate whether PolicyConstraints is still an issue. case x509.UnhandledCriticalExtension: return chains, nil case x509.CertificateInvalidError: if e, ok := err.(x509.CertificateInvalidError); ok { switch e.Reason { + // TODO(phboneff): if need be, change time to make sure that the cert is + // never considered as expired. + // TODO(phboneff): see if TooManyIntermediates handling could be improved + // upstream. + // TODO(phboneff): see if it's necessary to log certs for which + // CANotAuthorizedForThisName is raised. If browsers all check this + // as well, then there is no need to log these certs. case x509.Expired, x509.TooManyIntermediates, x509.CANotAuthorizedForThisName: return chains, nil // TODO(phboneff): check if we can remove these two exceptions. From 5945b5c02a14e80362d3755f1e5f58af60378349 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 10:17:19 +0000 Subject: [PATCH 15/39] copy x509/verify.go and use exported functions when possible --- internal/x509util/verify.go | 1604 +++++++++++++++++++++++++++++++++++ 1 file changed, 1604 insertions(+) create mode 100644 internal/x509util/verify.go diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go new file mode 100644 index 00000000..e6345412 --- /dev/null +++ b/internal/x509util/verify.go @@ -0,0 +1,1604 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package x509util + +import ( + "bytes" + "crypto" + "crypto/x509" + "crypto/x509/pkix" + "errors" + "fmt" + "iter" + "maps" + "net" + "net/url" + "reflect" + "runtime" + "strings" + "time" + "unicode/utf8" +) + +type InvalidReason int + +const ( + // NotAuthorizedToSign results when a certificate is signed by another + // which isn't marked as a CA certificate. + NotAuthorizedToSign InvalidReason = iota + // Expired results when a certificate has expired, based on the time + // given in the VerifyOptions. + Expired + // CANotAuthorizedForThisName results when an intermediate or root + // certificate has a name constraint which doesn't permit a DNS or + // other name (including IP address) in the leaf certificate. + CANotAuthorizedForThisName + // TooManyIntermediates results when a path length constraint is + // violated. + TooManyIntermediates + // IncompatibleUsage results when the certificate's key usage indicates + // that it may only be used for a different purpose. + IncompatibleUsage + // NameMismatch results when the subject name of a parent certificate + // does not match the issuer name in the child. + NameMismatch + // NameConstraintsWithoutSANs is a legacy error and is no longer returned. + NameConstraintsWithoutSANs + // UnconstrainedName results when a CA certificate contains permitted + // name constraints, but leaf certificate contains a name of an + // unsupported or unconstrained type. + UnconstrainedName + // TooManyConstraints results when the number of comparison operations + // needed to check a certificate exceeds the limit set by + // VerifyOptions.MaxConstraintComparisions. This limit exists to + // prevent pathological certificates can consuming excessive amounts of + // CPU time to verify. + TooManyConstraints + // CANotAuthorizedForExtKeyUsage results when an intermediate or root + // certificate does not permit a requested extended key usage. + CANotAuthorizedForExtKeyUsage + // NoValidChains results when there are no valid chains to return. + NoValidChains +) + +// CertificateInvalidError results when an odd error occurs. Users of this +// library probably want to handle all these errors uniformly. +type CertificateInvalidError struct { + Cert *x509.Certificate + Reason InvalidReason + Detail string +} + +func (e CertificateInvalidError) Error() string { + switch e.Reason { + case NotAuthorizedToSign: + return "x509: certificate is not authorized to sign other certificates" + case Expired: + return "x509: certificate has expired or is not yet valid: " + e.Detail + case CANotAuthorizedForThisName: + return "x509: a root or intermediate certificate is not authorized to sign for this name: " + e.Detail + case CANotAuthorizedForExtKeyUsage: + return "x509: a root or intermediate certificate is not authorized for an extended key usage: " + e.Detail + case TooManyIntermediates: + return "x509: too many intermediates for path length constraint" + case IncompatibleUsage: + return "x509: certificate specifies an incompatible key usage" + case NameMismatch: + return "x509: issuer name does not match subject from issuing certificate" + case NameConstraintsWithoutSANs: + return "x509: issuer has name constraints but leaf doesn't have a SAN extension" + case UnconstrainedName: + return "x509: issuer has name constraints but leaf contains unknown or unconstrained name: " + e.Detail + case NoValidChains: + s := "x509: no valid chains built" + if e.Detail != "" { + s = fmt.Sprintf("%s: %s", s, e.Detail) + } + return s + } + return "x509: unknown error" +} + +// HostnameError results when the set of authorized names doesn't match the +// requested name. +type HostnameError struct { + Certificate *x509.Certificate + Host string +} + +func (h HostnameError) Error() string { + c := h.Certificate + + if !c.hasSANExtension() && matchHostnames(c.Subject.CommonName, h.Host) { + return "x509: certificate relies on legacy Common Name field, use SANs instead" + } + + var valid string + if ip := net.ParseIP(h.Host); ip != nil { + // Trying to validate an IP + if len(c.IPAddresses) == 0 { + return "x509: cannot validate certificate for " + h.Host + " because it doesn't contain any IP SANs" + } + for _, san := range c.IPAddresses { + if len(valid) > 0 { + valid += ", " + } + valid += san.String() + } + } else { + valid = strings.Join(c.DNSNames, ", ") + } + + if len(valid) == 0 { + return "x509: certificate is not valid for any names, but wanted to match " + h.Host + } + return "x509: certificate is valid for " + valid + ", not " + h.Host +} + +// UnknownAuthorityError results when the certificate issuer is unknown +type UnknownAuthorityError struct { + Cert *x509.Certificate + // hintErr contains an error that may be helpful in determining why an + // authority wasn't found. + hintErr error + // hintCert contains a possible authority certificate that was rejected + // because of the error in hintErr. + hintCert *x509.Certificate +} + +func (e UnknownAuthorityError) Error() string { + s := "x509: certificate signed by unknown authority" + if e.hintErr != nil { + certName := e.hintCert.Subject.CommonName + if len(certName) == 0 { + if len(e.hintCert.Subject.Organization) > 0 { + certName = e.hintCert.Subject.Organization[0] + } else { + certName = "serial:" + e.hintCert.SerialNumber.String() + } + } + s += fmt.Sprintf(" (possibly because of %q while trying to verify candidate authority certificate %q)", e.hintErr, certName) + } + return s +} + +// SystemRootsError results when we fail to load the system root certificates. +type SystemRootsError struct { + Err error +} + +func (se SystemRootsError) Error() string { + msg := "x509: failed to load system roots and no roots provided" + if se.Err != nil { + return msg + "; " + se.Err.Error() + } + return msg +} + +func (se SystemRootsError) Unwrap() error { return se.Err } + +// errNotParsed is returned when a certificate without ASN.1 contents is +// verified. Platform-specific verification needs the ASN.1 contents. +var errNotParsed = errors.New("x509: missing ASN.1 contents; use ParseCertificate") + +// VerifyOptions contains parameters for Certificate.Verify. +type VerifyOptions struct { + // DNSName, if set, is checked against the leaf certificate with + // Certificate.VerifyHostname or the platform verifier. + DNSName string + + // Intermediates is an optional pool of certificates that are not trust + // anchors, but can be used to form a chain from the leaf certificate to a + // root certificate. + Intermediates *x509.CertPool + // Roots is the set of trusted root certificates the leaf certificate needs + // to chain up to. If nil, the system roots or the platform verifier are used. + Roots *x509.CertPool + + // CurrentTime is used to check the validity of all certificates in the + // chain. If zero, the current time is used. + CurrentTime time.Time + + // KeyUsages specifies which Extended Key Usage values are acceptable. A + // chain is accepted if it allows any of the listed values. An empty list + // means ExtKeyUsageServerAuth. To accept any key usage, include ExtKeyUsageAny. + KeyUsages []x509.ExtKeyUsage + + // MaxConstraintComparisions is the maximum number of comparisons to + // perform when checking a given certificate's name constraints. If + // zero, a sensible default is used. This limit prevents pathological + // certificates from consuming excessive amounts of CPU time when + // validating. It does not apply to the platform verifier. + MaxConstraintComparisions int + + // CertificatePolicies specifies which certificate policy OIDs are + // acceptable during policy validation. An empty CertificatePolices + // field implies any valid policy is acceptable. + CertificatePolicies []x509.OID + + // The following policy fields are unexported, because we do not expect + // users to actually need to use them, but are useful for testing the + // policy validation code. + + // inhibitPolicyMapping indicates if policy mapping should be allowed + // during path validation. + inhibitPolicyMapping bool + + // requireExplicitPolicy indidicates if explicit policies must be present + // for each certificate being validated. + requireExplicitPolicy bool + + // inhibitAnyPolicy indicates if the anyPolicy policy should be + // processed if present in a certificate being validated. + inhibitAnyPolicy bool +} + +const ( + leafCertificate = iota + intermediateCertificate + rootCertificate +) + +// rfc2821Mailbox represents a “mailbox” (which is an email address to most +// people) by breaking it into the “local” (i.e. before the '@') and “domain” +// parts. +type rfc2821Mailbox struct { + local, domain string +} + +// parseRFC2821Mailbox parses an email address into local and domain parts, +// based on the ABNF for a “Mailbox” from RFC 2821. According to RFC 5280, +// Section 4.2.1.6 that's correct for an rfc822Name from a certificate: “The +// format of an rfc822Name is a "Mailbox" as defined in RFC 2821, Section 4.1.2”. +func parseRFC2821Mailbox(in string) (mailbox rfc2821Mailbox, ok bool) { + if len(in) == 0 { + return mailbox, false + } + + localPartBytes := make([]byte, 0, len(in)/2) + + if in[0] == '"' { + // Quoted-string = DQUOTE *qcontent DQUOTE + // non-whitespace-control = %d1-8 / %d11 / %d12 / %d14-31 / %d127 + // qcontent = qtext / quoted-pair + // qtext = non-whitespace-control / + // %d33 / %d35-91 / %d93-126 + // quoted-pair = ("\" text) / obs-qp + // text = %d1-9 / %d11 / %d12 / %d14-127 / obs-text + // + // (Names beginning with “obs-” are the obsolete syntax from RFC 2822, + // Section 4. Since it has been 16 years, we no longer accept that.) + in = in[1:] + QuotedString: + for { + if len(in) == 0 { + return mailbox, false + } + c := in[0] + in = in[1:] + + switch { + case c == '"': + break QuotedString + + case c == '\\': + // quoted-pair + if len(in) == 0 { + return mailbox, false + } + if in[0] == 11 || + in[0] == 12 || + (1 <= in[0] && in[0] <= 9) || + (14 <= in[0] && in[0] <= 127) { + localPartBytes = append(localPartBytes, in[0]) + in = in[1:] + } else { + return mailbox, false + } + + case c == 11 || + c == 12 || + // Space (char 32) is not allowed based on the + // BNF, but RFC 3696 gives an example that + // assumes that it is. Several “verified” + // errata continue to argue about this point. + // We choose to accept it. + c == 32 || + c == 33 || + c == 127 || + (1 <= c && c <= 8) || + (14 <= c && c <= 31) || + (35 <= c && c <= 91) || + (93 <= c && c <= 126): + // qtext + localPartBytes = append(localPartBytes, c) + + default: + return mailbox, false + } + } + } else { + // Atom ("." Atom)* + NextChar: + for len(in) > 0 { + // atext from RFC 2822, Section 3.2.4 + c := in[0] + + switch { + case c == '\\': + // Examples given in RFC 3696 suggest that + // escaped characters can appear outside of a + // quoted string. Several “verified” errata + // continue to argue the point. We choose to + // accept it. + in = in[1:] + if len(in) == 0 { + return mailbox, false + } + fallthrough + + case ('0' <= c && c <= '9') || + ('a' <= c && c <= 'z') || + ('A' <= c && c <= 'Z') || + c == '!' || c == '#' || c == '$' || c == '%' || + c == '&' || c == '\'' || c == '*' || c == '+' || + c == '-' || c == '/' || c == '=' || c == '?' || + c == '^' || c == '_' || c == '`' || c == '{' || + c == '|' || c == '}' || c == '~' || c == '.': + localPartBytes = append(localPartBytes, in[0]) + in = in[1:] + + default: + break NextChar + } + } + + if len(localPartBytes) == 0 { + return mailbox, false + } + + // From RFC 3696, Section 3: + // “period (".") may also appear, but may not be used to start + // or end the local part, nor may two or more consecutive + // periods appear.” + twoDots := []byte{'.', '.'} + if localPartBytes[0] == '.' || + localPartBytes[len(localPartBytes)-1] == '.' || + bytes.Contains(localPartBytes, twoDots) { + return mailbox, false + } + } + + if len(in) == 0 || in[0] != '@' { + return mailbox, false + } + in = in[1:] + + // The RFC species a format for domains, but that's known to be + // violated in practice so we accept that anything after an '@' is the + // domain part. + if _, ok := domainToReverseLabels(in); !ok { + return mailbox, false + } + + mailbox.local = string(localPartBytes) + mailbox.domain = in + return mailbox, true +} + +// domainToReverseLabels converts a textual domain name like foo.example.com to +// the list of labels in reverse order, e.g. ["com", "example", "foo"]. +func domainToReverseLabels(domain string) (reverseLabels []string, ok bool) { + for len(domain) > 0 { + if i := strings.LastIndexByte(domain, '.'); i == -1 { + reverseLabels = append(reverseLabels, domain) + domain = "" + } else { + reverseLabels = append(reverseLabels, domain[i+1:]) + domain = domain[:i] + if i == 0 { // domain == "" + // domain is prefixed with an empty label, append an empty + // string to reverseLabels to indicate this. + reverseLabels = append(reverseLabels, "") + } + } + } + + if len(reverseLabels) > 0 && len(reverseLabels[0]) == 0 { + // An empty label at the end indicates an absolute value. + return nil, false + } + + for _, label := range reverseLabels { + if len(label) == 0 { + // Empty labels are otherwise invalid. + return nil, false + } + + for _, c := range label { + if c < 33 || c > 126 { + // Invalid character. + return nil, false + } + } + } + + return reverseLabels, true +} + +func matchEmailConstraint(mailbox rfc2821Mailbox, constraint string) (bool, error) { + // If the constraint contains an @, then it specifies an exact mailbox + // name. + if strings.Contains(constraint, "@") { + constraintMailbox, ok := parseRFC2821Mailbox(constraint) + if !ok { + return false, fmt.Errorf("x509: internal error: cannot parse constraint %q", constraint) + } + return mailbox.local == constraintMailbox.local && strings.EqualFold(mailbox.domain, constraintMailbox.domain), nil + } + + // Otherwise the constraint is like a DNS constraint of the domain part + // of the mailbox. + return matchDomainConstraint(mailbox.domain, constraint) +} + +func matchURIConstraint(uri *url.URL, constraint string) (bool, error) { + // From RFC 5280, Section 4.2.1.10: + // “a uniformResourceIdentifier that does not include an authority + // component with a host name specified as a fully qualified domain + // name (e.g., if the URI either does not include an authority + // component or includes an authority component in which the host name + // is specified as an IP address), then the application MUST reject the + // certificate.” + + host := uri.Host + if len(host) == 0 { + return false, fmt.Errorf("URI with empty host (%q) cannot be matched against constraints", uri.String()) + } + + if strings.Contains(host, ":") && !strings.HasSuffix(host, "]") { + var err error + host, _, err = net.SplitHostPort(uri.Host) + if err != nil { + return false, err + } + } + + if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") || + net.ParseIP(host) != nil { + return false, fmt.Errorf("URI with IP (%q) cannot be matched against constraints", uri.String()) + } + + return matchDomainConstraint(host, constraint) +} + +func matchIPConstraint(ip net.IP, constraint *net.IPNet) (bool, error) { + if len(ip) != len(constraint.IP) { + return false, nil + } + + for i := range ip { + if mask := constraint.Mask[i]; ip[i]&mask != constraint.IP[i]&mask { + return false, nil + } + } + + return true, nil +} + +func matchDomainConstraint(domain, constraint string) (bool, error) { + // The meaning of zero length constraints is not specified, but this + // code follows NSS and accepts them as matching everything. + if len(constraint) == 0 { + return true, nil + } + + domainLabels, ok := domainToReverseLabels(domain) + if !ok { + return false, fmt.Errorf("x509: internal error: cannot parse domain %q", domain) + } + + // RFC 5280 says that a leading period in a domain name means that at + // least one label must be prepended, but only for URI and email + // constraints, not DNS constraints. The code also supports that + // behaviour for DNS constraints. + + mustHaveSubdomains := false + if constraint[0] == '.' { + mustHaveSubdomains = true + constraint = constraint[1:] + } + + constraintLabels, ok := domainToReverseLabels(constraint) + if !ok { + return false, fmt.Errorf("x509: internal error: cannot parse domain %q", constraint) + } + + if len(domainLabels) < len(constraintLabels) || + (mustHaveSubdomains && len(domainLabels) == len(constraintLabels)) { + return false, nil + } + + for i, constraintLabel := range constraintLabels { + if !strings.EqualFold(constraintLabel, domainLabels[i]) { + return false, nil + } + } + + return true, nil +} + +// checkNameConstraints checks that c permits a child certificate to claim the +// given name, of type nameType. The argument parsedName contains the parsed +// form of name, suitable for passing to the match function. The total number +// of comparisons is tracked in the given count and should not exceed the given +// limit. +func (c *Certificate) checkNameConstraints(count *int, + maxConstraintComparisons int, + nameType string, + name string, + parsedName any, + match func(parsedName, constraint any) (match bool, err error), + permitted, excluded any) error { + + excludedValue := reflect.ValueOf(excluded) + + *count += excludedValue.Len() + if *count > maxConstraintComparisons { + return CertificateInvalidError{c, TooManyConstraints, ""} + } + + for i := 0; i < excludedValue.Len(); i++ { + constraint := excludedValue.Index(i).Interface() + match, err := match(parsedName, constraint) + if err != nil { + return CertificateInvalidError{c, CANotAuthorizedForThisName, err.Error()} + } + + if match { + return CertificateInvalidError{c, CANotAuthorizedForThisName, fmt.Sprintf("%s %q is excluded by constraint %q", nameType, name, constraint)} + } + } + + permittedValue := reflect.ValueOf(permitted) + + *count += permittedValue.Len() + if *count > maxConstraintComparisons { + return CertificateInvalidError{c, TooManyConstraints, ""} + } + + ok := true + for i := 0; i < permittedValue.Len(); i++ { + constraint := permittedValue.Index(i).Interface() + + var err error + if ok, err = match(parsedName, constraint); err != nil { + return CertificateInvalidError{c, CANotAuthorizedForThisName, err.Error()} + } + + if ok { + break + } + } + + if !ok { + return CertificateInvalidError{c, CANotAuthorizedForThisName, fmt.Sprintf("%s %q is not permitted by any constraint", nameType, name)} + } + + return nil +} + +// isValid performs validity checks on c given that it is a candidate to append +// to the chain in currentChain. +func (c *Certificate) isValid(certType int, currentChain []*x509.Certificate, opts *VerifyOptions) error { + if len(c.UnhandledCriticalExtensions) > 0 { + return x509.UnhandledCriticalExtension{} + } + + if len(currentChain) > 0 { + child := currentChain[len(currentChain)-1] + if !bytes.Equal(child.RawIssuer, c.RawSubject) { + return CertificateInvalidError{c, NameMismatch, ""} + } + } + + now := opts.CurrentTime + if now.IsZero() { + now = time.Now() + } + if now.Before(c.NotBefore) { + return CertificateInvalidError{ + Cert: c, + Reason: Expired, + Detail: fmt.Sprintf("current time %s is before %s", now.Format(time.RFC3339), c.NotBefore.Format(time.RFC3339)), + } + } else if now.After(c.NotAfter) { + return CertificateInvalidError{ + Cert: c, + Reason: Expired, + Detail: fmt.Sprintf("current time %s is after %s", now.Format(time.RFC3339), c.NotAfter.Format(time.RFC3339)), + } + } + + maxConstraintComparisons := opts.MaxConstraintComparisions + if maxConstraintComparisons == 0 { + maxConstraintComparisons = 250000 + } + comparisonCount := 0 + + if certType == intermediateCertificate || certType == rootCertificate { + if len(currentChain) == 0 { + return errors.New("x509: internal error: empty chain when appending CA cert") + } + } + + if (certType == intermediateCertificate || certType == rootCertificate) && + c.hasNameConstraints() { + toCheck := []*x509.Certificate{} + for _, c := range currentChain { + if c.hasSANExtension() { + toCheck = append(toCheck, c) + } + } + for _, sanCert := range toCheck { + err := forEachSAN(sanCert.getSANExtension(), func(tag int, data []byte) error { + switch tag { + case nameTypeEmail: + name := string(data) + mailbox, ok := parseRFC2821Mailbox(name) + if !ok { + return fmt.Errorf("x509: cannot parse rfc822Name %q", mailbox) + } + + if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "email address", name, mailbox, + func(parsedName, constraint any) (bool, error) { + return matchEmailConstraint(parsedName.(rfc2821Mailbox), constraint.(string)) + }, c.PermittedEmailAddresses, c.ExcludedEmailAddresses); err != nil { + return err + } + + case nameTypeDNS: + name := string(data) + if _, ok := domainToReverseLabels(name); !ok { + return fmt.Errorf("x509: cannot parse dnsName %q", name) + } + + if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "DNS name", name, name, + func(parsedName, constraint any) (bool, error) { + return matchDomainConstraint(parsedName.(string), constraint.(string)) + }, c.PermittedDNSDomains, c.ExcludedDNSDomains); err != nil { + return err + } + + case nameTypeURI: + name := string(data) + uri, err := url.Parse(name) + if err != nil { + return fmt.Errorf("x509: internal error: URI SAN %q failed to parse", name) + } + + if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "URI", name, uri, + func(parsedName, constraint any) (bool, error) { + return matchURIConstraint(parsedName.(*url.URL), constraint.(string)) + }, c.PermittedURIDomains, c.ExcludedURIDomains); err != nil { + return err + } + + case nameTypeIP: + ip := net.IP(data) + if l := len(ip); l != net.IPv4len && l != net.IPv6len { + return fmt.Errorf("x509: internal error: IP SAN %x failed to parse", data) + } + + if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "IP address", ip.String(), ip, + func(parsedName, constraint any) (bool, error) { + return matchIPConstraint(parsedName.(net.IP), constraint.(*net.IPNet)) + }, c.PermittedIPRanges, c.ExcludedIPRanges); err != nil { + return err + } + + default: + // Unknown SAN types are ignored. + } + + return nil + }) + + if err != nil { + return err + } + } + } + + // KeyUsage status flags are ignored. From Engineering Security, Peter + // Gutmann: A European government CA marked its signing certificates as + // being valid for encryption only, but no-one noticed. Another + // European CA marked its signature keys as not being valid for + // signatures. A different CA marked its own trusted root certificate + // as being invalid for certificate signing. Another national CA + // distributed a certificate to be used to encrypt data for the + // country’s tax authority that was marked as only being usable for + // digital signatures but not for encryption. Yet another CA reversed + // the order of the bit flags in the keyUsage due to confusion over + // encoding endianness, essentially setting a random keyUsage in + // certificates that it issued. Another CA created a self-invalidating + // certificate by adding a certificate policy statement stipulating + // that the certificate had to be used strictly as specified in the + // keyUsage, and a keyUsage containing a flag indicating that the RSA + // encryption key could only be used for Diffie-Hellman key agreement. + + if certType == intermediateCertificate && (!c.BasicConstraintsValid || !c.IsCA) { + return CertificateInvalidError{c, NotAuthorizedToSign, ""} + } + + if c.BasicConstraintsValid && c.MaxPathLen >= 0 { + numIntermediates := len(currentChain) - 1 + if numIntermediates > c.MaxPathLen { + return CertificateInvalidError{c, TooManyIntermediates, ""} + } + } + + return nil +} + +// Verify attempts to verify c by building one or more chains from c to a +// certificate in opts.Roots, using certificates in opts.Intermediates if +// needed. If successful, it returns one or more chains where the first +// element of the chain is c and the last element is from opts.Roots. +// +// If opts.Roots is nil, the platform verifier might be used, and +// verification details might differ from what is described below. If system +// roots are unavailable the returned error will be of type SystemRootsError. +// +// Name constraints in the intermediates will be applied to all names claimed +// in the chain, not just opts.DNSName. Thus it is invalid for a leaf to claim +// example.com if an intermediate doesn't permit it, even if example.com is not +// the name being validated. Note that DirectoryName constraints are not +// supported. +// +// Name constraint validation follows the rules from RFC 5280, with the +// addition that DNS name constraints may use the leading period format +// defined for emails and URIs. When a constraint has a leading period +// it indicates that at least one additional label must be prepended to +// the constrained name to be considered valid. +// +// Extended Key Usage values are enforced nested down a chain, so an intermediate +// or root that enumerates EKUs prevents a leaf from asserting an EKU not in that +// list. (While this is not specified, it is common practice in order to limit +// the types of certificates a CA can issue.) +// +// Certificates that use SHA1WithRSA and ECDSAWithSHA1 signatures are not supported, +// and will not be used to build chains. +// +// Certificates other than c in the returned chains should not be modified. +// +// WARNING: this function doesn't do any revocation checking. +func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*x509.Certificate, err error) { + // Platform-specific verification needs the ASN.1 contents so + // this makes the behavior consistent across platforms. + if len(c.Raw) == 0 { + return nil, errNotParsed + } + for i := 0; i < opts.Intermediates.len(); i++ { + c, _, err := opts.Intermediates.cert(i) + if err != nil { + return nil, fmt.Errorf("crypto/x509: error fetching intermediate: %w", err) + } + if len(c.Raw) == 0 { + return nil, errNotParsed + } + } + + // Use platform verifiers, where available, if Roots is from SystemCertPool. + if runtime.GOOS == "windows" || runtime.GOOS == "darwin" || runtime.GOOS == "ios" { + // Don't use the system verifier if the system pool was replaced with a non-system pool, + // i.e. if SetFallbackRoots was called with x509usefallbackroots=1. + systemPool := systemRootsPool() + if opts.Roots == nil && (systemPool == nil || systemPool.systemPool) { + return c.systemVerify(&opts) + } + if opts.Roots != nil && opts.Roots.systemPool { + platformChains, err := c.systemVerify(&opts) + // If the platform verifier succeeded, or there are no additional + // roots, return the platform verifier result. Otherwise, continue + // with the Go verifier. + if err == nil || opts.Roots.len() == 0 { + return platformChains, err + } + } + } + + if opts.Roots == nil { + opts.Roots = systemRootsPool() + if opts.Roots == nil { + return nil, SystemRootsError{systemRootsErr} + } + } + + err = c.isValid(leafCertificate, nil, &opts) + if err != nil { + return + } + + if len(opts.DNSName) > 0 { + err = c.VerifyHostname(opts.DNSName) + if err != nil { + return + } + } + + var candidateChains [][]*x509.Certificate + if opts.Roots.contains(c) { + candidateChains = [][]*x509.Certificate{{c}} + } else { + candidateChains, err = c.buildChains([]*x509.Certificate{c}, nil, &opts) + if err != nil { + return nil, err + } + } + + if len(opts.KeyUsages) == 0 { + opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth} + } + + for _, eku := range opts.KeyUsages { + if eku == x509.ExtKeyUsageAny { + // If any key usage is acceptable, no need to check the chain for + // key usages. + return candidateChains, nil + } + } + + chains = make([][]*x509.Certificate, 0, len(candidateChains)) + var incompatibleKeyUsageChains, invalidPoliciesChains int + for _, candidate := range candidateChains { + if !checkChainForKeyUsage(candidate, opts.KeyUsages) { + incompatibleKeyUsageChains++ + continue + } + if !policiesValid(candidate, opts) { + invalidPoliciesChains++ + continue + } + chains = append(chains, candidate) + } + if len(chains) == 0 { + var details []string + if incompatibleKeyUsageChains > 0 { + if invalidPoliciesChains == 0 { + return nil, CertificateInvalidError{c, IncompatibleUsage, ""} + } + details = append(details, fmt.Sprintf("%d chains with incompatible key usage", incompatibleKeyUsageChains)) + } + if invalidPoliciesChains > 0 { + details = append(details, fmt.Sprintf("%d chains with invalid policies", invalidPoliciesChains)) + } + err = CertificateInvalidError{c, NoValidChains, strings.Join(details, ", ")} + return nil, err + } + + return chains, nil +} + +func appendToFreshChain(chain []*x509.Certificate, cert *x509.Certificate) []*x509.Certificate { + n := make([]*x509.Certificate, len(chain)+1) + copy(n, chain) + n[len(chain)] = cert + return n +} + +// alreadyInChain checks whether a candidate certificate is present in a chain. +// Rather than doing a direct byte for byte equivalency check, we check if the +// subject, public key, and SAN, if present, are equal. This prevents loops that +// are created by mutual cross-signatures, or other cross-signature bridge +// oddities. +func alreadyInChain(candidate *x509.Certificate, chain []*x509.Certificate) bool { + type pubKeyEqual interface { + Equal(crypto.PublicKey) bool + } + + var candidateSAN *pkix.Extension + for _, ext := range candidate.Extensions { + if ext.Id.Equal(oidExtensionSubjectAltName) { + candidateSAN = &ext + break + } + } + + for _, cert := range chain { + if !bytes.Equal(candidate.RawSubject, cert.RawSubject) { + continue + } + if !candidate.PublicKey.(pubKeyEqual).Equal(cert.PublicKey) { + continue + } + var certSAN *pkix.Extension + for _, ext := range cert.Extensions { + if ext.Id.Equal(oidExtensionSubjectAltName) { + certSAN = &ext + break + } + } + if candidateSAN == nil && certSAN == nil { + return true + } else if candidateSAN == nil || certSAN == nil { + return false + } + if bytes.Equal(candidateSAN.Value, certSAN.Value) { + return true + } + } + return false +} + +// maxChainSignatureChecks is the maximum number of CheckSignatureFrom calls +// that an invocation of buildChains will (transitively) make. Most chains are +// less than 15 certificates long, so this leaves space for multiple chains and +// for failed checks due to different intermediates having the same Subject. +const maxChainSignatureChecks = 100 + +func (c *Certificate) buildChains(currentChain []*x509.Certificate, sigChecks *int, opts *VerifyOptions) (chains [][]*x509.Certificate, err error) { + var ( + hintErr error + hintCert *x509.Certificate + ) + + considerCandidate := func(certType int, candidate potentialParent) { + if candidate.cert.PublicKey == nil || alreadyInChain(candidate.cert, currentChain) { + return + } + + if sigChecks == nil { + sigChecks = new(int) + } + *sigChecks++ + if *sigChecks > maxChainSignatureChecks { + err = errors.New("x509: signature check attempts limit reached while verifying certificate chain") + return + } + + if err := c.CheckSignatureFrom(candidate.cert); err != nil { + if hintErr == nil { + hintErr = err + hintCert = candidate.cert + } + return + } + + err = candidate.cert.isValid(certType, currentChain, opts) + if err != nil { + if hintErr == nil { + hintErr = err + hintCert = candidate.cert + } + return + } + + if candidate.constraint != nil { + if err := candidate.constraint(currentChain); err != nil { + if hintErr == nil { + hintErr = err + hintCert = candidate.cert + } + return + } + } + + switch certType { + case rootCertificate: + chains = append(chains, appendToFreshChain(currentChain, candidate.cert)) + case intermediateCertificate: + var childChains [][]*x509.Certificate + childChains, err = candidate.cert.buildChains(appendToFreshChain(currentChain, candidate.cert), sigChecks, opts) + chains = append(chains, childChains...) + } + } + + for _, root := range opts.Roots.findPotentialParents(c) { + considerCandidate(rootCertificate, root) + } + for _, intermediate := range opts.Intermediates.findPotentialParents(c) { + considerCandidate(intermediateCertificate, intermediate) + } + + if len(chains) > 0 { + err = nil + } + if len(chains) == 0 && err == nil { + err = UnknownAuthorityError{c, hintErr, hintCert} + } + + return +} + +func validHostnamePattern(host string) bool { return validHostname(host, true) } +func validHostnameInput(host string) bool { return validHostname(host, false) } + +// validHostname reports whether host is a valid hostname that can be matched or +// matched against according to RFC 6125 2.2, with some leniency to accommodate +// legacy values. +func validHostname(host string, isPattern bool) bool { + if !isPattern { + host = strings.TrimSuffix(host, ".") + } + if len(host) == 0 { + return false + } + if host == "*" { + // Bare wildcards are not allowed, they are not valid DNS names, + // nor are they allowed per RFC 6125. + return false + } + + for i, part := range strings.Split(host, ".") { + if part == "" { + // Empty label. + return false + } + if isPattern && i == 0 && part == "*" { + // Only allow full left-most wildcards, as those are the only ones + // we match, and matching literal '*' characters is probably never + // the expected behavior. + continue + } + for j, c := range part { + if 'a' <= c && c <= 'z' { + continue + } + if '0' <= c && c <= '9' { + continue + } + if 'A' <= c && c <= 'Z' { + continue + } + if c == '-' && j != 0 { + continue + } + if c == '_' { + // Not a valid character in hostnames, but commonly + // found in deployments outside the WebPKI. + continue + } + return false + } + } + + return true +} + +func matchExactly(hostA, hostB string) bool { + if hostA == "" || hostA == "." || hostB == "" || hostB == "." { + return false + } + return toLowerCaseASCII(hostA) == toLowerCaseASCII(hostB) +} + +func matchHostnames(pattern, host string) bool { + pattern = toLowerCaseASCII(pattern) + host = toLowerCaseASCII(strings.TrimSuffix(host, ".")) + + if len(pattern) == 0 || len(host) == 0 { + return false + } + + patternParts := strings.Split(pattern, ".") + hostParts := strings.Split(host, ".") + + if len(patternParts) != len(hostParts) { + return false + } + + for i, patternPart := range patternParts { + if i == 0 && patternPart == "*" { + continue + } + if patternPart != hostParts[i] { + return false + } + } + + return true +} + +// toLowerCaseASCII returns a lower-case version of in. See RFC 6125 6.4.1. We use +// an explicitly ASCII function to avoid any sharp corners resulting from +// performing Unicode operations on DNS labels. +func toLowerCaseASCII(in string) string { + // If the string is already lower-case then there's nothing to do. + isAlreadyLowerCase := true + for _, c := range in { + if c == utf8.RuneError { + // If we get a UTF-8 error then there might be + // upper-case ASCII bytes in the invalid sequence. + isAlreadyLowerCase = false + break + } + if 'A' <= c && c <= 'Z' { + isAlreadyLowerCase = false + break + } + } + + if isAlreadyLowerCase { + return in + } + + out := []byte(in) + for i, c := range out { + if 'A' <= c && c <= 'Z' { + out[i] += 'a' - 'A' + } + } + return string(out) +} + +// VerifyHostname returns nil if c is a valid certificate for the named host. +// Otherwise it returns an error describing the mismatch. +// +// IP addresses can be optionally enclosed in square brackets and are checked +// against the IPAddresses field. Other names are checked case insensitively +// against the DNSNames field. If the names are valid hostnames, the certificate +// fields can have a wildcard as the complete left-most label (e.g. *.example.com). +// +// Note that the legacy Common Name field is ignored. +func (c *Certificate) VerifyHostname(h string) error { + // IP addresses may be written in [ ]. + candidateIP := h + if len(h) >= 3 && h[0] == '[' && h[len(h)-1] == ']' { + candidateIP = h[1 : len(h)-1] + } + if ip := net.ParseIP(candidateIP); ip != nil { + // We only match IP addresses against IP SANs. + // See RFC 6125, Appendix B.2. + for _, candidate := range c.IPAddresses { + if ip.Equal(candidate) { + return nil + } + } + return HostnameError{c, candidateIP} + } + + candidateName := toLowerCaseASCII(h) // Save allocations inside the loop. + validCandidateName := validHostnameInput(candidateName) + + for _, match := range c.DNSNames { + // Ideally, we'd only match valid hostnames according to RFC 6125 like + // browsers (more or less) do, but in practice Go is used in a wider + // array of contexts and can't even assume DNS resolution. Instead, + // always allow perfect matches, and only apply wildcard and trailing + // dot processing to valid hostnames. + if validCandidateName && validHostnamePattern(match) { + if matchHostnames(match, candidateName) { + return nil + } + } else { + if matchExactly(match, candidateName) { + return nil + } + } + } + + return HostnameError{c, h} +} + +func checkChainForKeyUsage(chain []*x509.Certificate, keyUsages []x509.ExtKeyUsage) bool { + usages := make([]x509.ExtKeyUsage, len(keyUsages)) + copy(usages, keyUsages) + + if len(chain) == 0 { + return false + } + + usagesRemaining := len(usages) + + // We walk down the list and cross out any usages that aren't supported + // by each certificate. If we cross out all the usages, then the chain + // is unacceptable. + +NextCert: + for i := len(chain) - 1; i >= 0; i-- { + cert := chain[i] + if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 { + // The certificate doesn't have any extended key usage specified. + continue + } + + for _, usage := range cert.ExtKeyUsage { + if usage == x509.ExtKeyUsageAny { + // The certificate is explicitly good for any usage. + continue NextCert + } + } + + const invalidUsage x509.ExtKeyUsage = -1 + + NextRequestedUsage: + for i, requestedUsage := range usages { + if requestedUsage == invalidUsage { + continue + } + + for _, usage := range cert.ExtKeyUsage { + if requestedUsage == usage { + continue NextRequestedUsage + } + } + + usages[i] = invalidUsage + usagesRemaining-- + if usagesRemaining == 0 { + return false + } + } + } + + return true +} + +func mustNewOIDFromInts(ints []uint64) x509.OID { + oid, err := x509.OIDFromInts(ints) + if err != nil { + panic(fmt.Sprintf("OIDFromInts(%v) unexpected error: %v", ints, err)) + } + return oid +} + +type policyGraphNode struct { + validPolicy x509.OID + expectedPolicySet []x509.OID + // we do not implement qualifiers, so we don't track qualifier_set + + parents map[*policyGraphNode]bool + children map[*policyGraphNode]bool +} + +func newPolicyGraphNode(valid x509.OID, parents []*policyGraphNode) *policyGraphNode { + n := &policyGraphNode{ + validPolicy: valid, + expectedPolicySet: []x509.OID{valid}, + children: map[*policyGraphNode]bool{}, + parents: map[*policyGraphNode]bool{}, + } + for _, p := range parents { + p.children[n] = true + n.parents[p] = true + } + return n +} + +type policyGraph struct { + strata []map[string]*policyGraphNode + // map of OID -> nodes at strata[depth-1] with OID in their expectedPolicySet + parentIndex map[string][]*policyGraphNode + depth int +} + +var anyPolicyOID = mustNewOIDFromInts([]uint64{2, 5, 29, 32, 0}) + +func newPolicyGraph() *policyGraph { + root := policyGraphNode{ + validPolicy: anyPolicyOID, + expectedPolicySet: []x509.OID{anyPolicyOID}, + children: map[*policyGraphNode]bool{}, + parents: map[*policyGraphNode]bool{}, + } + return &policyGraph{ + depth: 0, + strata: []map[string]*policyGraphNode{{string(anyPolicyOID.der): &root}}, + } +} + +func (pg *policyGraph) insert(n *policyGraphNode) { + pg.strata[pg.depth][string(n.validPolicy.der)] = n +} + +func (pg *policyGraph) parentsWithExpected(expected OID) []*policyGraphNode { + if pg.depth == 0 { + return nil + } + return pg.parentIndex[string(expected.der)] +} + +func (pg *policyGraph) parentWithAnyPolicy() *policyGraphNode { + if pg.depth == 0 { + return nil + } + return pg.strata[pg.depth-1][string(anyPolicyOID.der)] +} + +func (pg *policyGraph) parents() iter.Seq[*policyGraphNode] { + if pg.depth == 0 { + return nil + } + return maps.Values(pg.strata[pg.depth-1]) +} + +func (pg *policyGraph) leaves() map[string]*policyGraphNode { + return pg.strata[pg.depth] +} + +func (pg *policyGraph) leafWithPolicy(policy x509.OID) *policyGraphNode { + return pg.strata[pg.depth][string(policy.der)] +} + +func (pg *policyGraph) deleteLeaf(policy x509.OID) { + n := pg.strata[pg.depth][string(policy.der)] + if n == nil { + return + } + for p := range n.parents { + delete(p.children, n) + } + for c := range n.children { + delete(c.parents, n) + } + delete(pg.strata[pg.depth], string(policy.der)) +} + +func (pg *policyGraph) validPolicyNodes() []*policyGraphNode { + var validNodes []*policyGraphNode + for i := pg.depth; i >= 0; i-- { + for _, n := range pg.strata[i] { + if n.validPolicy.Equal(anyPolicyOID) { + continue + } + + if len(n.parents) == 1 { + for p := range n.parents { + if p.validPolicy.Equal(anyPolicyOID) { + validNodes = append(validNodes, n) + } + } + } + } + } + return validNodes +} + +func (pg *policyGraph) prune() { + for i := pg.depth - 1; i > 0; i-- { + for _, n := range pg.strata[i] { + if len(n.children) == 0 { + for p := range n.parents { + delete(p.children, n) + } + delete(pg.strata[i], string(n.validPolicy.der)) + } + } + } +} + +func (pg *policyGraph) incrDepth() { + pg.parentIndex = map[string][]*policyGraphNode{} + for _, n := range pg.strata[pg.depth] { + for _, e := range n.expectedPolicySet { + pg.parentIndex[string(e.der)] = append(pg.parentIndex[string(e.der)], n) + } + } + + pg.depth++ + pg.strata = append(pg.strata, map[string]*policyGraphNode{}) +} + +func policiesValid(chain []*x509.Certificate, opts VerifyOptions) bool { + // The following code implements the policy verification algorithm as + // specified in RFC 5280 and updated by RFC 9618. In particular the + // following sections are replaced by RFC 9618: + // * 6.1.2 (a) + // * 6.1.3 (d) + // * 6.1.3 (e) + // * 6.1.3 (f) + // * 6.1.4 (b) + // * 6.1.5 (g) + + if len(chain) == 1 { + return true + } + + // n is the length of the chain minus the trust anchor + n := len(chain) - 1 + + pg := newPolicyGraph() + var inhibitAnyPolicy, explicitPolicy, policyMapping int + if !opts.inhibitAnyPolicy { + inhibitAnyPolicy = n + 1 + } + if !opts.requireExplicitPolicy { + explicitPolicy = n + 1 + } + if !opts.inhibitPolicyMapping { + policyMapping = n + 1 + } + + initialUserPolicySet := map[string]bool{} + for _, p := range opts.CertificatePolicies { + initialUserPolicySet[string(p.der)] = true + } + // If the user does not pass any policies, we consider + // that equivalent to passing anyPolicyOID. + if len(initialUserPolicySet) == 0 { + initialUserPolicySet[string(anyPolicyOID.der)] = true + } + + for i := n - 1; i >= 0; i-- { + cert := chain[i] + + isSelfSigned := bytes.Equal(cert.RawIssuer, cert.RawSubject) + + // 6.1.3 (e) -- as updated by RFC 9618 + if len(cert.Policies) == 0 { + pg = nil + } + + // 6.1.3 (f) -- as updated by RFC 9618 + if explicitPolicy == 0 && pg == nil { + return false + } + + if pg != nil { + pg.incrDepth() + + policies := map[string]bool{} + + // 6.1.3 (d) (1) -- as updated by RFC 9618 + for _, policy := range cert.Policies { + policies[string(policy.der)] = true + + if policy.Equal(anyPolicyOID) { + continue + } + + // 6.1.3 (d) (1) (i) -- as updated by RFC 9618 + parents := pg.parentsWithExpected(policy) + if len(parents) == 0 { + // 6.1.3 (d) (1) (ii) -- as updated by RFC 9618 + if anyParent := pg.parentWithAnyPolicy(); anyParent != nil { + parents = []*policyGraphNode{anyParent} + } + } + if len(parents) > 0 { + pg.insert(newPolicyGraphNode(policy, parents)) + } + } + + // 6.1.3 (d) (2) -- as updated by RFC 9618 + // NOTE: in the check "n-i < n" our i is different from the i in the specification. + // In the specification chains go from the trust anchor to the leaf, whereas our + // chains go from the leaf to the trust anchor, so our i's our inverted. Our + // check here matches the check "i < n" in the specification. + if policies[string(anyPolicyOID.der)] && (inhibitAnyPolicy > 0 || (n-i < n && isSelfSigned)) { + missing := map[string][]*policyGraphNode{} + leaves := pg.leaves() + for p := range pg.parents() { + for _, expected := range p.expectedPolicySet { + if leaves[string(expected.der)] == nil { + missing[string(expected.der)] = append(missing[string(expected.der)], p) + } + } + } + + for oidStr, parents := range missing { + pg.insert(newPolicyGraphNode(x509.OID{der: []byte(oidStr)}, parents)) + } + } + + // 6.1.3 (d) (3) -- as updated by RFC 9618 + pg.prune() + + if i != 0 { + // 6.1.4 (b) -- as updated by RFC 9618 + if len(cert.PolicyMappings) > 0 { + // collect map of issuer -> []subject + mappings := map[string][]x509.OID{} + + for _, mapping := range cert.PolicyMappings { + if policyMapping > 0 { + if mapping.IssuerDomainPolicy.Equal(anyPolicyOID) || mapping.SubjectDomainPolicy.Equal(anyPolicyOID) { + // Invalid mapping + return false + } + mappings[string(mapping.IssuerDomainPolicy.der)] = append(mappings[string(mapping.IssuerDomainPolicy.der)], mapping.SubjectDomainPolicy) + } else { + // 6.1.4 (b) (3) (i) -- as updated by RFC 9618 + pg.deleteLeaf(mapping.IssuerDomainPolicy) + + // 6.1.4 (b) (3) (ii) -- as updated by RFC 9618 + pg.prune() + } + } + + for issuerStr, subjectPolicies := range mappings { + // 6.1.4 (b) (1) -- as updated by RFC 9618 + if matching := pg.leafWithPolicy(x509.OID{der: []byte(issuerStr)}); matching != nil { + matching.expectedPolicySet = subjectPolicies + } else if matching := pg.leafWithPolicy(anyPolicyOID); matching != nil { + // 6.1.4 (b) (2) -- as updated by RFC 9618 + n := newPolicyGraphNode(x509.OID{der: []byte(issuerStr)}, []*policyGraphNode{matching}) + n.expectedPolicySet = subjectPolicies + pg.insert(n) + } + } + } + } + } + + if i != 0 { + // 6.1.4 (h) + if !isSelfSigned { + if explicitPolicy > 0 { + explicitPolicy-- + } + if policyMapping > 0 { + policyMapping-- + } + if inhibitAnyPolicy > 0 { + inhibitAnyPolicy-- + } + } + + // 6.1.4 (i) + if (cert.RequireExplicitPolicy > 0 || cert.RequireExplicitPolicyZero) && cert.RequireExplicitPolicy < explicitPolicy { + explicitPolicy = cert.RequireExplicitPolicy + } + if (cert.InhibitPolicyMapping > 0 || cert.InhibitPolicyMappingZero) && cert.InhibitPolicyMapping < policyMapping { + policyMapping = cert.InhibitPolicyMapping + } + // 6.1.4 (j) + if (cert.InhibitAnyPolicy > 0 || cert.InhibitAnyPolicyZero) && cert.InhibitAnyPolicy < inhibitAnyPolicy { + inhibitAnyPolicy = cert.InhibitAnyPolicy + } + } + } + + // 6.1.5 (a) + if explicitPolicy > 0 { + explicitPolicy-- + } + + // 6.1.5 (b) + if chain[0].RequireExplicitPolicyZero { + explicitPolicy = 0 + } + + // 6.1.5 (g) (1) -- as updated by RFC 9618 + var validPolicyNodeSet []*policyGraphNode + // 6.1.5 (g) (2) -- as updated by RFC 9618 + if pg != nil { + validPolicyNodeSet = pg.validPolicyNodes() + // 6.1.5 (g) (3) -- as updated by RFC 9618 + if currentAny := pg.leafWithPolicy(anyPolicyOID); currentAny != nil { + validPolicyNodeSet = append(validPolicyNodeSet, currentAny) + } + } + + // 6.1.5 (g) (4) -- as updated by RFC 9618 + authorityConstrainedPolicySet := map[string]bool{} + for _, n := range validPolicyNodeSet { + authorityConstrainedPolicySet[string(n.validPolicy.der)] = true + } + // 6.1.5 (g) (5) -- as updated by RFC 9618 + userConstrainedPolicySet := maps.Clone(authorityConstrainedPolicySet) + // 6.1.5 (g) (6) -- as updated by RFC 9618 + if len(initialUserPolicySet) != 1 || !initialUserPolicySet[string(anyPolicyOID.der)] { + // 6.1.5 (g) (6) (i) -- as updated by RFC 9618 + for p := range userConstrainedPolicySet { + if !initialUserPolicySet[p] { + delete(userConstrainedPolicySet, p) + } + } + // 6.1.5 (g) (6) (ii) -- as updated by RFC 9618 + if authorityConstrainedPolicySet[string(anyPolicyOID.der)] { + for policy := range initialUserPolicySet { + userConstrainedPolicySet[policy] = true + } + } + } + + if explicitPolicy == 0 && len(userConstrainedPolicySet) == 0 { + return false + } + + return true +} From a296e5ebf8b5b55919f40939872336f9d3b8673b Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 10:19:43 +0000 Subject: [PATCH 16/39] c.checkNameConstraints --> checkNameConstraints(c) --- internal/x509util/verify.go | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index e6345412..b509266f 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -535,7 +535,8 @@ func matchDomainConstraint(domain, constraint string) (bool, error) { // form of name, suitable for passing to the match function. The total number // of comparisons is tracked in the given count and should not exceed the given // limit. -func (c *Certificate) checkNameConstraints(count *int, +func checkNameConstraints(c *x509.Certificate, + count *int, maxConstraintComparisons int, nameType string, name string, @@ -652,7 +653,7 @@ func (c *Certificate) isValid(certType int, currentChain []*x509.Certificate, op return fmt.Errorf("x509: cannot parse rfc822Name %q", mailbox) } - if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "email address", name, mailbox, + if err := checkNameConstraints(c, &comparisonCount, maxConstraintComparisons, "email address", name, mailbox, func(parsedName, constraint any) (bool, error) { return matchEmailConstraint(parsedName.(rfc2821Mailbox), constraint.(string)) }, c.PermittedEmailAddresses, c.ExcludedEmailAddresses); err != nil { @@ -665,7 +666,7 @@ func (c *Certificate) isValid(certType int, currentChain []*x509.Certificate, op return fmt.Errorf("x509: cannot parse dnsName %q", name) } - if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "DNS name", name, name, + if err := checkNameConstraints(c, &comparisonCount, maxConstraintComparisons, "DNS name", name, name, func(parsedName, constraint any) (bool, error) { return matchDomainConstraint(parsedName.(string), constraint.(string)) }, c.PermittedDNSDomains, c.ExcludedDNSDomains); err != nil { @@ -679,7 +680,7 @@ func (c *Certificate) isValid(certType int, currentChain []*x509.Certificate, op return fmt.Errorf("x509: internal error: URI SAN %q failed to parse", name) } - if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "URI", name, uri, + if err := checkNameConstraints(c, &comparisonCount, maxConstraintComparisons, "URI", name, uri, func(parsedName, constraint any) (bool, error) { return matchURIConstraint(parsedName.(*url.URL), constraint.(string)) }, c.PermittedURIDomains, c.ExcludedURIDomains); err != nil { @@ -692,7 +693,7 @@ func (c *Certificate) isValid(certType int, currentChain []*x509.Certificate, op return fmt.Errorf("x509: internal error: IP SAN %x failed to parse", data) } - if err := c.checkNameConstraints(&comparisonCount, maxConstraintComparisons, "IP address", ip.String(), ip, + if err := checkNameConstraints(c, &comparisonCount, maxConstraintComparisons, "IP address", ip.String(), ip, func(parsedName, constraint any) (bool, error) { return matchIPConstraint(parsedName.(net.IP), constraint.(*net.IPNet)) }, c.PermittedIPRanges, c.ExcludedIPRanges); err != nil { From f4fc9745287c4d165fd735fdeeb2cd591d3598d6 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 10:21:00 +0000 Subject: [PATCH 17/39] c.isValid --> isValid(c) --- internal/x509util/verify.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index b509266f..0fe9697f 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -593,7 +593,7 @@ func checkNameConstraints(c *x509.Certificate, // isValid performs validity checks on c given that it is a candidate to append // to the chain in currentChain. -func (c *Certificate) isValid(certType int, currentChain []*x509.Certificate, opts *VerifyOptions) error { +func isValid(c *x509.Certificate, certType int, currentChain []*x509.Certificate, opts *VerifyOptions) error { if len(c.UnhandledCriticalExtensions) > 0 { return x509.UnhandledCriticalExtension{} } @@ -818,7 +818,7 @@ func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*x509.Certificate, } } - err = c.isValid(leafCertificate, nil, &opts) + err = isValid(c, leafCertificate, nil, &opts) if err != nil { return } @@ -968,7 +968,7 @@ func (c *Certificate) buildChains(currentChain []*x509.Certificate, sigChecks *i return } - err = candidate.cert.isValid(certType, currentChain, opts) + err = isValid(candidate.cert, certType, currentChain, opts) if err != nil { if hintErr == nil { hintErr = err From bb60b2d20af657490687b77bc1207b3ca8741247 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 10:21:52 +0000 Subject: [PATCH 18/39] c.Verify --> Verify(c) --- internal/x509util/verify.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index 0fe9697f..7f23315a 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -776,7 +776,7 @@ func isValid(c *x509.Certificate, certType int, currentChain []*x509.Certificate // Certificates other than c in the returned chains should not be modified. // // WARNING: this function doesn't do any revocation checking. -func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*x509.Certificate, err error) { +func Verify(c *x509.Certificate, opts VerifyOptions) (chains [][]*x509.Certificate, err error) { // Platform-specific verification needs the ASN.1 contents so // this makes the behavior consistent across platforms. if len(c.Raw) == 0 { From 3c1a9387937de486f4b687b0d367a5f7ebb7d139 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 10:23:19 +0000 Subject: [PATCH 19/39] c.buildChains --> buildChains(c) --- internal/x509util/verify.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index 7f23315a..f4165a07 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -834,7 +834,7 @@ func Verify(c *x509.Certificate, opts VerifyOptions) (chains [][]*x509.Certifica if opts.Roots.contains(c) { candidateChains = [][]*x509.Certificate{{c}} } else { - candidateChains, err = c.buildChains([]*x509.Certificate{c}, nil, &opts) + candidateChains, err = buildChains(c, []*x509.Certificate{c}, nil, &opts) if err != nil { return nil, err } @@ -940,7 +940,7 @@ func alreadyInChain(candidate *x509.Certificate, chain []*x509.Certificate) bool // for failed checks due to different intermediates having the same Subject. const maxChainSignatureChecks = 100 -func (c *Certificate) buildChains(currentChain []*x509.Certificate, sigChecks *int, opts *VerifyOptions) (chains [][]*x509.Certificate, err error) { +func buildChains(c *x509.Certificate, currentChain []*x509.Certificate, sigChecks *int, opts *VerifyOptions) (chains [][]*x509.Certificate, err error) { var ( hintErr error hintCert *x509.Certificate @@ -992,7 +992,7 @@ func (c *Certificate) buildChains(currentChain []*x509.Certificate, sigChecks *i chains = append(chains, appendToFreshChain(currentChain, candidate.cert)) case intermediateCertificate: var childChains [][]*x509.Certificate - childChains, err = candidate.cert.buildChains(appendToFreshChain(currentChain, candidate.cert), sigChecks, opts) + childChains, err = buildChains(candidate.cert, appendToFreshChain(currentChain, candidate.cert), sigChecks, opts) chains = append(chains, childChains...) } } From a20663f4c117d596c1485d93cf4c569dd83b2b7f Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 10:27:55 +0000 Subject: [PATCH 20/39] c.VerifyHostName --> VerifyHostName(c) --- internal/x509util/verify.go | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index f4165a07..86daf462 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -824,7 +824,7 @@ func Verify(c *x509.Certificate, opts VerifyOptions) (chains [][]*x509.Certifica } if len(opts.DNSName) > 0 { - err = c.VerifyHostname(opts.DNSName) + err = VerifyHostname(c, opts.DNSName) if err != nil { return } @@ -1144,7 +1144,9 @@ func toLowerCaseASCII(in string) string { // fields can have a wildcard as the complete left-most label (e.g. *.example.com). // // Note that the legacy Common Name field is ignored. -func (c *Certificate) VerifyHostname(h string) error { +// TODO(phboneff): can we simply use the exported x509 one? Otherwise make this +// one private. +func VerifyHostname(c *x509.Certificate, h string) error { // IP addresses may be written in [ ]. candidateIP := h if len(h) >= 3 && h[0] == '[' && h[len(h)-1] == ']' { From 84cdf2e6abb98cdbfcaae3081ce7eb54b0078de8 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 10:52:14 +0000 Subject: [PATCH 21/39] delete UnhandledCriticalExtensions --- internal/x509util/verify.go | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index 86daf462..5ec52052 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -594,10 +594,12 @@ func checkNameConstraints(c *x509.Certificate, // isValid performs validity checks on c given that it is a candidate to append // to the chain in currentChain. func isValid(c *x509.Certificate, certType int, currentChain []*x509.Certificate, opts *VerifyOptions) error { - if len(c.UnhandledCriticalExtensions) > 0 { - return x509.UnhandledCriticalExtension{} - } - + // UnhandledCriticalExtension check deleted. + // Precertificates have the poison extension which the Go library code does + // not recognize; also the Go library code does not support the standard + // PolicyConstraints extension (which is required to be marked critical, RFC + // 5280 s4.2.1.11) + // TODO(phboneff): re-evaluate whether PolicyConstraints is still an issue. if len(currentChain) > 0 { child := currentChain[len(currentChain)-1] if !bytes.Equal(child.RawIssuer, c.RawSubject) { From 007487b967d54d3140edd5581a8f5d38cfea5d98 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 10:53:52 +0000 Subject: [PATCH 22/39] add TODO --- internal/x509util/verify.go | 1 + 1 file changed, 1 insertion(+) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index 5ec52052..6c189e6e 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -65,6 +65,7 @@ const ( // CertificateInvalidError results when an odd error occurs. Users of this // library probably want to handle all these errors uniformly. +// TODO(phboneff): consider using the x509 one. type CertificateInvalidError struct { Cert *x509.Certificate Reason InvalidReason From 0f8b59ec4910507fbc3faa4b2cb0c6d2f7a6d727 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 10:55:47 +0000 Subject: [PATCH 23/39] delete TooManyIntermediates --- internal/x509util/verify.go | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index 6c189e6e..9e664e8f 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -737,12 +737,9 @@ func isValid(c *x509.Certificate, certType int, currentChain []*x509.Certificate return CertificateInvalidError{c, NotAuthorizedToSign, ""} } - if c.BasicConstraintsValid && c.MaxPathLen >= 0 { - numIntermediates := len(currentChain) - 1 - if numIntermediates > c.MaxPathLen { - return CertificateInvalidError{c, TooManyIntermediates, ""} - } - } + // TooManyIntermediates check deleted. + // Path length checks get confused by the presence of an additional + // pre-issuer intermediate. return nil } From cf8d3af196e9945defe9627b8d67991da6547846 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 11:02:28 +0000 Subject: [PATCH 24/39] delete CANotAuthorizedForThisName --- internal/x509util/verify.go | 150 ++---------------------------------- 1 file changed, 5 insertions(+), 145 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index 9e664e8f..ec370f00 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -15,7 +15,6 @@ import ( "maps" "net" "net/url" - "reflect" "runtime" "strings" "time" @@ -531,67 +530,6 @@ func matchDomainConstraint(domain, constraint string) (bool, error) { return true, nil } -// checkNameConstraints checks that c permits a child certificate to claim the -// given name, of type nameType. The argument parsedName contains the parsed -// form of name, suitable for passing to the match function. The total number -// of comparisons is tracked in the given count and should not exceed the given -// limit. -func checkNameConstraints(c *x509.Certificate, - count *int, - maxConstraintComparisons int, - nameType string, - name string, - parsedName any, - match func(parsedName, constraint any) (match bool, err error), - permitted, excluded any) error { - - excludedValue := reflect.ValueOf(excluded) - - *count += excludedValue.Len() - if *count > maxConstraintComparisons { - return CertificateInvalidError{c, TooManyConstraints, ""} - } - - for i := 0; i < excludedValue.Len(); i++ { - constraint := excludedValue.Index(i).Interface() - match, err := match(parsedName, constraint) - if err != nil { - return CertificateInvalidError{c, CANotAuthorizedForThisName, err.Error()} - } - - if match { - return CertificateInvalidError{c, CANotAuthorizedForThisName, fmt.Sprintf("%s %q is excluded by constraint %q", nameType, name, constraint)} - } - } - - permittedValue := reflect.ValueOf(permitted) - - *count += permittedValue.Len() - if *count > maxConstraintComparisons { - return CertificateInvalidError{c, TooManyConstraints, ""} - } - - ok := true - for i := 0; i < permittedValue.Len(); i++ { - constraint := permittedValue.Index(i).Interface() - - var err error - if ok, err = match(parsedName, constraint); err != nil { - return CertificateInvalidError{c, CANotAuthorizedForThisName, err.Error()} - } - - if ok { - break - } - } - - if !ok { - return CertificateInvalidError{c, CANotAuthorizedForThisName, fmt.Sprintf("%s %q is not permitted by any constraint", nameType, name)} - } - - return nil -} - // isValid performs validity checks on c given that it is a candidate to append // to the chain in currentChain. func isValid(c *x509.Certificate, certType int, currentChain []*x509.Certificate, opts *VerifyOptions) error { @@ -626,95 +564,17 @@ func isValid(c *x509.Certificate, certType int, currentChain []*x509.Certificate } } - maxConstraintComparisons := opts.MaxConstraintComparisions - if maxConstraintComparisons == 0 { - maxConstraintComparisons = 250000 - } - comparisonCount := 0 - if certType == intermediateCertificate || certType == rootCertificate { if len(currentChain) == 0 { return errors.New("x509: internal error: empty chain when appending CA cert") } } - if (certType == intermediateCertificate || certType == rootCertificate) && - c.hasNameConstraints() { - toCheck := []*x509.Certificate{} - for _, c := range currentChain { - if c.hasSANExtension() { - toCheck = append(toCheck, c) - } - } - for _, sanCert := range toCheck { - err := forEachSAN(sanCert.getSANExtension(), func(tag int, data []byte) error { - switch tag { - case nameTypeEmail: - name := string(data) - mailbox, ok := parseRFC2821Mailbox(name) - if !ok { - return fmt.Errorf("x509: cannot parse rfc822Name %q", mailbox) - } - - if err := checkNameConstraints(c, &comparisonCount, maxConstraintComparisons, "email address", name, mailbox, - func(parsedName, constraint any) (bool, error) { - return matchEmailConstraint(parsedName.(rfc2821Mailbox), constraint.(string)) - }, c.PermittedEmailAddresses, c.ExcludedEmailAddresses); err != nil { - return err - } - - case nameTypeDNS: - name := string(data) - if _, ok := domainToReverseLabels(name); !ok { - return fmt.Errorf("x509: cannot parse dnsName %q", name) - } - - if err := checkNameConstraints(c, &comparisonCount, maxConstraintComparisons, "DNS name", name, name, - func(parsedName, constraint any) (bool, error) { - return matchDomainConstraint(parsedName.(string), constraint.(string)) - }, c.PermittedDNSDomains, c.ExcludedDNSDomains); err != nil { - return err - } - - case nameTypeURI: - name := string(data) - uri, err := url.Parse(name) - if err != nil { - return fmt.Errorf("x509: internal error: URI SAN %q failed to parse", name) - } - - if err := checkNameConstraints(c, &comparisonCount, maxConstraintComparisons, "URI", name, uri, - func(parsedName, constraint any) (bool, error) { - return matchURIConstraint(parsedName.(*url.URL), constraint.(string)) - }, c.PermittedURIDomains, c.ExcludedURIDomains); err != nil { - return err - } - - case nameTypeIP: - ip := net.IP(data) - if l := len(ip); l != net.IPv4len && l != net.IPv6len { - return fmt.Errorf("x509: internal error: IP SAN %x failed to parse", data) - } - - if err := checkNameConstraints(c, &comparisonCount, maxConstraintComparisons, "IP address", ip.String(), ip, - func(parsedName, constraint any) (bool, error) { - return matchIPConstraint(parsedName.(net.IP), constraint.(*net.IPNet)) - }, c.PermittedIPRanges, c.ExcludedIPRanges); err != nil { - return err - } - - default: - // Unknown SAN types are ignored. - } - - return nil - }) - - if err != nil { - return err - } - } - } + // CANotAuthorizedForThisName check deleted. + // Allow to log all certificates, even if they have been isued by a CA that + // is not auhotized to issue certs for a given domain. + // TODO(phboneff): check whether we can add this constraint back to be closer + // to the x509 library. // KeyUsage status flags are ignored. From Engineering Security, Peter // Gutmann: A European government CA marked its signing certificates as From 6e69aef75d519124af97e88fd55c7340141db382 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 11:58:45 +0000 Subject: [PATCH 25/39] delete EKU and Policy chain checks --- internal/x509util/verify.go | 26 ++------------------------ 1 file changed, 2 insertions(+), 24 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index ec370f00..f3782091 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -712,35 +712,13 @@ func Verify(c *x509.Certificate, opts VerifyOptions) (chains [][]*x509.Certifica } } - chains = make([][]*x509.Certificate, 0, len(candidateChains)) - var incompatibleKeyUsageChains, invalidPoliciesChains int - for _, candidate := range candidateChains { - if !checkChainForKeyUsage(candidate, opts.KeyUsages) { - incompatibleKeyUsageChains++ - continue - } - if !policiesValid(candidate, opts) { - invalidPoliciesChains++ - continue - } - chains = append(chains, candidate) - } - if len(chains) == 0 { + if len(candidateChains) == 0 { var details []string - if incompatibleKeyUsageChains > 0 { - if invalidPoliciesChains == 0 { - return nil, CertificateInvalidError{c, IncompatibleUsage, ""} - } - details = append(details, fmt.Sprintf("%d chains with incompatible key usage", incompatibleKeyUsageChains)) - } - if invalidPoliciesChains > 0 { - details = append(details, fmt.Sprintf("%d chains with invalid policies", invalidPoliciesChains)) - } err = CertificateInvalidError{c, NoValidChains, strings.Join(details, ", ")} return nil, err } - return chains, nil + return candidateChains, nil } func appendToFreshChain(chain []*x509.Certificate, cert *x509.Certificate) []*x509.Certificate { From 372a3ebafc457cb5a76b4bfd068e44a794cd92fe Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 12:00:34 +0000 Subject: [PATCH 26/39] delete unused code --- internal/x509util/verify.go | 422 ------------------------------------ 1 file changed, 422 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index f3782091..b527545f 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -11,8 +11,6 @@ import ( "crypto/x509/pkix" "errors" "fmt" - "iter" - "maps" "net" "net/url" "runtime" @@ -1023,423 +1021,3 @@ func VerifyHostname(c *x509.Certificate, h string) error { return HostnameError{c, h} } - -func checkChainForKeyUsage(chain []*x509.Certificate, keyUsages []x509.ExtKeyUsage) bool { - usages := make([]x509.ExtKeyUsage, len(keyUsages)) - copy(usages, keyUsages) - - if len(chain) == 0 { - return false - } - - usagesRemaining := len(usages) - - // We walk down the list and cross out any usages that aren't supported - // by each certificate. If we cross out all the usages, then the chain - // is unacceptable. - -NextCert: - for i := len(chain) - 1; i >= 0; i-- { - cert := chain[i] - if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 { - // The certificate doesn't have any extended key usage specified. - continue - } - - for _, usage := range cert.ExtKeyUsage { - if usage == x509.ExtKeyUsageAny { - // The certificate is explicitly good for any usage. - continue NextCert - } - } - - const invalidUsage x509.ExtKeyUsage = -1 - - NextRequestedUsage: - for i, requestedUsage := range usages { - if requestedUsage == invalidUsage { - continue - } - - for _, usage := range cert.ExtKeyUsage { - if requestedUsage == usage { - continue NextRequestedUsage - } - } - - usages[i] = invalidUsage - usagesRemaining-- - if usagesRemaining == 0 { - return false - } - } - } - - return true -} - -func mustNewOIDFromInts(ints []uint64) x509.OID { - oid, err := x509.OIDFromInts(ints) - if err != nil { - panic(fmt.Sprintf("OIDFromInts(%v) unexpected error: %v", ints, err)) - } - return oid -} - -type policyGraphNode struct { - validPolicy x509.OID - expectedPolicySet []x509.OID - // we do not implement qualifiers, so we don't track qualifier_set - - parents map[*policyGraphNode]bool - children map[*policyGraphNode]bool -} - -func newPolicyGraphNode(valid x509.OID, parents []*policyGraphNode) *policyGraphNode { - n := &policyGraphNode{ - validPolicy: valid, - expectedPolicySet: []x509.OID{valid}, - children: map[*policyGraphNode]bool{}, - parents: map[*policyGraphNode]bool{}, - } - for _, p := range parents { - p.children[n] = true - n.parents[p] = true - } - return n -} - -type policyGraph struct { - strata []map[string]*policyGraphNode - // map of OID -> nodes at strata[depth-1] with OID in their expectedPolicySet - parentIndex map[string][]*policyGraphNode - depth int -} - -var anyPolicyOID = mustNewOIDFromInts([]uint64{2, 5, 29, 32, 0}) - -func newPolicyGraph() *policyGraph { - root := policyGraphNode{ - validPolicy: anyPolicyOID, - expectedPolicySet: []x509.OID{anyPolicyOID}, - children: map[*policyGraphNode]bool{}, - parents: map[*policyGraphNode]bool{}, - } - return &policyGraph{ - depth: 0, - strata: []map[string]*policyGraphNode{{string(anyPolicyOID.der): &root}}, - } -} - -func (pg *policyGraph) insert(n *policyGraphNode) { - pg.strata[pg.depth][string(n.validPolicy.der)] = n -} - -func (pg *policyGraph) parentsWithExpected(expected OID) []*policyGraphNode { - if pg.depth == 0 { - return nil - } - return pg.parentIndex[string(expected.der)] -} - -func (pg *policyGraph) parentWithAnyPolicy() *policyGraphNode { - if pg.depth == 0 { - return nil - } - return pg.strata[pg.depth-1][string(anyPolicyOID.der)] -} - -func (pg *policyGraph) parents() iter.Seq[*policyGraphNode] { - if pg.depth == 0 { - return nil - } - return maps.Values(pg.strata[pg.depth-1]) -} - -func (pg *policyGraph) leaves() map[string]*policyGraphNode { - return pg.strata[pg.depth] -} - -func (pg *policyGraph) leafWithPolicy(policy x509.OID) *policyGraphNode { - return pg.strata[pg.depth][string(policy.der)] -} - -func (pg *policyGraph) deleteLeaf(policy x509.OID) { - n := pg.strata[pg.depth][string(policy.der)] - if n == nil { - return - } - for p := range n.parents { - delete(p.children, n) - } - for c := range n.children { - delete(c.parents, n) - } - delete(pg.strata[pg.depth], string(policy.der)) -} - -func (pg *policyGraph) validPolicyNodes() []*policyGraphNode { - var validNodes []*policyGraphNode - for i := pg.depth; i >= 0; i-- { - for _, n := range pg.strata[i] { - if n.validPolicy.Equal(anyPolicyOID) { - continue - } - - if len(n.parents) == 1 { - for p := range n.parents { - if p.validPolicy.Equal(anyPolicyOID) { - validNodes = append(validNodes, n) - } - } - } - } - } - return validNodes -} - -func (pg *policyGraph) prune() { - for i := pg.depth - 1; i > 0; i-- { - for _, n := range pg.strata[i] { - if len(n.children) == 0 { - for p := range n.parents { - delete(p.children, n) - } - delete(pg.strata[i], string(n.validPolicy.der)) - } - } - } -} - -func (pg *policyGraph) incrDepth() { - pg.parentIndex = map[string][]*policyGraphNode{} - for _, n := range pg.strata[pg.depth] { - for _, e := range n.expectedPolicySet { - pg.parentIndex[string(e.der)] = append(pg.parentIndex[string(e.der)], n) - } - } - - pg.depth++ - pg.strata = append(pg.strata, map[string]*policyGraphNode{}) -} - -func policiesValid(chain []*x509.Certificate, opts VerifyOptions) bool { - // The following code implements the policy verification algorithm as - // specified in RFC 5280 and updated by RFC 9618. In particular the - // following sections are replaced by RFC 9618: - // * 6.1.2 (a) - // * 6.1.3 (d) - // * 6.1.3 (e) - // * 6.1.3 (f) - // * 6.1.4 (b) - // * 6.1.5 (g) - - if len(chain) == 1 { - return true - } - - // n is the length of the chain minus the trust anchor - n := len(chain) - 1 - - pg := newPolicyGraph() - var inhibitAnyPolicy, explicitPolicy, policyMapping int - if !opts.inhibitAnyPolicy { - inhibitAnyPolicy = n + 1 - } - if !opts.requireExplicitPolicy { - explicitPolicy = n + 1 - } - if !opts.inhibitPolicyMapping { - policyMapping = n + 1 - } - - initialUserPolicySet := map[string]bool{} - for _, p := range opts.CertificatePolicies { - initialUserPolicySet[string(p.der)] = true - } - // If the user does not pass any policies, we consider - // that equivalent to passing anyPolicyOID. - if len(initialUserPolicySet) == 0 { - initialUserPolicySet[string(anyPolicyOID.der)] = true - } - - for i := n - 1; i >= 0; i-- { - cert := chain[i] - - isSelfSigned := bytes.Equal(cert.RawIssuer, cert.RawSubject) - - // 6.1.3 (e) -- as updated by RFC 9618 - if len(cert.Policies) == 0 { - pg = nil - } - - // 6.1.3 (f) -- as updated by RFC 9618 - if explicitPolicy == 0 && pg == nil { - return false - } - - if pg != nil { - pg.incrDepth() - - policies := map[string]bool{} - - // 6.1.3 (d) (1) -- as updated by RFC 9618 - for _, policy := range cert.Policies { - policies[string(policy.der)] = true - - if policy.Equal(anyPolicyOID) { - continue - } - - // 6.1.3 (d) (1) (i) -- as updated by RFC 9618 - parents := pg.parentsWithExpected(policy) - if len(parents) == 0 { - // 6.1.3 (d) (1) (ii) -- as updated by RFC 9618 - if anyParent := pg.parentWithAnyPolicy(); anyParent != nil { - parents = []*policyGraphNode{anyParent} - } - } - if len(parents) > 0 { - pg.insert(newPolicyGraphNode(policy, parents)) - } - } - - // 6.1.3 (d) (2) -- as updated by RFC 9618 - // NOTE: in the check "n-i < n" our i is different from the i in the specification. - // In the specification chains go from the trust anchor to the leaf, whereas our - // chains go from the leaf to the trust anchor, so our i's our inverted. Our - // check here matches the check "i < n" in the specification. - if policies[string(anyPolicyOID.der)] && (inhibitAnyPolicy > 0 || (n-i < n && isSelfSigned)) { - missing := map[string][]*policyGraphNode{} - leaves := pg.leaves() - for p := range pg.parents() { - for _, expected := range p.expectedPolicySet { - if leaves[string(expected.der)] == nil { - missing[string(expected.der)] = append(missing[string(expected.der)], p) - } - } - } - - for oidStr, parents := range missing { - pg.insert(newPolicyGraphNode(x509.OID{der: []byte(oidStr)}, parents)) - } - } - - // 6.1.3 (d) (3) -- as updated by RFC 9618 - pg.prune() - - if i != 0 { - // 6.1.4 (b) -- as updated by RFC 9618 - if len(cert.PolicyMappings) > 0 { - // collect map of issuer -> []subject - mappings := map[string][]x509.OID{} - - for _, mapping := range cert.PolicyMappings { - if policyMapping > 0 { - if mapping.IssuerDomainPolicy.Equal(anyPolicyOID) || mapping.SubjectDomainPolicy.Equal(anyPolicyOID) { - // Invalid mapping - return false - } - mappings[string(mapping.IssuerDomainPolicy.der)] = append(mappings[string(mapping.IssuerDomainPolicy.der)], mapping.SubjectDomainPolicy) - } else { - // 6.1.4 (b) (3) (i) -- as updated by RFC 9618 - pg.deleteLeaf(mapping.IssuerDomainPolicy) - - // 6.1.4 (b) (3) (ii) -- as updated by RFC 9618 - pg.prune() - } - } - - for issuerStr, subjectPolicies := range mappings { - // 6.1.4 (b) (1) -- as updated by RFC 9618 - if matching := pg.leafWithPolicy(x509.OID{der: []byte(issuerStr)}); matching != nil { - matching.expectedPolicySet = subjectPolicies - } else if matching := pg.leafWithPolicy(anyPolicyOID); matching != nil { - // 6.1.4 (b) (2) -- as updated by RFC 9618 - n := newPolicyGraphNode(x509.OID{der: []byte(issuerStr)}, []*policyGraphNode{matching}) - n.expectedPolicySet = subjectPolicies - pg.insert(n) - } - } - } - } - } - - if i != 0 { - // 6.1.4 (h) - if !isSelfSigned { - if explicitPolicy > 0 { - explicitPolicy-- - } - if policyMapping > 0 { - policyMapping-- - } - if inhibitAnyPolicy > 0 { - inhibitAnyPolicy-- - } - } - - // 6.1.4 (i) - if (cert.RequireExplicitPolicy > 0 || cert.RequireExplicitPolicyZero) && cert.RequireExplicitPolicy < explicitPolicy { - explicitPolicy = cert.RequireExplicitPolicy - } - if (cert.InhibitPolicyMapping > 0 || cert.InhibitPolicyMappingZero) && cert.InhibitPolicyMapping < policyMapping { - policyMapping = cert.InhibitPolicyMapping - } - // 6.1.4 (j) - if (cert.InhibitAnyPolicy > 0 || cert.InhibitAnyPolicyZero) && cert.InhibitAnyPolicy < inhibitAnyPolicy { - inhibitAnyPolicy = cert.InhibitAnyPolicy - } - } - } - - // 6.1.5 (a) - if explicitPolicy > 0 { - explicitPolicy-- - } - - // 6.1.5 (b) - if chain[0].RequireExplicitPolicyZero { - explicitPolicy = 0 - } - - // 6.1.5 (g) (1) -- as updated by RFC 9618 - var validPolicyNodeSet []*policyGraphNode - // 6.1.5 (g) (2) -- as updated by RFC 9618 - if pg != nil { - validPolicyNodeSet = pg.validPolicyNodes() - // 6.1.5 (g) (3) -- as updated by RFC 9618 - if currentAny := pg.leafWithPolicy(anyPolicyOID); currentAny != nil { - validPolicyNodeSet = append(validPolicyNodeSet, currentAny) - } - } - - // 6.1.5 (g) (4) -- as updated by RFC 9618 - authorityConstrainedPolicySet := map[string]bool{} - for _, n := range validPolicyNodeSet { - authorityConstrainedPolicySet[string(n.validPolicy.der)] = true - } - // 6.1.5 (g) (5) -- as updated by RFC 9618 - userConstrainedPolicySet := maps.Clone(authorityConstrainedPolicySet) - // 6.1.5 (g) (6) -- as updated by RFC 9618 - if len(initialUserPolicySet) != 1 || !initialUserPolicySet[string(anyPolicyOID.der)] { - // 6.1.5 (g) (6) (i) -- as updated by RFC 9618 - for p := range userConstrainedPolicySet { - if !initialUserPolicySet[p] { - delete(userConstrainedPolicySet, p) - } - } - // 6.1.5 (g) (6) (ii) -- as updated by RFC 9618 - if authorityConstrainedPolicySet[string(anyPolicyOID.der)] { - for policy := range initialUserPolicySet { - userConstrainedPolicySet[policy] = true - } - } - } - - if explicitPolicy == 0 && len(userConstrainedPolicySet) == 0 { - return false - } - - return true -} From 760c605309003c4ace8205359c6b83233d6fd921 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 11:14:53 +0000 Subject: [PATCH 27/39] copy hasSanExtension --- internal/x509util/verify.go | 2 +- internal/x509util/x509.go | 26 ++++++++++++++++++++++++++ 2 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 internal/x509util/x509.go diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index b527545f..2c03c8f1 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -109,7 +109,7 @@ type HostnameError struct { func (h HostnameError) Error() string { c := h.Certificate - if !c.hasSANExtension() && matchHostnames(c.Subject.CommonName, h.Host) { + if !hasSANExtension(c) && matchHostnames(c.Subject.CommonName, h.Host) { return "x509: certificate relies on legacy Common Name field, use SANs instead" } diff --git a/internal/x509util/x509.go b/internal/x509util/x509.go new file mode 100644 index 00000000..3f8ea190 --- /dev/null +++ b/internal/x509util/x509.go @@ -0,0 +1,26 @@ +package x509util + +import ( + "crypto/x509" + "crypto/x509/pkix" + "encoding/asn1" +) + +var ( + oidExtensionSubjectAltName = []int{2, 5, 29, 17} +) + +func hasSANExtension(c *x509.Certificate) bool { + return oidInExtensions(oidExtensionSubjectAltName, c.Extensions) +} + +// oidInExtensions reports whether an extension with the given oid exists in +// extensions. +func oidInExtensions(oid asn1.ObjectIdentifier, extensions []pkix.Extension) bool { + for _, e := range extensions { + if e.Id.Equal(oid) { + return true + } + } + return false +} From 6df0a3ebc829107a6b34645695d65c434686bfba Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 11:22:50 +0000 Subject: [PATCH 28/39] disable systemRoots --- internal/x509util/verify.go | 41 ++----------------------------------- 1 file changed, 2 insertions(+), 39 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index 2c03c8f1..5cc5b62a 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -13,7 +13,6 @@ import ( "fmt" "net" "net/url" - "runtime" "strings" "time" "unicode/utf8" @@ -162,21 +161,6 @@ func (e UnknownAuthorityError) Error() string { return s } -// SystemRootsError results when we fail to load the system root certificates. -type SystemRootsError struct { - Err error -} - -func (se SystemRootsError) Error() string { - msg := "x509: failed to load system roots and no roots provided" - if se.Err != nil { - return msg + "; " + se.Err.Error() - } - return msg -} - -func (se SystemRootsError) Unwrap() error { return se.Err } - // errNotParsed is returned when a certificate without ASN.1 contents is // verified. Platform-specific verification needs the ASN.1 contents. var errNotParsed = errors.New("x509: missing ASN.1 contents; use ParseCertificate") @@ -650,30 +634,9 @@ func Verify(c *x509.Certificate, opts VerifyOptions) (chains [][]*x509.Certifica } } - // Use platform verifiers, where available, if Roots is from SystemCertPool. - if runtime.GOOS == "windows" || runtime.GOOS == "darwin" || runtime.GOOS == "ios" { - // Don't use the system verifier if the system pool was replaced with a non-system pool, - // i.e. if SetFallbackRoots was called with x509usefallbackroots=1. - systemPool := systemRootsPool() - if opts.Roots == nil && (systemPool == nil || systemPool.systemPool) { - return c.systemVerify(&opts) - } - if opts.Roots != nil && opts.Roots.systemPool { - platformChains, err := c.systemVerify(&opts) - // If the platform verifier succeeded, or there are no additional - // roots, return the platform verifier result. Otherwise, continue - // with the Go verifier. - if err == nil || opts.Roots.len() == 0 { - return platformChains, err - } - } - } - + // CT server roots MUST not be empty. if opts.Roots == nil { - opts.Roots = systemRootsPool() - if opts.Roots == nil { - return nil, SystemRootsError{systemRootsErr} - } + return nil, fmt.Errorf("opts.Roots == nil, roots MUST be provided") } err = isValid(c, leafCertificate, nil, &opts) From 786800df1a6f93b9c455fa667cd6b844594a5371 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 12:09:17 +0000 Subject: [PATCH 29/39] copy cert_pool.go take dep on crypto/x509 --- internal/x509util/cert_pool.go | 295 +++++++++++++++++++++++++++++++++ 1 file changed, 295 insertions(+) create mode 100644 internal/x509util/cert_pool.go diff --git a/internal/x509util/cert_pool.go b/internal/x509util/cert_pool.go new file mode 100644 index 00000000..32f1cf39 --- /dev/null +++ b/internal/x509util/cert_pool.go @@ -0,0 +1,295 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package x509util + +import ( + "bytes" + "crypto/sha256" + "crypto/x509" + "encoding/pem" + "sync" +) + +type sum224 [sha256.Size224]byte + +// CertPool is a set of certificates. +type CertPool struct { + byName map[string][]int // cert.RawSubject => index into lazyCerts + + // lazyCerts contains funcs that return a certificate, + // lazily parsing/decompressing it as needed. + lazyCerts []lazyCert + + // haveSum maps from sum224(cert.Raw) to true. It's used only + // for AddCert duplicate detection, to avoid CertPool.contains + // calls in the AddCert path (because the contains method can + // call getCert and otherwise negate savings from lazy getCert + // funcs). + haveSum map[sum224]bool + + // systemPool indicates whether this is a special pool derived from the + // system roots. If it includes additional roots, it requires doing two + // verifications, one using the roots provided by the caller, and one using + // the system platform verifier. + systemPool bool +} + +// lazyCert is minimal metadata about a Cert and a func to retrieve it +// in its normal expanded *Certificate form. +type lazyCert struct { + // rawSubject is the Certificate.RawSubject value. + // It's the same as the CertPool.byName key, but in []byte + // form to make CertPool.Subjects (as used by crypto/tls) do + // fewer allocations. + rawSubject []byte + + // constraint is a function to run against a chain when it is a candidate to + // be added to the chain. This allows adding arbitrary constraints that are + // not specified in the certificate itself. + constraint func([]*x509.Certificate) error + + // getCert returns the certificate. + // + // It is not meant to do network operations or anything else + // where a failure is likely; the func is meant to lazily + // parse/decompress data that is already known to be good. The + // error in the signature primarily is meant for use in the + // case where a cert file existed on local disk when the program + // started up is deleted later before it's read. + getCert func() (*x509.Certificate, error) +} + +// NewCertPool returns a new, empty CertPool. +func NewCertPool() *CertPool { + return &CertPool{ + byName: make(map[string][]int), + haveSum: make(map[sum224]bool), + } +} + +// len returns the number of certs in the set. +// A nil set is a valid empty set. +func (s *CertPool) len() int { + if s == nil { + return 0 + } + return len(s.lazyCerts) +} + +// cert returns cert index n in s. +func (s *CertPool) cert(n int) (*x509.Certificate, func([]*x509.Certificate) error, error) { + cert, err := s.lazyCerts[n].getCert() + return cert, s.lazyCerts[n].constraint, err +} + +// Clone returns a copy of s. +func (s *CertPool) Clone() *CertPool { + p := &CertPool{ + byName: make(map[string][]int, len(s.byName)), + lazyCerts: make([]lazyCert, len(s.lazyCerts)), + haveSum: make(map[sum224]bool, len(s.haveSum)), + systemPool: s.systemPool, + } + for k, v := range s.byName { + indexes := make([]int, len(v)) + copy(indexes, v) + p.byName[k] = indexes + } + for k := range s.haveSum { + p.haveSum[k] = true + } + copy(p.lazyCerts, s.lazyCerts) + return p +} + +// SystemCertPool returns a copy of the system cert pool. +// +// On Unix systems other than macOS the environment variables SSL_CERT_FILE and +// SSL_CERT_DIR can be used to override the system default locations for the SSL +// certificate file and SSL certificate files directory, respectively. The +// latter can be a colon-separated list. +// +// Any mutations to the returned pool are not written to disk and do not affect +// any other pool returned by SystemCertPool. +// +// New changes in the system cert pool might not be reflected in subsequent calls. +func SystemCertPool() (*CertPool, error) { + if sysRoots := systemRootsPool(); sysRoots != nil { + return sysRoots.Clone(), nil + } + + return loadSystemRoots() +} + +type potentialParent struct { + cert *x509.Certificate + constraint func([]*x509.Certificate) error +} + +// findPotentialParents returns the certificates in s which might have signed +// cert. +func (s *CertPool) findPotentialParents(cert *x509.Certificate) []potentialParent { + if s == nil { + return nil + } + + // consider all candidates where cert.Issuer matches cert.Subject. + // when picking possible candidates the list is built in the order + // of match plausibility as to save cycles in buildChains: + // AKID and SKID match + // AKID present, SKID missing / AKID missing, SKID present + // AKID and SKID don't match + var matchingKeyID, oneKeyID, mismatchKeyID []potentialParent + for _, c := range s.byName[string(cert.RawIssuer)] { + candidate, constraint, err := s.cert(c) + if err != nil { + continue + } + kidMatch := bytes.Equal(candidate.SubjectKeyId, cert.AuthorityKeyId) + switch { + case kidMatch: + matchingKeyID = append(matchingKeyID, potentialParent{candidate, constraint}) + case (len(candidate.SubjectKeyId) == 0 && len(cert.AuthorityKeyId) > 0) || + (len(candidate.SubjectKeyId) > 0 && len(cert.AuthorityKeyId) == 0): + oneKeyID = append(oneKeyID, potentialParent{candidate, constraint}) + default: + mismatchKeyID = append(mismatchKeyID, potentialParent{candidate, constraint}) + } + } + + found := len(matchingKeyID) + len(oneKeyID) + len(mismatchKeyID) + if found == 0 { + return nil + } + candidates := make([]potentialParent, 0, found) + candidates = append(candidates, matchingKeyID...) + candidates = append(candidates, oneKeyID...) + candidates = append(candidates, mismatchKeyID...) + return candidates +} + +func (s *CertPool) contains(cert *x509.Certificate) bool { + if s == nil { + return false + } + return s.haveSum[sha256.Sum224(cert.Raw)] +} + +// AddCert adds a certificate to a pool. +func (s *CertPool) AddCert(cert *x509.Certificate) { + if cert == nil { + panic("adding nil Certificate to CertPool") + } + s.addCertFunc(sha256.Sum224(cert.Raw), string(cert.RawSubject), func() (*x509.Certificate, error) { + return cert, nil + }, nil) +} + +// addCertFunc adds metadata about a certificate to a pool, along with +// a func to fetch that certificate later when needed. +// +// The rawSubject is Certificate.RawSubject and must be non-empty. +// The getCert func may be called 0 or more times. +func (s *CertPool) addCertFunc(rawSum224 sum224, rawSubject string, getCert func() (*x509.Certificate, error), constraint func([]*x509.Certificate) error) { + if getCert == nil { + panic("getCert can't be nil") + } + + // Check that the certificate isn't being added twice. + if s.haveSum[rawSum224] { + return + } + + s.haveSum[rawSum224] = true + s.lazyCerts = append(s.lazyCerts, lazyCert{ + rawSubject: []byte(rawSubject), + getCert: getCert, + constraint: constraint, + }) + s.byName[rawSubject] = append(s.byName[rawSubject], len(s.lazyCerts)-1) +} + +// AppendCertsFromPEM attempts to parse a series of PEM encoded certificates. +// It appends any certificates found to s and reports whether any certificates +// were successfully parsed. +// +// On many Linux systems, /etc/ssl/cert.pem will contain the system wide set +// of root CAs in a format suitable for this function. +func (s *CertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool) { + for len(pemCerts) > 0 { + var block *pem.Block + block, pemCerts = pem.Decode(pemCerts) + if block == nil { + break + } + if block.Type != "CERTIFICATE" || len(block.Headers) != 0 { + continue + } + + certBytes := block.Bytes + cert, err := x509.ParseCertificate(certBytes) + if err != nil { + continue + } + var lazyCert struct { + sync.Once + v *x509.Certificate + } + s.addCertFunc(sha256.Sum224(cert.Raw), string(cert.RawSubject), func() (*x509.Certificate, error) { + lazyCert.Do(func() { + // This can't fail, as the same bytes already parsed above. + lazyCert.v, _ = x509.ParseCertificate(certBytes) + certBytes = nil + }) + return lazyCert.v, nil + }, nil) + ok = true + } + + return ok +} + +// Subjects returns a list of the DER-encoded subjects of +// all of the certificates in the pool. +// +// Deprecated: if s was returned by [SystemCertPool], Subjects +// will not include the system roots. +func (s *CertPool) Subjects() [][]byte { + res := make([][]byte, s.len()) + for i, lc := range s.lazyCerts { + res[i] = lc.rawSubject + } + return res +} + +// Equal reports whether s and other are equal. +func (s *CertPool) Equal(other *CertPool) bool { + if s == nil || other == nil { + return s == other + } + if s.systemPool != other.systemPool || len(s.haveSum) != len(other.haveSum) { + return false + } + for h := range s.haveSum { + if !other.haveSum[h] { + return false + } + } + return true +} + +// AddCertWithConstraint adds a certificate to the pool with the additional +// constraint. When Certificate.Verify builds a chain which is rooted by cert, +// it will additionally pass the whole chain to constraint to determine its +// validity. If constraint returns a non-nil error, the chain will be discarded. +// constraint may be called concurrently from multiple goroutines. +func (s *CertPool) AddCertWithConstraint(cert *x509.Certificate, constraint func([]*x509.Certificate) error) { + if cert == nil { + panic("adding nil Certificate to CertPool") + } + s.addCertFunc(sha256.Sum224(cert.Raw), string(cert.RawSubject), func() (*x509.Certificate, error) { + return cert, nil + }, constraint) +} From 8b4a7b028b90485d580365532d10d80722e2e85b Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 12:09:41 +0000 Subject: [PATCH 30/39] delete systemRootPool --- internal/x509util/cert_pool.go | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/internal/x509util/cert_pool.go b/internal/x509util/cert_pool.go index 32f1cf39..311c898d 100644 --- a/internal/x509util/cert_pool.go +++ b/internal/x509util/cert_pool.go @@ -104,25 +104,6 @@ func (s *CertPool) Clone() *CertPool { return p } -// SystemCertPool returns a copy of the system cert pool. -// -// On Unix systems other than macOS the environment variables SSL_CERT_FILE and -// SSL_CERT_DIR can be used to override the system default locations for the SSL -// certificate file and SSL certificate files directory, respectively. The -// latter can be a colon-separated list. -// -// Any mutations to the returned pool are not written to disk and do not affect -// any other pool returned by SystemCertPool. -// -// New changes in the system cert pool might not be reflected in subsequent calls. -func SystemCertPool() (*CertPool, error) { - if sysRoots := systemRootsPool(); sysRoots != nil { - return sysRoots.Clone(), nil - } - - return loadSystemRoots() -} - type potentialParent struct { cert *x509.Certificate constraint func([]*x509.Certificate) error From 8e2cc742ea100e1b91d438a20a739276c3e027de Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 12:10:21 +0000 Subject: [PATCH 31/39] migrate options to local certPool --- internal/x509util/verify.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index 5cc5b62a..4ea71837 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -174,10 +174,10 @@ type VerifyOptions struct { // Intermediates is an optional pool of certificates that are not trust // anchors, but can be used to form a chain from the leaf certificate to a // root certificate. - Intermediates *x509.CertPool + Intermediates *CertPool // Roots is the set of trusted root certificates the leaf certificate needs // to chain up to. If nil, the system roots or the platform verifier are used. - Roots *x509.CertPool + Roots *CertPool // CurrentTime is used to check the validity of all certificates in the // chain. If zero, the current time is used. From c498993f948acd9ecd3af6f109347bb3b0884eb9 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 12:16:59 +0000 Subject: [PATCH 32/39] conver everythig to local cert_pool --- internal/scti/chain_validation.go | 64 +----------------------------- internal/x509util/pem_cert_pool.go | 6 +-- 2 files changed, 5 insertions(+), 65 deletions(-) diff --git a/internal/scti/chain_validation.go b/internal/scti/chain_validation.go index a0b168c5..82c4505e 100644 --- a/internal/scti/chain_validation.go +++ b/internal/scti/chain_validation.go @@ -140,66 +140,6 @@ func isPrecertificate(cert *x509.Certificate) (bool, error) { return false, nil } -// getLaxVerifiedChain returns a verified certificate chain, allowing for specific -// errors that are commonly raised with certificates submitted to CT logs. -// -// Allowed x509 errors: -// -// - UnhandledCriticalExtension: Precertificates have the poison extension -// which the Go library code does not recognize; also the Go library code -// does not support the standard PolicyConstraints extension (which is -// required to be marked critical, RFC 5280 s4.2.1.11) -// - Expired: CT logs should be able to log expired certificates. -// - IncompatibleUsage: Pre-issued precertificates have the Certificate -// Transparency EKU, which intermediates don't have. Also some leaves have -// unknown EKUs that should not be bounced just because the intermediate -// does not also have them (cf. https://github.com/golang/go/issues/24590) -// so disable EKU checks inside the x509 library, but we've already done our -// own check on the leaf above. -// - NoValidChains: Do no enforce policy validation. -// - TooManyIntermediates: path length checks get confused by the presence of -// an additional pre-issuer intermediate. -// - CANotAuthorizedForThisName: allow to log all certificates, even if they -// have been isued by a CA trhat is not auhotized to issue certs for a -// given domain. -// -// TODO(phboneff): this doesn't work because, as it should, cert.Verify() -// does not return a chain when it raises an error. -func getLaxVerifiedChain(cert *x509.Certificate, opts x509.VerifyOptions) ([][]*x509.Certificate, error) { - chains, err := cert.Verify(opts) - switch err.(type) { - // TODO(phboneff): check if we could make the x509 library aware of the CT - // poison. - // TODO(phboneff): re-evaluate whether PolicyConstraints is still an issue. - case x509.UnhandledCriticalExtension: - return chains, nil - case x509.CertificateInvalidError: - if e, ok := err.(x509.CertificateInvalidError); ok { - switch e.Reason { - // TODO(phboneff): if need be, change time to make sure that the cert is - // never considered as expired. - // TODO(phboneff): see if TooManyIntermediates handling could be improved - // upstream. - // TODO(phboneff): see if it's necessary to log certs for which - // CANotAuthorizedForThisName is raised. If browsers all check this - // as well, then there is no need to log these certs. - case x509.Expired, x509.TooManyIntermediates, x509.CANotAuthorizedForThisName: - return chains, nil - // TODO(phboneff): check if we can remove these two exceptions. - // NoValidChains was not a thing back when x509 was forked in ctgo. - // New CT logs should all filter incoming certs with EKU, and - // https://github.com/golang/go/issues/24590 has been updated, - // so we should be able to remove IncompatibleUsage as well. - case x509.IncompatibleUsage, x509.NoValidChains: - return chains, nil - default: - return chains, err - } - } - } - return chains, err -} - // validateChain takes the certificate chain as it was parsed from a JSON request. Ensures all // elements in the chain decode as X.509 certificates. Ensures that there is a valid path from the // end entity certificate in the chain to a trusted root cert, possibly using the intermediates @@ -286,14 +226,14 @@ func validateChain(rawChain [][]byte, validationOpts ChainValidationOpts) ([]*x5 // We can now do the verification. Use fairly lax options for verification, as // CT is intended to observe certificates rather than police them. - verifyOpts := x509.VerifyOptions{ + verifyOpts := x509util.VerifyOptions{ Roots: validationOpts.trustedRoots.CertPool(), CurrentTime: now, Intermediates: intermediatePool.CertPool(), KeyUsages: validationOpts.extKeyUsages, } - verifiedChains, err := getLaxVerifiedChain(cert, verifyOpts) + verifiedChains, err := x509util.Verify(cert, verifyOpts) if err != nil { return nil, err } diff --git a/internal/x509util/pem_cert_pool.go b/internal/x509util/pem_cert_pool.go index dcaf3256..9a78c93f 100644 --- a/internal/x509util/pem_cert_pool.go +++ b/internal/x509util/pem_cert_pool.go @@ -36,12 +36,12 @@ type PEMCertPool struct { // maps from sha-256 to certificate, used for dup detection fingerprintToCertMap map[[sha256.Size]byte]x509.Certificate rawCerts []*x509.Certificate - certPool *x509.CertPool + certPool *CertPool } // NewPEMCertPool creates a new, empty, instance of PEMCertPool. func NewPEMCertPool() *PEMCertPool { - return &PEMCertPool{fingerprintToCertMap: make(map[[sha256.Size]byte]x509.Certificate), certPool: x509.NewCertPool()} + return &PEMCertPool{fingerprintToCertMap: make(map[[sha256.Size]byte]x509.Certificate), certPool: NewCertPool()} } // AddCert adds a certificate to a pool. Uses fingerprint to weed out duplicates. @@ -110,7 +110,7 @@ func (p *PEMCertPool) Subjects() (res [][]byte) { } // CertPool returns the underlying CertPool. -func (p *PEMCertPool) CertPool() *x509.CertPool { +func (p *PEMCertPool) CertPool() *CertPool { return p.certPool } From 5c722afb43e9f9b4e01973ab5288d64a851c3eb8 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 12:26:22 +0000 Subject: [PATCH 33/39] disable time checks --- internal/x509util/verify.go | 21 ++++----------------- 1 file changed, 4 insertions(+), 17 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index 4ea71837..cf29d92d 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -20,6 +20,7 @@ import ( type InvalidReason int +// TODO(phboneff): delete options that are not enabled anymore. const ( // NotAuthorizedToSign results when a certificate is signed by another // which isn't marked as a CA certificate. @@ -528,23 +529,9 @@ func isValid(c *x509.Certificate, certType int, currentChain []*x509.Certificate } } - now := opts.CurrentTime - if now.IsZero() { - now = time.Now() - } - if now.Before(c.NotBefore) { - return CertificateInvalidError{ - Cert: c, - Reason: Expired, - Detail: fmt.Sprintf("current time %s is before %s", now.Format(time.RFC3339), c.NotBefore.Format(time.RFC3339)), - } - } else if now.After(c.NotAfter) { - return CertificateInvalidError{ - Cert: c, - Reason: Expired, - Detail: fmt.Sprintf("current time %s is after %s", now.Format(time.RFC3339), c.NotAfter.Format(time.RFC3339)), - } - } + // Expired checks disabled. + // CT servers handle this at submission time, and accept certificates even + // if they are expired. if certType == intermediateCertificate || certType == rootCertificate { if len(currentChain) == 0 { From 206638681f5d06824b0f579cc4a31287296f2c2d Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 12:26:35 +0000 Subject: [PATCH 34/39] remove time check option --- internal/scti/chain_validation.go | 1 - 1 file changed, 1 deletion(-) diff --git a/internal/scti/chain_validation.go b/internal/scti/chain_validation.go index 82c4505e..d1b28acd 100644 --- a/internal/scti/chain_validation.go +++ b/internal/scti/chain_validation.go @@ -228,7 +228,6 @@ func validateChain(rawChain [][]byte, validationOpts ChainValidationOpts) ([]*x5 // CT is intended to observe certificates rather than police them. verifyOpts := x509util.VerifyOptions{ Roots: validationOpts.trustedRoots.CertPool(), - CurrentTime: now, Intermediates: intermediatePool.CertPool(), KeyUsages: validationOpts.extKeyUsages, } From bd73f082a39c1661801006d789554af96e53b2f0 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 12:33:11 +0000 Subject: [PATCH 35/39] delete more unused things --- internal/x509util/verify.go | 306 ------------------------------------ 1 file changed, 306 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index cf29d92d..16f72b45 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -12,7 +12,6 @@ import ( "errors" "fmt" "net" - "net/url" "strings" "time" "unicode/utf8" @@ -200,22 +199,6 @@ type VerifyOptions struct { // acceptable during policy validation. An empty CertificatePolices // field implies any valid policy is acceptable. CertificatePolicies []x509.OID - - // The following policy fields are unexported, because we do not expect - // users to actually need to use them, but are useful for testing the - // policy validation code. - - // inhibitPolicyMapping indicates if policy mapping should be allowed - // during path validation. - inhibitPolicyMapping bool - - // requireExplicitPolicy indidicates if explicit policies must be present - // for each certificate being validated. - requireExplicitPolicy bool - - // inhibitAnyPolicy indicates if the anyPolicy policy should be - // processed if present in a certificate being validated. - inhibitAnyPolicy bool } const ( @@ -224,295 +207,6 @@ const ( rootCertificate ) -// rfc2821Mailbox represents a “mailbox” (which is an email address to most -// people) by breaking it into the “local” (i.e. before the '@') and “domain” -// parts. -type rfc2821Mailbox struct { - local, domain string -} - -// parseRFC2821Mailbox parses an email address into local and domain parts, -// based on the ABNF for a “Mailbox” from RFC 2821. According to RFC 5280, -// Section 4.2.1.6 that's correct for an rfc822Name from a certificate: “The -// format of an rfc822Name is a "Mailbox" as defined in RFC 2821, Section 4.1.2”. -func parseRFC2821Mailbox(in string) (mailbox rfc2821Mailbox, ok bool) { - if len(in) == 0 { - return mailbox, false - } - - localPartBytes := make([]byte, 0, len(in)/2) - - if in[0] == '"' { - // Quoted-string = DQUOTE *qcontent DQUOTE - // non-whitespace-control = %d1-8 / %d11 / %d12 / %d14-31 / %d127 - // qcontent = qtext / quoted-pair - // qtext = non-whitespace-control / - // %d33 / %d35-91 / %d93-126 - // quoted-pair = ("\" text) / obs-qp - // text = %d1-9 / %d11 / %d12 / %d14-127 / obs-text - // - // (Names beginning with “obs-” are the obsolete syntax from RFC 2822, - // Section 4. Since it has been 16 years, we no longer accept that.) - in = in[1:] - QuotedString: - for { - if len(in) == 0 { - return mailbox, false - } - c := in[0] - in = in[1:] - - switch { - case c == '"': - break QuotedString - - case c == '\\': - // quoted-pair - if len(in) == 0 { - return mailbox, false - } - if in[0] == 11 || - in[0] == 12 || - (1 <= in[0] && in[0] <= 9) || - (14 <= in[0] && in[0] <= 127) { - localPartBytes = append(localPartBytes, in[0]) - in = in[1:] - } else { - return mailbox, false - } - - case c == 11 || - c == 12 || - // Space (char 32) is not allowed based on the - // BNF, but RFC 3696 gives an example that - // assumes that it is. Several “verified” - // errata continue to argue about this point. - // We choose to accept it. - c == 32 || - c == 33 || - c == 127 || - (1 <= c && c <= 8) || - (14 <= c && c <= 31) || - (35 <= c && c <= 91) || - (93 <= c && c <= 126): - // qtext - localPartBytes = append(localPartBytes, c) - - default: - return mailbox, false - } - } - } else { - // Atom ("." Atom)* - NextChar: - for len(in) > 0 { - // atext from RFC 2822, Section 3.2.4 - c := in[0] - - switch { - case c == '\\': - // Examples given in RFC 3696 suggest that - // escaped characters can appear outside of a - // quoted string. Several “verified” errata - // continue to argue the point. We choose to - // accept it. - in = in[1:] - if len(in) == 0 { - return mailbox, false - } - fallthrough - - case ('0' <= c && c <= '9') || - ('a' <= c && c <= 'z') || - ('A' <= c && c <= 'Z') || - c == '!' || c == '#' || c == '$' || c == '%' || - c == '&' || c == '\'' || c == '*' || c == '+' || - c == '-' || c == '/' || c == '=' || c == '?' || - c == '^' || c == '_' || c == '`' || c == '{' || - c == '|' || c == '}' || c == '~' || c == '.': - localPartBytes = append(localPartBytes, in[0]) - in = in[1:] - - default: - break NextChar - } - } - - if len(localPartBytes) == 0 { - return mailbox, false - } - - // From RFC 3696, Section 3: - // “period (".") may also appear, but may not be used to start - // or end the local part, nor may two or more consecutive - // periods appear.” - twoDots := []byte{'.', '.'} - if localPartBytes[0] == '.' || - localPartBytes[len(localPartBytes)-1] == '.' || - bytes.Contains(localPartBytes, twoDots) { - return mailbox, false - } - } - - if len(in) == 0 || in[0] != '@' { - return mailbox, false - } - in = in[1:] - - // The RFC species a format for domains, but that's known to be - // violated in practice so we accept that anything after an '@' is the - // domain part. - if _, ok := domainToReverseLabels(in); !ok { - return mailbox, false - } - - mailbox.local = string(localPartBytes) - mailbox.domain = in - return mailbox, true -} - -// domainToReverseLabels converts a textual domain name like foo.example.com to -// the list of labels in reverse order, e.g. ["com", "example", "foo"]. -func domainToReverseLabels(domain string) (reverseLabels []string, ok bool) { - for len(domain) > 0 { - if i := strings.LastIndexByte(domain, '.'); i == -1 { - reverseLabels = append(reverseLabels, domain) - domain = "" - } else { - reverseLabels = append(reverseLabels, domain[i+1:]) - domain = domain[:i] - if i == 0 { // domain == "" - // domain is prefixed with an empty label, append an empty - // string to reverseLabels to indicate this. - reverseLabels = append(reverseLabels, "") - } - } - } - - if len(reverseLabels) > 0 && len(reverseLabels[0]) == 0 { - // An empty label at the end indicates an absolute value. - return nil, false - } - - for _, label := range reverseLabels { - if len(label) == 0 { - // Empty labels are otherwise invalid. - return nil, false - } - - for _, c := range label { - if c < 33 || c > 126 { - // Invalid character. - return nil, false - } - } - } - - return reverseLabels, true -} - -func matchEmailConstraint(mailbox rfc2821Mailbox, constraint string) (bool, error) { - // If the constraint contains an @, then it specifies an exact mailbox - // name. - if strings.Contains(constraint, "@") { - constraintMailbox, ok := parseRFC2821Mailbox(constraint) - if !ok { - return false, fmt.Errorf("x509: internal error: cannot parse constraint %q", constraint) - } - return mailbox.local == constraintMailbox.local && strings.EqualFold(mailbox.domain, constraintMailbox.domain), nil - } - - // Otherwise the constraint is like a DNS constraint of the domain part - // of the mailbox. - return matchDomainConstraint(mailbox.domain, constraint) -} - -func matchURIConstraint(uri *url.URL, constraint string) (bool, error) { - // From RFC 5280, Section 4.2.1.10: - // “a uniformResourceIdentifier that does not include an authority - // component with a host name specified as a fully qualified domain - // name (e.g., if the URI either does not include an authority - // component or includes an authority component in which the host name - // is specified as an IP address), then the application MUST reject the - // certificate.” - - host := uri.Host - if len(host) == 0 { - return false, fmt.Errorf("URI with empty host (%q) cannot be matched against constraints", uri.String()) - } - - if strings.Contains(host, ":") && !strings.HasSuffix(host, "]") { - var err error - host, _, err = net.SplitHostPort(uri.Host) - if err != nil { - return false, err - } - } - - if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") || - net.ParseIP(host) != nil { - return false, fmt.Errorf("URI with IP (%q) cannot be matched against constraints", uri.String()) - } - - return matchDomainConstraint(host, constraint) -} - -func matchIPConstraint(ip net.IP, constraint *net.IPNet) (bool, error) { - if len(ip) != len(constraint.IP) { - return false, nil - } - - for i := range ip { - if mask := constraint.Mask[i]; ip[i]&mask != constraint.IP[i]&mask { - return false, nil - } - } - - return true, nil -} - -func matchDomainConstraint(domain, constraint string) (bool, error) { - // The meaning of zero length constraints is not specified, but this - // code follows NSS and accepts them as matching everything. - if len(constraint) == 0 { - return true, nil - } - - domainLabels, ok := domainToReverseLabels(domain) - if !ok { - return false, fmt.Errorf("x509: internal error: cannot parse domain %q", domain) - } - - // RFC 5280 says that a leading period in a domain name means that at - // least one label must be prepended, but only for URI and email - // constraints, not DNS constraints. The code also supports that - // behaviour for DNS constraints. - - mustHaveSubdomains := false - if constraint[0] == '.' { - mustHaveSubdomains = true - constraint = constraint[1:] - } - - constraintLabels, ok := domainToReverseLabels(constraint) - if !ok { - return false, fmt.Errorf("x509: internal error: cannot parse domain %q", constraint) - } - - if len(domainLabels) < len(constraintLabels) || - (mustHaveSubdomains && len(domainLabels) == len(constraintLabels)) { - return false, nil - } - - for i, constraintLabel := range constraintLabels { - if !strings.EqualFold(constraintLabel, domainLabels[i]) { - return false, nil - } - } - - return true, nil -} - // isValid performs validity checks on c given that it is a candidate to append // to the chain in currentChain. func isValid(c *x509.Certificate, certType int, currentChain []*x509.Certificate, opts *VerifyOptions) error { From be9db26ee63b835060534569e44cd1c73ffb75b7 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 12:38:14 +0000 Subject: [PATCH 36/39] remove errors and hostname functions --- internal/x509util/verify.go | 197 +----------------------------------- 1 file changed, 4 insertions(+), 193 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index 16f72b45..6039b1fa 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -11,7 +11,6 @@ import ( "crypto/x509/pkix" "errors" "fmt" - "net" "strings" "time" "unicode/utf8" @@ -59,81 +58,6 @@ const ( NoValidChains ) -// CertificateInvalidError results when an odd error occurs. Users of this -// library probably want to handle all these errors uniformly. -// TODO(phboneff): consider using the x509 one. -type CertificateInvalidError struct { - Cert *x509.Certificate - Reason InvalidReason - Detail string -} - -func (e CertificateInvalidError) Error() string { - switch e.Reason { - case NotAuthorizedToSign: - return "x509: certificate is not authorized to sign other certificates" - case Expired: - return "x509: certificate has expired or is not yet valid: " + e.Detail - case CANotAuthorizedForThisName: - return "x509: a root or intermediate certificate is not authorized to sign for this name: " + e.Detail - case CANotAuthorizedForExtKeyUsage: - return "x509: a root or intermediate certificate is not authorized for an extended key usage: " + e.Detail - case TooManyIntermediates: - return "x509: too many intermediates for path length constraint" - case IncompatibleUsage: - return "x509: certificate specifies an incompatible key usage" - case NameMismatch: - return "x509: issuer name does not match subject from issuing certificate" - case NameConstraintsWithoutSANs: - return "x509: issuer has name constraints but leaf doesn't have a SAN extension" - case UnconstrainedName: - return "x509: issuer has name constraints but leaf contains unknown or unconstrained name: " + e.Detail - case NoValidChains: - s := "x509: no valid chains built" - if e.Detail != "" { - s = fmt.Sprintf("%s: %s", s, e.Detail) - } - return s - } - return "x509: unknown error" -} - -// HostnameError results when the set of authorized names doesn't match the -// requested name. -type HostnameError struct { - Certificate *x509.Certificate - Host string -} - -func (h HostnameError) Error() string { - c := h.Certificate - - if !hasSANExtension(c) && matchHostnames(c.Subject.CommonName, h.Host) { - return "x509: certificate relies on legacy Common Name field, use SANs instead" - } - - var valid string - if ip := net.ParseIP(h.Host); ip != nil { - // Trying to validate an IP - if len(c.IPAddresses) == 0 { - return "x509: cannot validate certificate for " + h.Host + " because it doesn't contain any IP SANs" - } - for _, san := range c.IPAddresses { - if len(valid) > 0 { - valid += ", " - } - valid += san.String() - } - } else { - valid = strings.Join(c.DNSNames, ", ") - } - - if len(valid) == 0 { - return "x509: certificate is not valid for any names, but wanted to match " + h.Host - } - return "x509: certificate is valid for " + valid + ", not " + h.Host -} - // UnknownAuthorityError results when the certificate issuer is unknown type UnknownAuthorityError struct { Cert *x509.Certificate @@ -219,7 +143,7 @@ func isValid(c *x509.Certificate, certType int, currentChain []*x509.Certificate if len(currentChain) > 0 { child := currentChain[len(currentChain)-1] if !bytes.Equal(child.RawIssuer, c.RawSubject) { - return CertificateInvalidError{c, NameMismatch, ""} + return x509.CertificateInvalidError{c, x509.NameMismatch, ""} } } @@ -257,7 +181,7 @@ func isValid(c *x509.Certificate, certType int, currentChain []*x509.Certificate // encryption key could only be used for Diffie-Hellman key agreement. if certType == intermediateCertificate && (!c.BasicConstraintsValid || !c.IsCA) { - return CertificateInvalidError{c, NotAuthorizedToSign, ""} + return x509.CertificateInvalidError{c, x509.NotAuthorizedToSign, ""} } // TooManyIntermediates check deleted. @@ -326,7 +250,7 @@ func Verify(c *x509.Certificate, opts VerifyOptions) (chains [][]*x509.Certifica } if len(opts.DNSName) > 0 { - err = VerifyHostname(c, opts.DNSName) + err = c.VerifyHostname(opts.DNSName) if err != nil { return } @@ -356,7 +280,7 @@ func Verify(c *x509.Certificate, opts VerifyOptions) (chains [][]*x509.Certifica if len(candidateChains) == 0 { var details []string - err = CertificateInvalidError{c, NoValidChains, strings.Join(details, ", ")} + err = x509.CertificateInvalidError{c, x509.NoValidChains, strings.Join(details, ", ")} return nil, err } @@ -494,68 +418,6 @@ func buildChains(c *x509.Certificate, currentChain []*x509.Certificate, sigCheck return } -func validHostnamePattern(host string) bool { return validHostname(host, true) } -func validHostnameInput(host string) bool { return validHostname(host, false) } - -// validHostname reports whether host is a valid hostname that can be matched or -// matched against according to RFC 6125 2.2, with some leniency to accommodate -// legacy values. -func validHostname(host string, isPattern bool) bool { - if !isPattern { - host = strings.TrimSuffix(host, ".") - } - if len(host) == 0 { - return false - } - if host == "*" { - // Bare wildcards are not allowed, they are not valid DNS names, - // nor are they allowed per RFC 6125. - return false - } - - for i, part := range strings.Split(host, ".") { - if part == "" { - // Empty label. - return false - } - if isPattern && i == 0 && part == "*" { - // Only allow full left-most wildcards, as those are the only ones - // we match, and matching literal '*' characters is probably never - // the expected behavior. - continue - } - for j, c := range part { - if 'a' <= c && c <= 'z' { - continue - } - if '0' <= c && c <= '9' { - continue - } - if 'A' <= c && c <= 'Z' { - continue - } - if c == '-' && j != 0 { - continue - } - if c == '_' { - // Not a valid character in hostnames, but commonly - // found in deployments outside the WebPKI. - continue - } - return false - } - } - - return true -} - -func matchExactly(hostA, hostB string) bool { - if hostA == "" || hostA == "." || hostB == "" || hostB == "." { - return false - } - return toLowerCaseASCII(hostA) == toLowerCaseASCII(hostB) -} - func matchHostnames(pattern, host string) bool { pattern = toLowerCaseASCII(pattern) host = toLowerCaseASCII(strings.TrimSuffix(host, ".")) @@ -614,54 +476,3 @@ func toLowerCaseASCII(in string) string { } return string(out) } - -// VerifyHostname returns nil if c is a valid certificate for the named host. -// Otherwise it returns an error describing the mismatch. -// -// IP addresses can be optionally enclosed in square brackets and are checked -// against the IPAddresses field. Other names are checked case insensitively -// against the DNSNames field. If the names are valid hostnames, the certificate -// fields can have a wildcard as the complete left-most label (e.g. *.example.com). -// -// Note that the legacy Common Name field is ignored. -// TODO(phboneff): can we simply use the exported x509 one? Otherwise make this -// one private. -func VerifyHostname(c *x509.Certificate, h string) error { - // IP addresses may be written in [ ]. - candidateIP := h - if len(h) >= 3 && h[0] == '[' && h[len(h)-1] == ']' { - candidateIP = h[1 : len(h)-1] - } - if ip := net.ParseIP(candidateIP); ip != nil { - // We only match IP addresses against IP SANs. - // See RFC 6125, Appendix B.2. - for _, candidate := range c.IPAddresses { - if ip.Equal(candidate) { - return nil - } - } - return HostnameError{c, candidateIP} - } - - candidateName := toLowerCaseASCII(h) // Save allocations inside the loop. - validCandidateName := validHostnameInput(candidateName) - - for _, match := range c.DNSNames { - // Ideally, we'd only match valid hostnames according to RFC 6125 like - // browsers (more or less) do, but in practice Go is used in a wider - // array of contexts and can't even assume DNS resolution. Instead, - // always allow perfect matches, and only apply wildcard and trailing - // dot processing to valid hostnames. - if validCandidateName && validHostnamePattern(match) { - if matchHostnames(match, candidateName) { - return nil - } - } else { - if matchExactly(match, candidateName) { - return nil - } - } - } - - return HostnameError{c, h} -} From f0c8bd09d884057d86e9f5f149a1056370b1ff19 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 14:59:30 +0000 Subject: [PATCH 37/39] remove more hostname functions --- internal/x509util/verify.go | 60 ------------------------------------- 1 file changed, 60 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index 6039b1fa..5f7f13f2 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -13,7 +13,6 @@ import ( "fmt" "strings" "time" - "unicode/utf8" ) type InvalidReason int @@ -417,62 +416,3 @@ func buildChains(c *x509.Certificate, currentChain []*x509.Certificate, sigCheck return } - -func matchHostnames(pattern, host string) bool { - pattern = toLowerCaseASCII(pattern) - host = toLowerCaseASCII(strings.TrimSuffix(host, ".")) - - if len(pattern) == 0 || len(host) == 0 { - return false - } - - patternParts := strings.Split(pattern, ".") - hostParts := strings.Split(host, ".") - - if len(patternParts) != len(hostParts) { - return false - } - - for i, patternPart := range patternParts { - if i == 0 && patternPart == "*" { - continue - } - if patternPart != hostParts[i] { - return false - } - } - - return true -} - -// toLowerCaseASCII returns a lower-case version of in. See RFC 6125 6.4.1. We use -// an explicitly ASCII function to avoid any sharp corners resulting from -// performing Unicode operations on DNS labels. -func toLowerCaseASCII(in string) string { - // If the string is already lower-case then there's nothing to do. - isAlreadyLowerCase := true - for _, c := range in { - if c == utf8.RuneError { - // If we get a UTF-8 error then there might be - // upper-case ASCII bytes in the invalid sequence. - isAlreadyLowerCase = false - break - } - if 'A' <= c && c <= 'Z' { - isAlreadyLowerCase = false - break - } - } - - if isAlreadyLowerCase { - return in - } - - out := []byte(in) - for i, c := range out { - if 'A' <= c && c <= 'Z' { - out[i] += 'a' - 'A' - } - } - return string(out) -} From 0e6886f94680d30e7feab43a454512b2bc7fb4b8 Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 15:00:03 +0000 Subject: [PATCH 38/39] remove VerifyHostname: it's never used --- internal/x509util/verify.go | 7 ------- 1 file changed, 7 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index 5f7f13f2..00bb2dd4 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -248,13 +248,6 @@ func Verify(c *x509.Certificate, opts VerifyOptions) (chains [][]*x509.Certifica return } - if len(opts.DNSName) > 0 { - err = c.VerifyHostname(opts.DNSName) - if err != nil { - return - } - } - var candidateChains [][]*x509.Certificate if opts.Roots.contains(c) { candidateChains = [][]*x509.Certificate{{c}} From 0682fd1ec1ef0bcfed6a06706d84ca91ce8fed7f Mon Sep 17 00:00:00 2001 From: Philippe Boneff Date: Fri, 14 Feb 2025 18:46:03 +0000 Subject: [PATCH 39/39] remove error messages and options we don't use --- internal/x509util/verify.go | 64 ------------------------------------- 1 file changed, 64 deletions(-) diff --git a/internal/x509util/verify.go b/internal/x509util/verify.go index 00bb2dd4..03fa8d1b 100644 --- a/internal/x509util/verify.go +++ b/internal/x509util/verify.go @@ -12,49 +12,6 @@ import ( "errors" "fmt" "strings" - "time" -) - -type InvalidReason int - -// TODO(phboneff): delete options that are not enabled anymore. -const ( - // NotAuthorizedToSign results when a certificate is signed by another - // which isn't marked as a CA certificate. - NotAuthorizedToSign InvalidReason = iota - // Expired results when a certificate has expired, based on the time - // given in the VerifyOptions. - Expired - // CANotAuthorizedForThisName results when an intermediate or root - // certificate has a name constraint which doesn't permit a DNS or - // other name (including IP address) in the leaf certificate. - CANotAuthorizedForThisName - // TooManyIntermediates results when a path length constraint is - // violated. - TooManyIntermediates - // IncompatibleUsage results when the certificate's key usage indicates - // that it may only be used for a different purpose. - IncompatibleUsage - // NameMismatch results when the subject name of a parent certificate - // does not match the issuer name in the child. - NameMismatch - // NameConstraintsWithoutSANs is a legacy error and is no longer returned. - NameConstraintsWithoutSANs - // UnconstrainedName results when a CA certificate contains permitted - // name constraints, but leaf certificate contains a name of an - // unsupported or unconstrained type. - UnconstrainedName - // TooManyConstraints results when the number of comparison operations - // needed to check a certificate exceeds the limit set by - // VerifyOptions.MaxConstraintComparisions. This limit exists to - // prevent pathological certificates can consuming excessive amounts of - // CPU time to verify. - TooManyConstraints - // CANotAuthorizedForExtKeyUsage results when an intermediate or root - // certificate does not permit a requested extended key usage. - CANotAuthorizedForExtKeyUsage - // NoValidChains results when there are no valid chains to return. - NoValidChains ) // UnknownAuthorityError results when the certificate issuer is unknown @@ -90,10 +47,6 @@ var errNotParsed = errors.New("x509: missing ASN.1 contents; use ParseCertificat // VerifyOptions contains parameters for Certificate.Verify. type VerifyOptions struct { - // DNSName, if set, is checked against the leaf certificate with - // Certificate.VerifyHostname or the platform verifier. - DNSName string - // Intermediates is an optional pool of certificates that are not trust // anchors, but can be used to form a chain from the leaf certificate to a // root certificate. @@ -101,27 +54,10 @@ type VerifyOptions struct { // Roots is the set of trusted root certificates the leaf certificate needs // to chain up to. If nil, the system roots or the platform verifier are used. Roots *CertPool - - // CurrentTime is used to check the validity of all certificates in the - // chain. If zero, the current time is used. - CurrentTime time.Time - // KeyUsages specifies which Extended Key Usage values are acceptable. A // chain is accepted if it allows any of the listed values. An empty list // means ExtKeyUsageServerAuth. To accept any key usage, include ExtKeyUsageAny. KeyUsages []x509.ExtKeyUsage - - // MaxConstraintComparisions is the maximum number of comparisons to - // perform when checking a given certificate's name constraints. If - // zero, a sensible default is used. This limit prevents pathological - // certificates from consuming excessive amounts of CPU time when - // validating. It does not apply to the platform verifier. - MaxConstraintComparisions int - - // CertificatePolicies specifies which certificate policy OIDs are - // acceptable during policy validation. An empty CertificatePolices - // field implies any valid policy is acceptable. - CertificatePolicies []x509.OID } const (