diff --git a/internal/x509fork/README.md b/internal/x509fork/README.md new file mode 100644 index 0000000..928fc0c --- /dev/null +++ b/internal/x509fork/README.md @@ -0,0 +1,18 @@ +# x509fork + +This is a minimalist fork of "crypto/x509". + +CT logs MUST validate sumbmitted chains to ensure that they link up to roots they accept, as specified by [RFC6962 S3.1](https://www.rfc-editor.org/rfc/rfc6962#section-3.1). The "crypto/x509" library validates this, and also runs additional checks. These additional checks would either prevent precertificates from being accepted in CT logs, or prevent some non compliant certificates from being accepted, and therefore becoming transparency discoverable. + +The library in this directory disables a checks the `crypto/x509` library would run, such as: + + - **Handling of critical extensions**: CT precertificates are identified by a critical extension defined in [RFC6962 S3.1](https://www.rfc-editor.org/rfc/rfc6962#section-3.1), which the `crypto/x509` library does not process. A non-processed critical extension would fail certifiate validation. This check is disabled to allow precertificate in the logs. + - **Cert expiry**: `notBefore` and `notAfter` ceritificate checks are handled at submission time, based on the `notBeforeLimit` and `notAfterLimit` log parameters. Therefore, not only we don't need to check them again at certificate verification time, but we specifically want to accept expired certificates, as long as they are still within the `[notBeforeLimit, notAfterLimit]` range. + - **CA name restrictions**: an intermediate or root certificate can restrict the domains it can issue certificates for. This check is disabled to make such issuance discoverable, if any. + - **Chain length**: this check is confused by chains including precertificates and preissuer. + - **Extended Key Usage**: this would ensure that all the EKU of a child certificate are also held by its parents. However, the EKU identifying preissuer intermediate certs in [RFC6962 S3.1](https://www.rfc-editor.org/rfc/rfc6962#section-3.1) does not need to be set in the issuing certificate, so this check would not pass for chains using a preissuer. + - **Policy graph validation**: chains that violate policy validation should be discoverable through CT logs. + +[!WARNING] This library is not safe to use for other applications. + +[!WARNING] This fork will not be kept in synced with upstream. It will not be updated, unless required by a security vulnerability or a critical functionality. \ No newline at end of file diff --git a/internal/x509fork/cert_pool.go b/internal/x509fork/cert_pool.go new file mode 100644 index 0000000..832e9b4 --- /dev/null +++ b/internal/x509fork/cert_pool.go @@ -0,0 +1,276 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package x509fork + +import ( + "bytes" + "crypto/sha256" + "crypto/x509" + "encoding/pem" + "sync" +) + +type sum224 [sha256.Size224]byte + +// CertPool is a set of certificates. +type CertPool struct { + byName map[string][]int // cert.RawSubject => index into lazyCerts + + // lazyCerts contains funcs that return a certificate, + // lazily parsing/decompressing it as needed. + lazyCerts []lazyCert + + // haveSum maps from sum224(cert.Raw) to true. It's used only + // for AddCert duplicate detection, to avoid CertPool.contains + // calls in the AddCert path (because the contains method can + // call getCert and otherwise negate savings from lazy getCert + // funcs). + haveSum map[sum224]bool + + // systemPool indicates whether this is a special pool derived from the + // system roots. If it includes additional roots, it requires doing two + // verifications, one using the roots provided by the caller, and one using + // the system platform verifier. + systemPool bool +} + +// lazyCert is minimal metadata about a Cert and a func to retrieve it +// in its normal expanded *Certificate form. +type lazyCert struct { + // rawSubject is the Certificate.RawSubject value. + // It's the same as the CertPool.byName key, but in []byte + // form to make CertPool.Subjects (as used by crypto/tls) do + // fewer allocations. + rawSubject []byte + + // constraint is a function to run against a chain when it is a candidate to + // be added to the chain. This allows adding arbitrary constraints that are + // not specified in the certificate itself. + constraint func([]*x509.Certificate) error + + // getCert returns the certificate. + // + // It is not meant to do network operations or anything else + // where a failure is likely; the func is meant to lazily + // parse/decompress data that is already known to be good. The + // error in the signature primarily is meant for use in the + // case where a cert file existed on local disk when the program + // started up is deleted later before it's read. + getCert func() (*x509.Certificate, error) +} + +// NewCertPool returns a new, empty CertPool. +func NewCertPool() *CertPool { + return &CertPool{ + byName: make(map[string][]int), + haveSum: make(map[sum224]bool), + } +} + +// len returns the number of certs in the set. +// A nil set is a valid empty set. +func (s *CertPool) len() int { + if s == nil { + return 0 + } + return len(s.lazyCerts) +} + +// cert returns cert index n in s. +func (s *CertPool) cert(n int) (*x509.Certificate, func([]*x509.Certificate) error, error) { + cert, err := s.lazyCerts[n].getCert() + return cert, s.lazyCerts[n].constraint, err +} + +// Clone returns a copy of s. +func (s *CertPool) Clone() *CertPool { + p := &CertPool{ + byName: make(map[string][]int, len(s.byName)), + lazyCerts: make([]lazyCert, len(s.lazyCerts)), + haveSum: make(map[sum224]bool, len(s.haveSum)), + systemPool: s.systemPool, + } + for k, v := range s.byName { + indexes := make([]int, len(v)) + copy(indexes, v) + p.byName[k] = indexes + } + for k := range s.haveSum { + p.haveSum[k] = true + } + copy(p.lazyCerts, s.lazyCerts) + return p +} + +type potentialParent struct { + cert *x509.Certificate + constraint func([]*x509.Certificate) error +} + +// findPotentialParents returns the certificates in s which might have signed +// cert. +func (s *CertPool) findPotentialParents(cert *x509.Certificate) []potentialParent { + if s == nil { + return nil + } + + // consider all candidates where cert.Issuer matches cert.Subject. + // when picking possible candidates the list is built in the order + // of match plausibility as to save cycles in buildChains: + // AKID and SKID match + // AKID present, SKID missing / AKID missing, SKID present + // AKID and SKID don't match + var matchingKeyID, oneKeyID, mismatchKeyID []potentialParent + for _, c := range s.byName[string(cert.RawIssuer)] { + candidate, constraint, err := s.cert(c) + if err != nil { + continue + } + kidMatch := bytes.Equal(candidate.SubjectKeyId, cert.AuthorityKeyId) + switch { + case kidMatch: + matchingKeyID = append(matchingKeyID, potentialParent{candidate, constraint}) + case (len(candidate.SubjectKeyId) == 0 && len(cert.AuthorityKeyId) > 0) || + (len(candidate.SubjectKeyId) > 0 && len(cert.AuthorityKeyId) == 0): + oneKeyID = append(oneKeyID, potentialParent{candidate, constraint}) + default: + mismatchKeyID = append(mismatchKeyID, potentialParent{candidate, constraint}) + } + } + + found := len(matchingKeyID) + len(oneKeyID) + len(mismatchKeyID) + if found == 0 { + return nil + } + candidates := make([]potentialParent, 0, found) + candidates = append(candidates, matchingKeyID...) + candidates = append(candidates, oneKeyID...) + candidates = append(candidates, mismatchKeyID...) + return candidates +} + +func (s *CertPool) contains(cert *x509.Certificate) bool { + if s == nil { + return false + } + return s.haveSum[sha256.Sum224(cert.Raw)] +} + +// AddCert adds a certificate to a pool. +func (s *CertPool) AddCert(cert *x509.Certificate) { + if cert == nil { + panic("adding nil Certificate to CertPool") + } + s.addCertFunc(sha256.Sum224(cert.Raw), string(cert.RawSubject), func() (*x509.Certificate, error) { + return cert, nil + }, nil) +} + +// addCertFunc adds metadata about a certificate to a pool, along with +// a func to fetch that certificate later when needed. +// +// The rawSubject is Certificate.RawSubject and must be non-empty. +// The getCert func may be called 0 or more times. +func (s *CertPool) addCertFunc(rawSum224 sum224, rawSubject string, getCert func() (*x509.Certificate, error), constraint func([]*x509.Certificate) error) { + if getCert == nil { + panic("getCert can't be nil") + } + + // Check that the certificate isn't being added twice. + if s.haveSum[rawSum224] { + return + } + + s.haveSum[rawSum224] = true + s.lazyCerts = append(s.lazyCerts, lazyCert{ + rawSubject: []byte(rawSubject), + getCert: getCert, + constraint: constraint, + }) + s.byName[rawSubject] = append(s.byName[rawSubject], len(s.lazyCerts)-1) +} + +// AppendCertsFromPEM attempts to parse a series of PEM encoded certificates. +// It appends any certificates found to s and reports whether any certificates +// were successfully parsed. +// +// On many Linux systems, /etc/ssl/cert.pem will contain the system wide set +// of root CAs in a format suitable for this function. +func (s *CertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool) { + for len(pemCerts) > 0 { + var block *pem.Block + block, pemCerts = pem.Decode(pemCerts) + if block == nil { + break + } + if block.Type != "CERTIFICATE" || len(block.Headers) != 0 { + continue + } + + certBytes := block.Bytes + cert, err := x509.ParseCertificate(certBytes) + if err != nil { + continue + } + var lazyCert struct { + sync.Once + v *x509.Certificate + } + s.addCertFunc(sha256.Sum224(cert.Raw), string(cert.RawSubject), func() (*x509.Certificate, error) { + lazyCert.Do(func() { + // This can't fail, as the same bytes already parsed above. + lazyCert.v, _ = x509.ParseCertificate(certBytes) + certBytes = nil + }) + return lazyCert.v, nil + }, nil) + ok = true + } + + return ok +} + +// Subjects returns a list of the DER-encoded subjects of +// all of the certificates in the pool. +// +// Deprecated: if s was returned by [SystemCertPool], Subjects +// will not include the system roots. +func (s *CertPool) Subjects() [][]byte { + res := make([][]byte, s.len()) + for i, lc := range s.lazyCerts { + res[i] = lc.rawSubject + } + return res +} + +// Equal reports whether s and other are equal. +func (s *CertPool) Equal(other *CertPool) bool { + if s == nil || other == nil { + return s == other + } + if s.systemPool != other.systemPool || len(s.haveSum) != len(other.haveSum) { + return false + } + for h := range s.haveSum { + if !other.haveSum[h] { + return false + } + } + return true +} + +// AddCertWithConstraint adds a certificate to the pool with the additional +// constraint. When Certificate.Verify builds a chain which is rooted by cert, +// it will additionally pass the whole chain to constraint to determine its +// validity. If constraint returns a non-nil error, the chain will be discarded. +// constraint may be called concurrently from multiple goroutines. +func (s *CertPool) AddCertWithConstraint(cert *x509.Certificate, constraint func([]*x509.Certificate) error) { + if cert == nil { + panic("adding nil Certificate to CertPool") + } + s.addCertFunc(sha256.Sum224(cert.Raw), string(cert.RawSubject), func() (*x509.Certificate, error) { + return cert, nil + }, constraint) +} diff --git a/internal/x509fork/verify.go b/internal/x509fork/verify.go new file mode 100644 index 0000000..19ed54d --- /dev/null +++ b/internal/x509fork/verify.go @@ -0,0 +1,344 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package x509fork + +import ( + "bytes" + "crypto" + "crypto/x509" + "crypto/x509/pkix" + "errors" + "fmt" + "strings" +) + +// UnknownAuthorityError results when the certificate issuer is unknown +type UnknownAuthorityError struct { + Cert *x509.Certificate + // hintErr contains an error that may be helpful in determining why an + // authority wasn't found. + hintErr error + // hintCert contains a possible authority certificate that was rejected + // because of the error in hintErr. + hintCert *x509.Certificate +} + +func (e UnknownAuthorityError) Error() string { + s := "x509: certificate signed by unknown authority" + if e.hintErr != nil { + certName := e.hintCert.Subject.CommonName + if len(certName) == 0 { + if len(e.hintCert.Subject.Organization) > 0 { + certName = e.hintCert.Subject.Organization[0] + } else { + certName = "serial:" + e.hintCert.SerialNumber.String() + } + } + s += fmt.Sprintf(" (possibly because of %q while trying to verify candidate authority certificate %q)", e.hintErr, certName) + } + return s +} + +// errNotParsed is returned when a certificate without ASN.1 contents is +// verified. Platform-specific verification needs the ASN.1 contents. +var errNotParsed = errors.New("x509: missing ASN.1 contents; use ParseCertificate") + +// VerifyOptions contains parameters for Certificate.Verify. +type VerifyOptions struct { + // Intermediates is an optional pool of certificates that are not trust + // anchors, but can be used to form a chain from the leaf certificate to a + // root certificate. + Intermediates *CertPool + // Roots is the set of trusted root certificates the leaf certificate needs + // to chain up to. If nil, the system roots or the platform verifier are used. + Roots *CertPool + // KeyUsages specifies which Extended Key Usage values are acceptable. A + // chain is accepted if it allows any of the listed values. An empty list + // means ExtKeyUsageServerAuth. To accept any key usage, include ExtKeyUsageAny. + KeyUsages []x509.ExtKeyUsage +} + +const ( + leafCertificate = iota + intermediateCertificate + rootCertificate +) + +// isValid performs validity checks on c given that it is a candidate to append +// to the chain in currentChain. +func isValid(c *x509.Certificate, certType int, currentChain []*x509.Certificate) error { + // UnhandledCriticalExtension check deleted. + // Precertificates have the poison extension which the Go library code does + // not recognize; also the Go library code does not support the standard + // PolicyConstraints extension (which is required to be marked critical, RFC + // 5280 s4.2.1.11) + if len(currentChain) > 0 { + child := currentChain[len(currentChain)-1] + if !bytes.Equal(child.RawIssuer, c.RawSubject) { + return x509.CertificateInvalidError{Cert: c, Reason: x509.NameMismatch, Detail: ""} + } + } + + // Expired checks disabled. + // CT servers handle this at submission time, and accept certificates even + // if they are expired. + + if certType == intermediateCertificate || certType == rootCertificate { + if len(currentChain) == 0 { + return errors.New("x509: internal error: empty chain when appending CA cert") + } + } + + // CANotAuthorizedForThisName check deleted. + // Allow logging of all certificates, even if they have been issued by a CA that + // is not authorized to issue certs for a given domain. + + // KeyUsage status flags are ignored. From Engineering Security, Peter + // Gutmann: A European government CA marked its signing certificates as + // being valid for encryption only, but no-one noticed. Another + // European CA marked its signature keys as not being valid for + // signatures. A different CA marked its own trusted root certificate + // as being invalid for certificate signing. Another national CA + // distributed a certificate to be used to encrypt data for the + // country’s tax authority that was marked as only being usable for + // digital signatures but not for encryption. Yet another CA reversed + // the order of the bit flags in the keyUsage due to confusion over + // encoding endianness, essentially setting a random keyUsage in + // certificates that it issued. Another CA created a self-invalidating + // certificate by adding a certificate policy statement stipulating + // that the certificate had to be used strictly as specified in the + // keyUsage, and a keyUsage containing a flag indicating that the RSA + // encryption key could only be used for Diffie-Hellman key agreement. + + if certType == intermediateCertificate && (!c.BasicConstraintsValid || !c.IsCA) { + return x509.CertificateInvalidError{Cert: c, Reason: x509.NotAuthorizedToSign, Detail: ""} + } + + // TooManyIntermediates check deleted. + // Path length checks get confused by the presence of an additional + // pre-issuer intermediate. + + return nil +} + +// Verify attempts to verify c by building one or more chains from c to a +// certificate in opts.Roots, using certificates in opts.Intermediates if +// needed. If successful, it returns one or more chains where the first +// element of the chain is c and the last element is from opts.Roots. +// +// If opts.Roots is nil, the platform verifier might be used, and +// verification details might differ from what is described below. If system +// roots are unavailable the returned error will be of type SystemRootsError. +// +// Name constraints in the intermediates will be applied to all names claimed +// in the chain, not just opts.DNSName. Thus it is invalid for a leaf to claim +// example.com if an intermediate doesn't permit it, even if example.com is not +// the name being validated. Note that DirectoryName constraints are not +// supported. +// +// Name constraint validation follows the rules from RFC 5280, with the +// addition that DNS name constraints may use the leading period format +// defined for emails and URIs. When a constraint has a leading period +// it indicates that at least one additional label must be prepended to +// the constrained name to be considered valid. +// +// Extended Key Usage values are enforced nested down a chain, so an intermediate +// or root that enumerates EKUs prevents a leaf from asserting an EKU not in that +// list. (While this is not specified, it is common practice in order to limit +// the types of certificates a CA can issue.) +// +// Certificates that use SHA1WithRSA and ECDSAWithSHA1 signatures are not supported, +// and will not be used to build chains. +// +// Certificates other than c in the returned chains should not be modified. +// +// WARNING: this function doesn't do any revocation checking. +func Verify(c *x509.Certificate, opts VerifyOptions) (chains [][]*x509.Certificate, err error) { + // Platform-specific verification needs the ASN.1 contents so + // this makes the behavior consistent across platforms. + if len(c.Raw) == 0 { + return nil, errNotParsed + } + for i := 0; i < opts.Intermediates.len(); i++ { + c, _, err := opts.Intermediates.cert(i) + if err != nil { + return nil, fmt.Errorf("crypto/x509: error fetching intermediate: %w", err) + } + if len(c.Raw) == 0 { + return nil, errNotParsed + } + } + + // CT server roots MUST not be empty. + if opts.Roots == nil { + return nil, fmt.Errorf("opts.Roots == nil, roots MUST be provided") + } + + err = isValid(c, leafCertificate, nil) + if err != nil { + return + } + + var candidateChains [][]*x509.Certificate + if opts.Roots.contains(c) { + candidateChains = [][]*x509.Certificate{{c}} + } else { + candidateChains, err = buildChains(c, []*x509.Certificate{c}, nil, &opts) + if err != nil { + return nil, err + } + } + + if len(opts.KeyUsages) == 0 { + opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth} + } + + for _, eku := range opts.KeyUsages { + if eku == x509.ExtKeyUsageAny { + // If any key usage is acceptable, no need to check the chain for + // key usages. + return candidateChains, nil + } + } + + if len(candidateChains) == 0 { + var details []string + err = x509.CertificateInvalidError{Cert: c, Reason: x509.NoValidChains, Detail: strings.Join(details, ", ")} + return nil, err + } + + return candidateChains, nil +} + +func appendToFreshChain(chain []*x509.Certificate, cert *x509.Certificate) []*x509.Certificate { + n := make([]*x509.Certificate, len(chain)+1) + copy(n, chain) + n[len(chain)] = cert + return n +} + +// alreadyInChain checks whether a candidate certificate is present in a chain. +// Rather than doing a direct byte for byte equivalency check, we check if the +// subject, public key, and SAN, if present, are equal. This prevents loops that +// are created by mutual cross-signatures, or other cross-signature bridge +// oddities. +func alreadyInChain(candidate *x509.Certificate, chain []*x509.Certificate) bool { + type pubKeyEqual interface { + Equal(crypto.PublicKey) bool + } + + var candidateSAN *pkix.Extension + for _, ext := range candidate.Extensions { + if ext.Id.Equal(oidExtensionSubjectAltName) { + candidateSAN = &ext + break + } + } + + for _, cert := range chain { + if !bytes.Equal(candidate.RawSubject, cert.RawSubject) { + continue + } + if !candidate.PublicKey.(pubKeyEqual).Equal(cert.PublicKey) { + continue + } + var certSAN *pkix.Extension + for _, ext := range cert.Extensions { + if ext.Id.Equal(oidExtensionSubjectAltName) { + certSAN = &ext + break + } + } + if candidateSAN == nil && certSAN == nil { + return true + } else if candidateSAN == nil || certSAN == nil { + return false + } + if bytes.Equal(candidateSAN.Value, certSAN.Value) { + return true + } + } + return false +} + +// maxChainSignatureChecks is the maximum number of CheckSignatureFrom calls +// that an invocation of buildChains will (transitively) make. Most chains are +// less than 15 certificates long, so this leaves space for multiple chains and +// for failed checks due to different intermediates having the same Subject. +const maxChainSignatureChecks = 100 + +func buildChains(c *x509.Certificate, currentChain []*x509.Certificate, sigChecks *int, opts *VerifyOptions) (chains [][]*x509.Certificate, err error) { + var ( + hintErr error + hintCert *x509.Certificate + ) + + considerCandidate := func(certType int, candidate potentialParent) { + if candidate.cert.PublicKey == nil || alreadyInChain(candidate.cert, currentChain) { + return + } + + if sigChecks == nil { + sigChecks = new(int) + } + *sigChecks++ + if *sigChecks > maxChainSignatureChecks { + err = errors.New("x509: signature check attempts limit reached while verifying certificate chain") + return + } + + if err := c.CheckSignatureFrom(candidate.cert); err != nil { + if hintErr == nil { + hintErr = err + hintCert = candidate.cert + } + return + } + + err = isValid(candidate.cert, certType, currentChain) + if err != nil { + if hintErr == nil { + hintErr = err + hintCert = candidate.cert + } + return + } + + if candidate.constraint != nil { + if err := candidate.constraint(currentChain); err != nil { + if hintErr == nil { + hintErr = err + hintCert = candidate.cert + } + return + } + } + + switch certType { + case rootCertificate: + chains = append(chains, appendToFreshChain(currentChain, candidate.cert)) + case intermediateCertificate: + var childChains [][]*x509.Certificate + childChains, err = buildChains(candidate.cert, appendToFreshChain(currentChain, candidate.cert), sigChecks, opts) + chains = append(chains, childChains...) + } + } + + for _, root := range opts.Roots.findPotentialParents(c) { + considerCandidate(rootCertificate, root) + } + for _, intermediate := range opts.Intermediates.findPotentialParents(c) { + considerCandidate(intermediateCertificate, intermediate) + } + + if len(chains) > 0 { + err = nil + } + if len(chains) == 0 && err == nil { + err = UnknownAuthorityError{c, hintErr, hintCert} + } + + return +} diff --git a/internal/x509fork/x509.go b/internal/x509fork/x509.go new file mode 100644 index 0000000..773d298 --- /dev/null +++ b/internal/x509fork/x509.go @@ -0,0 +1,5 @@ +package x509fork + +var ( + oidExtensionSubjectAltName = []int{2, 5, 29, 17} +)