github.com/code-reading/golang@v0.0.0-20220303082512-ba5bc0e589a3/go/src/crypto/x509/name_constraints_test.go (about) 1 // Copyright 2017 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package x509 6 7 import ( 8 "bytes" 9 "crypto/ecdsa" 10 "crypto/elliptic" 11 "crypto/rand" 12 "crypto/x509/pkix" 13 "encoding/asn1" 14 "encoding/hex" 15 "encoding/pem" 16 "fmt" 17 "math/big" 18 "net" 19 "net/url" 20 "os" 21 "os/exec" 22 "strconv" 23 "strings" 24 "sync" 25 "testing" 26 "time" 27 ) 28 29 const ( 30 // testNameConstraintsAgainstOpenSSL can be set to true to run tests 31 // against the system OpenSSL. This is disabled by default because Go 32 // cannot depend on having OpenSSL installed at testing time. 33 testNameConstraintsAgainstOpenSSL = false 34 35 // debugOpenSSLFailure can be set to true, when 36 // testNameConstraintsAgainstOpenSSL is also true, to cause 37 // intermediate files to be preserved for debugging. 38 debugOpenSSLFailure = false 39 ) 40 41 type nameConstraintsTest struct { 42 roots []constraintsSpec 43 intermediates [][]constraintsSpec 44 leaf leafSpec 45 requestedEKUs []ExtKeyUsage 46 expectedError string 47 noOpenSSL bool 48 ignoreCN bool 49 } 50 51 type constraintsSpec struct { 52 ok []string 53 bad []string 54 ekus []string 55 } 56 57 type leafSpec struct { 58 sans []string 59 ekus []string 60 cn string 61 } 62 63 var nameConstraintsTests = []nameConstraintsTest{ 64 // #0: dummy test for the certificate generation process itself. 65 { 66 roots: make([]constraintsSpec, 1), 67 leaf: leafSpec{ 68 sans: []string{"dns:example.com"}, 69 }, 70 }, 71 72 // #1: dummy test for the certificate generation process itself: single 73 // level of intermediate. 74 { 75 roots: make([]constraintsSpec, 1), 76 intermediates: [][]constraintsSpec{ 77 { 78 {}, 79 }, 80 }, 81 leaf: leafSpec{ 82 sans: []string{"dns:example.com"}, 83 }, 84 }, 85 86 // #2: dummy test for the certificate generation process itself: two 87 // levels of intermediates. 88 { 89 roots: make([]constraintsSpec, 1), 90 intermediates: [][]constraintsSpec{ 91 { 92 {}, 93 }, 94 { 95 {}, 96 }, 97 }, 98 leaf: leafSpec{ 99 sans: []string{"dns:example.com"}, 100 }, 101 }, 102 103 // #3: matching DNS constraint in root 104 { 105 roots: []constraintsSpec{ 106 { 107 ok: []string{"dns:example.com"}, 108 }, 109 }, 110 intermediates: [][]constraintsSpec{ 111 { 112 {}, 113 }, 114 }, 115 leaf: leafSpec{ 116 sans: []string{"dns:example.com"}, 117 }, 118 }, 119 120 // #4: matching DNS constraint in intermediate. 121 { 122 roots: make([]constraintsSpec, 1), 123 intermediates: [][]constraintsSpec{ 124 { 125 { 126 ok: []string{"dns:example.com"}, 127 }, 128 }, 129 }, 130 leaf: leafSpec{ 131 sans: []string{"dns:example.com"}, 132 }, 133 }, 134 135 // #5: .example.com only matches subdomains. 136 { 137 roots: []constraintsSpec{ 138 { 139 ok: []string{"dns:.example.com"}, 140 }, 141 }, 142 intermediates: [][]constraintsSpec{ 143 { 144 {}, 145 }, 146 }, 147 leaf: leafSpec{ 148 sans: []string{"dns:example.com"}, 149 }, 150 expectedError: "\"example.com\" is not permitted", 151 }, 152 153 // #6: .example.com matches subdomains. 154 { 155 roots: make([]constraintsSpec, 1), 156 intermediates: [][]constraintsSpec{ 157 { 158 { 159 ok: []string{"dns:.example.com"}, 160 }, 161 }, 162 }, 163 leaf: leafSpec{ 164 sans: []string{"dns:foo.example.com"}, 165 }, 166 }, 167 168 // #7: .example.com matches multiple levels of subdomains 169 { 170 roots: []constraintsSpec{ 171 { 172 ok: []string{"dns:.example.com"}, 173 }, 174 }, 175 intermediates: [][]constraintsSpec{ 176 { 177 {}, 178 }, 179 }, 180 leaf: leafSpec{ 181 sans: []string{"dns:foo.bar.example.com"}, 182 }, 183 }, 184 185 // #8: specifying a permitted list of names does not exclude other name 186 // types 187 { 188 roots: []constraintsSpec{ 189 { 190 ok: []string{"dns:.example.com"}, 191 }, 192 }, 193 intermediates: [][]constraintsSpec{ 194 { 195 {}, 196 }, 197 }, 198 leaf: leafSpec{ 199 sans: []string{"ip:10.1.1.1"}, 200 }, 201 }, 202 203 // #9: specifying a permitted list of names does not exclude other name 204 // types 205 { 206 roots: []constraintsSpec{ 207 { 208 ok: []string{"ip:10.0.0.0/8"}, 209 }, 210 }, 211 intermediates: [][]constraintsSpec{ 212 { 213 {}, 214 }, 215 }, 216 leaf: leafSpec{ 217 sans: []string{"dns:example.com"}, 218 }, 219 }, 220 221 // #10: intermediates can try to permit other names, which isn't 222 // forbidden if the leaf doesn't mention them. I.e. name constraints 223 // apply to names, not constraints themselves. 224 { 225 roots: []constraintsSpec{ 226 { 227 ok: []string{"dns:example.com"}, 228 }, 229 }, 230 intermediates: [][]constraintsSpec{ 231 { 232 { 233 ok: []string{"dns:example.com", "dns:foo.com"}, 234 }, 235 }, 236 }, 237 leaf: leafSpec{ 238 sans: []string{"dns:example.com"}, 239 }, 240 }, 241 242 // #11: intermediates cannot add permitted names that the root doesn't 243 // grant them. 244 { 245 roots: []constraintsSpec{ 246 { 247 ok: []string{"dns:example.com"}, 248 }, 249 }, 250 intermediates: [][]constraintsSpec{ 251 { 252 { 253 ok: []string{"dns:example.com", "dns:foo.com"}, 254 }, 255 }, 256 }, 257 leaf: leafSpec{ 258 sans: []string{"dns:foo.com"}, 259 }, 260 expectedError: "\"foo.com\" is not permitted", 261 }, 262 263 // #12: intermediates can further limit their scope if they wish. 264 { 265 roots: []constraintsSpec{ 266 { 267 ok: []string{"dns:.example.com"}, 268 }, 269 }, 270 intermediates: [][]constraintsSpec{ 271 { 272 { 273 ok: []string{"dns:.bar.example.com"}, 274 }, 275 }, 276 }, 277 leaf: leafSpec{ 278 sans: []string{"dns:foo.bar.example.com"}, 279 }, 280 }, 281 282 // #13: intermediates can further limit their scope and that limitation 283 // is effective 284 { 285 roots: []constraintsSpec{ 286 { 287 ok: []string{"dns:.example.com"}, 288 }, 289 }, 290 intermediates: [][]constraintsSpec{ 291 { 292 { 293 ok: []string{"dns:.bar.example.com"}, 294 }, 295 }, 296 }, 297 leaf: leafSpec{ 298 sans: []string{"dns:foo.notbar.example.com"}, 299 }, 300 expectedError: "\"foo.notbar.example.com\" is not permitted", 301 }, 302 303 // #14: roots can exclude subtrees and that doesn't affect other names. 304 { 305 roots: []constraintsSpec{ 306 { 307 bad: []string{"dns:.example.com"}, 308 }, 309 }, 310 intermediates: [][]constraintsSpec{ 311 { 312 {}, 313 }, 314 }, 315 leaf: leafSpec{ 316 sans: []string{"dns:foo.com"}, 317 }, 318 }, 319 320 // #15: roots exclusions are effective. 321 { 322 roots: []constraintsSpec{ 323 { 324 bad: []string{"dns:.example.com"}, 325 }, 326 }, 327 intermediates: [][]constraintsSpec{ 328 { 329 {}, 330 }, 331 }, 332 leaf: leafSpec{ 333 sans: []string{"dns:foo.example.com"}, 334 }, 335 expectedError: "\"foo.example.com\" is excluded", 336 }, 337 338 // #16: intermediates can also exclude names and that doesn't affect 339 // other names. 340 { 341 roots: make([]constraintsSpec, 1), 342 intermediates: [][]constraintsSpec{ 343 { 344 { 345 bad: []string{"dns:.example.com"}, 346 }, 347 }, 348 }, 349 leaf: leafSpec{ 350 sans: []string{"dns:foo.com"}, 351 }, 352 }, 353 354 // #17: intermediate exclusions are effective. 355 { 356 roots: make([]constraintsSpec, 1), 357 intermediates: [][]constraintsSpec{ 358 { 359 { 360 bad: []string{"dns:.example.com"}, 361 }, 362 }, 363 }, 364 leaf: leafSpec{ 365 sans: []string{"dns:foo.example.com"}, 366 }, 367 expectedError: "\"foo.example.com\" is excluded", 368 }, 369 370 // #18: having an exclusion doesn't prohibit other types of names. 371 { 372 roots: []constraintsSpec{ 373 { 374 bad: []string{"dns:.example.com"}, 375 }, 376 }, 377 intermediates: [][]constraintsSpec{ 378 { 379 {}, 380 }, 381 }, 382 leaf: leafSpec{ 383 sans: []string{"dns:foo.com", "ip:10.1.1.1"}, 384 }, 385 }, 386 387 // #19: IP-based exclusions are permitted and don't affect unrelated IP 388 // addresses. 389 { 390 roots: []constraintsSpec{ 391 { 392 bad: []string{"ip:10.0.0.0/8"}, 393 }, 394 }, 395 intermediates: [][]constraintsSpec{ 396 { 397 {}, 398 }, 399 }, 400 leaf: leafSpec{ 401 sans: []string{"ip:192.168.1.1"}, 402 }, 403 }, 404 405 // #20: IP-based exclusions are effective 406 { 407 roots: []constraintsSpec{ 408 { 409 bad: []string{"ip:10.0.0.0/8"}, 410 }, 411 }, 412 intermediates: [][]constraintsSpec{ 413 { 414 {}, 415 }, 416 }, 417 leaf: leafSpec{ 418 sans: []string{"ip:10.0.0.1"}, 419 }, 420 expectedError: "\"10.0.0.1\" is excluded", 421 }, 422 423 // #21: intermediates can further constrain IP ranges. 424 { 425 roots: []constraintsSpec{ 426 { 427 bad: []string{"ip:0.0.0.0/1"}, 428 }, 429 }, 430 intermediates: [][]constraintsSpec{ 431 { 432 { 433 bad: []string{"ip:11.0.0.0/8"}, 434 }, 435 }, 436 }, 437 leaf: leafSpec{ 438 sans: []string{"ip:11.0.0.1"}, 439 }, 440 expectedError: "\"11.0.0.1\" is excluded", 441 }, 442 443 // #22: when multiple intermediates are present, chain building can 444 // avoid intermediates with incompatible constraints. 445 { 446 roots: make([]constraintsSpec, 1), 447 intermediates: [][]constraintsSpec{ 448 { 449 { 450 ok: []string{"dns:.foo.com"}, 451 }, 452 { 453 ok: []string{"dns:.example.com"}, 454 }, 455 }, 456 }, 457 leaf: leafSpec{ 458 sans: []string{"dns:foo.example.com"}, 459 }, 460 noOpenSSL: true, // OpenSSL's chain building is not informed by constraints. 461 }, 462 463 // #23: (same as the previous test, but in the other order in ensure 464 // that we don't pass it by luck.) 465 { 466 roots: make([]constraintsSpec, 1), 467 intermediates: [][]constraintsSpec{ 468 { 469 { 470 ok: []string{"dns:.example.com"}, 471 }, 472 { 473 ok: []string{"dns:.foo.com"}, 474 }, 475 }, 476 }, 477 leaf: leafSpec{ 478 sans: []string{"dns:foo.example.com"}, 479 }, 480 noOpenSSL: true, // OpenSSL's chain building is not informed by constraints. 481 }, 482 483 // #24: when multiple roots are valid, chain building can avoid roots 484 // with incompatible constraints. 485 { 486 roots: []constraintsSpec{ 487 {}, 488 { 489 ok: []string{"dns:foo.com"}, 490 }, 491 }, 492 intermediates: [][]constraintsSpec{ 493 { 494 {}, 495 }, 496 }, 497 leaf: leafSpec{ 498 sans: []string{"dns:example.com"}, 499 }, 500 noOpenSSL: true, // OpenSSL's chain building is not informed by constraints. 501 }, 502 503 // #25: (same as the previous test, but in the other order in ensure 504 // that we don't pass it by luck.) 505 { 506 roots: []constraintsSpec{ 507 { 508 ok: []string{"dns:foo.com"}, 509 }, 510 {}, 511 }, 512 intermediates: [][]constraintsSpec{ 513 { 514 {}, 515 }, 516 }, 517 leaf: leafSpec{ 518 sans: []string{"dns:example.com"}, 519 }, 520 noOpenSSL: true, // OpenSSL's chain building is not informed by constraints. 521 }, 522 523 // #26: chain building can find a valid path even with multiple levels 524 // of alternative intermediates and alternative roots. 525 { 526 roots: []constraintsSpec{ 527 { 528 ok: []string{"dns:foo.com"}, 529 }, 530 { 531 ok: []string{"dns:example.com"}, 532 }, 533 {}, 534 }, 535 intermediates: [][]constraintsSpec{ 536 { 537 {}, 538 { 539 ok: []string{"dns:foo.com"}, 540 }, 541 }, 542 { 543 {}, 544 { 545 ok: []string{"dns:foo.com"}, 546 }, 547 }, 548 }, 549 leaf: leafSpec{ 550 sans: []string{"dns:bar.com"}, 551 }, 552 noOpenSSL: true, // OpenSSL's chain building is not informed by constraints. 553 }, 554 555 // #27: chain building doesn't get stuck when there is no valid path. 556 { 557 roots: []constraintsSpec{ 558 { 559 ok: []string{"dns:foo.com"}, 560 }, 561 { 562 ok: []string{"dns:example.com"}, 563 }, 564 }, 565 intermediates: [][]constraintsSpec{ 566 { 567 {}, 568 { 569 ok: []string{"dns:foo.com"}, 570 }, 571 }, 572 { 573 { 574 ok: []string{"dns:bar.com"}, 575 }, 576 { 577 ok: []string{"dns:foo.com"}, 578 }, 579 }, 580 }, 581 leaf: leafSpec{ 582 sans: []string{"dns:bar.com"}, 583 }, 584 expectedError: "\"bar.com\" is not permitted", 585 }, 586 587 // #28: unknown name types don't cause a problem without constraints. 588 { 589 roots: make([]constraintsSpec, 1), 590 intermediates: [][]constraintsSpec{ 591 { 592 {}, 593 }, 594 }, 595 leaf: leafSpec{ 596 sans: []string{"unknown:"}, 597 }, 598 }, 599 600 // #29: unknown name types are allowed even in constrained chains. 601 { 602 roots: []constraintsSpec{ 603 { 604 ok: []string{"dns:foo.com", "dns:.foo.com"}, 605 }, 606 }, 607 intermediates: [][]constraintsSpec{ 608 { 609 {}, 610 }, 611 }, 612 leaf: leafSpec{ 613 sans: []string{"unknown:"}, 614 }, 615 }, 616 617 // #30: without SANs, a certificate with a CN is still accepted in a 618 // constrained chain, since we ignore the CN in VerifyHostname. 619 { 620 roots: []constraintsSpec{ 621 { 622 ok: []string{"dns:foo.com", "dns:.foo.com"}, 623 }, 624 }, 625 intermediates: [][]constraintsSpec{ 626 { 627 {}, 628 }, 629 }, 630 leaf: leafSpec{ 631 sans: []string{}, 632 cn: "foo.com", 633 }, 634 }, 635 636 // #31: IPv6 addresses work in constraints: roots can permit them as 637 // expected. 638 { 639 roots: []constraintsSpec{ 640 { 641 ok: []string{"ip:2000:abcd::/32"}, 642 }, 643 }, 644 intermediates: [][]constraintsSpec{ 645 { 646 {}, 647 }, 648 }, 649 leaf: leafSpec{ 650 sans: []string{"ip:2000:abcd:1234::"}, 651 }, 652 }, 653 654 // #32: IPv6 addresses work in constraints: root restrictions are 655 // effective. 656 { 657 roots: []constraintsSpec{ 658 { 659 ok: []string{"ip:2000:abcd::/32"}, 660 }, 661 }, 662 intermediates: [][]constraintsSpec{ 663 { 664 {}, 665 }, 666 }, 667 leaf: leafSpec{ 668 sans: []string{"ip:2000:1234:abcd::"}, 669 }, 670 expectedError: "\"2000:1234:abcd::\" is not permitted", 671 }, 672 673 // #33: An IPv6 permitted subtree doesn't affect DNS names. 674 { 675 roots: []constraintsSpec{ 676 { 677 ok: []string{"ip:2000:abcd::/32"}, 678 }, 679 }, 680 intermediates: [][]constraintsSpec{ 681 { 682 {}, 683 }, 684 }, 685 leaf: leafSpec{ 686 sans: []string{"ip:2000:abcd::", "dns:foo.com"}, 687 }, 688 }, 689 690 // #34: IPv6 exclusions don't affect unrelated addresses. 691 { 692 roots: []constraintsSpec{ 693 { 694 bad: []string{"ip:2000:abcd::/32"}, 695 }, 696 }, 697 intermediates: [][]constraintsSpec{ 698 { 699 {}, 700 }, 701 }, 702 leaf: leafSpec{ 703 sans: []string{"ip:2000:1234::"}, 704 }, 705 }, 706 707 // #35: IPv6 exclusions are effective. 708 { 709 roots: []constraintsSpec{ 710 { 711 bad: []string{"ip:2000:abcd::/32"}, 712 }, 713 }, 714 intermediates: [][]constraintsSpec{ 715 { 716 {}, 717 }, 718 }, 719 leaf: leafSpec{ 720 sans: []string{"ip:2000:abcd::"}, 721 }, 722 expectedError: "\"2000:abcd::\" is excluded", 723 }, 724 725 // #36: IPv6 constraints do not permit IPv4 addresses. 726 { 727 roots: []constraintsSpec{ 728 { 729 ok: []string{"ip:2000:abcd::/32"}, 730 }, 731 }, 732 intermediates: [][]constraintsSpec{ 733 { 734 {}, 735 }, 736 }, 737 leaf: leafSpec{ 738 sans: []string{"ip:10.0.0.1"}, 739 }, 740 expectedError: "\"10.0.0.1\" is not permitted", 741 }, 742 743 // #37: IPv4 constraints do not permit IPv6 addresses. 744 { 745 roots: []constraintsSpec{ 746 { 747 ok: []string{"ip:10.0.0.0/8"}, 748 }, 749 }, 750 intermediates: [][]constraintsSpec{ 751 { 752 {}, 753 }, 754 }, 755 leaf: leafSpec{ 756 sans: []string{"ip:2000:abcd::"}, 757 }, 758 expectedError: "\"2000:abcd::\" is not permitted", 759 }, 760 761 // #38: an exclusion of an unknown type doesn't affect other names. 762 { 763 roots: []constraintsSpec{ 764 { 765 bad: []string{"unknown:"}, 766 }, 767 }, 768 intermediates: [][]constraintsSpec{ 769 { 770 {}, 771 }, 772 }, 773 leaf: leafSpec{ 774 sans: []string{"dns:example.com"}, 775 }, 776 }, 777 778 // #39: a permitted subtree of an unknown type doesn't affect other 779 // name types. 780 { 781 roots: []constraintsSpec{ 782 { 783 ok: []string{"unknown:"}, 784 }, 785 }, 786 intermediates: [][]constraintsSpec{ 787 { 788 {}, 789 }, 790 }, 791 leaf: leafSpec{ 792 sans: []string{"dns:example.com"}, 793 }, 794 }, 795 796 // #40: exact email constraints work 797 { 798 roots: []constraintsSpec{ 799 { 800 ok: []string{"email:foo@example.com"}, 801 }, 802 }, 803 intermediates: [][]constraintsSpec{ 804 { 805 {}, 806 }, 807 }, 808 leaf: leafSpec{ 809 sans: []string{"email:foo@example.com"}, 810 }, 811 }, 812 813 // #41: exact email constraints are effective 814 { 815 roots: []constraintsSpec{ 816 { 817 ok: []string{"email:foo@example.com"}, 818 }, 819 }, 820 intermediates: [][]constraintsSpec{ 821 { 822 {}, 823 }, 824 }, 825 leaf: leafSpec{ 826 sans: []string{"email:bar@example.com"}, 827 }, 828 expectedError: "\"bar@example.com\" is not permitted", 829 }, 830 831 // #42: email canonicalisation works. 832 { 833 roots: []constraintsSpec{ 834 { 835 ok: []string{"email:foo@example.com"}, 836 }, 837 }, 838 intermediates: [][]constraintsSpec{ 839 { 840 {}, 841 }, 842 }, 843 leaf: leafSpec{ 844 sans: []string{"email:\"\\f\\o\\o\"@example.com"}, 845 }, 846 noOpenSSL: true, // OpenSSL doesn't canonicalise email addresses before matching 847 }, 848 849 // #43: limiting email addresses to a host works. 850 { 851 roots: []constraintsSpec{ 852 { 853 ok: []string{"email:example.com"}, 854 }, 855 }, 856 intermediates: [][]constraintsSpec{ 857 { 858 {}, 859 }, 860 }, 861 leaf: leafSpec{ 862 sans: []string{"email:foo@example.com"}, 863 }, 864 }, 865 866 // #44: a leading dot matches hosts one level deep 867 { 868 roots: []constraintsSpec{ 869 { 870 ok: []string{"email:.example.com"}, 871 }, 872 }, 873 intermediates: [][]constraintsSpec{ 874 { 875 {}, 876 }, 877 }, 878 leaf: leafSpec{ 879 sans: []string{"email:foo@sub.example.com"}, 880 }, 881 }, 882 883 // #45: a leading dot does not match the host itself 884 { 885 roots: []constraintsSpec{ 886 { 887 ok: []string{"email:.example.com"}, 888 }, 889 }, 890 intermediates: [][]constraintsSpec{ 891 { 892 {}, 893 }, 894 }, 895 leaf: leafSpec{ 896 sans: []string{"email:foo@example.com"}, 897 }, 898 expectedError: "\"foo@example.com\" is not permitted", 899 }, 900 901 // #46: a leading dot also matches two (or more) levels deep. 902 { 903 roots: []constraintsSpec{ 904 { 905 ok: []string{"email:.example.com"}, 906 }, 907 }, 908 intermediates: [][]constraintsSpec{ 909 { 910 {}, 911 }, 912 }, 913 leaf: leafSpec{ 914 sans: []string{"email:foo@sub.sub.example.com"}, 915 }, 916 }, 917 918 // #47: the local part of an email is case-sensitive 919 { 920 roots: []constraintsSpec{ 921 { 922 ok: []string{"email:foo@example.com"}, 923 }, 924 }, 925 intermediates: [][]constraintsSpec{ 926 { 927 {}, 928 }, 929 }, 930 leaf: leafSpec{ 931 sans: []string{"email:Foo@example.com"}, 932 }, 933 expectedError: "\"Foo@example.com\" is not permitted", 934 }, 935 936 // #48: the domain part of an email is not case-sensitive 937 { 938 roots: []constraintsSpec{ 939 { 940 ok: []string{"email:foo@EXAMPLE.com"}, 941 }, 942 }, 943 intermediates: [][]constraintsSpec{ 944 { 945 {}, 946 }, 947 }, 948 leaf: leafSpec{ 949 sans: []string{"email:foo@example.com"}, 950 }, 951 }, 952 953 // #49: the domain part of a DNS constraint is also not case-sensitive. 954 { 955 roots: []constraintsSpec{ 956 { 957 ok: []string{"dns:EXAMPLE.com"}, 958 }, 959 }, 960 intermediates: [][]constraintsSpec{ 961 { 962 {}, 963 }, 964 }, 965 leaf: leafSpec{ 966 sans: []string{"dns:example.com"}, 967 }, 968 }, 969 970 // #50: URI constraints only cover the host part of the URI 971 { 972 roots: []constraintsSpec{ 973 { 974 ok: []string{"uri:example.com"}, 975 }, 976 }, 977 intermediates: [][]constraintsSpec{ 978 { 979 {}, 980 }, 981 }, 982 leaf: leafSpec{ 983 sans: []string{ 984 "uri:http://example.com/bar", 985 "uri:http://example.com:8080/", 986 "uri:https://example.com/wibble#bar", 987 }, 988 }, 989 }, 990 991 // #51: URIs with IPs are rejected 992 { 993 roots: []constraintsSpec{ 994 { 995 ok: []string{"uri:example.com"}, 996 }, 997 }, 998 intermediates: [][]constraintsSpec{ 999 { 1000 {}, 1001 }, 1002 }, 1003 leaf: leafSpec{ 1004 sans: []string{"uri:http://1.2.3.4/"}, 1005 }, 1006 expectedError: "URI with IP", 1007 }, 1008 1009 // #52: URIs with IPs and ports are rejected 1010 { 1011 roots: []constraintsSpec{ 1012 { 1013 ok: []string{"uri:example.com"}, 1014 }, 1015 }, 1016 intermediates: [][]constraintsSpec{ 1017 { 1018 {}, 1019 }, 1020 }, 1021 leaf: leafSpec{ 1022 sans: []string{"uri:http://1.2.3.4:43/"}, 1023 }, 1024 expectedError: "URI with IP", 1025 }, 1026 1027 // #53: URIs with IPv6 addresses are also rejected 1028 { 1029 roots: []constraintsSpec{ 1030 { 1031 ok: []string{"uri:example.com"}, 1032 }, 1033 }, 1034 intermediates: [][]constraintsSpec{ 1035 { 1036 {}, 1037 }, 1038 }, 1039 leaf: leafSpec{ 1040 sans: []string{"uri:http://[2006:abcd::1]/"}, 1041 }, 1042 expectedError: "URI with IP", 1043 }, 1044 1045 // #54: URIs with IPv6 addresses with ports are also rejected 1046 { 1047 roots: []constraintsSpec{ 1048 { 1049 ok: []string{"uri:example.com"}, 1050 }, 1051 }, 1052 intermediates: [][]constraintsSpec{ 1053 { 1054 {}, 1055 }, 1056 }, 1057 leaf: leafSpec{ 1058 sans: []string{"uri:http://[2006:abcd::1]:16/"}, 1059 }, 1060 expectedError: "URI with IP", 1061 }, 1062 1063 // #55: URI constraints are effective 1064 { 1065 roots: []constraintsSpec{ 1066 { 1067 ok: []string{"uri:example.com"}, 1068 }, 1069 }, 1070 intermediates: [][]constraintsSpec{ 1071 { 1072 {}, 1073 }, 1074 }, 1075 leaf: leafSpec{ 1076 sans: []string{"uri:http://bar.com/"}, 1077 }, 1078 expectedError: "\"http://bar.com/\" is not permitted", 1079 }, 1080 1081 // #56: URI constraints are effective 1082 { 1083 roots: []constraintsSpec{ 1084 { 1085 bad: []string{"uri:foo.com"}, 1086 }, 1087 }, 1088 intermediates: [][]constraintsSpec{ 1089 { 1090 {}, 1091 }, 1092 }, 1093 leaf: leafSpec{ 1094 sans: []string{"uri:http://foo.com/"}, 1095 }, 1096 expectedError: "\"http://foo.com/\" is excluded", 1097 }, 1098 1099 // #57: URI constraints can allow subdomains 1100 { 1101 roots: []constraintsSpec{ 1102 { 1103 ok: []string{"uri:.foo.com"}, 1104 }, 1105 }, 1106 intermediates: [][]constraintsSpec{ 1107 { 1108 {}, 1109 }, 1110 }, 1111 leaf: leafSpec{ 1112 sans: []string{"uri:http://www.foo.com/"}, 1113 }, 1114 }, 1115 1116 // #58: excluding an IPv4-mapped-IPv6 address doesn't affect the IPv4 1117 // version of that address. 1118 { 1119 roots: []constraintsSpec{ 1120 { 1121 bad: []string{"ip:::ffff:1.2.3.4/128"}, 1122 }, 1123 }, 1124 intermediates: [][]constraintsSpec{ 1125 { 1126 {}, 1127 }, 1128 }, 1129 leaf: leafSpec{ 1130 sans: []string{"ip:1.2.3.4"}, 1131 }, 1132 }, 1133 1134 // #59: a URI constraint isn't matched by a URN. 1135 { 1136 roots: []constraintsSpec{ 1137 { 1138 ok: []string{"uri:example.com"}, 1139 }, 1140 }, 1141 intermediates: [][]constraintsSpec{ 1142 { 1143 {}, 1144 }, 1145 }, 1146 leaf: leafSpec{ 1147 sans: []string{"uri:urn:example"}, 1148 }, 1149 expectedError: "URI with empty host", 1150 }, 1151 1152 // #60: excluding all IPv6 addresses doesn't exclude all IPv4 addresses 1153 // too, even though IPv4 is mapped into the IPv6 range. 1154 { 1155 roots: []constraintsSpec{ 1156 { 1157 ok: []string{"ip:1.2.3.0/24"}, 1158 bad: []string{"ip:::0/0"}, 1159 }, 1160 }, 1161 intermediates: [][]constraintsSpec{ 1162 { 1163 {}, 1164 }, 1165 }, 1166 leaf: leafSpec{ 1167 sans: []string{"ip:1.2.3.4"}, 1168 }, 1169 }, 1170 1171 // #61: omitting extended key usage in a CA certificate implies that 1172 // any usage is ok. 1173 { 1174 roots: make([]constraintsSpec, 1), 1175 intermediates: [][]constraintsSpec{ 1176 { 1177 {}, 1178 }, 1179 }, 1180 leaf: leafSpec{ 1181 sans: []string{"dns:example.com"}, 1182 ekus: []string{"serverAuth", "other"}, 1183 }, 1184 }, 1185 1186 // #62: The “any” EKU also means that any usage is ok. 1187 { 1188 roots: make([]constraintsSpec, 1), 1189 intermediates: [][]constraintsSpec{ 1190 { 1191 { 1192 ekus: []string{"any"}, 1193 }, 1194 }, 1195 }, 1196 leaf: leafSpec{ 1197 sans: []string{"dns:example.com"}, 1198 ekus: []string{"serverAuth", "other"}, 1199 }, 1200 }, 1201 1202 // #63: An intermediate with enumerated EKUs causes a failure if we 1203 // test for an EKU not in that set. (ServerAuth is required by 1204 // default.) 1205 { 1206 roots: make([]constraintsSpec, 1), 1207 intermediates: [][]constraintsSpec{ 1208 { 1209 { 1210 ekus: []string{"email"}, 1211 }, 1212 }, 1213 }, 1214 leaf: leafSpec{ 1215 sans: []string{"dns:example.com"}, 1216 ekus: []string{"serverAuth"}, 1217 }, 1218 expectedError: "incompatible key usage", 1219 }, 1220 1221 // #64: an unknown EKU in the leaf doesn't break anything, even if it's not 1222 // correctly nested. 1223 { 1224 roots: make([]constraintsSpec, 1), 1225 intermediates: [][]constraintsSpec{ 1226 { 1227 { 1228 ekus: []string{"email"}, 1229 }, 1230 }, 1231 }, 1232 leaf: leafSpec{ 1233 sans: []string{"dns:example.com"}, 1234 ekus: []string{"other"}, 1235 }, 1236 requestedEKUs: []ExtKeyUsage{ExtKeyUsageAny}, 1237 }, 1238 1239 // #65: trying to add extra permitted key usages in an intermediate 1240 // (after a limitation in the root) is acceptable so long as the leaf 1241 // certificate doesn't use them. 1242 { 1243 roots: []constraintsSpec{ 1244 { 1245 ekus: []string{"serverAuth"}, 1246 }, 1247 }, 1248 intermediates: [][]constraintsSpec{ 1249 { 1250 { 1251 ekus: []string{"serverAuth", "email"}, 1252 }, 1253 }, 1254 }, 1255 leaf: leafSpec{ 1256 sans: []string{"dns:example.com"}, 1257 ekus: []string{"serverAuth"}, 1258 }, 1259 }, 1260 1261 // #66: EKUs in roots are not ignored. 1262 { 1263 roots: []constraintsSpec{ 1264 { 1265 ekus: []string{"email"}, 1266 }, 1267 }, 1268 intermediates: [][]constraintsSpec{ 1269 { 1270 { 1271 ekus: []string{"serverAuth"}, 1272 }, 1273 }, 1274 }, 1275 leaf: leafSpec{ 1276 sans: []string{"dns:example.com"}, 1277 ekus: []string{"serverAuth"}, 1278 }, 1279 expectedError: "incompatible key usage", 1280 }, 1281 1282 // #67: in order to support COMODO chains, SGC key usages permit 1283 // serverAuth and clientAuth. 1284 { 1285 roots: []constraintsSpec{ 1286 {}, 1287 }, 1288 intermediates: [][]constraintsSpec{ 1289 { 1290 { 1291 ekus: []string{"netscapeSGC"}, 1292 }, 1293 }, 1294 }, 1295 leaf: leafSpec{ 1296 sans: []string{"dns:example.com"}, 1297 ekus: []string{"serverAuth", "clientAuth"}, 1298 }, 1299 }, 1300 1301 // #68: in order to support COMODO chains, SGC key usages permit 1302 // serverAuth and clientAuth. 1303 { 1304 roots: make([]constraintsSpec, 1), 1305 intermediates: [][]constraintsSpec{ 1306 { 1307 { 1308 ekus: []string{"msSGC"}, 1309 }, 1310 }, 1311 }, 1312 leaf: leafSpec{ 1313 sans: []string{"dns:example.com"}, 1314 ekus: []string{"serverAuth", "clientAuth"}, 1315 }, 1316 }, 1317 1318 // #69: an empty DNS constraint should allow anything. 1319 { 1320 roots: []constraintsSpec{ 1321 { 1322 ok: []string{"dns:"}, 1323 }, 1324 }, 1325 intermediates: [][]constraintsSpec{ 1326 { 1327 {}, 1328 }, 1329 }, 1330 leaf: leafSpec{ 1331 sans: []string{"dns:example.com"}, 1332 }, 1333 }, 1334 1335 // #70: an empty DNS constraint should also reject everything. 1336 { 1337 roots: []constraintsSpec{ 1338 { 1339 bad: []string{"dns:"}, 1340 }, 1341 }, 1342 intermediates: [][]constraintsSpec{ 1343 { 1344 {}, 1345 }, 1346 }, 1347 leaf: leafSpec{ 1348 sans: []string{"dns:example.com"}, 1349 }, 1350 expectedError: "\"example.com\" is excluded", 1351 }, 1352 1353 // #71: an empty email constraint should allow anything 1354 { 1355 roots: []constraintsSpec{ 1356 { 1357 ok: []string{"email:"}, 1358 }, 1359 }, 1360 intermediates: [][]constraintsSpec{ 1361 { 1362 {}, 1363 }, 1364 }, 1365 leaf: leafSpec{ 1366 sans: []string{"email:foo@example.com"}, 1367 }, 1368 }, 1369 1370 // #72: an empty email constraint should also reject everything. 1371 { 1372 roots: []constraintsSpec{ 1373 { 1374 bad: []string{"email:"}, 1375 }, 1376 }, 1377 intermediates: [][]constraintsSpec{ 1378 { 1379 {}, 1380 }, 1381 }, 1382 leaf: leafSpec{ 1383 sans: []string{"email:foo@example.com"}, 1384 }, 1385 expectedError: "\"foo@example.com\" is excluded", 1386 }, 1387 1388 // #73: an empty URI constraint should allow anything 1389 { 1390 roots: []constraintsSpec{ 1391 { 1392 ok: []string{"uri:"}, 1393 }, 1394 }, 1395 intermediates: [][]constraintsSpec{ 1396 { 1397 {}, 1398 }, 1399 }, 1400 leaf: leafSpec{ 1401 sans: []string{"uri:https://example.com/test"}, 1402 }, 1403 }, 1404 1405 // #74: an empty URI constraint should also reject everything. 1406 { 1407 roots: []constraintsSpec{ 1408 { 1409 bad: []string{"uri:"}, 1410 }, 1411 }, 1412 intermediates: [][]constraintsSpec{ 1413 { 1414 {}, 1415 }, 1416 }, 1417 leaf: leafSpec{ 1418 sans: []string{"uri:https://example.com/test"}, 1419 }, 1420 expectedError: "\"https://example.com/test\" is excluded", 1421 }, 1422 1423 // #75: serverAuth in a leaf shouldn't permit clientAuth when requested in 1424 // VerifyOptions. 1425 { 1426 roots: make([]constraintsSpec, 1), 1427 intermediates: [][]constraintsSpec{ 1428 { 1429 {}, 1430 }, 1431 }, 1432 leaf: leafSpec{ 1433 sans: []string{"dns:example.com"}, 1434 ekus: []string{"serverAuth"}, 1435 }, 1436 requestedEKUs: []ExtKeyUsage{ExtKeyUsageClientAuth}, 1437 expectedError: "incompatible key usage", 1438 }, 1439 1440 // #76: However, MSSGC in a leaf should match a request for serverAuth. 1441 { 1442 roots: make([]constraintsSpec, 1), 1443 intermediates: [][]constraintsSpec{ 1444 { 1445 {}, 1446 }, 1447 }, 1448 leaf: leafSpec{ 1449 sans: []string{"dns:example.com"}, 1450 ekus: []string{"msSGC"}, 1451 }, 1452 requestedEKUs: []ExtKeyUsage{ExtKeyUsageServerAuth}, 1453 }, 1454 1455 // An invalid DNS SAN should be detected only at validation time so 1456 // that we can process CA certificates in the wild that have invalid SANs. 1457 // See https://github.com/golang/go/issues/23995 1458 1459 // #77: an invalid DNS or mail SAN will not be detected if name constraint 1460 // checking is not triggered. 1461 { 1462 roots: make([]constraintsSpec, 1), 1463 intermediates: [][]constraintsSpec{ 1464 { 1465 {}, 1466 }, 1467 }, 1468 leaf: leafSpec{ 1469 sans: []string{"dns:this is invalid", "email:this @ is invalid"}, 1470 }, 1471 }, 1472 1473 // #78: an invalid DNS SAN will be detected if any name constraint checking 1474 // is triggered. 1475 { 1476 roots: []constraintsSpec{ 1477 { 1478 bad: []string{"uri:"}, 1479 }, 1480 }, 1481 intermediates: [][]constraintsSpec{ 1482 { 1483 {}, 1484 }, 1485 }, 1486 leaf: leafSpec{ 1487 sans: []string{"dns:this is invalid"}, 1488 }, 1489 expectedError: "cannot parse dnsName", 1490 }, 1491 1492 // #79: an invalid email SAN will be detected if any name constraint 1493 // checking is triggered. 1494 { 1495 roots: []constraintsSpec{ 1496 { 1497 bad: []string{"uri:"}, 1498 }, 1499 }, 1500 intermediates: [][]constraintsSpec{ 1501 { 1502 {}, 1503 }, 1504 }, 1505 leaf: leafSpec{ 1506 sans: []string{"email:this @ is invalid"}, 1507 }, 1508 expectedError: "cannot parse rfc822Name", 1509 }, 1510 1511 // #80: if several EKUs are requested, satisfying any of them is sufficient. 1512 { 1513 roots: make([]constraintsSpec, 1), 1514 intermediates: [][]constraintsSpec{ 1515 { 1516 {}, 1517 }, 1518 }, 1519 leaf: leafSpec{ 1520 sans: []string{"dns:example.com"}, 1521 ekus: []string{"email"}, 1522 }, 1523 requestedEKUs: []ExtKeyUsage{ExtKeyUsageClientAuth, ExtKeyUsageEmailProtection}, 1524 }, 1525 1526 // #81: EKUs that are not asserted in VerifyOpts are not required to be 1527 // nested. 1528 { 1529 roots: make([]constraintsSpec, 1), 1530 intermediates: [][]constraintsSpec{ 1531 { 1532 { 1533 ekus: []string{"serverAuth"}, 1534 }, 1535 }, 1536 }, 1537 leaf: leafSpec{ 1538 sans: []string{"dns:example.com"}, 1539 // There's no email EKU in the intermediate. This would be rejected if 1540 // full nesting was required. 1541 ekus: []string{"email", "serverAuth"}, 1542 }, 1543 }, 1544 1545 // #82: a certificate without SANs and CN is accepted in a constrained chain. 1546 { 1547 roots: []constraintsSpec{ 1548 { 1549 ok: []string{"dns:foo.com", "dns:.foo.com"}, 1550 }, 1551 }, 1552 intermediates: [][]constraintsSpec{ 1553 { 1554 {}, 1555 }, 1556 }, 1557 leaf: leafSpec{ 1558 sans: []string{}, 1559 }, 1560 }, 1561 1562 // #83: a certificate without SANs and with a CN that does not parse as a 1563 // hostname is accepted in a constrained chain. 1564 { 1565 roots: []constraintsSpec{ 1566 { 1567 ok: []string{"dns:foo.com", "dns:.foo.com"}, 1568 }, 1569 }, 1570 intermediates: [][]constraintsSpec{ 1571 { 1572 {}, 1573 }, 1574 }, 1575 leaf: leafSpec{ 1576 sans: []string{}, 1577 cn: "foo,bar", 1578 }, 1579 }, 1580 1581 // #84: a certificate with SANs and CN is accepted in a constrained chain. 1582 { 1583 roots: []constraintsSpec{ 1584 { 1585 ok: []string{"dns:foo.com", "dns:.foo.com"}, 1586 }, 1587 }, 1588 intermediates: [][]constraintsSpec{ 1589 { 1590 {}, 1591 }, 1592 }, 1593 leaf: leafSpec{ 1594 sans: []string{"dns:foo.com"}, 1595 cn: "foo.bar", 1596 }, 1597 }, 1598 } 1599 1600 func makeConstraintsCACert(constraints constraintsSpec, name string, key *ecdsa.PrivateKey, parent *Certificate, parentKey *ecdsa.PrivateKey) (*Certificate, error) { 1601 var serialBytes [16]byte 1602 rand.Read(serialBytes[:]) 1603 1604 template := &Certificate{ 1605 SerialNumber: new(big.Int).SetBytes(serialBytes[:]), 1606 Subject: pkix.Name{ 1607 CommonName: name, 1608 }, 1609 NotBefore: time.Unix(1000, 0), 1610 NotAfter: time.Unix(2000, 0), 1611 KeyUsage: KeyUsageCertSign, 1612 BasicConstraintsValid: true, 1613 IsCA: true, 1614 } 1615 1616 if err := addConstraintsToTemplate(constraints, template); err != nil { 1617 return nil, err 1618 } 1619 1620 if parent == nil { 1621 parent = template 1622 } 1623 derBytes, err := CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey) 1624 if err != nil { 1625 return nil, err 1626 } 1627 1628 caCert, err := ParseCertificate(derBytes) 1629 if err != nil { 1630 return nil, err 1631 } 1632 1633 return caCert, nil 1634 } 1635 1636 func makeConstraintsLeafCert(leaf leafSpec, key *ecdsa.PrivateKey, parent *Certificate, parentKey *ecdsa.PrivateKey) (*Certificate, error) { 1637 var serialBytes [16]byte 1638 rand.Read(serialBytes[:]) 1639 1640 template := &Certificate{ 1641 SerialNumber: new(big.Int).SetBytes(serialBytes[:]), 1642 Subject: pkix.Name{ 1643 OrganizationalUnit: []string{"Leaf"}, 1644 CommonName: leaf.cn, 1645 }, 1646 NotBefore: time.Unix(1000, 0), 1647 NotAfter: time.Unix(2000, 0), 1648 KeyUsage: KeyUsageDigitalSignature, 1649 BasicConstraintsValid: true, 1650 IsCA: false, 1651 } 1652 1653 for _, name := range leaf.sans { 1654 switch { 1655 case strings.HasPrefix(name, "dns:"): 1656 template.DNSNames = append(template.DNSNames, name[4:]) 1657 1658 case strings.HasPrefix(name, "ip:"): 1659 ip := net.ParseIP(name[3:]) 1660 if ip == nil { 1661 return nil, fmt.Errorf("cannot parse IP %q", name[3:]) 1662 } 1663 template.IPAddresses = append(template.IPAddresses, ip) 1664 1665 case strings.HasPrefix(name, "invalidip:"): 1666 ipBytes, err := hex.DecodeString(name[10:]) 1667 if err != nil { 1668 return nil, fmt.Errorf("cannot parse invalid IP: %s", err) 1669 } 1670 template.IPAddresses = append(template.IPAddresses, net.IP(ipBytes)) 1671 1672 case strings.HasPrefix(name, "email:"): 1673 template.EmailAddresses = append(template.EmailAddresses, name[6:]) 1674 1675 case strings.HasPrefix(name, "uri:"): 1676 uri, err := url.Parse(name[4:]) 1677 if err != nil { 1678 return nil, fmt.Errorf("cannot parse URI %q: %s", name[4:], err) 1679 } 1680 template.URIs = append(template.URIs, uri) 1681 1682 case strings.HasPrefix(name, "unknown:"): 1683 // This is a special case for testing unknown 1684 // name types. A custom SAN extension is 1685 // injected into the certificate. 1686 if len(leaf.sans) != 1 { 1687 panic("when using unknown name types, it must be the sole name") 1688 } 1689 1690 template.ExtraExtensions = append(template.ExtraExtensions, pkix.Extension{ 1691 Id: []int{2, 5, 29, 17}, 1692 Value: []byte{ 1693 0x30, // SEQUENCE 1694 3, // three bytes 1695 9, // undefined GeneralName type 9 1696 1, 1697 1, 1698 }, 1699 }) 1700 1701 default: 1702 return nil, fmt.Errorf("unknown name type %q", name) 1703 } 1704 } 1705 1706 var err error 1707 if template.ExtKeyUsage, template.UnknownExtKeyUsage, err = parseEKUs(leaf.ekus); err != nil { 1708 return nil, err 1709 } 1710 1711 if parent == nil { 1712 parent = template 1713 } 1714 1715 derBytes, err := CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey) 1716 if err != nil { 1717 return nil, err 1718 } 1719 1720 return ParseCertificate(derBytes) 1721 } 1722 1723 func customConstraintsExtension(typeNum int, constraint []byte, isExcluded bool) pkix.Extension { 1724 appendConstraint := func(contents []byte, tag uint8) []byte { 1725 contents = append(contents, tag|32 /* constructed */ |0x80 /* context-specific */) 1726 contents = append(contents, byte(4+len(constraint)) /* length */) 1727 contents = append(contents, 0x30 /* SEQUENCE */) 1728 contents = append(contents, byte(2+len(constraint)) /* length */) 1729 contents = append(contents, byte(typeNum) /* GeneralName type */) 1730 contents = append(contents, byte(len(constraint))) 1731 return append(contents, constraint...) 1732 } 1733 1734 var contents []byte 1735 if !isExcluded { 1736 contents = appendConstraint(contents, 0 /* tag 0 for permitted */) 1737 } else { 1738 contents = appendConstraint(contents, 1 /* tag 1 for excluded */) 1739 } 1740 1741 var value []byte 1742 value = append(value, 0x30 /* SEQUENCE */) 1743 value = append(value, byte(len(contents))) 1744 value = append(value, contents...) 1745 1746 return pkix.Extension{ 1747 Id: []int{2, 5, 29, 30}, 1748 Value: value, 1749 } 1750 } 1751 1752 func addConstraintsToTemplate(constraints constraintsSpec, template *Certificate) error { 1753 parse := func(constraints []string) (dnsNames []string, ips []*net.IPNet, emailAddrs []string, uriDomains []string, err error) { 1754 for _, constraint := range constraints { 1755 switch { 1756 case strings.HasPrefix(constraint, "dns:"): 1757 dnsNames = append(dnsNames, constraint[4:]) 1758 1759 case strings.HasPrefix(constraint, "ip:"): 1760 _, ipNet, err := net.ParseCIDR(constraint[3:]) 1761 if err != nil { 1762 return nil, nil, nil, nil, err 1763 } 1764 ips = append(ips, ipNet) 1765 1766 case strings.HasPrefix(constraint, "email:"): 1767 emailAddrs = append(emailAddrs, constraint[6:]) 1768 1769 case strings.HasPrefix(constraint, "uri:"): 1770 uriDomains = append(uriDomains, constraint[4:]) 1771 1772 default: 1773 return nil, nil, nil, nil, fmt.Errorf("unknown constraint %q", constraint) 1774 } 1775 } 1776 1777 return dnsNames, ips, emailAddrs, uriDomains, err 1778 } 1779 1780 handleSpecialConstraint := func(constraint string, isExcluded bool) bool { 1781 switch { 1782 case constraint == "unknown:": 1783 template.ExtraExtensions = append(template.ExtraExtensions, customConstraintsExtension(9 /* undefined GeneralName type */, []byte{1}, isExcluded)) 1784 1785 default: 1786 return false 1787 } 1788 1789 return true 1790 } 1791 1792 if len(constraints.ok) == 1 && len(constraints.bad) == 0 { 1793 if handleSpecialConstraint(constraints.ok[0], false) { 1794 return nil 1795 } 1796 } 1797 1798 if len(constraints.bad) == 1 && len(constraints.ok) == 0 { 1799 if handleSpecialConstraint(constraints.bad[0], true) { 1800 return nil 1801 } 1802 } 1803 1804 var err error 1805 template.PermittedDNSDomains, template.PermittedIPRanges, template.PermittedEmailAddresses, template.PermittedURIDomains, err = parse(constraints.ok) 1806 if err != nil { 1807 return err 1808 } 1809 1810 template.ExcludedDNSDomains, template.ExcludedIPRanges, template.ExcludedEmailAddresses, template.ExcludedURIDomains, err = parse(constraints.bad) 1811 if err != nil { 1812 return err 1813 } 1814 1815 if template.ExtKeyUsage, template.UnknownExtKeyUsage, err = parseEKUs(constraints.ekus); err != nil { 1816 return err 1817 } 1818 1819 return nil 1820 } 1821 1822 func parseEKUs(ekuStrs []string) (ekus []ExtKeyUsage, unknowns []asn1.ObjectIdentifier, err error) { 1823 for _, s := range ekuStrs { 1824 switch s { 1825 case "serverAuth": 1826 ekus = append(ekus, ExtKeyUsageServerAuth) 1827 case "clientAuth": 1828 ekus = append(ekus, ExtKeyUsageClientAuth) 1829 case "email": 1830 ekus = append(ekus, ExtKeyUsageEmailProtection) 1831 case "netscapeSGC": 1832 ekus = append(ekus, ExtKeyUsageNetscapeServerGatedCrypto) 1833 case "msSGC": 1834 ekus = append(ekus, ExtKeyUsageMicrosoftServerGatedCrypto) 1835 case "any": 1836 ekus = append(ekus, ExtKeyUsageAny) 1837 case "other": 1838 unknowns = append(unknowns, asn1.ObjectIdentifier{2, 4, 1, 2, 3}) 1839 default: 1840 return nil, nil, fmt.Errorf("unknown EKU %q", s) 1841 } 1842 } 1843 1844 return 1845 } 1846 1847 func TestConstraintCases(t *testing.T) { 1848 privateKeys := sync.Pool{ 1849 New: func() interface{} { 1850 priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) 1851 if err != nil { 1852 panic(err) 1853 } 1854 return priv 1855 }, 1856 } 1857 1858 for i, test := range nameConstraintsTests { 1859 rootPool := NewCertPool() 1860 rootKey := privateKeys.Get().(*ecdsa.PrivateKey) 1861 rootName := "Root " + strconv.Itoa(i) 1862 1863 // keys keeps track of all the private keys used in a given 1864 // test and puts them back in the privateKeys pool at the end. 1865 keys := []*ecdsa.PrivateKey{rootKey} 1866 1867 // At each level (root, intermediate(s), leaf), parent points to 1868 // an example parent certificate and parentKey the key for the 1869 // parent level. Since all certificates at a given level have 1870 // the same name and public key, any parent certificate is 1871 // sufficient to get the correct issuer name and authority 1872 // key ID. 1873 var parent *Certificate 1874 parentKey := rootKey 1875 1876 for _, root := range test.roots { 1877 rootCert, err := makeConstraintsCACert(root, rootName, rootKey, nil, rootKey) 1878 if err != nil { 1879 t.Fatalf("#%d: failed to create root: %s", i, err) 1880 } 1881 1882 parent = rootCert 1883 rootPool.AddCert(rootCert) 1884 } 1885 1886 intermediatePool := NewCertPool() 1887 1888 for level, intermediates := range test.intermediates { 1889 levelKey := privateKeys.Get().(*ecdsa.PrivateKey) 1890 keys = append(keys, levelKey) 1891 levelName := "Intermediate level " + strconv.Itoa(level) 1892 var last *Certificate 1893 1894 for _, intermediate := range intermediates { 1895 caCert, err := makeConstraintsCACert(intermediate, levelName, levelKey, parent, parentKey) 1896 if err != nil { 1897 t.Fatalf("#%d: failed to create %q: %s", i, levelName, err) 1898 } 1899 1900 last = caCert 1901 intermediatePool.AddCert(caCert) 1902 } 1903 1904 parent = last 1905 parentKey = levelKey 1906 } 1907 1908 leafKey := privateKeys.Get().(*ecdsa.PrivateKey) 1909 keys = append(keys, leafKey) 1910 1911 leafCert, err := makeConstraintsLeafCert(test.leaf, leafKey, parent, parentKey) 1912 if err != nil { 1913 t.Fatalf("#%d: cannot create leaf: %s", i, err) 1914 } 1915 1916 // Skip tests with CommonName set because OpenSSL will try to match it 1917 // against name constraints, while we ignore it when it's not hostname-looking. 1918 if !test.noOpenSSL && testNameConstraintsAgainstOpenSSL && test.leaf.cn == "" { 1919 output, err := testChainAgainstOpenSSL(t, leafCert, intermediatePool, rootPool) 1920 if err == nil && len(test.expectedError) > 0 { 1921 t.Errorf("#%d: unexpectedly succeeded against OpenSSL", i) 1922 if debugOpenSSLFailure { 1923 return 1924 } 1925 } 1926 1927 if err != nil { 1928 if _, ok := err.(*exec.ExitError); !ok { 1929 t.Errorf("#%d: OpenSSL failed to run: %s", i, err) 1930 } else if len(test.expectedError) == 0 { 1931 t.Errorf("#%d: OpenSSL unexpectedly failed: %v", i, output) 1932 if debugOpenSSLFailure { 1933 return 1934 } 1935 } 1936 } 1937 } 1938 1939 verifyOpts := VerifyOptions{ 1940 Roots: rootPool, 1941 Intermediates: intermediatePool, 1942 CurrentTime: time.Unix(1500, 0), 1943 KeyUsages: test.requestedEKUs, 1944 } 1945 _, err = leafCert.Verify(verifyOpts) 1946 1947 logInfo := true 1948 if len(test.expectedError) == 0 { 1949 if err != nil { 1950 t.Errorf("#%d: unexpected failure: %s", i, err) 1951 } else { 1952 logInfo = false 1953 } 1954 } else { 1955 if err == nil { 1956 t.Errorf("#%d: unexpected success", i) 1957 } else if !strings.Contains(err.Error(), test.expectedError) { 1958 t.Errorf("#%d: expected error containing %q, but got: %s", i, test.expectedError, err) 1959 } else { 1960 logInfo = false 1961 } 1962 } 1963 1964 if logInfo { 1965 certAsPEM := func(cert *Certificate) string { 1966 var buf bytes.Buffer 1967 pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}) 1968 return buf.String() 1969 } 1970 t.Errorf("#%d: root:\n%s", i, certAsPEM(rootPool.mustCert(t, 0))) 1971 t.Errorf("#%d: leaf:\n%s", i, certAsPEM(leafCert)) 1972 } 1973 1974 for _, key := range keys { 1975 privateKeys.Put(key) 1976 } 1977 } 1978 } 1979 1980 func writePEMsToTempFile(certs []*Certificate) *os.File { 1981 file, err := os.CreateTemp("", "name_constraints_test") 1982 if err != nil { 1983 panic("cannot create tempfile") 1984 } 1985 1986 pemBlock := &pem.Block{Type: "CERTIFICATE"} 1987 for _, cert := range certs { 1988 pemBlock.Bytes = cert.Raw 1989 pem.Encode(file, pemBlock) 1990 } 1991 1992 return file 1993 } 1994 1995 func testChainAgainstOpenSSL(t *testing.T, leaf *Certificate, intermediates, roots *CertPool) (string, error) { 1996 args := []string{"verify", "-no_check_time"} 1997 1998 rootsFile := writePEMsToTempFile(allCerts(t, roots)) 1999 if debugOpenSSLFailure { 2000 println("roots file:", rootsFile.Name()) 2001 } else { 2002 defer os.Remove(rootsFile.Name()) 2003 } 2004 args = append(args, "-CAfile", rootsFile.Name()) 2005 2006 if intermediates.len() > 0 { 2007 intermediatesFile := writePEMsToTempFile(allCerts(t, intermediates)) 2008 if debugOpenSSLFailure { 2009 println("intermediates file:", intermediatesFile.Name()) 2010 } else { 2011 defer os.Remove(intermediatesFile.Name()) 2012 } 2013 args = append(args, "-untrusted", intermediatesFile.Name()) 2014 } 2015 2016 leafFile := writePEMsToTempFile([]*Certificate{leaf}) 2017 if debugOpenSSLFailure { 2018 println("leaf file:", leafFile.Name()) 2019 } else { 2020 defer os.Remove(leafFile.Name()) 2021 } 2022 args = append(args, leafFile.Name()) 2023 2024 var output bytes.Buffer 2025 cmd := exec.Command("openssl", args...) 2026 cmd.Stdout = &output 2027 cmd.Stderr = &output 2028 2029 err := cmd.Run() 2030 return output.String(), err 2031 } 2032 2033 var rfc2821Tests = []struct { 2034 in string 2035 localPart, domain string 2036 }{ 2037 {"foo@example.com", "foo", "example.com"}, 2038 {"@example.com", "", ""}, 2039 {"\"@example.com", "", ""}, 2040 {"\"\"@example.com", "", "example.com"}, 2041 {"\"a\"@example.com", "a", "example.com"}, 2042 {"\"\\a\"@example.com", "a", "example.com"}, 2043 {"a\"@example.com", "", ""}, 2044 {"foo..bar@example.com", "", ""}, 2045 {".foo.bar@example.com", "", ""}, 2046 {"foo.bar.@example.com", "", ""}, 2047 {"|{}?'@example.com", "|{}?'", "example.com"}, 2048 2049 // Examples from RFC 3696 2050 {"Abc\\@def@example.com", "Abc@def", "example.com"}, 2051 {"Fred\\ Bloggs@example.com", "Fred Bloggs", "example.com"}, 2052 {"Joe.\\\\Blow@example.com", "Joe.\\Blow", "example.com"}, 2053 {"\"Abc@def\"@example.com", "Abc@def", "example.com"}, 2054 {"\"Fred Bloggs\"@example.com", "Fred Bloggs", "example.com"}, 2055 {"customer/department=shipping@example.com", "customer/department=shipping", "example.com"}, 2056 {"$A12345@example.com", "$A12345", "example.com"}, 2057 {"!def!xyz%abc@example.com", "!def!xyz%abc", "example.com"}, 2058 {"_somename@example.com", "_somename", "example.com"}, 2059 } 2060 2061 func TestRFC2821Parsing(t *testing.T) { 2062 for i, test := range rfc2821Tests { 2063 mailbox, ok := parseRFC2821Mailbox(test.in) 2064 expectedFailure := len(test.localPart) == 0 && len(test.domain) == 0 2065 2066 if ok && expectedFailure { 2067 t.Errorf("#%d: %q unexpectedly parsed as (%q, %q)", i, test.in, mailbox.local, mailbox.domain) 2068 continue 2069 } 2070 2071 if !ok && !expectedFailure { 2072 t.Errorf("#%d: unexpected failure for %q", i, test.in) 2073 continue 2074 } 2075 2076 if !ok { 2077 continue 2078 } 2079 2080 if mailbox.local != test.localPart || mailbox.domain != test.domain { 2081 t.Errorf("#%d: %q parsed as (%q, %q), but wanted (%q, %q)", i, test.in, mailbox.local, mailbox.domain, test.localPart, test.domain) 2082 } 2083 } 2084 } 2085 2086 func TestBadNamesInConstraints(t *testing.T) { 2087 constraintParseError := func(err error) bool { 2088 str := err.Error() 2089 return strings.Contains(str, "failed to parse ") && strings.Contains(str, "constraint") 2090 } 2091 2092 encodingError := func(err error) bool { 2093 return strings.Contains(err.Error(), "cannot be encoded as an IA5String") 2094 } 2095 2096 // Bad names in constraints should not parse. 2097 badNames := []struct { 2098 name string 2099 matcher func(error) bool 2100 }{ 2101 {"dns:foo.com.", constraintParseError}, 2102 {"email:abc@foo.com.", constraintParseError}, 2103 {"email:foo.com.", constraintParseError}, 2104 {"uri:example.com.", constraintParseError}, 2105 {"uri:1.2.3.4", constraintParseError}, 2106 {"uri:ffff::1", constraintParseError}, 2107 {"dns:not–hyphen.com", encodingError}, 2108 {"email:foo@not–hyphen.com", encodingError}, 2109 {"uri:not–hyphen.com", encodingError}, 2110 } 2111 2112 priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) 2113 if err != nil { 2114 panic(err) 2115 } 2116 2117 for _, test := range badNames { 2118 _, err := makeConstraintsCACert(constraintsSpec{ 2119 ok: []string{test.name}, 2120 }, "TestAbsoluteNamesInConstraints", priv, nil, priv) 2121 2122 if err == nil { 2123 t.Errorf("bad name %q unexpectedly accepted in name constraint", test.name) 2124 continue 2125 } else { 2126 if !test.matcher(err) { 2127 t.Errorf("bad name %q triggered unrecognised error: %s", test.name, err) 2128 } 2129 } 2130 } 2131 } 2132 2133 func TestBadNamesInSANs(t *testing.T) { 2134 // Bad names in URI and IP SANs should not parse. Bad DNS and email SANs 2135 // will parse and are tested in name constraint tests at the top of this 2136 // file. 2137 badNames := []string{ 2138 "uri:https://example.com./dsf", 2139 "invalidip:0102", 2140 "invalidip:0102030405", 2141 } 2142 2143 priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) 2144 if err != nil { 2145 panic(err) 2146 } 2147 2148 for _, badName := range badNames { 2149 _, err := makeConstraintsLeafCert(leafSpec{sans: []string{badName}}, priv, nil, priv) 2150 2151 if err == nil { 2152 t.Errorf("bad name %q unexpectedly accepted in SAN", badName) 2153 continue 2154 } 2155 2156 if str := err.Error(); !strings.Contains(str, "cannot parse ") { 2157 t.Errorf("bad name %q triggered unrecognised error: %s", badName, str) 2158 } 2159 } 2160 }