github.com/zmap/zcrypto@v0.0.0-20240512203510-0fef58d9a9db/ct/x509/verify.go (about) 1 // Copyright 2011 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package x509 6 7 import ( 8 "fmt" 9 "net" 10 "runtime" 11 "strings" 12 "time" 13 "unicode/utf8" 14 ) 15 16 type InvalidReason int 17 18 const ( 19 // NotAuthorizedToSign results when a certificate is signed by another 20 // which isn't marked as a CA certificate. 21 NotAuthorizedToSign InvalidReason = iota 22 // Expired results when a certificate has expired, based on the time 23 // given in the VerifyOptions. 24 Expired 25 // CANotAuthorizedForThisName results when an intermediate or root 26 // certificate has a name constraint which doesn't include the name 27 // being checked. 28 CANotAuthorizedForThisName 29 // TooManyIntermediates results when a path length constraint is 30 // violated. 31 TooManyIntermediates 32 // IncompatibleUsage results when the certificate's key usage indicates 33 // that it may only be used for a different purpose. 34 IncompatibleUsage 35 ) 36 37 // CertificateInvalidError results when an odd error occurs. Users of this 38 // library probably want to handle all these errors uniformly. 39 type CertificateInvalidError struct { 40 Cert *Certificate 41 Reason InvalidReason 42 } 43 44 func (e CertificateInvalidError) Error() string { 45 switch e.Reason { 46 case NotAuthorizedToSign: 47 return "x509: certificate is not authorized to sign other certificates" 48 case Expired: 49 return "x509: certificate has expired or is not yet valid" 50 case CANotAuthorizedForThisName: 51 return "x509: a root or intermediate certificate is not authorized to sign in this domain" 52 case TooManyIntermediates: 53 return "x509: too many intermediates for path length constraint" 54 case IncompatibleUsage: 55 return "x509: certificate specifies an incompatible key usage" 56 } 57 return "x509: unknown error" 58 } 59 60 // HostnameError results when the set of authorized names doesn't match the 61 // requested name. 62 type HostnameError struct { 63 Certificate *Certificate 64 Host string 65 } 66 67 func (h HostnameError) Error() string { 68 c := h.Certificate 69 70 var valid string 71 if ip := net.ParseIP(h.Host); ip != nil { 72 // Trying to validate an IP 73 if len(c.IPAddresses) == 0 { 74 return "x509: cannot validate certificate for " + h.Host + " because it doesn't contain any IP SANs" 75 } 76 for _, san := range c.IPAddresses { 77 if len(valid) > 0 { 78 valid += ", " 79 } 80 valid += san.String() 81 } 82 } else { 83 if len(c.DNSNames) > 0 { 84 valid = strings.Join(c.DNSNames, ", ") 85 } else { 86 valid = c.Subject.CommonName 87 } 88 } 89 return "x509: certificate is valid for " + valid + ", not " + h.Host 90 } 91 92 // UnknownAuthorityError results when the certificate issuer is unknown 93 type UnknownAuthorityError struct { 94 cert *Certificate 95 // hintErr contains an error that may be helpful in determining why an 96 // authority wasn't found. 97 hintErr error 98 // hintCert contains a possible authority certificate that was rejected 99 // because of the error in hintErr. 100 hintCert *Certificate 101 } 102 103 func (e UnknownAuthorityError) Error() string { 104 s := "x509: certificate signed by unknown authority" 105 if e.hintErr != nil { 106 certName := e.hintCert.Subject.CommonName 107 if len(certName) == 0 { 108 if len(e.hintCert.Subject.Organization) > 0 { 109 certName = e.hintCert.Subject.Organization[0] 110 } 111 certName = "serial:" + e.hintCert.SerialNumber.String() 112 } 113 s += fmt.Sprintf(" (possibly because of %q while trying to verify candidate authority certificate %q)", e.hintErr, certName) 114 } 115 return s 116 } 117 118 // SystemRootsError results when we fail to load the system root certificates. 119 type SystemRootsError struct { 120 } 121 122 func (e SystemRootsError) Error() string { 123 return "x509: failed to load system roots and no roots provided" 124 } 125 126 // VerifyOptions contains parameters for Certificate.Verify. It's a structure 127 // because other PKIX verification APIs have ended up needing many options. 128 type VerifyOptions struct { 129 DNSName string 130 Intermediates *CertPool 131 Roots *CertPool // if nil, the system roots are used 132 CurrentTime time.Time // if zero, the current time is used 133 DisableTimeChecks bool 134 // KeyUsage specifies which Extended Key Usage values are acceptable. 135 // An empty list means ExtKeyUsageServerAuth. Key usage is considered a 136 // constraint down the chain which mirrors Windows CryptoAPI behaviour, 137 // but not the spec. To accept any key usage, include ExtKeyUsageAny. 138 KeyUsages []ExtKeyUsage 139 } 140 141 const ( 142 leafCertificate = iota 143 intermediateCertificate 144 rootCertificate 145 ) 146 147 // isValid performs validity checks on the c. 148 func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *VerifyOptions) error { 149 if !opts.DisableTimeChecks { 150 now := opts.CurrentTime 151 if now.IsZero() { 152 now = time.Now() 153 } 154 if now.Before(c.NotBefore) || now.After(c.NotAfter) { 155 return CertificateInvalidError{c, Expired} 156 } 157 } 158 159 if len(c.PermittedDNSDomains) > 0 { 160 ok := false 161 for _, domain := range c.PermittedDNSDomains { 162 if opts.DNSName == domain || 163 (strings.HasSuffix(opts.DNSName, domain) && 164 len(opts.DNSName) >= 1+len(domain) && 165 opts.DNSName[len(opts.DNSName)-len(domain)-1] == '.') { 166 ok = true 167 break 168 } 169 } 170 171 if !ok { 172 return CertificateInvalidError{c, CANotAuthorizedForThisName} 173 } 174 } 175 176 // KeyUsage status flags are ignored. From Engineering Security, Peter 177 // Gutmann: A European government CA marked its signing certificates as 178 // being valid for encryption only, but no-one noticed. Another 179 // European CA marked its signature keys as not being valid for 180 // signatures. A different CA marked its own trusted root certificate 181 // as being invalid for certificate signing. Another national CA 182 // distributed a certificate to be used to encrypt data for the 183 // country’s tax authority that was marked as only being usable for 184 // digital signatures but not for encryption. Yet another CA reversed 185 // the order of the bit flags in the keyUsage due to confusion over 186 // encoding endianness, essentially setting a random keyUsage in 187 // certificates that it issued. Another CA created a self-invalidating 188 // certificate by adding a certificate policy statement stipulating 189 // that the certificate had to be used strictly as specified in the 190 // keyUsage, and a keyUsage containing a flag indicating that the RSA 191 // encryption key could only be used for Diffie-Hellman key agreement. 192 193 if certType == intermediateCertificate && (!c.BasicConstraintsValid || !c.IsCA) { 194 return CertificateInvalidError{c, NotAuthorizedToSign} 195 } 196 197 if c.BasicConstraintsValid && c.MaxPathLen >= 0 { 198 numIntermediates := len(currentChain) - 1 199 if numIntermediates > c.MaxPathLen { 200 return CertificateInvalidError{c, TooManyIntermediates} 201 } 202 } 203 204 return nil 205 } 206 207 // Verify attempts to verify c by building one or more chains from c to a 208 // certificate in opts.Roots, using certificates in opts.Intermediates if 209 // needed. If successful, it returns one or more chains where the first 210 // element of the chain is c and the last element is from opts.Roots. 211 // 212 // WARNING: this doesn't do any revocation checking. 213 func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err error) { 214 // Use Windows's own verification and chain building. 215 if opts.Roots == nil && runtime.GOOS == "windows" { 216 return c.systemVerify(&opts) 217 } 218 219 if opts.Roots == nil { 220 opts.Roots = systemRootsPool() 221 if opts.Roots == nil { 222 return nil, SystemRootsError{} 223 } 224 } 225 226 err = c.isValid(leafCertificate, nil, &opts) 227 if err != nil { 228 return 229 } 230 231 if len(opts.DNSName) > 0 { 232 err = c.VerifyHostname(opts.DNSName) 233 if err != nil { 234 return 235 } 236 } 237 238 candidateChains, err := c.buildChains(make(map[int][][]*Certificate), []*Certificate{c}, &opts) 239 if err != nil { 240 return 241 } 242 243 keyUsages := opts.KeyUsages 244 if len(keyUsages) == 0 { 245 keyUsages = []ExtKeyUsage{ExtKeyUsageServerAuth} 246 } 247 248 // If any key usage is acceptable then we're done. 249 for _, usage := range keyUsages { 250 if usage == ExtKeyUsageAny { 251 chains = candidateChains 252 return 253 } 254 } 255 256 for _, candidate := range candidateChains { 257 if checkChainForKeyUsage(candidate, keyUsages) { 258 chains = append(chains, candidate) 259 } 260 } 261 262 if len(chains) == 0 { 263 err = CertificateInvalidError{c, IncompatibleUsage} 264 } 265 266 return 267 } 268 269 func appendToFreshChain(chain []*Certificate, cert *Certificate) []*Certificate { 270 n := make([]*Certificate, len(chain)+1) 271 copy(n, chain) 272 n[len(chain)] = cert 273 return n 274 } 275 276 func (c *Certificate) buildChains(cache map[int][][]*Certificate, currentChain []*Certificate, opts *VerifyOptions) (chains [][]*Certificate, err error) { 277 possibleRoots, failedRoot, rootErr := opts.Roots.findVerifiedParents(c) 278 for _, rootNum := range possibleRoots { 279 root := opts.Roots.certs[rootNum] 280 err = root.isValid(rootCertificate, currentChain, opts) 281 if err != nil { 282 continue 283 } 284 chains = append(chains, appendToFreshChain(currentChain, root)) 285 } 286 287 possibleIntermediates, failedIntermediate, intermediateErr := opts.Intermediates.findVerifiedParents(c) 288 nextIntermediate: 289 for _, intermediateNum := range possibleIntermediates { 290 intermediate := opts.Intermediates.certs[intermediateNum] 291 for _, cert := range currentChain { 292 if cert == intermediate { 293 continue nextIntermediate 294 } 295 } 296 err = intermediate.isValid(intermediateCertificate, currentChain, opts) 297 if err != nil { 298 continue 299 } 300 var childChains [][]*Certificate 301 childChains, ok := cache[intermediateNum] 302 if !ok { 303 childChains, err = intermediate.buildChains(cache, appendToFreshChain(currentChain, intermediate), opts) 304 cache[intermediateNum] = childChains 305 } 306 chains = append(chains, childChains...) 307 } 308 309 if len(chains) > 0 { 310 err = nil 311 } 312 313 if len(chains) == 0 && err == nil { 314 hintErr := rootErr 315 hintCert := failedRoot 316 if hintErr == nil { 317 hintErr = intermediateErr 318 hintCert = failedIntermediate 319 } 320 err = UnknownAuthorityError{c, hintErr, hintCert} 321 } 322 323 return 324 } 325 326 func matchHostnames(pattern, host string) bool { 327 if len(pattern) == 0 || len(host) == 0 { 328 return false 329 } 330 331 patternParts := strings.Split(pattern, ".") 332 hostParts := strings.Split(host, ".") 333 334 if len(patternParts) != len(hostParts) { 335 return false 336 } 337 338 for i, patternPart := range patternParts { 339 if patternPart == "*" { 340 continue 341 } 342 if patternPart != hostParts[i] { 343 return false 344 } 345 } 346 347 return true 348 } 349 350 // toLowerCaseASCII returns a lower-case version of in. See RFC 6125 6.4.1. We use 351 // an explicitly ASCII function to avoid any sharp corners resulting from 352 // performing Unicode operations on DNS labels. 353 func toLowerCaseASCII(in string) string { 354 // If the string is already lower-case then there's nothing to do. 355 isAlreadyLowerCase := true 356 for _, c := range in { 357 if c == utf8.RuneError { 358 // If we get a UTF-8 error then there might be 359 // upper-case ASCII bytes in the invalid sequence. 360 isAlreadyLowerCase = false 361 break 362 } 363 if 'A' <= c && c <= 'Z' { 364 isAlreadyLowerCase = false 365 break 366 } 367 } 368 369 if isAlreadyLowerCase { 370 return in 371 } 372 373 out := []byte(in) 374 for i, c := range out { 375 if 'A' <= c && c <= 'Z' { 376 out[i] += 'a' - 'A' 377 } 378 } 379 return string(out) 380 } 381 382 // VerifyHostname returns nil if c is a valid certificate for the named host. 383 // Otherwise it returns an error describing the mismatch. 384 func (c *Certificate) VerifyHostname(h string) error { 385 // IP addresses may be written in [ ]. 386 candidateIP := h 387 if len(h) >= 3 && h[0] == '[' && h[len(h)-1] == ']' { 388 candidateIP = h[1 : len(h)-1] 389 } 390 if ip := net.ParseIP(candidateIP); ip != nil { 391 // We only match IP addresses against IP SANs. 392 // https://tools.ietf.org/html/rfc6125#appendix-B.2 393 for _, candidate := range c.IPAddresses { 394 if ip.Equal(candidate) { 395 return nil 396 } 397 } 398 return HostnameError{c, candidateIP} 399 } 400 401 lowered := toLowerCaseASCII(h) 402 403 if len(c.DNSNames) > 0 { 404 for _, match := range c.DNSNames { 405 if matchHostnames(toLowerCaseASCII(match), lowered) { 406 return nil 407 } 408 } 409 // If Subject Alt Name is given, we ignore the common name. 410 } else if matchHostnames(toLowerCaseASCII(c.Subject.CommonName), lowered) { 411 return nil 412 } 413 414 return HostnameError{c, h} 415 } 416 417 func checkChainForKeyUsage(chain []*Certificate, keyUsages []ExtKeyUsage) bool { 418 usages := make([]ExtKeyUsage, len(keyUsages)) 419 copy(usages, keyUsages) 420 421 if len(chain) == 0 { 422 return false 423 } 424 425 usagesRemaining := len(usages) 426 427 // We walk down the list and cross out any usages that aren't supported 428 // by each certificate. If we cross out all the usages, then the chain 429 // is unacceptable. 430 431 for i := len(chain) - 1; i >= 0; i-- { 432 cert := chain[i] 433 if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 { 434 // The certificate doesn't have any extended key usage specified. 435 continue 436 } 437 438 for _, usage := range cert.ExtKeyUsage { 439 if usage == ExtKeyUsageAny { 440 // The certificate is explicitly good for any usage. 441 continue 442 } 443 } 444 445 const invalidUsage ExtKeyUsage = -1 446 447 NextRequestedUsage: 448 for i, requestedUsage := range usages { 449 if requestedUsage == invalidUsage { 450 continue 451 } 452 453 for _, usage := range cert.ExtKeyUsage { 454 if requestedUsage == usage { 455 continue NextRequestedUsage 456 } else if requestedUsage == ExtKeyUsageServerAuth && 457 (usage == ExtKeyUsageNetscapeServerGatedCrypto || 458 usage == ExtKeyUsageMicrosoftServerGatedCrypto) { 459 // In order to support COMODO 460 // certificate chains, we have to 461 // accept Netscape or Microsoft SGC 462 // usages as equal to ServerAuth. 463 continue NextRequestedUsage 464 } 465 } 466 467 usages[i] = invalidUsage 468 usagesRemaining-- 469 if usagesRemaining == 0 { 470 return false 471 } 472 } 473 } 474 475 return true 476 }