github.com/zmap/zcrypto@v0.0.0-20240512203510-0fef58d9a9db/ct/x509/verify.go (about)

     1  // Copyright 2011 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package x509
     6  
     7  import (
     8  	"fmt"
     9  	"net"
    10  	"runtime"
    11  	"strings"
    12  	"time"
    13  	"unicode/utf8"
    14  )
    15  
    16  type InvalidReason int
    17  
    18  const (
    19  	// NotAuthorizedToSign results when a certificate is signed by another
    20  	// which isn't marked as a CA certificate.
    21  	NotAuthorizedToSign InvalidReason = iota
    22  	// Expired results when a certificate has expired, based on the time
    23  	// given in the VerifyOptions.
    24  	Expired
    25  	// CANotAuthorizedForThisName results when an intermediate or root
    26  	// certificate has a name constraint which doesn't include the name
    27  	// being checked.
    28  	CANotAuthorizedForThisName
    29  	// TooManyIntermediates results when a path length constraint is
    30  	// violated.
    31  	TooManyIntermediates
    32  	// IncompatibleUsage results when the certificate's key usage indicates
    33  	// that it may only be used for a different purpose.
    34  	IncompatibleUsage
    35  )
    36  
    37  // CertificateInvalidError results when an odd error occurs. Users of this
    38  // library probably want to handle all these errors uniformly.
    39  type CertificateInvalidError struct {
    40  	Cert   *Certificate
    41  	Reason InvalidReason
    42  }
    43  
    44  func (e CertificateInvalidError) Error() string {
    45  	switch e.Reason {
    46  	case NotAuthorizedToSign:
    47  		return "x509: certificate is not authorized to sign other certificates"
    48  	case Expired:
    49  		return "x509: certificate has expired or is not yet valid"
    50  	case CANotAuthorizedForThisName:
    51  		return "x509: a root or intermediate certificate is not authorized to sign in this domain"
    52  	case TooManyIntermediates:
    53  		return "x509: too many intermediates for path length constraint"
    54  	case IncompatibleUsage:
    55  		return "x509: certificate specifies an incompatible key usage"
    56  	}
    57  	return "x509: unknown error"
    58  }
    59  
    60  // HostnameError results when the set of authorized names doesn't match the
    61  // requested name.
    62  type HostnameError struct {
    63  	Certificate *Certificate
    64  	Host        string
    65  }
    66  
    67  func (h HostnameError) Error() string {
    68  	c := h.Certificate
    69  
    70  	var valid string
    71  	if ip := net.ParseIP(h.Host); ip != nil {
    72  		// Trying to validate an IP
    73  		if len(c.IPAddresses) == 0 {
    74  			return "x509: cannot validate certificate for " + h.Host + " because it doesn't contain any IP SANs"
    75  		}
    76  		for _, san := range c.IPAddresses {
    77  			if len(valid) > 0 {
    78  				valid += ", "
    79  			}
    80  			valid += san.String()
    81  		}
    82  	} else {
    83  		if len(c.DNSNames) > 0 {
    84  			valid = strings.Join(c.DNSNames, ", ")
    85  		} else {
    86  			valid = c.Subject.CommonName
    87  		}
    88  	}
    89  	return "x509: certificate is valid for " + valid + ", not " + h.Host
    90  }
    91  
    92  // UnknownAuthorityError results when the certificate issuer is unknown
    93  type UnknownAuthorityError struct {
    94  	cert *Certificate
    95  	// hintErr contains an error that may be helpful in determining why an
    96  	// authority wasn't found.
    97  	hintErr error
    98  	// hintCert contains a possible authority certificate that was rejected
    99  	// because of the error in hintErr.
   100  	hintCert *Certificate
   101  }
   102  
   103  func (e UnknownAuthorityError) Error() string {
   104  	s := "x509: certificate signed by unknown authority"
   105  	if e.hintErr != nil {
   106  		certName := e.hintCert.Subject.CommonName
   107  		if len(certName) == 0 {
   108  			if len(e.hintCert.Subject.Organization) > 0 {
   109  				certName = e.hintCert.Subject.Organization[0]
   110  			}
   111  			certName = "serial:" + e.hintCert.SerialNumber.String()
   112  		}
   113  		s += fmt.Sprintf(" (possibly because of %q while trying to verify candidate authority certificate %q)", e.hintErr, certName)
   114  	}
   115  	return s
   116  }
   117  
   118  // SystemRootsError results when we fail to load the system root certificates.
   119  type SystemRootsError struct {
   120  }
   121  
   122  func (e SystemRootsError) Error() string {
   123  	return "x509: failed to load system roots and no roots provided"
   124  }
   125  
   126  // VerifyOptions contains parameters for Certificate.Verify. It's a structure
   127  // because other PKIX verification APIs have ended up needing many options.
   128  type VerifyOptions struct {
   129  	DNSName           string
   130  	Intermediates     *CertPool
   131  	Roots             *CertPool // if nil, the system roots are used
   132  	CurrentTime       time.Time // if zero, the current time is used
   133  	DisableTimeChecks bool
   134  	// KeyUsage specifies which Extended Key Usage values are acceptable.
   135  	// An empty list means ExtKeyUsageServerAuth. Key usage is considered a
   136  	// constraint down the chain which mirrors Windows CryptoAPI behaviour,
   137  	// but not the spec. To accept any key usage, include ExtKeyUsageAny.
   138  	KeyUsages []ExtKeyUsage
   139  }
   140  
   141  const (
   142  	leafCertificate = iota
   143  	intermediateCertificate
   144  	rootCertificate
   145  )
   146  
   147  // isValid performs validity checks on the c.
   148  func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *VerifyOptions) error {
   149  	if !opts.DisableTimeChecks {
   150  		now := opts.CurrentTime
   151  		if now.IsZero() {
   152  			now = time.Now()
   153  		}
   154  		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
   155  			return CertificateInvalidError{c, Expired}
   156  		}
   157  	}
   158  
   159  	if len(c.PermittedDNSDomains) > 0 {
   160  		ok := false
   161  		for _, domain := range c.PermittedDNSDomains {
   162  			if opts.DNSName == domain ||
   163  				(strings.HasSuffix(opts.DNSName, domain) &&
   164  					len(opts.DNSName) >= 1+len(domain) &&
   165  					opts.DNSName[len(opts.DNSName)-len(domain)-1] == '.') {
   166  				ok = true
   167  				break
   168  			}
   169  		}
   170  
   171  		if !ok {
   172  			return CertificateInvalidError{c, CANotAuthorizedForThisName}
   173  		}
   174  	}
   175  
   176  	// KeyUsage status flags are ignored. From Engineering Security, Peter
   177  	// Gutmann: A European government CA marked its signing certificates as
   178  	// being valid for encryption only, but no-one noticed. Another
   179  	// European CA marked its signature keys as not being valid for
   180  	// signatures. A different CA marked its own trusted root certificate
   181  	// as being invalid for certificate signing.  Another national CA
   182  	// distributed a certificate to be used to encrypt data for the
   183  	// country’s tax authority that was marked as only being usable for
   184  	// digital signatures but not for encryption. Yet another CA reversed
   185  	// the order of the bit flags in the keyUsage due to confusion over
   186  	// encoding endianness, essentially setting a random keyUsage in
   187  	// certificates that it issued. Another CA created a self-invalidating
   188  	// certificate by adding a certificate policy statement stipulating
   189  	// that the certificate had to be used strictly as specified in the
   190  	// keyUsage, and a keyUsage containing a flag indicating that the RSA
   191  	// encryption key could only be used for Diffie-Hellman key agreement.
   192  
   193  	if certType == intermediateCertificate && (!c.BasicConstraintsValid || !c.IsCA) {
   194  		return CertificateInvalidError{c, NotAuthorizedToSign}
   195  	}
   196  
   197  	if c.BasicConstraintsValid && c.MaxPathLen >= 0 {
   198  		numIntermediates := len(currentChain) - 1
   199  		if numIntermediates > c.MaxPathLen {
   200  			return CertificateInvalidError{c, TooManyIntermediates}
   201  		}
   202  	}
   203  
   204  	return nil
   205  }
   206  
   207  // Verify attempts to verify c by building one or more chains from c to a
   208  // certificate in opts.Roots, using certificates in opts.Intermediates if
   209  // needed. If successful, it returns one or more chains where the first
   210  // element of the chain is c and the last element is from opts.Roots.
   211  //
   212  // WARNING: this doesn't do any revocation checking.
   213  func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err error) {
   214  	// Use Windows's own verification and chain building.
   215  	if opts.Roots == nil && runtime.GOOS == "windows" {
   216  		return c.systemVerify(&opts)
   217  	}
   218  
   219  	if opts.Roots == nil {
   220  		opts.Roots = systemRootsPool()
   221  		if opts.Roots == nil {
   222  			return nil, SystemRootsError{}
   223  		}
   224  	}
   225  
   226  	err = c.isValid(leafCertificate, nil, &opts)
   227  	if err != nil {
   228  		return
   229  	}
   230  
   231  	if len(opts.DNSName) > 0 {
   232  		err = c.VerifyHostname(opts.DNSName)
   233  		if err != nil {
   234  			return
   235  		}
   236  	}
   237  
   238  	candidateChains, err := c.buildChains(make(map[int][][]*Certificate), []*Certificate{c}, &opts)
   239  	if err != nil {
   240  		return
   241  	}
   242  
   243  	keyUsages := opts.KeyUsages
   244  	if len(keyUsages) == 0 {
   245  		keyUsages = []ExtKeyUsage{ExtKeyUsageServerAuth}
   246  	}
   247  
   248  	// If any key usage is acceptable then we're done.
   249  	for _, usage := range keyUsages {
   250  		if usage == ExtKeyUsageAny {
   251  			chains = candidateChains
   252  			return
   253  		}
   254  	}
   255  
   256  	for _, candidate := range candidateChains {
   257  		if checkChainForKeyUsage(candidate, keyUsages) {
   258  			chains = append(chains, candidate)
   259  		}
   260  	}
   261  
   262  	if len(chains) == 0 {
   263  		err = CertificateInvalidError{c, IncompatibleUsage}
   264  	}
   265  
   266  	return
   267  }
   268  
   269  func appendToFreshChain(chain []*Certificate, cert *Certificate) []*Certificate {
   270  	n := make([]*Certificate, len(chain)+1)
   271  	copy(n, chain)
   272  	n[len(chain)] = cert
   273  	return n
   274  }
   275  
   276  func (c *Certificate) buildChains(cache map[int][][]*Certificate, currentChain []*Certificate, opts *VerifyOptions) (chains [][]*Certificate, err error) {
   277  	possibleRoots, failedRoot, rootErr := opts.Roots.findVerifiedParents(c)
   278  	for _, rootNum := range possibleRoots {
   279  		root := opts.Roots.certs[rootNum]
   280  		err = root.isValid(rootCertificate, currentChain, opts)
   281  		if err != nil {
   282  			continue
   283  		}
   284  		chains = append(chains, appendToFreshChain(currentChain, root))
   285  	}
   286  
   287  	possibleIntermediates, failedIntermediate, intermediateErr := opts.Intermediates.findVerifiedParents(c)
   288  nextIntermediate:
   289  	for _, intermediateNum := range possibleIntermediates {
   290  		intermediate := opts.Intermediates.certs[intermediateNum]
   291  		for _, cert := range currentChain {
   292  			if cert == intermediate {
   293  				continue nextIntermediate
   294  			}
   295  		}
   296  		err = intermediate.isValid(intermediateCertificate, currentChain, opts)
   297  		if err != nil {
   298  			continue
   299  		}
   300  		var childChains [][]*Certificate
   301  		childChains, ok := cache[intermediateNum]
   302  		if !ok {
   303  			childChains, err = intermediate.buildChains(cache, appendToFreshChain(currentChain, intermediate), opts)
   304  			cache[intermediateNum] = childChains
   305  		}
   306  		chains = append(chains, childChains...)
   307  	}
   308  
   309  	if len(chains) > 0 {
   310  		err = nil
   311  	}
   312  
   313  	if len(chains) == 0 && err == nil {
   314  		hintErr := rootErr
   315  		hintCert := failedRoot
   316  		if hintErr == nil {
   317  			hintErr = intermediateErr
   318  			hintCert = failedIntermediate
   319  		}
   320  		err = UnknownAuthorityError{c, hintErr, hintCert}
   321  	}
   322  
   323  	return
   324  }
   325  
   326  func matchHostnames(pattern, host string) bool {
   327  	if len(pattern) == 0 || len(host) == 0 {
   328  		return false
   329  	}
   330  
   331  	patternParts := strings.Split(pattern, ".")
   332  	hostParts := strings.Split(host, ".")
   333  
   334  	if len(patternParts) != len(hostParts) {
   335  		return false
   336  	}
   337  
   338  	for i, patternPart := range patternParts {
   339  		if patternPart == "*" {
   340  			continue
   341  		}
   342  		if patternPart != hostParts[i] {
   343  			return false
   344  		}
   345  	}
   346  
   347  	return true
   348  }
   349  
   350  // toLowerCaseASCII returns a lower-case version of in. See RFC 6125 6.4.1. We use
   351  // an explicitly ASCII function to avoid any sharp corners resulting from
   352  // performing Unicode operations on DNS labels.
   353  func toLowerCaseASCII(in string) string {
   354  	// If the string is already lower-case then there's nothing to do.
   355  	isAlreadyLowerCase := true
   356  	for _, c := range in {
   357  		if c == utf8.RuneError {
   358  			// If we get a UTF-8 error then there might be
   359  			// upper-case ASCII bytes in the invalid sequence.
   360  			isAlreadyLowerCase = false
   361  			break
   362  		}
   363  		if 'A' <= c && c <= 'Z' {
   364  			isAlreadyLowerCase = false
   365  			break
   366  		}
   367  	}
   368  
   369  	if isAlreadyLowerCase {
   370  		return in
   371  	}
   372  
   373  	out := []byte(in)
   374  	for i, c := range out {
   375  		if 'A' <= c && c <= 'Z' {
   376  			out[i] += 'a' - 'A'
   377  		}
   378  	}
   379  	return string(out)
   380  }
   381  
   382  // VerifyHostname returns nil if c is a valid certificate for the named host.
   383  // Otherwise it returns an error describing the mismatch.
   384  func (c *Certificate) VerifyHostname(h string) error {
   385  	// IP addresses may be written in [ ].
   386  	candidateIP := h
   387  	if len(h) >= 3 && h[0] == '[' && h[len(h)-1] == ']' {
   388  		candidateIP = h[1 : len(h)-1]
   389  	}
   390  	if ip := net.ParseIP(candidateIP); ip != nil {
   391  		// We only match IP addresses against IP SANs.
   392  		// https://tools.ietf.org/html/rfc6125#appendix-B.2
   393  		for _, candidate := range c.IPAddresses {
   394  			if ip.Equal(candidate) {
   395  				return nil
   396  			}
   397  		}
   398  		return HostnameError{c, candidateIP}
   399  	}
   400  
   401  	lowered := toLowerCaseASCII(h)
   402  
   403  	if len(c.DNSNames) > 0 {
   404  		for _, match := range c.DNSNames {
   405  			if matchHostnames(toLowerCaseASCII(match), lowered) {
   406  				return nil
   407  			}
   408  		}
   409  		// If Subject Alt Name is given, we ignore the common name.
   410  	} else if matchHostnames(toLowerCaseASCII(c.Subject.CommonName), lowered) {
   411  		return nil
   412  	}
   413  
   414  	return HostnameError{c, h}
   415  }
   416  
   417  func checkChainForKeyUsage(chain []*Certificate, keyUsages []ExtKeyUsage) bool {
   418  	usages := make([]ExtKeyUsage, len(keyUsages))
   419  	copy(usages, keyUsages)
   420  
   421  	if len(chain) == 0 {
   422  		return false
   423  	}
   424  
   425  	usagesRemaining := len(usages)
   426  
   427  	// We walk down the list and cross out any usages that aren't supported
   428  	// by each certificate. If we cross out all the usages, then the chain
   429  	// is unacceptable.
   430  
   431  	for i := len(chain) - 1; i >= 0; i-- {
   432  		cert := chain[i]
   433  		if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
   434  			// The certificate doesn't have any extended key usage specified.
   435  			continue
   436  		}
   437  
   438  		for _, usage := range cert.ExtKeyUsage {
   439  			if usage == ExtKeyUsageAny {
   440  				// The certificate is explicitly good for any usage.
   441  				continue
   442  			}
   443  		}
   444  
   445  		const invalidUsage ExtKeyUsage = -1
   446  
   447  	NextRequestedUsage:
   448  		for i, requestedUsage := range usages {
   449  			if requestedUsage == invalidUsage {
   450  				continue
   451  			}
   452  
   453  			for _, usage := range cert.ExtKeyUsage {
   454  				if requestedUsage == usage {
   455  					continue NextRequestedUsage
   456  				} else if requestedUsage == ExtKeyUsageServerAuth &&
   457  					(usage == ExtKeyUsageNetscapeServerGatedCrypto ||
   458  						usage == ExtKeyUsageMicrosoftServerGatedCrypto) {
   459  					// In order to support COMODO
   460  					// certificate chains, we have to
   461  					// accept Netscape or Microsoft SGC
   462  					// usages as equal to ServerAuth.
   463  					continue NextRequestedUsage
   464  				}
   465  			}
   466  
   467  			usages[i] = invalidUsage
   468  			usagesRemaining--
   469  			if usagesRemaining == 0 {
   470  				return false
   471  			}
   472  		}
   473  	}
   474  
   475  	return true
   476  }