Source file
src/crypto/x509/name_constraints_test.go
1
2
3
4
5 package x509
6
7 import (
8 "bytes"
9 "crypto/ecdsa"
10 "crypto/elliptic"
11 "crypto/rand"
12 "crypto/x509/pkix"
13 "encoding/asn1"
14 "encoding/hex"
15 "encoding/pem"
16 "fmt"
17 "internal/testenv"
18 "math/big"
19 "net"
20 "net/url"
21 "os"
22 "os/exec"
23 "strconv"
24 "strings"
25 "sync"
26 "testing"
27 "time"
28 )
29
30 const (
31
32
33
34 testNameConstraintsAgainstOpenSSL = false
35
36
37
38
39 debugOpenSSLFailure = false
40 )
41
42 type nameConstraintsTest struct {
43 name string
44 roots []constraintsSpec
45 intermediates [][]constraintsSpec
46 leaf leafSpec
47 requestedEKUs []ExtKeyUsage
48 expectedError string
49 noOpenSSL bool
50 ignoreCN bool
51 }
52
53 type constraintsSpec struct {
54 ok []string
55 bad []string
56 ekus []string
57 }
58
59 type leafSpec struct {
60 sans []string
61 ekus []string
62 cn string
63 }
64
65 var nameConstraintsTests = []nameConstraintsTest{
66 {
67 name: "certificate generation process",
68 roots: make([]constraintsSpec, 1),
69 leaf: leafSpec{
70 sans: []string{"dns:example.com"},
71 },
72 },
73 {
74 name: "single level of intermediate",
75 roots: make([]constraintsSpec, 1),
76 intermediates: [][]constraintsSpec{
77 {
78 {},
79 },
80 },
81 leaf: leafSpec{
82 sans: []string{"dns:example.com"},
83 },
84 },
85 {
86 name: "two levels of intermediates",
87 roots: make([]constraintsSpec, 1),
88 intermediates: [][]constraintsSpec{
89 {
90 {},
91 },
92 {
93 {},
94 },
95 },
96 leaf: leafSpec{
97 sans: []string{"dns:example.com"},
98 },
99 },
100 {
101 name: "matching DNS constraint in root",
102 roots: []constraintsSpec{
103 {
104 ok: []string{"dns:example.com"},
105 },
106 },
107 intermediates: [][]constraintsSpec{
108 {
109 {},
110 },
111 },
112 leaf: leafSpec{
113 sans: []string{"dns:example.com"},
114 },
115 },
116 {
117 name: "matching DNS constraint in intermediate",
118 roots: make([]constraintsSpec, 1),
119 intermediates: [][]constraintsSpec{
120 {
121 {
122 ok: []string{"dns:example.com"},
123 },
124 },
125 },
126 leaf: leafSpec{
127 sans: []string{"dns:example.com"},
128 },
129 },
130 {
131 name: "leading period only matches subdomains",
132 roots: []constraintsSpec{
133 {
134 ok: []string{"dns:.example.com"},
135 },
136 },
137 intermediates: [][]constraintsSpec{
138 {
139 {},
140 },
141 },
142 leaf: leafSpec{
143 sans: []string{"dns:example.com"},
144 },
145 expectedError: "\"example.com\" is not permitted",
146 },
147 {
148 name: "leading period matches subdomains",
149 roots: make([]constraintsSpec, 1),
150 intermediates: [][]constraintsSpec{
151 {
152 {
153 ok: []string{"dns:.example.com"},
154 },
155 },
156 },
157 leaf: leafSpec{
158 sans: []string{"dns:foo.example.com"},
159 },
160 },
161 {
162 name: "leading period matches multiple levels of subdomains",
163 roots: []constraintsSpec{
164 {
165 ok: []string{"dns:.example.com"},
166 },
167 },
168 intermediates: [][]constraintsSpec{
169 {
170 {},
171 },
172 },
173 leaf: leafSpec{
174 sans: []string{"dns:foo.bar.example.com"},
175 },
176 },
177 {
178 name: "specifying a permitted list of names does not exclude other name types",
179 roots: []constraintsSpec{
180 {
181 ok: []string{"dns:.example.com"},
182 },
183 },
184 intermediates: [][]constraintsSpec{
185 {
186 {},
187 },
188 },
189 leaf: leafSpec{
190 sans: []string{"ip:10.1.1.1"},
191 },
192 },
193 {
194 name: "specifying a permitted list of names does not exclude other name types",
195 roots: []constraintsSpec{
196 {
197 ok: []string{"ip:10.0.0.0/8"},
198 },
199 },
200 intermediates: [][]constraintsSpec{
201 {
202 {},
203 },
204 },
205 leaf: leafSpec{
206 sans: []string{"dns:example.com"},
207 },
208 },
209 {
210 name: "intermediates can try to permit other names, which isn't forbidden if the leaf doesn't mention them",
211 roots: []constraintsSpec{
212 {
213 ok: []string{"dns:example.com"},
214 },
215 },
216 intermediates: [][]constraintsSpec{
217 {
218 {
219 ok: []string{"dns:example.com", "dns:foo.com"},
220 },
221 },
222 },
223 leaf: leafSpec{
224 sans: []string{"dns:example.com"},
225 },
226 },
227 {
228 name: "intermediates cannot add permitted names that the root doesn't grant them",
229 roots: []constraintsSpec{
230 {
231 ok: []string{"dns:example.com"},
232 },
233 },
234 intermediates: [][]constraintsSpec{
235 {
236 {
237 ok: []string{"dns:foo.example.com", "dns:foo.com"},
238 },
239 },
240 },
241 leaf: leafSpec{
242 sans: []string{"dns:foo.com"},
243 },
244 expectedError: "\"foo.com\" is not permitted",
245 },
246 {
247 name: "intermediates can further limit their scope if they wish",
248 roots: []constraintsSpec{
249 {
250 ok: []string{"dns:.example.com"},
251 },
252 },
253 intermediates: [][]constraintsSpec{
254 {
255 {
256 ok: []string{"dns:.bar.example.com"},
257 },
258 },
259 },
260 leaf: leafSpec{
261 sans: []string{"dns:foo.bar.example.com"},
262 },
263 },
264 {
265 name: "intermediates can further limit their scope and that limitation is effective",
266 roots: []constraintsSpec{
267 {
268 ok: []string{"dns:.example.com"},
269 },
270 },
271 intermediates: [][]constraintsSpec{
272 {
273 {
274 ok: []string{"dns:.bar.example.com"},
275 },
276 },
277 },
278 leaf: leafSpec{
279 sans: []string{"dns:foo.notbar.example.com"},
280 },
281 expectedError: "\"foo.notbar.example.com\" is not permitted",
282 },
283 {
284 name: "roots can exclude subtrees and that doesn't affect other names",
285 roots: []constraintsSpec{
286 {
287 bad: []string{"dns:.example.com"},
288 },
289 },
290 intermediates: [][]constraintsSpec{
291 {
292 {},
293 },
294 },
295 leaf: leafSpec{
296 sans: []string{"dns:foo.com"},
297 },
298 },
299 {
300 name: "roots exclusions are effective",
301 roots: []constraintsSpec{
302 {
303 bad: []string{"dns:.example.com"},
304 },
305 },
306 intermediates: [][]constraintsSpec{
307 {
308 {},
309 },
310 },
311 leaf: leafSpec{
312 sans: []string{"dns:foo.example.com"},
313 },
314 expectedError: "\"foo.example.com\" is excluded",
315 },
316 {
317 name: "intermediates can also exclude names and that doesn't affect other names",
318 roots: make([]constraintsSpec, 1),
319 intermediates: [][]constraintsSpec{
320 {
321 {
322 bad: []string{"dns:.example.com"},
323 },
324 },
325 },
326 leaf: leafSpec{
327 sans: []string{"dns:foo.com"},
328 },
329 },
330 {
331 name: "intermediate exclusions are effective",
332 roots: make([]constraintsSpec, 1),
333 intermediates: [][]constraintsSpec{
334 {
335 {
336 bad: []string{"dns:.example.com"},
337 },
338 },
339 },
340 leaf: leafSpec{
341 sans: []string{"dns:foo.example.com"},
342 },
343 expectedError: "\"foo.example.com\" is excluded",
344 },
345 {
346 name: "having an exclusion doesn't prohibit other types of names",
347 roots: []constraintsSpec{
348 {
349 bad: []string{"dns:.example.com"},
350 },
351 },
352 intermediates: [][]constraintsSpec{
353 {
354 {},
355 },
356 },
357 leaf: leafSpec{
358 sans: []string{"dns:foo.com", "ip:10.1.1.1"},
359 },
360 },
361 {
362 name: "IP-based exclusions are permitted and don't affect unrelated IP addresses",
363 roots: []constraintsSpec{
364 {
365 bad: []string{"ip:10.0.0.0/8"},
366 },
367 },
368 intermediates: [][]constraintsSpec{
369 {
370 {},
371 },
372 },
373 leaf: leafSpec{
374 sans: []string{"ip:192.168.1.1"},
375 },
376 },
377 {
378 name: "IP-based exclusions are effective",
379 roots: []constraintsSpec{
380 {
381 bad: []string{"ip:10.0.0.0/8"},
382 },
383 },
384 intermediates: [][]constraintsSpec{
385 {
386 {},
387 },
388 },
389 leaf: leafSpec{
390 sans: []string{"ip:10.0.0.1"},
391 },
392 expectedError: "\"10.0.0.1\" is excluded",
393 },
394 {
395 name: "intermediates can further constrain IP ranges",
396 roots: []constraintsSpec{
397 {
398 bad: []string{"ip:0.0.0.0/1"},
399 },
400 },
401 intermediates: [][]constraintsSpec{
402 {
403 {
404 bad: []string{"ip:11.0.0.0/8"},
405 },
406 },
407 },
408 leaf: leafSpec{
409 sans: []string{"ip:11.0.0.1"},
410 },
411 expectedError: "\"11.0.0.1\" is excluded",
412 },
413 {
414 name: "multiple intermediates with incompatible constraints",
415 roots: make([]constraintsSpec, 1),
416 intermediates: [][]constraintsSpec{
417 {
418 {
419 ok: []string{"dns:.foo.com"},
420 },
421 {
422 ok: []string{"dns:.example.com"},
423 },
424 },
425 },
426 leaf: leafSpec{
427 sans: []string{"dns:foo.example.com"},
428 },
429 noOpenSSL: true,
430 },
431 {
432 name: "multiple intermediates with incompatible constraints swapped",
433 roots: make([]constraintsSpec, 1),
434 intermediates: [][]constraintsSpec{
435 {
436 {
437 ok: []string{"dns:.example.com"},
438 },
439 {
440 ok: []string{"dns:.foo.com"},
441 },
442 },
443 },
444 leaf: leafSpec{
445 sans: []string{"dns:foo.example.com"},
446 },
447 noOpenSSL: true,
448 },
449 {
450 name: "multiple roots with incompatible constraints",
451 roots: []constraintsSpec{
452 {},
453 {
454 ok: []string{"dns:foo.com"},
455 },
456 },
457 intermediates: [][]constraintsSpec{
458 {
459 {},
460 },
461 },
462 leaf: leafSpec{
463 sans: []string{"dns:example.com"},
464 },
465 noOpenSSL: true,
466 },
467 {
468 name: "multiple roots with incompatible constraints swapped",
469 roots: []constraintsSpec{
470 {
471 ok: []string{"dns:foo.com"},
472 },
473 {},
474 },
475 intermediates: [][]constraintsSpec{
476 {
477 {},
478 },
479 },
480 leaf: leafSpec{
481 sans: []string{"dns:example.com"},
482 },
483 noOpenSSL: true,
484 },
485 {
486 name: "chain building with multiple intermediates and roots",
487 roots: []constraintsSpec{
488 {
489 ok: []string{"dns:foo.com"},
490 },
491 {
492 ok: []string{"dns:example.com"},
493 },
494 {},
495 },
496 intermediates: [][]constraintsSpec{
497 {
498 {},
499 {
500 ok: []string{"dns:foo.com"},
501 },
502 },
503 {
504 {},
505 {
506 ok: []string{"dns:foo.com"},
507 },
508 },
509 },
510 leaf: leafSpec{
511 sans: []string{"dns:bar.com"},
512 },
513 noOpenSSL: true,
514 },
515 {
516 name: "chain building fails with no valid path",
517 roots: []constraintsSpec{
518 {
519 ok: []string{"dns:foo.com"},
520 },
521 {
522 ok: []string{"dns:example.com"},
523 },
524 },
525 intermediates: [][]constraintsSpec{
526 {
527 {},
528 {
529 ok: []string{"dns:foo.com"},
530 },
531 },
532 {
533 {
534 ok: []string{"dns:bar.com"},
535 },
536 {
537 ok: []string{"dns:foo.com"},
538 },
539 },
540 },
541 leaf: leafSpec{
542 sans: []string{"dns:bar.com"},
543 },
544 expectedError: "\"bar.com\" is not permitted",
545 },
546 {
547 name: "unknown name types are unconstrained",
548 roots: make([]constraintsSpec, 1),
549 intermediates: [][]constraintsSpec{
550 {
551 {},
552 },
553 },
554 leaf: leafSpec{
555 sans: []string{"unknown:"},
556 },
557 },
558 {
559 name: "unknown name types allowed in constrained chain",
560 roots: []constraintsSpec{
561 {
562 ok: []string{"dns:foo.com", "dns:.foo.com"},
563 },
564 },
565 intermediates: [][]constraintsSpec{
566 {
567 {},
568 },
569 },
570 leaf: leafSpec{
571 sans: []string{"unknown:"},
572 },
573 },
574 {
575 name: "CN is ignored in constrained chain",
576 roots: []constraintsSpec{
577 {
578 ok: []string{"dns:foo.com", "dns:.foo.com"},
579 },
580 },
581 intermediates: [][]constraintsSpec{
582 {
583 {},
584 },
585 },
586 leaf: leafSpec{
587 sans: []string{},
588 cn: "foo.com",
589 },
590 },
591 {
592 name: "IPv6 permitted constraint",
593 roots: []constraintsSpec{
594 {
595 ok: []string{"ip:2000:abcd::/32"},
596 },
597 },
598 intermediates: [][]constraintsSpec{
599 {
600 {},
601 },
602 },
603 leaf: leafSpec{
604 sans: []string{"ip:2000:abcd:1234::"},
605 },
606 },
607 {
608 name: "IPv6 permitted constraint is effective",
609 roots: []constraintsSpec{
610 {
611 ok: []string{"ip:2000:abcd::/32"},
612 },
613 },
614 intermediates: [][]constraintsSpec{
615 {
616 {},
617 },
618 },
619 leaf: leafSpec{
620 sans: []string{"ip:2000:1234:abcd::"},
621 },
622 expectedError: "\"2000:1234:abcd::\" is not permitted",
623 },
624 {
625 name: "IPv6 permitted constraint does not affect DNS",
626 roots: []constraintsSpec{
627 {
628 ok: []string{"ip:2000:abcd::/32"},
629 },
630 },
631 intermediates: [][]constraintsSpec{
632 {
633 {},
634 },
635 },
636 leaf: leafSpec{
637 sans: []string{"ip:2000:abcd::", "dns:foo.com"},
638 },
639 },
640 {
641 name: "IPv6 excluded constraint",
642 roots: []constraintsSpec{
643 {
644 bad: []string{"ip:2000:abcd::/32"},
645 },
646 },
647 intermediates: [][]constraintsSpec{
648 {
649 {},
650 },
651 },
652 leaf: leafSpec{
653 sans: []string{"ip:2000:1234::"},
654 },
655 },
656 {
657 name: "IPv6 excluded constraint is effective",
658 roots: []constraintsSpec{
659 {
660 bad: []string{"ip:2000:abcd::/32"},
661 },
662 },
663 intermediates: [][]constraintsSpec{
664 {
665 {},
666 },
667 },
668 leaf: leafSpec{
669 sans: []string{"ip:2000:abcd::"},
670 },
671 expectedError: "\"2000:abcd::\" is excluded",
672 },
673 {
674 name: "IPv6 constraint does not permit IPv4",
675 roots: []constraintsSpec{
676 {
677 ok: []string{"ip:2000:abcd::/32"},
678 },
679 },
680 intermediates: [][]constraintsSpec{
681 {
682 {},
683 },
684 },
685 leaf: leafSpec{
686 sans: []string{"ip:10.0.0.1"},
687 },
688 expectedError: "\"10.0.0.1\" is not permitted",
689 },
690 {
691 name: "IPv4 constraint does not permit IPv6",
692 roots: []constraintsSpec{
693 {
694 ok: []string{"ip:10.0.0.0/8"},
695 },
696 },
697 intermediates: [][]constraintsSpec{
698 {
699 {},
700 },
701 },
702 leaf: leafSpec{
703 sans: []string{"ip:2000:abcd::"},
704 },
705 expectedError: "\"2000:abcd::\" is not permitted",
706 },
707 {
708 name: "unknown excluded constraint does not affect other names",
709 roots: []constraintsSpec{
710 {
711 bad: []string{"unknown:"},
712 },
713 },
714 intermediates: [][]constraintsSpec{
715 {
716 {},
717 },
718 },
719 leaf: leafSpec{
720 sans: []string{"dns:example.com"},
721 },
722 },
723 {
724 name: "unknown permitted constraint does not affect other names",
725 roots: []constraintsSpec{
726 {
727 ok: []string{"unknown:"},
728 },
729 },
730 intermediates: [][]constraintsSpec{
731 {
732 {},
733 },
734 },
735 leaf: leafSpec{
736 sans: []string{"dns:example.com"},
737 },
738 },
739 {
740 name: "exact email constraint",
741 roots: []constraintsSpec{
742 {
743 ok: []string{"email:foo@example.com"},
744 },
745 },
746 intermediates: [][]constraintsSpec{
747 {
748 {},
749 },
750 },
751 leaf: leafSpec{
752 sans: []string{"email:foo@example.com"},
753 },
754 },
755 {
756 name: "exact email constraint is effective",
757 roots: []constraintsSpec{
758 {
759 ok: []string{"email:foo@example.com"},
760 },
761 },
762 intermediates: [][]constraintsSpec{
763 {
764 {},
765 },
766 },
767 leaf: leafSpec{
768 sans: []string{"email:bar@example.com"},
769 },
770 expectedError: "\"bar@example.com\" is not permitted",
771 },
772 {
773 name: "email canonicalization",
774 roots: []constraintsSpec{
775 {
776 ok: []string{"email:foo@example.com"},
777 },
778 },
779 intermediates: [][]constraintsSpec{
780 {
781 {},
782 },
783 },
784 leaf: leafSpec{
785 sans: []string{"email:\"\\f\\o\\o\"@example.com"},
786 },
787 noOpenSSL: true,
788 },
789 {
790 name: "email host constraint",
791 roots: []constraintsSpec{
792 {
793 ok: []string{"email:example.com"},
794 },
795 },
796 intermediates: [][]constraintsSpec{
797 {
798 {},
799 },
800 },
801 leaf: leafSpec{
802 sans: []string{"email:foo@example.com"},
803 },
804 },
805 {
806 name: "email subdomain constraint",
807 roots: []constraintsSpec{
808 {
809 ok: []string{"email:.example.com"},
810 },
811 },
812 intermediates: [][]constraintsSpec{
813 {
814 {},
815 },
816 },
817 leaf: leafSpec{
818 sans: []string{"email:foo@sub.example.com"},
819 },
820 },
821 {
822 name: "email subdomain constraint does not match parent",
823 roots: []constraintsSpec{
824 {
825 ok: []string{"email:.example.com"},
826 },
827 },
828 intermediates: [][]constraintsSpec{
829 {
830 {},
831 },
832 },
833 leaf: leafSpec{
834 sans: []string{"email:foo@example.com"},
835 },
836 expectedError: "\"foo@example.com\" is not permitted",
837 },
838 {
839 name: "email subdomain constraint matches deeper subdomains",
840 roots: []constraintsSpec{
841 {
842 ok: []string{"email:.example.com"},
843 },
844 },
845 intermediates: [][]constraintsSpec{
846 {
847 {},
848 },
849 },
850 leaf: leafSpec{
851 sans: []string{"email:foo@sub.sub.example.com"},
852 },
853 },
854 {
855 name: "email local part is case-sensitive",
856 roots: []constraintsSpec{
857 {
858 ok: []string{"email:foo@example.com"},
859 },
860 },
861 intermediates: [][]constraintsSpec{
862 {
863 {},
864 },
865 },
866 leaf: leafSpec{
867 sans: []string{"email:Foo@example.com"},
868 },
869 expectedError: "\"Foo@example.com\" is not permitted",
870 },
871 {
872 name: "email domain part is case-insensitive",
873 roots: []constraintsSpec{
874 {
875 ok: []string{"email:foo@EXAMPLE.com"},
876 },
877 },
878 intermediates: [][]constraintsSpec{
879 {
880 {},
881 },
882 },
883 leaf: leafSpec{
884 sans: []string{"email:foo@example.com"},
885 },
886 },
887 {
888 name: "DNS domain is case-insensitive",
889 roots: []constraintsSpec{
890 {
891 ok: []string{"dns:EXAMPLE.com"},
892 },
893 },
894 intermediates: [][]constraintsSpec{
895 {
896 {},
897 },
898 },
899 leaf: leafSpec{
900 sans: []string{"dns:example.com"},
901 },
902 },
903 {
904 name: "URI constraint covers host",
905 roots: []constraintsSpec{
906 {
907 ok: []string{"uri:example.com"},
908 },
909 },
910 intermediates: [][]constraintsSpec{
911 {
912 {},
913 },
914 },
915 leaf: leafSpec{
916 sans: []string{
917 "uri:http://example.com/bar",
918 "uri:http://example.com:8080/",
919 "uri:https://example.com/wibble#bar",
920 },
921 },
922 },
923 {
924 name: "URI with IP is rejected",
925 roots: []constraintsSpec{
926 {
927 ok: []string{"uri:example.com"},
928 },
929 },
930 intermediates: [][]constraintsSpec{
931 {
932 {},
933 },
934 },
935 leaf: leafSpec{
936 sans: []string{"uri:http://1.2.3.4/"},
937 },
938 expectedError: "URI with IP",
939 },
940 {
941 name: "URI with IP and port is rejected",
942 roots: []constraintsSpec{
943 {
944 ok: []string{"uri:example.com"},
945 },
946 },
947 intermediates: [][]constraintsSpec{
948 {
949 {},
950 },
951 },
952 leaf: leafSpec{
953 sans: []string{"uri:http://1.2.3.4:43/"},
954 },
955 expectedError: "URI with IP",
956 },
957 {
958 name: "URI with IPv6 is rejected",
959 roots: []constraintsSpec{
960 {
961 ok: []string{"uri:example.com"},
962 },
963 },
964 intermediates: [][]constraintsSpec{
965 {
966 {},
967 },
968 },
969 leaf: leafSpec{
970 sans: []string{"uri:http://[2006:abcd::1]/"},
971 },
972 expectedError: "URI with IP",
973 },
974 {
975 name: "URI with IPv6 and port is rejected",
976 roots: []constraintsSpec{
977 {
978 ok: []string{"uri:example.com"},
979 },
980 },
981 intermediates: [][]constraintsSpec{
982 {
983 {},
984 },
985 },
986 leaf: leafSpec{
987 sans: []string{"uri:http://[2006:abcd::1]:16/"},
988 },
989 expectedError: "URI with IP",
990 },
991 {
992 name: "URI permitted constraint is effective",
993 roots: []constraintsSpec{
994 {
995 ok: []string{"uri:example.com"},
996 },
997 },
998 intermediates: [][]constraintsSpec{
999 {
1000 {},
1001 },
1002 },
1003 leaf: leafSpec{
1004 sans: []string{"uri:http://bar.com/"},
1005 },
1006 expectedError: "\"http://bar.com/\" is not permitted",
1007 },
1008 {
1009 name: "URI excluded constraint is effective",
1010 roots: []constraintsSpec{
1011 {
1012 bad: []string{"uri:foo.com"},
1013 },
1014 },
1015 intermediates: [][]constraintsSpec{
1016 {
1017 {},
1018 },
1019 },
1020 leaf: leafSpec{
1021 sans: []string{"uri:http://foo.com/"},
1022 },
1023 expectedError: "\"http://foo.com/\" is excluded",
1024 },
1025 {
1026 name: "URI subdomain constraint",
1027 roots: []constraintsSpec{
1028 {
1029 ok: []string{"uri:.foo.com"},
1030 },
1031 },
1032 intermediates: [][]constraintsSpec{
1033 {
1034 {},
1035 },
1036 },
1037 leaf: leafSpec{
1038 sans: []string{"uri:http://www.foo.com/"},
1039 },
1040 },
1041 {
1042 name: "IPv4-mapped-IPv6 exclusion does not affect IPv4",
1043 roots: []constraintsSpec{
1044 {
1045 bad: []string{"ip:::ffff:1.2.3.4/128"},
1046 },
1047 },
1048 intermediates: [][]constraintsSpec{
1049 {
1050 {},
1051 },
1052 },
1053 leaf: leafSpec{
1054 sans: []string{"ip:1.2.3.4"},
1055 },
1056 },
1057 {
1058 name: "URI constraint not matched by URN",
1059 roots: []constraintsSpec{
1060 {
1061 ok: []string{"uri:example.com"},
1062 },
1063 },
1064 intermediates: [][]constraintsSpec{
1065 {
1066 {},
1067 },
1068 },
1069 leaf: leafSpec{
1070 sans: []string{"uri:urn:example"},
1071 },
1072 expectedError: "URI with empty host",
1073 },
1074 {
1075 name: "IPv6 exclusion does not exclude all IPv4",
1076 roots: []constraintsSpec{
1077 {
1078 ok: []string{"ip:1.2.3.0/24"},
1079 bad: []string{"ip:::0/0"},
1080 },
1081 },
1082 intermediates: [][]constraintsSpec{
1083 {
1084 {},
1085 },
1086 },
1087 leaf: leafSpec{
1088 sans: []string{"ip:1.2.3.4"},
1089 },
1090 },
1091 {
1092 name: "empty EKU in CA means any is ok",
1093 roots: make([]constraintsSpec, 1),
1094 intermediates: [][]constraintsSpec{
1095 {
1096 {},
1097 },
1098 },
1099 leaf: leafSpec{
1100 sans: []string{"dns:example.com"},
1101 ekus: []string{"serverAuth", "other"},
1102 },
1103 },
1104 {
1105 name: "any EKU means any is ok",
1106 roots: make([]constraintsSpec, 1),
1107 intermediates: [][]constraintsSpec{
1108 {
1109 {
1110 ekus: []string{"any"},
1111 },
1112 },
1113 },
1114 leaf: leafSpec{
1115 sans: []string{"dns:example.com"},
1116 ekus: []string{"serverAuth", "other"},
1117 },
1118 },
1119
1120 {
1121 name: "intermediate with enumerated EKUs",
1122 roots: make([]constraintsSpec, 1),
1123 intermediates: [][]constraintsSpec{
1124 {
1125 {
1126 ekus: []string{"email"},
1127 },
1128 },
1129 },
1130 leaf: leafSpec{
1131 sans: []string{"dns:example.com"},
1132 ekus: []string{"serverAuth"},
1133 },
1134 expectedError: "incompatible key usage",
1135 },
1136 {
1137 name: "unknown EKU in leaf",
1138 roots: make([]constraintsSpec, 1),
1139 intermediates: [][]constraintsSpec{
1140 {
1141 {
1142 ekus: []string{"email"},
1143 },
1144 },
1145 },
1146 leaf: leafSpec{
1147 sans: []string{"dns:example.com"},
1148 ekus: []string{"other"},
1149 },
1150 requestedEKUs: []ExtKeyUsage{ExtKeyUsageAny},
1151 },
1152
1153 {
1154 name: "intermediate cannot add EKUs not in root if leaf uses them",
1155 roots: []constraintsSpec{
1156 {
1157 ekus: []string{"serverAuth"},
1158 },
1159 },
1160 intermediates: [][]constraintsSpec{
1161 {
1162 {
1163 ekus: []string{"serverAuth", "email"},
1164 },
1165 },
1166 },
1167 leaf: leafSpec{
1168 sans: []string{"dns:example.com"},
1169 ekus: []string{"serverAuth"},
1170 },
1171 },
1172 {
1173 name: "EKUs in root are effective",
1174 roots: []constraintsSpec{
1175 {
1176 ekus: []string{"email"},
1177 },
1178 },
1179 intermediates: [][]constraintsSpec{
1180 {
1181 {
1182 ekus: []string{"serverAuth"},
1183 },
1184 },
1185 },
1186 leaf: leafSpec{
1187 sans: []string{"dns:example.com"},
1188 ekus: []string{"serverAuth"},
1189 },
1190 expectedError: "incompatible key usage",
1191 },
1192 {
1193 name: "netscapeSGC EKU does not permit server/client auth",
1194 roots: []constraintsSpec{
1195 {},
1196 },
1197 intermediates: [][]constraintsSpec{
1198 {
1199 {
1200 ekus: []string{"netscapeSGC"},
1201 },
1202 },
1203 },
1204 leaf: leafSpec{
1205 sans: []string{"dns:example.com"},
1206 ekus: []string{"serverAuth", "clientAuth"},
1207 },
1208 expectedError: "incompatible key usage",
1209 },
1210 {
1211 name: "msSGC EKU does not permit server/client auth",
1212 roots: make([]constraintsSpec, 1),
1213 intermediates: [][]constraintsSpec{
1214 {
1215 {
1216 ekus: []string{"msSGC"},
1217 },
1218 },
1219 },
1220 leaf: leafSpec{
1221 sans: []string{"dns:example.com"},
1222 ekus: []string{"serverAuth", "clientAuth"},
1223 },
1224 expectedError: "incompatible key usage",
1225 },
1226 {
1227 name: "empty DNS permitted constraint allows anything",
1228 roots: []constraintsSpec{
1229 {
1230 ok: []string{"dns:"},
1231 },
1232 },
1233 intermediates: [][]constraintsSpec{
1234 {
1235 {},
1236 },
1237 },
1238 leaf: leafSpec{
1239 sans: []string{"dns:example.com"},
1240 },
1241 },
1242 {
1243 name: "empty DNS excluded constraint rejects everything",
1244 roots: []constraintsSpec{
1245 {
1246 bad: []string{"dns:"},
1247 },
1248 },
1249 intermediates: [][]constraintsSpec{
1250 {
1251 {},
1252 },
1253 },
1254 leaf: leafSpec{
1255 sans: []string{"dns:example.com"},
1256 },
1257 expectedError: "\"example.com\" is excluded",
1258 },
1259 {
1260 name: "empty email permitted constraint allows anything",
1261 roots: []constraintsSpec{
1262 {
1263 ok: []string{"email:"},
1264 },
1265 },
1266 intermediates: [][]constraintsSpec{
1267 {
1268 {},
1269 },
1270 },
1271 leaf: leafSpec{
1272 sans: []string{"email:foo@example.com"},
1273 },
1274 },
1275 {
1276 name: "empty email excluded constraint rejects everything",
1277 roots: []constraintsSpec{
1278 {
1279 bad: []string{"email:"},
1280 },
1281 },
1282 intermediates: [][]constraintsSpec{
1283 {
1284 {},
1285 },
1286 },
1287 leaf: leafSpec{
1288 sans: []string{"email:foo@example.com"},
1289 },
1290 expectedError: "\"foo@example.com\" is excluded",
1291 },
1292 {
1293 name: "empty URI permitted constraint allows anything",
1294 roots: []constraintsSpec{
1295 {
1296 ok: []string{"uri:"},
1297 },
1298 },
1299 intermediates: [][]constraintsSpec{
1300 {
1301 {},
1302 },
1303 },
1304 leaf: leafSpec{
1305 sans: []string{"uri:https://example.com/test"},
1306 },
1307 },
1308 {
1309 name: "empty URI excluded constraint rejects everything",
1310 roots: []constraintsSpec{
1311 {
1312 bad: []string{"uri:"},
1313 },
1314 },
1315 intermediates: [][]constraintsSpec{
1316 {
1317 {},
1318 },
1319 },
1320 leaf: leafSpec{
1321 sans: []string{"uri:https://example.com/test"},
1322 },
1323 expectedError: "\"https://example.com/test\" is excluded",
1324 },
1325 {
1326 name: "serverAuth EKU does not permit clientAuth",
1327 roots: make([]constraintsSpec, 1),
1328 intermediates: [][]constraintsSpec{
1329 {
1330 {},
1331 },
1332 },
1333 leaf: leafSpec{
1334 sans: []string{"dns:example.com"},
1335 ekus: []string{"serverAuth"},
1336 },
1337 requestedEKUs: []ExtKeyUsage{ExtKeyUsageClientAuth},
1338 expectedError: "incompatible key usage",
1339 },
1340 {
1341 name: "msSGC EKU does not permit serverAuth",
1342 roots: make([]constraintsSpec, 1),
1343 intermediates: [][]constraintsSpec{
1344 {
1345 {},
1346 },
1347 },
1348 leaf: leafSpec{
1349 sans: []string{"dns:example.com"},
1350 ekus: []string{"msSGC"},
1351 },
1352 requestedEKUs: []ExtKeyUsage{ExtKeyUsageServerAuth},
1353 expectedError: "incompatible key usage",
1354 },
1355 {
1356
1357
1358
1359 name: "invalid SANs are ignored with no constraints",
1360 roots: make([]constraintsSpec, 1),
1361 intermediates: [][]constraintsSpec{
1362 {
1363 {},
1364 },
1365 },
1366 leaf: leafSpec{
1367 sans: []string{"dns:this is invalid", "email:this @ is invalid"},
1368 },
1369 },
1370 {
1371 name: "invalid DNS SAN detected with constraints",
1372 roots: []constraintsSpec{
1373 {
1374 bad: []string{"uri:"},
1375 },
1376 },
1377 intermediates: [][]constraintsSpec{
1378 {
1379 {},
1380 },
1381 },
1382 leaf: leafSpec{
1383 sans: []string{"dns:this is invalid"},
1384 },
1385 expectedError: "cannot parse dnsName",
1386 },
1387 {
1388 name: "invalid email SAN detected with constraints",
1389 roots: []constraintsSpec{
1390 {
1391 bad: []string{"uri:"},
1392 },
1393 },
1394 intermediates: [][]constraintsSpec{
1395 {
1396 {},
1397 },
1398 },
1399 leaf: leafSpec{
1400 sans: []string{"email:this @ is invalid"},
1401 },
1402 expectedError: "cannot parse rfc822Name",
1403 },
1404 {
1405 name: "any requested EKU is sufficient",
1406 roots: make([]constraintsSpec, 1),
1407 intermediates: [][]constraintsSpec{
1408 {
1409 {},
1410 },
1411 },
1412 leaf: leafSpec{
1413 sans: []string{"dns:example.com"},
1414 ekus: []string{"email"},
1415 },
1416 requestedEKUs: []ExtKeyUsage{ExtKeyUsageClientAuth, ExtKeyUsageEmailProtection},
1417 },
1418 {
1419 name: "unrequested EKUs not required to be nested",
1420 roots: make([]constraintsSpec, 1),
1421 intermediates: [][]constraintsSpec{
1422 {
1423 {
1424 ekus: []string{"serverAuth"},
1425 },
1426 },
1427 },
1428 leaf: leafSpec{
1429 sans: []string{"dns:example.com"},
1430
1431
1432 ekus: []string{"email", "serverAuth"},
1433 },
1434 },
1435 {
1436 name: "empty leaf is accepted in constrained chain",
1437 roots: []constraintsSpec{
1438 {
1439 ok: []string{"dns:foo.com", "dns:.foo.com"},
1440 },
1441 },
1442 intermediates: [][]constraintsSpec{
1443 {
1444 {},
1445 },
1446 },
1447 leaf: leafSpec{
1448 sans: []string{},
1449 },
1450 },
1451 {
1452 name: "no SANs and non-hostname CN is accepted in constrained chain",
1453 roots: []constraintsSpec{
1454 {
1455 ok: []string{"dns:foo.com", "dns:.foo.com"},
1456 },
1457 },
1458 intermediates: [][]constraintsSpec{
1459 {
1460 {},
1461 },
1462 },
1463 leaf: leafSpec{
1464 sans: []string{},
1465 cn: "foo.bar",
1466 },
1467 },
1468 {
1469 name: "constraints don't apply to CN",
1470 roots: []constraintsSpec{
1471 {
1472 ok: []string{"dns:foo.com", "dns:.foo.com"},
1473 },
1474 },
1475 intermediates: [][]constraintsSpec{
1476 {
1477 {},
1478 },
1479 },
1480 leaf: leafSpec{
1481 sans: []string{"dns:foo.com"},
1482 cn: "foo.bar",
1483 },
1484 },
1485 {
1486 name: "DNS SAN cannot use leading period form",
1487 roots: []constraintsSpec{{ok: []string{"dns:example.com"}}},
1488 leaf: leafSpec{sans: []string{"dns:.example.com"}},
1489 expectedError: "cannot parse dnsName \".example.com\"",
1490 },
1491 {
1492 name: "URI with IPv6 and zone is rejected",
1493 roots: []constraintsSpec{
1494 {
1495 ok: []string{"uri:example.com"},
1496 },
1497 },
1498 intermediates: [][]constraintsSpec{
1499 {
1500 {},
1501 },
1502 },
1503 leaf: leafSpec{
1504 sans: []string{"uri:http://[2006:abcd::1%25.example.com]:16/"},
1505 },
1506 expectedError: "URI with IP",
1507 },
1508 {
1509 name: "intermediate can narrow permitted dns scope",
1510 roots: []constraintsSpec{
1511 {
1512 ok: []string{"dns:"},
1513 },
1514 },
1515 intermediates: [][]constraintsSpec{
1516 {
1517 {
1518 ok: []string{"dns:example.com"},
1519 },
1520 },
1521 },
1522 leaf: leafSpec{
1523 sans: []string{"dns:test.com"},
1524 },
1525 expectedError: "\"test.com\" is not permitted",
1526 },
1527 {
1528 name: "intermediate cannot narrow excluded dns scope",
1529 roots: []constraintsSpec{
1530 {
1531 bad: []string{"dns:"},
1532 },
1533 },
1534 intermediates: [][]constraintsSpec{
1535 {
1536 {
1537 bad: []string{"dns:example.com"},
1538 },
1539 },
1540 },
1541 leaf: leafSpec{
1542 sans: []string{"dns:test.com"},
1543 },
1544 expectedError: "\"test.com\" is excluded by constraint \"\"",
1545 },
1546 {
1547 name: "intermediate can narrow excluded dns scope",
1548 roots: []constraintsSpec{
1549 {
1550 bad: []string{"dns:example.com"},
1551 },
1552 },
1553 intermediates: [][]constraintsSpec{
1554 {
1555 {
1556 bad: []string{"dns:"},
1557 },
1558 },
1559 },
1560 leaf: leafSpec{
1561 sans: []string{"dns:test.com"},
1562 },
1563 expectedError: "\"test.com\" is excluded by constraint \"\"",
1564 },
1565 {
1566 name: "permitted dns constraint is not a prefix match",
1567 roots: []constraintsSpec{
1568 {
1569 ok: []string{"dns:example.com"},
1570 },
1571 },
1572 intermediates: [][]constraintsSpec{
1573 {
1574 {},
1575 },
1576 },
1577 leaf: leafSpec{
1578 sans: []string{"dns:testexample.com"},
1579 },
1580 expectedError: "\"testexample.com\" is not permitted",
1581 },
1582 {
1583 name: "subdomain constraint does not allow wildcard",
1584 roots: []constraintsSpec{
1585 {
1586 ok: []string{"dns:a.com", "dns:foo.example.com", "dns:z.com"},
1587 },
1588 },
1589 intermediates: [][]constraintsSpec{
1590 {
1591 {},
1592 },
1593 },
1594 leaf: leafSpec{
1595 sans: []string{"dns:*.example.com"},
1596 },
1597 expectedError: "\"*.example.com\" is not permitted",
1598 },
1599 {
1600 name: "excluded dns constraint is not a prefix match",
1601 roots: []constraintsSpec{
1602 {
1603 bad: []string{"dns:example.com"},
1604 },
1605 },
1606 intermediates: [][]constraintsSpec{
1607 {
1608 {},
1609 },
1610 },
1611 leaf: leafSpec{
1612 sans: []string{"dns:testexample.com"},
1613 },
1614 },
1615 {
1616 name: "excluded email constraint, multiple email with matching local portion",
1617 roots: []constraintsSpec{
1618 {
1619 bad: []string{"email:a@example.com", "email:a@test.com"},
1620 },
1621 },
1622 intermediates: [][]constraintsSpec{
1623 {
1624 {},
1625 },
1626 },
1627 leaf: leafSpec{
1628 sans: []string{"email:a@example.com"},
1629 },
1630 expectedError: "\"a@example.com\" is excluded by constraint \"a@example.com\"",
1631 },
1632 {
1633 name: "email_case_check",
1634 roots: []constraintsSpec{
1635 {
1636 ok: []string{"email:a@example.com"},
1637 },
1638 },
1639 intermediates: [][]constraintsSpec{
1640 {
1641 {},
1642 },
1643 },
1644 leaf: leafSpec{
1645 sans: []string{"email:a@ExAmple.com"},
1646 },
1647 },
1648 {
1649 name: "excluded constraint, empty DNS san",
1650 roots: []constraintsSpec{
1651 {
1652 bad: []string{"dns:example.com"},
1653 },
1654 },
1655 leaf: leafSpec{
1656 sans: []string{"dns:"},
1657 },
1658 },
1659
1660 {
1661 name: "subdomain excluded constraints preclude outer wildcard names",
1662 roots: []constraintsSpec{
1663 {
1664 bad: []string{"dns:foo.example.com"},
1665 },
1666 },
1667 intermediates: [][]constraintsSpec{
1668 {
1669 {},
1670 },
1671 },
1672 leaf: leafSpec{
1673 sans: []string{"dns:*.example.com"},
1674 },
1675 expectedError: "\"*.example.com\" is excluded by constraint \"foo.example.com\"",
1676 },
1677 {
1678 name: "subdomain excluded constraints do not preclude far outer wildcard names",
1679 roots: []constraintsSpec{
1680 {
1681 bad: []string{"dns:foo.example.com"},
1682 },
1683 },
1684 intermediates: [][]constraintsSpec{
1685 {
1686 {},
1687 },
1688 },
1689 leaf: leafSpec{
1690 sans: []string{"dns:*.com"},
1691 },
1692 },
1693 {
1694 name: "subdomain excluded constraints preclude inner wildcard names",
1695 roots: []constraintsSpec{
1696 {
1697 bad: []string{"dns:foo.example.com"},
1698 },
1699 },
1700 intermediates: [][]constraintsSpec{
1701 {
1702 {},
1703 },
1704 },
1705 leaf: leafSpec{
1706 sans: []string{"dns:*.foo.example.com"},
1707 },
1708 expectedError: "\"*.foo.example.com\" is excluded by constraint \"foo.example.com\"",
1709 },
1710 {
1711 name: "subdomain excluded constraints preclude far inner wildcard names",
1712 roots: []constraintsSpec{
1713 {
1714 bad: []string{"dns:foo.example.com"},
1715 },
1716 },
1717 intermediates: [][]constraintsSpec{
1718 {
1719 {},
1720 },
1721 },
1722 leaf: leafSpec{
1723 sans: []string{"dns:*.bar.foo.example.com"},
1724 },
1725 expectedError: "\"*.bar.foo.example.com\" is excluded by constraint \"foo.example.com\"",
1726 },
1727 {
1728 name: "outer wildcard names are not matched by subdomain permitted constraints",
1729 roots: []constraintsSpec{
1730 {
1731 ok: []string{"dns:foo.example.com"},
1732 },
1733 },
1734 intermediates: [][]constraintsSpec{
1735 {
1736 {},
1737 },
1738 },
1739 leaf: leafSpec{
1740 sans: []string{"dns:*.example.com"},
1741 },
1742 expectedError: "\"*.example.com\" is not permitted",
1743 },
1744 {
1745 name: "far outer wildcard names are not matched by subdomain permitted constraints",
1746 roots: []constraintsSpec{
1747 {
1748 ok: []string{"dns:foo.example.com"},
1749 },
1750 },
1751 intermediates: [][]constraintsSpec{
1752 {
1753 {},
1754 },
1755 },
1756 leaf: leafSpec{
1757 sans: []string{"dns:*.com"},
1758 },
1759 expectedError: "\"*.com\" is not permitted",
1760 },
1761 {
1762 name: "inner wildcard names are matched by subdomain permitted constraints",
1763 roots: []constraintsSpec{
1764 {
1765 ok: []string{"dns:foo.example.com"},
1766 },
1767 },
1768 intermediates: [][]constraintsSpec{
1769 {
1770 {},
1771 },
1772 },
1773 leaf: leafSpec{
1774 sans: []string{"dns:*.foo.example.com"},
1775 },
1776 },
1777 {
1778 name: "far inner wildcard names are matched by subdomain permitted constraints",
1779 roots: []constraintsSpec{
1780 {
1781 ok: []string{"dns:foo.example.com"},
1782 },
1783 },
1784 intermediates: [][]constraintsSpec{
1785 {
1786 {},
1787 },
1788 },
1789 leaf: leafSpec{
1790 sans: []string{"dns:*.bar.foo.example.com"},
1791 },
1792 },
1793
1794 {
1795 name: "cross include should not match",
1796 roots: []constraintsSpec{
1797 {
1798 ok: []string{"dns:foo.example.com"},
1799 },
1800 },
1801 intermediates: [][]constraintsSpec{
1802 {
1803 {},
1804 },
1805 },
1806 leaf: leafSpec{
1807 sans: []string{"dns:*.bar.example.com"},
1808 },
1809 expectedError: "\"*.bar.example.com\" is not permitted by any constraint",
1810 },
1811 {
1812 name: "cross exclude should not match",
1813 roots: []constraintsSpec{
1814 {
1815 bad: []string{"dns:foo.example.com"},
1816 },
1817 },
1818 intermediates: [][]constraintsSpec{
1819 {
1820 {},
1821 },
1822 },
1823 leaf: leafSpec{
1824 sans: []string{"dns:*.bar.example.com"},
1825 },
1826 },
1827 {
1828 name: "subdomain exclusion blocks uppercase wildcard",
1829 roots: []constraintsSpec{{
1830 bad: []string{"dns:sub.example.com"},
1831 }},
1832 intermediates: [][]constraintsSpec{{{}}},
1833 leaf: leafSpec{
1834 sans: []string{"dns:*.EXAMPLE.COM"},
1835 },
1836 expectedError: "\"*.EXAMPLE.COM\" is excluded by constraint \"sub.example.com\"",
1837 },
1838 {
1839 name: "uppercase subdomain exclusion blocks lowercase wildcard",
1840 roots: []constraintsSpec{{
1841 bad: []string{"dns:SUB.EXAMPLE.COM"},
1842 }},
1843 intermediates: [][]constraintsSpec{{{}}},
1844 leaf: leafSpec{
1845 sans: []string{"dns:*.example.com"},
1846 },
1847 expectedError: "\"*.example.com\" is excluded by constraint \"sub.example.com\"",
1848 },
1849 }
1850
1851 func makeConstraintsCACert(constraints constraintsSpec, name string, key *ecdsa.PrivateKey, parent *Certificate, parentKey *ecdsa.PrivateKey) (*Certificate, error) {
1852 var serialBytes [16]byte
1853 rand.Read(serialBytes[:])
1854
1855 template := &Certificate{
1856 SerialNumber: new(big.Int).SetBytes(serialBytes[:]),
1857 Subject: pkix.Name{
1858 CommonName: name,
1859 },
1860 NotBefore: time.Unix(1000, 0),
1861 NotAfter: time.Unix(2000, 0),
1862 KeyUsage: KeyUsageCertSign,
1863 BasicConstraintsValid: true,
1864 IsCA: true,
1865 }
1866
1867 if err := addConstraintsToTemplate(constraints, template); err != nil {
1868 return nil, err
1869 }
1870
1871 if parent == nil {
1872 parent = template
1873 }
1874 derBytes, err := CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
1875 if err != nil {
1876 return nil, err
1877 }
1878
1879 caCert, err := ParseCertificate(derBytes)
1880 if err != nil {
1881 return nil, err
1882 }
1883
1884 return caCert, nil
1885 }
1886
1887 func makeConstraintsLeafCert(leaf leafSpec, key *ecdsa.PrivateKey, parent *Certificate, parentKey *ecdsa.PrivateKey) (*Certificate, error) {
1888 var serialBytes [16]byte
1889 rand.Read(serialBytes[:])
1890
1891 template := &Certificate{
1892 SerialNumber: new(big.Int).SetBytes(serialBytes[:]),
1893 Subject: pkix.Name{
1894 OrganizationalUnit: []string{"Leaf"},
1895 CommonName: leaf.cn,
1896 },
1897 NotBefore: time.Unix(1000, 0),
1898 NotAfter: time.Unix(2000, 0),
1899 KeyUsage: KeyUsageDigitalSignature,
1900 BasicConstraintsValid: true,
1901 IsCA: false,
1902 }
1903
1904 for _, name := range leaf.sans {
1905 switch {
1906 case strings.HasPrefix(name, "dns:"):
1907 template.DNSNames = append(template.DNSNames, name[4:])
1908
1909 case strings.HasPrefix(name, "ip:"):
1910 ip := net.ParseIP(name[3:])
1911 if ip == nil {
1912 return nil, fmt.Errorf("cannot parse IP %q", name[3:])
1913 }
1914 template.IPAddresses = append(template.IPAddresses, ip)
1915
1916 case strings.HasPrefix(name, "invalidip:"):
1917 ipBytes, err := hex.DecodeString(name[10:])
1918 if err != nil {
1919 return nil, fmt.Errorf("cannot parse invalid IP: %s", err)
1920 }
1921 template.IPAddresses = append(template.IPAddresses, net.IP(ipBytes))
1922
1923 case strings.HasPrefix(name, "email:"):
1924 template.EmailAddresses = append(template.EmailAddresses, name[6:])
1925
1926 case strings.HasPrefix(name, "uri:"):
1927 uri, err := url.Parse(name[4:])
1928 if err != nil {
1929 return nil, fmt.Errorf("cannot parse URI %q: %s", name[4:], err)
1930 }
1931 template.URIs = append(template.URIs, uri)
1932
1933 case strings.HasPrefix(name, "unknown:"):
1934
1935
1936
1937 if len(leaf.sans) != 1 {
1938 panic("when using unknown name types, it must be the sole name")
1939 }
1940
1941 template.ExtraExtensions = append(template.ExtraExtensions, pkix.Extension{
1942 Id: []int{2, 5, 29, 17},
1943 Value: []byte{
1944 0x30,
1945 3,
1946 9,
1947 1,
1948 1,
1949 },
1950 })
1951
1952 default:
1953 return nil, fmt.Errorf("unknown name type %q", name)
1954 }
1955 }
1956
1957 var err error
1958 if template.ExtKeyUsage, template.UnknownExtKeyUsage, err = parseEKUs(leaf.ekus); err != nil {
1959 return nil, err
1960 }
1961
1962 if parent == nil {
1963 parent = template
1964 }
1965
1966 derBytes, err := CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
1967 if err != nil {
1968 return nil, err
1969 }
1970
1971 return ParseCertificate(derBytes)
1972 }
1973
1974 func customConstraintsExtension(typeNum int, constraint []byte, isExcluded bool) pkix.Extension {
1975 appendConstraint := func(contents []byte, tag uint8) []byte {
1976 contents = append(contents, tag|32 |0x80 )
1977 contents = append(contents, byte(4+len(constraint)) )
1978 contents = append(contents, 0x30 )
1979 contents = append(contents, byte(2+len(constraint)) )
1980 contents = append(contents, byte(typeNum) )
1981 contents = append(contents, byte(len(constraint)))
1982 return append(contents, constraint...)
1983 }
1984
1985 var contents []byte
1986 if !isExcluded {
1987 contents = appendConstraint(contents, 0 )
1988 } else {
1989 contents = appendConstraint(contents, 1 )
1990 }
1991
1992 var value []byte
1993 value = append(value, 0x30 )
1994 value = append(value, byte(len(contents)))
1995 value = append(value, contents...)
1996
1997 return pkix.Extension{
1998 Id: []int{2, 5, 29, 30},
1999 Value: value,
2000 }
2001 }
2002
2003 func addConstraintsToTemplate(constraints constraintsSpec, template *Certificate) error {
2004 parse := func(constraints []string) (dnsNames []string, ips []*net.IPNet, emailAddrs []string, uriDomains []string, err error) {
2005 for _, constraint := range constraints {
2006 switch {
2007 case strings.HasPrefix(constraint, "dns:"):
2008 dnsNames = append(dnsNames, constraint[4:])
2009
2010 case strings.HasPrefix(constraint, "ip:"):
2011 _, ipNet, err := net.ParseCIDR(constraint[3:])
2012 if err != nil {
2013 return nil, nil, nil, nil, err
2014 }
2015 ips = append(ips, ipNet)
2016
2017 case strings.HasPrefix(constraint, "email:"):
2018 emailAddrs = append(emailAddrs, constraint[6:])
2019
2020 case strings.HasPrefix(constraint, "uri:"):
2021 uriDomains = append(uriDomains, constraint[4:])
2022
2023 default:
2024 return nil, nil, nil, nil, fmt.Errorf("unknown constraint %q", constraint)
2025 }
2026 }
2027
2028 return dnsNames, ips, emailAddrs, uriDomains, err
2029 }
2030
2031 handleSpecialConstraint := func(constraint string, isExcluded bool) bool {
2032 switch {
2033 case constraint == "unknown:":
2034 template.ExtraExtensions = append(template.ExtraExtensions, customConstraintsExtension(9 , []byte{1}, isExcluded))
2035
2036 default:
2037 return false
2038 }
2039
2040 return true
2041 }
2042
2043 if len(constraints.ok) == 1 && len(constraints.bad) == 0 {
2044 if handleSpecialConstraint(constraints.ok[0], false) {
2045 return nil
2046 }
2047 }
2048
2049 if len(constraints.bad) == 1 && len(constraints.ok) == 0 {
2050 if handleSpecialConstraint(constraints.bad[0], true) {
2051 return nil
2052 }
2053 }
2054
2055 var err error
2056 template.PermittedDNSDomains, template.PermittedIPRanges, template.PermittedEmailAddresses, template.PermittedURIDomains, err = parse(constraints.ok)
2057 if err != nil {
2058 return err
2059 }
2060
2061 template.ExcludedDNSDomains, template.ExcludedIPRanges, template.ExcludedEmailAddresses, template.ExcludedURIDomains, err = parse(constraints.bad)
2062 if err != nil {
2063 return err
2064 }
2065
2066 if template.ExtKeyUsage, template.UnknownExtKeyUsage, err = parseEKUs(constraints.ekus); err != nil {
2067 return err
2068 }
2069
2070 return nil
2071 }
2072
2073 func parseEKUs(ekuStrs []string) (ekus []ExtKeyUsage, unknowns []asn1.ObjectIdentifier, err error) {
2074 for _, s := range ekuStrs {
2075 switch s {
2076 case "serverAuth":
2077 ekus = append(ekus, ExtKeyUsageServerAuth)
2078 case "clientAuth":
2079 ekus = append(ekus, ExtKeyUsageClientAuth)
2080 case "email":
2081 ekus = append(ekus, ExtKeyUsageEmailProtection)
2082 case "netscapeSGC":
2083 ekus = append(ekus, ExtKeyUsageNetscapeServerGatedCrypto)
2084 case "msSGC":
2085 ekus = append(ekus, ExtKeyUsageMicrosoftServerGatedCrypto)
2086 case "any":
2087 ekus = append(ekus, ExtKeyUsageAny)
2088 case "other":
2089 unknowns = append(unknowns, asn1.ObjectIdentifier{2, 4, 1, 2, 3})
2090 default:
2091 return nil, nil, fmt.Errorf("unknown EKU %q", s)
2092 }
2093 }
2094
2095 return
2096 }
2097
2098 func TestConstraintCases(t *testing.T) {
2099 privateKeys := sync.Pool{
2100 New: func() any {
2101 priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
2102 if err != nil {
2103 panic(err)
2104 }
2105 return priv
2106 },
2107 }
2108
2109 for i, test := range nameConstraintsTests {
2110 t.Run(test.name, func(t *testing.T) {
2111 rootPool := NewCertPool()
2112 rootKey := privateKeys.Get().(*ecdsa.PrivateKey)
2113 rootName := "Root " + strconv.Itoa(i)
2114
2115
2116
2117 keys := []*ecdsa.PrivateKey{rootKey}
2118
2119
2120
2121
2122
2123
2124
2125 var parent *Certificate
2126 parentKey := rootKey
2127
2128 for _, root := range test.roots {
2129 rootCert, err := makeConstraintsCACert(root, rootName, rootKey, nil, rootKey)
2130 if err != nil {
2131 t.Fatalf("failed to create root: %s", err)
2132 }
2133
2134 parent = rootCert
2135 rootPool.AddCert(rootCert)
2136 }
2137
2138 intermediatePool := NewCertPool()
2139
2140 for level, intermediates := range test.intermediates {
2141 levelKey := privateKeys.Get().(*ecdsa.PrivateKey)
2142 keys = append(keys, levelKey)
2143 levelName := "Intermediate level " + strconv.Itoa(level)
2144 var last *Certificate
2145
2146 for _, intermediate := range intermediates {
2147 caCert, err := makeConstraintsCACert(intermediate, levelName, levelKey, parent, parentKey)
2148 if err != nil {
2149 t.Fatalf("failed to create %q: %s", levelName, err)
2150 }
2151
2152 last = caCert
2153 intermediatePool.AddCert(caCert)
2154 }
2155
2156 parent = last
2157 parentKey = levelKey
2158 }
2159
2160 leafKey := privateKeys.Get().(*ecdsa.PrivateKey)
2161 keys = append(keys, leafKey)
2162
2163 leafCert, err := makeConstraintsLeafCert(test.leaf, leafKey, parent, parentKey)
2164 if err != nil {
2165 t.Fatalf("cannot create leaf: %s", err)
2166 }
2167
2168
2169
2170 if !test.noOpenSSL && testNameConstraintsAgainstOpenSSL && test.leaf.cn == "" {
2171 output, err := testChainAgainstOpenSSL(t, leafCert, intermediatePool, rootPool)
2172 if err == nil && len(test.expectedError) > 0 {
2173 t.Error("unexpectedly succeeded against OpenSSL")
2174 if debugOpenSSLFailure {
2175 return
2176 }
2177 }
2178
2179 if err != nil {
2180 if _, ok := err.(*exec.ExitError); !ok {
2181 t.Errorf("OpenSSL failed to run: %s", err)
2182 } else if len(test.expectedError) == 0 {
2183 t.Errorf("OpenSSL unexpectedly failed: %v", output)
2184 if debugOpenSSLFailure {
2185 return
2186 }
2187 }
2188 }
2189 }
2190
2191 verifyOpts := VerifyOptions{
2192 Roots: rootPool,
2193 Intermediates: intermediatePool,
2194 CurrentTime: time.Unix(1500, 0),
2195 KeyUsages: test.requestedEKUs,
2196 }
2197 _, err = leafCert.Verify(verifyOpts)
2198
2199 logInfo := false
2200 if len(test.expectedError) == 0 {
2201 if err != nil {
2202 t.Errorf("unexpected failure: %s", err)
2203 } else {
2204 logInfo = false
2205 }
2206 } else {
2207 if err == nil {
2208 t.Error("unexpected success")
2209 } else if !strings.Contains(err.Error(), test.expectedError) {
2210 t.Errorf("expected error containing %q, but got: %s", test.expectedError, err)
2211 } else {
2212 logInfo = false
2213 }
2214 }
2215
2216 if logInfo {
2217 certAsPEM := func(cert *Certificate) string {
2218 var buf bytes.Buffer
2219 pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
2220 return buf.String()
2221 }
2222 t.Errorf("root:\n%s", certAsPEM(rootPool.mustCert(t, 0)))
2223 if intermediates := allCerts(t, intermediatePool); len(intermediates) > 0 {
2224 for ii, intermediate := range intermediates {
2225 t.Errorf("intermediate %d:\n%s", ii, certAsPEM(intermediate))
2226 }
2227 }
2228 t.Errorf("leaf:\n%s", certAsPEM(leafCert))
2229 }
2230
2231 for _, key := range keys {
2232 privateKeys.Put(key)
2233 }
2234 })
2235 }
2236 }
2237
2238 func writePEMsToTempFile(certs []*Certificate) *os.File {
2239 file, err := os.CreateTemp("", "name_constraints_test")
2240 if err != nil {
2241 panic("cannot create tempfile")
2242 }
2243
2244 pemBlock := &pem.Block{Type: "CERTIFICATE"}
2245 for _, cert := range certs {
2246 pemBlock.Bytes = cert.Raw
2247 pem.Encode(file, pemBlock)
2248 }
2249
2250 return file
2251 }
2252
2253 func testChainAgainstOpenSSL(t *testing.T, leaf *Certificate, intermediates, roots *CertPool) (string, error) {
2254 args := []string{"verify", "-no_check_time"}
2255
2256 rootsFile := writePEMsToTempFile(allCerts(t, roots))
2257 if debugOpenSSLFailure {
2258 println("roots file:", rootsFile.Name())
2259 } else {
2260 defer os.Remove(rootsFile.Name())
2261 }
2262 args = append(args, "-CAfile", rootsFile.Name())
2263
2264 if intermediates.len() > 0 {
2265 intermediatesFile := writePEMsToTempFile(allCerts(t, intermediates))
2266 if debugOpenSSLFailure {
2267 println("intermediates file:", intermediatesFile.Name())
2268 } else {
2269 defer os.Remove(intermediatesFile.Name())
2270 }
2271 args = append(args, "-untrusted", intermediatesFile.Name())
2272 }
2273
2274 leafFile := writePEMsToTempFile([]*Certificate{leaf})
2275 if debugOpenSSLFailure {
2276 println("leaf file:", leafFile.Name())
2277 } else {
2278 defer os.Remove(leafFile.Name())
2279 }
2280 args = append(args, leafFile.Name())
2281
2282 cmd := testenv.Command(t, "openssl", args...)
2283 out, err := cmd.CombinedOutput()
2284 return string(out), err
2285 }
2286
2287 var rfc2821Tests = []struct {
2288 in string
2289 localPart, domain string
2290 }{
2291 {"foo@example.com", "foo", "example.com"},
2292 {"@example.com", "", ""},
2293 {"\"@example.com", "", ""},
2294 {"\"\"@example.com", "", "example.com"},
2295 {"\"a\"@example.com", "a", "example.com"},
2296 {"\"\\a\"@example.com", "a", "example.com"},
2297 {"a\"@example.com", "", ""},
2298 {"foo..bar@example.com", "", ""},
2299 {".foo.bar@example.com", "", ""},
2300 {"foo.bar.@example.com", "", ""},
2301 {"|{}?'@example.com", "|{}?'", "example.com"},
2302 {"a@b@c.com", "", ""},
2303
2304
2305 {"Abc\\@def@example.com", "Abc@def", "example.com"},
2306 {"Fred\\ Bloggs@example.com", "Fred Bloggs", "example.com"},
2307 {"Joe.\\\\Blow@example.com", "Joe.\\Blow", "example.com"},
2308 {"\"Abc@def\"@example.com", "Abc@def", "example.com"},
2309 {"\"Fred Bloggs\"@example.com", "Fred Bloggs", "example.com"},
2310 {"customer/department=shipping@example.com", "customer/department=shipping", "example.com"},
2311 {"$A12345@example.com", "$A12345", "example.com"},
2312 {"!def!xyz%abc@example.com", "!def!xyz%abc", "example.com"},
2313 {"_somename@example.com", "_somename", "example.com"},
2314 }
2315
2316 func TestRFC2821Parsing(t *testing.T) {
2317 for i, test := range rfc2821Tests {
2318 mailbox, ok := parseRFC2821Mailbox(test.in)
2319 expectedFailure := len(test.localPart) == 0 && len(test.domain) == 0
2320
2321 if ok && expectedFailure {
2322 t.Errorf("#%d: %q unexpectedly parsed as (%q, %q)", i, test.in, mailbox.local, mailbox.domain)
2323 continue
2324 }
2325
2326 if !ok && !expectedFailure {
2327 t.Errorf("#%d: unexpected failure for %q", i, test.in)
2328 continue
2329 }
2330
2331 if !ok {
2332 continue
2333 }
2334
2335 if mailbox.local != test.localPart || mailbox.domain != test.domain {
2336 t.Errorf("#%d: %q parsed as (%q, %q), but wanted (%q, %q)", i, test.in, mailbox.local, mailbox.domain, test.localPart, test.domain)
2337 }
2338 }
2339 }
2340
2341 func TestBadNamesInConstraints(t *testing.T) {
2342 constraintParseError := func(err error) bool {
2343 str := err.Error()
2344 return strings.Contains(str, "failed to parse ") && strings.Contains(str, "constraint")
2345 }
2346
2347 encodingError := func(err error) bool {
2348 return strings.Contains(err.Error(), "cannot be encoded as an IA5String")
2349 }
2350
2351
2352 badNames := []struct {
2353 name string
2354 matcher func(error) bool
2355 }{
2356 {"dns:foo.com.", constraintParseError},
2357 {"email:abc@foo.com.", constraintParseError},
2358 {"email:foo.com.", constraintParseError},
2359 {"uri:example.com.", constraintParseError},
2360 {"uri:1.2.3.4", constraintParseError},
2361 {"uri:ffff::1", constraintParseError},
2362 {"dns:not–hyphen.com", encodingError},
2363 {"email:foo@not–hyphen.com", encodingError},
2364 {"uri:not–hyphen.com", encodingError},
2365 }
2366
2367 priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
2368 if err != nil {
2369 panic(err)
2370 }
2371
2372 for _, test := range badNames {
2373 _, err := makeConstraintsCACert(constraintsSpec{
2374 ok: []string{test.name},
2375 }, "TestAbsoluteNamesInConstraints", priv, nil, priv)
2376
2377 if err == nil {
2378 t.Errorf("bad name %q unexpectedly accepted in name constraint", test.name)
2379 continue
2380 } else {
2381 if !test.matcher(err) {
2382 t.Errorf("bad name %q triggered unrecognised error: %s", test.name, err)
2383 }
2384 }
2385 }
2386 }
2387
2388 func TestBadNamesInSANs(t *testing.T) {
2389
2390
2391
2392 badNames := []string{
2393 "uri:https://example.com./dsf",
2394 "invalidip:0102",
2395 "invalidip:0102030405",
2396 }
2397
2398 priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
2399 if err != nil {
2400 panic(err)
2401 }
2402
2403 for _, badName := range badNames {
2404 _, err := makeConstraintsLeafCert(leafSpec{sans: []string{badName}}, priv, nil, priv)
2405
2406 if err == nil {
2407 t.Errorf("bad name %q unexpectedly accepted in SAN", badName)
2408 continue
2409 }
2410
2411 if str := err.Error(); !strings.Contains(str, "cannot parse ") {
2412 t.Errorf("bad name %q triggered unrecognised error: %s", badName, str)
2413 }
2414 }
2415 }
2416
View as plain text