Source file
src/crypto/x509/name_constraints_test.go
1
2
3
4
5 package x509
6
7 import (
8 "bytes"
9 "crypto/ecdsa"
10 "crypto/elliptic"
11 "crypto/rand"
12 "crypto/x509/pkix"
13 "encoding/asn1"
14 "encoding/hex"
15 "encoding/pem"
16 "fmt"
17 "internal/testenv"
18 "math/big"
19 "net"
20 "net/url"
21 "os"
22 "os/exec"
23 "strconv"
24 "strings"
25 "sync"
26 "testing"
27 "time"
28 )
29
30 const (
31
32
33
34 testNameConstraintsAgainstOpenSSL = false
35
36
37
38
39 debugOpenSSLFailure = false
40 )
41
42 type nameConstraintsTest struct {
43 name string
44 roots []constraintsSpec
45 intermediates [][]constraintsSpec
46 leaf leafSpec
47 requestedEKUs []ExtKeyUsage
48 expectedError string
49 noOpenSSL bool
50 ignoreCN bool
51 }
52
53 type constraintsSpec struct {
54 ok []string
55 bad []string
56 ekus []string
57 }
58
59 type leafSpec struct {
60 sans []string
61 ekus []string
62 cn string
63 }
64
65 var nameConstraintsTests = []nameConstraintsTest{
66 {
67 name: "certificate generation process",
68 roots: make([]constraintsSpec, 1),
69 leaf: leafSpec{
70 sans: []string{"dns:example.com"},
71 },
72 },
73 {
74 name: "single level of intermediate",
75 roots: make([]constraintsSpec, 1),
76 intermediates: [][]constraintsSpec{
77 {
78 {},
79 },
80 },
81 leaf: leafSpec{
82 sans: []string{"dns:example.com"},
83 },
84 },
85 {
86 name: "two levels of intermediates",
87 roots: make([]constraintsSpec, 1),
88 intermediates: [][]constraintsSpec{
89 {
90 {},
91 },
92 {
93 {},
94 },
95 },
96 leaf: leafSpec{
97 sans: []string{"dns:example.com"},
98 },
99 },
100 {
101 name: "matching DNS constraint in root",
102 roots: []constraintsSpec{
103 {
104 ok: []string{"dns:example.com"},
105 },
106 },
107 intermediates: [][]constraintsSpec{
108 {
109 {},
110 },
111 },
112 leaf: leafSpec{
113 sans: []string{"dns:example.com"},
114 },
115 },
116 {
117 name: "matching DNS constraint in intermediate",
118 roots: make([]constraintsSpec, 1),
119 intermediates: [][]constraintsSpec{
120 {
121 {
122 ok: []string{"dns:example.com"},
123 },
124 },
125 },
126 leaf: leafSpec{
127 sans: []string{"dns:example.com"},
128 },
129 },
130 {
131 name: "leading period only matches subdomains",
132 roots: []constraintsSpec{
133 {
134 ok: []string{"dns:.example.com"},
135 },
136 },
137 intermediates: [][]constraintsSpec{
138 {
139 {},
140 },
141 },
142 leaf: leafSpec{
143 sans: []string{"dns:example.com"},
144 },
145 expectedError: "\"example.com\" is not permitted",
146 },
147 {
148 name: "leading period matches subdomains",
149 roots: make([]constraintsSpec, 1),
150 intermediates: [][]constraintsSpec{
151 {
152 {
153 ok: []string{"dns:.example.com"},
154 },
155 },
156 },
157 leaf: leafSpec{
158 sans: []string{"dns:foo.example.com"},
159 },
160 },
161 {
162 name: "leading period matches multiple levels of subdomains",
163 roots: []constraintsSpec{
164 {
165 ok: []string{"dns:.example.com"},
166 },
167 },
168 intermediates: [][]constraintsSpec{
169 {
170 {},
171 },
172 },
173 leaf: leafSpec{
174 sans: []string{"dns:foo.bar.example.com"},
175 },
176 },
177 {
178 name: "specifying a permitted list of names does not exclude other name types",
179 roots: []constraintsSpec{
180 {
181 ok: []string{"dns:.example.com"},
182 },
183 },
184 intermediates: [][]constraintsSpec{
185 {
186 {},
187 },
188 },
189 leaf: leafSpec{
190 sans: []string{"ip:10.1.1.1"},
191 },
192 },
193 {
194 name: "specifying a permitted list of names does not exclude other name types",
195 roots: []constraintsSpec{
196 {
197 ok: []string{"ip:10.0.0.0/8"},
198 },
199 },
200 intermediates: [][]constraintsSpec{
201 {
202 {},
203 },
204 },
205 leaf: leafSpec{
206 sans: []string{"dns:example.com"},
207 },
208 },
209 {
210 name: "intermediates can try to permit other names, which isn't forbidden if the leaf doesn't mention them",
211 roots: []constraintsSpec{
212 {
213 ok: []string{"dns:example.com"},
214 },
215 },
216 intermediates: [][]constraintsSpec{
217 {
218 {
219 ok: []string{"dns:example.com", "dns:foo.com"},
220 },
221 },
222 },
223 leaf: leafSpec{
224 sans: []string{"dns:example.com"},
225 },
226 },
227 {
228 name: "intermediates cannot add permitted names that the root doesn't grant them",
229 roots: []constraintsSpec{
230 {
231 ok: []string{"dns:example.com"},
232 },
233 },
234 intermediates: [][]constraintsSpec{
235 {
236 {
237 ok: []string{"dns:foo.example.com", "dns:foo.com"},
238 },
239 },
240 },
241 leaf: leafSpec{
242 sans: []string{"dns:foo.com"},
243 },
244 expectedError: "\"foo.com\" is not permitted",
245 },
246 {
247 name: "intermediates can further limit their scope if they wish",
248 roots: []constraintsSpec{
249 {
250 ok: []string{"dns:.example.com"},
251 },
252 },
253 intermediates: [][]constraintsSpec{
254 {
255 {
256 ok: []string{"dns:.bar.example.com"},
257 },
258 },
259 },
260 leaf: leafSpec{
261 sans: []string{"dns:foo.bar.example.com"},
262 },
263 },
264 {
265 name: "intermediates can further limit their scope and that limitation is effective",
266 roots: []constraintsSpec{
267 {
268 ok: []string{"dns:.example.com"},
269 },
270 },
271 intermediates: [][]constraintsSpec{
272 {
273 {
274 ok: []string{"dns:.bar.example.com"},
275 },
276 },
277 },
278 leaf: leafSpec{
279 sans: []string{"dns:foo.notbar.example.com"},
280 },
281 expectedError: "\"foo.notbar.example.com\" is not permitted",
282 },
283 {
284 name: "roots can exclude subtrees and that doesn't affect other names",
285 roots: []constraintsSpec{
286 {
287 bad: []string{"dns:.example.com"},
288 },
289 },
290 intermediates: [][]constraintsSpec{
291 {
292 {},
293 },
294 },
295 leaf: leafSpec{
296 sans: []string{"dns:foo.com"},
297 },
298 },
299 {
300 name: "roots exclusions are effective",
301 roots: []constraintsSpec{
302 {
303 bad: []string{"dns:.example.com"},
304 },
305 },
306 intermediates: [][]constraintsSpec{
307 {
308 {},
309 },
310 },
311 leaf: leafSpec{
312 sans: []string{"dns:foo.example.com"},
313 },
314 expectedError: "\"foo.example.com\" is excluded",
315 },
316 {
317 name: "intermediates can also exclude names and that doesn't affect other names",
318 roots: make([]constraintsSpec, 1),
319 intermediates: [][]constraintsSpec{
320 {
321 {
322 bad: []string{"dns:.example.com"},
323 },
324 },
325 },
326 leaf: leafSpec{
327 sans: []string{"dns:foo.com"},
328 },
329 },
330 {
331 name: "intermediate exclusions are effective",
332 roots: make([]constraintsSpec, 1),
333 intermediates: [][]constraintsSpec{
334 {
335 {
336 bad: []string{"dns:.example.com"},
337 },
338 },
339 },
340 leaf: leafSpec{
341 sans: []string{"dns:foo.example.com"},
342 },
343 expectedError: "\"foo.example.com\" is excluded",
344 },
345 {
346 name: "having an exclusion doesn't prohibit other types of names",
347 roots: []constraintsSpec{
348 {
349 bad: []string{"dns:.example.com"},
350 },
351 },
352 intermediates: [][]constraintsSpec{
353 {
354 {},
355 },
356 },
357 leaf: leafSpec{
358 sans: []string{"dns:foo.com", "ip:10.1.1.1"},
359 },
360 },
361 {
362 name: "IP-based exclusions are permitted and don't affect unrelated IP addresses",
363 roots: []constraintsSpec{
364 {
365 bad: []string{"ip:10.0.0.0/8"},
366 },
367 },
368 intermediates: [][]constraintsSpec{
369 {
370 {},
371 },
372 },
373 leaf: leafSpec{
374 sans: []string{"ip:192.168.1.1"},
375 },
376 },
377 {
378 name: "IP-based exclusions are effective",
379 roots: []constraintsSpec{
380 {
381 bad: []string{"ip:10.0.0.0/8"},
382 },
383 },
384 intermediates: [][]constraintsSpec{
385 {
386 {},
387 },
388 },
389 leaf: leafSpec{
390 sans: []string{"ip:10.0.0.1"},
391 },
392 expectedError: "\"10.0.0.1\" is excluded",
393 },
394 {
395 name: "intermediates can further constrain IP ranges",
396 roots: []constraintsSpec{
397 {
398 bad: []string{"ip:0.0.0.0/1"},
399 },
400 },
401 intermediates: [][]constraintsSpec{
402 {
403 {
404 bad: []string{"ip:11.0.0.0/8"},
405 },
406 },
407 },
408 leaf: leafSpec{
409 sans: []string{"ip:11.0.0.1"},
410 },
411 expectedError: "\"11.0.0.1\" is excluded",
412 },
413 {
414 name: "multiple intermediates with incompatible constraints",
415 roots: make([]constraintsSpec, 1),
416 intermediates: [][]constraintsSpec{
417 {
418 {
419 ok: []string{"dns:.foo.com"},
420 },
421 {
422 ok: []string{"dns:.example.com"},
423 },
424 },
425 },
426 leaf: leafSpec{
427 sans: []string{"dns:foo.example.com"},
428 },
429 noOpenSSL: true,
430 },
431 {
432 name: "multiple intermediates with incompatible constraints swapped",
433 roots: make([]constraintsSpec, 1),
434 intermediates: [][]constraintsSpec{
435 {
436 {
437 ok: []string{"dns:.example.com"},
438 },
439 {
440 ok: []string{"dns:.foo.com"},
441 },
442 },
443 },
444 leaf: leafSpec{
445 sans: []string{"dns:foo.example.com"},
446 },
447 noOpenSSL: true,
448 },
449 {
450 name: "multiple roots with incompatible constraints",
451 roots: []constraintsSpec{
452 {},
453 {
454 ok: []string{"dns:foo.com"},
455 },
456 },
457 intermediates: [][]constraintsSpec{
458 {
459 {},
460 },
461 },
462 leaf: leafSpec{
463 sans: []string{"dns:example.com"},
464 },
465 noOpenSSL: true,
466 },
467 {
468 name: "multiple roots with incompatible constraints swapped",
469 roots: []constraintsSpec{
470 {
471 ok: []string{"dns:foo.com"},
472 },
473 {},
474 },
475 intermediates: [][]constraintsSpec{
476 {
477 {},
478 },
479 },
480 leaf: leafSpec{
481 sans: []string{"dns:example.com"},
482 },
483 noOpenSSL: true,
484 },
485 {
486 name: "chain building with multiple intermediates and roots",
487 roots: []constraintsSpec{
488 {
489 ok: []string{"dns:foo.com"},
490 },
491 {
492 ok: []string{"dns:example.com"},
493 },
494 {},
495 },
496 intermediates: [][]constraintsSpec{
497 {
498 {},
499 {
500 ok: []string{"dns:foo.com"},
501 },
502 },
503 {
504 {},
505 {
506 ok: []string{"dns:foo.com"},
507 },
508 },
509 },
510 leaf: leafSpec{
511 sans: []string{"dns:bar.com"},
512 },
513 noOpenSSL: true,
514 },
515 {
516 name: "chain building fails with no valid path",
517 roots: []constraintsSpec{
518 {
519 ok: []string{"dns:foo.com"},
520 },
521 {
522 ok: []string{"dns:example.com"},
523 },
524 },
525 intermediates: [][]constraintsSpec{
526 {
527 {},
528 {
529 ok: []string{"dns:foo.com"},
530 },
531 },
532 {
533 {
534 ok: []string{"dns:bar.com"},
535 },
536 {
537 ok: []string{"dns:foo.com"},
538 },
539 },
540 },
541 leaf: leafSpec{
542 sans: []string{"dns:bar.com"},
543 },
544 expectedError: "\"bar.com\" is not permitted",
545 },
546 {
547 name: "unknown name types are unconstrained",
548 roots: make([]constraintsSpec, 1),
549 intermediates: [][]constraintsSpec{
550 {
551 {},
552 },
553 },
554 leaf: leafSpec{
555 sans: []string{"unknown:"},
556 },
557 },
558 {
559 name: "unknown name types allowed in constrained chain",
560 roots: []constraintsSpec{
561 {
562 ok: []string{"dns:foo.com", "dns:.foo.com"},
563 },
564 },
565 intermediates: [][]constraintsSpec{
566 {
567 {},
568 },
569 },
570 leaf: leafSpec{
571 sans: []string{"unknown:"},
572 },
573 },
574 {
575 name: "CN is ignored in constrained chain",
576 roots: []constraintsSpec{
577 {
578 ok: []string{"dns:foo.com", "dns:.foo.com"},
579 },
580 },
581 intermediates: [][]constraintsSpec{
582 {
583 {},
584 },
585 },
586 leaf: leafSpec{
587 sans: []string{},
588 cn: "foo.com",
589 },
590 },
591 {
592 name: "IPv6 permitted constraint",
593 roots: []constraintsSpec{
594 {
595 ok: []string{"ip:2000:abcd::/32"},
596 },
597 },
598 intermediates: [][]constraintsSpec{
599 {
600 {},
601 },
602 },
603 leaf: leafSpec{
604 sans: []string{"ip:2000:abcd:1234::"},
605 },
606 },
607 {
608 name: "IPv6 permitted constraint is effective",
609 roots: []constraintsSpec{
610 {
611 ok: []string{"ip:2000:abcd::/32"},
612 },
613 },
614 intermediates: [][]constraintsSpec{
615 {
616 {},
617 },
618 },
619 leaf: leafSpec{
620 sans: []string{"ip:2000:1234:abcd::"},
621 },
622 expectedError: "\"2000:1234:abcd::\" is not permitted",
623 },
624 {
625 name: "IPv6 permitted constraint does not affect DNS",
626 roots: []constraintsSpec{
627 {
628 ok: []string{"ip:2000:abcd::/32"},
629 },
630 },
631 intermediates: [][]constraintsSpec{
632 {
633 {},
634 },
635 },
636 leaf: leafSpec{
637 sans: []string{"ip:2000:abcd::", "dns:foo.com"},
638 },
639 },
640 {
641 name: "IPv6 excluded constraint",
642 roots: []constraintsSpec{
643 {
644 bad: []string{"ip:2000:abcd::/32"},
645 },
646 },
647 intermediates: [][]constraintsSpec{
648 {
649 {},
650 },
651 },
652 leaf: leafSpec{
653 sans: []string{"ip:2000:1234::"},
654 },
655 },
656 {
657 name: "IPv6 excluded constraint is effective",
658 roots: []constraintsSpec{
659 {
660 bad: []string{"ip:2000:abcd::/32"},
661 },
662 },
663 intermediates: [][]constraintsSpec{
664 {
665 {},
666 },
667 },
668 leaf: leafSpec{
669 sans: []string{"ip:2000:abcd::"},
670 },
671 expectedError: "\"2000:abcd::\" is excluded",
672 },
673 {
674 name: "IPv6 constraint does not permit IPv4",
675 roots: []constraintsSpec{
676 {
677 ok: []string{"ip:2000:abcd::/32"},
678 },
679 },
680 intermediates: [][]constraintsSpec{
681 {
682 {},
683 },
684 },
685 leaf: leafSpec{
686 sans: []string{"ip:10.0.0.1"},
687 },
688 expectedError: "\"10.0.0.1\" is not permitted",
689 },
690 {
691 name: "IPv4 constraint does not permit IPv6",
692 roots: []constraintsSpec{
693 {
694 ok: []string{"ip:10.0.0.0/8"},
695 },
696 },
697 intermediates: [][]constraintsSpec{
698 {
699 {},
700 },
701 },
702 leaf: leafSpec{
703 sans: []string{"ip:2000:abcd::"},
704 },
705 expectedError: "\"2000:abcd::\" is not permitted",
706 },
707 {
708 name: "unknown excluded constraint does not affect other names",
709 roots: []constraintsSpec{
710 {
711 bad: []string{"unknown:"},
712 },
713 },
714 intermediates: [][]constraintsSpec{
715 {
716 {},
717 },
718 },
719 leaf: leafSpec{
720 sans: []string{"dns:example.com"},
721 },
722 },
723 {
724 name: "unknown permitted constraint does not affect other names",
725 roots: []constraintsSpec{
726 {
727 ok: []string{"unknown:"},
728 },
729 },
730 intermediates: [][]constraintsSpec{
731 {
732 {},
733 },
734 },
735 leaf: leafSpec{
736 sans: []string{"dns:example.com"},
737 },
738 },
739 {
740 name: "exact email constraint",
741 roots: []constraintsSpec{
742 {
743 ok: []string{"email:foo@example.com"},
744 },
745 },
746 intermediates: [][]constraintsSpec{
747 {
748 {},
749 },
750 },
751 leaf: leafSpec{
752 sans: []string{"email:foo@example.com"},
753 },
754 },
755 {
756 name: "exact email constraint is effective",
757 roots: []constraintsSpec{
758 {
759 ok: []string{"email:foo@example.com"},
760 },
761 },
762 intermediates: [][]constraintsSpec{
763 {
764 {},
765 },
766 },
767 leaf: leafSpec{
768 sans: []string{"email:bar@example.com"},
769 },
770 expectedError: "\"bar@example.com\" is not permitted",
771 },
772 {
773 name: "email canonicalization",
774 roots: []constraintsSpec{
775 {
776 ok: []string{"email:foo@example.com"},
777 },
778 },
779 intermediates: [][]constraintsSpec{
780 {
781 {},
782 },
783 },
784 leaf: leafSpec{
785 sans: []string{"email:\"\\f\\o\\o\"@example.com"},
786 },
787 noOpenSSL: true,
788 },
789 {
790 name: "email host constraint",
791 roots: []constraintsSpec{
792 {
793 ok: []string{"email:example.com"},
794 },
795 },
796 intermediates: [][]constraintsSpec{
797 {
798 {},
799 },
800 },
801 leaf: leafSpec{
802 sans: []string{"email:foo@example.com"},
803 },
804 },
805 {
806 name: "email subdomain constraint",
807 roots: []constraintsSpec{
808 {
809 ok: []string{"email:.example.com"},
810 },
811 },
812 intermediates: [][]constraintsSpec{
813 {
814 {},
815 },
816 },
817 leaf: leafSpec{
818 sans: []string{"email:foo@sub.example.com"},
819 },
820 },
821 {
822 name: "email subdomain constraint does not match parent",
823 roots: []constraintsSpec{
824 {
825 ok: []string{"email:.example.com"},
826 },
827 },
828 intermediates: [][]constraintsSpec{
829 {
830 {},
831 },
832 },
833 leaf: leafSpec{
834 sans: []string{"email:foo@example.com"},
835 },
836 expectedError: "\"foo@example.com\" is not permitted",
837 },
838 {
839 name: "email subdomain constraint matches deeper subdomains",
840 roots: []constraintsSpec{
841 {
842 ok: []string{"email:.example.com"},
843 },
844 },
845 intermediates: [][]constraintsSpec{
846 {
847 {},
848 },
849 },
850 leaf: leafSpec{
851 sans: []string{"email:foo@sub.sub.example.com"},
852 },
853 },
854 {
855 name: "email local part is case-sensitive",
856 roots: []constraintsSpec{
857 {
858 ok: []string{"email:foo@example.com"},
859 },
860 },
861 intermediates: [][]constraintsSpec{
862 {
863 {},
864 },
865 },
866 leaf: leafSpec{
867 sans: []string{"email:Foo@example.com"},
868 },
869 expectedError: "\"Foo@example.com\" is not permitted",
870 },
871 {
872 name: "email domain part is case-insensitive",
873 roots: []constraintsSpec{
874 {
875 ok: []string{"email:foo@EXAMPLE.com"},
876 },
877 },
878 intermediates: [][]constraintsSpec{
879 {
880 {},
881 },
882 },
883 leaf: leafSpec{
884 sans: []string{"email:foo@example.com"},
885 },
886 },
887 {
888 name: "DNS domain is case-insensitive",
889 roots: []constraintsSpec{
890 {
891 ok: []string{"dns:EXAMPLE.com"},
892 },
893 },
894 intermediates: [][]constraintsSpec{
895 {
896 {},
897 },
898 },
899 leaf: leafSpec{
900 sans: []string{"dns:example.com"},
901 },
902 },
903 {
904 name: "URI constraint covers host",
905 roots: []constraintsSpec{
906 {
907 ok: []string{"uri:example.com"},
908 },
909 },
910 intermediates: [][]constraintsSpec{
911 {
912 {},
913 },
914 },
915 leaf: leafSpec{
916 sans: []string{
917 "uri:http://example.com/bar",
918 "uri:http://example.com:8080/",
919 "uri:https://example.com/wibble#bar",
920 },
921 },
922 },
923 {
924 name: "URI with IP is rejected",
925 roots: []constraintsSpec{
926 {
927 ok: []string{"uri:example.com"},
928 },
929 },
930 intermediates: [][]constraintsSpec{
931 {
932 {},
933 },
934 },
935 leaf: leafSpec{
936 sans: []string{"uri:http://1.2.3.4/"},
937 },
938 expectedError: "URI with IP",
939 },
940 {
941 name: "URI with IP and port is rejected",
942 roots: []constraintsSpec{
943 {
944 ok: []string{"uri:example.com"},
945 },
946 },
947 intermediates: [][]constraintsSpec{
948 {
949 {},
950 },
951 },
952 leaf: leafSpec{
953 sans: []string{"uri:http://1.2.3.4:43/"},
954 },
955 expectedError: "URI with IP",
956 },
957 {
958 name: "URI with IPv6 is rejected",
959 roots: []constraintsSpec{
960 {
961 ok: []string{"uri:example.com"},
962 },
963 },
964 intermediates: [][]constraintsSpec{
965 {
966 {},
967 },
968 },
969 leaf: leafSpec{
970 sans: []string{"uri:http://[2006:abcd::1]/"},
971 },
972 expectedError: "URI with IP",
973 },
974 {
975 name: "URI with IPv6 and port is rejected",
976 roots: []constraintsSpec{
977 {
978 ok: []string{"uri:example.com"},
979 },
980 },
981 intermediates: [][]constraintsSpec{
982 {
983 {},
984 },
985 },
986 leaf: leafSpec{
987 sans: []string{"uri:http://[2006:abcd::1]:16/"},
988 },
989 expectedError: "URI with IP",
990 },
991 {
992 name: "URI permitted constraint is effective",
993 roots: []constraintsSpec{
994 {
995 ok: []string{"uri:example.com"},
996 },
997 },
998 intermediates: [][]constraintsSpec{
999 {
1000 {},
1001 },
1002 },
1003 leaf: leafSpec{
1004 sans: []string{"uri:http://bar.com/"},
1005 },
1006 expectedError: "\"http://bar.com/\" is not permitted",
1007 },
1008 {
1009 name: "URI excluded constraint is effective",
1010 roots: []constraintsSpec{
1011 {
1012 bad: []string{"uri:foo.com"},
1013 },
1014 },
1015 intermediates: [][]constraintsSpec{
1016 {
1017 {},
1018 },
1019 },
1020 leaf: leafSpec{
1021 sans: []string{"uri:http://foo.com/"},
1022 },
1023 expectedError: "\"http://foo.com/\" is excluded",
1024 },
1025 {
1026 name: "URI subdomain constraint",
1027 roots: []constraintsSpec{
1028 {
1029 ok: []string{"uri:.foo.com"},
1030 },
1031 },
1032 intermediates: [][]constraintsSpec{
1033 {
1034 {},
1035 },
1036 },
1037 leaf: leafSpec{
1038 sans: []string{"uri:http://www.foo.com/"},
1039 },
1040 },
1041 {
1042 name: "IPv4-mapped-IPv6 exclusion does not affect IPv4",
1043 roots: []constraintsSpec{
1044 {
1045 bad: []string{"ip:::ffff:1.2.3.4/128"},
1046 },
1047 },
1048 intermediates: [][]constraintsSpec{
1049 {
1050 {},
1051 },
1052 },
1053 leaf: leafSpec{
1054 sans: []string{"ip:1.2.3.4"},
1055 },
1056 },
1057 {
1058 name: "URI constraint not matched by URN",
1059 roots: []constraintsSpec{
1060 {
1061 ok: []string{"uri:example.com"},
1062 },
1063 },
1064 intermediates: [][]constraintsSpec{
1065 {
1066 {},
1067 },
1068 },
1069 leaf: leafSpec{
1070 sans: []string{"uri:urn:example"},
1071 },
1072 expectedError: "URI with empty host",
1073 },
1074 {
1075 name: "IPv6 exclusion does not exclude all IPv4",
1076 roots: []constraintsSpec{
1077 {
1078 ok: []string{"ip:1.2.3.0/24"},
1079 bad: []string{"ip:::0/0"},
1080 },
1081 },
1082 intermediates: [][]constraintsSpec{
1083 {
1084 {},
1085 },
1086 },
1087 leaf: leafSpec{
1088 sans: []string{"ip:1.2.3.4"},
1089 },
1090 },
1091 {
1092 name: "empty EKU in CA means any is ok",
1093 roots: make([]constraintsSpec, 1),
1094 intermediates: [][]constraintsSpec{
1095 {
1096 {},
1097 },
1098 },
1099 leaf: leafSpec{
1100 sans: []string{"dns:example.com"},
1101 ekus: []string{"serverAuth", "other"},
1102 },
1103 },
1104 {
1105 name: "any EKU means any is ok",
1106 roots: make([]constraintsSpec, 1),
1107 intermediates: [][]constraintsSpec{
1108 {
1109 {
1110 ekus: []string{"any"},
1111 },
1112 },
1113 },
1114 leaf: leafSpec{
1115 sans: []string{"dns:example.com"},
1116 ekus: []string{"serverAuth", "other"},
1117 },
1118 },
1119
1120 {
1121 name: "intermediate with enumerated EKUs",
1122 roots: make([]constraintsSpec, 1),
1123 intermediates: [][]constraintsSpec{
1124 {
1125 {
1126 ekus: []string{"email"},
1127 },
1128 },
1129 },
1130 leaf: leafSpec{
1131 sans: []string{"dns:example.com"},
1132 ekus: []string{"serverAuth"},
1133 },
1134 expectedError: "incompatible key usage",
1135 },
1136 {
1137 name: "unknown EKU in leaf",
1138 roots: make([]constraintsSpec, 1),
1139 intermediates: [][]constraintsSpec{
1140 {
1141 {
1142 ekus: []string{"email"},
1143 },
1144 },
1145 },
1146 leaf: leafSpec{
1147 sans: []string{"dns:example.com"},
1148 ekus: []string{"other"},
1149 },
1150 requestedEKUs: []ExtKeyUsage{ExtKeyUsageAny},
1151 },
1152
1153 {
1154 name: "intermediate cannot add EKUs not in root if leaf uses them",
1155 roots: []constraintsSpec{
1156 {
1157 ekus: []string{"serverAuth"},
1158 },
1159 },
1160 intermediates: [][]constraintsSpec{
1161 {
1162 {
1163 ekus: []string{"serverAuth", "email"},
1164 },
1165 },
1166 },
1167 leaf: leafSpec{
1168 sans: []string{"dns:example.com"},
1169 ekus: []string{"serverAuth"},
1170 },
1171 },
1172 {
1173 name: "EKUs in root are effective",
1174 roots: []constraintsSpec{
1175 {
1176 ekus: []string{"email"},
1177 },
1178 },
1179 intermediates: [][]constraintsSpec{
1180 {
1181 {
1182 ekus: []string{"serverAuth"},
1183 },
1184 },
1185 },
1186 leaf: leafSpec{
1187 sans: []string{"dns:example.com"},
1188 ekus: []string{"serverAuth"},
1189 },
1190 expectedError: "incompatible key usage",
1191 },
1192 {
1193 name: "netscapeSGC EKU does not permit server/client auth",
1194 roots: []constraintsSpec{
1195 {},
1196 },
1197 intermediates: [][]constraintsSpec{
1198 {
1199 {
1200 ekus: []string{"netscapeSGC"},
1201 },
1202 },
1203 },
1204 leaf: leafSpec{
1205 sans: []string{"dns:example.com"},
1206 ekus: []string{"serverAuth", "clientAuth"},
1207 },
1208 expectedError: "incompatible key usage",
1209 },
1210 {
1211 name: "msSGC EKU does not permit server/client auth",
1212 roots: make([]constraintsSpec, 1),
1213 intermediates: [][]constraintsSpec{
1214 {
1215 {
1216 ekus: []string{"msSGC"},
1217 },
1218 },
1219 },
1220 leaf: leafSpec{
1221 sans: []string{"dns:example.com"},
1222 ekus: []string{"serverAuth", "clientAuth"},
1223 },
1224 expectedError: "incompatible key usage",
1225 },
1226 {
1227 name: "empty DNS permitted constraint allows anything",
1228 roots: []constraintsSpec{
1229 {
1230 ok: []string{"dns:"},
1231 },
1232 },
1233 intermediates: [][]constraintsSpec{
1234 {
1235 {},
1236 },
1237 },
1238 leaf: leafSpec{
1239 sans: []string{"dns:example.com"},
1240 },
1241 },
1242 {
1243 name: "empty DNS excluded constraint rejects everything",
1244 roots: []constraintsSpec{
1245 {
1246 bad: []string{"dns:"},
1247 },
1248 },
1249 intermediates: [][]constraintsSpec{
1250 {
1251 {},
1252 },
1253 },
1254 leaf: leafSpec{
1255 sans: []string{"dns:example.com"},
1256 },
1257 expectedError: "\"example.com\" is excluded",
1258 },
1259 {
1260 name: "empty email permitted constraint allows anything",
1261 roots: []constraintsSpec{
1262 {
1263 ok: []string{"email:"},
1264 },
1265 },
1266 intermediates: [][]constraintsSpec{
1267 {
1268 {},
1269 },
1270 },
1271 leaf: leafSpec{
1272 sans: []string{"email:foo@example.com"},
1273 },
1274 },
1275 {
1276 name: "empty email excluded constraint rejects everything",
1277 roots: []constraintsSpec{
1278 {
1279 bad: []string{"email:"},
1280 },
1281 },
1282 intermediates: [][]constraintsSpec{
1283 {
1284 {},
1285 },
1286 },
1287 leaf: leafSpec{
1288 sans: []string{"email:foo@example.com"},
1289 },
1290 expectedError: "\"foo@example.com\" is excluded",
1291 },
1292 {
1293 name: "empty URI permitted constraint allows anything",
1294 roots: []constraintsSpec{
1295 {
1296 ok: []string{"uri:"},
1297 },
1298 },
1299 intermediates: [][]constraintsSpec{
1300 {
1301 {},
1302 },
1303 },
1304 leaf: leafSpec{
1305 sans: []string{"uri:https://example.com/test"},
1306 },
1307 },
1308 {
1309 name: "empty URI excluded constraint rejects everything",
1310 roots: []constraintsSpec{
1311 {
1312 bad: []string{"uri:"},
1313 },
1314 },
1315 intermediates: [][]constraintsSpec{
1316 {
1317 {},
1318 },
1319 },
1320 leaf: leafSpec{
1321 sans: []string{"uri:https://example.com/test"},
1322 },
1323 expectedError: "\"https://example.com/test\" is excluded",
1324 },
1325 {
1326 name: "serverAuth EKU does not permit clientAuth",
1327 roots: make([]constraintsSpec, 1),
1328 intermediates: [][]constraintsSpec{
1329 {
1330 {},
1331 },
1332 },
1333 leaf: leafSpec{
1334 sans: []string{"dns:example.com"},
1335 ekus: []string{"serverAuth"},
1336 },
1337 requestedEKUs: []ExtKeyUsage{ExtKeyUsageClientAuth},
1338 expectedError: "incompatible key usage",
1339 },
1340 {
1341 name: "msSGC EKU does not permit serverAuth",
1342 roots: make([]constraintsSpec, 1),
1343 intermediates: [][]constraintsSpec{
1344 {
1345 {},
1346 },
1347 },
1348 leaf: leafSpec{
1349 sans: []string{"dns:example.com"},
1350 ekus: []string{"msSGC"},
1351 },
1352 requestedEKUs: []ExtKeyUsage{ExtKeyUsageServerAuth},
1353 expectedError: "incompatible key usage",
1354 },
1355 {
1356
1357
1358
1359 name: "invalid SANs are ignored with no constraints",
1360 roots: make([]constraintsSpec, 1),
1361 intermediates: [][]constraintsSpec{
1362 {
1363 {},
1364 },
1365 },
1366 leaf: leafSpec{
1367 sans: []string{"dns:this is invalid", "email:this @ is invalid"},
1368 },
1369 },
1370 {
1371 name: "invalid DNS SAN detected with constraints",
1372 roots: []constraintsSpec{
1373 {
1374 bad: []string{"uri:"},
1375 },
1376 },
1377 intermediates: [][]constraintsSpec{
1378 {
1379 {},
1380 },
1381 },
1382 leaf: leafSpec{
1383 sans: []string{"dns:this is invalid"},
1384 },
1385 expectedError: "cannot parse dnsName",
1386 },
1387 {
1388 name: "invalid email SAN detected with constraints",
1389 roots: []constraintsSpec{
1390 {
1391 bad: []string{"uri:"},
1392 },
1393 },
1394 intermediates: [][]constraintsSpec{
1395 {
1396 {},
1397 },
1398 },
1399 leaf: leafSpec{
1400 sans: []string{"email:this @ is invalid"},
1401 },
1402 expectedError: "cannot parse rfc822Name",
1403 },
1404 {
1405 name: "any requested EKU is sufficient",
1406 roots: make([]constraintsSpec, 1),
1407 intermediates: [][]constraintsSpec{
1408 {
1409 {},
1410 },
1411 },
1412 leaf: leafSpec{
1413 sans: []string{"dns:example.com"},
1414 ekus: []string{"email"},
1415 },
1416 requestedEKUs: []ExtKeyUsage{ExtKeyUsageClientAuth, ExtKeyUsageEmailProtection},
1417 },
1418 {
1419 name: "unrequested EKUs not required to be nested",
1420 roots: make([]constraintsSpec, 1),
1421 intermediates: [][]constraintsSpec{
1422 {
1423 {
1424 ekus: []string{"serverAuth"},
1425 },
1426 },
1427 },
1428 leaf: leafSpec{
1429 sans: []string{"dns:example.com"},
1430
1431
1432 ekus: []string{"email", "serverAuth"},
1433 },
1434 },
1435 {
1436 name: "empty leaf is accepted in constrained chain",
1437 roots: []constraintsSpec{
1438 {
1439 ok: []string{"dns:foo.com", "dns:.foo.com"},
1440 },
1441 },
1442 intermediates: [][]constraintsSpec{
1443 {
1444 {},
1445 },
1446 },
1447 leaf: leafSpec{
1448 sans: []string{},
1449 },
1450 },
1451 {
1452 name: "no SANs and non-hostname CN is accepted in constrained chain",
1453 roots: []constraintsSpec{
1454 {
1455 ok: []string{"dns:foo.com", "dns:.foo.com"},
1456 },
1457 },
1458 intermediates: [][]constraintsSpec{
1459 {
1460 {},
1461 },
1462 },
1463 leaf: leafSpec{
1464 sans: []string{},
1465 cn: "foo.bar",
1466 },
1467 },
1468 {
1469 name: "constraints don't apply to CN",
1470 roots: []constraintsSpec{
1471 {
1472 ok: []string{"dns:foo.com", "dns:.foo.com"},
1473 },
1474 },
1475 intermediates: [][]constraintsSpec{
1476 {
1477 {},
1478 },
1479 },
1480 leaf: leafSpec{
1481 sans: []string{"dns:foo.com"},
1482 cn: "foo.bar",
1483 },
1484 },
1485 {
1486 name: "DNS SAN cannot use leading period form",
1487 roots: []constraintsSpec{{ok: []string{"dns:example.com"}}},
1488 leaf: leafSpec{sans: []string{"dns:.example.com"}},
1489 expectedError: "cannot parse dnsName \".example.com\"",
1490 },
1491 {
1492 name: "URI with IPv6 and zone is rejected",
1493 roots: []constraintsSpec{
1494 {
1495 ok: []string{"uri:example.com"},
1496 },
1497 },
1498 intermediates: [][]constraintsSpec{
1499 {
1500 {},
1501 },
1502 },
1503 leaf: leafSpec{
1504 sans: []string{"uri:http://[2006:abcd::1%25.example.com]:16/"},
1505 },
1506 expectedError: "URI with IP",
1507 },
1508 {
1509 name: "intermediate can narrow permitted dns scope",
1510 roots: []constraintsSpec{
1511 {
1512 ok: []string{"dns:"},
1513 },
1514 },
1515 intermediates: [][]constraintsSpec{
1516 {
1517 {
1518 ok: []string{"dns:example.com"},
1519 },
1520 },
1521 },
1522 leaf: leafSpec{
1523 sans: []string{"dns:test.com"},
1524 },
1525 expectedError: "\"test.com\" is not permitted",
1526 },
1527 {
1528 name: "intermediate cannot narrow excluded dns scope",
1529 roots: []constraintsSpec{
1530 {
1531 bad: []string{"dns:"},
1532 },
1533 },
1534 intermediates: [][]constraintsSpec{
1535 {
1536 {
1537 bad: []string{"dns:example.com"},
1538 },
1539 },
1540 },
1541 leaf: leafSpec{
1542 sans: []string{"dns:test.com"},
1543 },
1544 expectedError: "\"test.com\" is excluded by constraint \"\"",
1545 },
1546 {
1547 name: "intermediate can narrow excluded dns scope",
1548 roots: []constraintsSpec{
1549 {
1550 bad: []string{"dns:example.com"},
1551 },
1552 },
1553 intermediates: [][]constraintsSpec{
1554 {
1555 {
1556 bad: []string{"dns:"},
1557 },
1558 },
1559 },
1560 leaf: leafSpec{
1561 sans: []string{"dns:test.com"},
1562 },
1563 expectedError: "\"test.com\" is excluded by constraint \"\"",
1564 },
1565 {
1566 name: "permitted dns constraint is not a prefix match",
1567 roots: []constraintsSpec{
1568 {
1569 ok: []string{"dns:example.com"},
1570 },
1571 },
1572 intermediates: [][]constraintsSpec{
1573 {
1574 {},
1575 },
1576 },
1577 leaf: leafSpec{
1578 sans: []string{"dns:testexample.com"},
1579 },
1580 expectedError: "\"testexample.com\" is not permitted",
1581 },
1582 {
1583 name: "subdomain constraint does not allow wildcard",
1584 roots: []constraintsSpec{
1585 {
1586 ok: []string{"dns:a.com", "dns:foo.example.com", "dns:z.com"},
1587 },
1588 },
1589 intermediates: [][]constraintsSpec{
1590 {
1591 {},
1592 },
1593 },
1594 leaf: leafSpec{
1595 sans: []string{"dns:*.example.com"},
1596 },
1597 expectedError: "\"*.example.com\" is not permitted",
1598 },
1599 {
1600 name: "excluded dns constraint is not a prefix match",
1601 roots: []constraintsSpec{
1602 {
1603 bad: []string{"dns:example.com"},
1604 },
1605 },
1606 intermediates: [][]constraintsSpec{
1607 {
1608 {},
1609 },
1610 },
1611 leaf: leafSpec{
1612 sans: []string{"dns:testexample.com"},
1613 },
1614 },
1615 {
1616 name: "excluded email constraint, multiple email with matching local portion",
1617 roots: []constraintsSpec{
1618 {
1619 bad: []string{"email:a@example.com", "email:a@test.com"},
1620 },
1621 },
1622 intermediates: [][]constraintsSpec{
1623 {
1624 {},
1625 },
1626 },
1627 leaf: leafSpec{
1628 sans: []string{"email:a@example.com"},
1629 },
1630 expectedError: "\"a@example.com\" is excluded by constraint \"a@example.com\"",
1631 },
1632 {
1633 name: "email_case_check",
1634 roots: []constraintsSpec{
1635 {
1636 ok: []string{"email:a@example.com"},
1637 },
1638 },
1639 intermediates: [][]constraintsSpec{
1640 {
1641 {},
1642 },
1643 },
1644 leaf: leafSpec{
1645 sans: []string{"email:a@ExAmple.com"},
1646 },
1647 },
1648 {
1649 name: "excluded constraint, empty DNS san",
1650 roots: []constraintsSpec{
1651 {
1652 bad: []string{"dns:example.com"},
1653 },
1654 },
1655 leaf: leafSpec{
1656 sans: []string{"dns:"},
1657 },
1658 },
1659
1660 {
1661 name: "subdomain excluded constraints preclude outer wildcard names",
1662 roots: []constraintsSpec{
1663 {
1664 bad: []string{"dns:foo.example.com"},
1665 },
1666 },
1667 intermediates: [][]constraintsSpec{
1668 {
1669 {},
1670 },
1671 },
1672 leaf: leafSpec{
1673 sans: []string{"dns:*.example.com"},
1674 },
1675 expectedError: "\"*.example.com\" is excluded by constraint \"foo.example.com\"",
1676 },
1677 {
1678 name: "subdomain excluded constraints do not preclude far outer wildcard names",
1679 roots: []constraintsSpec{
1680 {
1681 bad: []string{"dns:foo.example.com"},
1682 },
1683 },
1684 intermediates: [][]constraintsSpec{
1685 {
1686 {},
1687 },
1688 },
1689 leaf: leafSpec{
1690 sans: []string{"dns:*.com"},
1691 },
1692 },
1693 {
1694 name: "subdomain excluded constraints preclude inner wildcard names",
1695 roots: []constraintsSpec{
1696 {
1697 bad: []string{"dns:foo.example.com"},
1698 },
1699 },
1700 intermediates: [][]constraintsSpec{
1701 {
1702 {},
1703 },
1704 },
1705 leaf: leafSpec{
1706 sans: []string{"dns:*.foo.example.com"},
1707 },
1708 expectedError: "\"*.foo.example.com\" is excluded by constraint \"foo.example.com\"",
1709 },
1710 {
1711 name: "subdomain excluded constraints preclude far inner wildcard names",
1712 roots: []constraintsSpec{
1713 {
1714 bad: []string{"dns:foo.example.com"},
1715 },
1716 },
1717 intermediates: [][]constraintsSpec{
1718 {
1719 {},
1720 },
1721 },
1722 leaf: leafSpec{
1723 sans: []string{"dns:*.bar.foo.example.com"},
1724 },
1725 expectedError: "\"*.bar.foo.example.com\" is excluded by constraint \"foo.example.com\"",
1726 },
1727 {
1728 name: "outer wildcard names are not matched by subdomain permitted constraints",
1729 roots: []constraintsSpec{
1730 {
1731 ok: []string{"dns:foo.example.com"},
1732 },
1733 },
1734 intermediates: [][]constraintsSpec{
1735 {
1736 {},
1737 },
1738 },
1739 leaf: leafSpec{
1740 sans: []string{"dns:*.example.com"},
1741 },
1742 expectedError: "\"*.example.com\" is not permitted",
1743 },
1744 {
1745 name: "far outer wildcard names are not matched by subdomain permitted constraints",
1746 roots: []constraintsSpec{
1747 {
1748 ok: []string{"dns:foo.example.com"},
1749 },
1750 },
1751 intermediates: [][]constraintsSpec{
1752 {
1753 {},
1754 },
1755 },
1756 leaf: leafSpec{
1757 sans: []string{"dns:*.com"},
1758 },
1759 expectedError: "\"*.com\" is not permitted",
1760 },
1761 {
1762 name: "inner wildcard names are matched by subdomain permitted constraints",
1763 roots: []constraintsSpec{
1764 {
1765 ok: []string{"dns:foo.example.com"},
1766 },
1767 },
1768 intermediates: [][]constraintsSpec{
1769 {
1770 {},
1771 },
1772 },
1773 leaf: leafSpec{
1774 sans: []string{"dns:*.foo.example.com"},
1775 },
1776 },
1777 {
1778 name: "far inner wildcard names are matched by subdomain permitted constraints",
1779 roots: []constraintsSpec{
1780 {
1781 ok: []string{"dns:foo.example.com"},
1782 },
1783 },
1784 intermediates: [][]constraintsSpec{
1785 {
1786 {},
1787 },
1788 },
1789 leaf: leafSpec{
1790 sans: []string{"dns:*.bar.foo.example.com"},
1791 },
1792 },
1793
1794 {
1795 name: "cross include should not match",
1796 roots: []constraintsSpec{
1797 {
1798 ok: []string{"dns:foo.example.com"},
1799 },
1800 },
1801 intermediates: [][]constraintsSpec{
1802 {
1803 {},
1804 },
1805 },
1806 leaf: leafSpec{
1807 sans: []string{"dns:*.bar.example.com"},
1808 },
1809 expectedError: "\"*.bar.example.com\" is not permitted by any constraint",
1810 },
1811 {
1812 name: "cross exclude should not match",
1813 roots: []constraintsSpec{
1814 {
1815 bad: []string{"dns:foo.example.com"},
1816 },
1817 },
1818 intermediates: [][]constraintsSpec{
1819 {
1820 {},
1821 },
1822 },
1823 leaf: leafSpec{
1824 sans: []string{"dns:*.bar.example.com"},
1825 },
1826 },
1827 }
1828
1829 func makeConstraintsCACert(constraints constraintsSpec, name string, key *ecdsa.PrivateKey, parent *Certificate, parentKey *ecdsa.PrivateKey) (*Certificate, error) {
1830 var serialBytes [16]byte
1831 rand.Read(serialBytes[:])
1832
1833 template := &Certificate{
1834 SerialNumber: new(big.Int).SetBytes(serialBytes[:]),
1835 Subject: pkix.Name{
1836 CommonName: name,
1837 },
1838 NotBefore: time.Unix(1000, 0),
1839 NotAfter: time.Unix(2000, 0),
1840 KeyUsage: KeyUsageCertSign,
1841 BasicConstraintsValid: true,
1842 IsCA: true,
1843 }
1844
1845 if err := addConstraintsToTemplate(constraints, template); err != nil {
1846 return nil, err
1847 }
1848
1849 if parent == nil {
1850 parent = template
1851 }
1852 derBytes, err := CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
1853 if err != nil {
1854 return nil, err
1855 }
1856
1857 caCert, err := ParseCertificate(derBytes)
1858 if err != nil {
1859 return nil, err
1860 }
1861
1862 return caCert, nil
1863 }
1864
1865 func makeConstraintsLeafCert(leaf leafSpec, key *ecdsa.PrivateKey, parent *Certificate, parentKey *ecdsa.PrivateKey) (*Certificate, error) {
1866 var serialBytes [16]byte
1867 rand.Read(serialBytes[:])
1868
1869 template := &Certificate{
1870 SerialNumber: new(big.Int).SetBytes(serialBytes[:]),
1871 Subject: pkix.Name{
1872 OrganizationalUnit: []string{"Leaf"},
1873 CommonName: leaf.cn,
1874 },
1875 NotBefore: time.Unix(1000, 0),
1876 NotAfter: time.Unix(2000, 0),
1877 KeyUsage: KeyUsageDigitalSignature,
1878 BasicConstraintsValid: true,
1879 IsCA: false,
1880 }
1881
1882 for _, name := range leaf.sans {
1883 switch {
1884 case strings.HasPrefix(name, "dns:"):
1885 template.DNSNames = append(template.DNSNames, name[4:])
1886
1887 case strings.HasPrefix(name, "ip:"):
1888 ip := net.ParseIP(name[3:])
1889 if ip == nil {
1890 return nil, fmt.Errorf("cannot parse IP %q", name[3:])
1891 }
1892 template.IPAddresses = append(template.IPAddresses, ip)
1893
1894 case strings.HasPrefix(name, "invalidip:"):
1895 ipBytes, err := hex.DecodeString(name[10:])
1896 if err != nil {
1897 return nil, fmt.Errorf("cannot parse invalid IP: %s", err)
1898 }
1899 template.IPAddresses = append(template.IPAddresses, net.IP(ipBytes))
1900
1901 case strings.HasPrefix(name, "email:"):
1902 template.EmailAddresses = append(template.EmailAddresses, name[6:])
1903
1904 case strings.HasPrefix(name, "uri:"):
1905 uri, err := url.Parse(name[4:])
1906 if err != nil {
1907 return nil, fmt.Errorf("cannot parse URI %q: %s", name[4:], err)
1908 }
1909 template.URIs = append(template.URIs, uri)
1910
1911 case strings.HasPrefix(name, "unknown:"):
1912
1913
1914
1915 if len(leaf.sans) != 1 {
1916 panic("when using unknown name types, it must be the sole name")
1917 }
1918
1919 template.ExtraExtensions = append(template.ExtraExtensions, pkix.Extension{
1920 Id: []int{2, 5, 29, 17},
1921 Value: []byte{
1922 0x30,
1923 3,
1924 9,
1925 1,
1926 1,
1927 },
1928 })
1929
1930 default:
1931 return nil, fmt.Errorf("unknown name type %q", name)
1932 }
1933 }
1934
1935 var err error
1936 if template.ExtKeyUsage, template.UnknownExtKeyUsage, err = parseEKUs(leaf.ekus); err != nil {
1937 return nil, err
1938 }
1939
1940 if parent == nil {
1941 parent = template
1942 }
1943
1944 derBytes, err := CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
1945 if err != nil {
1946 return nil, err
1947 }
1948
1949 return ParseCertificate(derBytes)
1950 }
1951
1952 func customConstraintsExtension(typeNum int, constraint []byte, isExcluded bool) pkix.Extension {
1953 appendConstraint := func(contents []byte, tag uint8) []byte {
1954 contents = append(contents, tag|32 |0x80 )
1955 contents = append(contents, byte(4+len(constraint)) )
1956 contents = append(contents, 0x30 )
1957 contents = append(contents, byte(2+len(constraint)) )
1958 contents = append(contents, byte(typeNum) )
1959 contents = append(contents, byte(len(constraint)))
1960 return append(contents, constraint...)
1961 }
1962
1963 var contents []byte
1964 if !isExcluded {
1965 contents = appendConstraint(contents, 0 )
1966 } else {
1967 contents = appendConstraint(contents, 1 )
1968 }
1969
1970 var value []byte
1971 value = append(value, 0x30 )
1972 value = append(value, byte(len(contents)))
1973 value = append(value, contents...)
1974
1975 return pkix.Extension{
1976 Id: []int{2, 5, 29, 30},
1977 Value: value,
1978 }
1979 }
1980
1981 func addConstraintsToTemplate(constraints constraintsSpec, template *Certificate) error {
1982 parse := func(constraints []string) (dnsNames []string, ips []*net.IPNet, emailAddrs []string, uriDomains []string, err error) {
1983 for _, constraint := range constraints {
1984 switch {
1985 case strings.HasPrefix(constraint, "dns:"):
1986 dnsNames = append(dnsNames, constraint[4:])
1987
1988 case strings.HasPrefix(constraint, "ip:"):
1989 _, ipNet, err := net.ParseCIDR(constraint[3:])
1990 if err != nil {
1991 return nil, nil, nil, nil, err
1992 }
1993 ips = append(ips, ipNet)
1994
1995 case strings.HasPrefix(constraint, "email:"):
1996 emailAddrs = append(emailAddrs, constraint[6:])
1997
1998 case strings.HasPrefix(constraint, "uri:"):
1999 uriDomains = append(uriDomains, constraint[4:])
2000
2001 default:
2002 return nil, nil, nil, nil, fmt.Errorf("unknown constraint %q", constraint)
2003 }
2004 }
2005
2006 return dnsNames, ips, emailAddrs, uriDomains, err
2007 }
2008
2009 handleSpecialConstraint := func(constraint string, isExcluded bool) bool {
2010 switch {
2011 case constraint == "unknown:":
2012 template.ExtraExtensions = append(template.ExtraExtensions, customConstraintsExtension(9 , []byte{1}, isExcluded))
2013
2014 default:
2015 return false
2016 }
2017
2018 return true
2019 }
2020
2021 if len(constraints.ok) == 1 && len(constraints.bad) == 0 {
2022 if handleSpecialConstraint(constraints.ok[0], false) {
2023 return nil
2024 }
2025 }
2026
2027 if len(constraints.bad) == 1 && len(constraints.ok) == 0 {
2028 if handleSpecialConstraint(constraints.bad[0], true) {
2029 return nil
2030 }
2031 }
2032
2033 var err error
2034 template.PermittedDNSDomains, template.PermittedIPRanges, template.PermittedEmailAddresses, template.PermittedURIDomains, err = parse(constraints.ok)
2035 if err != nil {
2036 return err
2037 }
2038
2039 template.ExcludedDNSDomains, template.ExcludedIPRanges, template.ExcludedEmailAddresses, template.ExcludedURIDomains, err = parse(constraints.bad)
2040 if err != nil {
2041 return err
2042 }
2043
2044 if template.ExtKeyUsage, template.UnknownExtKeyUsage, err = parseEKUs(constraints.ekus); err != nil {
2045 return err
2046 }
2047
2048 return nil
2049 }
2050
2051 func parseEKUs(ekuStrs []string) (ekus []ExtKeyUsage, unknowns []asn1.ObjectIdentifier, err error) {
2052 for _, s := range ekuStrs {
2053 switch s {
2054 case "serverAuth":
2055 ekus = append(ekus, ExtKeyUsageServerAuth)
2056 case "clientAuth":
2057 ekus = append(ekus, ExtKeyUsageClientAuth)
2058 case "email":
2059 ekus = append(ekus, ExtKeyUsageEmailProtection)
2060 case "netscapeSGC":
2061 ekus = append(ekus, ExtKeyUsageNetscapeServerGatedCrypto)
2062 case "msSGC":
2063 ekus = append(ekus, ExtKeyUsageMicrosoftServerGatedCrypto)
2064 case "any":
2065 ekus = append(ekus, ExtKeyUsageAny)
2066 case "other":
2067 unknowns = append(unknowns, asn1.ObjectIdentifier{2, 4, 1, 2, 3})
2068 default:
2069 return nil, nil, fmt.Errorf("unknown EKU %q", s)
2070 }
2071 }
2072
2073 return
2074 }
2075
2076 func TestConstraintCases(t *testing.T) {
2077 privateKeys := sync.Pool{
2078 New: func() any {
2079 priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
2080 if err != nil {
2081 panic(err)
2082 }
2083 return priv
2084 },
2085 }
2086
2087 for i, test := range nameConstraintsTests {
2088 t.Run(test.name, func(t *testing.T) {
2089 rootPool := NewCertPool()
2090 rootKey := privateKeys.Get().(*ecdsa.PrivateKey)
2091 rootName := "Root " + strconv.Itoa(i)
2092
2093
2094
2095 keys := []*ecdsa.PrivateKey{rootKey}
2096
2097
2098
2099
2100
2101
2102
2103 var parent *Certificate
2104 parentKey := rootKey
2105
2106 for _, root := range test.roots {
2107 rootCert, err := makeConstraintsCACert(root, rootName, rootKey, nil, rootKey)
2108 if err != nil {
2109 t.Fatalf("failed to create root: %s", err)
2110 }
2111
2112 parent = rootCert
2113 rootPool.AddCert(rootCert)
2114 }
2115
2116 intermediatePool := NewCertPool()
2117
2118 for level, intermediates := range test.intermediates {
2119 levelKey := privateKeys.Get().(*ecdsa.PrivateKey)
2120 keys = append(keys, levelKey)
2121 levelName := "Intermediate level " + strconv.Itoa(level)
2122 var last *Certificate
2123
2124 for _, intermediate := range intermediates {
2125 caCert, err := makeConstraintsCACert(intermediate, levelName, levelKey, parent, parentKey)
2126 if err != nil {
2127 t.Fatalf("failed to create %q: %s", levelName, err)
2128 }
2129
2130 last = caCert
2131 intermediatePool.AddCert(caCert)
2132 }
2133
2134 parent = last
2135 parentKey = levelKey
2136 }
2137
2138 leafKey := privateKeys.Get().(*ecdsa.PrivateKey)
2139 keys = append(keys, leafKey)
2140
2141 leafCert, err := makeConstraintsLeafCert(test.leaf, leafKey, parent, parentKey)
2142 if err != nil {
2143 t.Fatalf("cannot create leaf: %s", err)
2144 }
2145
2146
2147
2148 if !test.noOpenSSL && testNameConstraintsAgainstOpenSSL && test.leaf.cn == "" {
2149 output, err := testChainAgainstOpenSSL(t, leafCert, intermediatePool, rootPool)
2150 if err == nil && len(test.expectedError) > 0 {
2151 t.Error("unexpectedly succeeded against OpenSSL")
2152 if debugOpenSSLFailure {
2153 return
2154 }
2155 }
2156
2157 if err != nil {
2158 if _, ok := err.(*exec.ExitError); !ok {
2159 t.Errorf("OpenSSL failed to run: %s", err)
2160 } else if len(test.expectedError) == 0 {
2161 t.Errorf("OpenSSL unexpectedly failed: %v", output)
2162 if debugOpenSSLFailure {
2163 return
2164 }
2165 }
2166 }
2167 }
2168
2169 verifyOpts := VerifyOptions{
2170 Roots: rootPool,
2171 Intermediates: intermediatePool,
2172 CurrentTime: time.Unix(1500, 0),
2173 KeyUsages: test.requestedEKUs,
2174 }
2175 _, err = leafCert.Verify(verifyOpts)
2176
2177 logInfo := false
2178 if len(test.expectedError) == 0 {
2179 if err != nil {
2180 t.Errorf("unexpected failure: %s", err)
2181 } else {
2182 logInfo = false
2183 }
2184 } else {
2185 if err == nil {
2186 t.Error("unexpected success")
2187 } else if !strings.Contains(err.Error(), test.expectedError) {
2188 t.Errorf("expected error containing %q, but got: %s", test.expectedError, err)
2189 } else {
2190 logInfo = false
2191 }
2192 }
2193
2194 if logInfo {
2195 certAsPEM := func(cert *Certificate) string {
2196 var buf bytes.Buffer
2197 pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
2198 return buf.String()
2199 }
2200 t.Errorf("root:\n%s", certAsPEM(rootPool.mustCert(t, 0)))
2201 if intermediates := allCerts(t, intermediatePool); len(intermediates) > 0 {
2202 for ii, intermediate := range intermediates {
2203 t.Errorf("intermediate %d:\n%s", ii, certAsPEM(intermediate))
2204 }
2205 }
2206 t.Errorf("leaf:\n%s", certAsPEM(leafCert))
2207 }
2208
2209 for _, key := range keys {
2210 privateKeys.Put(key)
2211 }
2212 })
2213 }
2214 }
2215
2216 func writePEMsToTempFile(certs []*Certificate) *os.File {
2217 file, err := os.CreateTemp("", "name_constraints_test")
2218 if err != nil {
2219 panic("cannot create tempfile")
2220 }
2221
2222 pemBlock := &pem.Block{Type: "CERTIFICATE"}
2223 for _, cert := range certs {
2224 pemBlock.Bytes = cert.Raw
2225 pem.Encode(file, pemBlock)
2226 }
2227
2228 return file
2229 }
2230
2231 func testChainAgainstOpenSSL(t *testing.T, leaf *Certificate, intermediates, roots *CertPool) (string, error) {
2232 args := []string{"verify", "-no_check_time"}
2233
2234 rootsFile := writePEMsToTempFile(allCerts(t, roots))
2235 if debugOpenSSLFailure {
2236 println("roots file:", rootsFile.Name())
2237 } else {
2238 defer os.Remove(rootsFile.Name())
2239 }
2240 args = append(args, "-CAfile", rootsFile.Name())
2241
2242 if intermediates.len() > 0 {
2243 intermediatesFile := writePEMsToTempFile(allCerts(t, intermediates))
2244 if debugOpenSSLFailure {
2245 println("intermediates file:", intermediatesFile.Name())
2246 } else {
2247 defer os.Remove(intermediatesFile.Name())
2248 }
2249 args = append(args, "-untrusted", intermediatesFile.Name())
2250 }
2251
2252 leafFile := writePEMsToTempFile([]*Certificate{leaf})
2253 if debugOpenSSLFailure {
2254 println("leaf file:", leafFile.Name())
2255 } else {
2256 defer os.Remove(leafFile.Name())
2257 }
2258 args = append(args, leafFile.Name())
2259
2260 cmd := testenv.Command(t, "openssl", args...)
2261 out, err := cmd.CombinedOutput()
2262 return string(out), err
2263 }
2264
2265 var rfc2821Tests = []struct {
2266 in string
2267 localPart, domain string
2268 }{
2269 {"foo@example.com", "foo", "example.com"},
2270 {"@example.com", "", ""},
2271 {"\"@example.com", "", ""},
2272 {"\"\"@example.com", "", "example.com"},
2273 {"\"a\"@example.com", "a", "example.com"},
2274 {"\"\\a\"@example.com", "a", "example.com"},
2275 {"a\"@example.com", "", ""},
2276 {"foo..bar@example.com", "", ""},
2277 {".foo.bar@example.com", "", ""},
2278 {"foo.bar.@example.com", "", ""},
2279 {"|{}?'@example.com", "|{}?'", "example.com"},
2280
2281
2282 {"Abc\\@def@example.com", "Abc@def", "example.com"},
2283 {"Fred\\ Bloggs@example.com", "Fred Bloggs", "example.com"},
2284 {"Joe.\\\\Blow@example.com", "Joe.\\Blow", "example.com"},
2285 {"\"Abc@def\"@example.com", "Abc@def", "example.com"},
2286 {"\"Fred Bloggs\"@example.com", "Fred Bloggs", "example.com"},
2287 {"customer/department=shipping@example.com", "customer/department=shipping", "example.com"},
2288 {"$A12345@example.com", "$A12345", "example.com"},
2289 {"!def!xyz%abc@example.com", "!def!xyz%abc", "example.com"},
2290 {"_somename@example.com", "_somename", "example.com"},
2291 }
2292
2293 func TestRFC2821Parsing(t *testing.T) {
2294 for i, test := range rfc2821Tests {
2295 mailbox, ok := parseRFC2821Mailbox(test.in)
2296 expectedFailure := len(test.localPart) == 0 && len(test.domain) == 0
2297
2298 if ok && expectedFailure {
2299 t.Errorf("#%d: %q unexpectedly parsed as (%q, %q)", i, test.in, mailbox.local, mailbox.domain)
2300 continue
2301 }
2302
2303 if !ok && !expectedFailure {
2304 t.Errorf("#%d: unexpected failure for %q", i, test.in)
2305 continue
2306 }
2307
2308 if !ok {
2309 continue
2310 }
2311
2312 if mailbox.local != test.localPart || mailbox.domain != test.domain {
2313 t.Errorf("#%d: %q parsed as (%q, %q), but wanted (%q, %q)", i, test.in, mailbox.local, mailbox.domain, test.localPart, test.domain)
2314 }
2315 }
2316 }
2317
2318 func TestBadNamesInConstraints(t *testing.T) {
2319 constraintParseError := func(err error) bool {
2320 str := err.Error()
2321 return strings.Contains(str, "failed to parse ") && strings.Contains(str, "constraint")
2322 }
2323
2324 encodingError := func(err error) bool {
2325 return strings.Contains(err.Error(), "cannot be encoded as an IA5String")
2326 }
2327
2328
2329 badNames := []struct {
2330 name string
2331 matcher func(error) bool
2332 }{
2333 {"dns:foo.com.", constraintParseError},
2334 {"email:abc@foo.com.", constraintParseError},
2335 {"email:foo.com.", constraintParseError},
2336 {"uri:example.com.", constraintParseError},
2337 {"uri:1.2.3.4", constraintParseError},
2338 {"uri:ffff::1", constraintParseError},
2339 {"dns:not–hyphen.com", encodingError},
2340 {"email:foo@not–hyphen.com", encodingError},
2341 {"uri:not–hyphen.com", encodingError},
2342 }
2343
2344 priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
2345 if err != nil {
2346 panic(err)
2347 }
2348
2349 for _, test := range badNames {
2350 _, err := makeConstraintsCACert(constraintsSpec{
2351 ok: []string{test.name},
2352 }, "TestAbsoluteNamesInConstraints", priv, nil, priv)
2353
2354 if err == nil {
2355 t.Errorf("bad name %q unexpectedly accepted in name constraint", test.name)
2356 continue
2357 } else {
2358 if !test.matcher(err) {
2359 t.Errorf("bad name %q triggered unrecognised error: %s", test.name, err)
2360 }
2361 }
2362 }
2363 }
2364
2365 func TestBadNamesInSANs(t *testing.T) {
2366
2367
2368
2369 badNames := []string{
2370 "uri:https://example.com./dsf",
2371 "invalidip:0102",
2372 "invalidip:0102030405",
2373 }
2374
2375 priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
2376 if err != nil {
2377 panic(err)
2378 }
2379
2380 for _, badName := range badNames {
2381 _, err := makeConstraintsLeafCert(leafSpec{sans: []string{badName}}, priv, nil, priv)
2382
2383 if err == nil {
2384 t.Errorf("bad name %q unexpectedly accepted in SAN", badName)
2385 continue
2386 }
2387
2388 if str := err.Error(); !strings.Contains(str, "cannot parse ") {
2389 t.Errorf("bad name %q triggered unrecognised error: %s", badName, str)
2390 }
2391 }
2392 }
2393
View as plain text