Source file
src/crypto/x509/name_constraints_test.go
1
2
3
4
5 package x509
6
7 import (
8 "bytes"
9 "crypto/ecdsa"
10 "crypto/elliptic"
11 "crypto/rand"
12 "crypto/x509/pkix"
13 "encoding/asn1"
14 "encoding/hex"
15 "encoding/pem"
16 "fmt"
17 "internal/testenv"
18 "math/big"
19 "net"
20 "net/url"
21 "os"
22 "os/exec"
23 "strconv"
24 "strings"
25 "sync"
26 "testing"
27 "time"
28 )
29
30 const (
31
32
33
34 testNameConstraintsAgainstOpenSSL = false
35
36
37
38
39 debugOpenSSLFailure = false
40 )
41
42 type nameConstraintsTest struct {
43 name string
44 roots []constraintsSpec
45 intermediates [][]constraintsSpec
46 leaf leafSpec
47 requestedEKUs []ExtKeyUsage
48 expectedError string
49 noOpenSSL bool
50 ignoreCN bool
51 }
52
53 type constraintsSpec struct {
54 ok []string
55 bad []string
56 ekus []string
57 }
58
59 type leafSpec struct {
60 sans []string
61 ekus []string
62 cn string
63 }
64
65 var nameConstraintsTests = []nameConstraintsTest{
66 {
67 name: "certificate generation process",
68 roots: make([]constraintsSpec, 1),
69 leaf: leafSpec{
70 sans: []string{"dns:example.com"},
71 },
72 },
73 {
74 name: "single level of intermediate",
75 roots: make([]constraintsSpec, 1),
76 intermediates: [][]constraintsSpec{
77 {
78 {},
79 },
80 },
81 leaf: leafSpec{
82 sans: []string{"dns:example.com"},
83 },
84 },
85 {
86 name: "two levels of intermediates",
87 roots: make([]constraintsSpec, 1),
88 intermediates: [][]constraintsSpec{
89 {
90 {},
91 },
92 {
93 {},
94 },
95 },
96 leaf: leafSpec{
97 sans: []string{"dns:example.com"},
98 },
99 },
100 {
101 name: "matching DNS constraint in root",
102 roots: []constraintsSpec{
103 {
104 ok: []string{"dns:example.com"},
105 },
106 },
107 intermediates: [][]constraintsSpec{
108 {
109 {},
110 },
111 },
112 leaf: leafSpec{
113 sans: []string{"dns:example.com"},
114 },
115 },
116 {
117 name: "matching DNS constraint in intermediate",
118 roots: make([]constraintsSpec, 1),
119 intermediates: [][]constraintsSpec{
120 {
121 {
122 ok: []string{"dns:example.com"},
123 },
124 },
125 },
126 leaf: leafSpec{
127 sans: []string{"dns:example.com"},
128 },
129 },
130 {
131 name: "leading period only matches subdomains",
132 roots: []constraintsSpec{
133 {
134 ok: []string{"dns:.example.com"},
135 },
136 },
137 intermediates: [][]constraintsSpec{
138 {
139 {},
140 },
141 },
142 leaf: leafSpec{
143 sans: []string{"dns:example.com"},
144 },
145 expectedError: "\"example.com\" is not permitted",
146 },
147 {
148 name: "leading period matches subdomains",
149 roots: make([]constraintsSpec, 1),
150 intermediates: [][]constraintsSpec{
151 {
152 {
153 ok: []string{"dns:.example.com"},
154 },
155 },
156 },
157 leaf: leafSpec{
158 sans: []string{"dns:foo.example.com"},
159 },
160 },
161 {
162 name: "leading period matches multiple levels of subdomains",
163 roots: []constraintsSpec{
164 {
165 ok: []string{"dns:.example.com"},
166 },
167 },
168 intermediates: [][]constraintsSpec{
169 {
170 {},
171 },
172 },
173 leaf: leafSpec{
174 sans: []string{"dns:foo.bar.example.com"},
175 },
176 },
177 {
178 name: "specifying a permitted list of names does not exclude other name types",
179 roots: []constraintsSpec{
180 {
181 ok: []string{"dns:.example.com"},
182 },
183 },
184 intermediates: [][]constraintsSpec{
185 {
186 {},
187 },
188 },
189 leaf: leafSpec{
190 sans: []string{"ip:10.1.1.1"},
191 },
192 },
193 {
194 name: "specifying a permitted list of names does not exclude other name types",
195 roots: []constraintsSpec{
196 {
197 ok: []string{"ip:10.0.0.0/8"},
198 },
199 },
200 intermediates: [][]constraintsSpec{
201 {
202 {},
203 },
204 },
205 leaf: leafSpec{
206 sans: []string{"dns:example.com"},
207 },
208 },
209 {
210 name: "intermediates can try to permit other names, which isn't forbidden if the leaf doesn't mention them",
211 roots: []constraintsSpec{
212 {
213 ok: []string{"dns:example.com"},
214 },
215 },
216 intermediates: [][]constraintsSpec{
217 {
218 {
219 ok: []string{"dns:example.com", "dns:foo.com"},
220 },
221 },
222 },
223 leaf: leafSpec{
224 sans: []string{"dns:example.com"},
225 },
226 },
227 {
228 name: "intermediates cannot add permitted names that the root doesn't grant them",
229 roots: []constraintsSpec{
230 {
231 ok: []string{"dns:example.com"},
232 },
233 },
234 intermediates: [][]constraintsSpec{
235 {
236 {
237 ok: []string{"dns:foo.example.com", "dns:foo.com"},
238 },
239 },
240 },
241 leaf: leafSpec{
242 sans: []string{"dns:foo.com"},
243 },
244 expectedError: "\"foo.com\" is not permitted",
245 },
246 {
247 name: "intermediates can further limit their scope if they wish",
248 roots: []constraintsSpec{
249 {
250 ok: []string{"dns:.example.com"},
251 },
252 },
253 intermediates: [][]constraintsSpec{
254 {
255 {
256 ok: []string{"dns:.bar.example.com"},
257 },
258 },
259 },
260 leaf: leafSpec{
261 sans: []string{"dns:foo.bar.example.com"},
262 },
263 },
264 {
265 name: "intermediates can further limit their scope and that limitation is effective",
266 roots: []constraintsSpec{
267 {
268 ok: []string{"dns:.example.com"},
269 },
270 },
271 intermediates: [][]constraintsSpec{
272 {
273 {
274 ok: []string{"dns:.bar.example.com"},
275 },
276 },
277 },
278 leaf: leafSpec{
279 sans: []string{"dns:foo.notbar.example.com"},
280 },
281 expectedError: "\"foo.notbar.example.com\" is not permitted",
282 },
283 {
284 name: "roots can exclude subtrees and that doesn't affect other names",
285 roots: []constraintsSpec{
286 {
287 bad: []string{"dns:.example.com"},
288 },
289 },
290 intermediates: [][]constraintsSpec{
291 {
292 {},
293 },
294 },
295 leaf: leafSpec{
296 sans: []string{"dns:foo.com"},
297 },
298 },
299 {
300 name: "roots exclusions are effective",
301 roots: []constraintsSpec{
302 {
303 bad: []string{"dns:.example.com"},
304 },
305 },
306 intermediates: [][]constraintsSpec{
307 {
308 {},
309 },
310 },
311 leaf: leafSpec{
312 sans: []string{"dns:foo.example.com"},
313 },
314 expectedError: "\"foo.example.com\" is excluded",
315 },
316 {
317 name: "intermediates can also exclude names and that doesn't affect other names",
318 roots: make([]constraintsSpec, 1),
319 intermediates: [][]constraintsSpec{
320 {
321 {
322 bad: []string{"dns:.example.com"},
323 },
324 },
325 },
326 leaf: leafSpec{
327 sans: []string{"dns:foo.com"},
328 },
329 },
330 {
331 name: "intermediate exclusions are effective",
332 roots: make([]constraintsSpec, 1),
333 intermediates: [][]constraintsSpec{
334 {
335 {
336 bad: []string{"dns:.example.com"},
337 },
338 },
339 },
340 leaf: leafSpec{
341 sans: []string{"dns:foo.example.com"},
342 },
343 expectedError: "\"foo.example.com\" is excluded",
344 },
345 {
346 name: "having an exclusion doesn't prohibit other types of names",
347 roots: []constraintsSpec{
348 {
349 bad: []string{"dns:.example.com"},
350 },
351 },
352 intermediates: [][]constraintsSpec{
353 {
354 {},
355 },
356 },
357 leaf: leafSpec{
358 sans: []string{"dns:foo.com", "ip:10.1.1.1"},
359 },
360 },
361 {
362 name: "IP-based exclusions are permitted and don't affect unrelated IP addresses",
363 roots: []constraintsSpec{
364 {
365 bad: []string{"ip:10.0.0.0/8"},
366 },
367 },
368 intermediates: [][]constraintsSpec{
369 {
370 {},
371 },
372 },
373 leaf: leafSpec{
374 sans: []string{"ip:192.168.1.1"},
375 },
376 },
377 {
378 name: "IP-based exclusions are effective",
379 roots: []constraintsSpec{
380 {
381 bad: []string{"ip:10.0.0.0/8"},
382 },
383 },
384 intermediates: [][]constraintsSpec{
385 {
386 {},
387 },
388 },
389 leaf: leafSpec{
390 sans: []string{"ip:10.0.0.1"},
391 },
392 expectedError: "\"10.0.0.1\" is excluded",
393 },
394 {
395 name: "intermediates can further constrain IP ranges",
396 roots: []constraintsSpec{
397 {
398 bad: []string{"ip:0.0.0.0/1"},
399 },
400 },
401 intermediates: [][]constraintsSpec{
402 {
403 {
404 bad: []string{"ip:11.0.0.0/8"},
405 },
406 },
407 },
408 leaf: leafSpec{
409 sans: []string{"ip:11.0.0.1"},
410 },
411 expectedError: "\"11.0.0.1\" is excluded",
412 },
413 {
414 name: "multiple intermediates with incompatible constraints",
415 roots: make([]constraintsSpec, 1),
416 intermediates: [][]constraintsSpec{
417 {
418 {
419 ok: []string{"dns:.foo.com"},
420 },
421 {
422 ok: []string{"dns:.example.com"},
423 },
424 },
425 },
426 leaf: leafSpec{
427 sans: []string{"dns:foo.example.com"},
428 },
429 noOpenSSL: true,
430 },
431 {
432 name: "multiple intermediates with incompatible constraints swapped",
433 roots: make([]constraintsSpec, 1),
434 intermediates: [][]constraintsSpec{
435 {
436 {
437 ok: []string{"dns:.example.com"},
438 },
439 {
440 ok: []string{"dns:.foo.com"},
441 },
442 },
443 },
444 leaf: leafSpec{
445 sans: []string{"dns:foo.example.com"},
446 },
447 noOpenSSL: true,
448 },
449 {
450 name: "multiple roots with incompatible constraints",
451 roots: []constraintsSpec{
452 {},
453 {
454 ok: []string{"dns:foo.com"},
455 },
456 },
457 intermediates: [][]constraintsSpec{
458 {
459 {},
460 },
461 },
462 leaf: leafSpec{
463 sans: []string{"dns:example.com"},
464 },
465 noOpenSSL: true,
466 },
467 {
468 name: "multiple roots with incompatible constraints swapped",
469 roots: []constraintsSpec{
470 {
471 ok: []string{"dns:foo.com"},
472 },
473 {},
474 },
475 intermediates: [][]constraintsSpec{
476 {
477 {},
478 },
479 },
480 leaf: leafSpec{
481 sans: []string{"dns:example.com"},
482 },
483 noOpenSSL: true,
484 },
485 {
486 name: "chain building with multiple intermediates and roots",
487 roots: []constraintsSpec{
488 {
489 ok: []string{"dns:foo.com"},
490 },
491 {
492 ok: []string{"dns:example.com"},
493 },
494 {},
495 },
496 intermediates: [][]constraintsSpec{
497 {
498 {},
499 {
500 ok: []string{"dns:foo.com"},
501 },
502 },
503 {
504 {},
505 {
506 ok: []string{"dns:foo.com"},
507 },
508 },
509 },
510 leaf: leafSpec{
511 sans: []string{"dns:bar.com"},
512 },
513 noOpenSSL: true,
514 },
515 {
516 name: "chain building fails with no valid path",
517 roots: []constraintsSpec{
518 {
519 ok: []string{"dns:foo.com"},
520 },
521 {
522 ok: []string{"dns:example.com"},
523 },
524 },
525 intermediates: [][]constraintsSpec{
526 {
527 {},
528 {
529 ok: []string{"dns:foo.com"},
530 },
531 },
532 {
533 {
534 ok: []string{"dns:bar.com"},
535 },
536 {
537 ok: []string{"dns:foo.com"},
538 },
539 },
540 },
541 leaf: leafSpec{
542 sans: []string{"dns:bar.com"},
543 },
544 expectedError: "\"bar.com\" is not permitted",
545 },
546 {
547 name: "unknown name types are unconstrained",
548 roots: make([]constraintsSpec, 1),
549 intermediates: [][]constraintsSpec{
550 {
551 {},
552 },
553 },
554 leaf: leafSpec{
555 sans: []string{"unknown:"},
556 },
557 },
558 {
559 name: "unknown name types allowed in constrained chain",
560 roots: []constraintsSpec{
561 {
562 ok: []string{"dns:foo.com", "dns:.foo.com"},
563 },
564 },
565 intermediates: [][]constraintsSpec{
566 {
567 {},
568 },
569 },
570 leaf: leafSpec{
571 sans: []string{"unknown:"},
572 },
573 },
574 {
575 name: "CN is ignored in constrained chain",
576 roots: []constraintsSpec{
577 {
578 ok: []string{"dns:foo.com", "dns:.foo.com"},
579 },
580 },
581 intermediates: [][]constraintsSpec{
582 {
583 {},
584 },
585 },
586 leaf: leafSpec{
587 sans: []string{},
588 cn: "foo.com",
589 },
590 },
591 {
592 name: "IPv6 permitted constraint",
593 roots: []constraintsSpec{
594 {
595 ok: []string{"ip:2000:abcd::/32"},
596 },
597 },
598 intermediates: [][]constraintsSpec{
599 {
600 {},
601 },
602 },
603 leaf: leafSpec{
604 sans: []string{"ip:2000:abcd:1234::"},
605 },
606 },
607 {
608 name: "IPv6 permitted constraint is effective",
609 roots: []constraintsSpec{
610 {
611 ok: []string{"ip:2000:abcd::/32"},
612 },
613 },
614 intermediates: [][]constraintsSpec{
615 {
616 {},
617 },
618 },
619 leaf: leafSpec{
620 sans: []string{"ip:2000:1234:abcd::"},
621 },
622 expectedError: "\"2000:1234:abcd::\" is not permitted",
623 },
624 {
625 name: "IPv6 permitted constraint does not affect DNS",
626 roots: []constraintsSpec{
627 {
628 ok: []string{"ip:2000:abcd::/32"},
629 },
630 },
631 intermediates: [][]constraintsSpec{
632 {
633 {},
634 },
635 },
636 leaf: leafSpec{
637 sans: []string{"ip:2000:abcd::", "dns:foo.com"},
638 },
639 },
640 {
641 name: "IPv6 excluded constraint",
642 roots: []constraintsSpec{
643 {
644 bad: []string{"ip:2000:abcd::/32"},
645 },
646 },
647 intermediates: [][]constraintsSpec{
648 {
649 {},
650 },
651 },
652 leaf: leafSpec{
653 sans: []string{"ip:2000:1234::"},
654 },
655 },
656 {
657 name: "IPv6 excluded constraint is effective",
658 roots: []constraintsSpec{
659 {
660 bad: []string{"ip:2000:abcd::/32"},
661 },
662 },
663 intermediates: [][]constraintsSpec{
664 {
665 {},
666 },
667 },
668 leaf: leafSpec{
669 sans: []string{"ip:2000:abcd::"},
670 },
671 expectedError: "\"2000:abcd::\" is excluded",
672 },
673 {
674 name: "IPv6 constraint does not permit IPv4",
675 roots: []constraintsSpec{
676 {
677 ok: []string{"ip:2000:abcd::/32"},
678 },
679 },
680 intermediates: [][]constraintsSpec{
681 {
682 {},
683 },
684 },
685 leaf: leafSpec{
686 sans: []string{"ip:10.0.0.1"},
687 },
688 expectedError: "\"10.0.0.1\" is not permitted",
689 },
690 {
691 name: "IPv4 constraint does not permit IPv6",
692 roots: []constraintsSpec{
693 {
694 ok: []string{"ip:10.0.0.0/8"},
695 },
696 },
697 intermediates: [][]constraintsSpec{
698 {
699 {},
700 },
701 },
702 leaf: leafSpec{
703 sans: []string{"ip:2000:abcd::"},
704 },
705 expectedError: "\"2000:abcd::\" is not permitted",
706 },
707 {
708 name: "unknown excluded constraint does not affect other names",
709 roots: []constraintsSpec{
710 {
711 bad: []string{"unknown:"},
712 },
713 },
714 intermediates: [][]constraintsSpec{
715 {
716 {},
717 },
718 },
719 leaf: leafSpec{
720 sans: []string{"dns:example.com"},
721 },
722 },
723 {
724 name: "unknown permitted constraint does not affect other names",
725 roots: []constraintsSpec{
726 {
727 ok: []string{"unknown:"},
728 },
729 },
730 intermediates: [][]constraintsSpec{
731 {
732 {},
733 },
734 },
735 leaf: leafSpec{
736 sans: []string{"dns:example.com"},
737 },
738 },
739 {
740 name: "exact email constraint",
741 roots: []constraintsSpec{
742 {
743 ok: []string{"email:foo@example.com"},
744 },
745 },
746 intermediates: [][]constraintsSpec{
747 {
748 {},
749 },
750 },
751 leaf: leafSpec{
752 sans: []string{"email:foo@example.com"},
753 },
754 },
755 {
756 name: "exact email constraint is effective",
757 roots: []constraintsSpec{
758 {
759 ok: []string{"email:foo@example.com"},
760 },
761 },
762 intermediates: [][]constraintsSpec{
763 {
764 {},
765 },
766 },
767 leaf: leafSpec{
768 sans: []string{"email:bar@example.com"},
769 },
770 expectedError: "\"bar@example.com\" is not permitted",
771 },
772 {
773 name: "email canonicalization",
774 roots: []constraintsSpec{
775 {
776 ok: []string{"email:foo@example.com"},
777 },
778 },
779 intermediates: [][]constraintsSpec{
780 {
781 {},
782 },
783 },
784 leaf: leafSpec{
785 sans: []string{"email:\"\\f\\o\\o\"@example.com"},
786 },
787 noOpenSSL: true,
788 },
789 {
790 name: "email host constraint",
791 roots: []constraintsSpec{
792 {
793 ok: []string{"email:example.com"},
794 },
795 },
796 intermediates: [][]constraintsSpec{
797 {
798 {},
799 },
800 },
801 leaf: leafSpec{
802 sans: []string{"email:foo@example.com"},
803 },
804 },
805 {
806 name: "email subdomain constraint",
807 roots: []constraintsSpec{
808 {
809 ok: []string{"email:.example.com"},
810 },
811 },
812 intermediates: [][]constraintsSpec{
813 {
814 {},
815 },
816 },
817 leaf: leafSpec{
818 sans: []string{"email:foo@sub.example.com"},
819 },
820 },
821 {
822 name: "email subdomain constraint does not match parent",
823 roots: []constraintsSpec{
824 {
825 ok: []string{"email:.example.com"},
826 },
827 },
828 intermediates: [][]constraintsSpec{
829 {
830 {},
831 },
832 },
833 leaf: leafSpec{
834 sans: []string{"email:foo@example.com"},
835 },
836 expectedError: "\"foo@example.com\" is not permitted",
837 },
838 {
839 name: "email subdomain constraint matches deeper subdomains",
840 roots: []constraintsSpec{
841 {
842 ok: []string{"email:.example.com"},
843 },
844 },
845 intermediates: [][]constraintsSpec{
846 {
847 {},
848 },
849 },
850 leaf: leafSpec{
851 sans: []string{"email:foo@sub.sub.example.com"},
852 },
853 },
854 {
855 name: "email local part is case-sensitive",
856 roots: []constraintsSpec{
857 {
858 ok: []string{"email:foo@example.com"},
859 },
860 },
861 intermediates: [][]constraintsSpec{
862 {
863 {},
864 },
865 },
866 leaf: leafSpec{
867 sans: []string{"email:Foo@example.com"},
868 },
869 expectedError: "\"Foo@example.com\" is not permitted",
870 },
871 {
872 name: "email domain part is case-insensitive",
873 roots: []constraintsSpec{
874 {
875 ok: []string{"email:foo@EXAMPLE.com"},
876 },
877 },
878 intermediates: [][]constraintsSpec{
879 {
880 {},
881 },
882 },
883 leaf: leafSpec{
884 sans: []string{"email:foo@example.com"},
885 },
886 },
887 {
888 name: "DNS domain is case-insensitive",
889 roots: []constraintsSpec{
890 {
891 ok: []string{"dns:EXAMPLE.com"},
892 },
893 },
894 intermediates: [][]constraintsSpec{
895 {
896 {},
897 },
898 },
899 leaf: leafSpec{
900 sans: []string{"dns:example.com"},
901 },
902 },
903 {
904 name: "URI constraint covers host",
905 roots: []constraintsSpec{
906 {
907 ok: []string{"uri:example.com"},
908 },
909 },
910 intermediates: [][]constraintsSpec{
911 {
912 {},
913 },
914 },
915 leaf: leafSpec{
916 sans: []string{
917 "uri:http://example.com/bar",
918 "uri:http://example.com:8080/",
919 "uri:https://example.com/wibble#bar",
920 },
921 },
922 },
923 {
924 name: "URI with IP is rejected",
925 roots: []constraintsSpec{
926 {
927 ok: []string{"uri:example.com"},
928 },
929 },
930 intermediates: [][]constraintsSpec{
931 {
932 {},
933 },
934 },
935 leaf: leafSpec{
936 sans: []string{"uri:http://1.2.3.4/"},
937 },
938 expectedError: "URI with IP",
939 },
940 {
941 name: "URI with IP and port is rejected",
942 roots: []constraintsSpec{
943 {
944 ok: []string{"uri:example.com"},
945 },
946 },
947 intermediates: [][]constraintsSpec{
948 {
949 {},
950 },
951 },
952 leaf: leafSpec{
953 sans: []string{"uri:http://1.2.3.4:43/"},
954 },
955 expectedError: "URI with IP",
956 },
957 {
958 name: "URI with IPv6 is rejected",
959 roots: []constraintsSpec{
960 {
961 ok: []string{"uri:example.com"},
962 },
963 },
964 intermediates: [][]constraintsSpec{
965 {
966 {},
967 },
968 },
969 leaf: leafSpec{
970 sans: []string{"uri:http://[2006:abcd::1]/"},
971 },
972 expectedError: "URI with IP",
973 },
974 {
975 name: "URI with IPv6 and port is rejected",
976 roots: []constraintsSpec{
977 {
978 ok: []string{"uri:example.com"},
979 },
980 },
981 intermediates: [][]constraintsSpec{
982 {
983 {},
984 },
985 },
986 leaf: leafSpec{
987 sans: []string{"uri:http://[2006:abcd::1]:16/"},
988 },
989 expectedError: "URI with IP",
990 },
991 {
992 name: "URI permitted constraint is effective",
993 roots: []constraintsSpec{
994 {
995 ok: []string{"uri:example.com"},
996 },
997 },
998 intermediates: [][]constraintsSpec{
999 {
1000 {},
1001 },
1002 },
1003 leaf: leafSpec{
1004 sans: []string{"uri:http://bar.com/"},
1005 },
1006 expectedError: "\"http://bar.com/\" is not permitted",
1007 },
1008 {
1009 name: "URI excluded constraint is effective",
1010 roots: []constraintsSpec{
1011 {
1012 bad: []string{"uri:foo.com"},
1013 },
1014 },
1015 intermediates: [][]constraintsSpec{
1016 {
1017 {},
1018 },
1019 },
1020 leaf: leafSpec{
1021 sans: []string{"uri:http://foo.com/"},
1022 },
1023 expectedError: "\"http://foo.com/\" is excluded",
1024 },
1025 {
1026 name: "URI subdomain constraint",
1027 roots: []constraintsSpec{
1028 {
1029 ok: []string{"uri:.foo.com"},
1030 },
1031 },
1032 intermediates: [][]constraintsSpec{
1033 {
1034 {},
1035 },
1036 },
1037 leaf: leafSpec{
1038 sans: []string{"uri:http://www.foo.com/"},
1039 },
1040 },
1041 {
1042 name: "IPv4-mapped-IPv6 exclusion does not affect IPv4",
1043 roots: []constraintsSpec{
1044 {
1045 bad: []string{"ip:::ffff:1.2.3.4/128"},
1046 },
1047 },
1048 intermediates: [][]constraintsSpec{
1049 {
1050 {},
1051 },
1052 },
1053 leaf: leafSpec{
1054 sans: []string{"ip:1.2.3.4"},
1055 },
1056 },
1057 {
1058 name: "URI constraint not matched by URN",
1059 roots: []constraintsSpec{
1060 {
1061 ok: []string{"uri:example.com"},
1062 },
1063 },
1064 intermediates: [][]constraintsSpec{
1065 {
1066 {},
1067 },
1068 },
1069 leaf: leafSpec{
1070 sans: []string{"uri:urn:example"},
1071 },
1072 expectedError: "URI with empty host",
1073 },
1074 {
1075 name: "IPv6 exclusion does not exclude all IPv4",
1076 roots: []constraintsSpec{
1077 {
1078 ok: []string{"ip:1.2.3.0/24"},
1079 bad: []string{"ip:::0/0"},
1080 },
1081 },
1082 intermediates: [][]constraintsSpec{
1083 {
1084 {},
1085 },
1086 },
1087 leaf: leafSpec{
1088 sans: []string{"ip:1.2.3.4"},
1089 },
1090 },
1091 {
1092 name: "empty EKU in CA means any is ok",
1093 roots: make([]constraintsSpec, 1),
1094 intermediates: [][]constraintsSpec{
1095 {
1096 {},
1097 },
1098 },
1099 leaf: leafSpec{
1100 sans: []string{"dns:example.com"},
1101 ekus: []string{"serverAuth", "other"},
1102 },
1103 },
1104 {
1105 name: "any EKU means any is ok",
1106 roots: make([]constraintsSpec, 1),
1107 intermediates: [][]constraintsSpec{
1108 {
1109 {
1110 ekus: []string{"any"},
1111 },
1112 },
1113 },
1114 leaf: leafSpec{
1115 sans: []string{"dns:example.com"},
1116 ekus: []string{"serverAuth", "other"},
1117 },
1118 },
1119
1120 {
1121 name: "intermediate with enumerated EKUs",
1122 roots: make([]constraintsSpec, 1),
1123 intermediates: [][]constraintsSpec{
1124 {
1125 {
1126 ekus: []string{"email"},
1127 },
1128 },
1129 },
1130 leaf: leafSpec{
1131 sans: []string{"dns:example.com"},
1132 ekus: []string{"serverAuth"},
1133 },
1134 expectedError: "incompatible key usage",
1135 },
1136 {
1137 name: "unknown EKU in leaf",
1138 roots: make([]constraintsSpec, 1),
1139 intermediates: [][]constraintsSpec{
1140 {
1141 {
1142 ekus: []string{"email"},
1143 },
1144 },
1145 },
1146 leaf: leafSpec{
1147 sans: []string{"dns:example.com"},
1148 ekus: []string{"other"},
1149 },
1150 requestedEKUs: []ExtKeyUsage{ExtKeyUsageAny},
1151 },
1152
1153 {
1154 name: "intermediate cannot add EKUs not in root if leaf uses them",
1155 roots: []constraintsSpec{
1156 {
1157 ekus: []string{"serverAuth"},
1158 },
1159 },
1160 intermediates: [][]constraintsSpec{
1161 {
1162 {
1163 ekus: []string{"serverAuth", "email"},
1164 },
1165 },
1166 },
1167 leaf: leafSpec{
1168 sans: []string{"dns:example.com"},
1169 ekus: []string{"serverAuth"},
1170 },
1171 },
1172 {
1173 name: "EKUs in root are effective",
1174 roots: []constraintsSpec{
1175 {
1176 ekus: []string{"email"},
1177 },
1178 },
1179 intermediates: [][]constraintsSpec{
1180 {
1181 {
1182 ekus: []string{"serverAuth"},
1183 },
1184 },
1185 },
1186 leaf: leafSpec{
1187 sans: []string{"dns:example.com"},
1188 ekus: []string{"serverAuth"},
1189 },
1190 expectedError: "incompatible key usage",
1191 },
1192 {
1193 name: "netscapeSGC EKU does not permit server/client auth",
1194 roots: []constraintsSpec{
1195 {},
1196 },
1197 intermediates: [][]constraintsSpec{
1198 {
1199 {
1200 ekus: []string{"netscapeSGC"},
1201 },
1202 },
1203 },
1204 leaf: leafSpec{
1205 sans: []string{"dns:example.com"},
1206 ekus: []string{"serverAuth", "clientAuth"},
1207 },
1208 expectedError: "incompatible key usage",
1209 },
1210 {
1211 name: "msSGC EKU does not permit server/client auth",
1212 roots: make([]constraintsSpec, 1),
1213 intermediates: [][]constraintsSpec{
1214 {
1215 {
1216 ekus: []string{"msSGC"},
1217 },
1218 },
1219 },
1220 leaf: leafSpec{
1221 sans: []string{"dns:example.com"},
1222 ekus: []string{"serverAuth", "clientAuth"},
1223 },
1224 expectedError: "incompatible key usage",
1225 },
1226 {
1227 name: "empty DNS permitted constraint allows anything",
1228 roots: []constraintsSpec{
1229 {
1230 ok: []string{"dns:"},
1231 },
1232 },
1233 intermediates: [][]constraintsSpec{
1234 {
1235 {},
1236 },
1237 },
1238 leaf: leafSpec{
1239 sans: []string{"dns:example.com"},
1240 },
1241 },
1242 {
1243 name: "empty DNS excluded constraint rejects everything",
1244 roots: []constraintsSpec{
1245 {
1246 bad: []string{"dns:"},
1247 },
1248 },
1249 intermediates: [][]constraintsSpec{
1250 {
1251 {},
1252 },
1253 },
1254 leaf: leafSpec{
1255 sans: []string{"dns:example.com"},
1256 },
1257 expectedError: "\"example.com\" is excluded",
1258 },
1259 {
1260 name: "empty email permitted constraint allows anything",
1261 roots: []constraintsSpec{
1262 {
1263 ok: []string{"email:"},
1264 },
1265 },
1266 intermediates: [][]constraintsSpec{
1267 {
1268 {},
1269 },
1270 },
1271 leaf: leafSpec{
1272 sans: []string{"email:foo@example.com"},
1273 },
1274 },
1275 {
1276 name: "empty email excluded constraint rejects everything",
1277 roots: []constraintsSpec{
1278 {
1279 bad: []string{"email:"},
1280 },
1281 },
1282 intermediates: [][]constraintsSpec{
1283 {
1284 {},
1285 },
1286 },
1287 leaf: leafSpec{
1288 sans: []string{"email:foo@example.com"},
1289 },
1290 expectedError: "\"foo@example.com\" is excluded",
1291 },
1292 {
1293 name: "empty URI permitted constraint allows anything",
1294 roots: []constraintsSpec{
1295 {
1296 ok: []string{"uri:"},
1297 },
1298 },
1299 intermediates: [][]constraintsSpec{
1300 {
1301 {},
1302 },
1303 },
1304 leaf: leafSpec{
1305 sans: []string{"uri:https://example.com/test"},
1306 },
1307 },
1308 {
1309 name: "empty URI excluded constraint rejects everything",
1310 roots: []constraintsSpec{
1311 {
1312 bad: []string{"uri:"},
1313 },
1314 },
1315 intermediates: [][]constraintsSpec{
1316 {
1317 {},
1318 },
1319 },
1320 leaf: leafSpec{
1321 sans: []string{"uri:https://example.com/test"},
1322 },
1323 expectedError: "\"https://example.com/test\" is excluded",
1324 },
1325 {
1326 name: "serverAuth EKU does not permit clientAuth",
1327 roots: make([]constraintsSpec, 1),
1328 intermediates: [][]constraintsSpec{
1329 {
1330 {},
1331 },
1332 },
1333 leaf: leafSpec{
1334 sans: []string{"dns:example.com"},
1335 ekus: []string{"serverAuth"},
1336 },
1337 requestedEKUs: []ExtKeyUsage{ExtKeyUsageClientAuth},
1338 expectedError: "incompatible key usage",
1339 },
1340 {
1341 name: "msSGC EKU does not permit serverAuth",
1342 roots: make([]constraintsSpec, 1),
1343 intermediates: [][]constraintsSpec{
1344 {
1345 {},
1346 },
1347 },
1348 leaf: leafSpec{
1349 sans: []string{"dns:example.com"},
1350 ekus: []string{"msSGC"},
1351 },
1352 requestedEKUs: []ExtKeyUsage{ExtKeyUsageServerAuth},
1353 expectedError: "incompatible key usage",
1354 },
1355 {
1356
1357
1358
1359 name: "invalid SANs are ignored with no constraints",
1360 roots: make([]constraintsSpec, 1),
1361 intermediates: [][]constraintsSpec{
1362 {
1363 {},
1364 },
1365 },
1366 leaf: leafSpec{
1367 sans: []string{"dns:this is invalid", "email:this @ is invalid"},
1368 },
1369 },
1370 {
1371 name: "invalid DNS SAN detected with constraints",
1372 roots: []constraintsSpec{
1373 {
1374 bad: []string{"uri:"},
1375 },
1376 },
1377 intermediates: [][]constraintsSpec{
1378 {
1379 {},
1380 },
1381 },
1382 leaf: leafSpec{
1383 sans: []string{"dns:this is invalid"},
1384 },
1385 expectedError: "cannot parse dnsName",
1386 },
1387 {
1388 name: "invalid email SAN detected with constraints",
1389 roots: []constraintsSpec{
1390 {
1391 bad: []string{"uri:"},
1392 },
1393 },
1394 intermediates: [][]constraintsSpec{
1395 {
1396 {},
1397 },
1398 },
1399 leaf: leafSpec{
1400 sans: []string{"email:this @ is invalid"},
1401 },
1402 expectedError: "cannot parse rfc822Name",
1403 },
1404 {
1405 name: "any requested EKU is sufficient",
1406 roots: make([]constraintsSpec, 1),
1407 intermediates: [][]constraintsSpec{
1408 {
1409 {},
1410 },
1411 },
1412 leaf: leafSpec{
1413 sans: []string{"dns:example.com"},
1414 ekus: []string{"email"},
1415 },
1416 requestedEKUs: []ExtKeyUsage{ExtKeyUsageClientAuth, ExtKeyUsageEmailProtection},
1417 },
1418 {
1419 name: "unrequested EKUs not required to be nested",
1420 roots: make([]constraintsSpec, 1),
1421 intermediates: [][]constraintsSpec{
1422 {
1423 {
1424 ekus: []string{"serverAuth"},
1425 },
1426 },
1427 },
1428 leaf: leafSpec{
1429 sans: []string{"dns:example.com"},
1430
1431
1432 ekus: []string{"email", "serverAuth"},
1433 },
1434 },
1435 {
1436 name: "empty leaf is accepted in constrained chain",
1437 roots: []constraintsSpec{
1438 {
1439 ok: []string{"dns:foo.com", "dns:.foo.com"},
1440 },
1441 },
1442 intermediates: [][]constraintsSpec{
1443 {
1444 {},
1445 },
1446 },
1447 leaf: leafSpec{
1448 sans: []string{},
1449 },
1450 },
1451 {
1452 name: "no SANs and non-hostname CN is accepted in constrained chain",
1453 roots: []constraintsSpec{
1454 {
1455 ok: []string{"dns:foo.com", "dns:.foo.com"},
1456 },
1457 },
1458 intermediates: [][]constraintsSpec{
1459 {
1460 {},
1461 },
1462 },
1463 leaf: leafSpec{
1464 sans: []string{},
1465 cn: "foo.bar",
1466 },
1467 },
1468 {
1469 name: "constraints don't apply to CN",
1470 roots: []constraintsSpec{
1471 {
1472 ok: []string{"dns:foo.com", "dns:.foo.com"},
1473 },
1474 },
1475 intermediates: [][]constraintsSpec{
1476 {
1477 {},
1478 },
1479 },
1480 leaf: leafSpec{
1481 sans: []string{"dns:foo.com"},
1482 cn: "foo.bar",
1483 },
1484 },
1485 {
1486 name: "DNS SAN cannot use leading period form",
1487 roots: []constraintsSpec{{ok: []string{"dns:example.com"}}},
1488 leaf: leafSpec{sans: []string{"dns:.example.com"}},
1489 expectedError: "cannot parse dnsName \".example.com\"",
1490 },
1491 {
1492 name: "URI with IPv6 and zone is rejected",
1493 roots: []constraintsSpec{
1494 {
1495 ok: []string{"uri:example.com"},
1496 },
1497 },
1498 intermediates: [][]constraintsSpec{
1499 {
1500 {},
1501 },
1502 },
1503 leaf: leafSpec{
1504 sans: []string{"uri:http://[2006:abcd::1%25.example.com]:16/"},
1505 },
1506 expectedError: "URI with IP",
1507 },
1508 {
1509 name: "intermediate can narrow permitted dns scope",
1510 roots: []constraintsSpec{
1511 {
1512 ok: []string{"dns:"},
1513 },
1514 },
1515 intermediates: [][]constraintsSpec{
1516 {
1517 {
1518 ok: []string{"dns:example.com"},
1519 },
1520 },
1521 },
1522 leaf: leafSpec{
1523 sans: []string{"dns:test.com"},
1524 },
1525 expectedError: "\"test.com\" is not permitted",
1526 },
1527 {
1528 name: "intermediate cannot narrow excluded dns scope",
1529 roots: []constraintsSpec{
1530 {
1531 bad: []string{"dns:"},
1532 },
1533 },
1534 intermediates: [][]constraintsSpec{
1535 {
1536 {
1537 bad: []string{"dns:example.com"},
1538 },
1539 },
1540 },
1541 leaf: leafSpec{
1542 sans: []string{"dns:test.com"},
1543 },
1544 expectedError: "\"test.com\" is excluded by constraint \"\"",
1545 },
1546 {
1547 name: "intermediate can narrow excluded dns scope",
1548 roots: []constraintsSpec{
1549 {
1550 bad: []string{"dns:example.com"},
1551 },
1552 },
1553 intermediates: [][]constraintsSpec{
1554 {
1555 {
1556 bad: []string{"dns:"},
1557 },
1558 },
1559 },
1560 leaf: leafSpec{
1561 sans: []string{"dns:test.com"},
1562 },
1563 expectedError: "\"test.com\" is excluded by constraint \"\"",
1564 },
1565 {
1566 name: "permitted dns constraint is not a prefix match",
1567 roots: []constraintsSpec{
1568 {
1569 ok: []string{"dns:example.com"},
1570 },
1571 },
1572 intermediates: [][]constraintsSpec{
1573 {
1574 {},
1575 },
1576 },
1577 leaf: leafSpec{
1578 sans: []string{"dns:testexample.com"},
1579 },
1580 expectedError: "\"testexample.com\" is not permitted",
1581 },
1582 {
1583 name: "subdomain constraint does not allow wildcard",
1584 roots: []constraintsSpec{
1585 {
1586 ok: []string{"dns:a.com", "dns:foo.example.com", "dns:z.com"},
1587 },
1588 },
1589 intermediates: [][]constraintsSpec{
1590 {
1591 {},
1592 },
1593 },
1594 leaf: leafSpec{
1595 sans: []string{"dns:*.example.com"},
1596 },
1597 expectedError: "\"*.example.com\" is not permitted",
1598 },
1599 {
1600 name: "excluded dns constraint is not a prefix match",
1601 roots: []constraintsSpec{
1602 {
1603 bad: []string{"dns:example.com"},
1604 },
1605 },
1606 intermediates: [][]constraintsSpec{
1607 {
1608 {},
1609 },
1610 },
1611 leaf: leafSpec{
1612 sans: []string{"dns:testexample.com"},
1613 },
1614 },
1615 {
1616 name: "excluded email constraint, multiple email with matching local portion",
1617 roots: []constraintsSpec{
1618 {
1619 bad: []string{"email:a@example.com", "email:a@test.com"},
1620 },
1621 },
1622 intermediates: [][]constraintsSpec{
1623 {
1624 {},
1625 },
1626 },
1627 leaf: leafSpec{
1628 sans: []string{"email:a@example.com"},
1629 },
1630 expectedError: "\"a@example.com\" is excluded by constraint \"a@example.com\"",
1631 },
1632 {
1633 name: "email_case_check",
1634 roots: []constraintsSpec{
1635 {
1636 ok: []string{"email:a@example.com"},
1637 },
1638 },
1639 intermediates: [][]constraintsSpec{
1640 {
1641 {},
1642 },
1643 },
1644 leaf: leafSpec{
1645 sans: []string{"email:a@ExAmple.com"},
1646 },
1647 },
1648 {
1649 name: "excluded constraint, empty DNS san",
1650 roots: []constraintsSpec{
1651 {
1652 bad: []string{"dns:example.com"},
1653 },
1654 },
1655 leaf: leafSpec{
1656 sans: []string{"dns:"},
1657 },
1658 },
1659 {
1660 name: "subdomain exclusion blocks uppercase wildcard",
1661 roots: []constraintsSpec{{
1662 bad: []string{"dns:sub.example.com"},
1663 }},
1664 intermediates: [][]constraintsSpec{{{}}},
1665 leaf: leafSpec{
1666 sans: []string{"dns:*.EXAMPLE.COM"},
1667 },
1668 expectedError: "\"*.EXAMPLE.COM\" is excluded by constraint \"sub.example.com\"",
1669 },
1670 {
1671 name: "uppercase subdomain exclusion blocks lowercase wildcard",
1672 roots: []constraintsSpec{{
1673 bad: []string{"dns:SUB.EXAMPLE.COM"},
1674 }},
1675 intermediates: [][]constraintsSpec{{{}}},
1676 leaf: leafSpec{
1677 sans: []string{"dns:*.example.com"},
1678 },
1679 expectedError: "\"*.example.com\" is excluded by constraint \"sub.example.com\"",
1680 },
1681 }
1682
1683 func makeConstraintsCACert(constraints constraintsSpec, name string, key *ecdsa.PrivateKey, parent *Certificate, parentKey *ecdsa.PrivateKey) (*Certificate, error) {
1684 var serialBytes [16]byte
1685 rand.Read(serialBytes[:])
1686
1687 template := &Certificate{
1688 SerialNumber: new(big.Int).SetBytes(serialBytes[:]),
1689 Subject: pkix.Name{
1690 CommonName: name,
1691 },
1692 NotBefore: time.Unix(1000, 0),
1693 NotAfter: time.Unix(2000, 0),
1694 KeyUsage: KeyUsageCertSign,
1695 BasicConstraintsValid: true,
1696 IsCA: true,
1697 }
1698
1699 if err := addConstraintsToTemplate(constraints, template); err != nil {
1700 return nil, err
1701 }
1702
1703 if parent == nil {
1704 parent = template
1705 }
1706 derBytes, err := CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
1707 if err != nil {
1708 return nil, err
1709 }
1710
1711 caCert, err := ParseCertificate(derBytes)
1712 if err != nil {
1713 return nil, err
1714 }
1715
1716 return caCert, nil
1717 }
1718
1719 func makeConstraintsLeafCert(leaf leafSpec, key *ecdsa.PrivateKey, parent *Certificate, parentKey *ecdsa.PrivateKey) (*Certificate, error) {
1720 var serialBytes [16]byte
1721 rand.Read(serialBytes[:])
1722
1723 template := &Certificate{
1724 SerialNumber: new(big.Int).SetBytes(serialBytes[:]),
1725 Subject: pkix.Name{
1726 OrganizationalUnit: []string{"Leaf"},
1727 CommonName: leaf.cn,
1728 },
1729 NotBefore: time.Unix(1000, 0),
1730 NotAfter: time.Unix(2000, 0),
1731 KeyUsage: KeyUsageDigitalSignature,
1732 BasicConstraintsValid: true,
1733 IsCA: false,
1734 }
1735
1736 for _, name := range leaf.sans {
1737 switch {
1738 case strings.HasPrefix(name, "dns:"):
1739 template.DNSNames = append(template.DNSNames, name[4:])
1740
1741 case strings.HasPrefix(name, "ip:"):
1742 ip := net.ParseIP(name[3:])
1743 if ip == nil {
1744 return nil, fmt.Errorf("cannot parse IP %q", name[3:])
1745 }
1746 template.IPAddresses = append(template.IPAddresses, ip)
1747
1748 case strings.HasPrefix(name, "invalidip:"):
1749 ipBytes, err := hex.DecodeString(name[10:])
1750 if err != nil {
1751 return nil, fmt.Errorf("cannot parse invalid IP: %s", err)
1752 }
1753 template.IPAddresses = append(template.IPAddresses, net.IP(ipBytes))
1754
1755 case strings.HasPrefix(name, "email:"):
1756 template.EmailAddresses = append(template.EmailAddresses, name[6:])
1757
1758 case strings.HasPrefix(name, "uri:"):
1759 uri, err := url.Parse(name[4:])
1760 if err != nil {
1761 return nil, fmt.Errorf("cannot parse URI %q: %s", name[4:], err)
1762 }
1763 template.URIs = append(template.URIs, uri)
1764
1765 case strings.HasPrefix(name, "unknown:"):
1766
1767
1768
1769 if len(leaf.sans) != 1 {
1770 panic("when using unknown name types, it must be the sole name")
1771 }
1772
1773 template.ExtraExtensions = append(template.ExtraExtensions, pkix.Extension{
1774 Id: []int{2, 5, 29, 17},
1775 Value: []byte{
1776 0x30,
1777 3,
1778 9,
1779 1,
1780 1,
1781 },
1782 })
1783
1784 default:
1785 return nil, fmt.Errorf("unknown name type %q", name)
1786 }
1787 }
1788
1789 var err error
1790 if template.ExtKeyUsage, template.UnknownExtKeyUsage, err = parseEKUs(leaf.ekus); err != nil {
1791 return nil, err
1792 }
1793
1794 if parent == nil {
1795 parent = template
1796 }
1797
1798 derBytes, err := CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
1799 if err != nil {
1800 return nil, err
1801 }
1802
1803 return ParseCertificate(derBytes)
1804 }
1805
1806 func customConstraintsExtension(typeNum int, constraint []byte, isExcluded bool) pkix.Extension {
1807 appendConstraint := func(contents []byte, tag uint8) []byte {
1808 contents = append(contents, tag|32 |0x80 )
1809 contents = append(contents, byte(4+len(constraint)) )
1810 contents = append(contents, 0x30 )
1811 contents = append(contents, byte(2+len(constraint)) )
1812 contents = append(contents, byte(typeNum) )
1813 contents = append(contents, byte(len(constraint)))
1814 return append(contents, constraint...)
1815 }
1816
1817 var contents []byte
1818 if !isExcluded {
1819 contents = appendConstraint(contents, 0 )
1820 } else {
1821 contents = appendConstraint(contents, 1 )
1822 }
1823
1824 var value []byte
1825 value = append(value, 0x30 )
1826 value = append(value, byte(len(contents)))
1827 value = append(value, contents...)
1828
1829 return pkix.Extension{
1830 Id: []int{2, 5, 29, 30},
1831 Value: value,
1832 }
1833 }
1834
1835 func addConstraintsToTemplate(constraints constraintsSpec, template *Certificate) error {
1836 parse := func(constraints []string) (dnsNames []string, ips []*net.IPNet, emailAddrs []string, uriDomains []string, err error) {
1837 for _, constraint := range constraints {
1838 switch {
1839 case strings.HasPrefix(constraint, "dns:"):
1840 dnsNames = append(dnsNames, constraint[4:])
1841
1842 case strings.HasPrefix(constraint, "ip:"):
1843 _, ipNet, err := net.ParseCIDR(constraint[3:])
1844 if err != nil {
1845 return nil, nil, nil, nil, err
1846 }
1847 ips = append(ips, ipNet)
1848
1849 case strings.HasPrefix(constraint, "email:"):
1850 emailAddrs = append(emailAddrs, constraint[6:])
1851
1852 case strings.HasPrefix(constraint, "uri:"):
1853 uriDomains = append(uriDomains, constraint[4:])
1854
1855 default:
1856 return nil, nil, nil, nil, fmt.Errorf("unknown constraint %q", constraint)
1857 }
1858 }
1859
1860 return dnsNames, ips, emailAddrs, uriDomains, err
1861 }
1862
1863 handleSpecialConstraint := func(constraint string, isExcluded bool) bool {
1864 switch {
1865 case constraint == "unknown:":
1866 template.ExtraExtensions = append(template.ExtraExtensions, customConstraintsExtension(9 , []byte{1}, isExcluded))
1867
1868 default:
1869 return false
1870 }
1871
1872 return true
1873 }
1874
1875 if len(constraints.ok) == 1 && len(constraints.bad) == 0 {
1876 if handleSpecialConstraint(constraints.ok[0], false) {
1877 return nil
1878 }
1879 }
1880
1881 if len(constraints.bad) == 1 && len(constraints.ok) == 0 {
1882 if handleSpecialConstraint(constraints.bad[0], true) {
1883 return nil
1884 }
1885 }
1886
1887 var err error
1888 template.PermittedDNSDomains, template.PermittedIPRanges, template.PermittedEmailAddresses, template.PermittedURIDomains, err = parse(constraints.ok)
1889 if err != nil {
1890 return err
1891 }
1892
1893 template.ExcludedDNSDomains, template.ExcludedIPRanges, template.ExcludedEmailAddresses, template.ExcludedURIDomains, err = parse(constraints.bad)
1894 if err != nil {
1895 return err
1896 }
1897
1898 if template.ExtKeyUsage, template.UnknownExtKeyUsage, err = parseEKUs(constraints.ekus); err != nil {
1899 return err
1900 }
1901
1902 return nil
1903 }
1904
1905 func parseEKUs(ekuStrs []string) (ekus []ExtKeyUsage, unknowns []asn1.ObjectIdentifier, err error) {
1906 for _, s := range ekuStrs {
1907 switch s {
1908 case "serverAuth":
1909 ekus = append(ekus, ExtKeyUsageServerAuth)
1910 case "clientAuth":
1911 ekus = append(ekus, ExtKeyUsageClientAuth)
1912 case "email":
1913 ekus = append(ekus, ExtKeyUsageEmailProtection)
1914 case "netscapeSGC":
1915 ekus = append(ekus, ExtKeyUsageNetscapeServerGatedCrypto)
1916 case "msSGC":
1917 ekus = append(ekus, ExtKeyUsageMicrosoftServerGatedCrypto)
1918 case "any":
1919 ekus = append(ekus, ExtKeyUsageAny)
1920 case "other":
1921 unknowns = append(unknowns, asn1.ObjectIdentifier{2, 4, 1, 2, 3})
1922 default:
1923 return nil, nil, fmt.Errorf("unknown EKU %q", s)
1924 }
1925 }
1926
1927 return
1928 }
1929
1930 func TestConstraintCases(t *testing.T) {
1931 privateKeys := sync.Pool{
1932 New: func() any {
1933 priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
1934 if err != nil {
1935 panic(err)
1936 }
1937 return priv
1938 },
1939 }
1940
1941 for i, test := range nameConstraintsTests {
1942 t.Run(test.name, func(t *testing.T) {
1943 rootPool := NewCertPool()
1944 rootKey := privateKeys.Get().(*ecdsa.PrivateKey)
1945 rootName := "Root " + strconv.Itoa(i)
1946
1947
1948
1949 keys := []*ecdsa.PrivateKey{rootKey}
1950
1951
1952
1953
1954
1955
1956
1957 var parent *Certificate
1958 parentKey := rootKey
1959
1960 for _, root := range test.roots {
1961 rootCert, err := makeConstraintsCACert(root, rootName, rootKey, nil, rootKey)
1962 if err != nil {
1963 t.Fatalf("failed to create root: %s", err)
1964 }
1965
1966 parent = rootCert
1967 rootPool.AddCert(rootCert)
1968 }
1969
1970 intermediatePool := NewCertPool()
1971
1972 for level, intermediates := range test.intermediates {
1973 levelKey := privateKeys.Get().(*ecdsa.PrivateKey)
1974 keys = append(keys, levelKey)
1975 levelName := "Intermediate level " + strconv.Itoa(level)
1976 var last *Certificate
1977
1978 for _, intermediate := range intermediates {
1979 caCert, err := makeConstraintsCACert(intermediate, levelName, levelKey, parent, parentKey)
1980 if err != nil {
1981 t.Fatalf("failed to create %q: %s", levelName, err)
1982 }
1983
1984 last = caCert
1985 intermediatePool.AddCert(caCert)
1986 }
1987
1988 parent = last
1989 parentKey = levelKey
1990 }
1991
1992 leafKey := privateKeys.Get().(*ecdsa.PrivateKey)
1993 keys = append(keys, leafKey)
1994
1995 leafCert, err := makeConstraintsLeafCert(test.leaf, leafKey, parent, parentKey)
1996 if err != nil {
1997 t.Fatalf("cannot create leaf: %s", err)
1998 }
1999
2000
2001
2002 if !test.noOpenSSL && testNameConstraintsAgainstOpenSSL && test.leaf.cn == "" {
2003 output, err := testChainAgainstOpenSSL(t, leafCert, intermediatePool, rootPool)
2004 if err == nil && len(test.expectedError) > 0 {
2005 t.Error("unexpectedly succeeded against OpenSSL")
2006 if debugOpenSSLFailure {
2007 return
2008 }
2009 }
2010
2011 if err != nil {
2012 if _, ok := err.(*exec.ExitError); !ok {
2013 t.Errorf("OpenSSL failed to run: %s", err)
2014 } else if len(test.expectedError) == 0 {
2015 t.Errorf("OpenSSL unexpectedly failed: %v", output)
2016 if debugOpenSSLFailure {
2017 return
2018 }
2019 }
2020 }
2021 }
2022
2023 verifyOpts := VerifyOptions{
2024 Roots: rootPool,
2025 Intermediates: intermediatePool,
2026 CurrentTime: time.Unix(1500, 0),
2027 KeyUsages: test.requestedEKUs,
2028 }
2029 _, err = leafCert.Verify(verifyOpts)
2030
2031 logInfo := false
2032 if len(test.expectedError) == 0 {
2033 if err != nil {
2034 t.Errorf("unexpected failure: %s", err)
2035 } else {
2036 logInfo = false
2037 }
2038 } else {
2039 if err == nil {
2040 t.Error("unexpected success")
2041 } else if !strings.Contains(err.Error(), test.expectedError) {
2042 t.Errorf("expected error containing %q, but got: %s", test.expectedError, err)
2043 } else {
2044 logInfo = false
2045 }
2046 }
2047
2048 if logInfo {
2049 certAsPEM := func(cert *Certificate) string {
2050 var buf bytes.Buffer
2051 pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
2052 return buf.String()
2053 }
2054 t.Errorf("root:\n%s", certAsPEM(rootPool.mustCert(t, 0)))
2055 if intermediates := allCerts(t, intermediatePool); len(intermediates) > 0 {
2056 for ii, intermediate := range intermediates {
2057 t.Errorf("intermediate %d:\n%s", ii, certAsPEM(intermediate))
2058 }
2059 }
2060 t.Errorf("leaf:\n%s", certAsPEM(leafCert))
2061 }
2062
2063 for _, key := range keys {
2064 privateKeys.Put(key)
2065 }
2066 })
2067 }
2068 }
2069
2070 func writePEMsToTempFile(certs []*Certificate) *os.File {
2071 file, err := os.CreateTemp("", "name_constraints_test")
2072 if err != nil {
2073 panic("cannot create tempfile")
2074 }
2075
2076 pemBlock := &pem.Block{Type: "CERTIFICATE"}
2077 for _, cert := range certs {
2078 pemBlock.Bytes = cert.Raw
2079 pem.Encode(file, pemBlock)
2080 }
2081
2082 return file
2083 }
2084
2085 func testChainAgainstOpenSSL(t *testing.T, leaf *Certificate, intermediates, roots *CertPool) (string, error) {
2086 args := []string{"verify", "-no_check_time"}
2087
2088 rootsFile := writePEMsToTempFile(allCerts(t, roots))
2089 if debugOpenSSLFailure {
2090 println("roots file:", rootsFile.Name())
2091 } else {
2092 defer os.Remove(rootsFile.Name())
2093 }
2094 args = append(args, "-CAfile", rootsFile.Name())
2095
2096 if intermediates.len() > 0 {
2097 intermediatesFile := writePEMsToTempFile(allCerts(t, intermediates))
2098 if debugOpenSSLFailure {
2099 println("intermediates file:", intermediatesFile.Name())
2100 } else {
2101 defer os.Remove(intermediatesFile.Name())
2102 }
2103 args = append(args, "-untrusted", intermediatesFile.Name())
2104 }
2105
2106 leafFile := writePEMsToTempFile([]*Certificate{leaf})
2107 if debugOpenSSLFailure {
2108 println("leaf file:", leafFile.Name())
2109 } else {
2110 defer os.Remove(leafFile.Name())
2111 }
2112 args = append(args, leafFile.Name())
2113
2114 cmd := testenv.Command(t, "openssl", args...)
2115 out, err := cmd.CombinedOutput()
2116 return string(out), err
2117 }
2118
2119 var rfc2821Tests = []struct {
2120 in string
2121 localPart, domain string
2122 }{
2123 {"foo@example.com", "foo", "example.com"},
2124 {"@example.com", "", ""},
2125 {"\"@example.com", "", ""},
2126 {"\"\"@example.com", "", "example.com"},
2127 {"\"a\"@example.com", "a", "example.com"},
2128 {"\"\\a\"@example.com", "a", "example.com"},
2129 {"a\"@example.com", "", ""},
2130 {"foo..bar@example.com", "", ""},
2131 {".foo.bar@example.com", "", ""},
2132 {"foo.bar.@example.com", "", ""},
2133 {"|{}?'@example.com", "|{}?'", "example.com"},
2134
2135
2136 {"Abc\\@def@example.com", "Abc@def", "example.com"},
2137 {"Fred\\ Bloggs@example.com", "Fred Bloggs", "example.com"},
2138 {"Joe.\\\\Blow@example.com", "Joe.\\Blow", "example.com"},
2139 {"\"Abc@def\"@example.com", "Abc@def", "example.com"},
2140 {"\"Fred Bloggs\"@example.com", "Fred Bloggs", "example.com"},
2141 {"customer/department=shipping@example.com", "customer/department=shipping", "example.com"},
2142 {"$A12345@example.com", "$A12345", "example.com"},
2143 {"!def!xyz%abc@example.com", "!def!xyz%abc", "example.com"},
2144 {"_somename@example.com", "_somename", "example.com"},
2145 }
2146
2147 func TestRFC2821Parsing(t *testing.T) {
2148 for i, test := range rfc2821Tests {
2149 mailbox, ok := parseRFC2821Mailbox(test.in)
2150 expectedFailure := len(test.localPart) == 0 && len(test.domain) == 0
2151
2152 if ok && expectedFailure {
2153 t.Errorf("#%d: %q unexpectedly parsed as (%q, %q)", i, test.in, mailbox.local, mailbox.domain)
2154 continue
2155 }
2156
2157 if !ok && !expectedFailure {
2158 t.Errorf("#%d: unexpected failure for %q", i, test.in)
2159 continue
2160 }
2161
2162 if !ok {
2163 continue
2164 }
2165
2166 if mailbox.local != test.localPart || mailbox.domain != test.domain {
2167 t.Errorf("#%d: %q parsed as (%q, %q), but wanted (%q, %q)", i, test.in, mailbox.local, mailbox.domain, test.localPart, test.domain)
2168 }
2169 }
2170 }
2171
2172 func TestBadNamesInConstraints(t *testing.T) {
2173 constraintParseError := func(err error) bool {
2174 str := err.Error()
2175 return strings.Contains(str, "failed to parse ") && strings.Contains(str, "constraint")
2176 }
2177
2178 encodingError := func(err error) bool {
2179 return strings.Contains(err.Error(), "cannot be encoded as an IA5String")
2180 }
2181
2182
2183 badNames := []struct {
2184 name string
2185 matcher func(error) bool
2186 }{
2187 {"dns:foo.com.", constraintParseError},
2188 {"email:abc@foo.com.", constraintParseError},
2189 {"email:foo.com.", constraintParseError},
2190 {"uri:example.com.", constraintParseError},
2191 {"uri:1.2.3.4", constraintParseError},
2192 {"uri:ffff::1", constraintParseError},
2193 {"dns:not–hyphen.com", encodingError},
2194 {"email:foo@not–hyphen.com", encodingError},
2195 {"uri:not–hyphen.com", encodingError},
2196 }
2197
2198 priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
2199 if err != nil {
2200 panic(err)
2201 }
2202
2203 for _, test := range badNames {
2204 _, err := makeConstraintsCACert(constraintsSpec{
2205 ok: []string{test.name},
2206 }, "TestAbsoluteNamesInConstraints", priv, nil, priv)
2207
2208 if err == nil {
2209 t.Errorf("bad name %q unexpectedly accepted in name constraint", test.name)
2210 continue
2211 } else {
2212 if !test.matcher(err) {
2213 t.Errorf("bad name %q triggered unrecognised error: %s", test.name, err)
2214 }
2215 }
2216 }
2217 }
2218
2219 func TestBadNamesInSANs(t *testing.T) {
2220
2221
2222
2223 badNames := []string{
2224 "uri:https://example.com./dsf",
2225 "invalidip:0102",
2226 "invalidip:0102030405",
2227 }
2228
2229 priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
2230 if err != nil {
2231 panic(err)
2232 }
2233
2234 for _, badName := range badNames {
2235 _, err := makeConstraintsLeafCert(leafSpec{sans: []string{badName}}, priv, nil, priv)
2236
2237 if err == nil {
2238 t.Errorf("bad name %q unexpectedly accepted in SAN", badName)
2239 continue
2240 }
2241
2242 if str := err.Error(); !strings.Contains(str, "cannot parse ") {
2243 t.Errorf("bad name %q triggered unrecognised error: %s", badName, str)
2244 }
2245 }
2246 }
2247
View as plain text