Return error on attestation validation
The method storeError returns a nil error
This commit is contained in:
parent
ab5f916bd3
commit
ca412e77cc
1 changed files with 35 additions and 24 deletions
|
@ -11,13 +11,11 @@ import (
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
"encoding/hex"
|
"encoding/hex"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"encoding/pem"
|
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"net"
|
"net"
|
||||||
"net/url"
|
"net/url"
|
||||||
"os"
|
|
||||||
"reflect"
|
"reflect"
|
||||||
"strconv"
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
|
@ -344,7 +342,15 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
|
||||||
case "apple":
|
case "apple":
|
||||||
data, err := doAppleAttestationFormat(ctx, ch, db, &att)
|
data, err := doAppleAttestationFormat(ctx, ch, db, &att)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
var acmeError *Error
|
||||||
|
if errors.As(err, &acmeError) {
|
||||||
|
if acmeError.Status == 500 {
|
||||||
|
return acmeError
|
||||||
|
}
|
||||||
|
return storeError(ctx, db, ch, true, acmeError)
|
||||||
|
} else {
|
||||||
|
return WrapErrorISE(err, "error validating attestation")
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Validate nonce with SHA-256 of the token.
|
// Validate nonce with SHA-256 of the token.
|
||||||
|
@ -365,7 +371,16 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
|
||||||
case "step":
|
case "step":
|
||||||
data, err := doStepAttestationFormat(ctx, ch, db, &att)
|
data, err := doStepAttestationFormat(ctx, ch, db, &att)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
var acmeError *Error
|
||||||
|
if errors.As(err, &acmeError) {
|
||||||
|
fmt.Println(acmeError)
|
||||||
|
if acmeError.Status == 500 {
|
||||||
|
return acmeError
|
||||||
|
}
|
||||||
|
return storeError(ctx, db, ch, true, acmeError)
|
||||||
|
} else {
|
||||||
|
return WrapErrorISE(err, "error validating attestation")
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Validate Apple's ClientIdentifier (Identifier.Value) with device
|
// Validate Apple's ClientIdentifier (Identifier.Value) with device
|
||||||
|
@ -432,30 +447,30 @@ func doAppleAttestationFormat(ctx context.Context, ch *Challenge, db DB, att *At
|
||||||
|
|
||||||
x5c, ok := att.AttStatement["x5c"].([]interface{})
|
x5c, ok := att.AttStatement["x5c"].([]interface{})
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatement, "x5c not present"))
|
return nil, NewError(ErrorBadAttestationStatement, "x5c not present")
|
||||||
}
|
}
|
||||||
if len(x5c) == 0 {
|
if len(x5c) == 0 {
|
||||||
return nil, storeError(ctx, db, ch, true, NewError(ErrorRejectedIdentifierType, "x5c is empty"))
|
return nil, NewError(ErrorRejectedIdentifierType, "x5c is empty")
|
||||||
}
|
}
|
||||||
|
|
||||||
der, ok := x5c[0].([]byte)
|
der, ok := x5c[0].([]byte)
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatement, "x5c is malformed"))
|
return nil, NewError(ErrorBadAttestationStatement, "x5c is malformed")
|
||||||
}
|
}
|
||||||
leaf, err := x509.ParseCertificate(der)
|
leaf, err := x509.ParseCertificate(der)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, storeError(ctx, db, ch, true, WrapError(ErrorBadAttestationStatement, err, "x5c is malformed"))
|
return nil, WrapError(ErrorBadAttestationStatement, err, "x5c is malformed")
|
||||||
}
|
}
|
||||||
|
|
||||||
intermediates := x509.NewCertPool()
|
intermediates := x509.NewCertPool()
|
||||||
for _, v := range x5c[1:] {
|
for _, v := range x5c[1:] {
|
||||||
der, ok = v.([]byte)
|
der, ok = v.([]byte)
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatement, "x5c is malformed"))
|
return nil, NewError(ErrorBadAttestationStatement, "x5c is malformed")
|
||||||
}
|
}
|
||||||
cert, err := x509.ParseCertificate(der)
|
cert, err := x509.ParseCertificate(der)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, storeError(ctx, db, ch, true, WrapError(ErrorBadAttestationStatement, err, "x5c is malformed"))
|
return nil, WrapError(ErrorBadAttestationStatement, err, "x5c is malformed")
|
||||||
}
|
}
|
||||||
intermediates.AddCert(cert)
|
intermediates.AddCert(cert)
|
||||||
}
|
}
|
||||||
|
@ -466,7 +481,7 @@ func doAppleAttestationFormat(ctx context.Context, ch *Challenge, db DB, att *At
|
||||||
CurrentTime: time.Now().Truncate(time.Second),
|
CurrentTime: time.Now().Truncate(time.Second),
|
||||||
KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
|
KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
|
||||||
}); err != nil {
|
}); err != nil {
|
||||||
return nil, storeError(ctx, db, ch, true, WrapError(ErrorBadAttestationStatement, err, "x5c is not valid"))
|
return nil, WrapError(ErrorBadAttestationStatement, err, "x5c is not valid")
|
||||||
}
|
}
|
||||||
|
|
||||||
data := &appleAttestationData{
|
data := &appleAttestationData{
|
||||||
|
@ -522,41 +537,37 @@ type stepAttestationData struct {
|
||||||
func doStepAttestationFormat(ctx context.Context, ch *Challenge, db DB, att *AttestationObject) (*stepAttestationData, error) {
|
func doStepAttestationFormat(ctx context.Context, ch *Challenge, db DB, att *AttestationObject) (*stepAttestationData, error) {
|
||||||
root, err := pemutil.ParseCertificate([]byte(yubicoPIVRootCA))
|
root, err := pemutil.ParseCertificate([]byte(yubicoPIVRootCA))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, WrapErrorISE(err, "error parsing apple enterprise ca")
|
return nil, WrapErrorISE(err, "error parsing root ca")
|
||||||
}
|
}
|
||||||
roots := x509.NewCertPool()
|
roots := x509.NewCertPool()
|
||||||
roots.AddCert(root)
|
roots.AddCert(root)
|
||||||
|
|
||||||
x5c, ok := att.AttStatement["x5c"].([]interface{})
|
x5c, ok := att.AttStatement["x5c"].([]interface{})
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatement, "x5c not present"))
|
return nil, NewError(ErrorBadAttestationStatement, "x5c not present")
|
||||||
}
|
}
|
||||||
if len(x5c) == 0 {
|
if len(x5c) == 0 {
|
||||||
return nil, storeError(ctx, db, ch, true, NewError(ErrorRejectedIdentifierType, "x5c is empty"))
|
return nil, NewError(ErrorRejectedIdentifierType, "x5c is empty")
|
||||||
}
|
}
|
||||||
|
|
||||||
der, ok := x5c[0].([]byte)
|
der, ok := x5c[0].([]byte)
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatement, "x5c is malformed"))
|
return nil, NewError(ErrorBadAttestationStatement, "x5c is malformed")
|
||||||
}
|
}
|
||||||
leaf, err := x509.ParseCertificate(der)
|
leaf, err := x509.ParseCertificate(der)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, storeError(ctx, db, ch, true, WrapError(ErrorBadAttestationStatement, err, "x5c is malformed"))
|
return nil, WrapError(ErrorBadAttestationStatement, err, "x5c is malformed")
|
||||||
}
|
}
|
||||||
|
|
||||||
pem.Encode(os.Stderr, &pem.Block{
|
|
||||||
Type: "CERTIFICATE", Bytes: leaf.Raw,
|
|
||||||
})
|
|
||||||
|
|
||||||
intermediates := x509.NewCertPool()
|
intermediates := x509.NewCertPool()
|
||||||
for _, v := range x5c[1:] {
|
for _, v := range x5c[1:] {
|
||||||
der, ok = v.([]byte)
|
der, ok = v.([]byte)
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatement, "x5c is malformed"))
|
return nil, NewError(ErrorBadAttestationStatement, "x5c is malformed")
|
||||||
}
|
}
|
||||||
cert, err := x509.ParseCertificate(der)
|
cert, err := x509.ParseCertificate(der)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, storeError(ctx, db, ch, true, WrapError(ErrorBadAttestationStatement, err, "x5c is malformed"))
|
return nil, WrapError(ErrorBadAttestationStatement, err, "x5c is malformed")
|
||||||
}
|
}
|
||||||
intermediates.AddCert(cert)
|
intermediates.AddCert(cert)
|
||||||
}
|
}
|
||||||
|
@ -567,7 +578,7 @@ func doStepAttestationFormat(ctx context.Context, ch *Challenge, db DB, att *Att
|
||||||
CurrentTime: time.Now().Truncate(time.Second),
|
CurrentTime: time.Now().Truncate(time.Second),
|
||||||
KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
|
KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
|
||||||
}); err != nil {
|
}); err != nil {
|
||||||
return nil, storeError(ctx, db, ch, true, WrapError(ErrorBadAttestationStatement, err, "x5c is not valid"))
|
return nil, WrapError(ErrorBadAttestationStatement, err, "x5c is not valid")
|
||||||
}
|
}
|
||||||
|
|
||||||
data := &stepAttestationData{
|
data := &stepAttestationData{
|
||||||
|
@ -579,7 +590,7 @@ func doStepAttestationFormat(ctx context.Context, ch *Challenge, db DB, att *Att
|
||||||
var serialNumber int
|
var serialNumber int
|
||||||
rest, err := asn1.Unmarshal(ext.Value, &serialNumber)
|
rest, err := asn1.Unmarshal(ext.Value, &serialNumber)
|
||||||
if err != nil || len(rest) > 0 {
|
if err != nil || len(rest) > 0 {
|
||||||
return nil, storeError(ctx, db, ch, true, WrapError(ErrorBadAttestationStatement, err, "error parsing serial number"))
|
return nil, WrapError(ErrorBadAttestationStatement, err, "error parsing serial number")
|
||||||
}
|
}
|
||||||
data.SerialNumber = strconv.Itoa(serialNumber)
|
data.SerialNumber = strconv.Itoa(serialNumber)
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue