From 0263468424fb2f7ff9de791b6fd1c50c7650d3d9 Mon Sep 17 00:00:00 2001 From: Mariano Cano Date: Mon, 19 Sep 2022 19:45:13 -0700 Subject: [PATCH] Initial work on name constraints validation Issue #1060 --- authority/internal/constraints/constraints.go | 106 ++++++ .../internal/constraints/constraints_test.go | 140 +++++++ authority/internal/constraints/verify.go | 358 ++++++++++++++++++ 3 files changed, 604 insertions(+) create mode 100644 authority/internal/constraints/constraints.go create mode 100644 authority/internal/constraints/constraints_test.go create mode 100644 authority/internal/constraints/verify.go diff --git a/authority/internal/constraints/constraints.go b/authority/internal/constraints/constraints.go new file mode 100644 index 00000000..a9dcf715 --- /dev/null +++ b/authority/internal/constraints/constraints.go @@ -0,0 +1,106 @@ +package constraints + +import ( + "crypto/x509" + "fmt" + "net" + "net/url" +) + +var oidExtensionNameConstraints = []int{2, 5, 29, 30} + +type ConstraintError struct { + Type string + Name string +} + +func (e ConstraintError) Error() string { + return fmt.Sprintf("%s %q is not allowed", e.Type, e.Name) +} + +type service struct { + hasNameConstraints bool + permittedDNSDomains []string + excludedDNSDomains []string + permittedIPRanges []*net.IPNet + excludedIPRanges []*net.IPNet + permittedEmailAddresses []string + excludedEmailAddresses []string + permittedURIDomains []string + excludedURIDomains []string +} + +func New(chain ...*x509.Certificate) *service { + s := new(service) + for _, crt := range chain { + s.permittedDNSDomains = append(s.permittedDNSDomains, crt.PermittedDNSDomains...) + s.excludedDNSDomains = append(s.excludedDNSDomains, crt.ExcludedDNSDomains...) + s.permittedIPRanges = append(s.permittedIPRanges, crt.PermittedIPRanges...) + s.excludedIPRanges = append(s.excludedIPRanges, crt.ExcludedIPRanges...) + s.permittedEmailAddresses = append(s.permittedEmailAddresses, crt.PermittedEmailAddresses...) + s.excludedEmailAddresses = append(s.excludedEmailAddresses, crt.ExcludedEmailAddresses...) + s.permittedURIDomains = append(s.permittedURIDomains, crt.PermittedURIDomains...) + s.excludedURIDomains = append(s.excludedURIDomains, crt.ExcludedURIDomains...) + + if !s.hasNameConstraints { + for _, ext := range crt.Extensions { + if ext.Id.Equal(oidExtensionNameConstraints) { + s.hasNameConstraints = true + break + } + } + } + } + return s +} + +// Validates +func (s *service) Validate(dnsNames []string, ipAddresses []*net.IP, emailAddresses []string, uris []*url.URL) error { + if !s.hasNameConstraints { + return nil + } + + for _, name := range dnsNames { + if err := checkNameConstraints("DNS name", name, name, s.permittedDNSDomains, s.excludedDNSDomains, + func(parsedName, constraint any) (bool, error) { + return matchDomainConstraint(parsedName.(string), constraint.(string)) + }, + ); err != nil { + return err + } + } + + for _, ip := range ipAddresses { + if err := checkNameConstraints("IP address", ip.String(), ip, s.permittedIPRanges, s.excludedIPRanges, + func(parsedName, constraint any) (bool, error) { + return matchIPConstraint(parsedName.(net.IP), constraint.(*net.IPNet)) + }); err != nil { + return err + } + } + + for _, email := range emailAddresses { + mailbox, ok := parseRFC2821Mailbox(email) + if !ok { + return fmt.Errorf("cannot parse rfc822Name %q", email) + } + if err := checkNameConstraints("Email address", email, mailbox, s.permittedEmailAddresses, s.excludedEmailAddresses, + func(parsedName, constraint any) (bool, error) { + return matchEmailConstraint(parsedName.(rfc2821Mailbox), constraint.(string)) + }, + ); err != nil { + return err + } + } + + for _, uri := range uris { + if err := checkNameConstraints("URI", uri.String(), uri, s.permittedURIDomains, s.excludedURIDomains, + func(parsedName, constraint any) (bool, error) { + return matchURIConstraint(parsedName.(*url.URL), constraint.(string)) + }); err != nil { + return err + } + } + + return nil +} diff --git a/authority/internal/constraints/constraints_test.go b/authority/internal/constraints/constraints_test.go new file mode 100644 index 00000000..1194f6ce --- /dev/null +++ b/authority/internal/constraints/constraints_test.go @@ -0,0 +1,140 @@ +package constraints + +import ( + "crypto/x509" + "net" + "net/url" + "reflect" + "testing" + + "go.step.sm/crypto/minica" +) + +func TestNew(t *testing.T) { + ca1, err := minica.New() + if err != nil { + t.Fatal(err) + } + + ca2, err := minica.New( + minica.WithIntermediateTemplate(`{ + "subject": {{ toJson .Subject }}, + "keyUsage": ["certSign", "crlSign"], + "basicConstraints": { + "isCA": true, + "maxPathLen": 0 + }, + "nameConstraints": { + "critical": true, + "permittedDNSDomains": ["internal.example.org"], + "excludedDNSDomains": ["internal.example.com"], + "permittedIPRanges": ["192.168.1.0/24", "192.168.2.1/32"], + "excludedIPRanges": ["192.168.3.0/24", "192.168.4.0/28"], + "permittedEmailAddresses": ["root@example.org", "example.org", ".acme.org"], + "excludedEmailAddresses": ["root@example.com", "example.com", ".acme.com"], + "permittedURIDomains": ["host.example.org", ".acme.org"], + "excludedURIDomains": ["host.example.com", ".acme.com"] + } + }`), + ) + if err != nil { + t.Fatal(err) + } + + type args struct { + chain []*x509.Certificate + } + tests := []struct { + name string + args args + want *service + }{ + {"ok", args{[]*x509.Certificate{ca1.Intermediate, ca1.Root}}, &service{ + hasNameConstraints: false, + }}, + {"ok with constraints", args{[]*x509.Certificate{ca2.Intermediate, ca2.Root}}, &service{ + hasNameConstraints: true, + permittedDNSDomains: []string{"internal.example.org"}, + excludedDNSDomains: []string{"internal.example.com"}, + permittedIPRanges: []*net.IPNet{ + {IP: net.ParseIP("192.168.1.0").To4(), Mask: net.IPMask{255, 255, 255, 0}}, + {IP: net.ParseIP("192.168.2.1").To4(), Mask: net.IPMask{255, 255, 255, 255}}, + }, + excludedIPRanges: []*net.IPNet{ + {IP: net.ParseIP("192.168.3.0").To4(), Mask: net.IPMask{255, 255, 255, 0}}, + {IP: net.ParseIP("192.168.4.0").To4(), Mask: net.IPMask{255, 255, 255, 240}}, + }, + permittedEmailAddresses: []string{"root@example.org", "example.org", ".acme.org"}, + excludedEmailAddresses: []string{"root@example.com", "example.com", ".acme.com"}, + permittedURIDomains: []string{"host.example.org", ".acme.org"}, + excludedURIDomains: []string{"host.example.com", ".acme.com"}, + }}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := New(tt.args.chain...); !reflect.DeepEqual(got, tt.want) { + t.Errorf("New() = %v, want %v", got, tt.want) + } + }) + } +} + +func Test_service_Validate(t *testing.T) { + + type fields struct { + hasNameConstraints bool + permittedDNSDomains []string + excludedDNSDomains []string + permittedIPRanges []*net.IPNet + excludedIPRanges []*net.IPNet + permittedEmailAddresses []string + excludedEmailAddresses []string + permittedURIDomains []string + excludedURIDomains []string + } + type args struct { + dnsNames []string + ipAddresses []*net.IP + emailAddresses []string + uris []*url.URL + } + tests := []struct { + name string + fields fields + args args + wantErr bool + }{ + {"ok", fields{hasNameConstraints: false}, args{ + dnsNames: []string{"example.com", "host.example.com"}, + ipAddresses: []*net.IP{{192, 168, 1, 1}, {0x26, 0x00, 0x1f, 0x1c, 0x47, 0x1, 0x9d, 0x00, 0xc3, 0xa7, 0x66, 0x94, 0x87, 0x0f, 0x20, 0x72}}, + emailAddresses: []string{"root@example.com"}, + uris: []*url.URL{{Scheme: "https", Host: "example.com", Path: "/uuid/c6d1a755-0c12-431e-9136-b64cb3173ec7"}}, + }, false}, + // {"ok dns", fields{}, args{}, false}, + // {"ok ip", fields{}, args{}, false}, + // {"ok email", fields{}, args{}, false}, + // {"ok uri", fields{}, args{}, false}, + // {"fail dns", fields{}, args{}, true}, + // {"fail ip", fields{}, args{}, true}, + // {"fail email", fields{}, args{}, true}, + // {"fail uri", fields{}, args{}, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + s := &service{ + hasNameConstraints: tt.fields.hasNameConstraints, + permittedDNSDomains: tt.fields.permittedDNSDomains, + excludedDNSDomains: tt.fields.excludedDNSDomains, + permittedIPRanges: tt.fields.permittedIPRanges, + excludedIPRanges: tt.fields.excludedIPRanges, + permittedEmailAddresses: tt.fields.permittedEmailAddresses, + excludedEmailAddresses: tt.fields.excludedEmailAddresses, + permittedURIDomains: tt.fields.permittedURIDomains, + excludedURIDomains: tt.fields.excludedURIDomains, + } + if err := s.Validate(tt.args.dnsNames, tt.args.ipAddresses, tt.args.emailAddresses, tt.args.uris); (err != nil) != tt.wantErr { + t.Errorf("service.Validate() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +} diff --git a/authority/internal/constraints/verify.go b/authority/internal/constraints/verify.go new file mode 100644 index 00000000..981cd35e --- /dev/null +++ b/authority/internal/constraints/verify.go @@ -0,0 +1,358 @@ +// Copyright (c) 2009 The Go Authors. All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following disclaimer +// in the documentation and/or other materials provided with the +// distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived from +// this software without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +package constraints + +import ( + "bytes" + "fmt" + "net" + "net/url" + "reflect" + "strings" +) + +func checkNameConstraints(nameType string, name string, parsedName any, permitted, excluded any, match func(name, constraint any) (bool, error)) error { + excludedValue := reflect.ValueOf(excluded) + for i := 0; i < excludedValue.Len(); i++ { + constraint := excludedValue.Index(i).Interface() + match, err := match(parsedName, constraint) + if err != nil { + return err + } + + if match { + return fmt.Errorf("%s %q is excluded by constraint %q", nameType, name, constraint) + } + } + + var ( + err error + ok = true + ) + + permittedValue := reflect.ValueOf(permitted) + for i := 0; i < permittedValue.Len(); i++ { + constraint := permittedValue.Index(i).Interface() + if ok, err = match(parsedName, constraint); err != nil { + return err + } + if ok { + break + } + } + if !ok { + return fmt.Errorf("%s %q is not permitted by any constraint", nameType, name) + } + + return nil +} + +func matchDomainConstraint(domain, constraint string) (bool, error) { + // The meaning of zero length constraints is not specified, but this + // code follows NSS and accepts them as matching everything. + if len(constraint) == 0 { + return true, nil + } + + domainLabels, ok := domainToReverseLabels(domain) + if !ok { + return false, fmt.Errorf("x509: internal error: cannot parse domain %q", domain) + } + + // RFC 5280 says that a leading period in a domain name means that at + // least one label must be prepended, but only for URI and email + // constraints, not DNS constraints. The code also supports that + // behaviour for DNS constraints. + + mustHaveSubdomains := false + if constraint[0] == '.' { + mustHaveSubdomains = true + constraint = constraint[1:] + } + + constraintLabels, ok := domainToReverseLabels(constraint) + if !ok { + return false, fmt.Errorf("x509: internal error: cannot parse domain %q", constraint) + } + + if len(domainLabels) < len(constraintLabels) || + (mustHaveSubdomains && len(domainLabels) == len(constraintLabels)) { + return false, nil + } + + for i, constraintLabel := range constraintLabels { + if !strings.EqualFold(constraintLabel, domainLabels[i]) { + return false, nil + } + } + + return true, nil +} + +func matchIPConstraint(ip net.IP, constraint *net.IPNet) (bool, error) { + if len(ip) != len(constraint.IP) { + return false, nil + } + + for i := range ip { + if mask := constraint.Mask[i]; ip[i]&mask != constraint.IP[i]&mask { + return false, nil + } + } + + return true, nil +} + +func matchEmailConstraint(mailbox rfc2821Mailbox, constraint string) (bool, error) { + // If the constraint contains an @, then it specifies an exact mailbox + // name. + if strings.Contains(constraint, "@") { + constraintMailbox, ok := parseRFC2821Mailbox(constraint) + if !ok { + return false, fmt.Errorf("x509: internal error: cannot parse constraint %q", constraint) + } + return mailbox.local == constraintMailbox.local && strings.EqualFold(mailbox.domain, constraintMailbox.domain), nil + } + + // Otherwise the constraint is like a DNS constraint of the domain part + // of the mailbox. + return matchDomainConstraint(mailbox.domain, constraint) +} + +func matchURIConstraint(uri *url.URL, constraint string) (bool, error) { + // From RFC 5280, Section 4.2.1.10: + // “a uniformResourceIdentifier that does not include an authority + // component with a host name specified as a fully qualified domain + // name (e.g., if the URI either does not include an authority + // component or includes an authority component in which the host name + // is specified as an IP address), then the application MUST reject the + // certificate.” + + host := uri.Host + if len(host) == 0 { + return false, fmt.Errorf("URI with empty host (%q) cannot be matched against constraints", uri.String()) + } + + if strings.Contains(host, ":") && !strings.HasSuffix(host, "]") { + var err error + host, _, err = net.SplitHostPort(uri.Host) + if err != nil { + return false, err + } + } + + if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") || + net.ParseIP(host) != nil { + return false, fmt.Errorf("URI with IP (%q) cannot be matched against constraints", uri.String()) + } + + return matchDomainConstraint(host, constraint) +} + +// domainToReverseLabels converts a textual domain name like foo.example.com to +// the list of labels in reverse order, e.g. ["com", "example", "foo"]. +func domainToReverseLabels(domain string) (reverseLabels []string, ok bool) { + for len(domain) > 0 { + if i := strings.LastIndexByte(domain, '.'); i == -1 { + reverseLabels = append(reverseLabels, domain) + domain = "" + } else { + reverseLabels = append(reverseLabels, domain[i+1:]) + domain = domain[:i] + } + } + + if len(reverseLabels) > 0 && len(reverseLabels[0]) == 0 { + // An empty label at the end indicates an absolute value. + return nil, false + } + + for _, label := range reverseLabels { + if len(label) == 0 { + // Empty labels are otherwise invalid. + return nil, false + } + + for _, c := range label { + if c < 33 || c > 126 { + // Invalid character. + return nil, false + } + } + } + + return reverseLabels, true +} + +// rfc2821Mailbox represents a “mailbox” (which is an email address to most +// people) by breaking it into the “local” (i.e. before the '@') and “domain” +// parts. +type rfc2821Mailbox struct { + local, domain string +} + +// parseRFC2821Mailbox parses an email address into local and domain parts, +// based on the ABNF for a “Mailbox” from RFC 2821. According to RFC 5280, +// Section 4.2.1.6 that's correct for an rfc822Name from a certificate: “The +// format of an rfc822Name is a "Mailbox" as defined in RFC 2821, Section 4.1.2”. +func parseRFC2821Mailbox(in string) (mailbox rfc2821Mailbox, ok bool) { + if len(in) == 0 { + return mailbox, false + } + + localPartBytes := make([]byte, 0, len(in)/2) + + if in[0] == '"' { + // Quoted-string = DQUOTE *qcontent DQUOTE + // non-whitespace-control = %d1-8 / %d11 / %d12 / %d14-31 / %d127 + // qcontent = qtext / quoted-pair + // qtext = non-whitespace-control / + // %d33 / %d35-91 / %d93-126 + // quoted-pair = ("\" text) / obs-qp + // text = %d1-9 / %d11 / %d12 / %d14-127 / obs-text + // + // (Names beginning with “obs-” are the obsolete syntax from RFC 2822, + // Section 4. Since it has been 16 years, we no longer accept that.) + in = in[1:] + QuotedString: + for { + if len(in) == 0 { + return mailbox, false + } + c := in[0] + in = in[1:] + + switch { + case c == '"': + break QuotedString + + case c == '\\': + // quoted-pair + if len(in) == 0 { + return mailbox, false + } + if in[0] == 11 || + in[0] == 12 || + (1 <= in[0] && in[0] <= 9) || + (14 <= in[0] && in[0] <= 127) { + localPartBytes = append(localPartBytes, in[0]) + in = in[1:] + } else { + return mailbox, false + } + + case c == 11 || + c == 12 || + // Space (char 32) is not allowed based on the + // BNF, but RFC 3696 gives an example that + // assumes that it is. Several “verified” + // errata continue to argue about this point. + // We choose to accept it. + c == 32 || + c == 33 || + c == 127 || + (1 <= c && c <= 8) || + (14 <= c && c <= 31) || + (35 <= c && c <= 91) || + (93 <= c && c <= 126): + // qtext + localPartBytes = append(localPartBytes, c) + + default: + return mailbox, false + } + } + } else { + // Atom ("." Atom)* + NextChar: + for len(in) > 0 { + // atext from RFC 2822, Section 3.2.4 + c := in[0] + + switch { + case c == '\\': + // Examples given in RFC 3696 suggest that + // escaped characters can appear outside of a + // quoted string. Several “verified” errata + // continue to argue the point. We choose to + // accept it. + in = in[1:] + if len(in) == 0 { + return mailbox, false + } + fallthrough + + case ('0' <= c && c <= '9') || + ('a' <= c && c <= 'z') || + ('A' <= c && c <= 'Z') || + c == '!' || c == '#' || c == '$' || c == '%' || + c == '&' || c == '\'' || c == '*' || c == '+' || + c == '-' || c == '/' || c == '=' || c == '?' || + c == '^' || c == '_' || c == '`' || c == '{' || + c == '|' || c == '}' || c == '~' || c == '.': + localPartBytes = append(localPartBytes, in[0]) + in = in[1:] + + default: + break NextChar + } + } + + if len(localPartBytes) == 0 { + return mailbox, false + } + + // From RFC 3696, Section 3: + // “period (".") may also appear, but may not be used to start + // or end the local part, nor may two or more consecutive + // periods appear.” + twoDots := []byte{'.', '.'} + if localPartBytes[0] == '.' || + localPartBytes[len(localPartBytes)-1] == '.' || + bytes.Contains(localPartBytes, twoDots) { + return mailbox, false + } + } + + if len(in) == 0 || in[0] != '@' { + return mailbox, false + } + in = in[1:] + + // The RFC species a format for domains, but that's known to be + // violated in practice so we accept that anything after an '@' is the + // domain part. + if _, ok := domainToReverseLabels(in); !ok { + return mailbox, false + } + + mailbox.local = string(localPartBytes) + mailbox.domain = in + return mailbox, true +}