diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..e0871f93 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options: +# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates + +version: 2 +updates: + - package-ecosystem: "gomod" # See documentation for possible values + directory: "/" # Location of package manifests + schedule: + interval: "weekly" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 00000000..a67b766f --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,27 @@ +name: CI + +on: + push: + tags-ignore: + - 'v*' + branches: + - "master" + pull_request: + workflow_call: + secrets: + GITLEAKS_LICENSE_KEY: + required: true + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +jobs: + ci: + uses: smallstep/workflows/.github/workflows/goCI.yml@main + with: + os-dependencies: "libpcsclite-dev" + run-gitleaks: true + run-codeql: true + secrets: + GITLEAKS_LICENSE_KEY: ${{ secrets.GITLEAKS_LICENSE_KEY }} diff --git a/.github/workflows/code-scan-cron.yml b/.github/workflows/code-scan-cron.yml new file mode 100644 index 00000000..56969c11 --- /dev/null +++ b/.github/workflows/code-scan-cron.yml @@ -0,0 +1,9 @@ +on: + schedule: + - cron: '0 0 * * *' + +jobs: + code-scan: + uses: smallstep/workflows/.github/workflows/code-scan.yml@main + secrets: + GITLEAKS_LICENSE_KEY: ${{ secrets.GITLEAKS_LICENSE_KEY }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml deleted file mode 100644 index d23cddf9..00000000 --- a/.github/workflows/codeql-analysis.yml +++ /dev/null @@ -1,72 +0,0 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL" - -on: - push: - branches: [ "master" ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ "master" ] - schedule: - - cron: '30 3 * * 3' - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: [ 'go' ] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - - # ℹ️ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b4336472..bd434737 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,41 +7,13 @@ on: - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10 jobs: - test: - name: Lint, Test, Build - runs-on: ubuntu-20.04 - strategy: - matrix: - go: [ '1.18', '1.19' ] - outputs: - is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }} - steps: - - - name: Checkout - uses: actions/checkout@v2 - - - name: Setup Go - uses: actions/setup-go@v2 - with: - go-version: ${{ matrix.go }} - - - name: Install Deps - id: install-deps - run: sudo apt-get -y install libpcsclite-dev - - - name: golangci-lint - uses: golangci/golangci-lint-action@v2 - with: - version: ${{ secrets.GOLANGCI_LINT_VERSION }} - args: --timeout=30m - - - name: Test, Build - id: lint_test_build - run: V=1 make ci + ci: + uses: smallstep/certificates/.github/workflows/ci.yml@main + secrets: inherit create_release: name: Create Release - needs: test + needs: ci runs-on: ubuntu-20.04 outputs: debversion: ${{ steps.extract-tag.outputs.DEB_VERSION }} @@ -132,7 +104,7 @@ jobs: build_upload_docker: name: Build & Upload Docker Images runs-on: ubuntu-20.04 - needs: test + needs: ci steps: - name: Checkout diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml deleted file mode 100644 index 8a2f391c..00000000 --- a/.github/workflows/test.yml +++ /dev/null @@ -1,49 +0,0 @@ -name: Lint, Test, Build - -on: - push: - tags-ignore: - - 'v*' - branches: - - "**" - pull_request: - -jobs: - lintTestBuild: - name: Lint, Test, Build - runs-on: ubuntu-20.04 - strategy: - matrix: - go: [ '1.18', '1.19' ] - steps: - - - name: Checkout - uses: actions/checkout@v2 - - - name: Setup Go - uses: actions/setup-go@v2 - with: - go-version: ${{ matrix.go }} - - - name: Install Deps - id: install-deps - run: sudo apt-get -y install libpcsclite-dev - - - name: golangci-lint - uses: golangci/golangci-lint-action@v2 - with: - version: ${{ secrets.GOLANGCI_LINT_VERSION }} - args: --timeout=30m - - - name: Test, Build - id: lint_test_build - run: V=1 make ci - - - name: Codecov - if: matrix.go == '1.19' - uses: codecov/codecov-action@v2 - with: - token: ${{ secrets.CODECOV_TOKEN }} - files: ./coverage.out # optional - name: codecov-umbrella # optional - fail_ci_if_error: true # optional (default = false) diff --git a/.gitignore b/.gitignore index 299a2c16..42e96049 100644 --- a/.gitignore +++ b/.gitignore @@ -6,6 +6,10 @@ *.so *.dylib +# Go Workspaces +go.work +go.work.sum + # Test binary, build with `go test -c` *.test diff --git a/.gitleaksignore b/.gitleaksignore new file mode 100644 index 00000000..71318c8a --- /dev/null +++ b/.gitleaksignore @@ -0,0 +1,18 @@ +deac15327f5605a1a963e50818760a95cee9d882:docs/kms.md:generic-api-key:85 +deac15327f5605a1a963e50818760a95cee9d882:docs/kms.md:generic-api-key:107 +deac15327f5605a1a963e50818760a95cee9d882:docs/kms.md:generic-api-key:108 +deac15327f5605a1a963e50818760a95cee9d882:docs/kms.md:generic-api-key:129 +deac15327f5605a1a963e50818760a95cee9d882:docs/kms.md:generic-api-key:131 +deac15327f5605a1a963e50818760a95cee9d882:docs/kms.md:generic-api-key:136 +deac15327f5605a1a963e50818760a95cee9d882:docs/kms.md:generic-api-key:138 +7c9ab9814fb676cb3c125c3dac4893271f1b7ae5:README.md:generic-api-key:282 +fb7140444ac8f1fa1245a80e49d17e206f7435f3:docs/provisioners.md:generic-api-key:110 +e4de7f07e82118b3f926716666b620db058fa9f7:docs/revocation.md:generic-api-key:73 +e4de7f07e82118b3f926716666b620db058fa9f7:docs/revocation.md:generic-api-key:113 +e4de7f07e82118b3f926716666b620db058fa9f7:docs/revocation.md:generic-api-key:151 +8b2de42e9cf6ce99f53a5049881e1d6077d5d66e:docs/docker.md:generic-api-key:152 +3939e855264117e81531df777a642ea953d325a7:autocert/init/ca/intermediate_ca_key:private-key:1 +e72f08703753facfa05f2d8c68f9f6a3745824b8:README.md:generic-api-key:244 +e70a5dae7de0b6ca40a0393c09c28872d4cfa071:autocert/README.md:generic-api-key:365 +e70a5dae7de0b6ca40a0393c09c28872d4cfa071:autocert/README.md:generic-api-key:366 +c284a2c0ab1c571a46443104be38c873ef0c7c6d:config.json:generic-api-key:10 diff --git a/.golangci.yml b/.golangci.yml deleted file mode 100644 index af723230..00000000 --- a/.golangci.yml +++ /dev/null @@ -1,74 +0,0 @@ -linters-settings: - govet: - check-shadowing: true - settings: - printf: - funcs: - - (github.com/golangci/golangci-lint/pkg/logutils.Log).Infof - - (github.com/golangci/golangci-lint/pkg/logutils.Log).Errorf - - (github.com/golangci/golangci-lint/pkg/logutils.Log).Warnf - - (github.com/golangci/golangci-lint/pkg/logutils.Log).Fatalf - revive: - min-confidence: 0 - gocyclo: - min-complexity: 10 - maligned: - suggest-new: true - dupl: - threshold: 100 - goconst: - min-len: 2 - min-occurrences: 2 - depguard: - list-type: blacklist - packages: - # logging is allowed only by logutils.Log, logrus - # is allowed to use only in logutils package - - github.com/sirupsen/logrus - misspell: - locale: US - lll: - line-length: 140 - goimports: - local-prefixes: github.com/golangci/golangci-lint - gocritic: - enabled-tags: - - performance - - style - - experimental - - diagnostic - disabled-checks: - - commentFormatting - - commentedOutCode - - evalOrder - - hugeParam - - octalLiteral - - rangeValCopy - - tooManyResultsChecker - - unnamedResult - -linters: - disable-all: true - enable: - - gocritic - - gofmt - - gosimple - - govet - - ineffassign - - misspell - - revive - - staticcheck - - unused - -run: - skip-dirs: - - pkg - -issues: - exclude: - - can't lint - - declaration of "err" shadows declaration at line - - should have a package comment, unless it's in another file for this package - - error strings should not be capitalized or end with punctuation or a newline - - Wrapf call needs 1 arg but has 2 args - - cs.NegotiatedProtocolIsMutual is deprecated diff --git a/CHANGELOG.md b/CHANGELOG.md index 73d06543..d2f50379 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. --- ## [Unreleased] +### Added +- Added support for ACME device-attest-01 challenge. +- Added name constraints evaluation and enforcement when issuing or renewing + X.509 certificates. ## [0.22.1] - 2022-08-31 ### Fixed diff --git a/Makefile b/Makefile index 906569f1..55b97c62 100644 --- a/Makefile +++ b/Makefile @@ -28,8 +28,9 @@ ci: testcgo build ######################################### bootstra%: - # Using a released version of golangci-lint to take into account custom replacements in their go.mod - $Q curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(shell go env GOPATH)/bin v1.42.0 + $Q curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $$(go env GOPATH)/bin latest + $Q go install golang.org/x/vuln/cmd/govulncheck@latest + $Q go install gotest.tools/gotestsum@latest .PHONY: bootstra% @@ -132,17 +133,18 @@ generate: # Test ######################################### test: - $Q $(GOFLAGS) go test -short -coverprofile=coverage.out ./... + $Q $(GOFLAGS) gotestsum -- -coverprofile=coverage.out -short -covermode=atomic ./... + testcgo: - $Q go test -short -coverprofile=coverage.out ./... + $Q gotestsum -- -coverprofile=coverage.out -short -covermode=atomic ./... .PHONY: test testcgo integrate: integration integration: bin/$(BINNAME) - $Q $(GOFLAGS) go test -tags=integration ./integration/... + $Q $(GOFLAGS) gotestsum -- -tags=integration ./integration/... .PHONY: integrate integration @@ -151,15 +153,14 @@ integration: bin/$(BINNAME) ######################################### fmt: - $Q gofmt -l -s -w $(SRC) + $Q goimports -l -w $(SRC) +lint: SHELL:=/bin/bash lint: - $Q golangci-lint run --timeout=30m + $Q LOG_LEVEL=error golangci-lint run --config <(curl -s https://raw.githubusercontent.com/smallstep/workflows/master/.golangci.yml) --timeout=30m + $Q govulncheck ./... -lintcgo: - $Q LOG_LEVEL=error golangci-lint run --timeout=30m - -.PHONY: fmt lint lintcgo +.PHONY: fmt lint ######################################### # Install diff --git a/README.md b/README.md index 1efeb4a9..9544e7cd 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,7 @@ To get up and running quickly, or as an alternative to running your own `step-ca [![GitHub release](https://img.shields.io/github/release/smallstep/certificates.svg)](https://github.com/smallstep/certificates/releases/latest) [![Go Report Card](https://goreportcard.com/badge/github.com/smallstep/certificates)](https://goreportcard.com/report/github.com/smallstep/certificates) -[![Build Status](https://travis-ci.com/smallstep/certificates.svg?branch=master)](https://travis-ci.com/smallstep/certificates) +[![Build Status](https://github.com/smallstep/certificates/actions/workflows/test.yml/badge.svg)](https://github.com/smallstep/certificates) [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![CLA assistant](https://cla-assistant.io/readme/badge/smallstep/certificates)](https://cla-assistant.io/smallstep/certificates) diff --git a/acme/account.go b/acme/account.go index 2dd412db..fa4b1167 100644 --- a/acme/account.go +++ b/acme/account.go @@ -33,7 +33,7 @@ func (a *Account) ToLog() (interface{}, error) { // IsValid returns true if the Account is valid. func (a *Account) IsValid() bool { - return Status(a.Status) == StatusValid + return a.Status == StatusValid } // KeyToID converts a JWK to a thumbprint. diff --git a/acme/account_test.go b/acme/account_test.go index edd1f5b0..88718a9a 100644 --- a/acme/account_test.go +++ b/acme/account_test.go @@ -46,14 +46,14 @@ func TestKeyToID(t *testing.T) { tc := run(t) if id, err := KeyToID(tc.jwk); err != nil { if assert.NotNil(t, tc.err) { - switch k := err.(type) { - case *Error: + var k *Error + if errors.As(err, &k) { assert.Equals(t, k.Type, tc.err.Type) assert.Equals(t, k.Detail, tc.err.Detail) assert.Equals(t, k.Status, tc.err.Status) assert.Equals(t, k.Err.Error(), tc.err.Err.Error()) assert.Equals(t, k.Detail, tc.err.Detail) - default: + } else { assert.FatalError(t, errors.New("unexpected error type")) } } @@ -131,12 +131,13 @@ func TestExternalAccountKey_BindTo(t *testing.T) { } if wantErr { assert.NotNil(t, err) - assert.Type(t, &Error{}, err) - ae, _ := err.(*Error) - assert.Equals(t, ae.Type, tt.err.Type) - assert.Equals(t, ae.Detail, tt.err.Detail) - assert.Equals(t, ae.Identifier, tt.err.Identifier) - assert.Equals(t, ae.Subproblems, tt.err.Subproblems) + var ae *Error + if assert.True(t, errors.As(err, &ae)) { + assert.Equals(t, ae.Type, tt.err.Type) + assert.Equals(t, ae.Detail, tt.err.Detail) + assert.Equals(t, ae.Identifier, tt.err.Identifier) + assert.Equals(t, ae.Subproblems, tt.err.Subproblems) + } } else { assert.Equals(t, eak.AccountID, acct.ID) assert.Equals(t, eak.HmacKey, []byte{}) diff --git a/acme/api/account.go b/acme/api/account.go index 710747ca..954cb9de 100644 --- a/acme/api/account.go +++ b/acme/api/account.go @@ -2,6 +2,7 @@ package api import ( "encoding/json" + "errors" "net/http" "github.com/go-chi/chi" @@ -97,8 +98,8 @@ func NewAccount(w http.ResponseWriter, r *http.Request) { httpStatus := http.StatusCreated acc, err := accountFromContext(ctx) if err != nil { - acmeErr, ok := err.(*acme.Error) - if !ok || acmeErr.Status != http.StatusBadRequest { + var acmeErr *acme.Error + if !errors.As(err, &acmeErr) || acmeErr.Status != http.StatusBadRequest { // Something went wrong ... render.Error(w, err) return diff --git a/acme/api/account_test.go b/acme/api/account_test.go index d81553d2..3f8641b8 100644 --- a/acme/api/account_test.go +++ b/acme/api/account_test.go @@ -3,6 +3,7 @@ package api import ( "bytes" "context" + "crypto/x509" "encoding/json" "fmt" "io" @@ -41,6 +42,18 @@ func (*fakeProvisioner) AuthorizeSign(ctx context.Context, token string) ([]prov return nil, nil } +func (*fakeProvisioner) IsChallengeEnabled(ctx context.Context, challenge provisioner.ACMEChallenge) bool { + return true +} + +func (*fakeProvisioner) IsAttestationFormatEnabled(ctx context.Context, format provisioner.ACMEAttestationFormat) bool { + return true +} + +func (*fakeProvisioner) GetAttestationRoots() (*x509.CertPool, bool) { + return nil, false +} + func (*fakeProvisioner) AuthorizeRevoke(ctx context.Context, token string) error { return nil } func (*fakeProvisioner) GetID() string { return "" } func (*fakeProvisioner) GetName() string { return "" } @@ -184,11 +197,12 @@ func TestNewAccountRequest_Validate(t *testing.T) { t.Run(name, func(t *testing.T) { if err := tc.nar.Validate(); err != nil { if assert.NotNil(t, err) { - ae, ok := err.(*acme.Error) - assert.True(t, ok) - assert.HasPrefix(t, ae.Error(), tc.err.Error()) - assert.Equals(t, ae.StatusCode(), tc.err.StatusCode()) - assert.Equals(t, ae.Type, tc.err.Type) + var ae *acme.Error + if assert.True(t, errors.As(err, &ae)) { + assert.HasPrefix(t, ae.Error(), tc.err.Error()) + assert.Equals(t, ae.StatusCode(), tc.err.StatusCode()) + assert.Equals(t, ae.Type, tc.err.Type) + } } } else { assert.Nil(t, tc.err) @@ -255,11 +269,12 @@ func TestUpdateAccountRequest_Validate(t *testing.T) { t.Run(name, func(t *testing.T) { if err := tc.uar.Validate(); err != nil { if assert.NotNil(t, err) { - ae, ok := err.(*acme.Error) - assert.True(t, ok) - assert.HasPrefix(t, ae.Error(), tc.err.Error()) - assert.Equals(t, ae.StatusCode(), tc.err.StatusCode()) - assert.Equals(t, ae.Type, tc.err.Type) + var ae *acme.Error + if assert.True(t, errors.As(err, &ae)) { + assert.HasPrefix(t, ae.Error(), tc.err.Error()) + assert.Equals(t, ae.StatusCode(), tc.err.StatusCode()) + assert.Equals(t, ae.Type, tc.err.Type) + } } } else { assert.Nil(t, tc.err) diff --git a/acme/api/eab.go b/acme/api/eab.go index 4c4fff04..26854595 100644 --- a/acme/api/eab.go +++ b/acme/api/eab.go @@ -3,6 +3,7 @@ package api import ( "context" "encoding/json" + "errors" "go.step.sm/crypto/jose" @@ -24,6 +25,7 @@ func validateExternalAccountBinding(ctx context.Context, nar *NewAccountRequest) } if !acmeProv.RequireEAB { + //nolint:nilnil // legacy return nil, nil } @@ -51,7 +53,8 @@ func validateExternalAccountBinding(ctx context.Context, nar *NewAccountRequest) db := acme.MustDatabaseFromContext(ctx) externalAccountKey, err := db.GetExternalAccountKey(ctx, acmeProv.ID, keyID) if err != nil { - if _, ok := err.(*acme.Error); ok { + var ae *acme.Error + if errors.As(err, &ae) { return nil, acme.WrapError(acme.ErrorUnauthorizedType, err, "the field 'kid' references an unknown key") } return nil, acme.WrapErrorISE(err, "error retrieving external account key") diff --git a/acme/api/eab_test.go b/acme/api/eab_test.go index d2e596f9..c923a2f6 100644 --- a/acme/api/eab_test.go +++ b/acme/api/eab_test.go @@ -860,13 +860,15 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) { if wantErr { assert.NotNil(t, err) assert.Type(t, &acme.Error{}, err) - ae, _ := err.(*acme.Error) - assert.Equals(t, ae.Type, tc.err.Type) - assert.Equals(t, ae.Status, tc.err.Status) - assert.HasPrefix(t, ae.Err.Error(), tc.err.Err.Error()) - assert.Equals(t, ae.Detail, tc.err.Detail) - assert.Equals(t, ae.Identifier, tc.err.Identifier) - assert.Equals(t, ae.Subproblems, tc.err.Subproblems) + var ae *acme.Error + if assert.True(t, errors.As(err, &ae)) { + assert.Equals(t, ae.Type, tc.err.Type) + assert.Equals(t, ae.Status, tc.err.Status) + assert.HasPrefix(t, ae.Err.Error(), tc.err.Err.Error()) + assert.Equals(t, ae.Detail, tc.err.Detail) + assert.Equals(t, ae.Identifier, tc.err.Identifier) + assert.Equals(t, ae.Subproblems, tc.err.Subproblems) + } } else { if got == nil { assert.Nil(t, tc.eak) diff --git a/acme/api/handler.go b/acme/api/handler.go index 2e3931b1..6ae57ab8 100644 --- a/acme/api/handler.go +++ b/acme/api/handler.go @@ -289,19 +289,18 @@ func GetChallenge(w http.ResponseWriter, r *http.Request) { render.Error(w, err) return } - // Just verify that the payload was set, since we're not strictly adhering - // to ACME V2 spec for reasons specified below. - _, err = payloadFromContext(ctx) + + payload, err := payloadFromContext(ctx) if err != nil { render.Error(w, err) return } - // NOTE: We should be checking ^^^ that the request is either a POST-as-GET, or - // that the payload is an empty JSON block ({}). However, older ACME clients - // still send a vestigial body (rather than an empty JSON block) and - // strict enforcement would render these clients broken. For the time being - // we'll just ignore the body. + // NOTE: We should be checking that the request is either a POST-as-GET, or + // that for all challenges except for device-attest-01, the payload is an + // empty JSON block ({}). However, older ACME clients still send a vestigial + // body (rather than an empty JSON block) and strict enforcement would + // render these clients broken. azID := chi.URLParam(r, "authzID") ch, err := db.GetChallenge(ctx, chi.URLParam(r, "chID"), azID) @@ -320,7 +319,7 @@ func GetChallenge(w http.ResponseWriter, r *http.Request) { render.Error(w, err) return } - if err = ch.Validate(ctx, db, jwk); err != nil { + if err = ch.Validate(ctx, db, jwk, payload.value); err != nil { render.Error(w, acme.WrapErrorISE(err, "error validating challenge")) return } diff --git a/acme/api/middleware_test.go b/acme/api/middleware_test.go index e43f6f99..faff0616 100644 --- a/acme/api/middleware_test.go +++ b/acme/api/middleware_test.go @@ -518,9 +518,6 @@ func TestHandler_verifyAndExtractJWSPayload(t *testing.T) { } }, "ok/empty-algorithm-in-jwk": func(t *testing.T) test { - _pub := *pub - clone := &_pub - clone.Algorithm = "" ctx := context.WithValue(context.Background(), jwsContextKey, parsedJWS) ctx = context.WithValue(ctx, jwkContextKey, pub) return test{ diff --git a/acme/api/order.go b/acme/api/order.go index 2927a620..0c81df76 100644 --- a/acme/api/order.go +++ b/acme/api/order.go @@ -44,6 +44,10 @@ func (n *NewOrderRequest) Validate() error { if _, err := x509util.SanitizeName(value); err != nil { return acme.NewError(acme.ErrorMalformedType, "invalid DNS name: %s", id.Value) } + case acme.PermanentIdentifier: + if id.Value == "" { + return acme.NewError(acme.ErrorMalformedType, "permanent identifier cannot be empty") + } default: return acme.NewError(acme.ErrorMalformedType, "identifier type unsupported: %s", id.Type) } @@ -251,8 +255,13 @@ func newAuthorization(ctx context.Context, az *acme.Authorization) error { } db := acme.MustDatabaseFromContext(ctx) - az.Challenges = make([]*acme.Challenge, len(chTypes)) - for i, typ := range chTypes { + prov := acme.MustProvisionerFromContext(ctx) + az.Challenges = make([]*acme.Challenge, 0, len(chTypes)) + for _, typ := range chTypes { + if !prov.IsChallengeEnabled(ctx, provisioner.ACMEChallenge(typ)) { + continue + } + ch := &acme.Challenge{ AccountID: az.AccountID, Value: az.Identifier.Value, @@ -263,7 +272,7 @@ func newAuthorization(ctx context.Context, az *acme.Authorization) error { if err := db.CreateChallenge(ctx, ch); err != nil { return acme.WrapErrorISE(err, "error creating challenge") } - az.Challenges[i] = ch + az.Challenges = append(az.Challenges, ch) } if err = db.CreateAuthorization(ctx, az); err != nil { return acme.WrapErrorISE(err, "error creating authorization") @@ -388,6 +397,8 @@ func challengeTypes(az *acme.Authorization) []acme.ChallengeType { if !az.Wildcard { chTypes = append(chTypes, []acme.ChallengeType{acme.HTTP01, acme.TLSALPN01}...) } + case acme.PermanentIdentifier: + chTypes = []acme.ChallengeType{acme.DEVICEATTEST01} default: chTypes = []acme.ChallengeType{} } diff --git a/acme/api/order_test.go b/acme/api/order_test.go index 724357d8..b7b58b7f 100644 --- a/acme/api/order_test.go +++ b/acme/api/order_test.go @@ -179,11 +179,12 @@ func TestNewOrderRequest_Validate(t *testing.T) { t.Run(name, func(t *testing.T) { if err := tc.nor.Validate(); err != nil { if assert.NotNil(t, err) { - ae, ok := err.(*acme.Error) - assert.True(t, ok) - assert.HasPrefix(t, ae.Error(), tc.err.Error()) - assert.Equals(t, ae.StatusCode(), tc.err.StatusCode()) - assert.Equals(t, ae.Type, tc.err.Type) + var ae *acme.Error + if assert.True(t, errors.As(err, &ae)) { + assert.HasPrefix(t, ae.Error(), tc.err.Error()) + assert.Equals(t, ae.StatusCode(), tc.err.StatusCode()) + assert.Equals(t, ae.Type, tc.err.Type) + } } } else { if assert.Nil(t, tc.err) { @@ -253,11 +254,12 @@ func TestFinalizeRequestValidate(t *testing.T) { t.Run(name, func(t *testing.T) { if err := tc.fr.Validate(); err != nil { if assert.NotNil(t, err) { - ae, ok := err.(*acme.Error) - assert.True(t, ok) - assert.HasPrefix(t, ae.Error(), tc.err.Error()) - assert.Equals(t, ae.StatusCode(), tc.err.StatusCode()) - assert.Equals(t, ae.Type, tc.err.Type) + var ae *acme.Error + if assert.True(t, errors.As(err, &ae)) { + assert.HasPrefix(t, ae.Error(), tc.err.Error()) + assert.Equals(t, ae.StatusCode(), tc.err.StatusCode()) + assert.Equals(t, ae.Type, tc.err.Type) + } } } else { if assert.Nil(t, tc.err) { @@ -500,10 +502,12 @@ func TestHandler_GetOrder(t *testing.T) { } func TestHandler_newAuthorization(t *testing.T) { + defaultProvisioner := newProv() type test struct { - az *acme.Authorization - db acme.DB - err *acme.Error + az *acme.Authorization + prov acme.Provisioner + db acme.DB + err *acme.Error } var tests = map[string]func(t *testing.T) test{ "fail/error-db.CreateChallenge": func(t *testing.T) test { @@ -515,6 +519,7 @@ func TestHandler_newAuthorization(t *testing.T) { }, } return test{ + prov: defaultProvisioner, db: &acme.MockDB{ MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error { assert.Equals(t, ch.AccountID, az.AccountID) @@ -542,6 +547,7 @@ func TestHandler_newAuthorization(t *testing.T) { count := 0 var ch1, ch2, ch3 **acme.Challenge return test{ + prov: defaultProvisioner, db: &acme.MockDB{ MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error { switch count { @@ -596,6 +602,7 @@ func TestHandler_newAuthorization(t *testing.T) { count := 0 var ch1, ch2, ch3 **acme.Challenge return test{ + prov: defaultProvisioner, db: &acme.MockDB{ MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error { switch count { @@ -648,6 +655,7 @@ func TestHandler_newAuthorization(t *testing.T) { } var ch1 **acme.Challenge return test{ + prov: defaultProvisioner, db: &acme.MockDB{ MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error { ch.ID = "dns" @@ -676,21 +684,96 @@ func TestHandler_newAuthorization(t *testing.T) { az: az, } }, + "ok/permanent-identifier-disabled": func(t *testing.T) test { + az := &acme.Authorization{ + AccountID: "accID", + Identifier: acme.Identifier{ + Type: "permanent-identifier", + Value: "7b53aa19-26f7-4fac-824f-7a781de0dab0", + }, + Status: acme.StatusPending, + ExpiresAt: clock.Now(), + } + return test{ + prov: defaultProvisioner, + db: &acme.MockDB{ + MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error { + t.Errorf("createChallenge should not be called") + return nil + }, + MockCreateAuthorization: func(ctx context.Context, _az *acme.Authorization) error { + assert.Equals(t, _az.AccountID, az.AccountID) + assert.Equals(t, _az.Token, az.Token) + assert.Equals(t, _az.Status, acme.StatusPending) + assert.Equals(t, _az.Identifier, az.Identifier) + assert.Equals(t, _az.ExpiresAt, az.ExpiresAt) + assert.Equals(t, _az.Challenges, []*acme.Challenge{}) + assert.Equals(t, _az.Wildcard, false) + return nil + }, + }, + az: az, + } + }, + "ok/permanent-identifier-enabled": func(t *testing.T) test { + var ch1 *acme.Challenge + az := &acme.Authorization{ + AccountID: "accID", + Identifier: acme.Identifier{ + Type: "permanent-identifier", + Value: "7b53aa19-26f7-4fac-824f-7a781de0dab0", + }, + Status: acme.StatusPending, + ExpiresAt: clock.Now(), + } + deviceAttestProv := newProv() + deviceAttestProv.(*provisioner.ACME).Challenges = []provisioner.ACMEChallenge{provisioner.DEVICE_ATTEST_01} + return test{ + prov: deviceAttestProv, + db: &acme.MockDB{ + MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error { + ch.ID = "997bacc2-c175-4214-a3b4-a229ada5f671" + assert.Equals(t, ch.Type, acme.DEVICEATTEST01) + assert.Equals(t, ch.AccountID, az.AccountID) + assert.Equals(t, ch.Token, az.Token) + assert.Equals(t, ch.Status, acme.StatusPending) + assert.Equals(t, ch.Value, "7b53aa19-26f7-4fac-824f-7a781de0dab0") + ch1 = ch + return nil + }, + MockCreateAuthorization: func(ctx context.Context, _az *acme.Authorization) error { + assert.Equals(t, _az.AccountID, az.AccountID) + assert.Equals(t, _az.Token, az.Token) + assert.Equals(t, _az.Status, acme.StatusPending) + assert.Equals(t, _az.Identifier, az.Identifier) + assert.Equals(t, _az.ExpiresAt, az.ExpiresAt) + assert.Equals(t, _az.Challenges, []*acme.Challenge{ch1}) + assert.Equals(t, _az.Wildcard, false) + return nil + }, + }, + az: az, + } + }, } for name, run := range tests { t.Run(name, func(t *testing.T) { + if name == "ok/permanent-identifier-enabled" { + println(1) + } tc := run(t) ctx := newBaseContext(context.Background(), tc.db) + ctx = acme.NewProvisionerContext(ctx, tc.prov) if err := newAuthorization(ctx, tc.az); err != nil { if assert.NotNil(t, tc.err) { - switch k := err.(type) { - case *acme.Error: + var k *acme.Error + if assert.True(t, errors.As(err, &k)) { assert.Equals(t, k.Type, tc.err.Type) assert.Equals(t, k.Detail, tc.err.Detail) assert.Equals(t, k.Status, tc.err.Status) assert.Equals(t, k.Err.Error(), tc.err.Err.Error()) assert.Equals(t, k.Detail, tc.err.Detail) - default: + } else { assert.FatalError(t, errors.New("unexpected error type")) } } diff --git a/acme/authorization_test.go b/acme/authorization_test.go index 00b35b99..28aefe9f 100644 --- a/acme/authorization_test.go +++ b/acme/authorization_test.go @@ -130,14 +130,14 @@ func TestAuthorization_UpdateStatus(t *testing.T) { tc := run(t) if err := tc.az.UpdateStatus(context.Background(), tc.db); err != nil { if assert.NotNil(t, tc.err) { - switch k := err.(type) { - case *Error: + var k *Error + if errors.As(err, &k) { assert.Equals(t, k.Type, tc.err.Type) assert.Equals(t, k.Detail, tc.err.Detail) assert.Equals(t, k.Status, tc.err.Status) assert.Equals(t, k.Err.Error(), tc.err.Err.Error()) assert.Equals(t, k.Detail, tc.err.Detail) - default: + } else { assert.FatalError(t, errors.New("unexpected error type")) } } diff --git a/acme/challenge.go b/acme/challenge.go index 96637627..84b3f83a 100644 --- a/acme/challenge.go +++ b/acme/challenge.go @@ -3,9 +3,14 @@ package acme import ( "context" "crypto" + "crypto/ecdsa" + "crypto/ed25519" + "crypto/elliptic" + "crypto/rsa" "crypto/sha256" "crypto/subtle" "crypto/tls" + "crypto/x509" "encoding/asn1" "encoding/base64" "encoding/hex" @@ -16,10 +21,14 @@ import ( "net" "net/url" "reflect" + "strconv" "strings" "time" + "github.com/fxamacker/cbor/v2" + "github.com/smallstep/certificates/authority/provisioner" "go.step.sm/crypto/jose" + "go.step.sm/crypto/pemutil" ) type ChallengeType string @@ -31,6 +40,8 @@ const ( DNS01 ChallengeType = "dns-01" // TLSALPN01 is the tls-alpn-01 ACME challenge type TLSALPN01 ChallengeType = "tls-alpn-01" + // DEVICEATTEST01 is the device-attest-01 ACME challenge type + DEVICEATTEST01 ChallengeType = "device-attest-01" ) // Challenge represents an ACME response Challenge type. @@ -60,7 +71,7 @@ func (ch *Challenge) ToLog() (interface{}, error) { // type using the DB interface. // satisfactorily validated, the 'status' and 'validated' attributes are // updated. -func (ch *Challenge) Validate(ctx context.Context, db DB, jwk *jose.JSONWebKey) error { +func (ch *Challenge) Validate(ctx context.Context, db DB, jwk *jose.JSONWebKey, payload []byte) error { // If already valid or invalid then return without performing validation. if ch.Status != StatusPending { return nil @@ -72,6 +83,8 @@ func (ch *Challenge) Validate(ctx context.Context, db DB, jwk *jose.JSONWebKey) return dns01Validate(ctx, ch, db, jwk) case TLSALPN01: return tlsalpn01Validate(ctx, ch, db, jwk) + case DEVICEATTEST01: + return deviceAttest01Validate(ctx, ch, db, jwk, payload) default: return NewErrorISE("unexpected challenge type '%s'", ch.Type) } @@ -149,7 +162,7 @@ func tlsalpn01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSON // [RFC5246] or higher when connecting to clients for validation. MinVersion: tls.VersionTLS12, ServerName: serverName(ch), - InsecureSkipVerify: true, // nolint:gosec // we expect a self-signed challenge certificate + InsecureSkipVerify: true, //nolint:gosec // we expect a self-signed challenge certificate } hostPort := net.JoinHostPort(ch.Value, "443") @@ -297,6 +310,350 @@ func dns01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebK return nil } +type Payload struct { + AttObj string `json:"attObj"` + Error string `json:"error"` +} + +type AttestationObject struct { + Format string `json:"fmt"` + AttStatement map[string]interface{} `json:"attStmt,omitempty"` +} + +// TODO(bweeks): move attestation verification to a shared package. +// TODO(bweeks): define new error type for failed attestation validation. +func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebKey, payload []byte) error { + var p Payload + if err := json.Unmarshal(payload, &p); err != nil { + return WrapErrorISE(err, "error unmarshalling JSON") + } + if p.Error != "" { + return storeError(ctx, db, ch, true, NewError(ErrorRejectedIdentifierType, + "payload contained error: %v", p.Error)) + } + + attObj, err := base64.RawURLEncoding.DecodeString(p.AttObj) + if err != nil { + return WrapErrorISE(err, "error base64 decoding attObj") + } + + att := AttestationObject{} + if err := cbor.Unmarshal(attObj, &att); err != nil { + return WrapErrorISE(err, "error unmarshalling CBOR") + } + + prov := MustProvisionerFromContext(ctx) + if !prov.IsAttestationFormatEnabled(ctx, provisioner.ACMEAttestationFormat(att.Format)) { + return storeError(ctx, db, ch, true, + NewError(ErrorBadAttestationStatementType, "attestation format %q is not enabled", att.Format)) + } + + switch att.Format { + case "apple": + data, err := doAppleAttestationFormat(ctx, prov, ch, &att) + if err != nil { + var acmeError *Error + if errors.As(err, &acmeError) { + if acmeError.Status == 500 { + return acmeError + } + return storeError(ctx, db, ch, true, acmeError) + } + return WrapErrorISE(err, "error validating attestation") + } + + // Validate nonce with SHA-256 of the token. + if len(data.Nonce) != 0 { + sum := sha256.Sum256([]byte(ch.Token)) + if subtle.ConstantTimeCompare(data.Nonce, sum[:]) != 1 { + return storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatementType, "challenge token does not match")) + } + } + + // Validate Apple's ClientIdentifier (Identifier.Value) with device + // identifiers. + // + // Note: We might want to use an external service for this. + if data.UDID != ch.Value && data.SerialNumber != ch.Value { + return storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatementType, "permanent identifier does not match")) + } + case "step": + data, err := doStepAttestationFormat(ctx, prov, ch, jwk, &att) + if err != nil { + var acmeError *Error + if errors.As(err, &acmeError) { + if acmeError.Status == 500 { + return acmeError + } + return storeError(ctx, db, ch, true, acmeError) + } + return WrapErrorISE(err, "error validating attestation") + } + + // Validate Apple's ClientIdentifier (Identifier.Value) with device + // identifiers. + // + // Note: We might want to use an external service for this. + if data.SerialNumber != ch.Value { + return storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatementType, "permanent identifier does not match")) + } + default: + return storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatementType, "unexpected attestation object format")) + } + + // Update and store the challenge. + ch.Status = StatusValid + ch.Error = nil + ch.ValidatedAt = clock.Now().Format(time.RFC3339) + + if err := db.UpdateChallenge(ctx, ch); err != nil { + return WrapErrorISE(err, "error updating challenge") + } + return nil +} + +// Apple Enterprise Attestation Root CA from +// https://www.apple.com/certificateauthority/private/ +const appleEnterpriseAttestationRootCA = `-----BEGIN CERTIFICATE----- +MIICJDCCAamgAwIBAgIUQsDCuyxyfFxeq/bxpm8frF15hzcwCgYIKoZIzj0EAwMw +UTEtMCsGA1UEAwwkQXBwbGUgRW50ZXJwcmlzZSBBdHRlc3RhdGlvbiBSb290IENB +MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzAeFw0yMjAyMTYxOTAx +MjRaFw00NzAyMjAwMDAwMDBaMFExLTArBgNVBAMMJEFwcGxlIEVudGVycHJpc2Ug +QXR0ZXN0YXRpb24gUm9vdCBDQTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UE +BhMCVVMwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT6Jigq+Ps9Q4CoT8t8q+UnOe2p +oT9nRaUfGhBTbgvqSGXPjVkbYlIWYO+1zPk2Sz9hQ5ozzmLrPmTBgEWRcHjA2/y7 +7GEicps9wn2tj+G89l3INNDKETdxSPPIZpPj8VmjQjBAMA8GA1UdEwEB/wQFMAMB +Af8wHQYDVR0OBBYEFPNqTQGd8muBpV5du+UIbVbi+d66MA4GA1UdDwEB/wQEAwIB +BjAKBggqhkjOPQQDAwNpADBmAjEA1xpWmTLSpr1VH4f8Ypk8f3jMUKYz4QPG8mL5 +8m9sX/b2+eXpTv2pH4RZgJjucnbcAjEA4ZSB6S45FlPuS/u4pTnzoz632rA+xW/T +ZwFEh9bhKjJ+5VQ9/Do1os0u3LEkgN/r +-----END CERTIFICATE-----` + +var ( + oidAppleSerialNumber = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 8, 9, 1} + oidAppleUniqueDeviceIdentifier = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 8, 9, 2} + oidAppleSecureEnclaveProcessorOSVersion = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 8, 10, 2} + oidAppleNonce = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 8, 11, 1} +) + +type appleAttestationData struct { + Nonce []byte + SerialNumber string + UDID string + SEPVersion string + Certificate *x509.Certificate +} + +func doAppleAttestationFormat(ctx context.Context, prov Provisioner, ch *Challenge, att *AttestationObject) (*appleAttestationData, error) { + // Use configured or default attestation roots if none is configured. + roots, ok := prov.GetAttestationRoots() + if !ok { + root, err := pemutil.ParseCertificate([]byte(appleEnterpriseAttestationRootCA)) + if err != nil { + return nil, WrapErrorISE(err, "error parsing apple enterprise ca") + } + roots = x509.NewCertPool() + roots.AddCert(root) + } + + x5c, ok := att.AttStatement["x5c"].([]interface{}) + if !ok { + return nil, NewError(ErrorBadAttestationStatementType, "x5c not present") + } + if len(x5c) == 0 { + return nil, NewError(ErrorRejectedIdentifierType, "x5c is empty") + } + + der, ok := x5c[0].([]byte) + if !ok { + return nil, NewError(ErrorBadAttestationStatementType, "x5c is malformed") + } + leaf, err := x509.ParseCertificate(der) + if err != nil { + return nil, WrapError(ErrorBadAttestationStatementType, err, "x5c is malformed") + } + + intermediates := x509.NewCertPool() + for _, v := range x5c[1:] { + der, ok = v.([]byte) + if !ok { + return nil, NewError(ErrorBadAttestationStatementType, "x5c is malformed") + } + cert, err := x509.ParseCertificate(der) + if err != nil { + return nil, WrapError(ErrorBadAttestationStatementType, err, "x5c is malformed") + } + intermediates.AddCert(cert) + } + + if _, err := leaf.Verify(x509.VerifyOptions{ + Intermediates: intermediates, + Roots: roots, + CurrentTime: time.Now().Truncate(time.Second), + KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, + }); err != nil { + return nil, WrapError(ErrorBadAttestationStatementType, err, "x5c is not valid") + } + + data := &appleAttestationData{ + Certificate: leaf, + } + for _, ext := range leaf.Extensions { + switch { + case ext.Id.Equal(oidAppleSerialNumber): + data.SerialNumber = string(ext.Value) + case ext.Id.Equal(oidAppleUniqueDeviceIdentifier): + data.UDID = string(ext.Value) + case ext.Id.Equal(oidAppleSecureEnclaveProcessorOSVersion): + data.SEPVersion = string(ext.Value) + case ext.Id.Equal(oidAppleNonce): + data.Nonce = ext.Value + } + } + + return data, nil +} + +// Yubico PIV Root CA Serial 263751 +// https://developers.yubico.com/PIV/Introduction/piv-attestation-ca.pem +const yubicoPIVRootCA = `-----BEGIN CERTIFICATE----- +MIIDFzCCAf+gAwIBAgIDBAZHMA0GCSqGSIb3DQEBCwUAMCsxKTAnBgNVBAMMIFl1 +YmljbyBQSVYgUm9vdCBDQSBTZXJpYWwgMjYzNzUxMCAXDTE2MDMxNDAwMDAwMFoY +DzIwNTIwNDE3MDAwMDAwWjArMSkwJwYDVQQDDCBZdWJpY28gUElWIFJvb3QgQ0Eg +U2VyaWFsIDI2Mzc1MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMN2 +cMTNR6YCdcTFRxuPy31PabRn5m6pJ+nSE0HRWpoaM8fc8wHC+Tmb98jmNvhWNE2E +ilU85uYKfEFP9d6Q2GmytqBnxZsAa3KqZiCCx2LwQ4iYEOb1llgotVr/whEpdVOq +joU0P5e1j1y7OfwOvky/+AXIN/9Xp0VFlYRk2tQ9GcdYKDmqU+db9iKwpAzid4oH +BVLIhmD3pvkWaRA2H3DA9t7H/HNq5v3OiO1jyLZeKqZoMbPObrxqDg+9fOdShzgf +wCqgT3XVmTeiwvBSTctyi9mHQfYd2DwkaqxRnLbNVyK9zl+DzjSGp9IhVPiVtGet +X02dxhQnGS7K6BO0Qe8CAwEAAaNCMEAwHQYDVR0OBBYEFMpfyvLEojGc6SJf8ez0 +1d8Cv4O/MA8GA1UdEwQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3 +DQEBCwUAA4IBAQBc7Ih8Bc1fkC+FyN1fhjWioBCMr3vjneh7MLbA6kSoyWF70N3s +XhbXvT4eRh0hvxqvMZNjPU/VlRn6gLVtoEikDLrYFXN6Hh6Wmyy1GTnspnOvMvz2 +lLKuym9KYdYLDgnj3BeAvzIhVzzYSeU77/Cupofj093OuAswW0jYvXsGTyix6B3d +bW5yWvyS9zNXaqGaUmP3U9/b6DlHdDogMLu3VLpBB9bm5bjaKWWJYgWltCVgUbFq +Fqyi4+JE014cSgR57Jcu3dZiehB6UtAPgad9L5cNvua/IWRmm+ANy3O2LH++Pyl8 +SREzU8onbBsjMg9QDiSf5oJLKvd/Ren+zGY7 +-----END CERTIFICATE-----` + +// Serial number of the YubiKey, encoded as an integer. +// https://developers.yubico.com/PIV/Introduction/PIV_attestation.html +var oidYubicoSerialNumber = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 41482, 3, 7} + +type stepAttestationData struct { + Certificate *x509.Certificate + SerialNumber string +} + +func doStepAttestationFormat(ctx context.Context, prov Provisioner, ch *Challenge, jwk *jose.JSONWebKey, att *AttestationObject) (*stepAttestationData, error) { + // Use configured or default attestation roots if none is configured. + roots, ok := prov.GetAttestationRoots() + if !ok { + root, err := pemutil.ParseCertificate([]byte(yubicoPIVRootCA)) + if err != nil { + return nil, WrapErrorISE(err, "error parsing root ca") + } + roots = x509.NewCertPool() + roots.AddCert(root) + } + + // Extract x5c and verify certificate + x5c, ok := att.AttStatement["x5c"].([]interface{}) + if !ok { + return nil, NewError(ErrorBadAttestationStatementType, "x5c not present") + } + if len(x5c) == 0 { + return nil, NewError(ErrorRejectedIdentifierType, "x5c is empty") + } + der, ok := x5c[0].([]byte) + if !ok { + return nil, NewError(ErrorBadAttestationStatementType, "x5c is malformed") + } + leaf, err := x509.ParseCertificate(der) + if err != nil { + return nil, WrapError(ErrorBadAttestationStatementType, err, "x5c is malformed") + } + intermediates := x509.NewCertPool() + for _, v := range x5c[1:] { + der, ok = v.([]byte) + if !ok { + return nil, NewError(ErrorBadAttestationStatementType, "x5c is malformed") + } + cert, err := x509.ParseCertificate(der) + if err != nil { + return nil, WrapError(ErrorBadAttestationStatementType, err, "x5c is malformed") + } + intermediates.AddCert(cert) + } + if _, err := leaf.Verify(x509.VerifyOptions{ + Intermediates: intermediates, + Roots: roots, + CurrentTime: time.Now().Truncate(time.Second), + KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, + }); err != nil { + return nil, WrapError(ErrorBadAttestationStatementType, err, "x5c is not valid") + } + + // Verify proof of possession of private key validating the key + // authorization. Per recommendation at + // https://w3c.github.io/webauthn/#sctn-signature-attestation-types the + // signature is CBOR-encoded. + var sig []byte + csig, ok := att.AttStatement["sig"].([]byte) + if !ok { + return nil, NewError(ErrorBadAttestationStatementType, "sig not present") + } + if err := cbor.Unmarshal(csig, &sig); err != nil { + return nil, NewError(ErrorBadAttestationStatementType, "sig is malformed") + } + keyAuth, err := KeyAuthorization(ch.Token, jwk) + if err != nil { + return nil, err + } + + switch pub := leaf.PublicKey.(type) { + case *ecdsa.PublicKey: + if pub.Curve != elliptic.P256() { + return nil, WrapError(ErrorBadAttestationStatementType, err, "unsupported elliptic curve %s", pub.Curve) + } + sum := sha256.Sum256([]byte(keyAuth)) + if !ecdsa.VerifyASN1(pub, sum[:], sig) { + return nil, NewError(ErrorBadAttestationStatementType, "failed to validate signature") + } + case *rsa.PublicKey: + sum := sha256.Sum256([]byte(keyAuth)) + if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig); err != nil { + return nil, NewError(ErrorBadAttestationStatementType, "failed to validate signature") + } + case ed25519.PublicKey: + if !ed25519.Verify(pub, []byte(keyAuth), sig) { + return nil, NewError(ErrorBadAttestationStatementType, "failed to validate signature") + } + default: + return nil, NewError(ErrorBadAttestationStatementType, "unsupported public key type %T", pub) + } + + // Parse attestation data: + // TODO(mariano): add support for other extensions. + data := &stepAttestationData{ + Certificate: leaf, + } + for _, ext := range leaf.Extensions { + if !ext.Id.Equal(oidYubicoSerialNumber) { + continue + } + var serialNumber int + rest, err := asn1.Unmarshal(ext.Value, &serialNumber) + if err != nil || len(rest) > 0 { + return nil, WrapError(ErrorBadAttestationStatementType, err, "error parsing serial number") + } + data.SerialNumber = strconv.Itoa(serialNumber) + break + } + + return data, nil +} + // serverName determines the SNI HostName to set based on an acme.Challenge // for TLS-ALPN-01 challenges RFC8738 states that, if HostName is an IP, it // should be the ARPA address https://datatracker.ietf.org/doc/html/rfc8738#section-6. diff --git a/acme/challenge_test.go b/acme/challenge_test.go index e1b6816a..e452b175 100644 --- a/acme/challenge_test.go +++ b/acme/challenge_test.go @@ -4,6 +4,8 @@ import ( "bytes" "context" "crypto" + "crypto/ecdsa" + "crypto/elliptic" "crypto/rand" "crypto/rsa" "crypto/sha256" @@ -13,6 +15,7 @@ import ( "encoding/asn1" "encoding/base64" "encoding/hex" + "encoding/pem" "errors" "fmt" "io" @@ -20,13 +23,18 @@ import ( "net" "net/http" "net/http/httptest" + "reflect" "strings" "testing" "time" - "go.step.sm/crypto/jose" - + "github.com/fxamacker/cbor/v2" "github.com/smallstep/assert" + "github.com/smallstep/certificates/authority/config" + "github.com/smallstep/certificates/authority/provisioner" + "go.step.sm/crypto/jose" + "go.step.sm/crypto/keyutil" + "go.step.sm/crypto/minica" ) type mockClient struct { @@ -37,8 +45,25 @@ type mockClient struct { func (m *mockClient) Get(url string) (*http.Response, error) { return m.get(url) } func (m *mockClient) LookupTxt(name string) ([]string, error) { return m.lookupTxt(name) } -func (m *mockClient) TLSDial(network, addr string, config *tls.Config) (*tls.Conn, error) { - return m.tlsDial(network, addr, config) +func (m *mockClient) TLSDial(network, addr string, tlsConfig *tls.Config) (*tls.Conn, error) { + return m.tlsDial(network, addr, tlsConfig) +} + +func mustAttestationProvisioner(t *testing.T, roots []byte) Provisioner { + t.Helper() + + prov := &provisioner.ACME{ + Type: "ACME", + Name: "acme", + Challenges: []provisioner.ACMEChallenge{provisioner.DEVICE_ATTEST_01}, + AttestationRoots: roots, + } + if err := prov.Init(provisioner.Config{ + Claims: config.GlobalProvisionerClaims, + }); err != nil { + t.Fatal(err) + } + return prov } func Test_storeError(t *testing.T) { @@ -163,14 +188,14 @@ func Test_storeError(t *testing.T) { tc := run(t) if err := storeError(context.Background(), tc.db, tc.ch, tc.markInvalid, err); err != nil { if assert.NotNil(t, tc.err) { - switch k := err.(type) { - case *Error: + var k *Error + if errors.As(err, &k) { assert.Equals(t, k.Type, tc.err.Type) assert.Equals(t, k.Detail, tc.err.Detail) assert.Equals(t, k.Status, tc.err.Status) assert.Equals(t, k.Err.Error(), tc.err.Err.Error()) assert.Equals(t, k.Detail, tc.err.Detail) - default: + } else { assert.FatalError(t, errors.New("unexpected error type")) } } @@ -218,14 +243,14 @@ func TestKeyAuthorization(t *testing.T) { tc := run(t) if ka, err := KeyAuthorization(tc.token, tc.jwk); err != nil { if assert.NotNil(t, tc.err) { - switch k := err.(type) { - case *Error: + var k *Error + if errors.As(err, &k) { assert.Equals(t, k.Type, tc.err.Type) assert.Equals(t, k.Detail, tc.err.Detail) assert.Equals(t, k.Status, tc.err.Status) assert.Equals(t, k.Err.Error(), tc.err.Err.Error()) assert.Equals(t, k.Detail, tc.err.Detail) - default: + } else { assert.FatalError(t, errors.New("unexpected error type")) } } @@ -506,16 +531,16 @@ func TestChallenge_Validate(t *testing.T) { } ctx := NewClientContext(context.Background(), tc.vc) - if err := tc.ch.Validate(ctx, tc.db, tc.jwk); err != nil { + if err := tc.ch.Validate(ctx, tc.db, tc.jwk, nil); err != nil { if assert.NotNil(t, tc.err) { - switch k := err.(type) { - case *Error: + var k *Error + if errors.As(err, &k) { assert.Equals(t, k.Type, tc.err.Type) assert.Equals(t, k.Detail, tc.err.Detail) assert.Equals(t, k.Status, tc.err.Status) assert.Equals(t, k.Err.Error(), tc.err.Err.Error()) assert.Equals(t, k.Detail, tc.err.Detail) - default: + } else { assert.FatalError(t, errors.New("unexpected error type")) } } @@ -903,14 +928,14 @@ func TestHTTP01Validate(t *testing.T) { ctx := NewClientContext(context.Background(), tc.vc) if err := http01Validate(ctx, tc.ch, tc.db, tc.jwk); err != nil { if assert.NotNil(t, tc.err) { - switch k := err.(type) { - case *Error: + var k *Error + if errors.As(err, &k) { assert.Equals(t, k.Type, tc.err.Type) assert.Equals(t, k.Detail, tc.err.Detail) assert.Equals(t, k.Status, tc.err.Status) assert.Equals(t, k.Err.Error(), tc.err.Err.Error()) assert.Equals(t, k.Detail, tc.err.Detail) - default: + } else { assert.FatalError(t, errors.New("unexpected error type")) } } @@ -1203,14 +1228,14 @@ func TestDNS01Validate(t *testing.T) { ctx := NewClientContext(context.Background(), tc.vc) if err := dns01Validate(ctx, tc.ch, tc.db, tc.jwk); err != nil { if assert.NotNil(t, tc.err) { - switch k := err.(type) { - case *Error: + var k *Error + if errors.As(err, &k) { assert.Equals(t, k.Type, tc.err.Type) assert.Equals(t, k.Detail, tc.err.Detail) assert.Equals(t, k.Status, tc.err.Status) assert.Equals(t, k.Err.Error(), tc.err.Err.Error()) assert.Equals(t, k.Detail, tc.err.Detail) - default: + } else { assert.FatalError(t, errors.New("unexpected error type")) } } @@ -2273,14 +2298,14 @@ func TestTLSALPN01Validate(t *testing.T) { ctx := NewClientContext(context.Background(), tc.vc) if err := tlsalpn01Validate(ctx, tc.ch, tc.db, tc.jwk); err != nil { if assert.NotNil(t, tc.err) { - switch k := err.(type) { - case *Error: + var k *Error + if errors.As(err, &k) { assert.Equals(t, k.Type, tc.err.Type) assert.Equals(t, k.Detail, tc.err.Detail) assert.Equals(t, k.Status, tc.err.Status) assert.Equals(t, k.Err.Error(), tc.err.Err.Error()) assert.Equals(t, k.Detail, tc.err.Detail) - default: + } else { assert.FatalError(t, errors.New("unexpected error type")) } } @@ -2400,3 +2425,352 @@ func Test_http01ChallengeHost(t *testing.T) { }) } } + +func Test_doAppleAttestationFormat(t *testing.T) { + ctx := context.Background() + ca, err := minica.New() + if err != nil { + t.Fatal(err) + } + caRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Root.Raw}) + signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + t.Fatal(err) + } + leaf, err := ca.Sign(&x509.Certificate{ + Subject: pkix.Name{CommonName: "attestation cert"}, + PublicKey: signer.Public(), + ExtraExtensions: []pkix.Extension{ + {Id: oidAppleSerialNumber, Value: []byte("serial-number")}, + {Id: oidAppleUniqueDeviceIdentifier, Value: []byte("udid")}, + {Id: oidAppleSecureEnclaveProcessorOSVersion, Value: []byte("16.0")}, + {Id: oidAppleNonce, Value: []byte("nonce")}, + }, + }) + if err != nil { + t.Fatal(err) + } + + type args struct { + ctx context.Context + prov Provisioner + ch *Challenge + att *AttestationObject + } + tests := []struct { + name string + args args + want *appleAttestationData + wantErr bool + }{ + {"ok", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{}, &AttestationObject{ + Format: "apple", + AttStatement: map[string]interface{}{ + "x5c": []interface{}{leaf.Raw, ca.Intermediate.Raw}, + }, + }}, &appleAttestationData{ + Nonce: []byte("nonce"), + SerialNumber: "serial-number", + UDID: "udid", + SEPVersion: "16.0", + Certificate: leaf, + }, false}, + {"fail apple issuer", args{ctx, mustAttestationProvisioner(t, nil), &Challenge{}, &AttestationObject{ + Format: "apple", + AttStatement: map[string]interface{}{ + "x5c": []interface{}{leaf.Raw, ca.Intermediate.Raw}, + }, + }}, nil, true}, + {"fail missing x5c", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{}, &AttestationObject{ + Format: "apple", + AttStatement: map[string]interface{}{ + "foo": "bar", + }, + }}, nil, true}, + {"fail empty issuer", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{}, &AttestationObject{ + Format: "apple", + AttStatement: map[string]interface{}{ + "x5c": []interface{}{}, + }, + }}, nil, true}, + {"fail leaf type", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{}, &AttestationObject{ + Format: "apple", + AttStatement: map[string]interface{}{ + "x5c": []interface{}{"leaf", ca.Intermediate.Raw}, + }, + }}, nil, true}, + {"fail leaf parse", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{}, &AttestationObject{ + Format: "apple", + AttStatement: map[string]interface{}{ + "x5c": []interface{}{leaf.Raw[:100], ca.Intermediate.Raw}, + }, + }}, nil, true}, + {"fail intermediate type", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{}, &AttestationObject{ + Format: "apple", + AttStatement: map[string]interface{}{ + "x5c": []interface{}{leaf.Raw, "intermediate"}, + }, + }}, nil, true}, + {"fail intermediate parse", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{}, &AttestationObject{ + Format: "apple", + AttStatement: map[string]interface{}{ + "x5c": []interface{}{leaf.Raw, ca.Intermediate.Raw[:100]}, + }, + }}, nil, true}, + {"fail verify", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{}, &AttestationObject{ + Format: "apple", + AttStatement: map[string]interface{}{ + "x5c": []interface{}{leaf.Raw}, + }, + }}, nil, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := doAppleAttestationFormat(tt.args.ctx, tt.args.prov, tt.args.ch, tt.args.att) + if (err != nil) != tt.wantErr { + t.Errorf("doAppleAttestationFormat() error = %v, wantErr %v", err, tt.wantErr) + return + } + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("doAppleAttestationFormat() = %v, want %v", got, tt.want) + } + }) + } +} + +func Test_doStepAttestationFormat(t *testing.T) { + ctx := context.Background() + ca, err := minica.New() + if err != nil { + t.Fatal(err) + } + caRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Root.Raw}) + + makeLeaf := func(signer crypto.Signer, serialNumber []byte) *x509.Certificate { + leaf, err := ca.Sign(&x509.Certificate{ + Subject: pkix.Name{CommonName: "attestation cert"}, + PublicKey: signer.Public(), + ExtraExtensions: []pkix.Extension{ + {Id: oidYubicoSerialNumber, Value: serialNumber}, + }, + }) + if err != nil { + t.Fatal(err) + } + return leaf + } + mustSigner := func(kty, crv string, size int) crypto.Signer { + s, err := keyutil.GenerateSigner(kty, crv, size) + if err != nil { + t.Fatal(err) + } + return s + } + + signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + t.Fatal(err) + } + serialNumber, err := asn1.Marshal(1234) + if err != nil { + t.Fatal(err) + } + leaf := makeLeaf(signer, serialNumber) + + jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0) + if err != nil { + t.Fatal(err) + } + keyAuth, err := KeyAuthorization("token", jwk) + if err != nil { + t.Fatal(err) + } + keyAuthSum := sha256.Sum256([]byte(keyAuth)) + sig, err := signer.Sign(rand.Reader, keyAuthSum[:], crypto.SHA256) + if err != nil { + t.Fatal(err) + } + cborSig, err := cbor.Marshal(sig) + if err != nil { + t.Fatal(err) + } + + otherSigner, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + t.Fatal(err) + } + otherSig, err := otherSigner.Sign(rand.Reader, keyAuthSum[:], crypto.SHA256) + if err != nil { + t.Fatal(err) + } + otherCBORSig, err := cbor.Marshal(otherSig) + if err != nil { + t.Fatal(err) + } + + type args struct { + ctx context.Context + prov Provisioner + ch *Challenge + jwk *jose.JSONWebKey + att *AttestationObject + } + tests := []struct { + name string + args args + want *stepAttestationData + wantErr bool + }{ + {"ok", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{ + Format: "step", + AttStatement: map[string]interface{}{ + "x5c": []interface{}{leaf.Raw, ca.Intermediate.Raw}, + "alg": -7, + "sig": cborSig, + }, + }}, &stepAttestationData{ + SerialNumber: "1234", + Certificate: leaf, + }, false}, + {"fail yubico issuer", args{ctx, mustAttestationProvisioner(t, nil), &Challenge{Token: "token"}, jwk, &AttestationObject{ + Format: "step", + AttStatement: map[string]interface{}{ + "x5c": []interface{}{leaf.Raw, ca.Intermediate.Raw}, + "alg": -7, + "sig": cborSig, + }, + }}, nil, true}, + {"fail x5c type", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{ + Format: "step", + AttStatement: map[string]interface{}{ + "x5c": [][]byte{leaf.Raw, ca.Intermediate.Raw}, + "alg": -7, + "sig": cborSig, + }, + }}, nil, true}, + {"fail x5c empty", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{ + Format: "step", + AttStatement: map[string]interface{}{ + "x5c": []interface{}{}, + "alg": -7, + "sig": cborSig, + }, + }}, nil, true}, + {"fail leaf type", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{ + Format: "step", + AttStatement: map[string]interface{}{ + "x5c": []interface{}{"leaf", ca.Intermediate.Raw}, + "alg": -7, + "sig": cborSig, + }, + }}, nil, true}, + {"fail leaf parse", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{ + Format: "step", + AttStatement: map[string]interface{}{ + "x5c": []interface{}{leaf.Raw[:100], ca.Intermediate.Raw}, + "alg": -7, + "sig": cborSig, + }, + }}, nil, true}, + {"fail intermediate type", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{ + Format: "step", + AttStatement: map[string]interface{}{ + "x5c": []interface{}{leaf.Raw, "intermediate"}, + "alg": -7, + "sig": cborSig, + }, + }}, nil, true}, + {"fail intermediate parse", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{ + Format: "step", + AttStatement: map[string]interface{}{ + "x5c": []interface{}{leaf.Raw, ca.Intermediate.Raw[:100]}, + "alg": -7, + "sig": cborSig, + }, + }}, nil, true}, + {"fail verify", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{ + Format: "step", + AttStatement: map[string]interface{}{ + "x5c": []interface{}{leaf.Raw}, + "alg": -7, + "sig": cborSig, + }, + }}, nil, true}, + {"fail sig type", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{ + Format: "step", + AttStatement: map[string]interface{}{ + "x5c": []interface{}{leaf.Raw, ca.Intermediate.Raw}, + "alg": -7, + "sig": string(cborSig), + }, + }}, nil, true}, + {"fail sig unmarshal", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{ + Format: "step", + AttStatement: map[string]interface{}{ + "x5c": []interface{}{leaf.Raw, ca.Intermediate.Raw}, + "alg": -7, + "sig": []byte("bad-sig"), + }, + }}, nil, true}, + {"fail keyAuthorization", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, &jose.JSONWebKey{Key: []byte("not an asymmetric key")}, &AttestationObject{ + Format: "step", + AttStatement: map[string]interface{}{ + "x5c": []interface{}{leaf.Raw, ca.Intermediate.Raw}, + "alg": -7, + "sig": cborSig, + }, + }}, nil, true}, + {"fail sig verify P-256", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{ + Format: "step", + AttStatement: map[string]interface{}{ + "x5c": []interface{}{leaf.Raw, ca.Intermediate.Raw}, + "alg": -7, + "sig": otherCBORSig, + }, + }}, nil, true}, + {"fail sig verify P-384", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{ + Format: "step", + AttStatement: map[string]interface{}{ + "x5c": []interface{}{makeLeaf(mustSigner("EC", "P-384", 0), serialNumber).Raw, ca.Intermediate.Raw}, + "alg": -7, + "sig": cborSig, + }, + }}, nil, true}, + {"fail sig verify RSA", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{ + Format: "step", + AttStatement: map[string]interface{}{ + "x5c": []interface{}{makeLeaf(mustSigner("RSA", "", 2048), serialNumber).Raw, ca.Intermediate.Raw}, + "alg": -7, + "sig": cborSig, + }, + }}, nil, true}, + {"fail sig verify Ed25519", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{ + Format: "step", + AttStatement: map[string]interface{}{ + "x5c": []interface{}{makeLeaf(mustSigner("OKP", "Ed25519", 0), serialNumber).Raw, ca.Intermediate.Raw}, + "alg": -7, + "sig": cborSig, + }, + }}, nil, true}, + {"fail unmarshal serial number", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{ + Format: "step", + AttStatement: map[string]interface{}{ + "x5c": []interface{}{makeLeaf(signer, []byte("bad-serial")).Raw, ca.Intermediate.Raw}, + "alg": -7, + "sig": cborSig, + }, + }}, nil, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := doStepAttestationFormat(tt.args.ctx, tt.args.prov, tt.args.ch, tt.args.jwk, tt.args.att) + if (err != nil) != tt.wantErr { + t.Errorf("doStepAttestationFormat() error = %#v, wantErr %v", err, tt.wantErr) + return + } + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("doStepAttestationFormat() = %v, want %v", got, tt.want) + } + }) + } +} diff --git a/acme/client.go b/acme/client.go index cf5f8c09..51560cb8 100644 --- a/acme/client.go +++ b/acme/client.go @@ -56,7 +56,7 @@ func NewClient() Client { Timeout: 30 * time.Second, Transport: &http.Transport{ TLSClientConfig: &tls.Config{ - // nolint:gosec // used on tls-alpn-01 challenge + //nolint:gosec // used on tls-alpn-01 challenge InsecureSkipVerify: true, // lgtm[go/disabled-certificate-check] }, }, diff --git a/acme/common.go b/acme/common.go index 3054abe1..91cf772b 100644 --- a/acme/common.go +++ b/acme/common.go @@ -71,6 +71,9 @@ type Provisioner interface { AuthorizeOrderIdentifier(ctx context.Context, identifier provisioner.ACMEIdentifier) error AuthorizeSign(ctx context.Context, token string) ([]provisioner.SignOption, error) AuthorizeRevoke(ctx context.Context, token string) error + IsChallengeEnabled(ctx context.Context, challenge provisioner.ACMEChallenge) bool + IsAttestationFormatEnabled(ctx context.Context, format provisioner.ACMEAttestationFormat) bool + GetAttestationRoots() (*x509.CertPool, bool) GetID() string GetName() string DefaultTLSCertDuration() time.Duration @@ -109,6 +112,9 @@ type MockProvisioner struct { MauthorizeOrderIdentifier func(ctx context.Context, identifier provisioner.ACMEIdentifier) error MauthorizeSign func(ctx context.Context, ott string) ([]provisioner.SignOption, error) MauthorizeRevoke func(ctx context.Context, token string) error + MisChallengeEnabled func(ctx context.Context, challenge provisioner.ACMEChallenge) bool + MisAttFormatEnabled func(ctx context.Context, format provisioner.ACMEAttestationFormat) bool + MgetAttestationRoots func() (*x509.CertPool, bool) MdefaultTLSCertDuration func() time.Duration MgetOptions func() *provisioner.Options } @@ -145,6 +151,29 @@ func (m *MockProvisioner) AuthorizeRevoke(ctx context.Context, token string) err return m.Merr } +// IsChallengeEnabled mock +func (m *MockProvisioner) IsChallengeEnabled(ctx context.Context, challenge provisioner.ACMEChallenge) bool { + if m.MisChallengeEnabled != nil { + return m.MisChallengeEnabled(ctx, challenge) + } + return m.Merr == nil +} + +// IsAttestationFormatEnabled mock +func (m *MockProvisioner) IsAttestationFormatEnabled(ctx context.Context, format provisioner.ACMEAttestationFormat) bool { + if m.MisAttFormatEnabled != nil { + return m.MisAttFormatEnabled(ctx, format) + } + return m.Merr == nil +} + +func (m *MockProvisioner) GetAttestationRoots() (*x509.CertPool, bool) { + if m.MgetAttestationRoots != nil { + return m.MgetAttestationRoots() + } + return m.Mret1.(*x509.CertPool), m.Mret1 != nil +} + // DefaultTLSCertDuration mock func (m *MockProvisioner) DefaultTLSCertDuration() time.Duration { if m.MdefaultTLSCertDuration != nil { diff --git a/acme/db/nosql/account_test.go b/acme/db/nosql/account_test.go index 83a23476..6097cc5a 100644 --- a/acme/db/nosql/account_test.go +++ b/acme/db/nosql/account_test.go @@ -95,16 +95,16 @@ func TestDB_getDBAccount(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db} if dbacc, err := d.getDBAccount(context.Background(), accID); err != nil { - switch k := err.(type) { - case *acme.Error: + var acmeErr *acme.Error + if errors.As(err, &acmeErr) { if assert.NotNil(t, tc.acmeErr) { - assert.Equals(t, k.Type, tc.acmeErr.Type) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) - assert.Equals(t, k.Status, tc.acmeErr.Status) - assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error()) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) + assert.Equals(t, acmeErr.Type, tc.acmeErr.Type) + assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail) + assert.Equals(t, acmeErr.Status, tc.acmeErr.Status) + assert.Equals(t, acmeErr.Err.Error(), tc.acmeErr.Err.Error()) + assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -174,16 +174,16 @@ func TestDB_getAccountIDByKeyID(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db} if retAccID, err := d.getAccountIDByKeyID(context.Background(), kid); err != nil { - switch k := err.(type) { - case *acme.Error: + var acmeErr *acme.Error + if errors.As(err, &acmeErr) { if assert.NotNil(t, tc.acmeErr) { - assert.Equals(t, k.Type, tc.acmeErr.Type) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) - assert.Equals(t, k.Status, tc.acmeErr.Status) - assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error()) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) + assert.Equals(t, acmeErr.Type, tc.acmeErr.Type) + assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail) + assert.Equals(t, acmeErr.Status, tc.acmeErr.Status) + assert.Equals(t, acmeErr.Err.Error(), tc.acmeErr.Err.Error()) + assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -248,16 +248,16 @@ func TestDB_GetAccount(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db} if acc, err := d.GetAccount(context.Background(), accID); err != nil { - switch k := err.(type) { - case *acme.Error: + var acmeErr *acme.Error + if errors.As(err, &acmeErr) { if assert.NotNil(t, tc.acmeErr) { - assert.Equals(t, k.Type, tc.acmeErr.Type) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) - assert.Equals(t, k.Status, tc.acmeErr.Status) - assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error()) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) + assert.Equals(t, acmeErr.Type, tc.acmeErr.Type) + assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail) + assert.Equals(t, acmeErr.Status, tc.acmeErr.Status) + assert.Equals(t, acmeErr.Err.Error(), tc.acmeErr.Err.Error()) + assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -354,16 +354,16 @@ func TestDB_GetAccountByKeyID(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db} if acc, err := d.GetAccountByKeyID(context.Background(), kid); err != nil { - switch k := err.(type) { - case *acme.Error: + var acmeErr *acme.Error + if errors.As(err, &acmeErr) { if assert.NotNil(t, tc.acmeErr) { - assert.Equals(t, k.Type, tc.acmeErr.Type) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) - assert.Equals(t, k.Status, tc.acmeErr.Status) - assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error()) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) + assert.Equals(t, acmeErr.Type, tc.acmeErr.Type) + assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail) + assert.Equals(t, acmeErr.Status, tc.acmeErr.Status) + assert.Equals(t, acmeErr.Err.Error(), tc.acmeErr.Err.Error()) + assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } diff --git a/acme/db/nosql/authz_test.go b/acme/db/nosql/authz_test.go index 2e5dd3ea..c7d47eda 100644 --- a/acme/db/nosql/authz_test.go +++ b/acme/db/nosql/authz_test.go @@ -77,7 +77,7 @@ func TestDB_getDBAuthz(t *testing.T) { Token: "token", CreatedAt: now, ExpiresAt: now.Add(5 * time.Minute), - Error: acme.NewErrorISE("force"), + Error: acme.NewErrorISE("The server experienced an internal error"), ChallengeIDs: []string{"foo", "bar"}, Wildcard: true, } @@ -101,16 +101,16 @@ func TestDB_getDBAuthz(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db} if dbaz, err := d.getDBAuthz(context.Background(), azID); err != nil { - switch k := err.(type) { - case *acme.Error: + var acmeErr *acme.Error + if errors.As(err, &acmeErr) { if assert.NotNil(t, tc.acmeErr) { - assert.Equals(t, k.Type, tc.acmeErr.Type) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) - assert.Equals(t, k.Status, tc.acmeErr.Status) - assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error()) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) + assert.Equals(t, acmeErr.Type, tc.acmeErr.Type) + assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail) + assert.Equals(t, acmeErr.Status, tc.acmeErr.Status) + assert.Equals(t, acmeErr.Err.Error(), tc.acmeErr.Err.Error()) + assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -254,7 +254,7 @@ func TestDB_GetAuthorization(t *testing.T) { Token: "token", CreatedAt: now, ExpiresAt: now.Add(5 * time.Minute), - Error: acme.NewErrorISE("force"), + Error: acme.NewErrorISE("The server experienced an internal error"), ChallengeIDs: []string{"foo", "bar"}, Wildcard: true, } @@ -295,16 +295,16 @@ func TestDB_GetAuthorization(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db} if az, err := d.GetAuthorization(context.Background(), azID); err != nil { - switch k := err.(type) { - case *acme.Error: + var acmeErr *acme.Error + if errors.As(err, &acmeErr) { if assert.NotNil(t, tc.acmeErr) { - assert.Equals(t, k.Type, tc.acmeErr.Type) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) - assert.Equals(t, k.Status, tc.acmeErr.Status) - assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error()) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) + assert.Equals(t, acmeErr.Type, tc.acmeErr.Type) + assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail) + assert.Equals(t, acmeErr.Status, tc.acmeErr.Status) + assert.Equals(t, acmeErr.Err.Error(), tc.acmeErr.Err.Error()) + assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -532,7 +532,7 @@ func TestDB_UpdateAuthorization(t *testing.T) { assert.Equals(t, dbNew.Wildcard, dbaz.Wildcard) assert.Equals(t, dbNew.CreatedAt, dbaz.CreatedAt) assert.Equals(t, dbNew.ExpiresAt, dbaz.ExpiresAt) - assert.Equals(t, dbNew.Error.Error(), acme.NewError(acme.ErrorMalformedType, "malformed").Error()) + assert.Equals(t, dbNew.Error.Error(), acme.NewError(acme.ErrorMalformedType, "The request message was malformed").Error()) return nil, false, errors.New("force") }, }, @@ -582,7 +582,7 @@ func TestDB_UpdateAuthorization(t *testing.T) { assert.Equals(t, dbNew.Wildcard, dbaz.Wildcard) assert.Equals(t, dbNew.CreatedAt, dbaz.CreatedAt) assert.Equals(t, dbNew.ExpiresAt, dbaz.ExpiresAt) - assert.Equals(t, dbNew.Error.Error(), acme.NewError(acme.ErrorMalformedType, "malformed").Error()) + assert.Equals(t, dbNew.Error.Error(), acme.NewError(acme.ErrorMalformedType, "The request message was malformed").Error()) return nu, true, nil }, }, @@ -745,16 +745,16 @@ func TestDB_GetAuthorizationsByAccountID(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db} if azs, err := d.GetAuthorizationsByAccountID(context.Background(), accountID); err != nil { - switch k := err.(type) { - case *acme.Error: + var acmeErr *acme.Error + if errors.As(err, &acmeErr) { if assert.NotNil(t, tc.acmeErr) { - assert.Equals(t, k.Type, tc.acmeErr.Type) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) - assert.Equals(t, k.Status, tc.acmeErr.Status) - assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error()) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) + assert.Equals(t, acmeErr.Type, tc.acmeErr.Type) + assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail) + assert.Equals(t, acmeErr.Status, tc.acmeErr.Status) + assert.Equals(t, acmeErr.Err.Error(), tc.acmeErr.Err.Error()) + assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } diff --git a/acme/db/nosql/certificate.go b/acme/db/nosql/certificate.go index ee37c570..8f271ba5 100644 --- a/acme/db/nosql/certificate.go +++ b/acme/db/nosql/certificate.go @@ -138,5 +138,4 @@ func parseBundle(b []byte) ([]*x509.Certificate, error) { return nil, errors.New("error decoding PEM: unexpected data") } return bundle, nil - } diff --git a/acme/db/nosql/certificate_test.go b/acme/db/nosql/certificate_test.go index d64b3015..ba16a175 100644 --- a/acme/db/nosql/certificate_test.go +++ b/acme/db/nosql/certificate_test.go @@ -250,16 +250,16 @@ func TestDB_GetCertificate(t *testing.T) { d := DB{db: tc.db} cert, err := d.GetCertificate(context.Background(), certID) if err != nil { - switch k := err.(type) { - case *acme.Error: + var acmeErr *acme.Error + if errors.As(err, &acmeErr) { if assert.NotNil(t, tc.acmeErr) { - assert.Equals(t, k.Type, tc.acmeErr.Type) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) - assert.Equals(t, k.Status, tc.acmeErr.Status) - assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error()) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) + assert.Equals(t, acmeErr.Type, tc.acmeErr.Type) + assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail) + assert.Equals(t, acmeErr.Status, tc.acmeErr.Status) + assert.Equals(t, acmeErr.Err.Error(), tc.acmeErr.Err.Error()) + assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -444,16 +444,16 @@ func TestDB_GetCertificateBySerial(t *testing.T) { d := DB{db: tc.db} cert, err := d.GetCertificateBySerial(context.Background(), serial) if err != nil { - switch k := err.(type) { - case *acme.Error: + var ae *acme.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.acmeErr) { - assert.Equals(t, k.Type, tc.acmeErr.Type) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) - assert.Equals(t, k.Status, tc.acmeErr.Status) - assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error()) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) + assert.Equals(t, ae.Type, tc.acmeErr.Type) + assert.Equals(t, ae.Detail, tc.acmeErr.Detail) + assert.Equals(t, ae.Status, tc.acmeErr.Status) + assert.Equals(t, ae.Err.Error(), tc.acmeErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.acmeErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } diff --git a/acme/db/nosql/challenge_test.go b/acme/db/nosql/challenge_test.go index 4da5679b..4eb815f5 100644 --- a/acme/db/nosql/challenge_test.go +++ b/acme/db/nosql/challenge_test.go @@ -72,7 +72,7 @@ func TestDB_getDBChallenge(t *testing.T) { Value: "test.ca.smallstep.com", CreatedAt: clock.Now(), ValidatedAt: "foobar", - Error: acme.NewErrorISE("force"), + Error: acme.NewErrorISE("The server experienced an internal error"), } b, err := json.Marshal(dbc) assert.FatalError(t, err) @@ -94,16 +94,16 @@ func TestDB_getDBChallenge(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db} if ch, err := d.getDBChallenge(context.Background(), chID); err != nil { - switch k := err.(type) { - case *acme.Error: + var ae *acme.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.acmeErr) { - assert.Equals(t, k.Type, tc.acmeErr.Type) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) - assert.Equals(t, k.Status, tc.acmeErr.Status) - assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error()) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) + assert.Equals(t, ae.Type, tc.acmeErr.Type) + assert.Equals(t, ae.Detail, tc.acmeErr.Detail) + assert.Equals(t, ae.Status, tc.acmeErr.Status) + assert.Equals(t, ae.Err.Error(), tc.acmeErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.acmeErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -264,7 +264,7 @@ func TestDB_GetChallenge(t *testing.T) { Value: "test.ca.smallstep.com", CreatedAt: clock.Now(), ValidatedAt: "foobar", - Error: acme.NewErrorISE("force"), + Error: acme.NewErrorISE("The server experienced an internal error"), } b, err := json.Marshal(dbc) assert.FatalError(t, err) @@ -286,16 +286,16 @@ func TestDB_GetChallenge(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db} if ch, err := d.GetChallenge(context.Background(), chID, azID); err != nil { - switch k := err.(type) { - case *acme.Error: + var ae *acme.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.acmeErr) { - assert.Equals(t, k.Type, tc.acmeErr.Type) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) - assert.Equals(t, k.Status, tc.acmeErr.Status) - assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error()) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) + assert.Equals(t, ae.Type, tc.acmeErr.Type) + assert.Equals(t, ae.Detail, tc.acmeErr.Detail) + assert.Equals(t, ae.Status, tc.acmeErr.Status) + assert.Equals(t, ae.Err.Error(), tc.acmeErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.acmeErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -354,7 +354,7 @@ func TestDB_UpdateChallenge(t *testing.T) { ID: chID, Status: acme.StatusValid, ValidatedAt: "foobar", - Error: acme.NewError(acme.ErrorMalformedType, "malformed"), + Error: acme.NewError(acme.ErrorMalformedType, "The request message was malformed"), } return test{ ch: updCh, @@ -428,7 +428,7 @@ func TestDB_UpdateChallenge(t *testing.T) { assert.Equals(t, dbNew.CreatedAt, dbc.CreatedAt) assert.Equals(t, dbNew.Status, acme.StatusValid) assert.Equals(t, dbNew.ValidatedAt, "foobar") - assert.Equals(t, dbNew.Error.Error(), acme.NewError(acme.ErrorMalformedType, "malformed").Error()) + assert.Equals(t, dbNew.Error.Error(), acme.NewError(acme.ErrorMalformedType, "The request message was malformed").Error()) return nu, true, nil }, }, diff --git a/acme/db/nosql/eab.go b/acme/db/nosql/eab.go index e87aa9bc..e3651151 100644 --- a/acme/db/nosql/eab.go +++ b/acme/db/nosql/eab.go @@ -54,7 +54,6 @@ func (db *DB) getDBExternalAccountKey(ctx context.Context, id string) (*dbExtern // CreateExternalAccountKey creates a new External Account Binding key with a name func (db *DB) CreateExternalAccountKey(ctx context.Context, provisionerID, reference string) (*acme.ExternalAccountKey, error) { - externalAccountKeyMutex.Lock() defer externalAccountKeyMutex.Unlock() @@ -210,6 +209,7 @@ func (db *DB) GetExternalAccountKeyByReference(ctx context.Context, provisionerI defer externalAccountKeyMutex.RUnlock() if reference == "" { + //nolint:nilnil // legacy return nil, nil } @@ -228,6 +228,7 @@ func (db *DB) GetExternalAccountKeyByReference(ctx context.Context, provisionerI } func (db *DB) GetExternalAccountKeyByAccountID(ctx context.Context, provisionerID, accountID string) (*acme.ExternalAccountKey, error) { + //nolint:nilnil // legacy return nil, nil } @@ -371,7 +372,6 @@ func sliceIndex(slice []string, item string) int { // removeElement deletes the item if it exists in the // slice. It returns a new slice, keeping the old one intact. func removeElement(slice []string, item string) []string { - newSlice := make([]string, 0) index := sliceIndex(slice, item) if index < 0 { diff --git a/acme/db/nosql/eab_test.go b/acme/db/nosql/eab_test.go index 525afa72..51097911 100644 --- a/acme/db/nosql/eab_test.go +++ b/acme/db/nosql/eab_test.go @@ -93,16 +93,16 @@ func TestDB_getDBExternalAccountKey(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db} if dbeak, err := d.getDBExternalAccountKey(context.Background(), keyID); err != nil { - switch k := err.(type) { - case *acme.Error: + var ae *acme.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.acmeErr) { - assert.Equals(t, k.Type, tc.acmeErr.Type) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) - assert.Equals(t, k.Status, tc.acmeErr.Status) - assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error()) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) + assert.Equals(t, ae.Type, tc.acmeErr.Type) + assert.Equals(t, ae.Detail, tc.acmeErr.Detail) + assert.Equals(t, ae.Status, tc.acmeErr.Status) + assert.Equals(t, ae.Err.Error(), tc.acmeErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.acmeErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -210,16 +210,16 @@ func TestDB_GetExternalAccountKey(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db} if eak, err := d.GetExternalAccountKey(context.Background(), provID, keyID); err != nil { - switch k := err.(type) { - case *acme.Error: + var ae *acme.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.acmeErr) { - assert.Equals(t, k.Type, tc.acmeErr.Type) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) - assert.Equals(t, k.Status, tc.acmeErr.Status) - assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error()) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) + assert.Equals(t, ae.Type, tc.acmeErr.Type) + assert.Equals(t, ae.Detail, tc.acmeErr.Detail) + assert.Equals(t, ae.Status, tc.acmeErr.Status) + assert.Equals(t, ae.Err.Error(), tc.acmeErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.acmeErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -374,16 +374,16 @@ func TestDB_GetExternalAccountKeyByReference(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db} if eak, err := d.GetExternalAccountKeyByReference(context.Background(), provID, tc.ref); err != nil { - switch k := err.(type) { - case *acme.Error: + var ae *acme.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.acmeErr) { - assert.Equals(t, k.Type, tc.acmeErr.Type) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) - assert.Equals(t, k.Status, tc.acmeErr.Status) - assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error()) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) + assert.Equals(t, ae.Type, tc.acmeErr.Type) + assert.Equals(t, ae.Detail, tc.acmeErr.Detail) + assert.Equals(t, ae.Status, tc.acmeErr.Status) + assert.Equals(t, ae.Err.Error(), tc.acmeErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.acmeErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -580,16 +580,16 @@ func TestDB_GetExternalAccountKeys(t *testing.T) { cursor, limit := "", 0 if eaks, nextCursor, err := d.GetExternalAccountKeys(context.Background(), provID, cursor, limit); err != nil { assert.Equals(t, "", nextCursor) - switch k := err.(type) { - case *acme.Error: + var ae *acme.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.acmeErr) { - assert.Equals(t, k.Type, tc.acmeErr.Type) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) - assert.Equals(t, k.Status, tc.acmeErr.Status) - assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error()) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) + assert.Equals(t, ae.Type, tc.acmeErr.Type) + assert.Equals(t, ae.Detail, tc.acmeErr.Detail) + assert.Equals(t, ae.Status, tc.acmeErr.Status) + assert.Equals(t, ae.Err.Error(), tc.acmeErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.acmeErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.Equals(t, tc.err.Error(), err.Error()) } @@ -672,7 +672,7 @@ func TestDB_DeleteExternalAccountKey(t *testing.T) { return errors.New("force default") } }, - MCmpAndSwap: func(bucket, key, old, new []byte) ([]byte, bool, error) { + MCmpAndSwap: func(bucket, key, old, nu []byte) ([]byte, bool, error) { fmt.Println(string(bucket)) switch string(bucket) { case string(externalAccountKeyIDsByReferenceTable): @@ -882,16 +882,16 @@ func TestDB_DeleteExternalAccountKey(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db} if err := d.DeleteExternalAccountKey(context.Background(), provID, keyID); err != nil { - switch k := err.(type) { - case *acme.Error: + var ae *acme.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.acmeErr) { - assert.Equals(t, k.Type, tc.acmeErr.Type) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) - assert.Equals(t, k.Status, tc.acmeErr.Status) - assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error()) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) + assert.Equals(t, ae.Type, tc.acmeErr.Type) + assert.Equals(t, ae.Detail, tc.acmeErr.Detail) + assert.Equals(t, ae.Status, tc.acmeErr.Status) + assert.Equals(t, ae.Err.Error(), tc.acmeErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.acmeErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.Equals(t, err.Error(), tc.err.Error()) } diff --git a/acme/db/nosql/nonce_test.go b/acme/db/nosql/nonce_test.go index 7dc5cc91..253731bf 100644 --- a/acme/db/nosql/nonce_test.go +++ b/acme/db/nosql/nonce_test.go @@ -146,16 +146,16 @@ func TestDB_DeleteNonce(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db} if err := d.DeleteNonce(context.Background(), acme.Nonce(nonceID)); err != nil { - switch k := err.(type) { - case *acme.Error: + var ae *acme.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.acmeErr) { - assert.Equals(t, k.Type, tc.acmeErr.Type) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) - assert.Equals(t, k.Status, tc.acmeErr.Status) - assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error()) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) + assert.Equals(t, ae.Type, tc.acmeErr.Type) + assert.Equals(t, ae.Detail, tc.acmeErr.Detail) + assert.Equals(t, ae.Status, tc.acmeErr.Status) + assert.Equals(t, ae.Err.Error(), tc.acmeErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.acmeErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } diff --git a/acme/db/nosql/order_test.go b/acme/db/nosql/order_test.go index e92eb684..cf22f094 100644 --- a/acme/db/nosql/order_test.go +++ b/acme/db/nosql/order_test.go @@ -80,7 +80,7 @@ func TestDB_getDBOrder(t *testing.T) { {Type: "dns", Value: "example.foo.com"}, }, AuthorizationIDs: []string{"foo", "bar"}, - Error: acme.NewError(acme.ErrorMalformedType, "force"), + Error: acme.NewError(acme.ErrorMalformedType, "The request message was malformed"), } b, err := json.Marshal(dbo) assert.FatalError(t, err) @@ -102,16 +102,16 @@ func TestDB_getDBOrder(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db} if dbo, err := d.getDBOrder(context.Background(), orderID); err != nil { - switch k := err.(type) { - case *acme.Error: + var ae *acme.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.acmeErr) { - assert.Equals(t, k.Type, tc.acmeErr.Type) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) - assert.Equals(t, k.Status, tc.acmeErr.Status) - assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error()) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) + assert.Equals(t, ae.Type, tc.acmeErr.Type) + assert.Equals(t, ae.Detail, tc.acmeErr.Detail) + assert.Equals(t, ae.Status, tc.acmeErr.Status) + assert.Equals(t, ae.Err.Error(), tc.acmeErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.acmeErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -185,7 +185,7 @@ func TestDB_GetOrder(t *testing.T) { {Type: "dns", Value: "example.foo.com"}, }, AuthorizationIDs: []string{"foo", "bar"}, - Error: acme.NewError(acme.ErrorMalformedType, "force"), + Error: acme.NewError(acme.ErrorMalformedType, "The request message was malformed"), } b, err := json.Marshal(dbo) assert.FatalError(t, err) @@ -206,16 +206,16 @@ func TestDB_GetOrder(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db} if o, err := d.GetOrder(context.Background(), orderID); err != nil { - switch k := err.(type) { - case *acme.Error: + var ae *acme.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.acmeErr) { - assert.Equals(t, k.Type, tc.acmeErr.Type) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) - assert.Equals(t, k.Status, tc.acmeErr.Status) - assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error()) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) + assert.Equals(t, ae.Type, tc.acmeErr.Type) + assert.Equals(t, ae.Detail, tc.acmeErr.Detail) + assert.Equals(t, ae.Status, tc.acmeErr.Status) + assert.Equals(t, ae.Err.Error(), tc.acmeErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.acmeErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -284,7 +284,7 @@ func TestDB_UpdateOrder(t *testing.T) { ID: orderID, Status: acme.StatusValid, CertificateID: "certID", - Error: acme.NewError(acme.ErrorMalformedType, "force"), + Error: acme.NewError(acme.ErrorMalformedType, "The request message was malformed"), } return test{ o: o, @@ -324,7 +324,7 @@ func TestDB_UpdateOrder(t *testing.T) { ID: orderID, Status: acme.StatusValid, CertificateID: "certID", - Error: acme.NewError(acme.ErrorMalformedType, "force"), + Error: acme.NewError(acme.ErrorMalformedType, "The request message was malformed"), } return test{ o: o, @@ -372,7 +372,7 @@ func TestDB_UpdateOrder(t *testing.T) { assert.Equals(t, tc.o.ID, dbo.ID) assert.Equals(t, tc.o.CertificateID, "certID") assert.Equals(t, tc.o.Status, acme.StatusValid) - assert.Equals(t, tc.o.Error.Error(), acme.NewError(acme.ErrorMalformedType, "force").Error()) + assert.Equals(t, tc.o.Error.Error(), acme.NewError(acme.ErrorMalformedType, "The request message was malformed").Error()) } } }) @@ -659,7 +659,7 @@ func TestDB_updateAddOrderIDs(t *testing.T) { assert.Equals(t, newdbo.ID, "foo") assert.Equals(t, newdbo.Status, acme.StatusInvalid) assert.Equals(t, newdbo.ExpiresAt, expiry) - assert.Equals(t, newdbo.Error.Error(), acme.NewError(acme.ErrorMalformedType, "order has expired").Error()) + assert.Equals(t, newdbo.Error.Error(), acme.NewError(acme.ErrorMalformedType, "The request message was malformed").Error()) return nil, false, errors.New("force") }, }, @@ -1003,16 +1003,16 @@ func TestDB_updateAddOrderIDs(t *testing.T) { } if err != nil { - switch k := err.(type) { - case *acme.Error: + var ae *acme.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.acmeErr) { - assert.Equals(t, k.Type, tc.acmeErr.Type) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) - assert.Equals(t, k.Status, tc.acmeErr.Status) - assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error()) - assert.Equals(t, k.Detail, tc.acmeErr.Detail) + assert.Equals(t, ae.Type, tc.acmeErr.Type) + assert.Equals(t, ae.Detail, tc.acmeErr.Detail) + assert.Equals(t, ae.Status, tc.acmeErr.Status) + assert.Equals(t, ae.Err.Error(), tc.acmeErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.acmeErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } diff --git a/acme/errors.go b/acme/errors.go index 05888c24..c7c6c2cf 100644 --- a/acme/errors.go +++ b/acme/errors.go @@ -17,6 +17,8 @@ const ( ErrorAccountDoesNotExistType ProblemType = iota // ErrorAlreadyRevokedType request specified a certificate to be revoked that has already been revoked ErrorAlreadyRevokedType + // ErrorBadAttestationStatementType WebAuthn attestation statement could not be verified + ErrorBadAttestationStatementType // ErrorBadCSRType CSR is unacceptable (e.g., due to a short key) ErrorBadCSRType // ErrorBadNonceType client sent an unacceptable anti-replay nonce @@ -172,6 +174,11 @@ var ( details: "The JWS was signed with an algorithm the server does not support", status: 400, }, + ErrorBadAttestationStatementType: { + typ: officialACMEPrefix + ErrorBadAttestationStatementType.String(), + details: "Attestation statement cannot be verified", + status: 400, + }, ErrorCaaType: { typ: officialACMEPrefix + ErrorCaaType.String(), details: "Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate", @@ -303,10 +310,11 @@ func NewErrorISE(msg string, args ...interface{}) *Error { // WrapError attempts to wrap the internal error. func WrapError(typ ProblemType, err error, msg string, args ...interface{}) *Error { - switch e := err.(type) { - case nil: + var e *Error + switch { + case err == nil: return nil - case *Error: + case errors.As(err, &e): if e.Err == nil { e.Err = errors.Errorf(msg+"; "+e.Detail, args...) } else { @@ -328,9 +336,12 @@ func (e *Error) StatusCode() int { return e.Status } -// Error allows AError to implement the error interface. +// Error implements the error interface. func (e *Error) Error() string { - return e.Detail + if e.Err == nil { + return e.Detail + } + return e.Err.Error() } // Cause returns the internal error and implements the Causer interface. diff --git a/acme/order.go b/acme/order.go index 1fa0809e..96c925f1 100644 --- a/acme/order.go +++ b/acme/order.go @@ -21,6 +21,9 @@ const ( IP IdentifierType = "ip" // DNS is the ACME dns identifier type DNS IdentifierType = "dns" + // PermanentIdentifier is the ACME permanent-identifier identifier type + // defined in https://datatracker.ietf.org/doc/html/draft-bweeks-acme-device-attest-00 + PermanentIdentifier IdentifierType = "permanent-identifier" ) // Identifier encodes the type that an order pertains to. @@ -124,6 +127,11 @@ func (o *Order) UpdateStatus(ctx context.Context, db DB) error { // Finalize signs a certificate if the necessary conditions for Order completion // have been met. +// +// TODO(mariano): Here or in the challenge validation we should perform some +// external validation using the identifier value and the attestation data. From +// a validation service we can get the list of SANs to set in the final +// certificate. func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateRequest, auth CertificateAuthority, p Provisioner) error { if err := o.UpdateStatus(ctx, db); err != nil { return err @@ -145,10 +153,39 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques // canonicalize the CSR to allow for comparison csr = canonicalize(csr) - // retrieve the requested SANs for the Order - sans, err := o.sans(csr) - if err != nil { - return err + // Template data + data := x509util.NewTemplateData() + data.SetCommonName(csr.Subject.CommonName) + + // Custom sign options passed to authority.Sign + var extraOptions []provisioner.SignOption + + // TODO: support for multiple identifiers? + var permanentIdentifier string + for i := range o.Identifiers { + if o.Identifiers[i].Type == PermanentIdentifier { + permanentIdentifier = o.Identifiers[i].Value + break + } + } + + var defaultTemplate string + if permanentIdentifier != "" { + defaultTemplate = x509util.DefaultAttestedLeafTemplate + data.SetSubjectAlternativeNames(x509util.SubjectAlternativeName{ + Type: x509util.PermanentIdentifierType, + Value: permanentIdentifier, + }) + extraOptions = append(extraOptions, provisioner.AttestationData{ + PermanentIdentifier: permanentIdentifier, + }) + } else { + defaultTemplate = x509util.DefaultLeafTemplate + sans, err := o.sans(csr) + if err != nil { + return err + } + data.SetSubjectAlternativeNames(sans...) } // Get authorizations from the ACME provisioner. @@ -158,16 +195,14 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques return WrapErrorISE(err, "error retrieving authorization options from ACME provisioner") } - // Template data - data := x509util.NewTemplateData() - data.SetCommonName(csr.Subject.CommonName) - data.Set(x509util.SANsKey, sans) - - templateOptions, err := provisioner.TemplateOptions(p.GetOptions(), data) + templateOptions, err := provisioner.CustomTemplateOptions(p.GetOptions(), data, defaultTemplate) if err != nil { return WrapErrorISE(err, "error creating template options from ACME provisioner") } + + // Build extra signing options. signOps = append(signOps, templateOptions) + signOps = append(signOps, extraOptions...) // Sign a new certificate. certChain, err := auth.Sign(csr, provisioner.SignOptions{ @@ -197,9 +232,7 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques } func (o *Order) sans(csr *x509.CertificateRequest) ([]x509util.SubjectAlternativeName, error) { - var sans []x509util.SubjectAlternativeName - if len(csr.EmailAddresses) > 0 || len(csr.URIs) > 0 { return sans, NewError(ErrorBadCSRType, "Only DNS names and IP addresses are allowed") } @@ -207,7 +240,8 @@ func (o *Order) sans(csr *x509.CertificateRequest) ([]x509util.SubjectAlternativ // order the DNS names and IP addresses, so that they can be compared against the canonicalized CSR orderNames := make([]string, numberOfIdentifierType(DNS, o.Identifiers)) orderIPs := make([]net.IP, numberOfIdentifierType(IP, o.Identifiers)) - indexDNS, indexIP := 0, 0 + orderPIDs := make([]string, numberOfIdentifierType(PermanentIdentifier, o.Identifiers)) + indexDNS, indexIP, indexPID := 0, 0, 0 for _, n := range o.Identifiers { switch n.Type { case DNS: @@ -216,6 +250,9 @@ func (o *Order) sans(csr *x509.CertificateRequest) ([]x509util.SubjectAlternativ case IP: orderIPs[indexIP] = net.ParseIP(n.Value) // NOTE: this assumes are all valid IPs at this time; or will result in nil entries indexIP++ + case PermanentIdentifier: + orderPIDs[indexPID] = n.Value + indexPID++ default: return sans, NewErrorISE("unsupported identifier type in order: %s", n.Type) } @@ -287,7 +324,6 @@ func numberOfIdentifierType(typ IdentifierType, ids []Identifier) int { // addresses or DNS names slice, depending on whether it can be parsed as an IP // or not. This might result in an additional SAN in the final certificate. func canonicalize(csr *x509.CertificateRequest) (canonicalized *x509.CertificateRequest) { - // for clarity only; we're operating on the same object by pointer canonicalized = csr diff --git a/acme/order_test.go b/acme/order_test.go index f1f28e40..606e9f71 100644 --- a/acme/order_test.go +++ b/acme/order_test.go @@ -247,14 +247,14 @@ func TestOrder_UpdateStatus(t *testing.T) { tc := run(t) if err := tc.o.UpdateStatus(context.Background(), tc.db); err != nil { if assert.NotNil(t, tc.err) { - switch k := err.(type) { - case *Error: + var k *Error + if errors.As(err, &k) { assert.Equals(t, k.Type, tc.err.Type) assert.Equals(t, k.Detail, tc.err.Detail) assert.Equals(t, k.Status, tc.err.Status) assert.Equals(t, k.Err.Error(), tc.err.Err.Error()) assert.Equals(t, k.Detail, tc.err.Detail) - default: + } else { assert.FatalError(t, errors.New("unexpected error type")) } } @@ -812,14 +812,14 @@ func TestOrder_Finalize(t *testing.T) { tc := run(t) if err := tc.o.Finalize(context.Background(), tc.db, tc.csr, tc.ca, tc.prov); err != nil { if assert.NotNil(t, tc.err) { - switch k := err.(type) { - case *Error: + var k *Error + if errors.As(err, &k) { assert.Equals(t, k.Type, tc.err.Type) assert.Equals(t, k.Detail, tc.err.Detail) assert.Equals(t, k.Status, tc.err.Status) assert.Equals(t, k.Err.Error(), tc.err.Err.Error()) assert.Equals(t, k.Detail, tc.err.Detail) - default: + } else { assert.FatalError(t, errors.New("unexpected error type")) } } @@ -1474,14 +1474,14 @@ func TestOrder_sans(t *testing.T) { t.Errorf("Order.sans() = %v, want error; got none", got) return } - switch k := err.(type) { - case *Error: + var k *Error + if errors.As(err, &k) { assert.Equals(t, k.Type, tt.err.Type) assert.Equals(t, k.Detail, tt.err.Detail) assert.Equals(t, k.Status, tt.err.Status) assert.Equals(t, k.Err.Error(), tt.err.Err.Error()) assert.Equals(t, k.Detail, tt.err.Detail) - default: + } else { assert.FatalError(t, errors.New("unexpected error type")) } return diff --git a/api/api.go b/api/api.go index bf5c8632..fda27c42 100644 --- a/api/api.go +++ b/api/api.go @@ -3,7 +3,7 @@ package api import ( "context" "crypto" - "crypto/dsa" //nolint + "crypto/dsa" //nolint:staticcheck // support legacy algorithms "crypto/ecdsa" "crypto/ed25519" "crypto/rsa" diff --git a/api/log/log.go b/api/log/log.go index e5c8c45a..dc030c39 100644 --- a/api/log/log.go +++ b/api/log/log.go @@ -38,14 +38,10 @@ func Error(rw http.ResponseWriter, err error) { return } - e, ok := err.(StackTracedError) - if !ok { - e, ok = errors.Cause(err).(StackTracedError) - } - - if ok { + var st StackTracedError + if !errors.As(err, &st) { rl.WithFields(map[string]interface{}{ - "stack-trace": fmt.Sprintf("%+v", e.StackTrace()), + "stack-trace": fmt.Sprintf("%+v", st.StackTrace()), }) } } diff --git a/api/read/read_test.go b/api/read/read_test.go index 72100584..e46e7f61 100644 --- a/api/read/read_test.go +++ b/api/read/read_test.go @@ -41,8 +41,8 @@ func TestJSON(t *testing.T) { } if tt.wantErr { - e, ok := err.(*errs.Error) - if ok { + var e *errs.Error + if errors.As(err, &e) { if code := e.StatusCode(); code != 400 { t.Errorf("error.StatusCode() = %v, wants 400", code) } @@ -102,14 +102,15 @@ func TestProtoJSON(t *testing.T) { } if tt.wantErr { - switch err.(type) { - case badProtoJSONError: + var ( + ee *errs.Error + bpe badProtoJSONError + ) + switch { + case errors.As(err, &bpe): assert.Contains(t, err.Error(), "syntax error") - case *errs.Error: - var ee *errs.Error - if errors.As(err, &ee) { - assert.Equal(t, http.StatusBadRequest, ee.Status) - } + case errors.As(err, &ee): + assert.Equal(t, http.StatusBadRequest, ee.Status) } return } diff --git a/api/render/render.go b/api/render/render.go index 9df4c791..81a7a02e 100644 --- a/api/render/render.go +++ b/api/render/render.go @@ -4,6 +4,7 @@ package render import ( "bytes" "encoding/json" + "errors" "net/http" "google.golang.org/protobuf/encoding/protojson" @@ -77,8 +78,9 @@ type RenderableError interface { func Error(w http.ResponseWriter, err error) { log.Error(w, err) - if e, ok := err.(RenderableError); ok { - e.Render(w) + var r RenderableError + if errors.As(err, &r) { + r.Render(w) return } @@ -105,17 +107,18 @@ func statusCodeFromError(err error) (code int) { } for err != nil { - if sc, ok := err.(StatusCodedError); ok { + var sc StatusCodedError + if errors.As(err, &sc) { code = sc.StatusCode() break } - cause, ok := err.(causer) - if !ok { + var c causer + if !errors.As(err, &c) { break } - err = cause.Cause() + err = c.Cause() } return diff --git a/api/renew.go b/api/renew.go index 6e9f680f..3cfd5fdf 100644 --- a/api/renew.go +++ b/api/renew.go @@ -17,6 +17,7 @@ const ( // Renew uses the information of certificate in the TLS connection to create a // new one. func Renew(w http.ResponseWriter, r *http.Request) { + //nolint:contextcheck // the reqest has the context cert, err := getPeerCertificate(r) if err != nil { render.Error(w, err) diff --git a/api/revoke_test.go b/api/revoke_test.go index 0955244e..763986b0 100644 --- a/api/revoke_test.go +++ b/api/revoke_test.go @@ -62,12 +62,12 @@ func TestRevokeRequestValidate(t *testing.T) { for name, tc := range tests { t.Run(name, func(t *testing.T) { if err := tc.rr.Validate(); err != nil { - switch v := err.(type) { - case *errs.Error: - assert.HasPrefix(t, v.Error(), tc.err.Error()) - assert.Equals(t, v.StatusCode(), tc.err.Status) - default: - t.Errorf("unexpected error type: %T", v) + var ee *errs.Error + if errors.As(err, &ee) { + assert.HasPrefix(t, ee.Error(), tc.err.Error()) + assert.Equals(t, ee.StatusCode(), tc.err.Status) + } else { + t.Errorf("unexpected error type: %T", err) } } else { assert.Nil(t, tc.err) diff --git a/api/sshRekey.go b/api/sshRekey.go index 6c0a5064..977c4719 100644 --- a/api/sshRekey.go +++ b/api/sshRekey.go @@ -83,6 +83,7 @@ func SSHRekey(w http.ResponseWriter, r *http.Request) { notBefore := time.Unix(int64(oldCert.ValidAfter), 0) notAfter := time.Unix(int64(oldCert.ValidBefore), 0) + //nolint:contextcheck // the reqest has the context identity, err := renewIdentityCertificate(r, notBefore, notAfter) if err != nil { render.Error(w, errs.ForbiddenErr(err, "error renewing identity certificate")) diff --git a/api/sshRenew.go b/api/sshRenew.go index 4e4d0b04..456be3f6 100644 --- a/api/sshRenew.go +++ b/api/sshRenew.go @@ -75,6 +75,7 @@ func SSHRenew(w http.ResponseWriter, r *http.Request) { notBefore := time.Unix(int64(oldCert.ValidAfter), 0) notAfter := time.Unix(int64(oldCert.ValidBefore), 0) + //nolint:contextcheck // the reqest has the context identity, err := renewIdentityCertificate(r, notBefore, notAfter) if err != nil { render.Error(w, errs.ForbiddenErr(err, "error renewing identity certificate")) diff --git a/authority/admin/api/acme.go b/authority/admin/api/acme.go index db393e9a..0ce8d4d7 100644 --- a/authority/admin/api/acme.go +++ b/authority/admin/api/acme.go @@ -84,7 +84,6 @@ func (h *acmeAdminResponder) DeleteExternalAccountKey(w http.ResponseWriter, r * } func eakToLinked(k *acme.ExternalAccountKey) *linkedca.EABKey { - if k == nil { return nil } diff --git a/authority/admin/api/admin_test.go b/authority/admin/api/admin_test.go index ecb95244..3d4cdd9c 100644 --- a/authority/admin/api/admin_test.go +++ b/authority/admin/api/admin_test.go @@ -229,11 +229,13 @@ func TestCreateAdminRequest_Validate(t *testing.T) { if err != nil { assert.Type(t, &admin.Error{}, err) - adminErr, _ := err.(*admin.Error) - assert.Equals(t, tt.err.Type, adminErr.Type) - assert.Equals(t, tt.err.Detail, adminErr.Detail) - assert.Equals(t, tt.err.Status, adminErr.Status) - assert.Equals(t, tt.err.Message, adminErr.Message) + var adminErr *admin.Error + if assert.True(t, errors.As(err, &adminErr)) { + assert.Equals(t, tt.err.Type, adminErr.Type) + assert.Equals(t, tt.err.Detail, adminErr.Detail) + assert.Equals(t, tt.err.Status, adminErr.Status) + assert.Equals(t, tt.err.Message, adminErr.Message) + } } }) } @@ -278,11 +280,13 @@ func TestUpdateAdminRequest_Validate(t *testing.T) { if err != nil { assert.Type(t, &admin.Error{}, err) - adminErr, _ := err.(*admin.Error) - assert.Equals(t, tt.err.Type, adminErr.Type) - assert.Equals(t, tt.err.Detail, adminErr.Detail) - assert.Equals(t, tt.err.Status, adminErr.Status) - assert.Equals(t, tt.err.Message, adminErr.Message) + var ae *admin.Error + if assert.True(t, errors.As(err, &ae)) { + assert.Equals(t, tt.err.Type, ae.Type) + assert.Equals(t, tt.err.Detail, ae.Detail) + assert.Equals(t, tt.err.Status, ae.Status) + assert.Equals(t, tt.err.Message, ae.Message) + } } }) } diff --git a/authority/admin/api/middleware.go b/authority/admin/api/middleware.go index 780cfb65..3c1b040a 100644 --- a/authority/admin/api/middleware.go +++ b/authority/admin/api/middleware.go @@ -30,7 +30,6 @@ func requireAPIEnabled(next http.HandlerFunc) http.HandlerFunc { // extractAuthorizeTokenAdmin is a middleware that extracts and caches the bearer token. func extractAuthorizeTokenAdmin(next http.HandlerFunc) http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { - tok := r.Header.Get("Authorization") if tok == "" { render.Error(w, admin.NewError(admin.ErrorUnauthorizedType, diff --git a/authority/admin/api/policy.go b/authority/admin/api/policy.go index a478c83c..89744893 100644 --- a/authority/admin/api/policy.go +++ b/authority/admin/api/policy.go @@ -50,7 +50,8 @@ func (par *policyAdminResponder) GetAuthorityPolicy(w http.ResponseWriter, r *ht auth := mustAuthority(ctx) authorityPolicy, err := auth.GetAuthorityPolicy(r.Context()) - if ae, ok := err.(*admin.Error); ok && !ae.IsType(admin.ErrorNotFoundType) { + var ae *admin.Error + if errors.As(err, &ae) && !ae.IsType(admin.ErrorNotFoundType) { render.Error(w, admin.WrapErrorISE(ae, "error retrieving authority policy")) return } @@ -74,7 +75,8 @@ func (par *policyAdminResponder) CreateAuthorityPolicy(w http.ResponseWriter, r auth := mustAuthority(ctx) authorityPolicy, err := auth.GetAuthorityPolicy(ctx) - if ae, ok := err.(*admin.Error); ok && !ae.IsType(admin.ErrorNotFoundType) { + var ae *admin.Error + if errors.As(err, &ae) && !ae.IsType(admin.ErrorNotFoundType) { render.Error(w, admin.WrapErrorISE(err, "error retrieving authority policy")) return } @@ -125,7 +127,8 @@ func (par *policyAdminResponder) UpdateAuthorityPolicy(w http.ResponseWriter, r auth := mustAuthority(ctx) authorityPolicy, err := auth.GetAuthorityPolicy(ctx) - if ae, ok := err.(*admin.Error); ok && !ae.IsType(admin.ErrorNotFoundType) { + var ae *admin.Error + if errors.As(err, &ae) && !ae.IsType(admin.ErrorNotFoundType) { render.Error(w, admin.WrapErrorISE(err, "error retrieving authority policy")) return } @@ -175,7 +178,8 @@ func (par *policyAdminResponder) DeleteAuthorityPolicy(w http.ResponseWriter, r auth := mustAuthority(ctx) authorityPolicy, err := auth.GetAuthorityPolicy(ctx) - if ae, ok := err.(*admin.Error); ok && !ae.IsType(admin.ErrorNotFoundType) { + var ae *admin.Error + if errors.As(err, &ae) && !ae.IsType(admin.ErrorNotFoundType) { render.Error(w, admin.WrapErrorISE(ae, "error retrieving authority policy")) return } @@ -468,7 +472,6 @@ func isBadRequest(err error) bool { } func validatePolicy(p *linkedca.Policy) error { - // convert the policy; return early if nil options := policy.LinkedToCertificates(p) if options == nil { diff --git a/authority/admin/db/nosql/admin.go b/authority/admin/db/nosql/admin.go index 6bb6bdd1..c0f90c2f 100644 --- a/authority/admin/db/nosql/admin.go +++ b/authority/admin/db/nosql/admin.go @@ -111,14 +111,14 @@ func (db *DB) GetAdmins(ctx context.Context) ([]*linkedca.Admin, error) { for _, entry := range dbEntries { adm, err := db.unmarshalAdmin(entry.Value, string(entry.Key)) if err != nil { - switch k := err.(type) { - case *admin.Error: - if k.IsType(admin.ErrorDeletedType) || k.IsType(admin.ErrorAuthorityMismatchType) { + var ae *admin.Error + if errors.As(err, &ae) { + if ae.IsType(admin.ErrorDeletedType) || ae.IsType(admin.ErrorAuthorityMismatchType) { continue } else { return nil, err } - default: + } else { return nil, err } } diff --git a/authority/admin/db/nosql/admin_test.go b/authority/admin/db/nosql/admin_test.go index 2631b68c..9961d7f5 100644 --- a/authority/admin/db/nosql/admin_test.go +++ b/authority/admin/db/nosql/admin_test.go @@ -68,16 +68,16 @@ func TestDB_getDBAdminBytes(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db} if b, err := d.getDBAdminBytes(context.Background(), adminID); err != nil { - switch k := err.(type) { - case *admin.Error: + var ae *admin.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.adminErr) { - assert.Equals(t, k.Type, tc.adminErr.Type) - assert.Equals(t, k.Detail, tc.adminErr.Detail) - assert.Equals(t, k.Status, tc.adminErr.Status) - assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error()) - assert.Equals(t, k.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Type, tc.adminErr.Type) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Status, tc.adminErr.Status) + assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -192,16 +192,16 @@ func TestDB_getDBAdmin(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID} if dba, err := d.getDBAdmin(context.Background(), adminID); err != nil { - switch k := err.(type) { - case *admin.Error: + var ae *admin.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.adminErr) { - assert.Equals(t, k.Type, tc.adminErr.Type) - assert.Equals(t, k.Detail, tc.adminErr.Detail) - assert.Equals(t, k.Status, tc.adminErr.Status) - assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error()) - assert.Equals(t, k.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Type, tc.adminErr.Type) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Status, tc.adminErr.Status) + assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -280,16 +280,16 @@ func TestDB_unmarshalDBAdmin(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{authorityID: admin.DefaultAuthorityID} if dba, err := d.unmarshalDBAdmin(tc.in, adminID); err != nil { - switch k := err.(type) { - case *admin.Error: + var ae *admin.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.adminErr) { - assert.Equals(t, k.Type, tc.adminErr.Type) - assert.Equals(t, k.Detail, tc.adminErr.Detail) - assert.Equals(t, k.Status, tc.adminErr.Status) - assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error()) - assert.Equals(t, k.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Type, tc.adminErr.Type) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Status, tc.adminErr.Status) + assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -355,16 +355,16 @@ func TestDB_unmarshalAdmin(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{authorityID: admin.DefaultAuthorityID} if adm, err := d.unmarshalAdmin(tc.in, adminID); err != nil { - switch k := err.(type) { - case *admin.Error: + var ae *admin.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.adminErr) { - assert.Equals(t, k.Type, tc.adminErr.Type) - assert.Equals(t, k.Detail, tc.adminErr.Detail) - assert.Equals(t, k.Status, tc.adminErr.Status) - assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error()) - assert.Equals(t, k.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Type, tc.adminErr.Type) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Status, tc.adminErr.Status) + assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -509,16 +509,16 @@ func TestDB_GetAdmin(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID} if adm, err := d.GetAdmin(context.Background(), adminID); err != nil { - switch k := err.(type) { - case *admin.Error: + var ae *admin.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.adminErr) { - assert.Equals(t, k.Type, tc.adminErr.Type) - assert.Equals(t, k.Detail, tc.adminErr.Detail) - assert.Equals(t, k.Status, tc.adminErr.Status) - assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error()) - assert.Equals(t, k.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Type, tc.adminErr.Type) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Status, tc.adminErr.Status) + assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -661,16 +661,16 @@ func TestDB_DeleteAdmin(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID} if err := d.DeleteAdmin(context.Background(), adminID); err != nil { - switch k := err.(type) { - case *admin.Error: + var ae *admin.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.adminErr) { - assert.Equals(t, k.Type, tc.adminErr.Type) - assert.Equals(t, k.Detail, tc.adminErr.Detail) - assert.Equals(t, k.Status, tc.adminErr.Status) - assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error()) - assert.Equals(t, k.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Type, tc.adminErr.Type) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Status, tc.adminErr.Status) + assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -812,16 +812,16 @@ func TestDB_UpdateAdmin(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID} if err := d.UpdateAdmin(context.Background(), tc.adm); err != nil { - switch k := err.(type) { - case *admin.Error: + var ae *admin.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.adminErr) { - assert.Equals(t, k.Type, tc.adminErr.Type) - assert.Equals(t, k.Detail, tc.adminErr.Detail) - assert.Equals(t, k.Status, tc.adminErr.Status) - assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error()) - assert.Equals(t, k.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Type, tc.adminErr.Type) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Status, tc.adminErr.Status) + assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -910,16 +910,16 @@ func TestDB_CreateAdmin(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID} if err := d.CreateAdmin(context.Background(), tc.adm); err != nil { - switch k := err.(type) { - case *admin.Error: + var ae *admin.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.adminErr) { - assert.Equals(t, k.Type, tc.adminErr.Type) - assert.Equals(t, k.Detail, tc.adminErr.Detail) - assert.Equals(t, k.Status, tc.adminErr.Status) - assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error()) - assert.Equals(t, k.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Type, tc.adminErr.Type) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Status, tc.adminErr.Status) + assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -1086,16 +1086,16 @@ func TestDB_GetAdmins(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID} if admins, err := d.GetAdmins(context.Background()); err != nil { - switch k := err.(type) { - case *admin.Error: + var ae *admin.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.adminErr) { - assert.Equals(t, k.Type, tc.adminErr.Type) - assert.Equals(t, k.Detail, tc.adminErr.Detail) - assert.Equals(t, k.Status, tc.adminErr.Status) - assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error()) - assert.Equals(t, k.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Type, tc.adminErr.Type) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Status, tc.adminErr.Status) + assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } diff --git a/authority/admin/db/nosql/policy.go b/authority/admin/db/nosql/policy.go index d4f2e9f9..3023a3f6 100644 --- a/authority/admin/db/nosql/policy.go +++ b/authority/admin/db/nosql/policy.go @@ -83,6 +83,7 @@ func (db *DB) getDBAuthorityPolicyBytes(ctx context.Context, authorityID string) func (db *DB) unmarshalDBAuthorityPolicy(data []byte) (*dbAuthorityPolicy, error) { if len(data) == 0 { + //nolint:nilnil // legacy return nil, nil } var dba = new(dbAuthorityPolicy) @@ -102,6 +103,7 @@ func (db *DB) getDBAuthorityPolicy(ctx context.Context, authorityID string) (*db return nil, err } if dbap == nil { + //nolint:nilnil // legacy return nil, nil } if dbap.AuthorityID != authorityID { @@ -112,7 +114,6 @@ func (db *DB) getDBAuthorityPolicy(ctx context.Context, authorityID string) (*db } func (db *DB) CreateAuthorityPolicy(ctx context.Context, policy *linkedca.Policy) error { - dbap := &dbAuthorityPolicy{ ID: db.authorityID, AuthorityID: db.authorityID, @@ -228,7 +229,6 @@ func dbToLinked(p *dbPolicy) *linkedca.Policy { } func linkedToDB(p *linkedca.Policy) *dbPolicy { - if p == nil { return nil } diff --git a/authority/admin/db/nosql/policy_test.go b/authority/admin/db/nosql/policy_test.go index 3ffded6b..84f02a1d 100644 --- a/authority/admin/db/nosql/policy_test.go +++ b/authority/admin/db/nosql/policy_test.go @@ -72,16 +72,16 @@ func TestDB_getDBAuthorityPolicyBytes(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db} if b, err := d.getDBAuthorityPolicyBytes(tc.ctx, tc.authorityID); err != nil { - switch k := err.(type) { - case *admin.Error: + var ae *admin.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.adminErr) { - assert.Equals(t, k.Type, tc.adminErr.Type) - assert.Equals(t, k.Detail, tc.adminErr.Detail) - assert.Equals(t, k.Status, tc.adminErr.Status) - assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error()) - assert.Equals(t, k.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Type, tc.adminErr.Type) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Status, tc.adminErr.Status) + assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -208,16 +208,16 @@ func TestDB_getDBAuthorityPolicy(t *testing.T) { dbp, err := d.getDBAuthorityPolicy(tc.ctx, tc.authorityID) switch { case err != nil: - switch k := err.(type) { - case *admin.Error: + var ae *admin.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.adminErr) { - assert.Equals(t, k.Type, tc.adminErr.Type) - assert.Equals(t, k.Detail, tc.adminErr.Detail) - assert.Equals(t, k.Status, tc.adminErr.Status) - assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error()) - assert.Equals(t, k.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Type, tc.adminErr.Type) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Status, tc.adminErr.Status) + assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -309,16 +309,16 @@ func TestDB_CreateAuthorityPolicy(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db, authorityID: tc.authorityID} if err := d.CreateAuthorityPolicy(tc.ctx, tc.policy); err != nil { - switch k := err.(type) { - case *admin.Error: + var ae *admin.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.adminErr) { - assert.Equals(t, k.Type, tc.adminErr.Type) - assert.Equals(t, k.Detail, tc.adminErr.Detail) - assert.Equals(t, k.Status, tc.adminErr.Status) - assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error()) - assert.Equals(t, k.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Type, tc.adminErr.Type) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Status, tc.adminErr.Status) + assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -406,16 +406,16 @@ func TestDB_GetAuthorityPolicy(t *testing.T) { d := DB{db: tc.db, authorityID: tc.authorityID} got, err := d.GetAuthorityPolicy(tc.ctx) if err != nil { - switch k := err.(type) { - case *admin.Error: + var ae *admin.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.adminErr) { - assert.Equals(t, k.Type, tc.adminErr.Type) - assert.Equals(t, k.Detail, tc.adminErr.Detail) - assert.Equals(t, k.Status, tc.adminErr.Status) - assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error()) - assert.Equals(t, k.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Type, tc.adminErr.Type) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Status, tc.adminErr.Status) + assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -578,16 +578,16 @@ func TestDB_UpdateAuthorityPolicy(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db, authorityID: tc.authorityID} if err := d.UpdateAuthorityPolicy(tc.ctx, tc.policy); err != nil { - switch k := err.(type) { - case *admin.Error: + var ae *admin.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.adminErr) { - assert.Equals(t, k.Type, tc.adminErr.Type) - assert.Equals(t, k.Detail, tc.adminErr.Detail) - assert.Equals(t, k.Status, tc.adminErr.Status) - assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error()) - assert.Equals(t, k.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Type, tc.adminErr.Type) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Status, tc.adminErr.Status) + assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -718,16 +718,16 @@ func TestDB_DeleteAuthorityPolicy(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db, authorityID: tc.authorityID} if err := d.DeleteAuthorityPolicy(tc.ctx); err != nil { - switch k := err.(type) { - case *admin.Error: + var ae *admin.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.adminErr) { - assert.Equals(t, k.Type, tc.adminErr.Type) - assert.Equals(t, k.Detail, tc.adminErr.Detail) - assert.Equals(t, k.Status, tc.adminErr.Status) - assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error()) - assert.Equals(t, k.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Type, tc.adminErr.Type) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Status, tc.adminErr.Status) + assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } diff --git a/authority/admin/db/nosql/provisioner.go b/authority/admin/db/nosql/provisioner.go index 71d9c8d6..c82d4afe 100644 --- a/authority/admin/db/nosql/provisioner.go +++ b/authority/admin/db/nosql/provisioner.go @@ -122,14 +122,14 @@ func (db *DB) GetProvisioners(ctx context.Context) ([]*linkedca.Provisioner, err for _, entry := range dbEntries { prov, err := db.unmarshalProvisioner(entry.Value, string(entry.Key)) if err != nil { - switch k := err.(type) { - case *admin.Error: - if k.IsType(admin.ErrorDeletedType) || k.IsType(admin.ErrorAuthorityMismatchType) { + var ae *admin.Error + if errors.As(err, &ae) { + if ae.IsType(admin.ErrorDeletedType) || ae.IsType(admin.ErrorAuthorityMismatchType) { continue } else { return nil, err } - default: + } else { return nil, err } } diff --git a/authority/admin/db/nosql/provisioner_test.go b/authority/admin/db/nosql/provisioner_test.go index a399558a..c5caf696 100644 --- a/authority/admin/db/nosql/provisioner_test.go +++ b/authority/admin/db/nosql/provisioner_test.go @@ -67,16 +67,16 @@ func TestDB_getDBProvisionerBytes(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db} if b, err := d.getDBProvisionerBytes(context.Background(), provID); err != nil { - switch k := err.(type) { - case *admin.Error: + var ae *admin.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.adminErr) { - assert.Equals(t, k.Type, tc.adminErr.Type) - assert.Equals(t, k.Detail, tc.adminErr.Detail) - assert.Equals(t, k.Status, tc.adminErr.Status) - assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error()) - assert.Equals(t, k.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Type, tc.adminErr.Type) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Status, tc.adminErr.Status) + assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -189,16 +189,16 @@ func TestDB_getDBProvisioner(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID} if dbp, err := d.getDBProvisioner(context.Background(), provID); err != nil { - switch k := err.(type) { - case *admin.Error: + var ae *admin.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.adminErr) { - assert.Equals(t, k.Type, tc.adminErr.Type) - assert.Equals(t, k.Detail, tc.adminErr.Detail) - assert.Equals(t, k.Status, tc.adminErr.Status) - assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error()) - assert.Equals(t, k.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Type, tc.adminErr.Type) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Status, tc.adminErr.Status) + assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -275,16 +275,16 @@ func TestDB_unmarshalDBProvisioner(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{authorityID: admin.DefaultAuthorityID} if dbp, err := d.unmarshalDBProvisioner(tc.in, provID); err != nil { - switch k := err.(type) { - case *admin.Error: + var ae *admin.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.adminErr) { - assert.Equals(t, k.Type, tc.adminErr.Type) - assert.Equals(t, k.Detail, tc.adminErr.Detail) - assert.Equals(t, k.Status, tc.adminErr.Status) - assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error()) - assert.Equals(t, k.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Type, tc.adminErr.Type) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Status, tc.adminErr.Status) + assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -397,16 +397,16 @@ func TestDB_unmarshalProvisioner(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{authorityID: admin.DefaultAuthorityID} if prov, err := d.unmarshalProvisioner(tc.in, provID); err != nil { - switch k := err.(type) { - case *admin.Error: + var ae *admin.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.adminErr) { - assert.Equals(t, k.Type, tc.adminErr.Type) - assert.Equals(t, k.Detail, tc.adminErr.Detail) - assert.Equals(t, k.Status, tc.adminErr.Status) - assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error()) - assert.Equals(t, k.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Type, tc.adminErr.Type) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Status, tc.adminErr.Status) + assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -535,16 +535,16 @@ func TestDB_GetProvisioner(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID} if prov, err := d.GetProvisioner(context.Background(), provID); err != nil { - switch k := err.(type) { - case *admin.Error: + var ae *admin.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.adminErr) { - assert.Equals(t, k.Type, tc.adminErr.Type) - assert.Equals(t, k.Detail, tc.adminErr.Detail) - assert.Equals(t, k.Status, tc.adminErr.Status) - assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error()) - assert.Equals(t, k.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Type, tc.adminErr.Type) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Status, tc.adminErr.Status) + assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -683,16 +683,16 @@ func TestDB_DeleteProvisioner(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID} if err := d.DeleteProvisioner(context.Background(), provID); err != nil { - switch k := err.(type) { - case *admin.Error: + var ae *admin.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.adminErr) { - assert.Equals(t, k.Type, tc.adminErr.Type) - assert.Equals(t, k.Detail, tc.adminErr.Detail) - assert.Equals(t, k.Status, tc.adminErr.Status) - assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error()) - assert.Equals(t, k.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Type, tc.adminErr.Type) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Status, tc.adminErr.Status) + assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -844,16 +844,16 @@ func TestDB_GetProvisioners(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID} if provs, err := d.GetProvisioners(context.Background()); err != nil { - switch k := err.(type) { - case *admin.Error: + var ae *admin.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.adminErr) { - assert.Equals(t, k.Type, tc.adminErr.Type) - assert.Equals(t, k.Detail, tc.adminErr.Detail) - assert.Equals(t, k.Status, tc.adminErr.Status) - assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error()) - assert.Equals(t, k.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Type, tc.adminErr.Type) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Status, tc.adminErr.Status) + assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -952,16 +952,16 @@ func TestDB_CreateProvisioner(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID} if err := d.CreateProvisioner(context.Background(), tc.prov); err != nil { - switch k := err.(type) { - case *admin.Error: + var ae *admin.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.adminErr) { - assert.Equals(t, k.Type, tc.adminErr.Type) - assert.Equals(t, k.Detail, tc.adminErr.Detail) - assert.Equals(t, k.Status, tc.adminErr.Status) - assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error()) - assert.Equals(t, k.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Type, tc.adminErr.Type) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Status, tc.adminErr.Status) + assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -1188,16 +1188,16 @@ func TestDB_UpdateProvisioner(t *testing.T) { t.Run(name, func(t *testing.T) { d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID} if err := d.UpdateProvisioner(context.Background(), tc.prov); err != nil { - switch k := err.(type) { - case *admin.Error: + var ae *admin.Error + if errors.As(err, &ae) { if assert.NotNil(t, tc.adminErr) { - assert.Equals(t, k.Type, tc.adminErr.Type) - assert.Equals(t, k.Detail, tc.adminErr.Detail) - assert.Equals(t, k.Status, tc.adminErr.Status) - assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error()) - assert.Equals(t, k.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Type, tc.adminErr.Type) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) + assert.Equals(t, ae.Status, tc.adminErr.Status) + assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error()) + assert.Equals(t, ae.Detail, tc.adminErr.Detail) } - default: + } else { if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) } diff --git a/authority/admin/errors.go b/authority/admin/errors.go index 2cf0c0e5..c729c8b2 100644 --- a/authority/admin/errors.go +++ b/authority/admin/errors.go @@ -156,16 +156,17 @@ func NewErrorISE(msg string, args ...interface{}) *Error { // WrapError attempts to wrap the internal error. func WrapError(typ ProblemType, err error, msg string, args ...interface{}) *Error { - switch e := err.(type) { - case nil: + var ee *Error + switch { + case err == nil: return nil - case *Error: - if e.Err == nil { - e.Err = errors.Errorf(msg+"; "+e.Detail, args...) + case errors.As(err, &ee): + if ee.Err == nil { + ee.Err = errors.Errorf(msg+"; "+ee.Detail, args...) } else { - e.Err = errors.Wrapf(e.Err, msg, args...) + ee.Err = errors.Wrapf(ee.Err, msg, args...) } - return e + return ee default: return newError(typ, errors.Wrapf(err, msg, args...)) } diff --git a/authority/authority.go b/authority/authority.go index 1b2faf4b..ede13269 100644 --- a/authority/authority.go +++ b/authority/authority.go @@ -1,6 +1,7 @@ package authority import ( + "bytes" "context" "crypto" "crypto/sha256" @@ -25,6 +26,7 @@ import ( adminDBNosql "github.com/smallstep/certificates/authority/admin/db/nosql" "github.com/smallstep/certificates/authority/administrator" "github.com/smallstep/certificates/authority/config" + "github.com/smallstep/certificates/authority/internal/constraints" "github.com/smallstep/certificates/authority/policy" "github.com/smallstep/certificates/authority/provisioner" "github.com/smallstep/certificates/cas" @@ -47,14 +49,15 @@ type Authority struct { linkedCAToken string // X509 CA - password []byte - issuerPassword []byte - x509CAService cas.CertificateAuthorityService - rootX509Certs []*x509.Certificate - rootX509CertPool *x509.CertPool - federatedX509Certs []*x509.Certificate - certificates *sync.Map - x509Enforcers []provisioner.CertificateEnforcer + password []byte + issuerPassword []byte + x509CAService cas.CertificateAuthorityService + rootX509Certs []*x509.Certificate + rootX509CertPool *x509.CertPool + federatedX509Certs []*x509.Certificate + intermediateX509Certs []*x509.Certificate + certificates *sync.Map + x509Enforcers []provisioner.CertificateEnforcer // SCEP CA scepService *scep.Service @@ -85,8 +88,9 @@ type Authority struct { authorizeRenewFunc provisioner.AuthorizeRenewFunc authorizeSSHRenewFunc provisioner.AuthorizeSSHRenewFunc - // Policy engines - policyEngine *policy.Engine + // Constraints and Policy engines + constraintsEngine *constraints.Engine + policyEngine *policy.Engine adminMutex sync.RWMutex @@ -373,11 +377,17 @@ func (a *Authority) init() error { } options.Signer, err = a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{ SigningKey: a.config.IntermediateKey, - Password: []byte(a.password), + Password: a.password, }) if err != nil { return err } + // If not defined with an option, add intermediates to the list of + // certificates used for name constraints validation at issuance + // time. + if len(a.intermediateX509Certs) == 0 { + a.intermediateX509Certs = append(a.intermediateX509Certs, options.CertificateChain...) + } } a.x509CAService, err = cas.New(ctx, options) if err != nil { @@ -439,7 +449,7 @@ func (a *Authority) init() error { if a.config.SSH.HostKey != "" { signer, err := a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{ SigningKey: a.config.SSH.HostKey, - Password: []byte(a.sshHostPassword), + Password: a.sshHostPassword, }) if err != nil { return err @@ -465,7 +475,7 @@ func (a *Authority) init() error { if a.config.SSH.UserKey != "" { signer, err := a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{ SigningKey: a.config.SSH.UserKey, - Password: []byte(a.sshUserPassword), + Password: a.sshUserPassword, }) if err != nil { return err @@ -550,7 +560,7 @@ func (a *Authority) init() error { options.CertificateChain = append(options.CertificateChain, a.rootX509Certs...) options.Signer, err = a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{ SigningKey: a.config.IntermediateKey, - Password: []byte(a.password), + Password: a.password, }) if err != nil { return err @@ -559,7 +569,7 @@ func (a *Authority) init() error { if km, ok := a.keyManager.(kmsapi.Decrypter); ok { options.Decrypter, err = km.CreateDecrypter(&kmsapi.CreateDecrypterRequest{ DecryptionKey: a.config.IntermediateKey, - Password: []byte(a.password), + Password: a.password, }) if err != nil { return err @@ -615,6 +625,21 @@ func (a *Authority) init() error { return err } + // Load X509 constraints engine. + // + // This is currently only available in CA mode. + if size := len(a.intermediateX509Certs); size > 0 { + last := a.intermediateX509Certs[size-1] + constraintCerts := make([]*x509.Certificate, 0, size+1) + constraintCerts = append(constraintCerts, a.intermediateX509Certs...) + for _, root := range a.rootX509Certs { + if bytes.Equal(last.RawIssuer, root.RawSubject) && bytes.Equal(last.AuthorityKeyId, root.SubjectKeyId) { + constraintCerts = append(constraintCerts, root) + } + } + a.constraintsEngine = constraints.New(constraintCerts...) + } + // Load x509 and SSH Policy Engines if err := a.reloadPolicyEngines(ctx); err != nil { return err diff --git a/authority/authorize.go b/authority/authorize.go index 91f1b3cb..44956cbd 100644 --- a/authority/authorize.go +++ b/authority/authorize.go @@ -12,6 +12,7 @@ import ( "strings" "time" + "github.com/pkg/errors" "github.com/smallstep/certificates/authority/admin" "github.com/smallstep/certificates/authority/provisioner" "github.com/smallstep/certificates/errs" @@ -416,16 +417,16 @@ func (a *Authority) AuthorizeRenewToken(ctx context.Context, ott string) (*x509. Subject: leaf.Subject.CommonName, Time: time.Now().UTC(), }, time.Minute); err != nil { - switch err { - case jose.ErrInvalidIssuer: + switch { + case errors.Is(err, jose.ErrInvalidIssuer): return nil, errs.UnauthorizedErr(err, errs.WithMessage("error validating renew token: invalid issuer claim (iss)")) - case jose.ErrInvalidSubject: + case errors.Is(err, jose.ErrInvalidSubject): return nil, errs.UnauthorizedErr(err, errs.WithMessage("error validating renew token: invalid subject claim (sub)")) - case jose.ErrNotValidYet: + case errors.Is(err, jose.ErrNotValidYet): return nil, errs.UnauthorizedErr(err, errs.WithMessage("error validating renew token: token not valid yet (nbf)")) - case jose.ErrExpired: + case errors.Is(err, jose.ErrExpired): return nil, errs.UnauthorizedErr(err, errs.WithMessage("error validating renew token: token is expired (exp)")) - case jose.ErrIssuedInTheFuture: + case errors.Is(err, jose.ErrIssuedInTheFuture): return nil, errs.UnauthorizedErr(err, errs.WithMessage("error validating renew token: token issued in the future (iat)")) default: return nil, errs.UnauthorizedErr(err, errs.WithMessage("error validating renew token")) @@ -434,7 +435,7 @@ func (a *Authority) AuthorizeRenewToken(ctx context.Context, ott string) (*x509. audiences := a.config.GetAudiences().Renew if !matchesAudience(claims.Audience, audiences) { - return nil, errs.InternalServerErr(err, errs.WithMessage("error validating renew token: invalid audience claim (aud)")) + return nil, errs.InternalServerErr(jose.ErrInvalidAudience, errs.WithMessage("error validating renew token: invalid audience claim (aud)")) } // validate issuer: old versions used the provisioner name, new version uses diff --git a/authority/authorize_test.go b/authority/authorize_test.go index af80d3d3..8f49cf03 100644 --- a/authority/authorize_test.go +++ b/authority/authorize_test.go @@ -313,8 +313,8 @@ func TestAuthority_authorizeToken(t *testing.T) { p, err := tc.auth.authorizeToken(context.Background(), tc.token) if err != nil { if assert.NotNil(t, tc.err) { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tc.code) assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -399,8 +399,8 @@ func TestAuthority_authorizeRevoke(t *testing.T) { if err := tc.auth.authorizeRevoke(context.Background(), tc.token); err != nil { if assert.NotNil(t, tc.err) { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tc.code) assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -484,8 +484,8 @@ func TestAuthority_authorizeSign(t *testing.T) { got, err := tc.auth.authorizeSign(context.Background(), tc.token) if err != nil { if assert.NotNil(t, tc.err) { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tc.code) assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -743,13 +743,13 @@ func TestAuthority_Authorize(t *testing.T) { if err != nil { if assert.NotNil(t, tc.err, fmt.Sprintf("unexpected error: %s", err)) { assert.Nil(t, got) - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tc.code) assert.HasPrefix(t, err.Error(), tc.err.Error()) - ctxErr, ok := err.(*errs.Error) - assert.Fatal(t, ok, "error is not of type *errs.Error") + var ctxErr *errs.Error + assert.Fatal(t, errors.As(err, &ctxErr), "error is not of type *errs.Error") assert.Equals(t, ctxErr.Details["token"], tc.token) } } else { @@ -879,13 +879,13 @@ func TestAuthority_authorizeRenew(t *testing.T) { err := tc.auth.authorizeRenew(tc.cert) if err != nil { if assert.NotNil(t, tc.err) { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCoder interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tc.code) assert.HasPrefix(t, err.Error(), tc.err.Error()) - ctxErr, ok := err.(*errs.Error) - assert.Fatal(t, ok, "error is not of type *errs.Error") + var ctxErr *errs.Error + assert.Fatal(t, errors.As(err, &ctxErr), "error is not of type *errs.Error") assert.Equals(t, ctxErr.Details["serialNumber"], tc.cert.SerialNumber.String()) } } else { @@ -1027,8 +1027,8 @@ func TestAuthority_authorizeSSHSign(t *testing.T) { got, err := tc.auth.authorizeSSHSign(context.Background(), tc.token) if err != nil { if assert.NotNil(t, tc.err) { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tc.code) assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -1144,8 +1144,8 @@ func TestAuthority_authorizeSSHRenew(t *testing.T) { got, err := tc.auth.authorizeSSHRenew(context.Background(), tc.token) if err != nil { if assert.NotNil(t, tc.err) { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tc.code) assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -1244,8 +1244,8 @@ func TestAuthority_authorizeSSHRevoke(t *testing.T) { if err := tc.auth.authorizeSSHRevoke(context.Background(), tc.token); err != nil { if assert.NotNil(t, tc.err) { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tc.code) assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -1337,8 +1337,8 @@ func TestAuthority_authorizeSSHRekey(t *testing.T) { cert, signOpts, err := tc.auth.authorizeSSHRekey(context.Background(), tc.token) if err != nil { if assert.NotNil(t, tc.err) { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tc.code) assert.HasPrefix(t, err.Error(), tc.err.Error()) } diff --git a/authority/config/tls_options.go b/authority/config/tls_options.go index 01ab3d0a..5ef6c894 100644 --- a/authority/config/tls_options.go +++ b/authority/config/tls_options.go @@ -169,7 +169,7 @@ func (t *TLSOptions) TLSConfig() *tls.Config { rs = tls.RenegotiateNever } - // nolint:gosec // default MinVersion 1.2, if defined but empty 1.3 is used + //nolint:gosec // default MinVersion 1.2, if defined but empty 1.3 is used return &tls.Config{ CipherSuites: t.CipherSuites.Value(), MinVersion: t.MinVersion.Value(), diff --git a/authority/internal/constraints/constraints.go b/authority/internal/constraints/constraints.go new file mode 100644 index 00000000..a1cbde7e --- /dev/null +++ b/authority/internal/constraints/constraints.go @@ -0,0 +1,135 @@ +package constraints + +import ( + "crypto/x509" + "fmt" + "net" + "net/http" + "net/url" + + "github.com/smallstep/certificates/errs" +) + +// ConstraintError is the typed error that will be returned if a constraint +// error is found. +type ConstraintError struct { + Type string + Name string + Detail string +} + +// Error implements the error interface. +func (e ConstraintError) Error() string { + return e.Detail +} + +// As implements the As(any) bool interface and allows to use "errors.As()" to +// convert the ConstraintError to an errs.Error. +func (e ConstraintError) As(v any) bool { + if err, ok := v.(**errs.Error); ok { + *err = &errs.Error{ + Status: http.StatusForbidden, + Msg: e.Detail, + Err: e, + } + return true + } + return false +} + +// Engine implements a constraint validator for DNS names, IP addresses, Email +// addresses and URIs. +type Engine struct { + hasNameConstraints bool + permittedDNSDomains []string + excludedDNSDomains []string + permittedIPRanges []*net.IPNet + excludedIPRanges []*net.IPNet + permittedEmailAddresses []string + excludedEmailAddresses []string + permittedURIDomains []string + excludedURIDomains []string +} + +// New creates a constraint validation engine that contains the given chain of +// certificates. +func New(chain ...*x509.Certificate) *Engine { + e := new(Engine) + for _, crt := range chain { + e.permittedDNSDomains = append(e.permittedDNSDomains, crt.PermittedDNSDomains...) + e.excludedDNSDomains = append(e.excludedDNSDomains, crt.ExcludedDNSDomains...) + e.permittedIPRanges = append(e.permittedIPRanges, crt.PermittedIPRanges...) + e.excludedIPRanges = append(e.excludedIPRanges, crt.ExcludedIPRanges...) + e.permittedEmailAddresses = append(e.permittedEmailAddresses, crt.PermittedEmailAddresses...) + e.excludedEmailAddresses = append(e.excludedEmailAddresses, crt.ExcludedEmailAddresses...) + e.permittedURIDomains = append(e.permittedURIDomains, crt.PermittedURIDomains...) + e.excludedURIDomains = append(e.excludedURIDomains, crt.ExcludedURIDomains...) + } + + e.hasNameConstraints = len(e.permittedDNSDomains) > 0 || len(e.excludedDNSDomains) > 0 || + len(e.permittedIPRanges) > 0 || len(e.excludedIPRanges) > 0 || + len(e.permittedEmailAddresses) > 0 || len(e.excludedEmailAddresses) > 0 || + len(e.permittedURIDomains) > 0 || len(e.excludedURIDomains) > 0 + + return e +} + +// Validate checks the given names with the name constraints defined in the +// service. +func (e *Engine) Validate(dnsNames []string, ipAddresses []net.IP, emailAddresses []string, uris []*url.URL) error { + if e == nil || !e.hasNameConstraints { + return nil + } + + for _, name := range dnsNames { + if err := checkNameConstraints("DNS name", name, name, e.permittedDNSDomains, e.excludedDNSDomains, + func(parsedName, constraint any) (bool, error) { + return matchDomainConstraint(parsedName.(string), constraint.(string)) + }, + ); err != nil { + return err + } + } + + for _, ip := range ipAddresses { + if err := checkNameConstraints("IP address", ip.String(), ip, e.permittedIPRanges, e.excludedIPRanges, + func(parsedName, constraint any) (bool, error) { + return matchIPConstraint(parsedName.(net.IP), constraint.(*net.IPNet)) + }, + ); err != nil { + return err + } + } + + for _, email := range emailAddresses { + mailbox, ok := parseRFC2821Mailbox(email) + if !ok { + return fmt.Errorf("cannot parse rfc822Name %q", email) + } + if err := checkNameConstraints("Email address", email, mailbox, e.permittedEmailAddresses, e.excludedEmailAddresses, + func(parsedName, constraint any) (bool, error) { + return matchEmailConstraint(parsedName.(rfc2821Mailbox), constraint.(string)) + }, + ); err != nil { + return err + } + } + + for _, uri := range uris { + if err := checkNameConstraints("URI", uri.String(), uri, e.permittedURIDomains, e.excludedURIDomains, + func(parsedName, constraint any) (bool, error) { + return matchURIConstraint(parsedName.(*url.URL), constraint.(string)) + }, + ); err != nil { + return err + } + } + + return nil +} + +// ValidateCertificate validates the DNS names, IP addresses, Email addresses +// and URIs present in the given certificate. +func (e *Engine) ValidateCertificate(cert *x509.Certificate) error { + return e.Validate(cert.DNSNames, cert.IPAddresses, cert.EmailAddresses, cert.URIs) +} diff --git a/authority/internal/constraints/constraints_test.go b/authority/internal/constraints/constraints_test.go new file mode 100644 index 00000000..0f6d0ef1 --- /dev/null +++ b/authority/internal/constraints/constraints_test.go @@ -0,0 +1,334 @@ +package constraints + +import ( + "crypto/x509" + "net" + "net/url" + "reflect" + "testing" + + "go.step.sm/crypto/minica" +) + +func TestNew(t *testing.T) { + ca1, err := minica.New() + if err != nil { + t.Fatal(err) + } + + ca2, err := minica.New( + minica.WithIntermediateTemplate(`{ + "subject": {{ toJson .Subject }}, + "keyUsage": ["certSign", "crlSign"], + "basicConstraints": { + "isCA": true, + "maxPathLen": 0 + }, + "nameConstraints": { + "critical": true, + "permittedDNSDomains": ["internal.example.org"], + "excludedDNSDomains": ["internal.example.com"], + "permittedIPRanges": ["192.168.1.0/24", "192.168.2.1/32"], + "excludedIPRanges": ["192.168.3.0/24", "192.168.4.0/28"], + "permittedEmailAddresses": ["root@example.org", "example.org", ".acme.org"], + "excludedEmailAddresses": ["root@example.com", "example.com", ".acme.com"], + "permittedURIDomains": ["host.example.org", ".acme.org"], + "excludedURIDomains": ["host.example.com", ".acme.com"] + } + }`), + ) + if err != nil { + t.Fatal(err) + } + + type args struct { + chain []*x509.Certificate + } + tests := []struct { + name string + args args + want *Engine + }{ + {"ok", args{[]*x509.Certificate{ca1.Intermediate, ca1.Root}}, &Engine{ + hasNameConstraints: false, + }}, + {"ok with constraints", args{[]*x509.Certificate{ca2.Intermediate, ca2.Root}}, &Engine{ + hasNameConstraints: true, + permittedDNSDomains: []string{"internal.example.org"}, + excludedDNSDomains: []string{"internal.example.com"}, + permittedIPRanges: []*net.IPNet{ + {IP: net.ParseIP("192.168.1.0").To4(), Mask: net.IPMask{255, 255, 255, 0}}, + {IP: net.ParseIP("192.168.2.1").To4(), Mask: net.IPMask{255, 255, 255, 255}}, + }, + excludedIPRanges: []*net.IPNet{ + {IP: net.ParseIP("192.168.3.0").To4(), Mask: net.IPMask{255, 255, 255, 0}}, + {IP: net.ParseIP("192.168.4.0").To4(), Mask: net.IPMask{255, 255, 255, 240}}, + }, + permittedEmailAddresses: []string{"root@example.org", "example.org", ".acme.org"}, + excludedEmailAddresses: []string{"root@example.com", "example.com", ".acme.com"}, + permittedURIDomains: []string{"host.example.org", ".acme.org"}, + excludedURIDomains: []string{"host.example.com", ".acme.com"}, + }}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := New(tt.args.chain...); !reflect.DeepEqual(got, tt.want) { + t.Errorf("New() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestNew_hasNameConstraints(t *testing.T) { + tests := []struct { + name string + fn func(c *x509.Certificate) + want bool + }{ + {"no constraints", func(c *x509.Certificate) {}, false}, + {"permittedDNSDomains", func(c *x509.Certificate) { c.PermittedDNSDomains = []string{"constraint"} }, true}, + {"excludedDNSDomains", func(c *x509.Certificate) { c.ExcludedDNSDomains = []string{"constraint"} }, true}, + {"permittedIPRanges", func(c *x509.Certificate) { + c.PermittedIPRanges = []*net.IPNet{{IP: net.ParseIP("192.168.3.0").To4(), Mask: net.IPMask{255, 255, 255, 0}}} + }, true}, + {"excludedIPRanges", func(c *x509.Certificate) { + c.ExcludedIPRanges = []*net.IPNet{{IP: net.ParseIP("192.168.3.0").To4(), Mask: net.IPMask{255, 255, 255, 0}}} + }, true}, + {"permittedEmailAddresses", func(c *x509.Certificate) { c.PermittedEmailAddresses = []string{"constraint"} }, true}, + {"excludedEmailAddresses", func(c *x509.Certificate) { c.ExcludedEmailAddresses = []string{"constraint"} }, true}, + {"permittedURIDomains", func(c *x509.Certificate) { c.PermittedURIDomains = []string{"constraint"} }, true}, + {"excludedURIDomains", func(c *x509.Certificate) { c.ExcludedURIDomains = []string{"constraint"} }, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + cert := &x509.Certificate{} + tt.fn(cert) + if e := New(cert); e.hasNameConstraints != tt.want { + t.Errorf("Engine.hasNameConstraints = %v, want %v", e.hasNameConstraints, tt.want) + } + }) + } +} + +func TestEngine_Validate(t *testing.T) { + type fields struct { + hasNameConstraints bool + permittedDNSDomains []string + excludedDNSDomains []string + permittedIPRanges []*net.IPNet + excludedIPRanges []*net.IPNet + permittedEmailAddresses []string + excludedEmailAddresses []string + permittedURIDomains []string + excludedURIDomains []string + } + type args struct { + dnsNames []string + ipAddresses []net.IP + emailAddresses []string + uris []*url.URL + } + tests := []struct { + name string + fields fields + args args + wantErr bool + }{ + {"ok", fields{hasNameConstraints: false}, args{ + dnsNames: []string{"example.com", "host.example.com"}, + ipAddresses: []net.IP{{192, 168, 1, 1}, {0x26, 0x00, 0x1f, 0x1c, 0x47, 0x01, 0x9d, 0x00, 0xc3, 0xa7, 0x66, 0x94, 0x87, 0x0f, 0x20, 0x72}}, + emailAddresses: []string{"root@example.com"}, + uris: []*url.URL{{Scheme: "https", Host: "example.com", Path: "/uuid/c6d1a755-0c12-431e-9136-b64cb3173ec7"}}, + }, false}, + {"ok permitted dns", fields{ + hasNameConstraints: true, + permittedDNSDomains: []string{"example.com"}, + }, args{dnsNames: []string{"example.com", "www.example.com"}}, false}, + {"ok not excluded dns", fields{ + hasNameConstraints: true, + excludedDNSDomains: []string{"example.org"}, + }, args{dnsNames: []string{"example.com", "www.example.com"}}, false}, + {"ok permitted ip", fields{ + hasNameConstraints: true, + permittedIPRanges: []*net.IPNet{ + {IP: net.ParseIP("192.168.1.0"), Mask: net.IPMask{255, 255, 255, 0}}, + {IP: net.ParseIP("192.168.2.1").To4(), Mask: net.IPMask{255, 255, 255, 255}}, + {IP: net.ParseIP("2600:1700:22f8:2600:e559:bd88:350a:34d6"), Mask: net.IPMask{255, 255, 255, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}}, + }, + }, args{ipAddresses: []net.IP{{192, 168, 1, 10}, {192, 168, 2, 1}, {0x26, 0x0, 0x17, 0x00, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb, 0xc}}}, false}, + {"ok not excluded ip", fields{ + hasNameConstraints: true, + excludedIPRanges: []*net.IPNet{ + {IP: net.ParseIP("192.168.1.0"), Mask: net.IPMask{255, 255, 255, 0}}, + {IP: net.ParseIP("192.168.2.1").To4(), Mask: net.IPMask{255, 255, 255, 255}}, + }, + }, args{ipAddresses: []net.IP{{192, 168, 2, 2}, {192, 168, 3, 1}}}, false}, + {"ok permitted emails", fields{ + hasNameConstraints: true, + permittedEmailAddresses: []string{"root@example.com", "acme.org", ".acme.com"}, + }, args{emailAddresses: []string{"root@example.com", "name@acme.org", "name@coyote.acme.com", `"(quoted)"@www.acme.com`}}, false}, + {"ok not excluded emails", fields{ + hasNameConstraints: true, + excludedEmailAddresses: []string{"root@example.com", "acme.org", ".acme.com"}, + }, args{emailAddresses: []string{"name@example.com", "root@acme.com", "root@other.com"}}, false}, + {"ok permitted uris", fields{ + hasNameConstraints: true, + permittedURIDomains: []string{"example.com", ".acme.com"}, + }, args{uris: []*url.URL{{Scheme: "https", Host: "example.com", Path: "/path"}, {Scheme: "https", Host: "www.acme.com", Path: "/path"}}}, false}, + {"ok not excluded uris", fields{ + hasNameConstraints: true, + excludedURIDomains: []string{"example.com", ".acme.com"}, + }, args{uris: []*url.URL{{Scheme: "https", Host: "example.org", Path: "/path"}, {Scheme: "https", Host: "acme.com", Path: "/path"}}}, false}, + {"fail permitted dns", fields{ + hasNameConstraints: true, + permittedDNSDomains: []string{"example.com"}, + }, args{dnsNames: []string{"www.example.com", "www.example.org"}}, true}, + {"fail not excluded dns", fields{ + hasNameConstraints: true, + excludedDNSDomains: []string{"example.org"}, + }, args{dnsNames: []string{"example.com", "www.example.org"}}, true}, + {"fail permitted ip", fields{ + hasNameConstraints: true, + permittedIPRanges: []*net.IPNet{ + {IP: net.ParseIP("192.168.1.0").To4(), Mask: net.IPMask{255, 255, 255, 0}}, + {IP: net.ParseIP("192.168.2.1").To4(), Mask: net.IPMask{255, 255, 255, 255}}, + }, + }, args{ipAddresses: []net.IP{{192, 168, 1, 10}, {192, 168, 2, 10}}}, true}, + {"fail not excluded ip", fields{ + hasNameConstraints: true, + excludedIPRanges: []*net.IPNet{ + {IP: net.ParseIP("192.168.1.0").To4(), Mask: net.IPMask{255, 255, 255, 0}}, + {IP: net.ParseIP("192.168.2.1").To4(), Mask: net.IPMask{255, 255, 255, 255}}, + }, + }, args{ipAddresses: []net.IP{{192, 168, 2, 2}, {192, 168, 1, 1}}}, true}, + {"fail permitted emails", fields{ + hasNameConstraints: true, + permittedEmailAddresses: []string{"root@example.com", "acme.org", ".acme.com"}, + }, args{emailAddresses: []string{"root@example.com", "name@acme.org", "name@acme.com"}}, true}, + {"fail not excluded emails", fields{ + hasNameConstraints: true, + excludedEmailAddresses: []string{"root@example.com", "acme.org", ".acme.com"}, + }, args{emailAddresses: []string{"name@example.com", "root@example.com"}}, true}, + {"fail permitted uris", fields{ + hasNameConstraints: true, + permittedURIDomains: []string{"example.com", ".acme.com"}, + }, args{uris: []*url.URL{{Scheme: "https", Host: "example.com", Path: "/path"}, {Scheme: "https", Host: "acme.com", Path: "/path"}}}, true}, + {"fail not excluded uris", fields{ + hasNameConstraints: true, + excludedURIDomains: []string{"example.com", ".acme.com"}, + }, args{uris: []*url.URL{{Scheme: "https", Host: "www.example.com", Path: "/path"}, {Scheme: "https", Host: "acme.com", Path: "/path"}}}, true}, + {"fail parse emails", fields{ + hasNameConstraints: true, + permittedEmailAddresses: []string{"example.com"}, + }, args{emailAddresses: []string{`(notquoted)@example.com`}}, true}, + {"fail match dns", fields{ + hasNameConstraints: true, + permittedDNSDomains: []string{"example.com"}, + }, args{dnsNames: []string{`www.example.com.`}}, true}, + {"fail match email", fields{ + hasNameConstraints: true, + excludedEmailAddresses: []string{`(notquoted)@example.com`}, + }, args{emailAddresses: []string{`ok@example.com`}}, true}, + {"fail match uri", fields{ + hasNameConstraints: true, + permittedURIDomains: []string{"example.com"}, + }, args{uris: []*url.URL{{Scheme: "urn", Opaque: "uuid:36efb1ae-6617-4b23-b799-874a37aaea1c"}}}, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + e := &Engine{ + hasNameConstraints: tt.fields.hasNameConstraints, + permittedDNSDomains: tt.fields.permittedDNSDomains, + excludedDNSDomains: tt.fields.excludedDNSDomains, + permittedIPRanges: tt.fields.permittedIPRanges, + excludedIPRanges: tt.fields.excludedIPRanges, + permittedEmailAddresses: tt.fields.permittedEmailAddresses, + excludedEmailAddresses: tt.fields.excludedEmailAddresses, + permittedURIDomains: tt.fields.permittedURIDomains, + excludedURIDomains: tt.fields.excludedURIDomains, + } + if err := e.Validate(tt.args.dnsNames, tt.args.ipAddresses, tt.args.emailAddresses, tt.args.uris); (err != nil) != tt.wantErr { + t.Errorf("service.Validate() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +} + +func TestEngine_Validate_nil(t *testing.T) { + var e *Engine + if err := e.Validate([]string{"www.example.com"}, nil, nil, nil); err != nil { + t.Errorf("service.Validate() error = %v, wantErr false", err) + } +} + +func TestEngine_ValidateCertificate(t *testing.T) { + type fields struct { + hasNameConstraints bool + permittedDNSDomains []string + excludedDNSDomains []string + permittedIPRanges []*net.IPNet + excludedIPRanges []*net.IPNet + permittedEmailAddresses []string + excludedEmailAddresses []string + permittedURIDomains []string + excludedURIDomains []string + } + type args struct { + cert *x509.Certificate + } + tests := []struct { + name string + fields fields + args args + wantErr bool + }{ + {"ok", fields{hasNameConstraints: false}, args{&x509.Certificate{ + DNSNames: []string{"example.com"}, + IPAddresses: []net.IP{{127, 0, 0, 1}}, + EmailAddresses: []string{"info@example.com"}, + URIs: []*url.URL{{Scheme: "https", Host: "uuid.example.com", Path: "/dc4c76b5-5262-4551-a881-48094a604d63"}}, + }}, false}, + {"ok with constraints", fields{ + hasNameConstraints: true, + permittedDNSDomains: []string{"example.com"}, + permittedIPRanges: []*net.IPNet{ + {IP: net.ParseIP("127.0.0.1").To4(), Mask: net.IPMask{255, 255, 255, 255}}, + {IP: net.ParseIP("10.3.0.0").To4(), Mask: net.IPMask{255, 255, 0, 0}}, + }, + permittedEmailAddresses: []string{"example.com"}, + permittedURIDomains: []string{".example.com"}, + }, args{&x509.Certificate{ + DNSNames: []string{"www.example.com"}, + IPAddresses: []net.IP{{127, 0, 0, 1}, {10, 3, 1, 1}}, + EmailAddresses: []string{"info@example.com"}, + URIs: []*url.URL{{Scheme: "https", Host: "uuid.example.com", Path: "/dc4c76b5-5262-4551-a881-48094a604d63"}}, + }}, false}, + {"fail", fields{ + hasNameConstraints: true, + permittedURIDomains: []string{".example.com"}, + }, args{&x509.Certificate{ + DNSNames: []string{"example.com"}, + IPAddresses: []net.IP{{127, 0, 0, 1}}, + EmailAddresses: []string{"info@example.com"}, + URIs: []*url.URL{{Scheme: "https", Host: "uuid.example.org", Path: "/dc4c76b5-5262-4551-a881-48094a604d63"}}, + }}, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + e := &Engine{ + hasNameConstraints: tt.fields.hasNameConstraints, + permittedDNSDomains: tt.fields.permittedDNSDomains, + excludedDNSDomains: tt.fields.excludedDNSDomains, + permittedIPRanges: tt.fields.permittedIPRanges, + excludedIPRanges: tt.fields.excludedIPRanges, + permittedEmailAddresses: tt.fields.permittedEmailAddresses, + excludedEmailAddresses: tt.fields.excludedEmailAddresses, + permittedURIDomains: tt.fields.permittedURIDomains, + excludedURIDomains: tt.fields.excludedURIDomains, + } + if err := e.ValidateCertificate(tt.args.cert); (err != nil) != tt.wantErr { + t.Errorf("Engine.ValidateCertificate() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +} diff --git a/authority/internal/constraints/verify.go b/authority/internal/constraints/verify.go new file mode 100644 index 00000000..5d070f1e --- /dev/null +++ b/authority/internal/constraints/verify.go @@ -0,0 +1,383 @@ +// Copyright (c) 2009 The Go Authors. All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following disclaimer +// in the documentation and/or other materials provided with the +// distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived from +// this software without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +package constraints + +import ( + "bytes" + "fmt" + "net" + "net/url" + "reflect" + "strings" +) + +func checkNameConstraints(nameType, name string, parsedName, permitted, excluded any, match func(name, constraint any) (bool, error)) error { + excludedValue := reflect.ValueOf(excluded) + for i := 0; i < excludedValue.Len(); i++ { + constraint := excludedValue.Index(i).Interface() + match, err := match(parsedName, constraint) + if err != nil { + return ConstraintError{ + Type: nameType, + Name: name, + Detail: err.Error(), + } + } + + if match { + return ConstraintError{ + Type: nameType, + Name: name, + Detail: fmt.Sprintf("%s %q is excluded by constraint %q", nameType, name, constraint), + } + } + } + + var ( + err error + ok = true + ) + + permittedValue := reflect.ValueOf(permitted) + for i := 0; i < permittedValue.Len(); i++ { + constraint := permittedValue.Index(i).Interface() + if ok, err = match(parsedName, constraint); err != nil { + return ConstraintError{ + Type: nameType, + Name: name, + Detail: err.Error(), + } + } + if ok { + break + } + } + if !ok { + return ConstraintError{ + Type: nameType, + Name: name, + Detail: fmt.Sprintf("%s %q is not permitted by any constraint", nameType, name), + } + } + + return nil +} + +func matchDomainConstraint(domain, constraint string) (bool, error) { + // The meaning of zero length constraints is not specified, but this + // code follows NSS and accepts them as matching everything. + if constraint == "" { + return true, nil + } + + domainLabels, ok := domainToReverseLabels(domain) + if !ok { + return false, fmt.Errorf("internal error: cannot parse domain %q", domain) + } + + // RFC 5280 says that a leading period in a domain name means that at least + // one label must be prepended, but only for URI and email constraints, not + // DNS constraints. The code also supports that behavior for DNS + // constraints. + + mustHaveSubdomains := false + if constraint[0] == '.' { + mustHaveSubdomains = true + constraint = constraint[1:] + } + + constraintLabels, ok := domainToReverseLabels(constraint) + if !ok { + return false, fmt.Errorf("internal error: cannot parse domain %q", constraint) + } + + if len(domainLabels) < len(constraintLabels) || + (mustHaveSubdomains && len(domainLabels) == len(constraintLabels)) { + return false, nil + } + + for i, constraintLabel := range constraintLabels { + if !strings.EqualFold(constraintLabel, domainLabels[i]) { + return false, nil + } + } + + return true, nil +} + +func normalizeIP(ip net.IP) net.IP { + if ip4 := ip.To4(); ip4 != nil { + return ip4 + } + return ip +} + +func matchIPConstraint(ip net.IP, constraint *net.IPNet) (bool, error) { + ip = normalizeIP(ip) + constraintIP := normalizeIP(constraint.IP) + if len(ip) != len(constraintIP) { + return false, nil + } + + for i := range ip { + if mask := constraint.Mask[i]; ip[i]&mask != constraintIP[i]&mask { + return false, nil + } + } + + return true, nil +} + +func matchEmailConstraint(mailbox rfc2821Mailbox, constraint string) (bool, error) { + // If the constraint contains an @, then it specifies an exact mailbox + // name. + if strings.Contains(constraint, "@") { + constraintMailbox, ok := parseRFC2821Mailbox(constraint) + if !ok { + return false, fmt.Errorf("internal error: cannot parse constraint %q", constraint) + } + return mailbox.local == constraintMailbox.local && strings.EqualFold(mailbox.domain, constraintMailbox.domain), nil + } + + // Otherwise the constraint is like a DNS constraint of the domain part + // of the mailbox. + return matchDomainConstraint(mailbox.domain, constraint) +} + +func matchURIConstraint(uri *url.URL, constraint string) (bool, error) { + // From RFC 5280, Section 4.2.1.10: + // “a uniformResourceIdentifier that does not include an authority + // component with a host name specified as a fully qualified domain + // name (e.g., if the URI either does not include an authority + // component or includes an authority component in which the host name + // is specified as an IP address), then the application MUST reject the + // certificate.” + + host := uri.Host + if host == "" { + return false, fmt.Errorf("URI with empty host (%q) cannot be matched against constraints", uri.String()) + } + + if strings.Contains(host, ":") && !strings.HasSuffix(host, "]") { + var err error + host, _, err = net.SplitHostPort(uri.Host) + if err != nil { + return false, err + } + } + + if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") || + net.ParseIP(host) != nil { + return false, fmt.Errorf("URI with IP (%q) cannot be matched against constraints", uri.String()) + } + + return matchDomainConstraint(host, constraint) +} + +// domainToReverseLabels converts a textual domain name like foo.example.com to +// the list of labels in reverse order, e.g. ["com", "example", "foo"]. +func domainToReverseLabels(domain string) (reverseLabels []string, ok bool) { + for len(domain) > 0 { + if i := strings.LastIndexByte(domain, '.'); i == -1 { + reverseLabels = append(reverseLabels, domain) + domain = "" + } else { + reverseLabels = append(reverseLabels, domain[i+1:]) + domain = domain[:i] + } + } + + if len(reverseLabels) > 0 && reverseLabels[0] == "" { + // An empty label at the end indicates an absolute value. + return nil, false + } + + for _, label := range reverseLabels { + if label == "" { + // Empty labels are otherwise invalid. + return nil, false + } + + for _, c := range label { + if c < 33 || c > 126 { + // Invalid character. + return nil, false + } + } + } + + return reverseLabels, true +} + +// rfc2821Mailbox represents a “mailbox” (which is an email address to most +// people) by breaking it into the “local” (i.e. before the '@') and “domain” +// parts. +type rfc2821Mailbox struct { + local, domain string +} + +// parseRFC2821Mailbox parses an email address into local and domain parts, +// based on the ABNF for a “Mailbox” from RFC 2821. According to RFC 5280, +// Section 4.2.1.6 that's correct for an rfc822Name from a certificate: “The +// format of an rfc822Name is a "Mailbox" as defined in RFC 2821, Section 4.1.2”. +func parseRFC2821Mailbox(in string) (mailbox rfc2821Mailbox, ok bool) { + if in == "" { + return mailbox, false + } + + localPartBytes := make([]byte, 0, len(in)/2) + + if in[0] == '"' { + // Quoted-string = DQUOTE *qcontent DQUOTE + // non-whitespace-control = %d1-8 / %d11 / %d12 / %d14-31 / %d127 + // qcontent = qtext / quoted-pair + // qtext = non-whitespace-control / + // %d33 / %d35-91 / %d93-126 + // quoted-pair = ("\" text) / obs-qp + // text = %d1-9 / %d11 / %d12 / %d14-127 / obs-text + // + // (Names beginning with “obs-” are the obsolete syntax from RFC 2822, + // Section 4. Since it has been 16 years, we no longer accept that.) + in = in[1:] + QuotedString: + for { + if in == "" { + return mailbox, false + } + c := in[0] + in = in[1:] + + switch { + case c == '"': + break QuotedString + + case c == '\\': + // quoted-pair + if in == "" { + return mailbox, false + } + if in[0] == 11 || + in[0] == 12 || + (1 <= in[0] && in[0] <= 9) || + (14 <= in[0] && in[0] <= 127) { + localPartBytes = append(localPartBytes, in[0]) + in = in[1:] + } else { + return mailbox, false + } + + case c == 11 || + c == 12 || + // Space (char 32) is not allowed based on the + // BNF, but RFC 3696 gives an example that + // assumes that it is. Several “verified” + // errata continue to argue about this point. + // We choose to accept it. + c == 32 || + c == 33 || + c == 127 || + (1 <= c && c <= 8) || + (14 <= c && c <= 31) || + (35 <= c && c <= 91) || + (93 <= c && c <= 126): + // qtext + localPartBytes = append(localPartBytes, c) + + default: + return mailbox, false + } + } + } else { + // Atom ("." Atom)* + NextChar: + for len(in) > 0 { + // atext from RFC 2822, Section 3.2.4 + c := in[0] + + switch { + case c == '\\': + // Examples given in RFC 3696 suggest that + // escaped characters can appear outside of a + // quoted string. Several “verified” errata + // continue to argue the point. We choose to + // accept it. + in = in[1:] + if in == "" { + return mailbox, false + } + fallthrough + + case ('0' <= c && c <= '9') || + ('a' <= c && c <= 'z') || + ('A' <= c && c <= 'Z') || + c == '!' || c == '#' || c == '$' || c == '%' || + c == '&' || c == '\'' || c == '*' || c == '+' || + c == '-' || c == '/' || c == '=' || c == '?' || + c == '^' || c == '_' || c == '`' || c == '{' || + c == '|' || c == '}' || c == '~' || c == '.': + localPartBytes = append(localPartBytes, in[0]) + in = in[1:] + + default: + break NextChar + } + } + + if len(localPartBytes) == 0 { + return mailbox, false + } + + // From RFC 3696, Section 3: + // “period (".") may also appear, but may not be used to start + // or end the local part, nor may two or more consecutive + // periods appear.” + twoDots := []byte{'.', '.'} + if localPartBytes[0] == '.' || + localPartBytes[len(localPartBytes)-1] == '.' || + bytes.Contains(localPartBytes, twoDots) { + return mailbox, false + } + } + + if in == "" || in[0] != '@' { + return mailbox, false + } + in = in[1:] + + // The RFC species a format for domains, but that's known to be + // violated in practice so we accept that anything after an '@' is the + // domain part. + if _, ok := domainToReverseLabels(in); !ok { + return mailbox, false + } + + mailbox.local = string(localPartBytes) + mailbox.domain = in + return mailbox, true +} diff --git a/authority/linkedca.go b/authority/linkedca.go index 133ae616..7179b1d7 100644 --- a/authority/linkedca.go +++ b/authority/linkedca.go @@ -461,7 +461,7 @@ func getRootCertificate(endpoint, fingerprint string) (*x509.Certificate, error) defer cancel() conn, err := grpc.DialContext(ctx, endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{ - // nolint:gosec // used in bootstrap protocol + //nolint:gosec // used in bootstrap protocol InsecureSkipVerify: true, // lgtm[go/disabled-certificate-check] }))) if err != nil { diff --git a/authority/options.go b/authority/options.go index 9cef89f0..8e1a01ff 100644 --- a/authority/options.go +++ b/authority/options.go @@ -151,16 +151,23 @@ func WithKeyManager(k kms.KeyManager) Option { // WithX509Signer defines the signer used to sign X509 certificates. func WithX509Signer(crt *x509.Certificate, s crypto.Signer) Option { + return WithX509SignerChain([]*x509.Certificate{crt}, s) +} + +// WithX509SignerChain defines the signer used to sign X509 certificates. This +// option is similar to WithX509Signer but it supports a chain of intermediates. +func WithX509SignerChain(issuerChain []*x509.Certificate, s crypto.Signer) Option { return func(a *Authority) error { srv, err := cas.New(context.Background(), casapi.Options{ Type: casapi.SoftCAS, Signer: s, - CertificateChain: []*x509.Certificate{crt}, + CertificateChain: issuerChain, }) if err != nil { return err } a.x509CAService = srv + a.intermediateX509Certs = append(a.intermediateX509Certs, issuerChain...) return nil } } @@ -233,6 +240,25 @@ func WithX509FederatedCerts(certs ...*x509.Certificate) Option { } } +// WithX509IntermediateCerts is an option that allows to define the list of +// intermediate certificates that the CA will be using. This option will replace +// any intermediate certificate defined before. +// +// Note that these certificates will not be bundled with the certificates signed +// by the CA, because the CAS service will take care of that. They should match, +// but that's not guaranteed. These certificates will be mainly used for name +// constraint validation before a certificate is issued. +// +// This option should only be used on specific configurations, for example when +// WithX509SignerFunc is used, as we don't know the list of intermediates in +// advance. +func WithX509IntermediateCerts(intermediateCerts ...*x509.Certificate) Option { + return func(a *Authority) error { + a.intermediateX509Certs = intermediateCerts + return nil + } +} + // WithX509RootBundle is an option that allows to define the list of root // certificates. This option will replace any root certificate defined before. func WithX509RootBundle(pemCerts []byte) Option { diff --git a/authority/policy.go b/authority/policy.go index 258873af..d3078e10 100644 --- a/authority/policy.go +++ b/authority/policy.go @@ -119,7 +119,6 @@ func (a *Authority) RemoveAuthorityPolicy(ctx context.Context) error { } func (a *Authority) checkAuthorityPolicy(ctx context.Context, currentAdmin *linkedca.Admin, p *linkedca.Policy) error { - // no policy and thus nothing to evaluate; return early if p == nil { return nil @@ -138,7 +137,6 @@ func (a *Authority) checkAuthorityPolicy(ctx context.Context, currentAdmin *link } func (a *Authority) checkProvisionerPolicy(ctx context.Context, provName string, p *linkedca.Policy) error { - // no policy and thus nothing to evaluate; return early if p == nil { return nil @@ -157,7 +155,6 @@ func (a *Authority) checkProvisionerPolicy(ctx context.Context, provName string, // checkPolicy checks if a new or updated policy configuration results in the user // locking themselves or other admins out of the CA. func (a *Authority) checkPolicy(ctx context.Context, currentAdmin *linkedca.Admin, otherAdmins []*linkedca.Admin, p *linkedca.Policy) error { - // convert the policy; return early if nil policyOptions := authPolicy.LinkedToCertificates(p) if policyOptions == nil { @@ -216,7 +213,6 @@ func (a *Authority) reloadPolicyEngines(ctx context.Context) error { ) if a.config.AuthorityConfig.EnableAdmin { - // temporarily disable policy loading when LinkedCA is in use if _, ok := a.adminDB.(*linkedCaClient); ok { return nil diff --git a/authority/policy/engine.go b/authority/policy/engine.go index 4b21f66b..d3881d9b 100644 --- a/authority/policy/engine.go +++ b/authority/policy/engine.go @@ -17,9 +17,9 @@ type Engine struct { // New returns a new Engine using Options. func New(options *Options) (*Engine, error) { - // if no options provided, return early if options == nil { + //nolint:nilnil // legacy return nil, nil } @@ -56,7 +56,6 @@ func New(options *Options) (*Engine, error) { // the X.509 policy (if available) and returns an error if one of the // names in the certificate is not allowed. func (e *Engine) IsX509CertificateAllowed(cert *x509.Certificate) error { - // return early if there's no policy to evaluate if e == nil || e.x509Policy == nil { return nil @@ -69,7 +68,6 @@ func (e *Engine) IsX509CertificateAllowed(cert *x509.Certificate) error { // AreSANsAllowed evaluates the slice of SANs against the X.509 policy // (if available) and returns an error if one of the SANs is not allowed. func (e *Engine) AreSANsAllowed(sans []string) error { - // return early if there's no policy to evaluate if e == nil || e.x509Policy == nil { return nil @@ -83,7 +81,6 @@ func (e *Engine) AreSANsAllowed(sans []string) error { // user or host policy (if configured) and returns an error if one of the // principals in the certificate is not allowed. func (e *Engine) IsSSHCertificateAllowed(cert *ssh.Certificate) error { - // return early if there's no policy to evaluate if e == nil || (e.sshHostPolicy == nil && e.sshUserPolicy == nil) { return nil diff --git a/authority/policy/policy.go b/authority/policy/policy.go index 3c53b704..96c7d7ea 100644 --- a/authority/policy/policy.go +++ b/authority/policy/policy.go @@ -19,7 +19,6 @@ type HostPolicy policy.SSHNamePolicyEngine // NewX509PolicyEngine creates a new x509 name policy engine func NewX509PolicyEngine(policyOptions X509PolicyOptionsInterface) (X509Policy, error) { - // return early if no policy engine options to configure if policyOptions == nil { return nil, nil @@ -92,7 +91,6 @@ func NewSSHHostPolicyEngine(policyOptions SSHPolicyOptionsInterface) (HostPolicy // newSSHPolicyEngine creates a new SSH name policy engine func newSSHPolicyEngine(policyOptions SSHPolicyOptionsInterface, typ sshPolicyEngineType) (policy.SSHNamePolicyEngine, error) { - // return early if no policy engine options to configure if policyOptions == nil { return nil, nil @@ -143,7 +141,6 @@ func newSSHPolicyEngine(policyOptions SSHPolicyOptionsInterface, typ sshPolicyEn } func LinkedToCertificates(p *linkedca.Policy) *Options { - // return early if p == nil { return nil diff --git a/authority/policy_test.go b/authority/policy_test.go index 1dccf0d1..8e2e0df4 100644 --- a/authority/policy_test.go +++ b/authority/policy_test.go @@ -185,11 +185,11 @@ func TestAuthority_checkPolicy(t *testing.T) { } else { assert.IsType(t, &PolicyError{}, err) - pe, ok := err.(*PolicyError) - assert.True(t, ok) - - assert.Equal(t, tc.err.Typ, pe.Typ) - assert.Equal(t, tc.err.Error(), pe.Error()) + var pe *PolicyError + if assert.True(t, errors.As(err, &pe)) { + assert.Equal(t, tc.err.Typ, pe.Typ) + assert.Equal(t, tc.err.Error(), pe.Error()) + } } }) } @@ -1179,10 +1179,11 @@ func TestAuthority_RemoveAuthorityPolicy(t *testing.T) { } err := a.RemoveAuthorityPolicy(tt.args.ctx) if err != nil { - pe, ok := err.(*PolicyError) - assert.True(t, ok) - assert.Equal(t, tt.wantErr.Typ, pe.Typ) - assert.Equal(t, tt.wantErr.Err.Error(), pe.Err.Error()) + var pe *PolicyError + if assert.True(t, errors.As(err, &pe)) { + assert.Equal(t, tt.wantErr.Typ, pe.Typ) + assert.Equal(t, tt.wantErr.Err.Error(), pe.Err.Error()) + } return } }) @@ -1250,10 +1251,11 @@ func TestAuthority_GetAuthorityPolicy(t *testing.T) { } got, err := a.GetAuthorityPolicy(tt.args.ctx) if err != nil { - pe, ok := err.(*PolicyError) - assert.True(t, ok) - assert.Equal(t, tt.wantErr.Typ, pe.Typ) - assert.Equal(t, tt.wantErr.Err.Error(), pe.Err.Error()) + var pe *PolicyError + if assert.True(t, errors.As(err, &pe)) { + assert.Equal(t, tt.wantErr.Typ, pe.Typ) + assert.Equal(t, tt.wantErr.Err.Error(), pe.Err.Error()) + } return } if !reflect.DeepEqual(got, tt.want) { @@ -1429,10 +1431,11 @@ func TestAuthority_CreateAuthorityPolicy(t *testing.T) { } got, err := a.CreateAuthorityPolicy(tt.args.ctx, tt.args.adm, tt.args.p) if err != nil { - pe, ok := err.(*PolicyError) - assert.True(t, ok) - assert.Equal(t, tt.wantErr.Typ, pe.Typ) - assert.Equal(t, tt.wantErr.Err.Error(), pe.Err.Error()) + var pe *PolicyError + if assert.True(t, errors.As(err, &pe)) { + assert.Equal(t, tt.wantErr.Typ, pe.Typ) + assert.Equal(t, tt.wantErr.Err.Error(), pe.Err.Error()) + } return } if !reflect.DeepEqual(got, tt.want) { @@ -1611,10 +1614,11 @@ func TestAuthority_UpdateAuthorityPolicy(t *testing.T) { } got, err := a.UpdateAuthorityPolicy(tt.args.ctx, tt.args.adm, tt.args.p) if err != nil { - pe, ok := err.(*PolicyError) - assert.True(t, ok) - assert.Equal(t, tt.wantErr.Typ, pe.Typ) - assert.Equal(t, tt.wantErr.Err.Error(), pe.Err.Error()) + var pe *PolicyError + if assert.True(t, errors.As(err, &pe)) { + assert.Equal(t, tt.wantErr.Typ, pe.Typ) + assert.Equal(t, tt.wantErr.Err.Error(), pe.Err.Error()) + } return } if !reflect.DeepEqual(got, tt.want) { diff --git a/authority/provisioner/acme.go b/authority/provisioner/acme.go index 9374d985..9a5e9f1c 100644 --- a/authority/provisioner/acme.go +++ b/authority/provisioner/acme.go @@ -3,13 +3,78 @@ package provisioner import ( "context" "crypto/x509" + "encoding/pem" "fmt" "net" + "strings" "time" "github.com/pkg/errors" ) +// ACMEChallenge represents the supported acme challenges. +type ACMEChallenge string + +//nolint:stylecheck,revive // better names +const ( + // HTTP_01 is the http-01 ACME challenge. + HTTP_01 ACMEChallenge = "http-01" + // DNS_01 is the dns-01 ACME challenge. + DNS_01 ACMEChallenge = "dns-01" + // TLS_ALPN_01 is the tls-alpn-01 ACME challenge. + TLS_ALPN_01 ACMEChallenge = "tls-alpn-01" + // DEVICE_ATTEST_01 is the device-attest-01 ACME challenge. + DEVICE_ATTEST_01 ACMEChallenge = "device-attest-01" +) + +// String returns a normalized version of the challenge. +func (c ACMEChallenge) String() string { + return strings.ToLower(string(c)) +} + +// Validate returns an error if the acme challenge is not a valid one. +func (c ACMEChallenge) Validate() error { + switch ACMEChallenge(c.String()) { + case HTTP_01, DNS_01, TLS_ALPN_01, DEVICE_ATTEST_01: + return nil + default: + return fmt.Errorf("acme challenge %q is not supported", c) + } +} + +// ACMEAttestationFormat represents the format used on a device-attest-01 +// challenge. +type ACMEAttestationFormat string + +const ( + // APPLE is the format used to enable device-attest-01 on apple devices. + APPLE ACMEAttestationFormat = "apple" + + // STEP is the format used to enable device-attest-01 on devices that + // provide attestation certificates like the PIV interface on YubiKeys. + // + // TODO(mariano): should we rename this to something else. + STEP ACMEAttestationFormat = "step" + + // TPM is the format used to enable device-attest-01 on TPMs. + TPM ACMEAttestationFormat = "tpm" +) + +// String returns a normalized version of the attestation format. +func (f ACMEAttestationFormat) String() string { + return strings.ToLower(string(f)) +} + +// Validate returns an error if the attestation format is not a valid one. +func (f ACMEAttestationFormat) Validate() error { + switch ACMEAttestationFormat(f.String()) { + case APPLE, STEP, TPM: + return nil + default: + return fmt.Errorf("acme attestation format %q is not supported", f) + } +} + // ACME is the acme provisioner type, an entity that can authorize the ACME // provisioning flow. type ACME struct { @@ -22,11 +87,23 @@ type ACME struct { // by clients when creating a new Account. If set to true, the provided // EAB will be verified. If set to false and an EAB is provided, it is // not verified. Defaults to false. - RequireEAB bool `json:"requireEAB,omitempty"` - Claims *Claims `json:"claims,omitempty"` - Options *Options `json:"options,omitempty"` - - ctl *Controller + RequireEAB bool `json:"requireEAB,omitempty"` + // Challenges contains the enabled challenges for this provisioner. If this + // value is not set the default http-01, dns-01 and tls-alpn-01 challenges + // will be enabled, device-attest-01 will be disabled. + Challenges []ACMEChallenge `json:"challenges,omitempty"` + // AttestationFormats contains the enabled attestation formats for this + // provisioner. If this value is not set the default apple, step and tpm + // will be used. + AttestationFormats []ACMEAttestationFormat `json:"attestationFormats,omitempty"` + // AttestationRoots contains a bundle of root certificates in PEM format + // that will be used to verify the attestation certificates. If provided, + // this bundle will be used even for well-known CAs like Apple and Yubico. + AttestationRoots []byte `json:"attestationRoots,omitempty"` + Claims *Claims `json:"claims,omitempty"` + Options *Options `json:"options,omitempty"` + attestationRootPool *x509.CertPool + ctl *Controller } // GetID returns the provisioner unique identifier. @@ -83,6 +160,40 @@ func (p *ACME) Init(config Config) (err error) { return errors.New("provisioner name cannot be empty") } + for _, c := range p.Challenges { + if err := c.Validate(); err != nil { + return err + } + } + for _, f := range p.AttestationFormats { + if err := f.Validate(); err != nil { + return err + } + } + + // Parse attestation roots. + // The pool will be nil if the there are not roots. + if rest := p.AttestationRoots; len(rest) > 0 { + var block *pem.Block + var hasCert bool + p.attestationRootPool = x509.NewCertPool() + for rest != nil { + block, rest = pem.Decode(rest) + if block == nil { + break + } + cert, err := x509.ParseCertificate(block.Bytes) + if err != nil { + return errors.New("error parsing attestationRoots: malformed certificate") + } + p.attestationRootPool.AddCert(cert) + hasCert = true + } + if !hasCert { + return errors.New("error parsing attestationRoots: no certificates found") + } + } + p.ctl, err = NewController(p, p.Claims, config, p.Options) return } @@ -106,7 +217,6 @@ type ACMEIdentifier struct { // AuthorizeOrderIdentifier verifies the provisioner is allowed to issue a // certificate for an ACME Order Identifier. func (p *ACME) AuthorizeOrderIdentifier(ctx context.Context, identifier ACMEIdentifier) error { - x509Policy := p.ctl.getPolicy().getX509() // identifier is allowed if no policy is configured @@ -163,3 +273,48 @@ func (p *ACME) AuthorizeRevoke(ctx context.Context, token string) error { func (p *ACME) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error { return p.ctl.AuthorizeRenew(ctx, cert) } + +// IsChallengeEnabled checks if the given challenge is enabled. By default +// http-01, dns-01 and tls-alpn-01 are enabled, to disable any of them the +// Challenge provisioner property should have at least one element. +func (p *ACME) IsChallengeEnabled(ctx context.Context, challenge ACMEChallenge) bool { + enabledChallenges := []ACMEChallenge{ + HTTP_01, DNS_01, TLS_ALPN_01, + } + if len(p.Challenges) > 0 { + enabledChallenges = p.Challenges + } + for _, ch := range enabledChallenges { + if strings.EqualFold(string(ch), string(challenge)) { + return true + } + } + return false +} + +// IsAttestationFormatEnabled checks if the given attestation format is enabled. +// By default apple, step and tpm are enabled, to disable any of them the +// AttestationFormat provisioner property should have at least one element. +func (p *ACME) IsAttestationFormatEnabled(ctx context.Context, format ACMEAttestationFormat) bool { + enabledFormats := []ACMEAttestationFormat{ + APPLE, STEP, TPM, + } + if len(p.AttestationFormats) > 0 { + enabledFormats = p.AttestationFormats + } + for _, f := range enabledFormats { + if strings.EqualFold(string(f), string(format)) { + return true + } + } + return false +} + +// GetAttestationRoots returns certificate pool with the configured attestation +// roots and reports if the pool contains at least one certificate. +// +// TODO(hs): we may not want to expose the root pool like this; call into an +// interface function instead to authorize? +func (p *ACME) GetAttestationRoots() (*x509.CertPool, bool) { + return p.attestationRootPool, p.attestationRootPool != nil +} diff --git a/authority/provisioner/acme_118_test.go b/authority/provisioner/acme_118_test.go new file mode 100644 index 00000000..e47dd3f6 --- /dev/null +++ b/authority/provisioner/acme_118_test.go @@ -0,0 +1,82 @@ +//go:build go1.18 +// +build go1.18 + +package provisioner + +import ( + "bytes" + "crypto/x509" + "os" + "testing" +) + +func TestACME_GetAttestationRoots(t *testing.T) { + appleCA, err := os.ReadFile("testdata/certs/apple-att-ca.crt") + if err != nil { + t.Fatal(err) + } + yubicoCA, err := os.ReadFile("testdata/certs/yubico-piv-ca.crt") + if err != nil { + t.Fatal(err) + } + + pool := x509.NewCertPool() + pool.AppendCertsFromPEM(appleCA) + pool.AppendCertsFromPEM(yubicoCA) + + type fields struct { + Type string + Name string + AttestationRoots []byte + } + tests := []struct { + name string + fields fields + want *x509.CertPool + want1 bool + }{ + {"ok", fields{"ACME", "acme", bytes.Join([][]byte{appleCA, yubicoCA}, []byte("\n"))}, pool, true}, + {"nil", fields{"ACME", "acme", nil}, nil, false}, + {"empty", fields{"ACME", "acme", []byte{}}, nil, false}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + p := &ACME{ + Type: tt.fields.Type, + Name: tt.fields.Name, + AttestationRoots: tt.fields.AttestationRoots, + } + if err := p.Init(Config{ + Claims: globalProvisionerClaims, + Audiences: testAudiences, + }); err != nil { + t.Fatal(err) + } + got, got1 := p.GetAttestationRoots() + switch { + case tt.want == nil && got == nil: + break + case tt.want == nil && got != nil, tt.want != nil && got == nil: + t.Errorf("ACME.GetAttestationRoots() got = %v, want %v", got, tt.want) + default: + //nolint:staticcheck // this file only runs in go1.18 + gotSubjects := got.Subjects() + //nolint:staticcheck // this file only runs in go1.18 + wantSubjects := tt.want.Subjects() + if len(gotSubjects) != len(wantSubjects) { + t.Errorf("ACME.GetAttestationRoots() got = %v, want %v", got, tt.want) + } else { + for i, gotSub := range gotSubjects { + if !bytes.Equal(gotSub, wantSubjects[i]) { + t.Errorf("ACME.GetAttestationRoots() got = %v, want %v", got, tt.want) + break + } + } + } + } + if got1 != tt.want1 { + t.Errorf("ACME.GetAttestationRoots() got1 = %v, want %v", got1, tt.want1) + } + }) + } +} diff --git a/authority/provisioner/acme_119_test.go b/authority/provisioner/acme_119_test.go new file mode 100644 index 00000000..608bdd82 --- /dev/null +++ b/authority/provisioner/acme_119_test.go @@ -0,0 +1,66 @@ +//go:build !go1.18 +// +build !go1.18 + +package provisioner + +import ( + "bytes" + "crypto/x509" + "os" + "testing" +) + +func TestACME_GetAttestationRoots(t *testing.T) { + appleCA, err := os.ReadFile("testdata/certs/apple-att-ca.crt") + if err != nil { + t.Fatal(err) + } + yubicoCA, err := os.ReadFile("testdata/certs/yubico-piv-ca.crt") + if err != nil { + t.Fatal(err) + } + + pool := x509.NewCertPool() + pool.AppendCertsFromPEM(appleCA) + pool.AppendCertsFromPEM(yubicoCA) + + type fields struct { + Type string + Name string + AttestationRoots []byte + } + tests := []struct { + name string + fields fields + want *x509.CertPool + want1 bool + }{ + {"ok", fields{"ACME", "acme", bytes.Join([][]byte{appleCA, yubicoCA}, []byte("\n"))}, pool, true}, + {"nil", fields{"ACME", "acme", nil}, nil, false}, + {"empty", fields{"ACME", "acme", []byte{}}, nil, false}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + p := &ACME{ + Type: tt.fields.Type, + Name: tt.fields.Name, + AttestationRoots: tt.fields.AttestationRoots, + } + if err := p.Init(Config{ + Claims: globalProvisionerClaims, + Audiences: testAudiences, + }); err != nil { + t.Fatal(err) + } + got, got1 := p.GetAttestationRoots() + if tt.want == nil && got != nil { + t.Errorf("ACME.GetAttestationRoots() got = %v, want %v", got, tt.want) + } else if !tt.want.Equal(got) { + t.Errorf("ACME.GetAttestationRoots() got = %v, want %v", got, tt.want) + } + if got1 != tt.want1 { + t.Errorf("ACME.GetAttestationRoots() got1 = %v, want %v", got1, tt.want1) + } + }) + } +} diff --git a/authority/provisioner/acme_test.go b/authority/provisioner/acme_test.go index 33cbbc75..d476ef08 100644 --- a/authority/provisioner/acme_test.go +++ b/authority/provisioner/acme_test.go @@ -1,11 +1,16 @@ +//go:build !go1.18 +// +build !go1.18 + package provisioner import ( + "bytes" "context" "crypto/x509" "errors" "fmt" "net/http" + "os" "testing" "time" @@ -13,6 +18,49 @@ import ( "github.com/smallstep/certificates/api/render" ) +func TestACMEChallenge_Validate(t *testing.T) { + tests := []struct { + name string + c ACMEChallenge + wantErr bool + }{ + {"http-01", HTTP_01, false}, + {"dns-01", DNS_01, false}, + {"tls-alpn-01", TLS_ALPN_01, false}, + {"device-attest-01", DEVICE_ATTEST_01, false}, + {"uppercase", "HTTP-01", false}, + {"fail", "http-02", true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if err := tt.c.Validate(); (err != nil) != tt.wantErr { + t.Errorf("ACMEChallenge.Validate() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +} + +func TestACMEAttestationFormat_Validate(t *testing.T) { + tests := []struct { + name string + f ACMEAttestationFormat + wantErr bool + }{ + {"apple", APPLE, false}, + {"step", STEP, false}, + {"tpm", TPM, false}, + {"uppercase", "APPLE", false}, + {"fail", "FOO", true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if err := tt.f.Validate(); (err != nil) != tt.wantErr { + t.Errorf("ACMEAttestationFormat.Validate() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +} + func TestACME_Getters(t *testing.T) { p, err := generateACME() assert.FatalError(t, err) @@ -34,6 +82,15 @@ func TestACME_Getters(t *testing.T) { } func TestACME_Init(t *testing.T) { + appleCA, err := os.ReadFile("testdata/certs/apple-att-ca.crt") + if err != nil { + t.Fatal(err) + } + yubicoCA, err := os.ReadFile("testdata/certs/yubico-piv-ca.crt") + if err != nil { + t.Fatal(err) + } + type ProvisionerValidateTest struct { p *ACME err error @@ -65,11 +122,46 @@ func TestACME_Init(t *testing.T) { err: errors.New("claims: MinTLSCertDuration must be greater than 0"), } }, + "fail-bad-challenge": func(t *testing.T) ProvisionerValidateTest { + return ProvisionerValidateTest{ + p: &ACME{Name: "foo", Type: "bar", Challenges: []ACMEChallenge{HTTP_01, "zar"}}, + err: errors.New("acme challenge \"zar\" is not supported"), + } + }, + "fail-bad-attestation-format": func(t *testing.T) ProvisionerValidateTest { + return ProvisionerValidateTest{ + p: &ACME{Name: "foo", Type: "bar", AttestationFormats: []ACMEAttestationFormat{APPLE, "zar"}}, + err: errors.New("acme attestation format \"zar\" is not supported"), + } + }, + "fail-parse-attestation-roots": func(t *testing.T) ProvisionerValidateTest { + return ProvisionerValidateTest{ + p: &ACME{Name: "foo", Type: "bar", AttestationRoots: []byte("-----BEGIN CERTIFICATE-----\nZm9v\n-----END CERTIFICATE-----")}, + err: errors.New("error parsing attestationRoots: malformed certificate"), + } + }, + "fail-empty-attestation-roots": func(t *testing.T) ProvisionerValidateTest { + return ProvisionerValidateTest{ + p: &ACME{Name: "foo", Type: "bar", AttestationRoots: []byte("\n")}, + err: errors.New("error parsing attestationRoots: no certificates found"), + } + }, "ok": func(t *testing.T) ProvisionerValidateTest { return ProvisionerValidateTest{ p: &ACME{Name: "foo", Type: "bar"}, } }, + "ok attestation": func(t *testing.T) ProvisionerValidateTest { + return ProvisionerValidateTest{ + p: &ACME{ + Name: "foo", + Type: "bar", + Challenges: []ACMEChallenge{DNS_01, DEVICE_ATTEST_01}, + AttestationFormats: []ACMEAttestationFormat{APPLE, STEP}, + AttestationRoots: bytes.Join([][]byte{appleCA, yubicoCA}, []byte("\n")), + }, + } + }, } config := Config{ @@ -79,6 +171,7 @@ func TestACME_Init(t *testing.T) { for name, get := range tests { t.Run(name, func(t *testing.T) { tc := get(t) + t.Log(string(tc.p.AttestationRoots)) err := tc.p.Init(config) if err != nil { if assert.NotNil(t, tc.err) { @@ -204,3 +297,80 @@ func TestACME_AuthorizeSign(t *testing.T) { }) } } + +func TestACME_IsChallengeEnabled(t *testing.T) { + ctx := context.Background() + type fields struct { + Challenges []ACMEChallenge + } + type args struct { + ctx context.Context + challenge ACMEChallenge + } + tests := []struct { + name string + fields fields + args args + want bool + }{ + {"ok http-01", fields{nil}, args{ctx, HTTP_01}, true}, + {"ok dns-01", fields{nil}, args{ctx, DNS_01}, true}, + {"ok tls-alpn-01", fields{[]ACMEChallenge{}}, args{ctx, TLS_ALPN_01}, true}, + {"fail device-attest-01", fields{[]ACMEChallenge{}}, args{ctx, "device-attest-01"}, false}, + {"ok http-01 enabled", fields{[]ACMEChallenge{"http-01"}}, args{ctx, "HTTP-01"}, true}, + {"ok dns-01 enabled", fields{[]ACMEChallenge{"http-01", "dns-01"}}, args{ctx, DNS_01}, true}, + {"ok tls-alpn-01 enabled", fields{[]ACMEChallenge{"http-01", "dns-01", "tls-alpn-01"}}, args{ctx, TLS_ALPN_01}, true}, + {"ok device-attest-01 enabled", fields{[]ACMEChallenge{"device-attest-01", "dns-01"}}, args{ctx, DEVICE_ATTEST_01}, true}, + {"fail http-01", fields{[]ACMEChallenge{"dns-01"}}, args{ctx, "http-01"}, false}, + {"fail dns-01", fields{[]ACMEChallenge{"http-01", "tls-alpn-01"}}, args{ctx, "dns-01"}, false}, + {"fail tls-alpn-01", fields{[]ACMEChallenge{"http-01", "dns-01", "device-attest-01"}}, args{ctx, "tls-alpn-01"}, false}, + {"fail device-attest-01", fields{[]ACMEChallenge{"http-01", "dns-01"}}, args{ctx, "device-attest-01"}, false}, + {"fail unknown", fields{[]ACMEChallenge{"http-01", "dns-01", "tls-alpn-01", "device-attest-01"}}, args{ctx, "unknown"}, false}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + p := &ACME{ + Challenges: tt.fields.Challenges, + } + if got := p.IsChallengeEnabled(tt.args.ctx, tt.args.challenge); got != tt.want { + t.Errorf("ACME.AuthorizeChallenge() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestACME_IsAttestationFormatEnabled(t *testing.T) { + ctx := context.Background() + type fields struct { + AttestationFormats []ACMEAttestationFormat + } + type args struct { + ctx context.Context + format ACMEAttestationFormat + } + tests := []struct { + name string + fields fields + args args + want bool + }{ + {"ok", fields{[]ACMEAttestationFormat{APPLE, STEP, TPM}}, args{ctx, TPM}, true}, + {"ok empty apple", fields{nil}, args{ctx, APPLE}, true}, + {"ok empty step", fields{nil}, args{ctx, STEP}, true}, + {"ok empty tpm", fields{[]ACMEAttestationFormat{}}, args{ctx, "tpm"}, true}, + {"ok uppercase", fields{[]ACMEAttestationFormat{APPLE, STEP, TPM}}, args{ctx, "STEP"}, true}, + {"fail apple", fields{[]ACMEAttestationFormat{STEP, TPM}}, args{ctx, APPLE}, false}, + {"fail step", fields{[]ACMEAttestationFormat{APPLE, TPM}}, args{ctx, STEP}, false}, + {"fail step", fields{[]ACMEAttestationFormat{APPLE, STEP}}, args{ctx, TPM}, false}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + p := &ACME{ + AttestationFormats: tt.fields.AttestationFormats, + } + if got := p.IsAttestationFormatEnabled(tt.args.ctx, tt.args.format); got != tt.want { + t.Errorf("ACME.IsAttestationFormatEnabled() = %v, want %v", got, tt.want) + } + }) + } +} diff --git a/authority/provisioner/aws.go b/authority/provisioner/aws.go index 463a4aee..caf72142 100644 --- a/authority/provisioner/aws.go +++ b/authority/provisioner/aws.go @@ -35,20 +35,17 @@ const awsIdentityURL = "http://169.254.169.254/latest/dynamic/instance-identity/ const awsSignatureURL = "http://169.254.169.254/latest/dynamic/instance-identity/signature" // awsAPITokenURL is the url used to get the IMDSv2 API token -// nolint:gosec // no credentials here -const awsAPITokenURL = "http://169.254.169.254/latest/api/token" +const awsAPITokenURL = "http://169.254.169.254/latest/api/token" //nolint:gosec // no credentials here // awsAPITokenTTL is the default TTL to use when requesting IMDSv2 API tokens // -- we keep this short-lived since we get a new token with every call to readURL() const awsAPITokenTTL = "30" // awsMetadataTokenHeader is the header that must be passed with every IMDSv2 request -// nolint:gosec // no credentials here -const awsMetadataTokenHeader = "X-aws-ec2-metadata-token" +const awsMetadataTokenHeader = "X-aws-ec2-metadata-token" //nolint:gosec // no credentials here // awsMetadataTokenTTLHeader is the header used to indicate the token TTL requested -// nolint:gosec // no credentials here -const awsMetadataTokenTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds" +const awsMetadataTokenTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds" //nolint:gosec // no credentials here // awsCertificate is the certificate used to validate the instance identity // signature. diff --git a/authority/provisioner/aws_test.go b/authority/provisioner/aws_test.go index 0660c3f0..0ad1eca9 100644 --- a/authority/provisioner/aws_test.go +++ b/authority/provisioner/aws_test.go @@ -522,8 +522,8 @@ func TestAWS_authorizeToken(t *testing.T) { tc := tt(t) if claims, err := tc.p.authorizeToken(tc.token); err != nil { if assert.NotNil(t, tc.err) { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tc.code) assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -669,8 +669,8 @@ func TestAWS_AuthorizeSign(t *testing.T) { t.Errorf("AWS.AuthorizeSign() error = %v, wantErr %v", err, tt.wantErr) return case err != nil: - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tt.code) default: assert.Equals(t, tt.wantLen, len(got)) @@ -748,7 +748,7 @@ func TestAWS_AuthorizeSSHSign(t *testing.T) { pub := key.Public().Key rsa2048, err := rsa.GenerateKey(rand.Reader, 2048) assert.FatalError(t, err) - // nolint:gosec // tests minimum size of the key + //nolint:gosec // tests minimum size of the key rsa1024, err := rsa.GenerateKey(rand.Reader, 1024) assert.FatalError(t, err) @@ -807,8 +807,8 @@ func TestAWS_AuthorizeSSHSign(t *testing.T) { return } if err != nil { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tt.code) assert.Nil(t, got) } else if assert.NotNil(t, got) { @@ -864,8 +864,8 @@ func TestAWS_AuthorizeRenew(t *testing.T) { if err := tt.aws.AuthorizeRenew(context.Background(), tt.args.cert); (err != nil) != tt.wantErr { t.Errorf("AWS.AuthorizeRenew() error = %v, wantErr %v", err, tt.wantErr) } else if err != nil { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tt.code) } }) diff --git a/authority/provisioner/azure.go b/authority/provisioner/azure.go index 3f714a3e..d6f71a89 100644 --- a/authority/provisioner/azure.go +++ b/authority/provisioner/azure.go @@ -24,8 +24,7 @@ import ( // azureOIDCBaseURL is the base discovery url for Microsoft Azure tokens. const azureOIDCBaseURL = "https://login.microsoftonline.com" -// azureIdentityTokenURL is the URL to get the identity token for an instance. -// nolint:gosec // no credentials here +//nolint:gosec // azureIdentityTokenURL is the URL to get the identity token for an instance. const azureIdentityTokenURL = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F" // azureDefaultAudience is the default audience used. diff --git a/authority/provisioner/azure_test.go b/authority/provisioner/azure_test.go index 7f8b70d0..539a9d16 100644 --- a/authority/provisioner/azure_test.go +++ b/authority/provisioner/azure_test.go @@ -336,8 +336,8 @@ func TestAzure_authorizeToken(t *testing.T) { tc := tt(t) if claims, name, group, subscriptionID, objectID, err := tc.p.authorizeToken(tc.token); err != nil { if assert.NotNil(t, tc.err) { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tc.code) assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -498,8 +498,8 @@ func TestAzure_AuthorizeSign(t *testing.T) { t.Errorf("Azure.AuthorizeSign() error = %v, wantErr %v", err, tt.wantErr) return case err != nil: - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tt.code) default: assert.Equals(t, tt.wantLen, len(got)) @@ -576,8 +576,8 @@ func TestAzure_AuthorizeRenew(t *testing.T) { if err := tt.azure.AuthorizeRenew(context.Background(), tt.args.cert); (err != nil) != tt.wantErr { t.Errorf("Azure.AuthorizeRenew() error = %v, wantErr %v", err, tt.wantErr) } else if err != nil { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tt.code) } }) @@ -624,7 +624,7 @@ func TestAzure_AuthorizeSSHSign(t *testing.T) { pub := key.Public().Key rsa2048, err := rsa.GenerateKey(rand.Reader, 2048) assert.FatalError(t, err) - // nolint:gosec // tests minimum size of the key + //nolint:gosec // tests minimum size of the key rsa1024, err := rsa.GenerateKey(rand.Reader, 1024) assert.FatalError(t, err) @@ -673,8 +673,8 @@ func TestAzure_AuthorizeSSHSign(t *testing.T) { return } if err != nil { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tt.code) assert.Nil(t, got) } else if assert.NotNil(t, got) { diff --git a/authority/provisioner/claims.go b/authority/provisioner/claims.go index 96f19b37..b6a5a81e 100644 --- a/authority/provisioner/claims.go +++ b/authority/provisioner/claims.go @@ -38,7 +38,8 @@ type Claimer struct { // NewClaimer initializes a new claimer with the given claims. func NewClaimer(claims *Claims, global Claims) (*Claimer, error) { c := &Claimer{global: global, claims: claims} - return c, c.Validate() + err := c.Validate() + return c, err } // Claims returns the merge of the inner and global claims. diff --git a/authority/provisioner/collection.go b/authority/provisioner/collection.go index 85b489c1..c483a50d 100644 --- a/authority/provisioner/collection.go +++ b/authority/provisioner/collection.go @@ -1,7 +1,7 @@ package provisioner import ( - "crypto/sha1" // nolint:gosec // not used for cryptographic security + "crypto/sha1" //nolint:gosec // not used for cryptographic security "crypto/x509" "encoding/asn1" "encoding/binary" @@ -319,7 +319,7 @@ func loadProvisioner(m *sync.Map, key string) (Interface, bool) { // provisionerSum returns the SHA1 of the provisioners ID. From this we will // create the unique and sorted id. func provisionerSum(p Interface) []byte { - // nolint:gosec // not used for cryptographic security + //nolint:gosec // not used for cryptographic security sum := sha1.Sum([]byte(p.GetID())) return sum[:] } diff --git a/authority/provisioner/gcp.go b/authority/provisioner/gcp.go index a116312d..19b731fa 100644 --- a/authority/provisioner/gcp.go +++ b/authority/provisioner/gcp.go @@ -102,7 +102,6 @@ func (p *GCP) GetID() string { return p.ID } return p.GetIDForToken() - } // GetIDForToken returns an identifier that will be used to load the provisioner diff --git a/authority/provisioner/gcp_test.go b/authority/provisioner/gcp_test.go index 3d6b5d75..0aa12301 100644 --- a/authority/provisioner/gcp_test.go +++ b/authority/provisioner/gcp_test.go @@ -391,8 +391,8 @@ func TestGCP_authorizeToken(t *testing.T) { tc := tt(t) if claims, err := tc.p.authorizeToken(tc.token); err != nil { if assert.NotNil(t, tc.err) { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tc.code) assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -541,8 +541,8 @@ func TestGCP_AuthorizeSign(t *testing.T) { t.Errorf("GCP.AuthorizeSign() error = %v, wantErr %v", err, tt.wantErr) return case err != nil: - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tt.code) default: assert.Equals(t, tt.wantLen, len(got)) @@ -623,7 +623,7 @@ func TestGCP_AuthorizeSSHSign(t *testing.T) { pub := key.Public().Key rsa2048, err := rsa.GenerateKey(rand.Reader, 2048) assert.FatalError(t, err) - // nolint:gosec // tests minimum size of the key + //nolint:gosec // tests minimum size of the key rsa1024, err := rsa.GenerateKey(rand.Reader, 1024) assert.FatalError(t, err) @@ -682,8 +682,8 @@ func TestGCP_AuthorizeSSHSign(t *testing.T) { return } if err != nil { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tt.code) assert.Nil(t, got) } else if assert.NotNil(t, got) { @@ -739,8 +739,8 @@ func TestGCP_AuthorizeRenew(t *testing.T) { if err := tt.prov.AuthorizeRenew(context.Background(), tt.args.cert); (err != nil) != tt.wantErr { t.Errorf("GCP.AuthorizeRenew() error = %v, wantErr %v", err, tt.wantErr) } else if err != nil { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCoder interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tt.code) } }) diff --git a/authority/provisioner/jwk_test.go b/authority/provisioner/jwk_test.go index 723ccf56..c34ce918 100644 --- a/authority/provisioner/jwk_test.go +++ b/authority/provisioner/jwk_test.go @@ -185,8 +185,8 @@ func TestJWK_authorizeToken(t *testing.T) { t.Run(tt.name, func(t *testing.T) { if got, err := tt.prov.authorizeToken(tt.args.token, testAudiences.Sign); err != nil { if assert.NotNil(t, tt.err) { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tt.code) assert.HasPrefix(t, err.Error(), tt.err.Error()) } @@ -225,8 +225,8 @@ func TestJWK_AuthorizeRevoke(t *testing.T) { t.Run(tt.name, func(t *testing.T) { if err := tt.prov.AuthorizeRevoke(context.Background(), tt.args.token); err != nil { if assert.NotNil(t, tt.err) { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tt.code) assert.HasPrefix(t, err.Error(), tt.err.Error()) } @@ -290,8 +290,8 @@ func TestJWK_AuthorizeSign(t *testing.T) { ctx := NewContextWithMethod(context.Background(), SignMethod) if got, err := tt.prov.AuthorizeSign(ctx, tt.args.token); err != nil { if assert.NotNil(t, tt.err) { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tt.code) assert.HasPrefix(t, err.Error(), tt.err.Error()) } @@ -366,8 +366,8 @@ func TestJWK_AuthorizeRenew(t *testing.T) { if err := tt.prov.AuthorizeRenew(context.Background(), tt.args.cert); (err != nil) != tt.wantErr { t.Errorf("JWK.AuthorizeRenew() error = %v, wantErr %v", err, tt.wantErr) } else if err != nil { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tt.code) } }) @@ -411,7 +411,7 @@ func TestJWK_AuthorizeSSHSign(t *testing.T) { pub := key.Public().Key rsa2048, err := rsa.GenerateKey(rand.Reader, 2048) assert.FatalError(t, err) - // nolint:gosec // tests minimum size of the key + //nolint:gosec // tests minimum size of the key rsa1024, err := rsa.GenerateKey(rand.Reader, 1024) assert.FatalError(t, err) @@ -461,8 +461,8 @@ func TestJWK_AuthorizeSSHSign(t *testing.T) { return } if err != nil { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tt.code) assert.Nil(t, got) } else if assert.NotNil(t, got) { @@ -626,8 +626,8 @@ func TestJWK_AuthorizeSSHRevoke(t *testing.T) { tc := tt(t) if err := tc.p.AuthorizeSSHRevoke(context.Background(), tc.token); err != nil { if assert.NotNil(t, tc.err) { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tc.code) assert.HasPrefix(t, err.Error(), tc.err.Error()) } diff --git a/authority/provisioner/k8sSA.go b/authority/provisioner/k8sSA.go index 28be0d5c..3d79933a 100644 --- a/authority/provisioner/k8sSA.go +++ b/authority/provisioner/k8sSA.go @@ -93,7 +93,6 @@ func (p *K8sSA) GetEncryptedKey() (string, string, bool) { // Init initializes and validates the fields of a K8sSA type. func (p *K8sSA) Init(config Config) (err error) { - switch { case p.Type == "": return errors.New("provisioner type cannot be empty") diff --git a/authority/provisioner/k8sSA_test.go b/authority/provisioner/k8sSA_test.go index 2458babb..8cf06e53 100644 --- a/authority/provisioner/k8sSA_test.go +++ b/authority/provisioner/k8sSA_test.go @@ -118,8 +118,8 @@ func TestK8sSA_authorizeToken(t *testing.T) { tc := tt(t) if claims, err := tc.p.authorizeToken(tc.token, testAudiences.Sign); err != nil { if assert.NotNil(t, tc.err) { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tc.code) assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -167,8 +167,8 @@ func TestK8sSA_AuthorizeRevoke(t *testing.T) { t.Run(name, func(t *testing.T) { tc := tt(t) if err := tc.p.AuthorizeRevoke(context.Background(), tc.token); err != nil { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tc.code) if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) @@ -223,8 +223,8 @@ func TestK8sSA_AuthorizeRenew(t *testing.T) { t.Run(name, func(t *testing.T) { tc := tt(t) if err := tc.p.AuthorizeRenew(context.Background(), tc.cert); err != nil { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tc.code) if assert.NotNil(t, tc.err) { assert.HasPrefix(t, err.Error(), tc.err.Error()) @@ -272,8 +272,8 @@ func TestK8sSA_AuthorizeSign(t *testing.T) { tc := tt(t) if opts, err := tc.p.AuthorizeSign(context.Background(), tc.token); err != nil { if assert.NotNil(t, tc.err) { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tc.code) assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -360,8 +360,8 @@ func TestK8sSA_AuthorizeSSHSign(t *testing.T) { tc := tt(t) if opts, err := tc.p.AuthorizeSSHSign(context.Background(), tc.token); err != nil { if assert.NotNil(t, tc.err) { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tc.code) assert.HasPrefix(t, err.Error(), tc.err.Error()) } diff --git a/authority/provisioner/keystore.go b/authority/provisioner/keystore.go index 8b276a75..e74a6b8a 100644 --- a/authority/provisioner/keystore.go +++ b/authority/provisioner/keystore.go @@ -85,14 +85,14 @@ func (ks *keyStore) reload() { // 0 it will randomly rotate between 0-12 hours, but every time we call to Get // it will automatically rotate. func (ks *keyStore) nextReloadDuration(age time.Duration) time.Duration { - n := rand.Int63n(int64(ks.jitter)) // nolint:gosec // not used for cryptographic security + n := rand.Int63n(int64(ks.jitter)) //nolint:gosec // not used for cryptographic security age -= time.Duration(n) return abs(age) } func getKeysFromJWKsURI(uri string) (jose.JSONWebKeySet, time.Duration, error) { var keys jose.JSONWebKeySet - resp, err := http.Get(uri) // nolint:gosec // openid-configuration jwks_uri + resp, err := http.Get(uri) //nolint:gosec // openid-configuration jwks_uri if err != nil { return keys, 0, errors.Wrapf(err, "failed to connect to %s", uri) } diff --git a/authority/provisioner/noop.go b/authority/provisioner/noop.go index 9ccd0c8c..bba64eb8 100644 --- a/authority/provisioner/noop.go +++ b/authority/provisioner/noop.go @@ -54,6 +54,7 @@ func (p *noop) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption } func (p *noop) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error) { + //nolint:nilnil // fine for noop return nil, nil } diff --git a/authority/provisioner/oidc.go b/authority/provisioner/oidc.go index bb3745b7..5463f20c 100644 --- a/authority/provisioner/oidc.go +++ b/authority/provisioner/oidc.go @@ -479,7 +479,7 @@ func (o *OIDC) AuthorizeSSHRevoke(ctx context.Context, token string) error { } func getAndDecode(uri string, v interface{}) error { - resp, err := http.Get(uri) // nolint:gosec // openid-configuration uri + resp, err := http.Get(uri) //nolint:gosec // openid-configuration uri if err != nil { return errors.Wrapf(err, "failed to connect to %s", uri) } diff --git a/authority/provisioner/oidc_test.go b/authority/provisioner/oidc_test.go index 7f80315f..3aa969e3 100644 --- a/authority/provisioner/oidc_test.go +++ b/authority/provisioner/oidc_test.go @@ -247,8 +247,8 @@ func TestOIDC_authorizeToken(t *testing.T) { return } if err != nil { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tt.code) assert.Nil(t, got) } else { @@ -318,8 +318,8 @@ func TestOIDC_AuthorizeSign(t *testing.T) { return } if err != nil { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tt.code) assert.Nil(t, got) } else if assert.NotNil(t, got) { @@ -406,8 +406,8 @@ func TestOIDC_AuthorizeRevoke(t *testing.T) { t.Errorf("OIDC.Authorize() error = %v, wantErr %v", err, tt.wantErr) return } else if err != nil { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tt.code) } }) @@ -452,8 +452,8 @@ func TestOIDC_AuthorizeRenew(t *testing.T) { if (err != nil) != tt.wantErr { t.Errorf("OIDC.AuthorizeRenew() error = %v, wantErr %v", err, tt.wantErr) } else if err != nil { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tt.code) } }) @@ -540,7 +540,7 @@ func TestOIDC_AuthorizeSSHSign(t *testing.T) { pub := key.Public().Key rsa2048, err := rsa.GenerateKey(rand.Reader, 2048) assert.FatalError(t, err) - // nolint:gosec // tests minimum size of the key + //nolint:gosec // tests minimum size of the key rsa1024, err := rsa.GenerateKey(rand.Reader, 1024) assert.FatalError(t, err) @@ -614,8 +614,8 @@ func TestOIDC_AuthorizeSSHSign(t *testing.T) { return } if err != nil { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tt.code) assert.Nil(t, got) } else if assert.NotNil(t, got) { @@ -682,8 +682,8 @@ func TestOIDC_AuthorizeSSHRevoke(t *testing.T) { if (err != nil) != tt.wantErr { t.Errorf("OIDC.AuthorizeSSHRevoke() error = %v, wantErr %v", err, tt.wantErr) } else if err != nil { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tt.code) } }) diff --git a/authority/provisioner/options_test.go b/authority/provisioner/options_test.go index 652fff73..aaf4b36c 100644 --- a/authority/provisioner/options_test.go +++ b/authority/provisioner/options_test.go @@ -254,7 +254,7 @@ func TestCustomTemplateOptions(t *testing.T) { } func Test_unsafeParseSigned(t *testing.T) { - // nolint:gosec // no credentials here + //nolint:gosec // no credentials here okToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJqYW5lQGRvZS5jb20iLCJpc3MiOiJodHRwczovL2RvZS5jb20iLCJqdGkiOiI4ZmYzMjQ4MS1mZDVmLTRlMmUtOTZkZi05MDhjMTI3Yzg1ZjciLCJpYXQiOjE1OTUzNjAwMjgsImV4cCI6MTU5NTM2MzYyOH0.aid8UuhFucJOFHXaob9zpNtVvhul9ulTGsA52mU6XIw" type args struct { s string diff --git a/authority/provisioner/policy.go b/authority/provisioner/policy.go index 95ef4163..caf8c782 100644 --- a/authority/provisioner/policy.go +++ b/authority/provisioner/policy.go @@ -9,8 +9,8 @@ type policyEngine struct { } func newPolicyEngine(options *Options) (*policyEngine, error) { - if options == nil { + //nolint:nilnil // legacy return nil, nil } diff --git a/authority/provisioner/sign_options.go b/authority/provisioner/sign_options.go index 2eefd331..bc0d88ff 100644 --- a/authority/provisioner/sign_options.go +++ b/authority/provisioner/sign_options.go @@ -5,7 +5,6 @@ import ( "crypto/ed25519" "crypto/rsa" "crypto/x509" - "crypto/x509/pkix" "encoding/json" "net" "net/http" @@ -78,6 +77,12 @@ func (fn CertificateEnforcerFunc) Enforce(cert *x509.Certificate) error { return fn(cert) } +// AttestationData is a SignOption used to pass attestation information to the +// sign methods. +type AttestationData struct { + PermanentIdentifier string +} + // emailOnlyIdentity is a CertificateRequestValidator that checks that the only // SAN provided is the given email address. type emailOnlyIdentity string @@ -305,7 +310,6 @@ func (v profileDefaultDuration) Modify(cert *x509.Certificate, so SignOptions) e if notBefore.IsZero() { notBefore = now() backdate = -1 * so.Backdate - } notAfter := so.NotAfter.RelativeTime(notBefore) if notAfter.IsZero() { @@ -425,18 +429,6 @@ func (v *x509NamePolicyValidator) Valid(cert *x509.Certificate, _ SignOptions) e return v.policyEngine.IsX509CertificateAllowed(cert) } -// var ( -// stepOIDRoot = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37476, 9000, 64} -// stepOIDProvisioner = append(asn1.ObjectIdentifier(nil), append(stepOIDRoot, 1)...) -// ) - -// type stepProvisionerASN1 struct { -// Type int -// Name []byte -// CredentialID []byte -// KeyValuePairs []string `asn1:"optional,omitempty"` -// } - type forceCNOption struct { ForceCN bool } @@ -481,13 +473,14 @@ func (o *provisionerExtensionOption) Modify(cert *x509.Certificate, _ SignOption if err != nil { return errs.NewError(http.StatusInternalServerError, err, "error creating certificate") } - // Prepend the provisioner extension. In the auth.Sign code we will - // force the resulting certificate to only have one extension, the - // first stepOIDProvisioner that is found in the ExtraExtensions. - // A client could pass a csr containing a malicious stepOIDProvisioner - // ExtraExtension. If we were to append (rather than prepend) the correct - // stepOIDProvisioner extension, then the resulting certificate would - // contain the malicious extension, rather than the one applied by step-ca. - cert.ExtraExtensions = append([]pkix.Extension{ext}, cert.ExtraExtensions...) + // Replace or append the provisioner extension to avoid the inclusions of + // malicious stepOIDProvisioner using templates. + for i, e := range cert.ExtraExtensions { + if e.Id.Equal(StepOIDProvisioner) { + cert.ExtraExtensions[i] = ext + return nil + } + } + cert.ExtraExtensions = append(cert.ExtraExtensions, ext) return nil } diff --git a/authority/provisioner/sign_options_test.go b/authority/provisioner/sign_options_test.go index fc4d675a..198462c7 100644 --- a/authority/provisioner/sign_options_test.go +++ b/authority/provisioner/sign_options_test.go @@ -3,6 +3,7 @@ package provisioner import ( "crypto/x509" "crypto/x509/pkix" + "encoding/asn1" "fmt" "net" "net/url" @@ -625,6 +626,16 @@ func Test_profileDefaultDuration_Option(t *testing.T) { } func Test_newProvisionerExtension_Option(t *testing.T) { + expectedValue, err := asn1.Marshal(extensionASN1{ + Type: int(TypeJWK), + Name: []byte("name"), + CredentialID: []byte("credentialId"), + KeyValuePairs: []string{"key", "value"}, + }) + if err != nil { + t.Fatal(err) + } + type test struct { cert *x509.Certificate valid func(*x509.Certificate) @@ -636,18 +647,22 @@ func Test_newProvisionerExtension_Option(t *testing.T) { valid: func(cert *x509.Certificate) { if assert.Len(t, 1, cert.ExtraExtensions) { ext := cert.ExtraExtensions[0] - assert.Equals(t, ext.Id, StepOIDProvisioner) + assert.Equals(t, StepOIDProvisioner, ext.Id) + assert.Equals(t, expectedValue, ext.Value) + assert.False(t, ext.Critical) + } }, } }, - "ok/prepend": func() test { + "ok/replace": func() test { return test{ cert: &x509.Certificate{ExtraExtensions: []pkix.Extension{{Id: StepOIDProvisioner, Critical: true}, {Id: []int{1, 2, 3}}}}, valid: func(cert *x509.Certificate) { - if assert.Len(t, 3, cert.ExtraExtensions) { + if assert.Len(t, 2, cert.ExtraExtensions) { ext := cert.ExtraExtensions[0] - assert.Equals(t, ext.Id, StepOIDProvisioner) + assert.Equals(t, StepOIDProvisioner, ext.Id) + assert.Equals(t, expectedValue, ext.Value) assert.False(t, ext.Critical) } }, @@ -657,7 +672,7 @@ func Test_newProvisionerExtension_Option(t *testing.T) { for name, run := range tests { t.Run(name, func(t *testing.T) { tt := run() - assert.FatalError(t, newProvisionerExtensionOption(TypeJWK, "foo", "bar", "baz", "zap").Modify(tt.cert, SignOptions{})) + assert.FatalError(t, newProvisionerExtensionOption(TypeJWK, "name", "credentialId", "key", "value").Modify(tt.cert, SignOptions{})) tt.valid(tt.cert) }) } diff --git a/authority/provisioner/sign_ssh_options_test.go b/authority/provisioner/sign_ssh_options_test.go index 28a35639..1993295b 100644 --- a/authority/provisioner/sign_ssh_options_test.go +++ b/authority/provisioner/sign_ssh_options_test.go @@ -287,7 +287,7 @@ func Test_sshCertTypeModifier_Modify(t *testing.T) { t.Run(name, func(t *testing.T) { tc := run() if assert.Nil(t, tc.modifier.Modify(tc.cert, SignSSHOptions{})) { - assert.Equals(t, tc.cert.CertType, uint32(tc.expected)) + assert.Equals(t, tc.cert.CertType, tc.expected) } }) } diff --git a/authority/provisioner/ssh_test.go b/authority/provisioner/ssh_test.go index b86945a3..3fd97f9d 100644 --- a/authority/provisioner/ssh_test.go +++ b/authority/provisioner/ssh_test.go @@ -2,6 +2,7 @@ package provisioner import ( "crypto" + "errors" "fmt" "net/http" "reflect" @@ -84,9 +85,10 @@ func signSSHCertificate(key crypto.PublicKey, opts SignSSHOptions, signOpts []Si // Create certificate from template. certificate, err := sshutil.NewCertificate(cr, certOptions...) if err != nil { - if _, ok := err.(*sshutil.TemplateError); ok { - return nil, errs.NewErr(http.StatusBadRequest, err, - errs.WithMessage(err.Error()), + var templErr *sshutil.TemplateError + if errors.As(err, &templErr) { + return nil, errs.NewErr(http.StatusBadRequest, templErr, + errs.WithMessage(templErr.Error()), errs.WithKeyVal("signOptions", signOpts), ) } diff --git a/authority/provisioner/testdata/certs/apple-att-ca.crt b/authority/provisioner/testdata/certs/apple-att-ca.crt new file mode 100644 index 00000000..2e5e3b3b --- /dev/null +++ b/authority/provisioner/testdata/certs/apple-att-ca.crt @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICJDCCAamgAwIBAgIUQsDCuyxyfFxeq/bxpm8frF15hzcwCgYIKoZIzj0EAwMw +UTEtMCsGA1UEAwwkQXBwbGUgRW50ZXJwcmlzZSBBdHRlc3RhdGlvbiBSb290IENB +MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzAeFw0yMjAyMTYxOTAx +MjRaFw00NzAyMjAwMDAwMDBaMFExLTArBgNVBAMMJEFwcGxlIEVudGVycHJpc2Ug +QXR0ZXN0YXRpb24gUm9vdCBDQTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UE +BhMCVVMwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT6Jigq+Ps9Q4CoT8t8q+UnOe2p +oT9nRaUfGhBTbgvqSGXPjVkbYlIWYO+1zPk2Sz9hQ5ozzmLrPmTBgEWRcHjA2/y7 +7GEicps9wn2tj+G89l3INNDKETdxSPPIZpPj8VmjQjBAMA8GA1UdEwEB/wQFMAMB +Af8wHQYDVR0OBBYEFPNqTQGd8muBpV5du+UIbVbi+d66MA4GA1UdDwEB/wQEAwIB +BjAKBggqhkjOPQQDAwNpADBmAjEA1xpWmTLSpr1VH4f8Ypk8f3jMUKYz4QPG8mL5 +8m9sX/b2+eXpTv2pH4RZgJjucnbcAjEA4ZSB6S45FlPuS/u4pTnzoz632rA+xW/T +ZwFEh9bhKjJ+5VQ9/Do1os0u3LEkgN/r +-----END CERTIFICATE----- \ No newline at end of file diff --git a/authority/provisioner/testdata/certs/yubico-piv-ca.crt b/authority/provisioner/testdata/certs/yubico-piv-ca.crt new file mode 100644 index 00000000..b0a92199 --- /dev/null +++ b/authority/provisioner/testdata/certs/yubico-piv-ca.crt @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDFzCCAf+gAwIBAgIDBAZHMA0GCSqGSIb3DQEBCwUAMCsxKTAnBgNVBAMMIFl1 +YmljbyBQSVYgUm9vdCBDQSBTZXJpYWwgMjYzNzUxMCAXDTE2MDMxNDAwMDAwMFoY +DzIwNTIwNDE3MDAwMDAwWjArMSkwJwYDVQQDDCBZdWJpY28gUElWIFJvb3QgQ0Eg +U2VyaWFsIDI2Mzc1MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMN2 +cMTNR6YCdcTFRxuPy31PabRn5m6pJ+nSE0HRWpoaM8fc8wHC+Tmb98jmNvhWNE2E +ilU85uYKfEFP9d6Q2GmytqBnxZsAa3KqZiCCx2LwQ4iYEOb1llgotVr/whEpdVOq +joU0P5e1j1y7OfwOvky/+AXIN/9Xp0VFlYRk2tQ9GcdYKDmqU+db9iKwpAzid4oH +BVLIhmD3pvkWaRA2H3DA9t7H/HNq5v3OiO1jyLZeKqZoMbPObrxqDg+9fOdShzgf +wCqgT3XVmTeiwvBSTctyi9mHQfYd2DwkaqxRnLbNVyK9zl+DzjSGp9IhVPiVtGet +X02dxhQnGS7K6BO0Qe8CAwEAAaNCMEAwHQYDVR0OBBYEFMpfyvLEojGc6SJf8ez0 +1d8Cv4O/MA8GA1UdEwQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3 +DQEBCwUAA4IBAQBc7Ih8Bc1fkC+FyN1fhjWioBCMr3vjneh7MLbA6kSoyWF70N3s +XhbXvT4eRh0hvxqvMZNjPU/VlRn6gLVtoEikDLrYFXN6Hh6Wmyy1GTnspnOvMvz2 +lLKuym9KYdYLDgnj3BeAvzIhVzzYSeU77/Cupofj093OuAswW0jYvXsGTyix6B3d +bW5yWvyS9zNXaqGaUmP3U9/b6DlHdDogMLu3VLpBB9bm5bjaKWWJYgWltCVgUbFq +Fqyi4+JE014cSgR57Jcu3dZiehB6UtAPgad9L5cNvua/IWRmm+ANy3O2LH++Pyl8 +SREzU8onbBsjMg9QDiSf5oJLKvd/Ren+zGY7 +-----END CERTIFICATE----- \ No newline at end of file diff --git a/authority/provisioner/utils_test.go b/authority/provisioner/utils_test.go index 265c7b08..f0e6949f 100644 --- a/authority/provisioner/utils_test.go +++ b/authority/provisioner/utils_test.go @@ -100,7 +100,7 @@ func generateJSONWebKey() (*jose.JSONWebKey, error) { if err != nil { return nil, err } - jwk.KeyID = string(hex.EncodeToString(fp)) + jwk.KeyID = hex.EncodeToString(fp) return jwk, nil } @@ -449,7 +449,7 @@ func generateAWSWithServer() (*AWS, *httptest.Server, error) { if err != nil { return nil, nil, errors.Wrap(err, "error signing document") } - // nolint:gosec // tests minimum size of the key + //nolint:gosec // tests minimum size of the key token := "AQAEAEEO9-7Z88ewKFpboZuDlFYWz9A3AN-wMOVzjEhfAyXW31BvVw==" srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { switch r.URL.Path { diff --git a/authority/provisioner/x5c_test.go b/authority/provisioner/x5c_test.go index 3bcf30d1..eb4f7def 100644 --- a/authority/provisioner/x5c_test.go +++ b/authority/provisioner/x5c_test.go @@ -120,7 +120,7 @@ M46l92gdOozT return ProvisionerValidateTest{ p: p, extraValid: func(p *X5C) error { - // nolint:staticcheck // We don't have a different way to + //nolint:staticcheck // We don't have a different way to // check the number of certificates in the pool. numCerts := len(p.rootPool.Subjects()) if numCerts != 2 { diff --git a/authority/provisioners.go b/authority/provisioners.go index 1fd34ef0..b98b1811 100644 --- a/authority/provisioners.go +++ b/authority/provisioners.go @@ -145,7 +145,6 @@ func (a *Authority) generateProvisionerConfig(ctx context.Context) (provisioner. AuthorizeRenewFunc: a.authorizeRenewFunc, AuthorizeSSHRenewFunc: a.authorizeSSHRenewFunc, }, nil - } // StoreProvisioner stores a provisioner to the authority. @@ -530,6 +529,7 @@ func durationsToLinkedca(d *provisioner.Duration) string { // certifictes claims type. func claimsToCertificates(c *linkedca.Claims) (*provisioner.Claims, error) { if c == nil { + //nolint:nilnil // nil claims do not pose an issue. return nil, nil } @@ -676,6 +676,17 @@ func provisionerPEMToLinkedca(b []byte) [][]byte { return roots } +func provisionerPEMToCertificates(bs [][]byte) []byte { + var roots []byte + for i, root := range bs { + if i > 0 && !bytes.HasSuffix(root, []byte{'\n'}) { + roots = append(roots, '\n') + } + roots = append(roots, root...) + } + return roots +} + // ProvisionerToCertificates converts the linkedca provisioner type to the certificates provisioner // interface. func ProvisionerToCertificates(p *linkedca.Provisioner) (provisioner.Interface, error) { @@ -748,13 +759,16 @@ func ProvisionerToCertificates(p *linkedca.Provisioner) (provisioner.Interface, case *linkedca.ProvisionerDetails_ACME: cfg := d.ACME return &provisioner.ACME{ - ID: p.Id, - Type: p.Type.String(), - Name: p.Name, - ForceCN: cfg.ForceCn, - RequireEAB: cfg.RequireEab, - Claims: claims, - Options: options, + ID: p.Id, + Type: p.Type.String(), + Name: p.Name, + ForceCN: cfg.ForceCn, + RequireEAB: cfg.RequireEab, + Challenges: challengesToCertificates(cfg.Challenges), + AttestationFormats: attestationFormatsToCertificates(cfg.AttestationFormats), + AttestationRoots: provisionerPEMToCertificates(cfg.AttestationRoots), + Claims: claims, + Options: options, }, nil case *linkedca.ProvisionerDetails_OIDC: cfg := d.OIDC @@ -1001,7 +1015,10 @@ func ProvisionerToLinkedca(p provisioner.Interface) (*linkedca.Provisioner, erro Details: &linkedca.ProvisionerDetails{ Data: &linkedca.ProvisionerDetails_ACME{ ACME: &linkedca.ACMEProvisioner{ - ForceCn: p.ForceCN, + ForceCn: p.ForceCN, + Challenges: challengesToLinkedca(p.Challenges), + AttestationFormats: attestationFormatsToLinkedca(p.AttestationFormats), + AttestationRoots: provisionerPEMToLinkedca(p.AttestationRoots), }, }, }, @@ -1122,3 +1139,75 @@ func parseInstanceAge(age string) (provisioner.Duration, error) { } return instanceAge, nil } + +// challengesToCertificates converts linkedca challenges to provisioner ones +// skipping the unknown ones. +func challengesToCertificates(challenges []linkedca.ACMEProvisioner_ChallengeType) []provisioner.ACMEChallenge { + ret := make([]provisioner.ACMEChallenge, 0, len(challenges)) + for _, ch := range challenges { + switch ch { + case linkedca.ACMEProvisioner_HTTP_01: + ret = append(ret, provisioner.HTTP_01) + case linkedca.ACMEProvisioner_DNS_01: + ret = append(ret, provisioner.DNS_01) + case linkedca.ACMEProvisioner_TLS_ALPN_01: + ret = append(ret, provisioner.TLS_ALPN_01) + case linkedca.ACMEProvisioner_DEVICE_ATTEST_01: + ret = append(ret, provisioner.DEVICE_ATTEST_01) + } + } + return ret +} + +// challengesToLinkedca converts provisioner challenges to linkedca ones +// skipping the unknown ones. +func challengesToLinkedca(challenges []provisioner.ACMEChallenge) []linkedca.ACMEProvisioner_ChallengeType { + ret := make([]linkedca.ACMEProvisioner_ChallengeType, 0, len(challenges)) + for _, ch := range challenges { + switch provisioner.ACMEChallenge(ch.String()) { + case provisioner.HTTP_01: + ret = append(ret, linkedca.ACMEProvisioner_HTTP_01) + case provisioner.DNS_01: + ret = append(ret, linkedca.ACMEProvisioner_DNS_01) + case provisioner.TLS_ALPN_01: + ret = append(ret, linkedca.ACMEProvisioner_TLS_ALPN_01) + case provisioner.DEVICE_ATTEST_01: + ret = append(ret, linkedca.ACMEProvisioner_DEVICE_ATTEST_01) + } + } + return ret +} + +// attestationFormatsToCertificates converts linkedca attestation formats to +// provisioner ones skipping the unknown ones. +func attestationFormatsToCertificates(formats []linkedca.ACMEProvisioner_AttestationFormatType) []provisioner.ACMEAttestationFormat { + ret := make([]provisioner.ACMEAttestationFormat, 0, len(formats)) + for _, f := range formats { + switch f { + case linkedca.ACMEProvisioner_APPLE: + ret = append(ret, provisioner.APPLE) + case linkedca.ACMEProvisioner_STEP: + ret = append(ret, provisioner.STEP) + case linkedca.ACMEProvisioner_TPM: + ret = append(ret, provisioner.TPM) + } + } + return ret +} + +// attestationFormatsToLinkedca converts provisioner attestation formats to +// linkedca ones skipping the unknown ones. +func attestationFormatsToLinkedca(formats []provisioner.ACMEAttestationFormat) []linkedca.ACMEProvisioner_AttestationFormatType { + ret := make([]linkedca.ACMEProvisioner_AttestationFormatType, 0, len(formats)) + for _, f := range formats { + switch provisioner.ACMEAttestationFormat(f.String()) { + case provisioner.APPLE: + ret = append(ret, linkedca.ACMEProvisioner_APPLE) + case provisioner.STEP: + ret = append(ret, linkedca.ACMEProvisioner_STEP) + case provisioner.TPM: + ret = append(ret, linkedca.ACMEProvisioner_TPM) + } + } + return ret +} diff --git a/authority/root_test.go b/authority/root_test.go index a1b08fac..e570b0be 100644 --- a/authority/root_test.go +++ b/authority/root_test.go @@ -32,8 +32,8 @@ func TestRoot(t *testing.T) { crt, err := a.Root(tc.sum) if err != nil { if assert.NotNil(t, tc.err) { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCoder interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tc.code) assert.HasPrefix(t, err.Error(), tc.err.Error()) } diff --git a/authority/ssh.go b/authority/ssh.go index d8d5375c..1b243b39 100644 --- a/authority/ssh.go +++ b/authority/ssh.go @@ -6,7 +6,6 @@ import ( "crypto/x509" "encoding/binary" "errors" - "fmt" "net/http" "strings" "time" @@ -20,7 +19,6 @@ import ( "github.com/smallstep/certificates/authority/provisioner" "github.com/smallstep/certificates/db" "github.com/smallstep/certificates/errs" - policy "github.com/smallstep/certificates/policy" "github.com/smallstep/certificates/templates" ) @@ -140,6 +138,7 @@ func (a *Authority) GetSSHBastion(ctx context.Context, user, hostname string) (* return a.config.SSH.Bastion, nil } } + //nolint:nilnil // legacy return nil, nil } return nil, errs.NotFound("authority.GetSSHBastion; ssh is not configured") @@ -202,7 +201,8 @@ func (a *Authority) SignSSH(ctx context.Context, key ssh.PublicKey, opts provisi // Create certificate from template. certificate, err := sshutil.NewCertificate(cr, certOptions...) if err != nil { - if _, ok := err.(*sshutil.TemplateError); ok { + var te *sshutil.TemplateError + if errors.As(err, &te) { return nil, errs.ApplyOptions( errs.BadRequestErr(err, err.Error()), errs.WithKeyVal("signOptions", signOpts), @@ -253,15 +253,9 @@ func (a *Authority) SignSSH(ctx context.Context, key ssh.PublicKey, opts provisi // Check if authority is allowed to sign the certificate if err := a.isAllowedToSignSSHCertificate(certTpl); err != nil { - var pe *policy.NamePolicyError - if errors.As(err, &pe) && pe.Reason == policy.NotAllowed { - return nil, &errs.Error{ - // NOTE: custom forbidden error, so that denied name is sent to client - // as well as shown in the logs. - Status: http.StatusForbidden, - Err: fmt.Errorf("authority not allowed to sign: %w", err), - Msg: fmt.Sprintf("The request was forbidden by the certificate authority: %s", err.Error()), - } + var ee *errs.Error + if errors.As(err, &ee) { + return nil, ee } return nil, errs.InternalServerErr(err, errs.WithMessage("authority.SignSSH: error creating ssh certificate"), @@ -281,7 +275,7 @@ func (a *Authority) SignSSH(ctx context.Context, key ssh.PublicKey, opts provisi } } - if err = a.storeSSHCertificate(prov, cert); err != nil && err != db.ErrNotImplemented { + if err = a.storeSSHCertificate(prov, cert); err != nil && !errors.Is(err, db.ErrNotImplemented) { return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.SignSSH: error storing certificate in db") } @@ -351,7 +345,7 @@ func (a *Authority) RenewSSH(ctx context.Context, oldCert *ssh.Certificate) (*ss return nil, errs.Wrap(http.StatusInternalServerError, err, "signSSH: error signing certificate") } - if err = a.storeRenewedSSHCertificate(prov, oldCert, cert); err != nil && err != db.ErrNotImplemented { + if err = a.storeRenewedSSHCertificate(prov, oldCert, cert); err != nil && !errors.Is(err, db.ErrNotImplemented) { return nil, errs.Wrap(http.StatusInternalServerError, err, "renewSSH: error storing certificate in db") } @@ -434,7 +428,7 @@ func (a *Authority) RekeySSH(ctx context.Context, oldCert *ssh.Certificate, pub } } - if err = a.storeRenewedSSHCertificate(prov, oldCert, cert); err != nil && err != db.ErrNotImplemented { + if err = a.storeRenewedSSHCertificate(prov, oldCert, cert); err != nil && !errors.Is(err, db.ErrNotImplemented) { return nil, errs.Wrap(http.StatusInternalServerError, err, "rekeySSH; error storing certificate in db") } @@ -570,7 +564,7 @@ func (a *Authority) SignSSHAddUser(ctx context.Context, key ssh.PublicKey, subje } cert.Signature = sig - if err = a.storeRenewedSSHCertificate(prov, subject, cert); err != nil && err != db.ErrNotImplemented { + if err = a.storeRenewedSSHCertificate(prov, subject, cert); err != nil && !errors.Is(err, db.ErrNotImplemented) { return nil, errs.Wrap(http.StatusInternalServerError, err, "signSSHAddUser: error storing certificate in db") } @@ -589,7 +583,7 @@ func (a *Authority) CheckSSHHost(ctx context.Context, principal, token string) ( } exists, err := a.db.IsSSHHost(principal) if err != nil { - if err == db.ErrNotImplemented { + if errors.Is(err, db.ErrNotImplemented) { return false, errs.Wrap(http.StatusNotImplemented, err, "checkSSHHost: isSSHHost is not implemented") } diff --git a/authority/ssh_test.go b/authority/ssh_test.go index 4fd7eaa0..73916c03 100644 --- a/authority/ssh_test.go +++ b/authority/ssh_test.go @@ -850,8 +850,8 @@ func TestAuthority_GetSSHHosts(t *testing.T) { hosts, err := auth.GetSSHHosts(context.Background(), tc.cert) if err != nil { if assert.NotNil(t, tc.err) { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tc.code) assert.HasPrefix(t, err.Error(), tc.err.Error()) } @@ -1077,8 +1077,8 @@ func TestAuthority_RekeySSH(t *testing.T) { cert, err := auth.RekeySSH(context.Background(), tc.cert, tc.key, tc.signOpts...) if err != nil { if assert.NotNil(t, tc.err) { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tc.code) assert.HasPrefix(t, err.Error(), tc.err.Error()) } diff --git a/authority/tls.go b/authority/tls.go index 4652735a..d70c1558 100644 --- a/authority/tls.go +++ b/authority/tls.go @@ -30,7 +30,6 @@ import ( casapi "github.com/smallstep/certificates/cas/apiv1" "github.com/smallstep/certificates/db" "github.com/smallstep/certificates/errs" - "github.com/smallstep/certificates/policy" ) // GetTLSOptions returns the tls options configured. @@ -96,6 +95,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign var prov provisioner.Interface var pInfo *casapi.ProvisionerInfo + var attData provisioner.AttestationData for _, op := range extraOpts { switch k := op.(type) { // Capture current provisioner @@ -131,6 +131,11 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign case provisioner.CertificateEnforcer: certEnforcers = append(certEnforcers, k) + // Extra information from ACME attestations. + case provisioner.AttestationData: + attData = k + // TODO(mariano,areed): remove me once attData is used. + _ = attData default: return nil, errs.InternalServer("authority.Sign; invalid extra option type %T", append([]interface{}{k}, opts...)...) } @@ -138,7 +143,8 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign cert, err := x509util.NewCertificate(csr, certOptions...) if err != nil { - if _, ok := err.(*x509util.TemplateError); ok { + var te *x509util.TemplateError + if errors.As(err, &te) { return nil, errs.ApplyOptions( errs.BadRequestErr(err, err.Error()), errs.WithKeyVal("csr", csr), @@ -208,15 +214,9 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign // Check if authority is allowed to sign the certificate if err := a.isAllowedToSignX509Certificate(leaf); err != nil { - var pe *policy.NamePolicyError - if errors.As(err, &pe) && pe.Reason == policy.NotAllowed { - return nil, errs.ApplyOptions(&errs.Error{ - // NOTE: custom forbidden error, so that denied name is sent to client - // as well as shown in the logs. - Status: http.StatusForbidden, - Err: fmt.Errorf("authority not allowed to sign: %w", err), - Msg: fmt.Sprintf("The request was forbidden by the certificate authority: %s", err.Error()), - }, opts...) + var ee *errs.Error + if errors.As(err, &ee) { + return nil, errs.ApplyOptions(ee, opts...) } return nil, errs.InternalServerErr(err, errs.WithKeyVal("csr", csr), @@ -240,7 +240,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign fullchain := append([]*x509.Certificate{resp.Certificate}, resp.CertificateChain...) if err = a.storeCertificate(prov, fullchain); err != nil { - if err != db.ErrNotImplemented { + if !errors.Is(err, db.ErrNotImplemented) { return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.Sign; error storing certificate in db", opts...) } @@ -252,6 +252,9 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign // isAllowedToSignX509Certificate checks if the Authority is allowed // to sign the X.509 certificate. func (a *Authority) isAllowedToSignX509Certificate(cert *x509.Certificate) error { + if err := a.constraintsEngine.ValidateCertificate(cert); err != nil { + return err + } return a.policyEngine.IsX509CertificateAllowed(cert) } @@ -347,6 +350,22 @@ func (a *Authority) Rekey(oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x5 newCert.ExtraExtensions = append(newCert.ExtraExtensions, ext) } + // Check if the certificate is allowed to be renewed, name constraints might + // change over time. + // + // TODO(hslatman,maraino): consider adding policies too and consider if + // RenewSSH should check policies. + if err := a.constraintsEngine.ValidateCertificate(newCert); err != nil { + var ee *errs.Error + if errors.As(err, &ee) { + return nil, errs.ApplyOptions(ee, opts...) + } + return nil, errs.InternalServerErr(err, + errs.WithKeyVal("serialNumber", oldCert.SerialNumber.String()), + errs.WithMessage("error renewing certificate"), + ) + } + resp, err := a.x509CAService.RenewCertificate(&casapi.RenewCertificateRequest{ Template: newCert, Lifetime: lifetime, @@ -358,7 +377,7 @@ func (a *Authority) Rekey(oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x5 fullchain := append([]*x509.Certificate{resp.Certificate}, resp.CertificateChain...) if err = a.storeRenewedCertificate(oldCert, fullchain); err != nil { - if err != db.ErrNotImplemented { + if !errors.Is(err, db.ErrNotImplemented) { return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.Rekey; error storing certificate in db", opts...) } } @@ -559,12 +578,12 @@ func (a *Authority) Revoke(ctx context.Context, revokeOpts *RevokeOptions) error return errs.Wrap(http.StatusInternalServerError, err, "authority.Revoke", opts...) } } - switch err { - case nil: + switch { + case err == nil: return nil - case db.ErrNotImplemented: + case errors.Is(err, db.ErrNotImplemented): return errs.NotImplemented("authority.Revoke; no persistence layer configured", opts...) - case db.ErrAlreadyExists: + case errors.Is(err, db.ErrAlreadyExists): return errs.ApplyOptions( errs.BadRequest("certificate with serial number '%s' is already revoked", rci.Serial), opts..., @@ -752,6 +771,18 @@ func (a *Authority) GetTLSCertificate() (*tls.Certificate, error) { certTpl.NotBefore = now.Add(-1 * time.Minute) certTpl.NotAfter = now.Add(24 * time.Hour) + // Policy and constraints require this fields to be set. At this moment they + // are only present in the extra extension. + certTpl.DNSNames = cr.DNSNames + certTpl.IPAddresses = cr.IPAddresses + certTpl.EmailAddresses = cr.EmailAddresses + certTpl.URIs = cr.URIs + + // Fail if name constraints do not allow the server names. + if err := a.constraintsEngine.ValidateCertificate(certTpl); err != nil { + return fatal(err) + } + resp, err := a.x509CAService.CreateCertificate(&casapi.CreateCertificateRequest{ Template: certTpl, CSR: cr, @@ -799,7 +830,7 @@ func templatingError(err error) error { ) if errors.As(err, &syntaxError) { // offset is arguably not super clear to the user, but it's the best we can do here - cause = fmt.Errorf("%s at offset %d", cause.Error(), syntaxError.Offset) + cause = fmt.Errorf("%w at offset %d", cause, syntaxError.Offset) } else if errors.As(err, &typeError) { // slightly rewriting the default error message to include the offset cause = fmt.Errorf("cannot unmarshal %s at offset %d into Go value of type %s", typeError.Value, typeError.Offset, typeError.Type) diff --git a/authority/tls_test.go b/authority/tls_test.go index a8521b51..bc9e3e3a 100644 --- a/authority/tls_test.go +++ b/authority/tls_test.go @@ -6,7 +6,7 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/sha1" // nolint:gosec // used to create the Subject Key Identifier by RFC 5280 + "crypto/sha1" //nolint:gosec // used to create the Subject Key Identifier by RFC 5280 "crypto/x509" "crypto/x509/pkix" "encoding/asn1" @@ -22,6 +22,7 @@ import ( "go.step.sm/crypto/jose" "go.step.sm/crypto/keyutil" + "go.step.sm/crypto/minica" "go.step.sm/crypto/pemutil" "go.step.sm/crypto/x509util" @@ -199,7 +200,7 @@ func generateSubjectKeyID(pub crypto.PublicKey) ([]byte, error) { if _, err = asn1.Unmarshal(b, &info); err != nil { return nil, fmt.Errorf("error unmarshaling public key: %w", err) } - // nolint:gosec // used to create the Subject Key Identifier by RFC 5280 + //nolint:gosec // used to create the Subject Key Identifier by RFC 5280 hash := sha1.Sum(info.SubjectPublicKey.Bytes) return hash[:], nil } @@ -542,7 +543,7 @@ ZYtQ9Ot36qc= notBefore: signOpts.NotBefore.Time().Truncate(time.Second), notAfter: signOpts.NotAfter.Time().Truncate(time.Second), extensionsCount: 6, - err: errors.New("authority not allowed to sign"), + err: errors.New("dns name \"test.smallstep.com\" not allowed"), code: http.StatusForbidden, } }, @@ -577,7 +578,7 @@ ZYtQ9Ot36qc= {Id: stepOIDProvisioner, Value: []byte("foo")}, {Id: []int{1, 1, 1}, Value: []byte("bar")}})) now := time.Now().UTC() - // nolint:gocritic + //nolint:gocritic enforcedExtraOptions := append(extraOpts, &certificateDurationEnforcer{ NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour), @@ -730,13 +731,13 @@ ZYtQ9Ot36qc= if err != nil { if assert.NotNil(t, tc.err, fmt.Sprintf("unexpected error: %s", err)) { assert.Nil(t, certChain) - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tc.code) assert.HasPrefix(t, err.Error(), tc.err.Error()) - ctxErr, ok := err.(*errs.Error) - assert.Fatal(t, ok, "error is not of type *errs.Error") + var ctxErr *errs.Error + assert.Fatal(t, errors.As(err, &ctxErr), "error is not of type *errs.Error") assert.Equals(t, ctxErr.Details["csr"], tc.csr) assert.Equals(t, ctxErr.Details["signOptions"], tc.signOpts) } @@ -929,13 +930,13 @@ func TestAuthority_Renew(t *testing.T) { if err != nil { if assert.NotNil(t, tc.err, fmt.Sprintf("unexpected error: %s", err)) { assert.Nil(t, certChain) - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tc.code) assert.HasPrefix(t, err.Error(), tc.err.Error()) - ctxErr, ok := err.(*errs.Error) - assert.Fatal(t, ok, "error is not of type *errs.Error") + var ctxErr *errs.Error + assert.Fatal(t, errors.As(err, &ctxErr), "error is not of type *errs.Error") assert.Equals(t, ctxErr.Details["serialNumber"], tc.cert.SerialNumber.String()) } } else { @@ -1136,13 +1137,13 @@ func TestAuthority_Rekey(t *testing.T) { if err != nil { if assert.NotNil(t, tc.err, fmt.Sprintf("unexpected error: %s", err)) { assert.Nil(t, certChain) - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tc.code) assert.HasPrefix(t, err.Error(), tc.err.Error()) - ctxErr, ok := err.(*errs.Error) - assert.Fatal(t, ok, "error is not of type *errs.Error") + var ctxErr *errs.Error + assert.Fatal(t, errors.As(err, &ctxErr), "error is not of type *errs.Error") assert.Equals(t, ctxErr.Details["serialNumber"], tc.cert.SerialNumber.String()) } } else { @@ -1566,13 +1567,13 @@ func TestAuthority_Revoke(t *testing.T) { t.Run(name, func(t *testing.T) { if err := tc.auth.Revoke(tc.ctx, tc.opts); err != nil { if assert.NotNil(t, tc.err, fmt.Sprintf("unexpected error: %s", err)) { - sc, ok := err.(render.StatusCodedError) - assert.Fatal(t, ok, "error does not implement StatusCodedError interface") + var sc render.StatusCodedError + assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") assert.Equals(t, sc.StatusCode(), tc.code) assert.HasPrefix(t, err.Error(), tc.err.Error()) - ctxErr, ok := err.(*errs.Error) - assert.Fatal(t, ok, "error is not of type *errs.Error") + var ctxErr *errs.Error + assert.Fatal(t, errors.As(err, &ctxErr), "error is not of type *errs.Error") assert.Equals(t, ctxErr.Details["serialNumber"], tc.opts.Serial) assert.Equals(t, ctxErr.Details["reasonCode"], tc.opts.ReasonCode) assert.Equals(t, ctxErr.Details["reason"], tc.opts.Reason) @@ -1589,3 +1590,86 @@ func TestAuthority_Revoke(t *testing.T) { }) } } + +func TestAuthority_constraints(t *testing.T) { + ca, err := minica.New( + minica.WithIntermediateTemplate(`{ + "subject": {{ toJson .Subject }}, + "keyUsage": ["certSign", "crlSign"], + "basicConstraints": { + "isCA": true, + "maxPathLen": 0 + }, + "nameConstraints": { + "critical": true, + "permittedDNSDomains": ["internal.example.org"], + "excludedDNSDomains": ["internal.example.com"], + "permittedIPRanges": ["192.168.1.0/24", "192.168.2.1/32"], + "excludedIPRanges": ["192.168.3.0/24", "192.168.4.0/28"], + "permittedEmailAddresses": ["root@example.org", "example.org", ".acme.org"], + "excludedEmailAddresses": ["root@example.com", "example.com", ".acme.com"], + "permittedURIDomains": ["uuid.example.org", ".acme.org"], + "excludedURIDomains": ["uuid.example.com", ".acme.com"] + } + }`), + ) + if err != nil { + t.Fatal(err) + } + + auth, err := NewEmbedded(WithX509RootCerts(ca.Root), WithX509Signer(ca.Intermediate, ca.Signer)) + if err != nil { + t.Fatal(err) + } + signer, err := keyutil.GenerateDefaultSigner() + if err != nil { + t.Fatal(err) + } + + tests := []struct { + name string + sans []string + wantErr bool + }{ + {"ok dns", []string{"internal.example.org", "host.internal.example.org"}, false}, + {"ok ip", []string{"192.168.1.10", "192.168.2.1"}, false}, + {"ok email", []string{"root@example.org", "info@example.org", "info@www.acme.org"}, false}, + {"ok uri", []string{"https://uuid.example.org/b908d973-5167-4a62-abe3-6beda358d82a", "https://uuid.acme.org/1724aae1-1bb3-44fb-83c3-9a1a18df67c8"}, false}, + {"fail permitted dns", []string{"internal.acme.org"}, true}, + {"fail excluded dns", []string{"internal.example.com"}, true}, + {"fail permitted ips", []string{"192.168.2.10"}, true}, + {"fail excluded ips", []string{"192.168.3.1"}, true}, + {"fail permitted emails", []string{"root@acme.org"}, true}, + {"fail excluded emails", []string{"root@example.com"}, true}, + {"fail permitted uris", []string{"https://acme.org/uuid/7848819c-9d0b-4e12-bbff-cd66079a3444"}, true}, + {"fail excluded uris", []string{"https://uuid.example.com/d325eda7-6356-4d60-b8f6-3d64724afeb3"}, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + csr, err := x509util.CreateCertificateRequest(tt.sans[0], tt.sans, signer) + if err != nil { + t.Fatal(err) + } + cert, err := ca.SignCSR(csr) + if err != nil { + t.Fatal(err) + } + + data := x509util.CreateTemplateData(tt.sans[0], tt.sans) + templateOption, err := provisioner.TemplateOptions(nil, data) + if err != nil { + t.Fatal(err) + } + + _, err = auth.Sign(csr, provisioner.SignOptions{}, templateOption) + if (err != nil) != tt.wantErr { + t.Errorf("Authority.Sign() error = %v, wantErr %v", err, tt.wantErr) + } + + _, err = auth.Renew(cert) + if (err != nil) != tt.wantErr { + t.Errorf("Authority.Renew() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +} diff --git a/ca/acmeClient.go b/ca/acmeClient.go index cca35b93..1c195efd 100644 --- a/ca/acmeClient.go +++ b/ca/acmeClient.go @@ -52,6 +52,7 @@ func NewACMEClient(endpoint string, contact []string, opts ...ClientOption) (*AC if err != nil { return nil, errors.Wrapf(err, "client GET %s failed", endpoint) } + defer resp.Body.Close() if resp.StatusCode >= 400 { return nil, readACMEError(resp.Body) } @@ -80,6 +81,7 @@ func NewACMEClient(endpoint string, contact []string, opts ...ClientOption) (*AC if err != nil { return nil, err } + defer resp.Body.Close() if resp.StatusCode >= 400 { return nil, readACMEError(resp.Body) } @@ -111,6 +113,7 @@ func (c *ACMEClient) GetNonce() (string, error) { if err != nil { return "", errors.Wrapf(err, "client GET %s failed", c.dir.NewNonce) } + defer resp.Body.Close() if resp.StatusCode >= 400 { return "", readACMEError(resp.Body) } @@ -198,6 +201,7 @@ func (c *ACMEClient) NewOrder(payload []byte) (*acme.Order, error) { if err != nil { return nil, err } + defer resp.Body.Close() if resp.StatusCode >= 400 { return nil, readACMEError(resp.Body) } @@ -218,6 +222,7 @@ func (c *ACMEClient) GetChallenge(url string) (*acme.Challenge, error) { if err != nil { return nil, err } + defer resp.Body.Close() if resp.StatusCode >= 400 { return nil, readACMEError(resp.Body) } @@ -237,6 +242,21 @@ func (c *ACMEClient) ValidateChallenge(url string) error { if err != nil { return err } + defer resp.Body.Close() + if resp.StatusCode >= 400 { + return readACMEError(resp.Body) + } + return nil +} + +// ValidateWithPayload will attempt to validate the challenge at the given url +// with the given attestation payload. +func (c *ACMEClient) ValidateWithPayload(url string, payload []byte) error { + resp, err := c.post(payload, url, withKid(c)) + if err != nil { + return err + } + defer resp.Body.Close() if resp.StatusCode >= 400 { return readACMEError(resp.Body) } @@ -249,6 +269,7 @@ func (c *ACMEClient) GetAuthz(url string) (*acme.Authorization, error) { if err != nil { return nil, err } + defer resp.Body.Close() if resp.StatusCode >= 400 { return nil, readACMEError(resp.Body) } @@ -266,6 +287,7 @@ func (c *ACMEClient) GetOrder(url string) (*acme.Order, error) { if err != nil { return nil, err } + defer resp.Body.Close() if resp.StatusCode >= 400 { return nil, readACMEError(resp.Body) } @@ -289,6 +311,7 @@ func (c *ACMEClient) FinalizeOrder(url string, csr *x509.CertificateRequest) err if err != nil { return err } + defer resp.Body.Close() if resp.StatusCode >= 400 { return readACMEError(resp.Body) } @@ -301,6 +324,7 @@ func (c *ACMEClient) GetCertificate(url string) (*x509.Certificate, []*x509.Cert if err != nil { return nil, nil, err } + defer resp.Body.Close() if resp.StatusCode >= 400 { return nil, nil, readACMEError(resp.Body) } @@ -337,6 +361,7 @@ func (c *ACMEClient) GetAccountOrders() ([]string, error) { if err != nil { return nil, err } + defer resp.Body.Close() if resp.StatusCode >= 400 { return nil, readACMEError(resp.Body) } diff --git a/ca/acmeClient_test.go b/ca/acmeClient_test.go index f17a2f7a..77d380f9 100644 --- a/ca/acmeClient_test.go +++ b/ca/acmeClient_test.go @@ -12,13 +12,12 @@ import ( "time" "github.com/pkg/errors" - "go.step.sm/crypto/jose" - "go.step.sm/crypto/pemutil" - "github.com/smallstep/assert" "github.com/smallstep/certificates/acme" acmeAPI "github.com/smallstep/certificates/acme/api" "github.com/smallstep/certificates/api/render" + "go.step.sm/crypto/jose" + "go.step.sm/crypto/pemutil" ) func TestNewACMEClient(t *testing.T) { @@ -980,6 +979,100 @@ func TestACMEClient_ValidateChallenge(t *testing.T) { } } +func TestACMEClient_ValidateWithPayload(t *testing.T) { + key, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0) + assert.FatalError(t, err) + + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { + assert.Equals(t, "step-http-client/1.0", req.Header.Get("User-Agent")) // check default User-Agent header + + t.Log(req.RequestURI) + w.Header().Set("Replay-Nonce", "nonce") + switch req.RequestURI { + case "/nonce": + render.JSONStatus(w, []byte{}, 200) + return + case "/fail-nonce": + render.JSONStatus(w, acme.NewError(acme.ErrorMalformedType, "malformed request"), 400) + return + } + + // validate jws request protected headers and body + body, err := io.ReadAll(req.Body) + assert.FatalError(t, err) + + jws, err := jose.ParseJWS(string(body)) + assert.FatalError(t, err) + + hdr := jws.Signatures[0].Protected + assert.Equals(t, hdr.Nonce, "nonce") + + _, ok := hdr.ExtraHeaders["url"].(string) + assert.Fatal(t, ok) + assert.Equals(t, hdr.KeyID, "kid") + + payload, err := jws.Verify(key.Public()) + assert.FatalError(t, err) + assert.Equals(t, payload, []byte("the-payload")) + + switch req.RequestURI { + case "/ok": + render.JSONStatus(w, acme.Challenge{ + Type: "device-attestation-01", + Status: "valid", + Token: "foo", + }, 200) + case "/fail": + render.JSONStatus(w, acme.NewError(acme.ErrorMalformedType, "malformed request"), 400) + } + })) + defer srv.Close() + + type fields struct { + client *http.Client + dirLoc string + dir *acmeAPI.Directory + acc *acme.Account + Key *jose.JSONWebKey + kid string + } + type args struct { + url string + payload []byte + } + tests := []struct { + name string + fields fields + args args + wantErr bool + }{ + {"ok", fields{srv.Client(), srv.URL, &acmeAPI.Directory{ + NewNonce: srv.URL + "/nonce", + }, nil, key, "kid"}, args{srv.URL + "/ok", []byte("the-payload")}, false}, + {"fail nonce", fields{srv.Client(), srv.URL, &acmeAPI.Directory{ + NewNonce: srv.URL + "/fail-nonce", + }, nil, key, "kid"}, args{srv.URL + "/ok", []byte("the-payload")}, true}, + {"fail payload", fields{srv.Client(), srv.URL, &acmeAPI.Directory{ + NewNonce: srv.URL + "/nonce", + }, nil, key, "kid"}, args{srv.URL + "/fail", []byte("the-payload")}, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + c := &ACMEClient{ + client: tt.fields.client, + dirLoc: tt.fields.dirLoc, + dir: tt.fields.dir, + acc: tt.fields.acc, + Key: tt.fields.Key, + kid: tt.fields.kid, + } + if err := c.ValidateWithPayload(tt.args.url, tt.args.payload); (err != nil) != tt.wantErr { + t.Errorf("ACMEClient.ValidateWithPayload() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +} + func TestACMEClient_FinalizeOrder(t *testing.T) { type test struct { r1, r2 interface{} @@ -1266,7 +1359,7 @@ func TestACMEClient_GetCertificate(t *testing.T) { Type: "Certificate", Bytes: leaf.Raw, }) - // nolint:gocritic + //nolint:gocritic certBytes := append(leafb, leafb...) certBytes = append(certBytes, leafb...) ac := &ACMEClient{ diff --git a/ca/adminClient.go b/ca/adminClient.go index 6532b000..84a0d413 100644 --- a/ca/adminClient.go +++ b/ca/adminClient.go @@ -116,7 +116,6 @@ func (c *AdminClient) generateAdminToken(aud *url.URL) (string, error) { } return tok.SignedString(c.x5cJWK.Algorithm, c.x5cJWK.Key) - } func (c *AdminClient) retryOnError(r *http.Response) bool { diff --git a/ca/bootstrap_test.go b/ca/bootstrap_test.go index 2a837a3d..974ba1f1 100644 --- a/ca/bootstrap_test.go +++ b/ca/bootstrap_test.go @@ -200,7 +200,7 @@ func TestBootstrap(t *testing.T) { } } -// nolint:gosec // insecure test servers +//nolint:gosec // insecure test servers func TestBootstrapServerWithoutMTLS(t *testing.T) { srv := startCABootstrapServer() defer srv.Close() @@ -246,6 +246,7 @@ func TestBootstrapServerWithoutMTLS(t *testing.T) { expected := &http.Server{ TLSConfig: got.TLSConfig, } + //nolint:govet // not comparing errors if !reflect.DeepEqual(got, expected) { t.Errorf("BootstrapServer() = %v, want %v", got, expected) } @@ -257,7 +258,7 @@ func TestBootstrapServerWithoutMTLS(t *testing.T) { } } -// nolint:gosec // insecure test servers +//nolint:gosec // insecure test servers func TestBootstrapServerWithMTLS(t *testing.T) { srv := startCABootstrapServer() defer srv.Close() @@ -303,6 +304,7 @@ func TestBootstrapServerWithMTLS(t *testing.T) { expected := &http.Server{ TLSConfig: got.TLSConfig, } + //nolint:govet // not comparing errors if !reflect.DeepEqual(got, expected) { t.Errorf("BootstrapServer() = %v, want %v", got, expected) } @@ -407,7 +409,7 @@ func TestBootstrapClientServerRotation(t *testing.T) { // Create bootstrap server token := generateBootstrapToken(caURL, "127.0.0.1", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7") - // nolint:gosec // insecure test server + //nolint:gosec // insecure test server server, err := BootstrapServer(context.Background(), token, &http.Server{ Addr: ":0", Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { @@ -526,7 +528,7 @@ func TestBootstrapClientServerFederation(t *testing.T) { // Create bootstrap server token := generateBootstrapToken(caURL1, "127.0.0.1", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7") - // nolint:gosec // insecure test server + //nolint:gosec // insecure test server server, err := BootstrapServer(context.Background(), token, &http.Server{ Addr: ":0", Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { diff --git a/ca/ca.go b/ca/ca.go index bddcab79..01b321d7 100644 --- a/ca/ca.go +++ b/ca/ca.go @@ -529,9 +529,9 @@ func (ca *CA) shouldServeSCEPEndpoints() bool { return ca.auth.GetSCEPService() != nil } -// nolint // ignore linters to allow keeping this function around for debugging +//nolint:unused // useful for debugging func dumpRoutes(mux chi.Routes) { - // helpful routine for logging all routes // + // helpful routine for logging all routes walkFunc := func(method string, route string, handler http.Handler, middlewares ...func(http.Handler) http.Handler) error { fmt.Printf("%s %s\n", method, route) return nil diff --git a/ca/ca_test.go b/ca/ca_test.go index e76ca8ff..7ad25cc6 100644 --- a/ca/ca_test.go +++ b/ca/ca_test.go @@ -5,7 +5,7 @@ import ( "context" "crypto" "crypto/rand" - "crypto/sha1" // nolint:gosec // used to create the Subject Key Identifier by RFC 5280 + "crypto/sha1" //nolint:gosec // used to create the Subject Key Identifier by RFC 5280 "crypto/tls" "crypto/x509" "crypto/x509/pkix" @@ -66,7 +66,7 @@ func generateSubjectKeyID(pub crypto.PublicKey) ([]byte, error) { return nil, errors.Wrap(err, "error unmarshaling public key") } - // nolint:gosec // used to create the Subject Key Identifier by RFC 5280 + //nolint:gosec // used to create the Subject Key Identifier by RFC 5280 hash := sha1.Sum(info.SubjectPublicKey.Bytes) return hash[:], nil } diff --git a/ca/client.go b/ca/client.go index 19fcd0bd..8519e5c5 100644 --- a/ca/client.go +++ b/ca/client.go @@ -56,7 +56,7 @@ func newClient(transport http.RoundTripper) *uaClient { } } -// nolint:gosec // used in bootstrap protocol +//nolint:gosec // used in bootstrap protocol func newInsecureClient() *uaClient { return &uaClient{ Client: &http.Client{ @@ -120,9 +120,7 @@ type clientOptions struct { } func (o *clientOptions) apply(opts []ClientOption) (err error) { - if err = o.applyDefaultIdentity(); err != nil { - return - } + o.applyDefaultIdentity() for _, fn := range opts { if err = fn(o); err != nil { return @@ -133,26 +131,25 @@ func (o *clientOptions) apply(opts []ClientOption) (err error) { // applyDefaultIdentity sets the options for the default identity if the // identity file is present. The identity is enabled by default. -func (o *clientOptions) applyDefaultIdentity() error { +func (o *clientOptions) applyDefaultIdentity() { if DisableIdentity { - return nil + return } // Do not load an identity if something fails i, err := identity.LoadDefaultIdentity() if err != nil { - return nil + return } if err := i.Validate(); err != nil { - return nil + return } crt, err := i.TLSCertificate() if err != nil { - return nil + return } o.certificate = crt o.getClientCertificate = i.GetClientCertificateFunc() - return nil } // checkTransport checks if other ways to set up a transport have been provided. @@ -241,13 +238,13 @@ func WithTransport(tr http.RoundTripper) ClientOption { } // WithInsecure adds a insecure transport that bypasses TLS verification. -// nolint:gosec // insecure option func WithInsecure() ClientOption { return func(o *clientOptions) error { o.transport = &http.Transport{ Proxy: http.ProxyFromEnvironment, TLSClientConfig: &tls.Config{ - MinVersion: tls.VersionTLS12, + MinVersion: tls.VersionTLS12, + //nolint:gosec // insecure option InsecureSkipVerify: true, }, } @@ -1139,7 +1136,7 @@ retry: var check api.SSHCheckPrincipalResponse if err := readJSON(resp.Body, &check); err != nil { return nil, errs.Wrapf(http.StatusInternalServerError, err, "error reading %s response", - []interface{}{u, errs.WithMessage("Failed to parse response from /ssh/check-host endpoint")}) + []any{u, errs.WithMessage("Failed to parse response from /ssh/check-host endpoint")}...) } return &check, nil } @@ -1203,6 +1200,7 @@ func (c *Client) RootFingerprint() (string, error) { if err != nil { return "", errors.Wrapf(err, "client GET %s failed", u) } + defer resp.Body.Close() if resp.TLS == nil || len(resp.TLS.VerifiedChains) == 0 { return "", errors.New("missing verified chains") } diff --git a/ca/identity/client.go b/ca/identity/client.go index 4b0aee82..f6c8c213 100644 --- a/ca/identity/client.go +++ b/ca/identity/client.go @@ -82,7 +82,6 @@ func LoadClient() (*Client, error) { Transport: tr, }, }, nil - } type defaultsConfig struct { diff --git a/ca/identity/client_test.go b/ca/identity/client_test.go index 14e6da6c..2ebeb15d 100644 --- a/ca/identity/client_test.go +++ b/ca/identity/client_test.go @@ -242,7 +242,7 @@ func Test_defaultsConfig_Validate(t *testing.T) { } } -// nolint:staticcheck,gocritic +//nolint:staticcheck,gocritic func equalPools(a, b *x509.CertPool) bool { if reflect.DeepEqual(a, b) { return true diff --git a/ca/identity/identity.go b/ca/identity/identity.go index 2a6b4c39..755d270a 100644 --- a/ca/identity/identity.go +++ b/ca/identity/identity.go @@ -261,6 +261,7 @@ func (i *Identity) GetClientCertificateFunc() func(*tls.CertificateRequestInfo) // GetCertPool returns a x509.CertPool if the identity defines a custom root. func (i *Identity) GetCertPool() (*x509.CertPool, error) { if i.Root == "" { + //nolint:nilnil // legacy return nil, nil } b, err := os.ReadFile(i.Root) diff --git a/ca/identity/identity_test.go b/ca/identity/identity_test.go index eb32328a..9a2422b3 100644 --- a/ca/identity/identity_test.go +++ b/ca/identity/identity_test.go @@ -345,7 +345,7 @@ func TestIdentity_GetCertPool(t *testing.T) { return } if got != nil { - // nolint:staticcheck // we don't have a different way to check + //nolint:staticcheck // we don't have a different way to check // the certificates in the pool. subjects := got.Subjects() if !reflect.DeepEqual(subjects, tt.wantSubjects) { diff --git a/ca/provisioner.go b/ca/provisioner.go index c1879c86..d5b23f38 100644 --- a/ca/provisioner.go +++ b/ca/provisioner.go @@ -182,19 +182,17 @@ func loadProvisionerJWKByKid(client *Client, kid string, password []byte) (*jose // loadProvisionerJWKByName retrieves the list of provisioners and encrypted key then // returns the key of the first provisioner with a matching name that can be successfully // decrypted with the specified password. -func loadProvisionerJWKByName(client *Client, name string, password []byte) (key *jose.JSONWebKey, err error) { +func loadProvisionerJWKByName(client *Client, name string, password []byte) (*jose.JSONWebKey, error) { provisioners, err := getProvisioners(client) if err != nil { - err = errors.Wrap(err, "error getting the provisioners") - return + return nil, errors.Wrap(err, "error getting the provisioners") } for _, provisioner := range provisioners { if provisioner.GetName() == name { if _, encryptedKey, ok := provisioner.GetEncryptedKey(); ok { - key, err = decryptProvisionerJWK(encryptedKey, password) - if err == nil { - return + if key, err := decryptProvisionerJWK(encryptedKey, password); err == nil { + return key, nil } } } diff --git a/ca/renew.go b/ca/renew.go index a913e59c..ea4c5764 100644 --- a/ca/renew.go +++ b/ca/renew.go @@ -193,7 +193,7 @@ func (r *TLSRenewer) nextRenewDuration(notAfter time.Time) time.Duration { return d } -// nolint:gosec // not used for cryptographic security +//nolint:gosec // not used for cryptographic security func mathRandInt63n(n int64) int64 { return rand.Int63n(n) } diff --git a/ca/tls.go b/ca/tls.go index b4d54952..282f9778 100644 --- a/ca/tls.go +++ b/ca/tls.go @@ -105,8 +105,8 @@ func (c *Client) getClientTLSConfig(ctx context.Context, sign *api.SignResponse, } tr := getDefaultTransport(tlsConfig) - // Use mutable tls.Config on renew - tr.DialTLS = c.buildDialTLS(tlsCtx) // nolint:staticcheck,gocritic + //nolint:staticcheck // Use mutable tls.Config on renew + tr.DialTLS = c.buildDialTLS(tlsCtx) // tr.DialTLSContext = c.buildDialTLSContext(tlsCtx) renewer.RenewCertificate = getRenewFunc(tlsCtx, c, tr, pk) @@ -153,8 +153,8 @@ func (c *Client) GetServerTLSConfig(ctx context.Context, sign *api.SignResponse, // Update renew function with transport tr := getDefaultTransport(tlsConfig) - // Use mutable tls.Config on renew - tr.DialTLS = c.buildDialTLS(tlsCtx) // nolint:staticcheck,gocritic + //nolint:staticcheck // Use mutable tls.Config on renew + tr.DialTLS = c.buildDialTLS(tlsCtx) // tr.DialTLSContext = c.buildDialTLSContext(tlsCtx) renewer.RenewCertificate = getRenewFunc(tlsCtx, c, tr, pk) @@ -194,8 +194,7 @@ func (c *Client) buildDialTLS(ctx *TLSOptionCtx) func(network, addr string) (net } } -// buildDialTLSContext returns an implementation of DialTLSContext callback in http.Transport. -// nolint:unused,gocritic +//nolint:unused // buildDialTLSContext returns an implementation of DialTLSContext callback in http.Transport. func (c *Client) buildDialTLSContext(tlsCtx *TLSOptionCtx) func(ctx context.Context, network, addr string) (net.Conn, error) { return func(ctx context.Context, network, addr string) (net.Conn, error) { d := getDefaultDialer() @@ -253,8 +252,7 @@ func TLSCertificate(sign *api.SignResponse, pk crypto.PrivateKey) (*tls.Certific return nil, err } - // nolint:gocritic - // using a new variable for clarity + //nolint:gocritic // using a new variable for clarity chain := append(certPEM, caPEM...) cert, err := tls.X509KeyPair(chain, keyPEM) if err != nil { diff --git a/ca/tls_options_test.go b/ca/tls_options_test.go index 65086315..7dea3dc8 100644 --- a/ca/tls_options_test.go +++ b/ca/tls_options_test.go @@ -13,7 +13,7 @@ import ( "github.com/smallstep/certificates/api" ) -// nolint:gosec // test tls config +//nolint:gosec // test tls config func Test_newTLSOptionCtx(t *testing.T) { client, err := NewClient("https://ca.smallstep.com", WithTransport(http.DefaultTransport)) if err != nil { @@ -41,7 +41,7 @@ func Test_newTLSOptionCtx(t *testing.T) { } } -// nolint:gosec // test tls config +//nolint:gosec // test tls config func TestTLSOptionCtx_apply(t *testing.T) { fail := func() TLSOption { return func(ctx *TLSOptionCtx) error { @@ -78,7 +78,7 @@ func TestTLSOptionCtx_apply(t *testing.T) { } } -// nolint:gosec // test tls config +//nolint:gosec // test tls config func TestRequireAndVerifyClientCert(t *testing.T) { tests := []struct { name string @@ -103,7 +103,7 @@ func TestRequireAndVerifyClientCert(t *testing.T) { } } -// nolint:gosec // test tls config +//nolint:gosec // test tls config func TestVerifyClientCertIfGiven(t *testing.T) { tests := []struct { name string @@ -128,7 +128,7 @@ func TestVerifyClientCertIfGiven(t *testing.T) { } } -// nolint:gosec // test tls config +//nolint:gosec // test tls config func TestAddRootCA(t *testing.T) { cert := parseCertificate(rootPEM) pool := x509.NewCertPool() @@ -161,7 +161,7 @@ func TestAddRootCA(t *testing.T) { } } -// nolint:gosec // test tls config +//nolint:gosec // test tls config func TestAddClientCA(t *testing.T) { cert := parseCertificate(rootPEM) pool := x509.NewCertPool() @@ -194,7 +194,7 @@ func TestAddClientCA(t *testing.T) { } } -// nolint:gosec // test tls config +//nolint:gosec // test tls config func TestAddRootsToRootCAs(t *testing.T) { ca := startCATestServer() defer ca.Close() @@ -249,7 +249,7 @@ func TestAddRootsToRootCAs(t *testing.T) { } } -// nolint:gosec // test tls config +//nolint:gosec // test tls config func TestAddRootsToClientCAs(t *testing.T) { ca := startCATestServer() defer ca.Close() @@ -304,7 +304,7 @@ func TestAddRootsToClientCAs(t *testing.T) { } } -// nolint:gosec // test tls config +//nolint:gosec // test tls config func TestAddFederationToRootCAs(t *testing.T) { ca := startCATestServer() defer ca.Close() @@ -369,7 +369,7 @@ func TestAddFederationToRootCAs(t *testing.T) { } } -// nolint:gosec // test tls config +//nolint:gosec // test tls config func TestAddFederationToClientCAs(t *testing.T) { ca := startCATestServer() defer ca.Close() @@ -434,7 +434,7 @@ func TestAddFederationToClientCAs(t *testing.T) { } } -// nolint:gosec // test tls config +//nolint:gosec // test tls config func TestAddRootsToCAs(t *testing.T) { ca := startCATestServer() defer ca.Close() @@ -489,7 +489,7 @@ func TestAddRootsToCAs(t *testing.T) { } } -// nolint:gosec // test tls config +//nolint:gosec // test tls config func TestAddFederationToCAs(t *testing.T) { ca := startCATestServer() defer ca.Close() @@ -554,7 +554,7 @@ func TestAddFederationToCAs(t *testing.T) { } } -// nolint:staticcheck,gocritic +//nolint:staticcheck,gocritic func equalPools(a, b *x509.CertPool) bool { if reflect.DeepEqual(a, b) { return true diff --git a/cas/apiv1/services.go b/cas/apiv1/services.go index 43f95d81..f1d02b3c 100644 --- a/cas/apiv1/services.go +++ b/cas/apiv1/services.go @@ -65,14 +65,13 @@ func (t Type) String() string { return strings.ToLower(string(t)) } -// ErrNotImplemented is the type of error returned if an operation is not -// implemented. -type ErrNotImplemented struct { +// NotImplementedError is the type of error returned if an operation is not implemented. +type NotImplementedError struct { Message string } -// ErrNotImplemented implements the error interface. -func (e ErrNotImplemented) Error() string { +// NotImplementedError implements the error interface. +func (e NotImplementedError) Error() string { if e.Message != "" { return e.Message } @@ -81,6 +80,6 @@ func (e ErrNotImplemented) Error() string { // StatusCode implements the StatusCoder interface and returns the HTTP 501 // error. -func (e ErrNotImplemented) StatusCode() int { +func (e NotImplementedError) StatusCode() int { return http.StatusNotImplemented } diff --git a/cas/apiv1/services_test.go b/cas/apiv1/services_test.go index eb7d502e..f8e16138 100644 --- a/cas/apiv1/services_test.go +++ b/cas/apiv1/services_test.go @@ -24,7 +24,7 @@ func TestType_String(t *testing.T) { } } -func TestErrNotImplemented_Error(t *testing.T) { +func TestNotImplementedError_Error(t *testing.T) { type fields struct { Message string } @@ -38,17 +38,17 @@ func TestErrNotImplemented_Error(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - e := ErrNotImplemented{ + e := NotImplementedError{ Message: tt.fields.Message, } if got := e.Error(); got != tt.want { - t.Errorf("ErrNotImplemented.Error() = %v, want %v", got, tt.want) + t.Errorf("NotImplementedError.Error() = %v, want %v", got, tt.want) } }) } } -func TestErrNotImplemented_StatusCode(t *testing.T) { +func TestNotImplementedError_StatusCode(t *testing.T) { type fields struct { Message string } @@ -62,11 +62,11 @@ func TestErrNotImplemented_StatusCode(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - s := ErrNotImplemented{ + s := NotImplementedError{ Message: tt.fields.Message, } if got := s.StatusCode(); got != tt.want { - t.Errorf("ErrNotImplemented.StatusCode() = %v, want %v", got, tt.want) + t.Errorf("NotImplementedError.StatusCode() = %v, want %v", got, tt.want) } }) } diff --git a/cas/cloudcas/cloudcas_test.go b/cas/cloudcas/cloudcas_test.go index eee25956..880c0488 100644 --- a/cas/cloudcas/cloudcas_test.go +++ b/cas/cloudcas/cloudcas_test.go @@ -14,6 +14,7 @@ import ( "io" "net" "os" + "path/filepath" "reflect" "testing" "time" @@ -103,7 +104,7 @@ MHcCAQEEIN51Rgg6YcQVLeCRzumdw4pjM3VWqFIdCbnsV3Up1e/goAoGCCqGSM49 AwEHoUQDQgAEjJIcDhvvxi7gu4aFkiW/8+E3BfPhmhXU5RlDQusre+MHXc7XYMtk Lm6PXPeTF1DNdS21Ju1G/j1yUykGJOmxkg== -----END EC PRIVATE KEY-----` - // nolint:unused,deadcode,gocritic + //nolint:unused,gocritic,varcheck testIntermediateKey = `-----BEGIN EC PRIVATE KEY----- MHcCAQEEIMMX/XkXGnRDD4fYu7Z4rHACdJn/iyOy2UTwsv+oZ0C+oAoGCCqGSM49 AwEHoUQDQgAE8u6rGAFj5CZpdzzMogLwUyCMnp0X9wtv4OKDRcpzkYf9PU5GuGA6 @@ -398,10 +399,18 @@ func TestNew_real(t *testing.T) { if v, ok := os.LookupEnv("GOOGLE_APPLICATION_CREDENTIALS"); ok { os.Unsetenv("GOOGLE_APPLICATION_CREDENTIALS") t.Cleanup(func() { - os.Setenv("GOOGLE_APPLICATION_CREDENTIALS", v) + t.Setenv("GOOGLE_APPLICATION_CREDENTIALS", v) }) } + failDefaultCredentials := true + if home, err := os.UserHomeDir(); err == nil { + file := filepath.Join(home, ".config", "gcloud", "application_default_credentials.json") + if _, err := os.Stat(file); err == nil { + failDefaultCredentials = false + } + } + type args struct { ctx context.Context opts apiv1.Options @@ -412,7 +421,7 @@ func TestNew_real(t *testing.T) { args args wantErr bool }{ - {"fail default credentials", true, args{context.Background(), apiv1.Options{CertificateAuthority: testAuthorityName}}, true}, + {"fail default credentials", true, args{context.Background(), apiv1.Options{CertificateAuthority: testAuthorityName}}, failDefaultCredentials}, {"fail certificate authority", false, args{context.Background(), apiv1.Options{}}, true}, {"fail with credentials", false, args{context.Background(), apiv1.Options{ CertificateAuthority: testAuthorityName, CredentialsFile: "testdata/missing.json", @@ -872,12 +881,12 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) { fake.LROClient = client // Configure mocks - any := gomock.Any() + anee := gomock.Any() // ok root - m.EXPECT().GetCaPool(any, any).Return(nil, status.Error(codes.NotFound, "not found")) - m.EXPECT().CreateCaPool(any, any).Return(fake.CreateCaPoolOperation("CreateCaPool"), nil) - mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{ + m.EXPECT().GetCaPool(anee, anee).Return(nil, status.Error(codes.NotFound, "not found")) + m.EXPECT().CreateCaPool(anee, anee).Return(fake.CreateCaPoolOperation("CreateCaPool"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(&longrunningpb.Operation{ Name: "CreateCaPool", Done: true, Result: &longrunningpb.Operation_Response{ @@ -886,8 +895,8 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) { })).(*anypb.Any), }, }, nil) - m.EXPECT().CreateCertificateAuthority(any, any).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) - mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{ + m.EXPECT().CreateCertificateAuthority(anee, anee).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(&longrunningpb.Operation{ Name: "CreateCertificateAuthority", Done: true, Result: &longrunningpb.Operation_Response{ @@ -897,8 +906,8 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) { })).(*anypb.Any), }, }, nil) - m.EXPECT().EnableCertificateAuthority(any, any).Return(fake.EnableCertificateAuthorityOperation("EnableCertificateAuthorityOperation"), nil) - mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{ + m.EXPECT().EnableCertificateAuthority(anee, anee).Return(fake.EnableCertificateAuthorityOperation("EnableCertificateAuthorityOperation"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(&longrunningpb.Operation{ Name: "EnableCertificateAuthority", Done: true, Result: &longrunningpb.Operation_Response{ @@ -910,9 +919,9 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) { }, nil) // ok intermediate - m.EXPECT().GetCaPool(any, any).Return(&pb.CaPool{Name: testCaPoolName}, nil) - m.EXPECT().CreateCertificateAuthority(any, any).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) - mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{ + m.EXPECT().GetCaPool(anee, anee).Return(&pb.CaPool{Name: testCaPoolName}, nil) + m.EXPECT().CreateCertificateAuthority(anee, anee).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(&longrunningpb.Operation{ Name: "CreateCertificateAuthority", Done: true, Result: &longrunningpb.Operation_Response{ @@ -921,15 +930,15 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) { })).(*anypb.Any), }, }, nil) - m.EXPECT().FetchCertificateAuthorityCsr(any, any).Return(&pb.FetchCertificateAuthorityCsrResponse{ + m.EXPECT().FetchCertificateAuthorityCsr(anee, anee).Return(&pb.FetchCertificateAuthorityCsrResponse{ PemCsr: testIntermediateCsr, }, nil) - m.EXPECT().CreateCertificate(any, any).Return(&pb.Certificate{ + m.EXPECT().CreateCertificate(anee, anee).Return(&pb.Certificate{ PemCertificate: testIntermediateCertificate, PemCertificateChain: []string{testRootCertificate}, }, nil) - m.EXPECT().ActivateCertificateAuthority(any, any).Return(fake.ActivateCertificateAuthorityOperation("ActivateCertificateAuthority"), nil) - mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{ + m.EXPECT().ActivateCertificateAuthority(anee, anee).Return(fake.ActivateCertificateAuthorityOperation("ActivateCertificateAuthority"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(&longrunningpb.Operation{ Name: "ActivateCertificateAuthority", Done: true, Result: &longrunningpb.Operation_Response{ @@ -939,8 +948,8 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) { })).(*anypb.Any), }, }, nil) - m.EXPECT().EnableCertificateAuthority(any, any).Return(fake.EnableCertificateAuthorityOperation("EnableCertificateAuthorityOperation"), nil) - mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{ + m.EXPECT().EnableCertificateAuthority(anee, anee).Return(fake.EnableCertificateAuthorityOperation("EnableCertificateAuthorityOperation"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(&longrunningpb.Operation{ Name: "EnableCertificateAuthority", Done: true, Result: &longrunningpb.Operation_Response{ @@ -952,9 +961,9 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) { }, nil) // ok intermediate local signer - m.EXPECT().GetCaPool(any, any).Return(&pb.CaPool{Name: testCaPoolName}, nil) - m.EXPECT().CreateCertificateAuthority(any, any).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) - mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{ + m.EXPECT().GetCaPool(anee, anee).Return(&pb.CaPool{Name: testCaPoolName}, nil) + m.EXPECT().CreateCertificateAuthority(anee, anee).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(&longrunningpb.Operation{ Name: "CreateCertificateAuthority", Done: true, Result: &longrunningpb.Operation_Response{ @@ -963,11 +972,11 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) { })).(*anypb.Any), }, }, nil) - m.EXPECT().FetchCertificateAuthorityCsr(any, any).Return(&pb.FetchCertificateAuthorityCsrResponse{ + m.EXPECT().FetchCertificateAuthorityCsr(anee, anee).Return(&pb.FetchCertificateAuthorityCsrResponse{ PemCsr: testIntermediateCsr, }, nil) - m.EXPECT().ActivateCertificateAuthority(any, any).Return(fake.ActivateCertificateAuthorityOperation("ActivateCertificateAuthority"), nil) - mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{ + m.EXPECT().ActivateCertificateAuthority(anee, anee).Return(fake.ActivateCertificateAuthorityOperation("ActivateCertificateAuthority"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(&longrunningpb.Operation{ Name: "ActivateCertificateAuthority", Done: true, Result: &longrunningpb.Operation_Response{ @@ -977,8 +986,8 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) { })).(*anypb.Any), }, }, nil) - m.EXPECT().EnableCertificateAuthority(any, any).Return(fake.EnableCertificateAuthorityOperation("EnableCertificateAuthorityOperation"), nil) - mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{ + m.EXPECT().EnableCertificateAuthority(anee, anee).Return(fake.EnableCertificateAuthorityOperation("EnableCertificateAuthorityOperation"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(&longrunningpb.Operation{ Name: "EnableCertificateAuthority", Done: true, Result: &longrunningpb.Operation_Response{ @@ -990,9 +999,9 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) { }, nil) // ok create key - m.EXPECT().GetCaPool(any, any).Return(&pb.CaPool{Name: testCaPoolName}, nil) - m.EXPECT().CreateCertificateAuthority(any, any).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) - mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{ + m.EXPECT().GetCaPool(anee, anee).Return(&pb.CaPool{Name: testCaPoolName}, nil) + m.EXPECT().CreateCertificateAuthority(anee, anee).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(&longrunningpb.Operation{ Name: "CreateCertificateAuthority", Done: true, Result: &longrunningpb.Operation_Response{ @@ -1002,8 +1011,8 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) { })).(*anypb.Any), }, }, nil) - m.EXPECT().EnableCertificateAuthority(any, any).Return(fake.EnableCertificateAuthorityOperation("EnableCertificateAuthorityOperation"), nil) - mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{ + m.EXPECT().EnableCertificateAuthority(anee, anee).Return(fake.EnableCertificateAuthorityOperation("EnableCertificateAuthorityOperation"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(&longrunningpb.Operation{ Name: "EnableCertificateAuthority", Done: true, Result: &longrunningpb.Operation_Response{ @@ -1015,30 +1024,30 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) { }, nil) // fail GetCaPool - m.EXPECT().GetCaPool(any, any).Return(nil, errTest) + m.EXPECT().GetCaPool(anee, anee).Return(nil, errTest) // fail CreateCaPool - m.EXPECT().GetCaPool(any, any).Return(nil, status.Error(codes.NotFound, "not found")) - m.EXPECT().CreateCaPool(any, any).Return(nil, errTest) + m.EXPECT().GetCaPool(anee, anee).Return(nil, status.Error(codes.NotFound, "not found")) + m.EXPECT().CreateCaPool(anee, anee).Return(nil, errTest) // fail CreateCaPool.Wait - m.EXPECT().GetCaPool(any, any).Return(nil, status.Error(codes.NotFound, "not found")) - m.EXPECT().CreateCaPool(any, any).Return(fake.CreateCaPoolOperation("CreateCaPool"), nil) - mos.EXPECT().GetOperation(any, any).Return(nil, errTest) + m.EXPECT().GetCaPool(anee, anee).Return(nil, status.Error(codes.NotFound, "not found")) + m.EXPECT().CreateCaPool(anee, anee).Return(fake.CreateCaPoolOperation("CreateCaPool"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(nil, errTest) // fail CreateCertificateAuthority - m.EXPECT().GetCaPool(any, any).Return(&pb.CaPool{Name: testCaPoolName}, nil) - m.EXPECT().CreateCertificateAuthority(any, any).Return(nil, errTest) + m.EXPECT().GetCaPool(anee, anee).Return(&pb.CaPool{Name: testCaPoolName}, nil) + m.EXPECT().CreateCertificateAuthority(anee, anee).Return(nil, errTest) // fail CreateCertificateAuthority.Wait - m.EXPECT().GetCaPool(any, any).Return(&pb.CaPool{Name: testCaPoolName}, nil) - m.EXPECT().CreateCertificateAuthority(any, any).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) - mos.EXPECT().GetOperation(any, any).Return(nil, errTest) + m.EXPECT().GetCaPool(anee, anee).Return(&pb.CaPool{Name: testCaPoolName}, nil) + m.EXPECT().CreateCertificateAuthority(anee, anee).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(nil, errTest) // fail EnableCertificateAuthority - m.EXPECT().GetCaPool(any, any).Return(&pb.CaPool{Name: testCaPoolName}, nil) - m.EXPECT().CreateCertificateAuthority(any, any).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) - mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{ + m.EXPECT().GetCaPool(anee, anee).Return(&pb.CaPool{Name: testCaPoolName}, nil) + m.EXPECT().CreateCertificateAuthority(anee, anee).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(&longrunningpb.Operation{ Name: "CreateCertificateAuthority", Done: true, Result: &longrunningpb.Operation_Response{ @@ -1048,12 +1057,12 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) { })).(*anypb.Any), }, }, nil) - m.EXPECT().EnableCertificateAuthority(any, any).Return(nil, errTest) + m.EXPECT().EnableCertificateAuthority(anee, anee).Return(nil, errTest) // fail EnableCertificateAuthority.Wait - m.EXPECT().GetCaPool(any, any).Return(&pb.CaPool{Name: testCaPoolName}, nil) - m.EXPECT().CreateCertificateAuthority(any, any).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) - mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{ + m.EXPECT().GetCaPool(anee, anee).Return(&pb.CaPool{Name: testCaPoolName}, nil) + m.EXPECT().CreateCertificateAuthority(anee, anee).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(&longrunningpb.Operation{ Name: "CreateCertificateAuthority", Done: true, Result: &longrunningpb.Operation_Response{ @@ -1063,13 +1072,13 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) { })).(*anypb.Any), }, }, nil) - m.EXPECT().EnableCertificateAuthority(any, any).Return(fake.EnableCertificateAuthorityOperation("EnableCertificateAuthorityOperation"), nil) - mos.EXPECT().GetOperation(any, any).Return(nil, errTest) + m.EXPECT().EnableCertificateAuthority(anee, anee).Return(fake.EnableCertificateAuthorityOperation("EnableCertificateAuthorityOperation"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(nil, errTest) // fail EnableCertificateAuthority intermediate - m.EXPECT().GetCaPool(any, any).Return(&pb.CaPool{Name: testCaPoolName}, nil) - m.EXPECT().CreateCertificateAuthority(any, any).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) - mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{ + m.EXPECT().GetCaPool(anee, anee).Return(&pb.CaPool{Name: testCaPoolName}, nil) + m.EXPECT().CreateCertificateAuthority(anee, anee).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(&longrunningpb.Operation{ Name: "CreateCertificateAuthority", Done: true, Result: &longrunningpb.Operation_Response{ @@ -1078,15 +1087,15 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) { })).(*anypb.Any), }, }, nil) - m.EXPECT().FetchCertificateAuthorityCsr(any, any).Return(&pb.FetchCertificateAuthorityCsrResponse{ + m.EXPECT().FetchCertificateAuthorityCsr(anee, anee).Return(&pb.FetchCertificateAuthorityCsrResponse{ PemCsr: testIntermediateCsr, }, nil) - m.EXPECT().CreateCertificate(any, any).Return(&pb.Certificate{ + m.EXPECT().CreateCertificate(anee, anee).Return(&pb.Certificate{ PemCertificate: testIntermediateCertificate, PemCertificateChain: []string{testRootCertificate}, }, nil) - m.EXPECT().ActivateCertificateAuthority(any, any).Return(fake.ActivateCertificateAuthorityOperation("ActivateCertificateAuthority"), nil) - mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{ + m.EXPECT().ActivateCertificateAuthority(anee, anee).Return(fake.ActivateCertificateAuthorityOperation("ActivateCertificateAuthority"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(&longrunningpb.Operation{ Name: "ActivateCertificateAuthority", Done: true, Result: &longrunningpb.Operation_Response{ @@ -1096,12 +1105,12 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) { })).(*anypb.Any), }, }, nil) - m.EXPECT().EnableCertificateAuthority(any, any).Return(nil, errTest) + m.EXPECT().EnableCertificateAuthority(anee, anee).Return(nil, errTest) // fail EnableCertificateAuthority.Wait intermediate - m.EXPECT().GetCaPool(any, any).Return(&pb.CaPool{Name: testCaPoolName}, nil) - m.EXPECT().CreateCertificateAuthority(any, any).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) - mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{ + m.EXPECT().GetCaPool(anee, anee).Return(&pb.CaPool{Name: testCaPoolName}, nil) + m.EXPECT().CreateCertificateAuthority(anee, anee).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(&longrunningpb.Operation{ Name: "CreateCertificateAuthority", Done: true, Result: &longrunningpb.Operation_Response{ @@ -1110,15 +1119,15 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) { })).(*anypb.Any), }, }, nil) - m.EXPECT().FetchCertificateAuthorityCsr(any, any).Return(&pb.FetchCertificateAuthorityCsrResponse{ + m.EXPECT().FetchCertificateAuthorityCsr(anee, anee).Return(&pb.FetchCertificateAuthorityCsrResponse{ PemCsr: testIntermediateCsr, }, nil) - m.EXPECT().CreateCertificate(any, any).Return(&pb.Certificate{ + m.EXPECT().CreateCertificate(anee, anee).Return(&pb.Certificate{ PemCertificate: testIntermediateCertificate, PemCertificateChain: []string{testRootCertificate}, }, nil) - m.EXPECT().ActivateCertificateAuthority(any, any).Return(fake.ActivateCertificateAuthorityOperation("ActivateCertificateAuthority"), nil) - mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{ + m.EXPECT().ActivateCertificateAuthority(anee, anee).Return(fake.ActivateCertificateAuthorityOperation("ActivateCertificateAuthority"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(&longrunningpb.Operation{ Name: "ActivateCertificateAuthority", Done: true, Result: &longrunningpb.Operation_Response{ @@ -1128,13 +1137,13 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) { })).(*anypb.Any), }, }, nil) - m.EXPECT().EnableCertificateAuthority(any, any).Return(fake.EnableCertificateAuthorityOperation("EnableCertificateAuthorityOperation"), nil) - mos.EXPECT().GetOperation(any, any).Return(nil, errTest) + m.EXPECT().EnableCertificateAuthority(anee, anee).Return(fake.EnableCertificateAuthorityOperation("EnableCertificateAuthorityOperation"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(nil, errTest) // fail FetchCertificateAuthorityCsr - m.EXPECT().GetCaPool(any, any).Return(&pb.CaPool{Name: testCaPoolName}, nil) - m.EXPECT().CreateCertificateAuthority(any, any).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) - mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{ + m.EXPECT().GetCaPool(anee, anee).Return(&pb.CaPool{Name: testCaPoolName}, nil) + m.EXPECT().CreateCertificateAuthority(anee, anee).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(&longrunningpb.Operation{ Name: "CreateCertificateAuthority", Done: true, Result: &longrunningpb.Operation_Response{ @@ -1143,12 +1152,12 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) { })).(*anypb.Any), }, }, nil) - m.EXPECT().FetchCertificateAuthorityCsr(any, any).Return(nil, errTest) + m.EXPECT().FetchCertificateAuthorityCsr(anee, anee).Return(nil, errTest) // fail CreateCertificate - m.EXPECT().GetCaPool(any, any).Return(&pb.CaPool{Name: testCaPoolName}, nil) - m.EXPECT().CreateCertificateAuthority(any, any).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) - mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{ + m.EXPECT().GetCaPool(anee, anee).Return(&pb.CaPool{Name: testCaPoolName}, nil) + m.EXPECT().CreateCertificateAuthority(anee, anee).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(&longrunningpb.Operation{ Name: "CreateCertificateAuthority", Done: true, Result: &longrunningpb.Operation_Response{ @@ -1157,15 +1166,15 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) { })).(*anypb.Any), }, }, nil) - m.EXPECT().FetchCertificateAuthorityCsr(any, any).Return(&pb.FetchCertificateAuthorityCsrResponse{ + m.EXPECT().FetchCertificateAuthorityCsr(anee, anee).Return(&pb.FetchCertificateAuthorityCsrResponse{ PemCsr: testIntermediateCsr, }, nil) - m.EXPECT().CreateCertificate(any, any).Return(nil, errTest) + m.EXPECT().CreateCertificate(anee, anee).Return(nil, errTest) // fail ActivateCertificateAuthority - m.EXPECT().GetCaPool(any, any).Return(&pb.CaPool{Name: testCaPoolName}, nil) - m.EXPECT().CreateCertificateAuthority(any, any).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) - mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{ + m.EXPECT().GetCaPool(anee, anee).Return(&pb.CaPool{Name: testCaPoolName}, nil) + m.EXPECT().CreateCertificateAuthority(anee, anee).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(&longrunningpb.Operation{ Name: "CreateCertificateAuthority", Done: true, Result: &longrunningpb.Operation_Response{ @@ -1174,19 +1183,19 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) { })).(*anypb.Any), }, }, nil) - m.EXPECT().FetchCertificateAuthorityCsr(any, any).Return(&pb.FetchCertificateAuthorityCsrResponse{ + m.EXPECT().FetchCertificateAuthorityCsr(anee, anee).Return(&pb.FetchCertificateAuthorityCsrResponse{ PemCsr: testIntermediateCsr, }, nil) - m.EXPECT().CreateCertificate(any, any).Return(&pb.Certificate{ + m.EXPECT().CreateCertificate(anee, anee).Return(&pb.Certificate{ PemCertificate: testIntermediateCertificate, PemCertificateChain: []string{testRootCertificate}, }, nil) - m.EXPECT().ActivateCertificateAuthority(any, any).Return(nil, errTest) + m.EXPECT().ActivateCertificateAuthority(anee, anee).Return(nil, errTest) // fail ActivateCertificateAuthority.Wait - m.EXPECT().GetCaPool(any, any).Return(&pb.CaPool{Name: testCaPoolName}, nil) - m.EXPECT().CreateCertificateAuthority(any, any).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) - mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{ + m.EXPECT().GetCaPool(anee, anee).Return(&pb.CaPool{Name: testCaPoolName}, nil) + m.EXPECT().CreateCertificateAuthority(anee, anee).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(&longrunningpb.Operation{ Name: "CreateCertificateAuthority", Done: true, Result: &longrunningpb.Operation_Response{ @@ -1195,20 +1204,20 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) { })).(*anypb.Any), }, }, nil) - m.EXPECT().FetchCertificateAuthorityCsr(any, any).Return(&pb.FetchCertificateAuthorityCsrResponse{ + m.EXPECT().FetchCertificateAuthorityCsr(anee, anee).Return(&pb.FetchCertificateAuthorityCsrResponse{ PemCsr: testIntermediateCsr, }, nil) - m.EXPECT().CreateCertificate(any, any).Return(&pb.Certificate{ + m.EXPECT().CreateCertificate(anee, anee).Return(&pb.Certificate{ PemCertificate: testIntermediateCertificate, PemCertificateChain: []string{testRootCertificate}, }, nil) - m.EXPECT().ActivateCertificateAuthority(any, any).Return(fake.ActivateCertificateAuthorityOperation("ActivateCertificateAuthority"), nil) - mos.EXPECT().GetOperation(any, any).Return(nil, errTest) + m.EXPECT().ActivateCertificateAuthority(anee, anee).Return(fake.ActivateCertificateAuthorityOperation("ActivateCertificateAuthority"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(nil, errTest) // fail x509util.CreateCertificate - m.EXPECT().GetCaPool(any, any).Return(&pb.CaPool{Name: testCaPoolName}, nil) - m.EXPECT().CreateCertificateAuthority(any, any).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) - mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{ + m.EXPECT().GetCaPool(anee, anee).Return(&pb.CaPool{Name: testCaPoolName}, nil) + m.EXPECT().CreateCertificateAuthority(anee, anee).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(&longrunningpb.Operation{ Name: "CreateCertificateAuthority", Done: true, Result: &longrunningpb.Operation_Response{ @@ -1217,14 +1226,14 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) { })).(*anypb.Any), }, }, nil) - m.EXPECT().FetchCertificateAuthorityCsr(any, any).Return(&pb.FetchCertificateAuthorityCsrResponse{ + m.EXPECT().FetchCertificateAuthorityCsr(anee, anee).Return(&pb.FetchCertificateAuthorityCsrResponse{ PemCsr: testIntermediateCsr, }, nil) // fail parseCertificateRequest - m.EXPECT().GetCaPool(any, any).Return(&pb.CaPool{Name: testCaPoolName}, nil) - m.EXPECT().CreateCertificateAuthority(any, any).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) - mos.EXPECT().GetOperation(any, any).Return(&longrunningpb.Operation{ + m.EXPECT().GetCaPool(anee, anee).Return(&pb.CaPool{Name: testCaPoolName}, nil) + m.EXPECT().CreateCertificateAuthority(anee, anee).Return(fake.CreateCertificateAuthorityOperation("CreateCertificateAuthority"), nil) + mos.EXPECT().GetOperation(anee, anee).Return(&longrunningpb.Operation{ Name: "CreateCertificateAuthority", Done: true, Result: &longrunningpb.Operation_Response{ @@ -1233,7 +1242,7 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) { })).(*anypb.Any), }, }, nil) - m.EXPECT().FetchCertificateAuthorityCsr(any, any).Return(&pb.FetchCertificateAuthorityCsrResponse{ + m.EXPECT().FetchCertificateAuthorityCsr(anee, anee).Return(&pb.FetchCertificateAuthorityCsrResponse{ PemCsr: "Not a CSR", }, nil) diff --git a/cas/softcas/softcas.go b/cas/softcas/softcas.go index ed909d6d..af93420d 100644 --- a/cas/softcas/softcas.go +++ b/cas/softcas/softcas.go @@ -231,7 +231,6 @@ func (c *SoftCAS) getCertSigner() ([]*x509.Certificate, crypto.Signer, error) { return c.CertificateSigner() } return c.CertificateChain, c.Signer, nil - } // createKey uses the configured kms to create a key. diff --git a/cas/softcas/softcas_test.go b/cas/softcas/softcas_test.go index 8867b9b4..5c8a2f1f 100644 --- a/cas/softcas/softcas_test.go +++ b/cas/softcas/softcas_test.go @@ -261,9 +261,6 @@ func TestSoftCAS_CreateCertificate(t *testing.T) { tmplNotBefore := *testTemplate tmplNotBefore.NotBefore = testNow - tmplNotAfter := *testTemplate - tmplNotAfter.NotAfter = testNow.Add(24 * time.Hour) - tmplWithLifetime := *testTemplate tmplWithLifetime.NotBefore = testNow tmplWithLifetime.NotAfter = testNow.Add(24 * time.Hour) diff --git a/cas/stepcas/issuer_test.go b/cas/stepcas/issuer_test.go index c968237a..7d468e38 100644 --- a/cas/stepcas/issuer_test.go +++ b/cas/stepcas/issuer_test.go @@ -15,11 +15,11 @@ import ( type mockErrIssuer struct{} func (m mockErrIssuer) SignToken(subject string, sans []string, info *raInfo) (string, error) { - return "", apiv1.ErrNotImplemented{} + return "", apiv1.NotImplementedError{} } func (m mockErrIssuer) RevokeToken(subject string) (string, error) { - return "", apiv1.ErrNotImplemented{} + return "", apiv1.NotImplementedError{} } func (m mockErrIssuer) Lifetime(d time.Duration) time.Duration { @@ -29,7 +29,7 @@ func (m mockErrIssuer) Lifetime(d time.Duration) time.Duration { type mockErrSigner struct{} func (s *mockErrSigner) Sign(payload []byte) (*jose.JSONWebSignature, error) { - return nil, apiv1.ErrNotImplemented{} + return nil, apiv1.NotImplementedError{} } func (s *mockErrSigner) Options() jose.SignerOptions { diff --git a/cas/stepcas/stepcas.go b/cas/stepcas/stepcas.go index f8770923..6c2acc84 100644 --- a/cas/stepcas/stepcas.go +++ b/cas/stepcas/stepcas.go @@ -101,7 +101,7 @@ func (s *StepCAS) CreateCertificate(req *apiv1.CreateCertificateRequest) (*apiv1 // RenewCertificate will always return a non-implemented error as mTLS renewals // are not supported yet. func (s *StepCAS) RenewCertificate(req *apiv1.RenewCertificateRequest) (*apiv1.RenewCertificateResponse, error) { - return nil, apiv1.ErrNotImplemented{Message: "stepCAS does not support mTLS renewals"} + return nil, apiv1.NotImplementedError{Message: "stepCAS does not support mTLS renewals"} } // RevokeCertificate revokes a certificate. diff --git a/cas/vaultcas/vaultcas.go b/cas/vaultcas/vaultcas.go index a5658620..c618a0a0 100644 --- a/cas/vaultcas/vaultcas.go +++ b/cas/vaultcas/vaultcas.go @@ -162,7 +162,7 @@ func (v *VaultCAS) GetCertificateAuthority(req *apiv1.GetCertificateAuthorityReq // RenewCertificate will always return a non-implemented error as renewals // are not supported yet. func (v *VaultCAS) RenewCertificate(req *apiv1.RenewCertificateRequest) (*apiv1.RenewCertificateResponse, error) { - return nil, apiv1.ErrNotImplemented{Message: "vaultCAS does not support renewals"} + return nil, apiv1.NotImplementedError{Message: "vaultCAS does not support renewals"} } // RevokeCertificate revokes a certificate by serial number. diff --git a/cmd/step-awskms-init/main.go b/cmd/step-awskms-init/main.go index ee46ba94..81a91067 100644 --- a/cmd/step-awskms-init/main.go +++ b/cmd/step-awskms-init/main.go @@ -4,7 +4,7 @@ import ( "context" "crypto" "crypto/rand" - "crypto/sha1" // nolint:gosec // used to create the Subject Key Identifier by RFC 5280 + "crypto/sha1" //nolint:gosec // used to create the Subject Key Identifier by RFC 5280 "crypto/x509" "crypto/x509/pkix" "encoding/pem" @@ -242,7 +242,7 @@ func mustSubjectKeyID(key crypto.PublicKey) []byte { if err != nil { panic(err) } - // nolint:gosec // used to create the Subject Key Identifier by RFC 5280 + //nolint:gosec // used to create the Subject Key Identifier by RFC 5280 hash := sha1.Sum(b) return hash[:] } diff --git a/cmd/step-ca/main.go b/cmd/step-ca/main.go index d070b6cf..11756b93 100644 --- a/cmd/step-ca/main.go +++ b/cmd/step-ca/main.go @@ -14,7 +14,7 @@ import ( "time" // Server profiler - // nolint:gosec // profile server, if enabled runs on a different port + //nolint:gosec // profile server, if enabled runs on a different port _ "net/http/pprof" "github.com/smallstep/certificates/authority" @@ -25,6 +25,7 @@ import ( "go.step.sm/cli-utils/step" "go.step.sm/cli-utils/ui" "go.step.sm/cli-utils/usage" + "go.step.sm/crypto/pemutil" // Enabled kms interfaces. _ "go.step.sm/crypto/kms/awskms" @@ -52,6 +53,10 @@ func init() { step.Set("Smallstep CA", Version, BuildTime) authority.GlobalVersion.Version = Version rand.Seed(time.Now().UnixNano()) + // Add support for asking passwords + pemutil.PromptPassword = func(msg string) ([]byte, error) { + return ui.PromptPassword(msg) + } } func exit(code int) { @@ -176,7 +181,11 @@ $ step-ca --context=mybiz --password-file ./password.txt debugProfAddr := os.Getenv("STEP_PROF_ADDR") if debugProfAddr != "" { go func() { - log.Println(http.ListenAndServe(debugProfAddr, nil)) + srv := http.Server{ + Addr: debugProfAddr, + ReadHeaderTimeout: 15 * time.Second, + } + log.Println(srv.ListenAndServe()) }() } diff --git a/cmd/step-cloudkms-init/main.go b/cmd/step-cloudkms-init/main.go index 98d81ac0..6cc36adf 100644 --- a/cmd/step-cloudkms-init/main.go +++ b/cmd/step-cloudkms-init/main.go @@ -4,7 +4,7 @@ import ( "context" "crypto" "crypto/rand" - "crypto/sha1" // nolint:gosec // used to create the Subject Key Identifier by RFC 5280 + "crypto/sha1" //nolint:gosec // used to create the Subject Key Identifier by RFC 5280 "crypto/x509" "crypto/x509/pkix" "encoding/pem" @@ -280,7 +280,7 @@ func mustSubjectKeyID(key crypto.PublicKey) []byte { if err != nil { panic(err) } - // nolint:gosec // used to create the Subject Key Identifier by RFC 5280 + //nolint:gosec // used to create the Subject Key Identifier by RFC 5280 hash := sha1.Sum(b) return hash[:] } diff --git a/cmd/step-pkcs11-init/main.go b/cmd/step-pkcs11-init/main.go index 7595000c..30258cdd 100644 --- a/cmd/step-pkcs11-init/main.go +++ b/cmd/step-pkcs11-init/main.go @@ -6,7 +6,7 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/sha1" // nolint:gosec // used to create the Subject Key Identifier by RFC 5280 + "crypto/sha1" //nolint:gosec // used to create the Subject Key Identifier by RFC 5280 "crypto/x509" "crypto/x509/pkix" "encoding/pem" @@ -547,7 +547,7 @@ func mustSubjectKeyID(key crypto.PublicKey) []byte { if err != nil { panic(err) } - // nolint:gosec // used to create the Subject Key Identifier by RFC 5280 + //nolint:gosec // used to create the Subject Key Identifier by RFC 5280 hash := sha1.Sum(b) return hash[:] } diff --git a/cmd/step-yubikey-init/main.go b/cmd/step-yubikey-init/main.go index a06afe04..cd6018cf 100644 --- a/cmd/step-yubikey-init/main.go +++ b/cmd/step-yubikey-init/main.go @@ -6,7 +6,7 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/sha1" // nolint:gosec // used to create the Subject Key Identifier by RFC 5280 + "crypto/sha1" //nolint:gosec // used to create the Subject Key Identifier by RFC 5280 "crypto/x509" "crypto/x509/pkix" "encoding/hex" @@ -349,7 +349,7 @@ func mustSubjectKeyID(key crypto.PublicKey) []byte { if err != nil { panic(err) } - // nolint:gosec // used to create the Subject Key Identifier by RFC 5280 + //nolint:gosec // used to create the Subject Key Identifier by RFC 5280 hash := sha1.Sum(b) return hash[:] } diff --git a/commands/app.go b/commands/app.go index 7545f1df..7a0b2637 100644 --- a/commands/app.go +++ b/commands/app.go @@ -196,7 +196,7 @@ To get a linked authority token: } go ca.StopReloaderHandler(srv) - if err = srv.Run(); err != nil && err != http.ErrServerClosed { + if err = srv.Run(); err != nil && !errors.Is(err, http.ErrServerClosed) { fatal(err) } return nil diff --git a/commands/onboard.go b/commands/onboard.go index bb704fd4..ef3b7854 100644 --- a/commands/onboard.go +++ b/commands/onboard.go @@ -92,11 +92,12 @@ func onboardAction(ctx *cli.Context) error { token := ctx.Args().Get(0) onboardingURL := u.ResolveReference(&url.URL{Path: token}).String() - // nolint:gosec // onboarding url + //nolint:gosec // onboarding url res, err := http.Get(onboardingURL) if err != nil { return errors.Wrap(err, "error connecting onboarding guide") } + defer res.Body.Close() if res.StatusCode >= 400 { var msg onboardingError if err := readJSON(res.Body, &msg); err != nil { @@ -133,7 +134,7 @@ func onboardAction(ctx *cli.Context) error { return errors.Wrap(err, "error marshaling payload") } - // nolint:gosec // onboarding url + //nolint:gosec // onboarding url resp, err := http.Post(onboardingURL, "application/json", bytes.NewBuffer(payload)) if err != nil { return errors.Wrap(err, "error connecting onboarding guide") @@ -158,7 +159,7 @@ func onboardAction(ctx *cli.Context) error { } go ca.StopReloaderHandler(srv) - if err := srv.Run(); err != nil && err != http.ErrServerClosed { + if err := srv.Run(); err != nil && !errors.Is(err, http.ErrServerClosed) { fatal(err) } diff --git a/errs/error.go b/errs/error.go index c42e342d..14995f0a 100644 --- a/errs/error.go +++ b/errs/error.go @@ -92,7 +92,8 @@ func Wrap(status int, e error, m string, args ...interface{}) error { return nil } _, opts := splitOptionArgs(args) - if err, ok := e.(*Error); ok { + var err *Error + if errors.As(e, &err) { err.Err = errors.Wrap(err.Err, m) e = err } else { @@ -108,7 +109,8 @@ func Wrapf(status int, e error, format string, args ...interface{}) error { return nil } as, opts := splitOptionArgs(args) - if err, ok := e.(*Error); ok { + var err *Error + if errors.As(e, &err) { err.Err = errors.Wrapf(err.Err, format, args...) e = err } else { @@ -246,7 +248,8 @@ func New(status int, format string, args ...interface{}) error { // NewError creates a new http error with the given error and message. func NewError(status int, err error, format string, args ...interface{}) error { - if _, ok := err.(*Error); ok { + var e *Error + if errors.As(err, &e) { return err } msg := fmt.Sprintf(format, args...) @@ -263,11 +266,8 @@ func NewError(status int, err error, format string, args ...interface{}) error { // NewErr returns a new Error. If the given error implements the StatusCoder // interface we will ignore the given status. func NewErr(status int, err error, opts ...Option) error { - var ( - e *Error - ok bool - ) - if e, ok = err.(*Error); !ok { + var e *Error + if !errors.As(err, &e) { if sc, ok := err.(render.StatusCodedError); ok { e = &Error{Status: sc.StatusCode(), Err: err} } else { @@ -299,7 +299,8 @@ func Errorf(code int, format string, args ...interface{}) error { // ApplyOptions applies the given options to the error if is the type *Error. // TODO(mariano): try to get rid of this. func ApplyOptions(err error, opts ...interface{}) error { - if e, ok := err.(*Error); ok { + var e *Error + if errors.As(err, &e) { _, o := splitOptionArgs(opts) for _, fn := range o { fn(e) diff --git a/errs/errors_test.go b/errs/errors_test.go index a2accebb..7b83c8d9 100644 --- a/errs/errors_test.go +++ b/errs/errors_test.go @@ -57,6 +57,7 @@ func TestError_UnmarshalJSON(t *testing.T) { if err := e.UnmarshalJSON(tt.args.data); (err != nil) != tt.wantErr { t.Errorf("Error.UnmarshalJSON() error = %v, wantErr %v", err, tt.wantErr) } + //nolint:govet // best option if !reflect.DeepEqual(tt.expected, e) { t.Errorf("Error.UnmarshalJSON() wants = %+v, got %+v", tt.expected, e) } diff --git a/go.mod b/go.mod index 3edb5eb8..1ba86c92 100644 --- a/go.mod +++ b/go.mod @@ -3,8 +3,8 @@ module github.com/smallstep/certificates go 1.18 require ( - cloud.google.com/go v0.100.2 - cloud.google.com/go/security v1.3.0 + cloud.google.com/go v0.102.1 + cloud.google.com/go/security v1.7.0 github.com/Azure/azure-sdk-for-go v65.0.0+incompatible // indirect github.com/Azure/go-autorest/autorest v0.11.27 // indirect github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect @@ -14,6 +14,7 @@ require ( github.com/aws/aws-sdk-go v1.44.37 // indirect github.com/dgraph-io/ristretto v0.0.4-0.20200906165740-41ebdbffecfd // indirect github.com/fatih/color v1.9.0 // indirect + github.com/fxamacker/cbor/v2 v2.4.0 github.com/go-chi/chi v4.1.2+incompatible github.com/go-kit/kit v0.10.0 // indirect github.com/go-piv/piv-go v1.10.0 // indirect @@ -37,25 +38,26 @@ require ( github.com/slackhq/nebula v1.5.2 github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262 github.com/smallstep/nosql v0.4.0 - github.com/stretchr/testify v1.7.1 + github.com/stretchr/testify v1.8.0 github.com/urfave/cli v1.22.4 go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 go.step.sm/cli-utils v0.7.4 - go.step.sm/crypto v0.18.0 - go.step.sm/linkedca v0.18.0 - golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 - golang.org/x/net v0.0.0-20220607020251-c690dde0001d + go.step.sm/crypto v0.19.0 + go.step.sm/linkedca v0.19.0-rc.2 + golang.org/x/crypto v0.0.0-20220919173607-35f4265a4bc0 + golang.org/x/net v0.0.0-20220927171203-f486391704dc + golang.org/x/sys v0.0.0-20220928140112-f11e5e49a4ec // indirect golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba // indirect - google.golang.org/api v0.84.0 - google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad - google.golang.org/grpc v1.47.0 - google.golang.org/protobuf v1.28.0 + google.golang.org/api v0.96.0 + google.golang.org/genproto v0.0.0-20220929141241-1ce7b20da813 + google.golang.org/grpc v1.49.0 + google.golang.org/protobuf v1.28.1 gopkg.in/square/go-jose.v2 v2.6.0 ) require ( - cloud.google.com/go/compute v1.6.1 // indirect - cloud.google.com/go/iam v0.1.0 // indirect + cloud.google.com/go/compute v1.7.0 // indirect + cloud.google.com/go/iam v0.3.0 // indirect cloud.google.com/go/kms v1.4.0 // indirect filippo.io/edwards25519 v1.0.0-rc.1 // indirect github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 // indirect @@ -85,7 +87,7 @@ require ( github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.2 // indirect github.com/golang/snappy v0.0.4 // indirect - github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa // indirect + github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect github.com/hashicorp/go-hclog v0.16.2 // indirect @@ -133,14 +135,14 @@ require ( github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect github.com/spf13/cast v1.4.1 // indirect github.com/thales-e-security/pool v0.0.2 // indirect + github.com/x448/float16 v0.8.4 // indirect go.etcd.io/bbolt v1.3.6 // indirect go.opencensus.io v0.23.0 // indirect go.uber.org/atomic v1.9.0 // indirect - golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb // indirect - golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d // indirect + golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 // indirect golang.org/x/text v0.3.8-0.20211004125949-5bd84dd9b33b // indirect google.golang.org/appengine v1.6.7 // indirect - gopkg.in/yaml.v3 v3.0.0 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect ) // replace github.com/smallstep/nosql => ../nosql diff --git a/go.sum b/go.sum index 5d513472..75f369cd 100644 --- a/go.sum +++ b/go.sum @@ -27,8 +27,10 @@ cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc= cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA= cloud.google.com/go v0.100.1/go.mod h1:fs4QogzfH5n2pBXBP9vRiU+eCny7lD2vmFZy79Iuw1U= -cloud.google.com/go v0.100.2 h1:t9Iw5QH5v4XtlEQaCtUY7x6sCABps8sW0acw7e2WQ6Y= cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A= +cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc= +cloud.google.com/go v0.102.1 h1:vpK6iQWv/2uUeFJth4/cBHsQAGjn1iIE6AAlxipRaA0= +cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34hIU= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= @@ -39,25 +41,28 @@ cloud.google.com/go/compute v0.1.0/go.mod h1:GAesmwr110a34z04OlxYkATPBEfVhkymfTB cloud.google.com/go/compute v1.3.0/go.mod h1:cCZiE1NHEtai4wiufUhW8I8S1JKkAnhnQJWM7YD99wM= cloud.google.com/go/compute v1.5.0/go.mod h1:9SMHyhJlzhlkJqrPAc839t2BZFTSk6Jdj6mkzQJeu0M= cloud.google.com/go/compute v1.6.0/go.mod h1:T29tfhtVbq1wvAPo0E3+7vhgmkOYeXjhFvz/FMzPu0s= -cloud.google.com/go/compute v1.6.1 h1:2sMmt8prCn7DPaG4Pmh0N3Inmc8cT8ae5k1M6VJ9Wqc= cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU= +cloud.google.com/go/compute v1.7.0 h1:v/k9Eueb8aAJ0vZuxKMrgm6kPhCLZU9HxFU+AFDs9Uk= +cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= -cloud.google.com/go/iam v0.1.0 h1:W2vbGCrE3Z7J/x3WXLxxGl9LMSB2uhsAA7Ss/6u/qRY= cloud.google.com/go/iam v0.1.0/go.mod h1:vcUNEa0pEm0qRVpmWepWaFMIAI8/hjB9mO8rNCJtF6c= +cloud.google.com/go/iam v0.3.0 h1:exkAomrVUuzx9kWFI1wm3KI0uoDeUFPB4kKGzx6x+Gc= +cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY= cloud.google.com/go/kms v1.4.0 h1:iElbfoE61VeLhnZcGOltqL8HIly8Nhbe5t6JlH9GXjo= cloud.google.com/go/kms v1.4.0/go.mod h1:fajBHndQ+6ubNw6Ss2sSd+SWvjL26RNo/dr7uxsnnOA= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= -cloud.google.com/go/security v1.3.0 h1:BhCl33x+KQI4qiZnFrfr2gAGhb2aZ0ZvKB3Y4QlEfgo= -cloud.google.com/go/security v1.3.0/go.mod h1:pQsnLAXfMzuWVJdctBs8BV3tGd3Jr0SMYu6KK3QXYAs= +cloud.google.com/go/security v1.7.0 h1:176N+6wf67OA6HgqhmNN/AfmUtwq50na2VKR6/6l34k= +cloud.google.com/go/security v1.7.0/go.mod h1:mZklORHl6Bg7CNnnjLH//0UlAlaXqiG7Lb9PsPXLfD0= cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= +cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= filippo.io/edwards25519 v1.0.0-rc.1 h1:m0VOOB23frXZvAOK44usCgLWvtsxIoMCTBGJZlpmGfU= filippo.io/edwards25519 v1.0.0-rc.1/go.mod h1:N1IkdkCkiLB6tki+MYJoSx2JTY9NUlxZE7eHn5EwJns= @@ -227,6 +232,8 @@ github.com/frankban/quicktest v1.10.0/go.mod h1:ui7WezCLWMWxVWr1GETZY3smRy0G4KWq github.com/frankban/quicktest v1.13.0 h1:yNZif1OkDfNoDfb9zZa9aXIpejNR4F23Wely0c+Qdqk= github.com/frankban/quicktest v1.13.0/go.mod h1:qLE0fzW0VuyUAJgPU19zByoIr0HtCHN/r/VLSOOIySU= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88= +github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec= @@ -346,8 +353,9 @@ github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+ github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa h1:7MYGT2XEMam7Mtzv1yDUYXANedWvwk3HKkR3MyGowy8= github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8= +github.com/googleapis/enterprise-certificate-proxy v0.1.0 h1:zO8WHNx/MYiAKJ3d5spxZXZE6KHmIQGQcAzwUzV7qQw= +github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0= @@ -356,6 +364,7 @@ github.com/googleapis/gax-go/v2 v2.2.0/go.mod h1:as02EH8zWkzwUoLbBaFeQ+arQaj/Oth github.com/googleapis/gax-go/v2 v2.3.0/go.mod h1:b8LNqSzNabLiUpXKkY7HAR5jr6bIT99EXz9pXxye9YM= github.com/googleapis/gax-go/v2 v2.4.0 h1:dS9eYAjhrE2RjmzYw2XAPvcXfmcQLtFEQWn0CR82awk= github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK9wbMD5+iXC6c= +github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gordonklaus/ineffassign v0.0.0-20200309095847-7953dde2c7bf/go.mod h1:cuNKsD1zp2v6XfE/orVX2QE1LC+i254ceGcVeDT3pTU= github.com/gorilla/context v0.0.0-20160226214623-1ea25387ff6f/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= @@ -723,16 +732,18 @@ github.com/streadway/amqp v0.0.0-20190827072141-edfb9018d271/go.mod h1:AZpEONHx3 github.com/streadway/handy v0.0.0-20190108123426-d5acb3125c2a/go.mod h1:qNTQ5P5JnDBl6z3cMAg/SywNDC5ABu5ApDIw6lUbRmI= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.2.0 h1:Hbg2NidpLE8veEBkEZTL3CvlkUIVzuU9jDplZO54c48= github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= +github.com/stretchr/objx v0.4.0 h1:M2gUjqZET1qApGOWNSnZ49BAIMX4F/1plDv3+l31EJ4= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMTY= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gtvVDbmPg= github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU= github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= @@ -743,6 +754,8 @@ github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtX github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= github.com/urfave/cli v1.22.4 h1:u7tSpNPPswAFymm8IehJhy4uJMlUuU/GmqSkvJ1InXA= github.com/urfave/cli v1.22.4/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= @@ -770,10 +783,10 @@ go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqe go.step.sm/cli-utils v0.7.4 h1:oI7PStZqlvjPZ0u2EB4lN7yZ4R3ShTotdGL/L84Oorg= go.step.sm/cli-utils v0.7.4/go.mod h1:taSsY8haLmXoXM3ZkywIyRmVij/4Aj0fQbNTlJvv71I= go.step.sm/crypto v0.9.0/go.mod h1:+CYG05Mek1YDqi5WK0ERc6cOpKly2i/a5aZmU1sfGj0= -go.step.sm/crypto v0.18.0 h1:saD/tMG7uKJmUIPyOyudidVTHPnozTU02CDd+oqwKn0= -go.step.sm/crypto v0.18.0/go.mod h1:qZ+pNU1nV+THwP7TPTNCRMRr9xrRURhETTAK7U5psfw= -go.step.sm/linkedca v0.18.0 h1:uxRBd2WDvJNZ2i0nJm/QmG4lkRxWoebYKJinchX7T7o= -go.step.sm/linkedca v0.18.0/go.mod h1:qSuYlIIhvPmA2+DSSS03E2IXhbXWTLW61Xh9zDQJ3VM= +go.step.sm/crypto v0.19.0 h1:WxjUDeTDpuPZ1IR3v6c4jc6WdlQlS5IYYQBhfnG5uW0= +go.step.sm/crypto v0.19.0/go.mod h1:qZ+pNU1nV+THwP7TPTNCRMRr9xrRURhETTAK7U5psfw= +go.step.sm/linkedca v0.19.0-rc.2 h1:IcPqZ5y7MZNq1+VbYQcKoQEvX80NKRncU1WFCDyY+So= +go.step.sm/linkedca v0.19.0-rc.2/go.mod h1:MCZmPIdzElEofZbiw4eyUHayXgFTwa94cNAV34aJ5ew= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= @@ -804,8 +817,9 @@ golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWP golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 h1:0es+/5331RGQPcXlMfP+WrnIIS6dNnNRe0WB02W0F4M= golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220919173607-35f4265a4bc0 h1:a5Yg6ylndHHYJqIPrdq0AhvR6KTvDTAvgBtaidhEevY= +golang.org/x/crypto v0.0.0-20220919173607-35f4265a4bc0/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -892,8 +906,11 @@ golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.0.0-20220607020251-c690dde0001d h1:4SFsTMi4UahlKoloni7L4eYzhFRifURQLw+yv0QDCx8= golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.0.0-20220927171203-f486391704dc h1:FxpXZdoBqT8RjqTy6i1E8nXHhW21wK7ptQ/EPIGxzPQ= +golang.org/x/net v0.0.0-20220927171203-f486391704dc/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -913,8 +930,10 @@ golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= -golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb h1:8tDJ3aechhddbdPAxpycgXHJRMLpk/Ab+aa4OgdN5/g= golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE= +golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= +golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 h1:lxqLZaMad/dJHMFZH0NiNpiEZI/nhgWhe4wgzpE+MuA= +golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -1003,9 +1022,12 @@ golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d h1:Zu/JngovGLVi6t2J3nmAf3AoTDwuzw85YZ3b9o4yU7s= golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220928140112-f11e5e49a4ec h1:BkDtF2Ih9xZ7le9ndzTA7KJow28VbQW3odyk/8drmuI= +golang.org/x/sys v0.0.0-20220928140112-f11e5e49a4ec/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY= @@ -1096,6 +1118,7 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= @@ -1135,8 +1158,10 @@ google.golang.org/api v0.71.0/go.mod h1:4PyU6e6JogV1f9eA4voyrTY2batOLdgZ5qZ5HOCc google.golang.org/api v0.74.0/go.mod h1:ZpfMZOVRMywNyvJFeqL9HRWBgAuRfSjJFpe9QtRRyDs= google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA= google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw= -google.golang.org/api v0.84.0 h1:NMB9J4cCxs9xEm+1Z9QiO3eFvn7EnQj3Eo3hN6ugVlg= +google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg= google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o= +google.golang.org/api v0.96.0 h1:F60cuQPJq7K7FzsxMYHAUJSiXh2oKctHxBMbDygxhfM= +google.golang.org/api v0.96.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= @@ -1187,6 +1212,7 @@ google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210329143202-679c6ae281ee/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= @@ -1221,9 +1247,14 @@ google.golang.org/genproto v0.0.0-20220414192740-2d67ff6cf2b4/go.mod h1:8w6bsBMX google.golang.org/genproto v0.0.0-20220421151946-72621c1f0bd3/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= google.golang.org/genproto v0.0.0-20220429170224-98d788798c3e/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= google.golang.org/genproto v0.0.0-20220505152158-f39f71e6c8f3/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= +google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= +google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= -google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad h1:kqrS+lhvaMHCxul6sKQvKJ8nAAhlVItmZV822hYFH/U= +google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= +google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= +google.golang.org/genproto v0.0.0-20220929141241-1ce7b20da813 h1:buul04Ikd79A5tP8nGhKEyMfr+/HplsO6nqSUapWZ/M= +google.golang.org/genproto v0.0.0-20220929141241-1ce7b20da813/go.mod h1:woMGP53BroOrRY3xTxlbr8Y3eB/nzAvvFM83q7kG2OI= google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= @@ -1260,8 +1291,10 @@ google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzI google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ= google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= -google.golang.org/grpc v1.47.0 h1:9n77onPX5F3qfFCqjy9dhn8PbNQsIKeVU04J9G7umt8= +google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= +google.golang.org/grpc v1.49.0 h1:WTLtQzmQori5FUH25Pq4WT22oCsv8USpQ+F6rqtsmxw= +google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= @@ -1277,8 +1310,9 @@ google.golang.org/protobuf v1.25.1-0.20200805231151-a709e31e5d12/go.mod h1:9JNX7 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw= google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w= +google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= @@ -1306,8 +1340,8 @@ gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0 h1:hjy8E9ON/egN1tAYqKb61G10WtihqetD4sz2H+8nIeA= -gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= diff --git a/pki/pki.go b/pki/pki.go index 4f3b2127..c05eadbd 100644 --- a/pki/pki.go +++ b/pki/pki.go @@ -389,7 +389,7 @@ func New(o apiv1.Options, opts ...Option) (*PKI, error) { if port == "443" || p.options.isHelm { p.Defaults.CaUrl = fmt.Sprintf("https://%s", p.Defaults.CaUrl) } else { - p.Defaults.CaUrl = fmt.Sprintf("https://%s:%s", p.Defaults.CaUrl, port) + p.Defaults.CaUrl = fmt.Sprintf("https://%s", net.JoinHostPort(p.Defaults.CaUrl, port)) } } diff --git a/policy/engine.go b/policy/engine.go index d1fb4928..c02fd7a9 100755 --- a/policy/engine.go +++ b/policy/engine.go @@ -4,11 +4,13 @@ import ( "crypto/x509" "fmt" "net" + "net/http" "net/url" + "go.step.sm/crypto/x509util" "golang.org/x/crypto/ssh" - "go.step.sm/crypto/x509util" + "github.com/smallstep/certificates/errs" ) type NamePolicyReason int @@ -62,6 +64,22 @@ func (e *NamePolicyError) Error() string { } } +// As implements the As(any) bool interface and allows to use "errors.As()" to +// convert a NotAllowed NamePolicyError to an errs.Error. +func (e *NamePolicyError) As(v any) bool { + if e.Reason == NotAllowed { + if err, ok := v.(**errs.Error); ok { + *err = &errs.Error{ + Status: http.StatusForbidden, + Msg: fmt.Sprintf("The request was forbidden by the certificate authority: %s", e.Error()), + Err: e, + } + return true + } + } + return false +} + func (e *NamePolicyError) Detail() string { return e.detail } @@ -73,7 +91,6 @@ func (e *NamePolicyError) Detail() string { // TODO(hs): implement matching URI schemes, paths, etc; not just the domain part of URI domains type NamePolicyEngine struct { - // verifySubjectCommonName is set when Subject Common Name must be verified verifySubjectCommonName bool // allowLiteralWildcardNames allows literal wildcard DNS domains @@ -107,7 +124,6 @@ type NamePolicyEngine struct { // NewNamePolicyEngine creates a new NamePolicyEngine with NamePolicyOptions func New(opts ...NamePolicyOption) (*NamePolicyEngine, error) { - e := &NamePolicyEngine{} for _, option := range opts { if err := option(e); err != nil { @@ -153,7 +169,6 @@ func New(opts ...NamePolicyOption) (*NamePolicyEngine, error) { // duplicate values removed. It retains the order of elements // in the source slice. func removeDuplicates(items []string) (ret []string) { - // no need to remove dupes; return original if len(items) <= 1 { return items @@ -179,7 +194,6 @@ func removeDuplicates(items []string) (ret []string) { // the source slice. An IPNet is considered duplicate if its CIDR // notation exists multiple times in the slice. func removeDuplicateIPNets(items []*net.IPNet) (ret []*net.IPNet) { - // no need to remove dupes; return original if len(items) <= 1 { return items diff --git a/policy/options_117_test.go b/policy/options_117_test.go deleted file mode 100644 index 916eefe2..00000000 --- a/policy/options_117_test.go +++ /dev/null @@ -1,125 +0,0 @@ -//go:build !go1.18 -// +build !go1.18 - -package policy - -import "testing" - -func Test_normalizeAndValidateURIDomainConstraint(t *testing.T) { - tests := []struct { - name string - constraint string - want string - wantErr bool - }{ - { - name: "fail/empty-constraint", - constraint: "", - want: "", - wantErr: true, - }, - { - name: "fail/scheme-https", - constraint: `https://*.local`, - want: "", - wantErr: true, - }, - { - name: "fail/too-many-asterisks", - constraint: "**.local", - want: "", - wantErr: true, - }, - { - name: "fail/empty-label", - constraint: "..local", - want: "", - wantErr: true, - }, - { - name: "fail/empty-reverse", - constraint: ".", - want: "", - wantErr: true, - }, - { - name: "fail/no-asterisk", - constraint: ".example.com", - want: "", - wantErr: true, - }, - { - name: "fail/domain-with-port", - constraint: "host.local:8443", - want: "", - wantErr: true, - }, - { - name: "fail/ipv4", - constraint: "127.0.0.1", - want: "", - wantErr: true, - }, - { - name: "fail/ipv6-brackets", - constraint: "[::1]", - want: "", - wantErr: true, - }, - { - name: "fail/ipv6-no-brackets", - constraint: "::1", - want: "", - wantErr: true, - }, - { - name: "fail/ipv6-no-brackets", - constraint: "[::1", - want: "", - wantErr: true, - }, - { - name: "fail/idna-internationalized-domain-name-lookup", - constraint: `\00local`, - want: "", - wantErr: true, - }, - { - name: "ok/wildcard", - constraint: "*.local", - want: ".local", - wantErr: false, - }, - { - name: "ok/specific-domain", - constraint: "example.local", - want: "example.local", - wantErr: false, - }, - { - name: "ok/idna-internationalized-domain-name-lookup", - constraint: `*.bücher.example.com`, - want: ".xn--bcher-kva.example.com", - wantErr: false, - }, - { - // IDNA2003 vs. 2008 deviation: https://unicode.org/reports/tr46/#Deviations results - // in a difference between Go 1.18 and lower versions. Go 1.18 expects ".xn--fa-hia.de"; not .fass.de. - name: "ok/idna-internationalized-domain-name-lookup-deviation", - constraint: `*.faß.de`, - want: ".fass.de", - wantErr: false, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - got, err := normalizeAndValidateURIDomainConstraint(tt.constraint) - if (err != nil) != tt.wantErr { - t.Errorf("normalizeAndValidateURIDomainConstraint() error = %v, wantErr %v", err, tt.wantErr) - } - if got != tt.want { - t.Errorf("normalizeAndValidateURIDomainConstraint() = %v, want %v", got, tt.want) - } - }) - } -} diff --git a/policy/options_118_test.go b/policy/options_118_test.go deleted file mode 100644 index 6fa2ded4..00000000 --- a/policy/options_118_test.go +++ /dev/null @@ -1,125 +0,0 @@ -//go:build go1.18 -// +build go1.18 - -package policy - -import "testing" - -func Test_normalizeAndValidateURIDomainConstraint(t *testing.T) { - tests := []struct { - name string - constraint string - want string - wantErr bool - }{ - { - name: "fail/empty-constraint", - constraint: "", - want: "", - wantErr: true, - }, - { - name: "fail/scheme-https", - constraint: `https://*.local`, - want: "", - wantErr: true, - }, - { - name: "fail/too-many-asterisks", - constraint: "**.local", - want: "", - wantErr: true, - }, - { - name: "fail/empty-label", - constraint: "..local", - want: "", - wantErr: true, - }, - { - name: "fail/empty-reverse", - constraint: ".", - want: "", - wantErr: true, - }, - { - name: "fail/domain-with-port", - constraint: "host.local:8443", - want: "", - wantErr: true, - }, - { - name: "fail/no-asterisk", - constraint: ".example.com", - want: "", - wantErr: true, - }, - { - name: "fail/ipv4", - constraint: "127.0.0.1", - want: "", - wantErr: true, - }, - { - name: "fail/ipv6-brackets", - constraint: "[::1]", - want: "", - wantErr: true, - }, - { - name: "fail/ipv6-no-brackets", - constraint: "::1", - want: "", - wantErr: true, - }, - { - name: "fail/ipv6-no-brackets", - constraint: "[::1", - want: "", - wantErr: true, - }, - { - name: "fail/idna-internationalized-domain-name-lookup", - constraint: `\00local`, - want: "", - wantErr: true, - }, - { - name: "ok/wildcard", - constraint: "*.local", - want: ".local", - wantErr: false, - }, - { - name: "ok/specific-domain", - constraint: "example.local", - want: "example.local", - wantErr: false, - }, - { - name: "ok/idna-internationalized-domain-name-lookup", - constraint: `*.bücher.example.com`, - want: ".xn--bcher-kva.example.com", - wantErr: false, - }, - { - // IDNA2003 vs. 2008 deviation: https://unicode.org/reports/tr46/#Deviations results - // in a difference between Go 1.18 and lower versions. Go 1.18 expects ".xn--fa-hia.de"; not .fass.de. - name: "ok/idna-internationalized-domain-name-lookup-deviation", - constraint: `*.faß.de`, - want: ".xn--fa-hia.de", - wantErr: false, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - got, err := normalizeAndValidateURIDomainConstraint(tt.constraint) - if (err != nil) != tt.wantErr { - t.Errorf("normalizeAndValidateURIDomainConstraint() error = %v, wantErr %v", err, tt.wantErr) - } - if got != tt.want { - t.Errorf("normalizeAndValidateURIDomainConstraint() = %v, want %v", got, tt.want) - } - }) - } -} diff --git a/policy/options_test.go b/policy/options_test.go index 697afecf..c8b05aa6 100644 --- a/policy/options_test.go +++ b/policy/options_test.go @@ -658,3 +658,122 @@ func TestNew(t *testing.T) { }) } } + +func Test_normalizeAndValidateURIDomainConstraint(t *testing.T) { + tests := []struct { + name string + constraint string + want string + wantErr bool + }{ + { + name: "fail/empty-constraint", + constraint: "", + want: "", + wantErr: true, + }, + { + name: "fail/scheme-https", + constraint: `https://*.local`, + want: "", + wantErr: true, + }, + { + name: "fail/too-many-asterisks", + constraint: "**.local", + want: "", + wantErr: true, + }, + { + name: "fail/empty-label", + constraint: "..local", + want: "", + wantErr: true, + }, + { + name: "fail/empty-reverse", + constraint: ".", + want: "", + wantErr: true, + }, + { + name: "fail/domain-with-port", + constraint: "host.local:8443", + want: "", + wantErr: true, + }, + { + name: "fail/no-asterisk", + constraint: ".example.com", + want: "", + wantErr: true, + }, + { + name: "fail/ipv4", + constraint: "127.0.0.1", + want: "", + wantErr: true, + }, + { + name: "fail/ipv6-brackets", + constraint: "[::1]", + want: "", + wantErr: true, + }, + { + name: "fail/ipv6-no-brackets", + constraint: "::1", + want: "", + wantErr: true, + }, + { + name: "fail/ipv6-no-brackets", + constraint: "[::1", + want: "", + wantErr: true, + }, + { + name: "fail/idna-internationalized-domain-name-lookup", + constraint: `\00local`, + want: "", + wantErr: true, + }, + { + name: "ok/wildcard", + constraint: "*.local", + want: ".local", + wantErr: false, + }, + { + name: "ok/specific-domain", + constraint: "example.local", + want: "example.local", + wantErr: false, + }, + { + name: "ok/idna-internationalized-domain-name-lookup", + constraint: `*.bücher.example.com`, + want: ".xn--bcher-kva.example.com", + wantErr: false, + }, + { + // IDNA2003 vs. 2008 deviation: https://unicode.org/reports/tr46/#Deviations results + // in a difference between Go 1.18 and lower versions. Go 1.18 expects ".xn--fa-hia.de"; not .fass.de. + name: "ok/idna-internationalized-domain-name-lookup-deviation", + constraint: `*.faß.de`, + want: ".xn--fa-hia.de", + wantErr: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := normalizeAndValidateURIDomainConstraint(tt.constraint) + if (err != nil) != tt.wantErr { + t.Errorf("normalizeAndValidateURIDomainConstraint() error = %v, wantErr %v", err, tt.wantErr) + } + if got != tt.want { + t.Errorf("normalizeAndValidateURIDomainConstraint() = %v, want %v", got, tt.want) + } + }) + } +} diff --git a/policy/validate.go b/policy/validate.go index ee6f7e9c..f7cf6e70 100644 --- a/policy/validate.go +++ b/policy/validate.go @@ -8,6 +8,7 @@ package policy import ( "bytes" + "errors" "fmt" "net" "net/url" @@ -21,7 +22,6 @@ import ( // validateNames verifies that all names are allowed. func (e *NamePolicyEngine) validateNames(dnsNames []string, ips []net.IP, emailAddresses []string, uris []*url.URL, principals []string) error { - // nothing to compare against; return early if e.totalNumberOfConstraints == 0 { return nil @@ -182,7 +182,6 @@ func (e *NamePolicyEngine) validateNames(dnsNames []string, ips []net.IP, emailA // validateCommonName verifies that the Subject Common Name is allowed func (e *NamePolicyEngine) validateCommonName(commonName string) error { - // nothing to compare against; return early if e.totalNumberOfConstraints == 0 { return nil @@ -212,7 +211,8 @@ func (e *NamePolicyEngine) validateCommonName(commonName string) error { err := e.validateNames(dnsNames, ips, emails, uris, []string{}) - if pe, ok := err.(*NamePolicyError); ok { + var pe *NamePolicyError + if errors.As(err, &pe) { // override the name type with CN pe.NameType = CNNameType } @@ -229,7 +229,6 @@ func checkNameConstraints( parsedName interface{}, match func(parsedName, constraint interface{}) (match bool, err error), permitted, excluded interface{}) error { - excludedValue := reflect.ValueOf(excluded) for i := 0; i < excludedValue.Len(); i++ { @@ -552,7 +551,6 @@ func (e *NamePolicyEngine) matchDomainConstraint(domain, constraint string) (boo // SOURCE: https://cs.opensource.google/go/go/+/refs/tags/go1.17.5:src/crypto/x509/verify.go func matchIPConstraint(ip net.IP, constraint *net.IPNet) (bool, error) { - // TODO(hs): this is code from Go library, but I got some unexpected result: // with permitted net 127.0.0.0/24, 127.0.0.1 is NOT allowed. When parsing 127.0.0.1 as net.IP // which is in the IPAddresses slice, the underlying length is 16. The contraint.IP has a length diff --git a/scep/api/api.go b/scep/api/api.go index b738a933..346b9c75 100644 --- a/scep/api/api.go +++ b/scep/api/api.go @@ -350,7 +350,6 @@ func formatCapabilities(caps []string) []byte { // writeResponse writes a SCEP response back to the SCEP client. func writeResponse(w http.ResponseWriter, res Response) { - if res.Error != nil { log.Error(w, res.Error) } diff --git a/scep/authority.go b/scep/authority.go index 7dbbb8c5..bdba1d5f 100644 --- a/scep/authority.go +++ b/scep/authority.go @@ -71,7 +71,6 @@ type SignAuthority interface { // New returns a new Authority that implements the SCEP interface. func New(signAuth SignAuthority, ops AuthorityOptions) (*Authority, error) { - authority := &Authority{ prefix: ops.Prefix, dns: ops.DNS, @@ -145,7 +144,6 @@ func (a *Authority) getLinkExplicit(provisionerName string, abs bool, baseURL *u // GetCACertificates returns the certificate (chain) for the CA func (a *Authority) GetCACertificates(ctx context.Context) ([]*x509.Certificate, error) { - // TODO: this should return: the "SCEP Server (RA)" certificate, the issuing CA up to and excl. the root // Some clients do need the root certificate however; also see: https://github.com/openxpki/openxpki/issues/73 // @@ -385,7 +383,6 @@ func (a *Authority) SignCSR(ctx context.Context, csr *x509.CertificateRequest, m // CreateFailureResponse creates an appropriately signed reply for PKI operations func (a *Authority) CreateFailureResponse(ctx context.Context, csr *x509.CertificateRequest, msg *PKIMessage, info FailInfoName, infoText string) (*PKIMessage, error) { - config := pkcs7.SignerInfoConfig{ ExtraSignedAttributes: []pkcs7.Attribute{ { @@ -471,7 +468,6 @@ func (a *Authority) MatchChallengePassword(ctx context.Context, password string) // GetCACaps returns the CA capabilities func (a *Authority) GetCACaps(ctx context.Context) []string { - p, err := provisionerFromContext(ctx) if err != nil { return defaultCapabilities diff --git a/scep/options.go b/scep/options.go index 752b309a..201f1beb 100644 --- a/scep/options.go +++ b/scep/options.go @@ -20,7 +20,6 @@ type Options struct { // Validate checks the fields in Options. func (o *Options) Validate() error { - if o.CertificateChain == nil { return errors.New("certificate chain not configured correctly") } diff --git a/scep/service.go b/scep/service.go index 508bcf77..a4efe27e 100644 --- a/scep/service.go +++ b/scep/service.go @@ -14,7 +14,6 @@ type Service struct { } func NewService(ctx context.Context, opts Options) (*Service, error) { - if err := opts.Validate(); err != nil { return nil, err }