diff --git a/authority/internal/constraints/constraints.go b/authority/internal/constraints/constraints.go index 2755e102..9aa6d9c3 100644 --- a/authority/internal/constraints/constraints.go +++ b/authority/internal/constraints/constraints.go @@ -66,16 +66,13 @@ func New(chain ...*x509.Certificate) *Engine { e.excludedEmailAddresses = append(e.excludedEmailAddresses, crt.ExcludedEmailAddresses...) e.permittedURIDomains = append(e.permittedURIDomains, crt.PermittedURIDomains...) e.excludedURIDomains = append(e.excludedURIDomains, crt.ExcludedURIDomains...) - - if !e.hasNameConstraints { - for _, ext := range crt.Extensions { - if ext.Id.Equal(oidExtensionNameConstraints) { - e.hasNameConstraints = true - break - } - } - } } + + e.hasNameConstraints = len(e.permittedDNSDomains) > 0 || len(e.excludedDNSDomains) > 0 || + len(e.permittedIPRanges) > 0 || len(e.excludedIPRanges) > 0 || + len(e.permittedEmailAddresses) > 0 || len(e.excludedEmailAddresses) > 0 || + len(e.permittedURIDomains) > 0 || len(e.excludedURIDomains) > 0 + return e } diff --git a/authority/internal/constraints/constraints_test.go b/authority/internal/constraints/constraints_test.go index f65e1768..aaf5d410 100644 --- a/authority/internal/constraints/constraints_test.go +++ b/authority/internal/constraints/constraints_test.go @@ -79,6 +79,37 @@ func TestNew(t *testing.T) { } } +func TestNew_hasNameConstraints(t *testing.T) { + tests := []struct { + name string + fn func(c *x509.Certificate) + want bool + }{ + {"no constraints", func(c *x509.Certificate) {}, false}, + {"permittedDNSDomains", func(c *x509.Certificate) { c.PermittedDNSDomains = []string{"constraint"} }, true}, + {"excludedDNSDomains", func(c *x509.Certificate) { c.ExcludedDNSDomains = []string{"constraint"} }, true}, + {"permittedIPRanges", func(c *x509.Certificate) { + c.PermittedIPRanges = []*net.IPNet{{IP: net.ParseIP("192.168.3.0").To4(), Mask: net.IPMask{255, 255, 255, 0}}} + }, true}, + {"excludedIPRanges", func(c *x509.Certificate) { + c.ExcludedIPRanges = []*net.IPNet{{IP: net.ParseIP("192.168.3.0").To4(), Mask: net.IPMask{255, 255, 255, 0}}} + }, true}, + {"permittedEmailAddresses", func(c *x509.Certificate) { c.PermittedEmailAddresses = []string{"constraint"} }, true}, + {"excludedEmailAddresses", func(c *x509.Certificate) { c.ExcludedEmailAddresses = []string{"constraint"} }, true}, + {"permittedURIDomains", func(c *x509.Certificate) { c.PermittedURIDomains = []string{"constraint"} }, true}, + {"excludedURIDomains", func(c *x509.Certificate) { c.ExcludedURIDomains = []string{"constraint"} }, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + cert := &x509.Certificate{} + tt.fn(cert) + if e := New(cert); e.hasNameConstraints != tt.want { + t.Errorf("Engine.hasNameConstraints = %v, want %v", e.hasNameConstraints, tt.want) + } + }) + } +} + func TestEngine_Validate(t *testing.T) { type fields struct { hasNameConstraints bool