From 2959aa676de9ddd3614cb0c6cf398fd77fa5d9c1 Mon Sep 17 00:00:00 2001 From: Mariano Cano Date: Tue, 20 Sep 2022 13:12:34 -0700 Subject: [PATCH] Add helper ValidateCertificate --- authority/internal/constraints/constraints.go | 6 ++ .../internal/constraints/constraints_test.go | 72 +++++++++++++++++++ 2 files changed, 78 insertions(+) diff --git a/authority/internal/constraints/constraints.go b/authority/internal/constraints/constraints.go index c994c7a6..327379b7 100644 --- a/authority/internal/constraints/constraints.go +++ b/authority/internal/constraints/constraints.go @@ -115,3 +115,9 @@ func (s *Engine) Validate(dnsNames []string, ipAddresses []net.IP, emailAddresse return nil } + +// ValidateCertificate validates the DNS names, IP addresses, Email address and +// URIs present in the given certificate. +func (s *Engine) ValidateCertificate(cert *x509.Certificate) error { + return s.Validate(cert.DNSNames, cert.IPAddresses, cert.EmailAddresses, cert.URIs) +} diff --git a/authority/internal/constraints/constraints_test.go b/authority/internal/constraints/constraints_test.go index f70d39cb..f4f909bf 100644 --- a/authority/internal/constraints/constraints_test.go +++ b/authority/internal/constraints/constraints_test.go @@ -229,3 +229,75 @@ func Test_service_Validate_nil(t *testing.T) { t.Errorf("service.Validate() error = %v, wantErr false", err) } } + +func TestEngine_ValidateCertificate(t *testing.T) { + type fields struct { + hasNameConstraints bool + permittedDNSDomains []string + excludedDNSDomains []string + permittedIPRanges []*net.IPNet + excludedIPRanges []*net.IPNet + permittedEmailAddresses []string + excludedEmailAddresses []string + permittedURIDomains []string + excludedURIDomains []string + } + type args struct { + cert *x509.Certificate + } + tests := []struct { + name string + fields fields + args args + wantErr bool + }{ + {"ok", fields{hasNameConstraints: false}, args{&x509.Certificate{ + DNSNames: []string{"example.com"}, + IPAddresses: []net.IP{{127, 0, 0, 1}}, + EmailAddresses: []string{"info@example.com"}, + URIs: []*url.URL{{Scheme: "https", Host: "uuid.example.com", Path: "/dc4c76b5-5262-4551-a881-48094a604d63"}}, + }}, false}, + {"ok with constraints", fields{ + hasNameConstraints: false, + permittedDNSDomains: []string{"example.com"}, + permittedIPRanges: []*net.IPNet{ + {IP: net.ParseIP("127.0.0.1").To4(), Mask: net.IPMask{255, 255, 255, 255}}, + {IP: net.ParseIP("10.3.0.0").To4(), Mask: net.IPMask{255, 255, 0, 0}}, + }, + permittedEmailAddresses: []string{"example.com"}, + permittedURIDomains: []string{".example.com"}, + }, args{&x509.Certificate{ + DNSNames: []string{"www.example.com"}, + IPAddresses: []net.IP{{127, 0, 0, 1}, {10, 3, 1, 1}}, + EmailAddresses: []string{"info@example.com"}, + URIs: []*url.URL{{Scheme: "https", Host: "uuid.example.com", Path: "/dc4c76b5-5262-4551-a881-48094a604d63"}}, + }}, false}, + {"fail", fields{ + hasNameConstraints: true, + permittedURIDomains: []string{".example.com"}, + }, args{&x509.Certificate{ + DNSNames: []string{"example.com"}, + IPAddresses: []net.IP{{127, 0, 0, 1}}, + EmailAddresses: []string{"info@example.com"}, + URIs: []*url.URL{{Scheme: "https", Host: "uuid.example.org", Path: "/dc4c76b5-5262-4551-a881-48094a604d63"}}, + }}, true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + s := &Engine{ + hasNameConstraints: tt.fields.hasNameConstraints, + permittedDNSDomains: tt.fields.permittedDNSDomains, + excludedDNSDomains: tt.fields.excludedDNSDomains, + permittedIPRanges: tt.fields.permittedIPRanges, + excludedIPRanges: tt.fields.excludedIPRanges, + permittedEmailAddresses: tt.fields.permittedEmailAddresses, + excludedEmailAddresses: tt.fields.excludedEmailAddresses, + permittedURIDomains: tt.fields.permittedURIDomains, + excludedURIDomains: tt.fields.excludedURIDomains, + } + if err := s.ValidateCertificate(tt.args.cert); (err != nil) != tt.wantErr { + t.Errorf("Engine.ValidateCertificate() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +}