diff --git a/authority/internal/constraints/constraints.go b/authority/internal/constraints/constraints.go
index a9dcf715..0e8c4f27 100644
--- a/authority/internal/constraints/constraints.go
+++ b/authority/internal/constraints/constraints.go
@@ -10,12 +10,13 @@ import (
 var oidExtensionNameConstraints = []int{2, 5, 29, 30}
 type ConstraintError struct {
- Type string
- Name string
+ Type string
+ Name string
+ Detail string
 }
 func (e ConstraintError) Error() string {
- return fmt.Sprintf("%s %q is not allowed", e.Type, e.Name)
+ return e.Detail
 }
 type service struct {
@@ -74,7 +75,8 @@ func (s *service) Validate(dnsNames []string, ipAddresses []*net.IP, emailAddres
 if err := checkNameConstraints("IP address", ip.String(), ip, s.permittedIPRanges, s.excludedIPRanges,
 func(parsedName, constraint any) (bool, error) {
 return matchIPConstraint(parsedName.(net.IP), constraint.(*net.IPNet))
- }); err != nil {
+ },
+ ); err != nil {
 return err
 }
 }
@@ -97,7 +99,8 @@ func (s *service) Validate(dnsNames []string, ipAddresses []*net.IP, emailAddres
 if err := checkNameConstraints("URI", uri.String(), uri, s.permittedURIDomains, s.excludedURIDomains,
 func(parsedName, constraint any) (bool, error) {
 return matchURIConstraint(parsedName.(*url.URL), constraint.(string))
- }); err != nil {
+ },
+ ); err != nil {
 return err
 }
 }
diff --git a/authority/internal/constraints/verify.go b/authority/internal/constraints/verify.go
index 767fe304..552c5ea2 100644
--- a/authority/internal/constraints/verify.go
+++ b/authority/internal/constraints/verify.go
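Review bot: `Error()` now returns `e.Detail` unconditionally, so a `ConstraintError` built with only `Type` and `Name` — the shape the old struct allowed, and one that any constructor outside these two hunks may still use — yields an empty error string, and the exported `Type`/`Name` fields no longer influence the message at all. Keep the old text as the fallback: `if e.Detail == "" { return fmt.Sprintf("%s %q is not allowed", e.Type, e.Name) }` ahead of `return e.Detail`. The exported type also still lacks a doc comment; something like `// ConstraintError reports a name rejected by the configured name constraints; Detail holds the human-readable reason.` would cover it (the exact callers are outside this hunk, so adjust the wording to match).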
@@ -43,11 +43,19 @@ func checkNameConstraints(nameType string, name string, parsedName any, permitte
 constraint := excludedValue.Index(i).Interface()
 match, err := match(parsedName, constraint)
 if err != nil {
- return err
+ return ConstraintError{
+ Type: nameType,
+ Name: name,
+ Detail: err.Error(),
+ }
 }
 if match {
- return fmt.Errorf("%s %q is excluded by constraint %q", nameType, name, constraint)
+ return ConstraintError{
+ Type: nameType,
+ Name: name,
+ Detail: fmt.Sprintf("%s %q is excluded by constraint %q", nameType, name, constraint),
+ }
 }
 }
@@ -60,14 +68,22 @@ func checkNameConstraints(nameType string, name string, parsedName any, permitte
 for i := 0; i < permittedValue.Len(); i++ {
 constraint := permittedValue.Index(i).Interface()
 if ok, err = match(parsedName, constraint); err != nil {
- return err
+ return ConstraintError{
+ Type: nameType,
+ Name: name,
+ Detail: err.Error(),
+ }
 }
 if ok {
 break
 }
 }
 if !ok {
- return fmt.Errorf("%s %q is not permitted by any constraint", nameType, name)
+ return ConstraintError{
+ Type: nameType,
+ Name: name,
+ Detail: fmt.Sprintf("%s %q is not permitted by any constraint", nameType, name),
+ }
 }
 return nil
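Review bot: Wrapping the `match` failure as `ConstraintError{Detail: err.Error()}` flattens the underlying error to a string, so callers can no longer use `errors.Is`/`errors.As` on the cause, and the resulting message names neither the type nor the value being checked (the old code returned the bare `err`, so only the lost cause chain is new). Either carry the cause — an `Err error` field on `ConstraintError` with `func (e ConstraintError) Unwrap() error { return e.Err }` — or at minimum give the text context: `Detail: fmt.Sprintf("%s %q: %v", nameType, name, err)`. The "excluded by constraint %q" path still embeds the matched constraint in the message; if `Detail` is ever shown to the requester that discloses the exclusion list, which was already true of the old `fmt.Errorf` but deserves a deliberate decision now that the message is a stable field. checkNameConstraints begins and ends outside this hunk.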