forked from smallstep/certificates
-
Notifications
You must be signed in to change notification settings - Fork 0
/
claims.go
115 lines (102 loc) · 2.94 KB
/
claims.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
package authority
import (
"net"
"reflect"
"time"
"github.com/pkg/errors"
x509 "github.com/smallstep/cli/pkg/x509"
)
// certClaim interface is implemented by types used to validate specific claims in a
// certificate request.
type certClaim interface {
Valid(crt *x509.Certificate) error
}
// ValidateClaims returns nil if all the claims are validated, it will return
// the first error if a claim fails.
func validateClaims(crt *x509.Certificate, claims []certClaim) (err error) {
for _, c := range claims {
if err = c.Valid(crt); err != nil {
return err
}
}
return
}
// commonNameClaim validates the common name of a certificate request.
type commonNameClaim struct {
name string
}
// Valid checks that certificate request common name matches the one configured.
func (c *commonNameClaim) Valid(crt *x509.Certificate) error {
if crt.Subject.CommonName == "" {
return errors.New("common name cannot be empty")
}
if crt.Subject.CommonName != c.name {
return errors.Errorf("common name claim failed - got %s, want %s", crt.Subject.CommonName, c.name)
}
return nil
}
type dnsNamesClaim struct {
names []string
}
// Valid checks that certificate request common name matches the one configured.
func (c *dnsNamesClaim) Valid(crt *x509.Certificate) error {
tokMap := make(map[string]int)
for _, e := range c.names {
tokMap[e] = 1
}
crtMap := make(map[string]int)
for _, e := range crt.DNSNames {
crtMap[e] = 1
}
if !reflect.DeepEqual(tokMap, crtMap) {
return errors.Errorf("DNS names claim failed - got %s, want %s", crt.DNSNames, c.names)
}
return nil
}
type ipAddressesClaim struct {
ips []net.IP
}
// Valid checks that certificate request common name matches the one configured.
func (c *ipAddressesClaim) Valid(crt *x509.Certificate) error {
tokMap := make(map[string]int)
for _, e := range c.ips {
tokMap[e.String()] = 1
}
crtMap := make(map[string]int)
for _, e := range crt.IPAddresses {
crtMap[e.String()] = 1
}
if !reflect.DeepEqual(tokMap, crtMap) {
return errors.Errorf("IP Addresses claim failed - got %v, want %v", crt.IPAddresses, c.ips)
}
return nil
}
// certTemporalClaim validates the certificate temporal validity settings.
type certTemporalClaim struct {
min time.Duration
max time.Duration
}
// Validate validates the certificate temporal validity settings.
func (ctc *certTemporalClaim) Valid(crt *x509.Certificate) error {
var (
na = crt.NotAfter
nb = crt.NotBefore
d = na.Sub(nb)
now = time.Now()
)
if na.Before(now) {
return errors.Errorf("NotAfter: %v cannot be in the past", na)
}
if na.Before(nb) {
return errors.Errorf("NotAfter: %v cannot be before NotBefore: %v", na, nb)
}
if d < ctc.min {
return errors.Errorf("requested duration of %v is less than the authorized minimum certificate duration of %v",
d, ctc.min)
}
if d > ctc.max {
return errors.Errorf("requested duration of %v is more than the authorized maximum certificate duration of %v",
d, ctc.max)
}
return nil
}