forked from zmap/zcrypto
-
Notifications
You must be signed in to change notification settings - Fork 1
/
verify_modified.go
449 lines (400 loc) · 13.8 KB
/
verify_modified.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
// Copyright 2011 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package x509
import (
"net"
"time"
)
const (
// NotAuthorizedToSign results when a certificate is signed by another
// which isn't marked as a CA certificate.
NotAuthorizedToSign InvalidReason = iota
// Expired results when a certificate has expired, based on the time
// given in the VerifyOptions.
Expired
// CANotAuthorizedForThisName results when an intermediate or root
// certificate has a name constraint which doesn't include the name
// being checked.
CANotAuthorizedForThisName
// CANotAuthorizedForThisEmail results when an intermediate or root
// certificate has a name constraint which doesn't include the email
// being checked.
CANotAuthorizedForThisEmail
// CANotAuthorizedForThisIP results when an intermediate or root
// certificate has a name constraint which doesn't include the IP
// being checked.
CANotAuthorizedForThisIP
// CANotAuthorizedForThisDirectory results when an intermediate or root
// certificate has a name constraint which doesn't include the directory
// being checked.
CANotAuthorizedForThisDirectory
// TooManyIntermediates results when a path length constraint is
// violated.
TooManyIntermediates
// IncompatibleUsage results when the certificate's key usage indicates
// that it may only be used for a different purpose.
IncompatibleUsage
// NameMismatch results when the subject name of a parent certificate
// does not match the issuer name in the child.
NameMismatch
// NeverValid results when the certificate could never have been valid due to
// some date-related issue, e.g. NotBefore > NotAfter.
NeverValid
// IsSelfSigned results when the certificate is self-signed and not a trusted
// root.
IsSelfSigned
)
func (e CertificateInvalidError) Error() string {
switch e.Reason {
case NotAuthorizedToSign:
return "x509: certificate is not authorized to sign other certificates"
case Expired:
return "x509: certificate has expired or is not yet valid"
case CANotAuthorizedForThisName:
return "x509: a root or intermediate certificate is not authorized to sign in this domain"
case CANotAuthorizedForThisEmail:
return "x509: a root or intermediate certificate is not authorized to sign this email address"
case CANotAuthorizedForThisIP:
return "x509: a root or intermediate certificate is not authorized to sign this IP address"
case CANotAuthorizedForThisDirectory:
return "x509: a root or intermediate certificate is not authorized to sign in this directory"
case TooManyIntermediates:
return "x509: too many intermediates for path length constraint"
case IncompatibleUsage:
return "x509: certificate specifies an incompatible key usage"
case NameMismatch:
return "x509: issuer name does not match subject from issuing certificate"
case NeverValid:
return "x509: certificate will never be valid"
}
return "x509: unknown error"
}
const maxIntermediateCount = 10
// VerifyOptions contains parameters for Certificate.Verify. It's a structure
// because other PKIX verification APIs have ended up needing many options.
type VerifyOptions struct {
DNSName string
EmailAddress string
IPAddress net.IP
Intermediates *CertPool
Roots *CertPool // if nil, the system roots are used
CurrentTime time.Time // if zero, the current time is used
// KeyUsage specifies which Extended Key Usage values are acceptable.
// An empty list means ExtKeyUsageServerAuth. Key usage is considered a
// constraint down the chain which mirrors Windows CryptoAPI behaviour,
// but not the spec. To accept any key usage, include ExtKeyUsageAny.
KeyUsages []ExtKeyUsage
}
// NOTE: the stdlib function does many more checks and is preferable. For backwards compatibility using this version
// isValid performs validity checks on the c. It will never return a
// date-related error.
func (c *Certificate) isValid(certType CertificateType, currentChain CertificateChain) error {
// KeyUsage status flags are ignored. From Engineering Security, Peter
// Gutmann: A European government CA marked its signing certificates as
// being valid for encryption only, but no-one noticed. Another
// European CA marked its signature keys as not being valid for
// signatures. A different CA marked its own trusted root certificate
// as being invalid for certificate signing. Another national CA
// distributed a certificate to be used to encrypt data for the
// country’s tax authority that was marked as only being usable for
// digital signatures but not for encryption. Yet another CA reversed
// the order of the bit flags in the keyUsage due to confusion over
// encoding endianness, essentially setting a random keyUsage in
// certificates that it issued. Another CA created a self-invalidating
// certificate by adding a certificate policy statement stipulating
// that the certificate had to be used strictly as specified in the
// keyUsage, and a keyUsage containing a flag indicating that the RSA
// encryption key could only be used for Diffie-Hellman key agreement.
if certType == CertificateTypeIntermediate && (!c.BasicConstraintsValid || !c.IsCA) {
return CertificateInvalidError{c, NotAuthorizedToSign}
}
if c.BasicConstraintsValid && c.MaxPathLen >= 0 {
numIntermediates := len(currentChain) - 1
if numIntermediates > c.MaxPathLen {
return CertificateInvalidError{c, TooManyIntermediates}
}
}
if len(currentChain) > maxIntermediateCount {
return CertificateInvalidError{c, TooManyIntermediates}
}
return nil
}
// Verify attempts to verify c by building one or more chains from c to a
// certificate in opts.Roots, using certificates in opts.Intermediates if
// needed. If successful, it returns one or more chains where the first
// element of the chain is c and the last element is from opts.Roots.
//
// If opts.Roots is nil and system roots are unavailable the returned error
// will be of type SystemRootsError.
//
// WARNING: this doesn't do any revocation checking.
func (c *Certificate) Verify(opts VerifyOptions) (current, expired, never []CertificateChain, err error) {
if opts.Roots == nil {
opts.Roots = systemRootsPool()
if opts.Roots == nil {
err = SystemRootsError{}
return
}
}
err = c.isValid(CertificateTypeLeaf, nil)
if err != nil {
return
}
candidateChains, err := c.buildChains(make(map[int][]CertificateChain), []*Certificate{c}, &opts)
if err != nil {
return
}
keyUsages := opts.KeyUsages
if len(keyUsages) == 0 {
keyUsages = []ExtKeyUsage{ExtKeyUsageServerAuth}
}
// If any key usage is acceptable then we're done.
hasKeyUsageAny := false
for _, usage := range keyUsages {
if usage == ExtKeyUsageAny {
hasKeyUsageAny = true
break
}
}
var chains []CertificateChain
if hasKeyUsageAny {
chains = candidateChains
} else {
for _, candidate := range candidateChains {
if checkChainForKeyUsage(candidate, keyUsages) {
chains = append(chains, candidate)
}
}
}
if len(chains) == 0 {
err = CertificateInvalidError{c, IncompatibleUsage}
return
}
current, expired, never = FilterByDate(chains, opts.CurrentTime)
if len(current) == 0 {
if len(expired) > 0 {
err = CertificateInvalidError{c, Expired}
} else if len(never) > 0 {
err = CertificateInvalidError{c, NeverValid}
}
return
}
if len(opts.DNSName) > 0 {
err = c.VerifyHostname(opts.DNSName)
if err != nil {
return
}
}
return
}
//// Verify attempts to verify c by building one or more chains from c to a
//// certificate in opts.Roots, using certificates in opts.Intermediates if
//// needed. If successful, it returns one or more chains where the first
//// element of the chain is c and the last element is from opts.Roots.
////
//// If opts.Roots is nil and system roots are unavailable the returned error
//// will be of type SystemRootsError.
////
//// WARNING: this doesn't do any revocation checking.
//func (c *Certificate) Verify(opts VerifyOptions) (current, expired, never []CertificateChain, err error) {
// // Platform-specific verification needs the ASN.1 contents so
// // this makes the behavior consistent across platforms.
// if len(c.Raw) == 0 {
// err = errNotParsed
// return
// }
// if opts.Intermediates != nil {
// for _, intermediate := range opts.Intermediates.certs {
// if len(intermediate.Raw) == 0 {
// err = errNotParsed
// return
// }
// }
// }
//
// //// Use Windows's own verification and chain building.
// //if opts.Roots == nil && runtime.GOOS == "windows" {
// // return c.systemVerify(&opts)
// //}
//
// if opts.Roots == nil {
// opts.Roots = systemRootsPool()
// if opts.Roots == nil {
// err = SystemRootsError{}
// return
// }
// }
//
// err = c.isValid(leafCertificate, nil, &opts)
// if err != nil {
// return
// }
//
// candidateChains, err := c.buildChains(make(map[int][]CertificateChain), []*Certificate{c}, &opts)
// if err != nil {
// return
// }
//
// if len(opts.DNSName) > 0 {
// err = c.VerifyHostname(opts.DNSName)
// if err != nil {
// return
// }
// }
//
// keyUsages := opts.KeyUsages
// if len(keyUsages) == 0 {
// keyUsages = []ExtKeyUsage{ExtKeyUsageServerAuth}
// }
//
// var hasKeyUsageAny bool
// // If any key usage is acceptable then we're done.
// for _, usage := range keyUsages {
// if usage == ExtKeyUsageAny {
// hasKeyUsageAny = true
// break
// }
// }
//
// var chains []CertificateChain
// if hasKeyUsageAny {
// chains = candidateChains
// } else {
// for _, candidate := range candidateChains {
// if checkChainForKeyUsage(candidate, keyUsages) {
// chains = append(chains, candidate)
// }
// }
// }
//
// if len(chains) == 0 {
// err = CertificateInvalidError{c, IncompatibleUsage}
// return
// }
//
// current, expired, never = FilterByDate(chains, opts.CurrentTime)
// if len(current) == 0 {
// if len(expired) > 0 {
// err = CertificateInvalidError{c, Expired}
// } else if len(never) > 0 {
// err = CertificateInvalidError{c, NeverValid}
// }
// return
// }
//
// return
//}
// buildChains returns all chains of length < maxIntermediateCount. Chains begin
// the certificate being validated (chain[0] = c), and end at a root. It
// enforces that all intermediates can sign certificates, and checks signatures.
// It does not enforce expiration.
func (c *Certificate) buildChains(cache map[int][]CertificateChain, currentChain CertificateChain, opts *VerifyOptions) (chains []CertificateChain, err error) {
// If the certificate being validated is a root, add the chain of length one
// containing just the root. Only do this on the first call to buildChains,
// when the len(currentChain) = 1.
if len(currentChain) == 1 && opts.Roots.Contains(c) {
chains = append(chains, CertificateChain{c})
}
if len(chains) == 0 && c.SelfSigned {
err = CertificateInvalidError{c, IsSelfSigned}
}
// Find roots that signed c and have matching SKID/AKID and Subject/Issuer.
possibleRoots, failedRoot, rootErr := opts.Roots.findVerifiedParents(c)
// If any roots are parents of c, create new chain for each one of them.
for _, rootNum := range possibleRoots {
root := opts.Roots.certs[rootNum]
err = root.isValid(CertificateTypeRoot, currentChain)
if err != nil {
continue
}
if !currentChain.CertificateInChain(root) {
chains = append(chains, currentChain.AppendToFreshChain(root))
}
}
// The root chains of length N+1 are now "done". Now we'll look for any
// intermediates that issue this certificate, meaning that any chain to a root
// through these intermediates is at least length N+2.
possibleIntermediates, failedIntermediate, intermediateErr := opts.Intermediates.findVerifiedParents(c)
for _, intermediateNum := range possibleIntermediates {
intermediate := opts.Intermediates.certs[intermediateNum]
if opts.Roots.Contains(intermediate) {
continue
}
if currentChain.CertificateSubjectAndKeyInChain(intermediate) {
continue
}
err = intermediate.isValid(CertificateTypeIntermediate, currentChain)
if err != nil {
continue
}
// We don't want to add any certificate to chains that doesn't somehow get
// to a root. We don't know if all chains through the intermediates will end
// at a root, so we slice off the back half of the chain and try to build
// that part separately.
childChains, ok := cache[intermediateNum]
if !ok {
childChains, err = intermediate.buildChains(cache, currentChain.AppendToFreshChain(intermediate), opts)
cache[intermediateNum] = childChains
}
chains = append(chains, childChains...)
}
if len(chains) > 0 {
err = nil
}
if len(chains) == 0 && err == nil {
hintErr := rootErr
hintCert := failedRoot
if hintErr == nil {
hintErr = intermediateErr
hintCert = failedIntermediate
}
err = UnknownAuthorityError{c, hintErr, hintCert}
}
return
}
// earlier returns the earlier of a and b
func earlier(a, b time.Time) time.Time {
if a.Before(b) {
return a
}
return b
}
// later returns the later of a and b
func later(a, b time.Time) time.Time {
if a.After(b) {
return a
}
return b
}
// check expirations divides chains into a set of disjoint chains, containing
// current chains valid now, expired chains that were valid at some point, and
// the set of chains that were never valid.
func FilterByDate(chains []CertificateChain, now time.Time) (current, expired, never []CertificateChain) {
for _, chain := range chains {
if len(chain) == 0 {
continue
}
leaf := chain[0]
lowerBound := leaf.NotBefore
upperBound := leaf.NotAfter
for _, c := range chain[1:] {
lowerBound = later(lowerBound, c.NotBefore)
upperBound = earlier(upperBound, c.NotAfter)
}
valid := lowerBound.Before(now) && upperBound.After(now)
wasValid := lowerBound.Before(upperBound)
if valid && !wasValid {
// Math/logic tells us this is impossible.
panic("valid && !wasValid should not be possible")
}
if valid {
current = append(current, chain)
} else if wasValid {
expired = append(expired, chain)
} else {
never = append(never, chain)
}
}
return
}