enforce certificate correctness in TBSCertificate.SignWith (#1266)

* enforce certificate correctness in TBSCertificate.SignWith * check length, not nil * Address review comments * github hates me --------- Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-12-30 18:48:28 +01:00 · 2025-01-09 17:13:10 -05:00
parent 3f31517018
commit 8704047395
8 changed files with 188 additions and 21 deletions
--- a/cmd/nebula-cert/print_test.go
+++ b/cmd/nebula-cert/print_test.go
@@ -73,7 +73,7 @@ func Test_printCert(t *testing.T) {
 	tf.Truncate(0)
 	tf.Seek(0, 0)
 	ca, caKey := NewTestCaCert("test ca", nil, nil, time.Time{}, time.Time{}, nil, nil, nil)
-	c, _ := NewTestCert(ca, caKey, "test", time.Time{}, time.Time{}, nil, nil, []string{"hi"})
+	c, _ := NewTestCert(ca, caKey, "test", time.Time{}, time.Time{}, []netip.Prefix{netip.MustParsePrefix("10.0.0.123/8")}, nil, []string{"hi"})

 	p, _ := c.MarshalPEM()
 	tf.Write(p)
@@ -97,7 +97,9 @@ func Test_printCert(t *testing.T) {
 		"isCa": false,
 		"issuer": "`+c.Issuer()+`",
 		"name": "test",
-		"networks": [],
+		"networks": [
+			"10.0.0.123/8"
+		],
 		"notAfter": "0001-01-01T00:00:00Z",
 		"notBefore": "0001-01-01T00:00:00Z",
 		"publicKey": "`+pk+`",
@@ -116,7 +118,9 @@ func Test_printCert(t *testing.T) {
 		"isCa": false,
 		"issuer": "`+c.Issuer()+`",
 		"name": "test",
-		"networks": [],
+		"networks": [
+			"10.0.0.123/8"
+		],
 		"notAfter": "0001-01-01T00:00:00Z",
 		"notBefore": "0001-01-01T00:00:00Z",
 		"publicKey": "`+pk+`",
@@ -135,7 +139,9 @@ func Test_printCert(t *testing.T) {
 		"isCa": false,
 		"issuer": "`+c.Issuer()+`",
 		"name": "test",
-		"networks": [],
+		"networks": [
+			"10.0.0.123/8"
+		],
 		"notAfter": "0001-01-01T00:00:00Z",
 		"notBefore": "0001-01-01T00:00:00Z",
 		"publicKey": "`+pk+`",
@@ -166,7 +172,7 @@ func Test_printCert(t *testing.T) {
 	assert.Nil(t, err)
 	assert.Equal(
 		t,
-		`[{"details":{"curve":"CURVE25519","groups":["hi"],"isCa":false,"issuer":"`+c.Issuer()+`","name":"test","networks":[],"notAfter":"0001-01-01T00:00:00Z","notBefore":"0001-01-01T00:00:00Z","publicKey":"`+pk+`","unsafeNetworks":[]},"fingerprint":"`+fp+`","signature":"`+sig+`","version":1},{"details":{"curve":"CURVE25519","groups":["hi"],"isCa":false,"issuer":"`+c.Issuer()+`","name":"test","networks":[],"notAfter":"0001-01-01T00:00:00Z","notBefore":"0001-01-01T00:00:00Z","publicKey":"`+pk+`","unsafeNetworks":[]},"fingerprint":"`+fp+`","signature":"`+sig+`","version":1},{"details":{"curve":"CURVE25519","groups":["hi"],"isCa":false,"issuer":"`+c.Issuer()+`","name":"test","networks":[],"notAfter":"0001-01-01T00:00:00Z","notBefore":"0001-01-01T00:00:00Z","publicKey":"`+pk+`","unsafeNetworks":[]},"fingerprint":"`+fp+`","signature":"`+sig+`","version":1}]
+		`[{"details":{"curve":"CURVE25519","groups":["hi"],"isCa":false,"issuer":"`+c.Issuer()+`","name":"test","networks":["10.0.0.123/8"],"notAfter":"0001-01-01T00:00:00Z","notBefore":"0001-01-01T00:00:00Z","publicKey":"`+pk+`","unsafeNetworks":[]},"fingerprint":"`+fp+`","signature":"`+sig+`","version":1},{"details":{"curve":"CURVE25519","groups":["hi"],"isCa":false,"issuer":"`+c.Issuer()+`","name":"test","networks":["10.0.0.123/8"],"notAfter":"0001-01-01T00:00:00Z","notBefore":"0001-01-01T00:00:00Z","publicKey":"`+pk+`","unsafeNetworks":[]},"fingerprint":"`+fp+`","signature":"`+sig+`","version":1},{"details":{"curve":"CURVE25519","groups":["hi"],"isCa":false,"issuer":"`+c.Issuer()+`","name":"test","networks":["10.0.0.123/8"],"notAfter":"0001-01-01T00:00:00Z","notBefore":"0001-01-01T00:00:00Z","publicKey":"`+pk+`","unsafeNetworks":[]},"fingerprint":"`+fp+`","signature":"`+sig+`","version":1}]
 `,
 		ob.String(),
 	)
@@ -212,6 +218,10 @@ func NewTestCert(ca cert.Certificate, signerKey []byte, name string, before, aft
 		after = ca.NotAfter()
 	}

+	if len(networks) == 0 {
+		networks = []netip.Prefix{netip.MustParsePrefix("10.0.0.123/8")}
+	}
+
 	pub, rawPriv := x25519Keypair()
 	nc := &cert.TBSCertificate{
 		Version:        cert.Version1,