mirror of
https://github.com/slackhq/nebula.git
synced 2025-11-22 08:24:25 +01:00
V2 certificate format (#1216)
Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
This commit is contained in:
Nate Brown
@@ -2,14 +2,25 @@
|
||||
|
||||
This is a library for interacting with `nebula` style certificates and authorities.
|
||||
|
||||
A `protobuf` definition of the certificate format is also included
|
||||
There are now 2 versions of `nebula` certificates:
|
||||
|
||||
### Compiling the protobuf definition
|
||||
## v1
|
||||
|
||||
Make sure you have `protoc` installed.
|
||||
This version is deprecated.
|
||||
|
||||
A `protobuf` definition of the certificate format is included at `cert_v1.proto`
|
||||
|
||||
To compile the definition you will need `protoc` installed.
|
||||
|
||||
To compile for `go` with the same version of protobuf specified in go.mod:
|
||||
|
||||
```bash
|
||||
make
|
||||
make proto
|
||||
```
|
||||
|
||||
## v2
|
||||
|
||||
This is the latest version which uses asn.1 DER encoding. It can support ipv4 and ipv6 and tolerate
|
||||
future certificate changes better than v1.
|
||||
|
||||
`cert_v2.asn1` defines the wire format and can be used to compile marshalers.
|
||||
52
cert/asn1.go
Normal file
52
cert/asn1.go
Normal file
@@ -0,0 +1,52 @@
|
||||
package cert
|
||||
|
||||
import (
|
||||
"golang.org/x/crypto/cryptobyte"
|
||||
"golang.org/x/crypto/cryptobyte/asn1"
|
||||
)
|
||||
|
||||
// readOptionalASN1Boolean reads an asn.1 boolean with a specific tag instead of a asn.1 tag wrapping a boolean with a value
|
||||
// https://github.com/golang/go/issues/64811#issuecomment-1944446920
|
||||
func readOptionalASN1Boolean(b *cryptobyte.String, out *bool, tag asn1.Tag, defaultValue bool) bool {
|
||||
var present bool
|
||||
var child cryptobyte.String
|
||||
if !b.ReadOptionalASN1(&child, &present, tag) {
|
||||
return false
|
||||
}
|
||||
|
||||
if !present {
|
||||
*out = defaultValue
|
||||
return true
|
||||
}
|
||||
|
||||
// Ensure we have 1 byte
|
||||
if len(child) == 1 {
|
||||
*out = child[0] > 0
|
||||
return true
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
// readOptionalASN1Byte reads an asn.1 uint8 with a specific tag instead of a asn.1 tag wrapping a uint8 with a value
|
||||
// Similar issue as with readOptionalASN1Boolean
|
||||
func readOptionalASN1Byte(b *cryptobyte.String, out *byte, tag asn1.Tag, defaultValue byte) bool {
|
||||
var present bool
|
||||
var child cryptobyte.String
|
||||
if !b.ReadOptionalASN1(&child, &present, tag) {
|
||||
return false
|
||||
}
|
||||
|
||||
if !present {
|
||||
*out = defaultValue
|
||||
return true
|
||||
}
|
||||
|
||||
// Ensure we have 1 byte
|
||||
if len(child) == 1 {
|
||||
*out = child[0]
|
||||
return true
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
@@ -213,7 +213,7 @@ func (ncp *CAPool) GetCAForCert(c Certificate) (*CachedCertificate, error) {
|
||||
return signer, nil
|
||||
}
|
||||
|
||||
return nil, fmt.Errorf("could not find ca for the certificate")
|
||||
return nil, ErrCaNotFound
|
||||
}
|
||||
|
||||
// GetFingerprints returns an array of trusted CA fingerprints
|
||||
|
||||
@@ -1,7 +1,9 @@
|
||||
package cert
|
||||
|
||||
import (
|
||||
"net/netip"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
@@ -10,15 +12,15 @@ func TestNewCAPoolFromBytes(t *testing.T) {
|
||||
noNewLines := `
|
||||
# Current provisional, Remove once everything moves over to the real root.
|
||||
-----BEGIN NEBULA CERTIFICATE-----
|
||||
CkAKDm5lYnVsYSByb290IGNhKJfap9AFMJfg1+YGOiCUQGByMuNRhIlQBOyzXWbL
|
||||
vcKBwDhov900phEfJ5DN3kABEkDCq5R8qBiu8sl54yVfgRcQXEDt3cHr8UTSLszv
|
||||
bzBEr00kERQxxTzTsH8cpYEgRoipvmExvg8WP8NdAJEYJosB
|
||||
Cj4KDm5lYnVsYSByb290IGNhKM0cMM24zPCvBzogV24YEw5YiqeI/oYo8XXFsoo+
|
||||
PBmiOafNJhLacf9rsspAARJAz9OAnh8TKAUKix1kKVMyQU4iM3LsFfZRf6ODWXIf
|
||||
2qWMpB6fpd3PSoVYziPoOt2bIHIFLlgRLPJz3I3xBEdBCQ==
|
||||
-----END NEBULA CERTIFICATE-----
|
||||
# root-ca01
|
||||
-----BEGIN NEBULA CERTIFICATE-----
|
||||
CkMKEW5lYnVsYSByb290IGNhIDAxKJL2u9EFMJL86+cGOiDPXMH4oU6HZTk/CqTG
|
||||
BVG+oJpAoqokUBbI4U0N8CSfpUABEkB/Pm5A2xyH/nc8mg/wvGUWG3pZ7nHzaDMf
|
||||
8/phAUt+FLzqTECzQKisYswKvE3pl9mbEYKbOdIHrxdIp95mo4sF
|
||||
CkEKEW5lYnVsYSByb290IGNhIDAxKM0cMM24zPCvBzogPzbWTxt8ZgXPQEwup7Br
|
||||
BrtIt1O0q5AuTRT3+t2x1VJAARJAZ+2ib23qBXjdy49oU1YysrwuKkWWKrtJ7Jye
|
||||
rFBQpDXikOukhQD/mfkloFwJ+Yjsfru7IpTN4ZfjXL+kN/2sCA==
|
||||
-----END NEBULA CERTIFICATE-----
|
||||
`
|
||||
|
||||
@@ -26,18 +28,18 @@ BVG+oJpAoqokUBbI4U0N8CSfpUABEkB/Pm5A2xyH/nc8mg/wvGUWG3pZ7nHzaDMf
|
||||
# Current provisional, Remove once everything moves over to the real root.
|
||||
|
||||
-----BEGIN NEBULA CERTIFICATE-----
|
||||
CkAKDm5lYnVsYSByb290IGNhKJfap9AFMJfg1+YGOiCUQGByMuNRhIlQBOyzXWbL
|
||||
vcKBwDhov900phEfJ5DN3kABEkDCq5R8qBiu8sl54yVfgRcQXEDt3cHr8UTSLszv
|
||||
bzBEr00kERQxxTzTsH8cpYEgRoipvmExvg8WP8NdAJEYJosB
|
||||
Cj4KDm5lYnVsYSByb290IGNhKM0cMM24zPCvBzogV24YEw5YiqeI/oYo8XXFsoo+
|
||||
PBmiOafNJhLacf9rsspAARJAz9OAnh8TKAUKix1kKVMyQU4iM3LsFfZRf6ODWXIf
|
||||
2qWMpB6fpd3PSoVYziPoOt2bIHIFLlgRLPJz3I3xBEdBCQ==
|
||||
-----END NEBULA CERTIFICATE-----
|
||||
|
||||
# root-ca01
|
||||
|
||||
|
||||
-----BEGIN NEBULA CERTIFICATE-----
|
||||
CkMKEW5lYnVsYSByb290IGNhIDAxKJL2u9EFMJL86+cGOiDPXMH4oU6HZTk/CqTG
|
||||
BVG+oJpAoqokUBbI4U0N8CSfpUABEkB/Pm5A2xyH/nc8mg/wvGUWG3pZ7nHzaDMf
|
||||
8/phAUt+FLzqTECzQKisYswKvE3pl9mbEYKbOdIHrxdIp95mo4sF
|
||||
CkEKEW5lYnVsYSByb290IGNhIDAxKM0cMM24zPCvBzogPzbWTxt8ZgXPQEwup7Br
|
||||
BrtIt1O0q5AuTRT3+t2x1VJAARJAZ+2ib23qBXjdy49oU1YysrwuKkWWKrtJ7Jye
|
||||
rFBQpDXikOukhQD/mfkloFwJ+Yjsfru7IpTN4ZfjXL+kN/2sCA==
|
||||
-----END NEBULA CERTIFICATE-----
|
||||
|
||||
`
|
||||
@@ -45,65 +47,513 @@ BVG+oJpAoqokUBbI4U0N8CSfpUABEkB/Pm5A2xyH/nc8mg/wvGUWG3pZ7nHzaDMf
|
||||
expired := `
|
||||
# expired certificate
|
||||
-----BEGIN NEBULA CERTIFICATE-----
|
||||
CjkKB2V4cGlyZWQouPmWjQYwufmWjQY6ILCRaoCkJlqHgv5jfDN4lzLHBvDzaQm4
|
||||
vZxfu144hmgjQAESQG4qlnZi8DncvD/LDZnLgJHOaX1DWCHHEh59epVsC+BNgTie
|
||||
WH1M9n4O7cFtGlM6sJJOS+rCVVEJ3ABS7+MPdQs=
|
||||
CjMKB2V4cGlyZWQozRwwzRw6ICJSG94CqX8wn5I65Pwn25V6HftVfWeIySVtp2DA
|
||||
7TY/QAESQMaAk5iJT5EnQwK524ZaaHGEJLUqqbh5yyOHhboIGiVTWkFeH3HccTW8
|
||||
Tq5a8AyWDQdfXbtEZ1FwabeHfH5Asw0=
|
||||
-----END NEBULA CERTIFICATE-----
|
||||
`
|
||||
|
||||
p256 := `
|
||||
# p256 certificate
|
||||
-----BEGIN NEBULA CERTIFICATE-----
|
||||
CmYKEG5lYnVsYSBQMjU2IHRlc3Qo4s+7mgYw4tXrsAc6QQRkaW2jFmllYvN4+/k2
|
||||
6tctO9sPT3jOx8ES6M1nIqOhpTmZeabF/4rELDqPV4aH5jfJut798DUXql0FlF8H
|
||||
76gvQAGgBgESRzBFAiEAib0/te6eMiZOKD8gdDeloMTS0wGuX2t0C7TFdUhAQzgC
|
||||
IBNWYMep3ysx9zCgknfG5dKtwGTaqF++BWKDYdyl34KX
|
||||
CmQKEG5lYnVsYSBQMjU2IHRlc3QozRwwzbjM8K8HOkEEdrmmg40zQp44AkMq6DZp
|
||||
k+coOv04r+zh33ISyhbsafnYduN17p2eD7CmHvHuerguXD9f32gcxo/KsFCKEjMe
|
||||
+0ABoAYBEkcwRQIgVoTg38L7uWku9xQgsr06kxZ/viQLOO/w1Qj1vFUEnhcCIQCq
|
||||
75SjTiV92kv/1GcbT3wWpAZQQDBiUHVMVmh1822szA==
|
||||
-----END NEBULA CERTIFICATE-----
|
||||
`
|
||||
|
||||
rootCA := certificateV1{
|
||||
details: detailsV1{
|
||||
Name: "nebula root ca",
|
||||
name: "nebula root ca",
|
||||
},
|
||||
}
|
||||
|
||||
rootCA01 := certificateV1{
|
||||
details: detailsV1{
|
||||
Name: "nebula root ca 01",
|
||||
name: "nebula root ca 01",
|
||||
},
|
||||
}
|
||||
|
||||
rootCAP256 := certificateV1{
|
||||
details: detailsV1{
|
||||
Name: "nebula P256 test",
|
||||
name: "nebula P256 test",
|
||||
},
|
||||
}
|
||||
|
||||
p, err := NewCAPoolFromPEM([]byte(noNewLines))
|
||||
assert.Nil(t, err)
|
||||
assert.Equal(t, p.CAs[string("c9bfaf7ce8e84b2eeda2e27b469f4b9617bde192efd214b68891ecda6ed49522")].Certificate.Name(), rootCA.details.Name)
|
||||
assert.Equal(t, p.CAs[string("5c9c3f23e7ee7fe97637cbd3a0a5b854154d1d9aaaf7b566a51f4a88f76b64cd")].Certificate.Name(), rootCA01.details.Name)
|
||||
assert.Equal(t, p.CAs["ce4e6c7a596996eb0d82a8875f0f0137a4b53ce22d2421c9fd7150e7a26f6300"].Certificate.Name(), rootCA.details.name)
|
||||
assert.Equal(t, p.CAs["04c585fcd9a49b276df956a22b7ebea3bf23f1fca5a17c0b56ce2e626631969e"].Certificate.Name(), rootCA01.details.name)
|
||||
|
||||
pp, err := NewCAPoolFromPEM([]byte(withNewLines))
|
||||
assert.Nil(t, err)
|
||||
assert.Equal(t, pp.CAs[string("c9bfaf7ce8e84b2eeda2e27b469f4b9617bde192efd214b68891ecda6ed49522")].Certificate.Name(), rootCA.details.Name)
|
||||
assert.Equal(t, pp.CAs[string("5c9c3f23e7ee7fe97637cbd3a0a5b854154d1d9aaaf7b566a51f4a88f76b64cd")].Certificate.Name(), rootCA01.details.Name)
|
||||
assert.Equal(t, pp.CAs["ce4e6c7a596996eb0d82a8875f0f0137a4b53ce22d2421c9fd7150e7a26f6300"].Certificate.Name(), rootCA.details.name)
|
||||
assert.Equal(t, pp.CAs["04c585fcd9a49b276df956a22b7ebea3bf23f1fca5a17c0b56ce2e626631969e"].Certificate.Name(), rootCA01.details.name)
|
||||
|
||||
// expired cert, no valid certs
|
||||
ppp, err := NewCAPoolFromPEM([]byte(expired))
|
||||
assert.Equal(t, ErrExpired, err)
|
||||
assert.Equal(t, ppp.CAs[string("152070be6bb19bc9e3bde4c2f0e7d8f4ff5448b4c9856b8eccb314fade0229b0")].Certificate.Name(), "expired")
|
||||
assert.Equal(t, ppp.CAs["c39b35a0e8f246203fe4f32b9aa8bfd155f1ae6a6be9d78370641e43397f48f5"].Certificate.Name(), "expired")
|
||||
|
||||
// expired cert, with valid certs
|
||||
pppp, err := NewCAPoolFromPEM(append([]byte(expired), noNewLines...))
|
||||
assert.Equal(t, ErrExpired, err)
|
||||
assert.Equal(t, pppp.CAs[string("c9bfaf7ce8e84b2eeda2e27b469f4b9617bde192efd214b68891ecda6ed49522")].Certificate.Name(), rootCA.details.Name)
|
||||
assert.Equal(t, pppp.CAs[string("5c9c3f23e7ee7fe97637cbd3a0a5b854154d1d9aaaf7b566a51f4a88f76b64cd")].Certificate.Name(), rootCA01.details.Name)
|
||||
assert.Equal(t, pppp.CAs[string("152070be6bb19bc9e3bde4c2f0e7d8f4ff5448b4c9856b8eccb314fade0229b0")].Certificate.Name(), "expired")
|
||||
assert.Equal(t, pppp.CAs["ce4e6c7a596996eb0d82a8875f0f0137a4b53ce22d2421c9fd7150e7a26f6300"].Certificate.Name(), rootCA.details.name)
|
||||
assert.Equal(t, pppp.CAs["04c585fcd9a49b276df956a22b7ebea3bf23f1fca5a17c0b56ce2e626631969e"].Certificate.Name(), rootCA01.details.name)
|
||||
assert.Equal(t, pppp.CAs["c39b35a0e8f246203fe4f32b9aa8bfd155f1ae6a6be9d78370641e43397f48f5"].Certificate.Name(), "expired")
|
||||
assert.Equal(t, len(pppp.CAs), 3)
|
||||
|
||||
ppppp, err := NewCAPoolFromPEM([]byte(p256))
|
||||
assert.Nil(t, err)
|
||||
assert.Equal(t, ppppp.CAs[string("a7938893ec8c4ef769b06d7f425e5e46f7a7f5ffa49c3bcf4a86b608caba9159")].Certificate.Name(), rootCAP256.details.Name)
|
||||
assert.Equal(t, ppppp.CAs["552bf7d99bec1fc775a0e4c324bf6d8f789b3078f1919c7960d2e5e0c351ee97"].Certificate.Name(), rootCAP256.details.name)
|
||||
assert.Equal(t, len(ppppp.CAs), 1)
|
||||
}
|
||||
|
||||
func TestCertificateV1_Verify(t *testing.T) {
|
||||
ca, _, caKey, _ := NewTestCaCert(Version1, Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, nil)
|
||||
c, _, _, _ := NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test cert", time.Now(), time.Now().Add(5*time.Minute), nil, nil, nil)
|
||||
|
||||
caPool := NewCAPool()
|
||||
assert.NoError(t, caPool.AddCA(ca))
|
||||
|
||||
f, err := c.Fingerprint()
|
||||
assert.Nil(t, err)
|
||||
caPool.BlocklistFingerprint(f)
|
||||
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.EqualError(t, err, "certificate is in the block list")
|
||||
|
||||
caPool.ResetCertBlocklist()
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
|
||||
_, err = caPool.VerifyCertificate(time.Now().Add(time.Hour*1000), c)
|
||||
assert.EqualError(t, err, "root certificate is expired")
|
||||
|
||||
assert.PanicsWithError(t, "certificate is valid before the signing certificate", func() {
|
||||
NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test cert2", time.Time{}, time.Time{}, nil, nil, nil)
|
||||
})
|
||||
|
||||
// Test group assertion
|
||||
ca, _, caKey, _ = NewTestCaCert(Version1, Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{"test1", "test2"})
|
||||
caPem, err := ca.MarshalPEM()
|
||||
assert.Nil(t, err)
|
||||
|
||||
caPool = NewCAPool()
|
||||
b, err := caPool.AddCAFromPEM(caPem)
|
||||
assert.NoError(t, err)
|
||||
assert.Empty(t, b)
|
||||
|
||||
assert.PanicsWithError(t, "certificate contained a group not present on the signing ca: bad", func() {
|
||||
NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1", "bad"})
|
||||
})
|
||||
|
||||
c, _, _, _ = NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test2", time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
}
|
||||
|
||||
func TestCertificateV1_VerifyP256(t *testing.T) {
|
||||
ca, _, caKey, _ := NewTestCaCert(Version1, Curve_P256, time.Now(), time.Now().Add(10*time.Minute), nil, nil, nil)
|
||||
c, _, _, _ := NewTestCert(Version1, Curve_P256, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, nil, nil)
|
||||
|
||||
caPool := NewCAPool()
|
||||
assert.NoError(t, caPool.AddCA(ca))
|
||||
|
||||
f, err := c.Fingerprint()
|
||||
assert.Nil(t, err)
|
||||
caPool.BlocklistFingerprint(f)
|
||||
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.EqualError(t, err, "certificate is in the block list")
|
||||
|
||||
caPool.ResetCertBlocklist()
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
|
||||
_, err = caPool.VerifyCertificate(time.Now().Add(time.Hour*1000), c)
|
||||
assert.EqualError(t, err, "root certificate is expired")
|
||||
|
||||
assert.PanicsWithError(t, "certificate is valid before the signing certificate", func() {
|
||||
NewTestCert(Version1, Curve_P256, ca, caKey, "test", time.Time{}, time.Time{}, nil, nil, nil)
|
||||
})
|
||||
|
||||
// Test group assertion
|
||||
ca, _, caKey, _ = NewTestCaCert(Version1, Curve_P256, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{"test1", "test2"})
|
||||
caPem, err := ca.MarshalPEM()
|
||||
assert.Nil(t, err)
|
||||
|
||||
caPool = NewCAPool()
|
||||
b, err := caPool.AddCAFromPEM(caPem)
|
||||
assert.NoError(t, err)
|
||||
assert.Empty(t, b)
|
||||
|
||||
assert.PanicsWithError(t, "certificate contained a group not present on the signing ca: bad", func() {
|
||||
NewTestCert(Version1, Curve_P256, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1", "bad"})
|
||||
})
|
||||
|
||||
c, _, _, _ = NewTestCert(Version1, Curve_P256, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1"})
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
}
|
||||
|
||||
func TestCertificateV1_Verify_IPs(t *testing.T) {
|
||||
caIp1 := mustParsePrefixUnmapped("10.0.0.0/16")
|
||||
caIp2 := mustParsePrefixUnmapped("192.168.0.0/24")
|
||||
ca, _, caKey, _ := NewTestCaCert(Version1, Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), []netip.Prefix{caIp1, caIp2}, nil, []string{"test"})
|
||||
|
||||
caPem, err := ca.MarshalPEM()
|
||||
assert.Nil(t, err)
|
||||
|
||||
caPool := NewCAPool()
|
||||
b, err := caPool.AddCAFromPEM(caPem)
|
||||
assert.NoError(t, err)
|
||||
assert.Empty(t, b)
|
||||
|
||||
// ip is outside the network
|
||||
cIp1 := mustParsePrefixUnmapped("10.1.0.0/24")
|
||||
cIp2 := mustParsePrefixUnmapped("192.168.0.1/16")
|
||||
assert.PanicsWithError(t, "certificate contained a network assignment outside the limitations of the signing ca: 10.1.0.0/24", func() {
|
||||
NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
|
||||
})
|
||||
|
||||
// ip is outside the network reversed order of above
|
||||
cIp1 = mustParsePrefixUnmapped("192.168.0.1/24")
|
||||
cIp2 = mustParsePrefixUnmapped("10.1.0.0/24")
|
||||
assert.PanicsWithError(t, "certificate contained a network assignment outside the limitations of the signing ca: 10.1.0.0/24", func() {
|
||||
NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
|
||||
})
|
||||
|
||||
// ip is within the network but mask is outside
|
||||
cIp1 = mustParsePrefixUnmapped("10.0.1.0/15")
|
||||
cIp2 = mustParsePrefixUnmapped("192.168.0.1/24")
|
||||
assert.PanicsWithError(t, "certificate contained a network assignment outside the limitations of the signing ca: 10.0.1.0/15", func() {
|
||||
NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
|
||||
})
|
||||
|
||||
// ip is within the network but mask is outside reversed order of above
|
||||
cIp1 = mustParsePrefixUnmapped("192.168.0.1/24")
|
||||
cIp2 = mustParsePrefixUnmapped("10.0.1.0/15")
|
||||
assert.PanicsWithError(t, "certificate contained a network assignment outside the limitations of the signing ca: 10.0.1.0/15", func() {
|
||||
NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
|
||||
})
|
||||
|
||||
// ip and mask are within the network
|
||||
cIp1 = mustParsePrefixUnmapped("10.0.1.0/16")
|
||||
cIp2 = mustParsePrefixUnmapped("192.168.0.1/25")
|
||||
c, _, _, _ := NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
|
||||
// Exact matches
|
||||
c, _, _, _ = NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{caIp1, caIp2}, nil, []string{"test"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
|
||||
// Exact matches reversed
|
||||
c, _, _, _ = NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{caIp2, caIp1}, nil, []string{"test"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
|
||||
// Exact matches reversed with just 1
|
||||
c, _, _, _ = NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{caIp1}, nil, []string{"test"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
}
|
||||
|
||||
func TestCertificateV1_Verify_Subnets(t *testing.T) {
|
||||
caIp1 := mustParsePrefixUnmapped("10.0.0.0/16")
|
||||
caIp2 := mustParsePrefixUnmapped("192.168.0.0/24")
|
||||
ca, _, caKey, _ := NewTestCaCert(Version1, Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, []netip.Prefix{caIp1, caIp2}, []string{"test"})
|
||||
|
||||
caPem, err := ca.MarshalPEM()
|
||||
assert.Nil(t, err)
|
||||
|
||||
caPool := NewCAPool()
|
||||
b, err := caPool.AddCAFromPEM(caPem)
|
||||
assert.NoError(t, err)
|
||||
assert.Empty(t, b)
|
||||
|
||||
// ip is outside the network
|
||||
cIp1 := mustParsePrefixUnmapped("10.1.0.0/24")
|
||||
cIp2 := mustParsePrefixUnmapped("192.168.0.1/16")
|
||||
assert.PanicsWithError(t, "certificate contained an unsafe network assignment outside the limitations of the signing ca: 10.1.0.0/24", func() {
|
||||
NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
|
||||
})
|
||||
|
||||
// ip is outside the network reversed order of above
|
||||
cIp1 = mustParsePrefixUnmapped("192.168.0.1/24")
|
||||
cIp2 = mustParsePrefixUnmapped("10.1.0.0/24")
|
||||
assert.PanicsWithError(t, "certificate contained an unsafe network assignment outside the limitations of the signing ca: 10.1.0.0/24", func() {
|
||||
NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
|
||||
})
|
||||
|
||||
// ip is within the network but mask is outside
|
||||
cIp1 = mustParsePrefixUnmapped("10.0.1.0/15")
|
||||
cIp2 = mustParsePrefixUnmapped("192.168.0.1/24")
|
||||
assert.PanicsWithError(t, "certificate contained an unsafe network assignment outside the limitations of the signing ca: 10.0.1.0/15", func() {
|
||||
NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
|
||||
})
|
||||
|
||||
// ip is within the network but mask is outside reversed order of above
|
||||
cIp1 = mustParsePrefixUnmapped("192.168.0.1/24")
|
||||
cIp2 = mustParsePrefixUnmapped("10.0.1.0/15")
|
||||
assert.PanicsWithError(t, "certificate contained an unsafe network assignment outside the limitations of the signing ca: 10.0.1.0/15", func() {
|
||||
NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
|
||||
})
|
||||
|
||||
// ip and mask are within the network
|
||||
cIp1 = mustParsePrefixUnmapped("10.0.1.0/16")
|
||||
cIp2 = mustParsePrefixUnmapped("192.168.0.1/25")
|
||||
c, _, _, _ := NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
|
||||
// Exact matches
|
||||
c, _, _, _ = NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{caIp1, caIp2}, []string{"test"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
|
||||
// Exact matches reversed
|
||||
c, _, _, _ = NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{caIp2, caIp1}, []string{"test"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
|
||||
// Exact matches reversed with just 1
|
||||
c, _, _, _ = NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{caIp1}, []string{"test"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
}
|
||||
|
||||
func TestCertificateV2_Verify(t *testing.T) {
|
||||
ca, _, caKey, _ := NewTestCaCert(Version2, Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, nil)
|
||||
c, _, _, _ := NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test cert", time.Now(), time.Now().Add(5*time.Minute), nil, nil, nil)
|
||||
|
||||
caPool := NewCAPool()
|
||||
assert.NoError(t, caPool.AddCA(ca))
|
||||
|
||||
f, err := c.Fingerprint()
|
||||
assert.Nil(t, err)
|
||||
caPool.BlocklistFingerprint(f)
|
||||
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.EqualError(t, err, "certificate is in the block list")
|
||||
|
||||
caPool.ResetCertBlocklist()
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
|
||||
_, err = caPool.VerifyCertificate(time.Now().Add(time.Hour*1000), c)
|
||||
assert.EqualError(t, err, "root certificate is expired")
|
||||
|
||||
assert.PanicsWithError(t, "certificate is valid before the signing certificate", func() {
|
||||
NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test cert2", time.Time{}, time.Time{}, nil, nil, nil)
|
||||
})
|
||||
|
||||
// Test group assertion
|
||||
ca, _, caKey, _ = NewTestCaCert(Version2, Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{"test1", "test2"})
|
||||
caPem, err := ca.MarshalPEM()
|
||||
assert.Nil(t, err)
|
||||
|
||||
caPool = NewCAPool()
|
||||
b, err := caPool.AddCAFromPEM(caPem)
|
||||
assert.NoError(t, err)
|
||||
assert.Empty(t, b)
|
||||
|
||||
assert.PanicsWithError(t, "certificate contained a group not present on the signing ca: bad", func() {
|
||||
NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1", "bad"})
|
||||
})
|
||||
|
||||
c, _, _, _ = NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test2", time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
}
|
||||
|
||||
func TestCertificateV2_VerifyP256(t *testing.T) {
|
||||
ca, _, caKey, _ := NewTestCaCert(Version2, Curve_P256, time.Now(), time.Now().Add(10*time.Minute), nil, nil, nil)
|
||||
c, _, _, _ := NewTestCert(Version2, Curve_P256, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, nil, nil)
|
||||
|
||||
caPool := NewCAPool()
|
||||
assert.NoError(t, caPool.AddCA(ca))
|
||||
|
||||
f, err := c.Fingerprint()
|
||||
assert.Nil(t, err)
|
||||
caPool.BlocklistFingerprint(f)
|
||||
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.EqualError(t, err, "certificate is in the block list")
|
||||
|
||||
caPool.ResetCertBlocklist()
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
|
||||
_, err = caPool.VerifyCertificate(time.Now().Add(time.Hour*1000), c)
|
||||
assert.EqualError(t, err, "root certificate is expired")
|
||||
|
||||
assert.PanicsWithError(t, "certificate is valid before the signing certificate", func() {
|
||||
NewTestCert(Version2, Curve_P256, ca, caKey, "test", time.Time{}, time.Time{}, nil, nil, nil)
|
||||
})
|
||||
|
||||
// Test group assertion
|
||||
ca, _, caKey, _ = NewTestCaCert(Version2, Curve_P256, time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{"test1", "test2"})
|
||||
caPem, err := ca.MarshalPEM()
|
||||
assert.Nil(t, err)
|
||||
|
||||
caPool = NewCAPool()
|
||||
b, err := caPool.AddCAFromPEM(caPem)
|
||||
assert.NoError(t, err)
|
||||
assert.Empty(t, b)
|
||||
|
||||
assert.PanicsWithError(t, "certificate contained a group not present on the signing ca: bad", func() {
|
||||
NewTestCert(Version2, Curve_P256, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1", "bad"})
|
||||
})
|
||||
|
||||
c, _, _, _ = NewTestCert(Version2, Curve_P256, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1"})
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
}
|
||||
|
||||
func TestCertificateV2_Verify_IPs(t *testing.T) {
|
||||
caIp1 := mustParsePrefixUnmapped("10.0.0.0/16")
|
||||
caIp2 := mustParsePrefixUnmapped("192.168.0.0/24")
|
||||
ca, _, caKey, _ := NewTestCaCert(Version2, Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), []netip.Prefix{caIp1, caIp2}, nil, []string{"test"})
|
||||
|
||||
caPem, err := ca.MarshalPEM()
|
||||
assert.Nil(t, err)
|
||||
|
||||
caPool := NewCAPool()
|
||||
b, err := caPool.AddCAFromPEM(caPem)
|
||||
assert.NoError(t, err)
|
||||
assert.Empty(t, b)
|
||||
|
||||
// ip is outside the network
|
||||
cIp1 := mustParsePrefixUnmapped("10.1.0.0/24")
|
||||
cIp2 := mustParsePrefixUnmapped("192.168.0.1/16")
|
||||
assert.PanicsWithError(t, "certificate contained a network assignment outside the limitations of the signing ca: 10.1.0.0/24", func() {
|
||||
NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
|
||||
})
|
||||
|
||||
// ip is outside the network reversed order of above
|
||||
cIp1 = mustParsePrefixUnmapped("192.168.0.1/24")
|
||||
cIp2 = mustParsePrefixUnmapped("10.1.0.0/24")
|
||||
assert.PanicsWithError(t, "certificate contained a network assignment outside the limitations of the signing ca: 10.1.0.0/24", func() {
|
||||
NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
|
||||
})
|
||||
|
||||
// ip is within the network but mask is outside
|
||||
cIp1 = mustParsePrefixUnmapped("10.0.1.0/15")
|
||||
cIp2 = mustParsePrefixUnmapped("192.168.0.1/24")
|
||||
assert.PanicsWithError(t, "certificate contained a network assignment outside the limitations of the signing ca: 10.0.1.0/15", func() {
|
||||
NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
|
||||
})
|
||||
|
||||
// ip is within the network but mask is outside reversed order of above
|
||||
cIp1 = mustParsePrefixUnmapped("192.168.0.1/24")
|
||||
cIp2 = mustParsePrefixUnmapped("10.0.1.0/15")
|
||||
assert.PanicsWithError(t, "certificate contained a network assignment outside the limitations of the signing ca: 10.0.1.0/15", func() {
|
||||
NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
|
||||
})
|
||||
|
||||
// ip and mask are within the network
|
||||
cIp1 = mustParsePrefixUnmapped("10.0.1.0/16")
|
||||
cIp2 = mustParsePrefixUnmapped("192.168.0.1/25")
|
||||
c, _, _, _ := NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
|
||||
// Exact matches
|
||||
c, _, _, _ = NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{caIp1, caIp2}, nil, []string{"test"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
|
||||
// Exact matches reversed
|
||||
c, _, _, _ = NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{caIp2, caIp1}, nil, []string{"test"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
|
||||
// Exact matches reversed with just 1
|
||||
c, _, _, _ = NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{caIp1}, nil, []string{"test"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
}
|
||||
|
||||
func TestCertificateV2_Verify_Subnets(t *testing.T) {
|
||||
caIp1 := mustParsePrefixUnmapped("10.0.0.0/16")
|
||||
caIp2 := mustParsePrefixUnmapped("192.168.0.0/24")
|
||||
ca, _, caKey, _ := NewTestCaCert(Version2, Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, []netip.Prefix{caIp1, caIp2}, []string{"test"})
|
||||
|
||||
caPem, err := ca.MarshalPEM()
|
||||
assert.Nil(t, err)
|
||||
|
||||
caPool := NewCAPool()
|
||||
b, err := caPool.AddCAFromPEM(caPem)
|
||||
assert.NoError(t, err)
|
||||
assert.Empty(t, b)
|
||||
|
||||
// ip is outside the network
|
||||
cIp1 := mustParsePrefixUnmapped("10.1.0.0/24")
|
||||
cIp2 := mustParsePrefixUnmapped("192.168.0.1/16")
|
||||
assert.PanicsWithError(t, "certificate contained an unsafe network assignment outside the limitations of the signing ca: 10.1.0.0/24", func() {
|
||||
NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
|
||||
})
|
||||
|
||||
// ip is outside the network reversed order of above
|
||||
cIp1 = mustParsePrefixUnmapped("192.168.0.1/24")
|
||||
cIp2 = mustParsePrefixUnmapped("10.1.0.0/24")
|
||||
assert.PanicsWithError(t, "certificate contained an unsafe network assignment outside the limitations of the signing ca: 10.1.0.0/24", func() {
|
||||
NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
|
||||
})
|
||||
|
||||
// ip is within the network but mask is outside
|
||||
cIp1 = mustParsePrefixUnmapped("10.0.1.0/15")
|
||||
cIp2 = mustParsePrefixUnmapped("192.168.0.1/24")
|
||||
assert.PanicsWithError(t, "certificate contained an unsafe network assignment outside the limitations of the signing ca: 10.0.1.0/15", func() {
|
||||
NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
|
||||
})
|
||||
|
||||
// ip is within the network but mask is outside reversed order of above
|
||||
cIp1 = mustParsePrefixUnmapped("192.168.0.1/24")
|
||||
cIp2 = mustParsePrefixUnmapped("10.0.1.0/15")
|
||||
assert.PanicsWithError(t, "certificate contained an unsafe network assignment outside the limitations of the signing ca: 10.0.1.0/15", func() {
|
||||
NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
|
||||
})
|
||||
|
||||
// ip and mask are within the network
|
||||
cIp1 = mustParsePrefixUnmapped("10.0.1.0/16")
|
||||
cIp2 = mustParsePrefixUnmapped("192.168.0.1/25")
|
||||
c, _, _, _ := NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
|
||||
// Exact matches
|
||||
c, _, _, _ = NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{caIp1, caIp2}, []string{"test"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
|
||||
// Exact matches reversed
|
||||
c, _, _, _ = NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{caIp2, caIp1}, []string{"test"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
|
||||
// Exact matches reversed with just 1
|
||||
c, _, _, _ = NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{caIp1}, []string{"test"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
}
|
||||
|
||||
64
cert/cert.go
64
cert/cert.go
@@ -1,15 +1,17 @@
|
||||
package cert
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net/netip"
|
||||
"time"
|
||||
)
|
||||
|
||||
type Version int
|
||||
type Version uint8
|
||||
|
||||
const (
|
||||
Version1 Version = 1
|
||||
Version2 Version = 2
|
||||
VersionPre1 Version = 0
|
||||
Version1 Version = 1
|
||||
Version2 Version = 2
|
||||
)
|
||||
|
||||
type Certificate interface {
|
||||
@@ -107,23 +109,57 @@ type CachedCertificate struct {
|
||||
signerFingerprint string
|
||||
}
|
||||
|
||||
// UnmarshalCertificate will attempt to unmarshal a wire protocol level certificate.
|
||||
func UnmarshalCertificate(b []byte) (Certificate, error) {
|
||||
c, err := unmarshalCertificateV1(b, true)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return c, nil
|
||||
func (cc *CachedCertificate) String() string {
|
||||
return cc.Certificate.String()
|
||||
}
|
||||
|
||||
// UnmarshalCertificateFromHandshake will attempt to unmarshal a certificate received in a handshake.
|
||||
// RecombineAndValidate will attempt to unmarshal a certificate received in a handshake.
|
||||
// Handshakes save space by placing the peers public key in a different part of the packet, we have to
|
||||
// reassemble the actual certificate structure with that in mind.
|
||||
func UnmarshalCertificateFromHandshake(b []byte, publicKey []byte) (Certificate, error) {
|
||||
c, err := unmarshalCertificateV1(b, false)
|
||||
func RecombineAndValidate(v Version, rawCertBytes, publicKey []byte, curve Curve, caPool *CAPool) (*CachedCertificate, error) {
|
||||
if publicKey == nil {
|
||||
return nil, ErrNoPeerStaticKey
|
||||
}
|
||||
|
||||
if rawCertBytes == nil {
|
||||
return nil, ErrNoPayload
|
||||
}
|
||||
|
||||
c, err := unmarshalCertificateFromHandshake(v, rawCertBytes, publicKey, curve)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error unmarshaling cert: %w", err)
|
||||
}
|
||||
|
||||
cc, err := caPool.VerifyCertificate(time.Now(), c)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("certificate validation failed: %w", err)
|
||||
}
|
||||
|
||||
return cc, nil
|
||||
}
|
||||
|
||||
func unmarshalCertificateFromHandshake(v Version, b []byte, publicKey []byte, curve Curve) (Certificate, error) {
|
||||
var c Certificate
|
||||
var err error
|
||||
|
||||
switch v {
|
||||
// Implementations must ensure the result is a valid cert!
|
||||
case VersionPre1, Version1:
|
||||
c, err = unmarshalCertificateV1(b, publicKey)
|
||||
case Version2:
|
||||
c, err = unmarshalCertificateV2(b, publicKey, curve)
|
||||
default:
|
||||
//TODO: CERT-V2 make a static var
|
||||
return nil, fmt.Errorf("unknown certificate version %d", v)
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
c.details.PublicKey = publicKey
|
||||
|
||||
if c.Curve() != curve {
|
||||
return nil, fmt.Errorf("certificate curve %s does not match expected %s", c.Curve().String(), curve.String())
|
||||
}
|
||||
|
||||
return c, nil
|
||||
}
|
||||
|
||||
@@ -1,695 +0,0 @@
|
||||
package cert
|
||||
|
||||
import (
|
||||
"crypto/ecdh"
|
||||
"crypto/ecdsa"
|
||||
"crypto/elliptic"
|
||||
"crypto/rand"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/netip"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/slackhq/nebula/test"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"golang.org/x/crypto/curve25519"
|
||||
"golang.org/x/crypto/ed25519"
|
||||
)
|
||||
|
||||
func TestMarshalingNebulaCertificate(t *testing.T) {
|
||||
before := time.Now().Add(time.Second * -60).Round(time.Second)
|
||||
after := time.Now().Add(time.Second * 60).Round(time.Second)
|
||||
pubKey := []byte("1234567890abcedfghij1234567890ab")
|
||||
|
||||
nc := certificateV1{
|
||||
details: detailsV1{
|
||||
Name: "testing",
|
||||
Ips: []netip.Prefix{
|
||||
mustParsePrefixUnmapped("10.1.1.1/24"),
|
||||
mustParsePrefixUnmapped("10.1.1.2/16"),
|
||||
},
|
||||
Subnets: []netip.Prefix{
|
||||
mustParsePrefixUnmapped("9.1.1.2/24"),
|
||||
mustParsePrefixUnmapped("9.1.1.3/16"),
|
||||
},
|
||||
Groups: []string{"test-group1", "test-group2", "test-group3"},
|
||||
NotBefore: before,
|
||||
NotAfter: after,
|
||||
PublicKey: pubKey,
|
||||
IsCA: false,
|
||||
Issuer: "1234567890abcedfghij1234567890ab",
|
||||
},
|
||||
signature: []byte("1234567890abcedfghij1234567890ab"),
|
||||
}
|
||||
|
||||
b, err := nc.Marshal()
|
||||
assert.Nil(t, err)
|
||||
//t.Log("Cert size:", len(b))
|
||||
|
||||
nc2, err := unmarshalCertificateV1(b, true)
|
||||
assert.Nil(t, err)
|
||||
|
||||
assert.Equal(t, nc.signature, nc2.Signature())
|
||||
assert.Equal(t, nc.details.Name, nc2.Name())
|
||||
assert.Equal(t, nc.details.NotBefore, nc2.NotBefore())
|
||||
assert.Equal(t, nc.details.NotAfter, nc2.NotAfter())
|
||||
assert.Equal(t, nc.details.PublicKey, nc2.PublicKey())
|
||||
assert.Equal(t, nc.details.IsCA, nc2.IsCA())
|
||||
|
||||
assert.Equal(t, nc.details.Ips, nc2.Networks())
|
||||
assert.Equal(t, nc.details.Subnets, nc2.UnsafeNetworks())
|
||||
|
||||
assert.Equal(t, nc.details.Groups, nc2.Groups())
|
||||
}
|
||||
|
||||
//func TestNebulaCertificate_Sign(t *testing.T) {
|
||||
// before := time.Now().Add(time.Second * -60).Round(time.Second)
|
||||
// after := time.Now().Add(time.Second * 60).Round(time.Second)
|
||||
// pubKey := []byte("1234567890abcedfghij1234567890ab")
|
||||
//
|
||||
// nc := certificateV1{
|
||||
// details: detailsV1{
|
||||
// Name: "testing",
|
||||
// Ips: []netip.Prefix{
|
||||
// mustParsePrefixUnmapped("10.1.1.1/24"),
|
||||
// mustParsePrefixUnmapped("10.1.1.2/16"),
|
||||
// //TODO: netip cant do it
|
||||
// //{IP: net.ParseIP("10.1.1.3"), Mask: net.IPMask(net.ParseIP("255.0.255.0"))},
|
||||
// },
|
||||
// Subnets: []netip.Prefix{
|
||||
// //TODO: netip cant do it
|
||||
// //{IP: net.ParseIP("9.1.1.1"), Mask: net.IPMask(net.ParseIP("255.0.255.0"))},
|
||||
// mustParsePrefixUnmapped("9.1.1.2/24"),
|
||||
// mustParsePrefixUnmapped("9.1.1.3/24"),
|
||||
// },
|
||||
// Groups: []string{"test-group1", "test-group2", "test-group3"},
|
||||
// NotBefore: before,
|
||||
// NotAfter: after,
|
||||
// PublicKey: pubKey,
|
||||
// IsCA: false,
|
||||
// Issuer: "1234567890abcedfghij1234567890ab",
|
||||
// },
|
||||
// }
|
||||
//
|
||||
// pub, priv, err := ed25519.GenerateKey(rand.Reader)
|
||||
// assert.Nil(t, err)
|
||||
// assert.False(t, nc.CheckSignature(pub))
|
||||
// assert.Nil(t, nc.Sign(Curve_CURVE25519, priv))
|
||||
// assert.True(t, nc.CheckSignature(pub))
|
||||
//
|
||||
// _, err = nc.Marshal()
|
||||
// assert.Nil(t, err)
|
||||
// //t.Log("Cert size:", len(b))
|
||||
//}
|
||||
|
||||
//func TestNebulaCertificate_SignP256(t *testing.T) {
|
||||
// before := time.Now().Add(time.Second * -60).Round(time.Second)
|
||||
// after := time.Now().Add(time.Second * 60).Round(time.Second)
|
||||
// pubKey := []byte("01234567890abcedfghij1234567890ab1234567890abcedfghij1234567890ab")
|
||||
//
|
||||
// nc := certificateV1{
|
||||
// details: detailsV1{
|
||||
// Name: "testing",
|
||||
// Ips: []netip.Prefix{
|
||||
// mustParsePrefixUnmapped("10.1.1.1/24"),
|
||||
// mustParsePrefixUnmapped("10.1.1.2/16"),
|
||||
// //TODO: netip no can do
|
||||
// //{IP: net.ParseIP("10.1.1.3"), Mask: net.IPMask(net.ParseIP("255.0.255.0"))},
|
||||
// },
|
||||
// Subnets: []netip.Prefix{
|
||||
// //TODO: netip bad
|
||||
// //{IP: net.ParseIP("9.1.1.1"), Mask: net.IPMask(net.ParseIP("255.0.255.0"))},
|
||||
// mustParsePrefixUnmapped("9.1.1.2/24"),
|
||||
// mustParsePrefixUnmapped("9.1.1.3/16"),
|
||||
// },
|
||||
// Groups: []string{"test-group1", "test-group2", "test-group3"},
|
||||
// NotBefore: before,
|
||||
// NotAfter: after,
|
||||
// PublicKey: pubKey,
|
||||
// IsCA: false,
|
||||
// Curve: Curve_P256,
|
||||
// Issuer: "1234567890abcedfghij1234567890ab",
|
||||
// },
|
||||
// }
|
||||
//
|
||||
// priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||||
// pub := elliptic.Marshal(elliptic.P256(), priv.PublicKey.X, priv.PublicKey.Y)
|
||||
// rawPriv := priv.D.FillBytes(make([]byte, 32))
|
||||
//
|
||||
// assert.Nil(t, err)
|
||||
// assert.False(t, nc.CheckSignature(pub))
|
||||
// assert.Nil(t, nc.Sign(Curve_P256, rawPriv))
|
||||
// assert.True(t, nc.CheckSignature(pub))
|
||||
//
|
||||
// _, err = nc.Marshal()
|
||||
// assert.Nil(t, err)
|
||||
// //t.Log("Cert size:", len(b))
|
||||
//}
|
||||
|
||||
func TestNebulaCertificate_Expired(t *testing.T) {
|
||||
nc := certificateV1{
|
||||
details: detailsV1{
|
||||
NotBefore: time.Now().Add(time.Second * -60).Round(time.Second),
|
||||
NotAfter: time.Now().Add(time.Second * 60).Round(time.Second),
|
||||
},
|
||||
}
|
||||
|
||||
assert.True(t, nc.Expired(time.Now().Add(time.Hour)))
|
||||
assert.True(t, nc.Expired(time.Now().Add(-time.Hour)))
|
||||
assert.False(t, nc.Expired(time.Now()))
|
||||
}
|
||||
|
||||
func TestNebulaCertificate_MarshalJSON(t *testing.T) {
|
||||
time.Local = time.UTC
|
||||
pubKey := []byte("1234567890abcedfghij1234567890ab")
|
||||
|
||||
nc := certificateV1{
|
||||
details: detailsV1{
|
||||
Name: "testing",
|
||||
Ips: []netip.Prefix{
|
||||
mustParsePrefixUnmapped("10.1.1.1/24"),
|
||||
mustParsePrefixUnmapped("10.1.1.2/16"),
|
||||
},
|
||||
Subnets: []netip.Prefix{
|
||||
mustParsePrefixUnmapped("9.1.1.2/24"),
|
||||
mustParsePrefixUnmapped("9.1.1.3/16"),
|
||||
},
|
||||
Groups: []string{"test-group1", "test-group2", "test-group3"},
|
||||
NotBefore: time.Date(1, 0, 0, 1, 0, 0, 0, time.UTC),
|
||||
NotAfter: time.Date(1, 0, 0, 2, 0, 0, 0, time.UTC),
|
||||
PublicKey: pubKey,
|
||||
IsCA: false,
|
||||
Issuer: "1234567890abcedfghij1234567890ab",
|
||||
},
|
||||
signature: []byte("1234567890abcedfghij1234567890ab"),
|
||||
}
|
||||
|
||||
b, err := nc.MarshalJSON()
|
||||
assert.Nil(t, err)
|
||||
assert.Equal(
|
||||
t,
|
||||
"{\"details\":{\"curve\":\"CURVE25519\",\"groups\":[\"test-group1\",\"test-group2\",\"test-group3\"],\"ips\":[\"10.1.1.1/24\",\"10.1.1.2/16\"],\"isCa\":false,\"issuer\":\"1234567890abcedfghij1234567890ab\",\"name\":\"testing\",\"notAfter\":\"0000-11-30T02:00:00Z\",\"notBefore\":\"0000-11-30T01:00:00Z\",\"publicKey\":\"313233343536373839306162636564666768696a313233343536373839306162\",\"subnets\":[\"9.1.1.2/24\",\"9.1.1.3/16\"]},\"fingerprint\":\"3944c53d4267a229295b56cb2d27d459164c010ac97d655063ba421e0670f4ba\",\"signature\":\"313233343536373839306162636564666768696a313233343536373839306162\"}",
|
||||
string(b),
|
||||
)
|
||||
}
|
||||
|
||||
func TestNebulaCertificate_Verify(t *testing.T) {
|
||||
ca, _, caKey, err := newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), nil, nil, nil)
|
||||
assert.Nil(t, err)
|
||||
|
||||
c, _, _, err := newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, nil, nil)
|
||||
assert.Nil(t, err)
|
||||
|
||||
caPool := NewCAPool()
|
||||
assert.NoError(t, caPool.AddCA(ca))
|
||||
|
||||
f, err := c.Fingerprint()
|
||||
assert.Nil(t, err)
|
||||
caPool.BlocklistFingerprint(f)
|
||||
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.EqualError(t, err, "certificate is in the block list")
|
||||
|
||||
caPool.ResetCertBlocklist()
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
|
||||
_, err = caPool.VerifyCertificate(time.Now().Add(time.Hour*1000), c)
|
||||
assert.EqualError(t, err, "root certificate is expired")
|
||||
|
||||
c, _, _, err = newTestCert(ca, caKey, time.Time{}, time.Time{}, nil, nil, nil)
|
||||
assert.EqualError(t, err, "certificate is valid before the signing certificate")
|
||||
|
||||
// Test group assertion
|
||||
ca, _, caKey, err = newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{"test1", "test2"})
|
||||
assert.Nil(t, err)
|
||||
|
||||
caPem, err := ca.MarshalPEM()
|
||||
assert.Nil(t, err)
|
||||
|
||||
caPool = NewCAPool()
|
||||
b, err := caPool.AddCAFromPEM(caPem)
|
||||
assert.NoError(t, err)
|
||||
assert.Empty(t, b)
|
||||
|
||||
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1", "bad"})
|
||||
assert.EqualError(t, err, "certificate contained a group not present on the signing ca: bad")
|
||||
|
||||
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
}
|
||||
|
||||
func TestNebulaCertificate_VerifyP256(t *testing.T) {
|
||||
ca, _, caKey, err := newTestCaCertP256(time.Now(), time.Now().Add(10*time.Minute), nil, nil, nil)
|
||||
assert.Nil(t, err)
|
||||
|
||||
c, _, _, err := newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, nil, nil)
|
||||
assert.Nil(t, err)
|
||||
|
||||
caPool := NewCAPool()
|
||||
assert.NoError(t, caPool.AddCA(ca))
|
||||
|
||||
f, err := c.Fingerprint()
|
||||
assert.Nil(t, err)
|
||||
caPool.BlocklistFingerprint(f)
|
||||
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.EqualError(t, err, "certificate is in the block list")
|
||||
|
||||
caPool.ResetCertBlocklist()
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
|
||||
_, err = caPool.VerifyCertificate(time.Now().Add(time.Hour*1000), c)
|
||||
assert.EqualError(t, err, "root certificate is expired")
|
||||
|
||||
c, _, _, err = newTestCert(ca, caKey, time.Time{}, time.Time{}, nil, nil, nil)
|
||||
assert.EqualError(t, err, "certificate is valid before the signing certificate")
|
||||
|
||||
// Test group assertion
|
||||
ca, _, caKey, err = newTestCaCertP256(time.Now(), time.Now().Add(10*time.Minute), nil, nil, []string{"test1", "test2"})
|
||||
assert.Nil(t, err)
|
||||
|
||||
caPem, err := ca.MarshalPEM()
|
||||
assert.Nil(t, err)
|
||||
|
||||
caPool = NewCAPool()
|
||||
b, err := caPool.AddCAFromPEM(caPem)
|
||||
assert.NoError(t, err)
|
||||
assert.Empty(t, b)
|
||||
|
||||
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1", "bad"})
|
||||
assert.EqualError(t, err, "certificate contained a group not present on the signing ca: bad")
|
||||
|
||||
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
}
|
||||
|
||||
func TestNebulaCertificate_Verify_IPs(t *testing.T) {
|
||||
caIp1 := mustParsePrefixUnmapped("10.0.0.0/16")
|
||||
caIp2 := mustParsePrefixUnmapped("192.168.0.0/24")
|
||||
ca, _, caKey, err := newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), []netip.Prefix{caIp1, caIp2}, nil, []string{"test"})
|
||||
assert.Nil(t, err)
|
||||
|
||||
caPem, err := ca.MarshalPEM()
|
||||
assert.Nil(t, err)
|
||||
|
||||
caPool := NewCAPool()
|
||||
b, err := caPool.AddCAFromPEM(caPem)
|
||||
assert.NoError(t, err)
|
||||
assert.Empty(t, b)
|
||||
|
||||
// ip is outside the network
|
||||
cIp1 := mustParsePrefixUnmapped("10.1.0.0/24")
|
||||
cIp2 := mustParsePrefixUnmapped("192.168.0.1/16")
|
||||
c, _, _, err := newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
|
||||
assert.EqualError(t, err, "certificate contained a network assignment outside the limitations of the signing ca: 10.1.0.0/24")
|
||||
|
||||
// ip is outside the network reversed order of above
|
||||
cIp1 = mustParsePrefixUnmapped("192.168.0.1/24")
|
||||
cIp2 = mustParsePrefixUnmapped("10.1.0.0/24")
|
||||
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
|
||||
assert.EqualError(t, err, "certificate contained a network assignment outside the limitations of the signing ca: 10.1.0.0/24")
|
||||
|
||||
// ip is within the network but mask is outside
|
||||
cIp1 = mustParsePrefixUnmapped("10.0.1.0/15")
|
||||
cIp2 = mustParsePrefixUnmapped("192.168.0.1/24")
|
||||
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
|
||||
assert.EqualError(t, err, "certificate contained a network assignment outside the limitations of the signing ca: 10.0.1.0/15")
|
||||
|
||||
// ip is within the network but mask is outside reversed order of above
|
||||
cIp1 = mustParsePrefixUnmapped("192.168.0.1/24")
|
||||
cIp2 = mustParsePrefixUnmapped("10.0.1.0/15")
|
||||
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
|
||||
assert.EqualError(t, err, "certificate contained a network assignment outside the limitations of the signing ca: 10.0.1.0/15")
|
||||
|
||||
// ip and mask are within the network
|
||||
cIp1 = mustParsePrefixUnmapped("10.0.1.0/16")
|
||||
cIp2 = mustParsePrefixUnmapped("192.168.0.1/25")
|
||||
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{cIp1, cIp2}, nil, []string{"test"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
|
||||
// Exact matches
|
||||
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{caIp1, caIp2}, nil, []string{"test"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
|
||||
// Exact matches reversed
|
||||
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{caIp2, caIp1}, nil, []string{"test"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
|
||||
// Exact matches reversed with just 1
|
||||
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []netip.Prefix{caIp1}, nil, []string{"test"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
}
|
||||
|
||||
func TestNebulaCertificate_Verify_Subnets(t *testing.T) {
|
||||
caIp1 := mustParsePrefixUnmapped("10.0.0.0/16")
|
||||
caIp2 := mustParsePrefixUnmapped("192.168.0.0/24")
|
||||
ca, _, caKey, err := newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), nil, []netip.Prefix{caIp1, caIp2}, []string{"test"})
|
||||
assert.Nil(t, err)
|
||||
|
||||
caPem, err := ca.MarshalPEM()
|
||||
assert.Nil(t, err)
|
||||
|
||||
caPool := NewCAPool()
|
||||
b, err := caPool.AddCAFromPEM(caPem)
|
||||
assert.NoError(t, err)
|
||||
assert.Empty(t, b)
|
||||
|
||||
// ip is outside the network
|
||||
cIp1 := mustParsePrefixUnmapped("10.1.0.0/24")
|
||||
cIp2 := mustParsePrefixUnmapped("192.168.0.1/16")
|
||||
c, _, _, err := newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
|
||||
assert.EqualError(t, err, "certificate contained an unsafe network assignment outside the limitations of the signing ca: 10.1.0.0/24")
|
||||
|
||||
// ip is outside the network reversed order of above
|
||||
cIp1 = mustParsePrefixUnmapped("192.168.0.1/24")
|
||||
cIp2 = mustParsePrefixUnmapped("10.1.0.0/24")
|
||||
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
|
||||
assert.EqualError(t, err, "certificate contained an unsafe network assignment outside the limitations of the signing ca: 10.1.0.0/24")
|
||||
|
||||
// ip is within the network but mask is outside
|
||||
cIp1 = mustParsePrefixUnmapped("10.0.1.0/15")
|
||||
cIp2 = mustParsePrefixUnmapped("192.168.0.1/24")
|
||||
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
|
||||
assert.EqualError(t, err, "certificate contained an unsafe network assignment outside the limitations of the signing ca: 10.0.1.0/15")
|
||||
|
||||
// ip is within the network but mask is outside reversed order of above
|
||||
cIp1 = mustParsePrefixUnmapped("192.168.0.1/24")
|
||||
cIp2 = mustParsePrefixUnmapped("10.0.1.0/15")
|
||||
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
|
||||
assert.EqualError(t, err, "certificate contained an unsafe network assignment outside the limitations of the signing ca: 10.0.1.0/15")
|
||||
|
||||
// ip and mask are within the network
|
||||
cIp1 = mustParsePrefixUnmapped("10.0.1.0/16")
|
||||
cIp2 = mustParsePrefixUnmapped("192.168.0.1/25")
|
||||
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{cIp1, cIp2}, []string{"test"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
|
||||
// Exact matches
|
||||
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{caIp1, caIp2}, []string{"test"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
|
||||
// Exact matches reversed
|
||||
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{caIp2, caIp1}, []string{"test"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
|
||||
// Exact matches reversed with just 1
|
||||
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, []netip.Prefix{caIp1}, []string{"test"})
|
||||
assert.Nil(t, err)
|
||||
_, err = caPool.VerifyCertificate(time.Now(), c)
|
||||
assert.Nil(t, err)
|
||||
}
|
||||
|
||||
func TestNebulaCertificate_VerifyPrivateKey(t *testing.T) {
|
||||
ca, _, caKey, err := newTestCaCert(time.Time{}, time.Time{}, nil, nil, nil)
|
||||
assert.Nil(t, err)
|
||||
err = ca.VerifyPrivateKey(Curve_CURVE25519, caKey)
|
||||
assert.Nil(t, err)
|
||||
|
||||
_, _, caKey2, err := newTestCaCert(time.Time{}, time.Time{}, nil, nil, nil)
|
||||
assert.Nil(t, err)
|
||||
err = ca.VerifyPrivateKey(Curve_CURVE25519, caKey2)
|
||||
assert.NotNil(t, err)
|
||||
|
||||
c, _, priv, err := newTestCert(ca, caKey, time.Time{}, time.Time{}, nil, nil, nil)
|
||||
err = c.VerifyPrivateKey(Curve_CURVE25519, priv)
|
||||
assert.Nil(t, err)
|
||||
|
||||
_, priv2 := x25519Keypair()
|
||||
err = c.VerifyPrivateKey(Curve_CURVE25519, priv2)
|
||||
assert.NotNil(t, err)
|
||||
}
|
||||
|
||||
func TestNebulaCertificate_VerifyPrivateKeyP256(t *testing.T) {
|
||||
ca, _, caKey, err := newTestCaCertP256(time.Time{}, time.Time{}, nil, nil, nil)
|
||||
assert.Nil(t, err)
|
||||
err = ca.VerifyPrivateKey(Curve_P256, caKey)
|
||||
assert.Nil(t, err)
|
||||
|
||||
_, _, caKey2, err := newTestCaCertP256(time.Time{}, time.Time{}, nil, nil, nil)
|
||||
assert.Nil(t, err)
|
||||
err = ca.VerifyPrivateKey(Curve_P256, caKey2)
|
||||
assert.NotNil(t, err)
|
||||
|
||||
c, _, priv, err := newTestCert(ca, caKey, time.Time{}, time.Time{}, nil, nil, nil)
|
||||
err = c.VerifyPrivateKey(Curve_P256, priv)
|
||||
assert.Nil(t, err)
|
||||
|
||||
_, priv2 := p256Keypair()
|
||||
err = c.VerifyPrivateKey(Curve_P256, priv2)
|
||||
assert.NotNil(t, err)
|
||||
}
|
||||
|
||||
func appendByteSlices(b ...[]byte) []byte {
|
||||
retSlice := []byte{}
|
||||
for _, v := range b {
|
||||
retSlice = append(retSlice, v...)
|
||||
}
|
||||
return retSlice
|
||||
}
|
||||
|
||||
// Ensure that upgrading the protobuf library does not change how certificates
|
||||
// are marshalled, since this would break signature verification
|
||||
//TODO: since netip cant represent 255.0.255.0 netmask we can't verify the old certs are ok
|
||||
//func TestMarshalingNebulaCertificateConsistency(t *testing.T) {
|
||||
// before := time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC)
|
||||
// after := time.Date(2017, time.January, 18, 28, 40, 0, 0, time.UTC)
|
||||
// pubKey := []byte("1234567890abcedfghij1234567890ab")
|
||||
//
|
||||
// nc := certificateV1{
|
||||
// details: detailsV1{
|
||||
// Name: "testing",
|
||||
// Ips: []netip.Prefix{
|
||||
// mustParsePrefixUnmapped("10.1.1.1/24"),
|
||||
// mustParsePrefixUnmapped("10.1.1.2/16"),
|
||||
// //TODO: netip bad
|
||||
// //{IP: net.ParseIP("10.1.1.3"), Mask: net.IPMask(net.ParseIP("255.0.255.0"))},
|
||||
// },
|
||||
// Subnets: []netip.Prefix{
|
||||
// //TODO: netip bad
|
||||
// //{IP: net.ParseIP("9.1.1.1"), Mask: net.IPMask(net.ParseIP("255.0.255.0"))},
|
||||
// mustParsePrefixUnmapped("9.1.1.2/24"),
|
||||
// mustParsePrefixUnmapped("9.1.1.3/16"),
|
||||
// },
|
||||
// Groups: []string{"test-group1", "test-group2", "test-group3"},
|
||||
// NotBefore: before,
|
||||
// NotAfter: after,
|
||||
// PublicKey: pubKey,
|
||||
// IsCA: false,
|
||||
// Issuer: "1234567890abcedfghij1234567890ab",
|
||||
// },
|
||||
// signature: []byte("1234567890abcedfghij1234567890ab"),
|
||||
// }
|
||||
//
|
||||
// b, err := nc.Marshal()
|
||||
// assert.Nil(t, err)
|
||||
// //t.Log("Cert size:", len(b))
|
||||
// assert.Equal(t, "0aa2010a0774657374696e67121b8182845080feffff0f828284508080fcff0f8382845080fe83f80f1a1b8182844880fe83f80f8282844880feffff0f838284488080fcff0f220b746573742d67726f757031220b746573742d67726f757032220b746573742d67726f75703328f0e0e7d70430a08681c4053a20313233343536373839306162636564666768696a3132333435363738393061624a081234567890abcedf1220313233343536373839306162636564666768696a313233343536373839306162", fmt.Sprintf("%x", b))
|
||||
//
|
||||
// b, err = proto.Marshal(nc.getRawDetails())
|
||||
// assert.Nil(t, err)
|
||||
// //t.Log("Raw cert size:", len(b))
|
||||
// assert.Equal(t, "0a0774657374696e67121b8182845080feffff0f828284508080fcff0f8382845080fe83f80f1a1b8182844880fe83f80f8282844880feffff0f838284488080fcff0f220b746573742d67726f757031220b746573742d67726f757032220b746573742d67726f75703328f0e0e7d70430a08681c4053a20313233343536373839306162636564666768696a3132333435363738393061624a081234567890abcedf", fmt.Sprintf("%x", b))
|
||||
//}
|
||||
|
||||
func TestNebulaCertificate_Copy(t *testing.T) {
|
||||
ca, _, caKey, err := newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), nil, nil, nil)
|
||||
assert.Nil(t, err)
|
||||
|
||||
c, _, _, err := newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), nil, nil, nil)
|
||||
assert.Nil(t, err)
|
||||
cc := c.Copy()
|
||||
|
||||
test.AssertDeepCopyEqual(t, c, cc)
|
||||
}
|
||||
|
||||
func TestUnmarshalNebulaCertificate(t *testing.T) {
|
||||
// Test that we don't panic with an invalid certificate (#332)
|
||||
data := []byte("\x98\x00\x00")
|
||||
_, err := unmarshalCertificateV1(data, true)
|
||||
assert.EqualError(t, err, "encoded Details was nil")
|
||||
}
|
||||
|
||||
func newTestCaCert(before, after time.Time, ips, subnets []netip.Prefix, groups []string) (Certificate, []byte, []byte, error) {
|
||||
pub, priv, err := ed25519.GenerateKey(rand.Reader)
|
||||
if before.IsZero() {
|
||||
before = time.Now().Add(time.Second * -60).Round(time.Second)
|
||||
}
|
||||
if after.IsZero() {
|
||||
after = time.Now().Add(time.Second * 60).Round(time.Second)
|
||||
}
|
||||
|
||||
tbs := &TBSCertificate{
|
||||
Version: Version1,
|
||||
Name: "test ca",
|
||||
IsCA: true,
|
||||
NotBefore: time.Unix(before.Unix(), 0),
|
||||
NotAfter: time.Unix(after.Unix(), 0),
|
||||
PublicKey: pub,
|
||||
}
|
||||
|
||||
if len(ips) > 0 {
|
||||
tbs.Networks = ips
|
||||
}
|
||||
|
||||
if len(subnets) > 0 {
|
||||
tbs.UnsafeNetworks = subnets
|
||||
}
|
||||
|
||||
if len(groups) > 0 {
|
||||
tbs.Groups = groups
|
||||
}
|
||||
|
||||
nc, err := tbs.Sign(nil, Curve_CURVE25519, priv)
|
||||
if err != nil {
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
return nc, pub, priv, nil
|
||||
}
|
||||
|
||||
func newTestCaCertP256(before, after time.Time, ips, subnets []netip.Prefix, groups []string) (Certificate, []byte, []byte, error) {
|
||||
priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||||
pub := elliptic.Marshal(elliptic.P256(), priv.PublicKey.X, priv.PublicKey.Y)
|
||||
rawPriv := priv.D.FillBytes(make([]byte, 32))
|
||||
|
||||
if before.IsZero() {
|
||||
before = time.Now().Add(time.Second * -60).Round(time.Second)
|
||||
}
|
||||
if after.IsZero() {
|
||||
after = time.Now().Add(time.Second * 60).Round(time.Second)
|
||||
}
|
||||
|
||||
tbs := &TBSCertificate{
|
||||
Version: Version1,
|
||||
Name: "test ca",
|
||||
IsCA: true,
|
||||
NotBefore: time.Unix(before.Unix(), 0),
|
||||
NotAfter: time.Unix(after.Unix(), 0),
|
||||
PublicKey: pub,
|
||||
Curve: Curve_P256,
|
||||
}
|
||||
|
||||
if len(ips) > 0 {
|
||||
tbs.Networks = ips
|
||||
}
|
||||
|
||||
if len(subnets) > 0 {
|
||||
tbs.UnsafeNetworks = subnets
|
||||
}
|
||||
|
||||
if len(groups) > 0 {
|
||||
tbs.Groups = groups
|
||||
}
|
||||
|
||||
nc, err := tbs.Sign(nil, Curve_P256, rawPriv)
|
||||
if err != nil {
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
return nc, pub, rawPriv, nil
|
||||
}
|
||||
|
||||
func newTestCert(ca Certificate, key []byte, before, after time.Time, ips, subnets []netip.Prefix, groups []string) (Certificate, []byte, []byte, error) {
|
||||
if before.IsZero() {
|
||||
before = time.Now().Add(time.Second * -60).Round(time.Second)
|
||||
}
|
||||
if after.IsZero() {
|
||||
after = time.Now().Add(time.Second * 60).Round(time.Second)
|
||||
}
|
||||
|
||||
if len(groups) == 0 {
|
||||
groups = []string{"test-group1", "test-group2", "test-group3"}
|
||||
}
|
||||
|
||||
if len(ips) == 0 {
|
||||
ips = []netip.Prefix{
|
||||
mustParsePrefixUnmapped("10.1.1.1/24"),
|
||||
mustParsePrefixUnmapped("10.1.1.2/16"),
|
||||
}
|
||||
}
|
||||
|
||||
if len(subnets) == 0 {
|
||||
subnets = []netip.Prefix{
|
||||
mustParsePrefixUnmapped("9.1.1.2/24"),
|
||||
mustParsePrefixUnmapped("9.1.1.3/16"),
|
||||
}
|
||||
}
|
||||
|
||||
var pub, rawPriv []byte
|
||||
|
||||
switch ca.Curve() {
|
||||
case Curve_CURVE25519:
|
||||
pub, rawPriv = x25519Keypair()
|
||||
case Curve_P256:
|
||||
pub, rawPriv = p256Keypair()
|
||||
default:
|
||||
return nil, nil, nil, fmt.Errorf("unknown curve: %v", ca.Curve())
|
||||
}
|
||||
|
||||
tbs := &TBSCertificate{
|
||||
Version: Version1,
|
||||
Name: "testing",
|
||||
Networks: ips,
|
||||
UnsafeNetworks: subnets,
|
||||
Groups: groups,
|
||||
IsCA: false,
|
||||
NotBefore: time.Unix(before.Unix(), 0),
|
||||
NotAfter: time.Unix(after.Unix(), 0),
|
||||
PublicKey: pub,
|
||||
Curve: ca.Curve(),
|
||||
}
|
||||
|
||||
nc, err := tbs.Sign(ca, ca.Curve(), key)
|
||||
if err != nil {
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
|
||||
return nc, pub, rawPriv, nil
|
||||
}
|
||||
|
||||
func x25519Keypair() ([]byte, []byte) {
|
||||
privkey := make([]byte, 32)
|
||||
if _, err := io.ReadFull(rand.Reader, privkey); err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
pubkey, err := curve25519.X25519(privkey, curve25519.Basepoint)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
return pubkey, privkey
|
||||
}
|
||||
|
||||
func p256Keypair() ([]byte, []byte) {
|
||||
privkey, err := ecdh.P256().GenerateKey(rand.Reader)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
pubkey := privkey.PublicKey()
|
||||
return pubkey.Bytes(), privkey.Bytes()
|
||||
}
|
||||
|
||||
func mustParsePrefixUnmapped(s string) netip.Prefix {
|
||||
prefix := netip.MustParsePrefix(s)
|
||||
return netip.PrefixFrom(prefix.Addr().Unmap(), prefix.Bits())
|
||||
}
|
||||
467
cert/cert_v1.go
467
cert/cert_v1.go
@@ -6,19 +6,16 @@ import (
|
||||
"crypto/ecdsa"
|
||||
"crypto/ed25519"
|
||||
"crypto/elliptic"
|
||||
"crypto/rand"
|
||||
"crypto/sha256"
|
||||
"encoding/binary"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
"encoding/pem"
|
||||
"fmt"
|
||||
"math/big"
|
||||
"net"
|
||||
"net/netip"
|
||||
"time"
|
||||
|
||||
"github.com/slackhq/nebula/pkclient"
|
||||
"golang.org/x/crypto/curve25519"
|
||||
"google.golang.org/protobuf/proto"
|
||||
)
|
||||
@@ -31,71 +28,71 @@ type certificateV1 struct {
|
||||
}
|
||||
|
||||
type detailsV1 struct {
|
||||
Name string
|
||||
Ips []netip.Prefix
|
||||
Subnets []netip.Prefix
|
||||
Groups []string
|
||||
NotBefore time.Time
|
||||
NotAfter time.Time
|
||||
PublicKey []byte
|
||||
IsCA bool
|
||||
Issuer string
|
||||
name string
|
||||
networks []netip.Prefix
|
||||
unsafeNetworks []netip.Prefix
|
||||
groups []string
|
||||
notBefore time.Time
|
||||
notAfter time.Time
|
||||
publicKey []byte
|
||||
isCA bool
|
||||
issuer string
|
||||
|
||||
Curve Curve
|
||||
curve Curve
|
||||
}
|
||||
|
||||
type m map[string]interface{}
|
||||
|
||||
func (nc *certificateV1) Version() Version {
|
||||
func (c *certificateV1) Version() Version {
|
||||
return Version1
|
||||
}
|
||||
|
||||
func (nc *certificateV1) Curve() Curve {
|
||||
return nc.details.Curve
|
||||
func (c *certificateV1) Curve() Curve {
|
||||
return c.details.curve
|
||||
}
|
||||
|
||||
func (nc *certificateV1) Groups() []string {
|
||||
return nc.details.Groups
|
||||
func (c *certificateV1) Groups() []string {
|
||||
return c.details.groups
|
||||
}
|
||||
|
||||
func (nc *certificateV1) IsCA() bool {
|
||||
return nc.details.IsCA
|
||||
func (c *certificateV1) IsCA() bool {
|
||||
return c.details.isCA
|
||||
}
|
||||
|
||||
func (nc *certificateV1) Issuer() string {
|
||||
return nc.details.Issuer
|
||||
func (c *certificateV1) Issuer() string {
|
||||
return c.details.issuer
|
||||
}
|
||||
|
||||
func (nc *certificateV1) Name() string {
|
||||
return nc.details.Name
|
||||
func (c *certificateV1) Name() string {
|
||||
return c.details.name
|
||||
}
|
||||
|
||||
func (nc *certificateV1) Networks() []netip.Prefix {
|
||||
return nc.details.Ips
|
||||
func (c *certificateV1) Networks() []netip.Prefix {
|
||||
return c.details.networks
|
||||
}
|
||||
|
||||
func (nc *certificateV1) NotAfter() time.Time {
|
||||
return nc.details.NotAfter
|
||||
func (c *certificateV1) NotAfter() time.Time {
|
||||
return c.details.notAfter
|
||||
}
|
||||
|
||||
func (nc *certificateV1) NotBefore() time.Time {
|
||||
return nc.details.NotBefore
|
||||
func (c *certificateV1) NotBefore() time.Time {
|
||||
return c.details.notBefore
|
||||
}
|
||||
|
||||
func (nc *certificateV1) PublicKey() []byte {
|
||||
return nc.details.PublicKey
|
||||
func (c *certificateV1) PublicKey() []byte {
|
||||
return c.details.publicKey
|
||||
}
|
||||
|
||||
func (nc *certificateV1) Signature() []byte {
|
||||
return nc.signature
|
||||
func (c *certificateV1) Signature() []byte {
|
||||
return c.signature
|
||||
}
|
||||
|
||||
func (nc *certificateV1) UnsafeNetworks() []netip.Prefix {
|
||||
return nc.details.Subnets
|
||||
func (c *certificateV1) UnsafeNetworks() []netip.Prefix {
|
||||
return c.details.unsafeNetworks
|
||||
}
|
||||
|
||||
func (nc *certificateV1) Fingerprint() (string, error) {
|
||||
b, err := nc.Marshal()
|
||||
func (c *certificateV1) Fingerprint() (string, error) {
|
||||
b, err := c.Marshal()
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
@@ -104,33 +101,33 @@ func (nc *certificateV1) Fingerprint() (string, error) {
|
||||
return hex.EncodeToString(sum[:]), nil
|
||||
}
|
||||
|
||||
func (nc *certificateV1) CheckSignature(key []byte) bool {
|
||||
b, err := proto.Marshal(nc.getRawDetails())
|
||||
func (c *certificateV1) CheckSignature(key []byte) bool {
|
||||
b, err := proto.Marshal(c.getRawDetails())
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
switch nc.details.Curve {
|
||||
switch c.details.curve {
|
||||
case Curve_CURVE25519:
|
||||
return ed25519.Verify(key, b, nc.signature)
|
||||
return ed25519.Verify(key, b, c.signature)
|
||||
case Curve_P256:
|
||||
x, y := elliptic.Unmarshal(elliptic.P256(), key)
|
||||
pubKey := &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}
|
||||
hashed := sha256.Sum256(b)
|
||||
return ecdsa.VerifyASN1(pubKey, hashed[:], nc.signature)
|
||||
return ecdsa.VerifyASN1(pubKey, hashed[:], c.signature)
|
||||
default:
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
func (nc *certificateV1) Expired(t time.Time) bool {
|
||||
return nc.details.NotBefore.After(t) || nc.details.NotAfter.Before(t)
|
||||
func (c *certificateV1) Expired(t time.Time) bool {
|
||||
return c.details.notBefore.After(t) || c.details.notAfter.Before(t)
|
||||
}
|
||||
|
||||
func (nc *certificateV1) VerifyPrivateKey(curve Curve, key []byte) error {
|
||||
if curve != nc.details.Curve {
|
||||
func (c *certificateV1) VerifyPrivateKey(curve Curve, key []byte) error {
|
||||
if curve != c.details.curve {
|
||||
return fmt.Errorf("curve in cert and private key supplied don't match")
|
||||
}
|
||||
if nc.details.IsCA {
|
||||
if c.details.isCA {
|
||||
switch curve {
|
||||
case Curve_CURVE25519:
|
||||
// the call to PublicKey below will panic slice bounds out of range otherwise
|
||||
@@ -138,7 +135,7 @@ func (nc *certificateV1) VerifyPrivateKey(curve Curve, key []byte) error {
|
||||
return fmt.Errorf("key was not 64 bytes, is invalid ed25519 private key")
|
||||
}
|
||||
|
||||
if !ed25519.PublicKey(nc.details.PublicKey).Equal(ed25519.PrivateKey(key).Public()) {
|
||||
if !ed25519.PublicKey(c.details.publicKey).Equal(ed25519.PrivateKey(key).Public()) {
|
||||
return fmt.Errorf("public key in cert and private key supplied don't match")
|
||||
}
|
||||
case Curve_P256:
|
||||
@@ -147,7 +144,7 @@ func (nc *certificateV1) VerifyPrivateKey(curve Curve, key []byte) error {
|
||||
return fmt.Errorf("cannot parse private key as P256: %w", err)
|
||||
}
|
||||
pub := privkey.PublicKey().Bytes()
|
||||
if !bytes.Equal(pub, nc.details.PublicKey) {
|
||||
if !bytes.Equal(pub, c.details.publicKey) {
|
||||
return fmt.Errorf("public key in cert and private key supplied don't match")
|
||||
}
|
||||
default:
|
||||
@@ -173,7 +170,7 @@ func (nc *certificateV1) VerifyPrivateKey(curve Curve, key []byte) error {
|
||||
default:
|
||||
return fmt.Errorf("invalid curve: %s", curve)
|
||||
}
|
||||
if !bytes.Equal(pub, nc.details.PublicKey) {
|
||||
if !bytes.Equal(pub, c.details.publicKey) {
|
||||
return fmt.Errorf("public key in cert and private key supplied don't match")
|
||||
}
|
||||
|
||||
@@ -181,173 +178,219 @@ func (nc *certificateV1) VerifyPrivateKey(curve Curve, key []byte) error {
|
||||
}
|
||||
|
||||
// getRawDetails marshals the raw details into protobuf ready struct
|
||||
func (nc *certificateV1) getRawDetails() *RawNebulaCertificateDetails {
|
||||
func (c *certificateV1) getRawDetails() *RawNebulaCertificateDetails {
|
||||
rd := &RawNebulaCertificateDetails{
|
||||
Name: nc.details.Name,
|
||||
Groups: nc.details.Groups,
|
||||
NotBefore: nc.details.NotBefore.Unix(),
|
||||
NotAfter: nc.details.NotAfter.Unix(),
|
||||
PublicKey: make([]byte, len(nc.details.PublicKey)),
|
||||
IsCA: nc.details.IsCA,
|
||||
Curve: nc.details.Curve,
|
||||
Name: c.details.name,
|
||||
Groups: c.details.groups,
|
||||
NotBefore: c.details.notBefore.Unix(),
|
||||
NotAfter: c.details.notAfter.Unix(),
|
||||
PublicKey: make([]byte, len(c.details.publicKey)),
|
||||
IsCA: c.details.isCA,
|
||||
Curve: c.details.curve,
|
||||
}
|
||||
|
||||
for _, ipNet := range nc.details.Ips {
|
||||
for _, ipNet := range c.details.networks {
|
||||
mask := net.CIDRMask(ipNet.Bits(), ipNet.Addr().BitLen())
|
||||
rd.Ips = append(rd.Ips, addr2int(ipNet.Addr()), ip2int(mask))
|
||||
}
|
||||
|
||||
for _, ipNet := range nc.details.Subnets {
|
||||
for _, ipNet := range c.details.unsafeNetworks {
|
||||
mask := net.CIDRMask(ipNet.Bits(), ipNet.Addr().BitLen())
|
||||
rd.Subnets = append(rd.Subnets, addr2int(ipNet.Addr()), ip2int(mask))
|
||||
}
|
||||
|
||||
copy(rd.PublicKey, nc.details.PublicKey[:])
|
||||
copy(rd.PublicKey, c.details.publicKey[:])
|
||||
|
||||
// I know, this is terrible
|
||||
rd.Issuer, _ = hex.DecodeString(nc.details.Issuer)
|
||||
rd.Issuer, _ = hex.DecodeString(c.details.issuer)
|
||||
|
||||
return rd
|
||||
}
|
||||
|
||||
func (nc *certificateV1) String() string {
|
||||
if nc == nil {
|
||||
return "Certificate {}\n"
|
||||
func (c *certificateV1) String() string {
|
||||
b, err := json.MarshalIndent(c.marshalJSON(), "", "\t")
|
||||
if err != nil {
|
||||
return fmt.Sprintf("<error marshalling certificate: %v>", err)
|
||||
}
|
||||
|
||||
s := "NebulaCertificate {\n"
|
||||
s += "\tDetails {\n"
|
||||
s += fmt.Sprintf("\t\tName: %v\n", nc.details.Name)
|
||||
|
||||
if len(nc.details.Ips) > 0 {
|
||||
s += "\t\tIps: [\n"
|
||||
for _, ip := range nc.details.Ips {
|
||||
s += fmt.Sprintf("\t\t\t%v\n", ip.String())
|
||||
}
|
||||
s += "\t\t]\n"
|
||||
} else {
|
||||
s += "\t\tIps: []\n"
|
||||
}
|
||||
|
||||
if len(nc.details.Subnets) > 0 {
|
||||
s += "\t\tSubnets: [\n"
|
||||
for _, ip := range nc.details.Subnets {
|
||||
s += fmt.Sprintf("\t\t\t%v\n", ip.String())
|
||||
}
|
||||
s += "\t\t]\n"
|
||||
} else {
|
||||
s += "\t\tSubnets: []\n"
|
||||
}
|
||||
|
||||
if len(nc.details.Groups) > 0 {
|
||||
s += "\t\tGroups: [\n"
|
||||
for _, g := range nc.details.Groups {
|
||||
s += fmt.Sprintf("\t\t\t\"%v\"\n", g)
|
||||
}
|
||||
s += "\t\t]\n"
|
||||
} else {
|
||||
s += "\t\tGroups: []\n"
|
||||
}
|
||||
|
||||
s += fmt.Sprintf("\t\tNot before: %v\n", nc.details.NotBefore)
|
||||
s += fmt.Sprintf("\t\tNot After: %v\n", nc.details.NotAfter)
|
||||
s += fmt.Sprintf("\t\tIs CA: %v\n", nc.details.IsCA)
|
||||
s += fmt.Sprintf("\t\tIssuer: %s\n", nc.details.Issuer)
|
||||
s += fmt.Sprintf("\t\tPublic key: %x\n", nc.details.PublicKey)
|
||||
s += fmt.Sprintf("\t\tCurve: %s\n", nc.details.Curve)
|
||||
s += "\t}\n"
|
||||
fp, err := nc.Fingerprint()
|
||||
if err == nil {
|
||||
s += fmt.Sprintf("\tFingerprint: %s\n", fp)
|
||||
}
|
||||
s += fmt.Sprintf("\tSignature: %x\n", nc.Signature())
|
||||
s += "}"
|
||||
|
||||
return s
|
||||
return string(b)
|
||||
}
|
||||
|
||||
func (nc *certificateV1) MarshalForHandshakes() ([]byte, error) {
|
||||
pubKey := nc.details.PublicKey
|
||||
nc.details.PublicKey = nil
|
||||
rawCertNoKey, err := nc.Marshal()
|
||||
func (c *certificateV1) MarshalForHandshakes() ([]byte, error) {
|
||||
pubKey := c.details.publicKey
|
||||
c.details.publicKey = nil
|
||||
rawCertNoKey, err := c.Marshal()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
nc.details.PublicKey = pubKey
|
||||
c.details.publicKey = pubKey
|
||||
return rawCertNoKey, nil
|
||||
}
|
||||
|
||||
func (nc *certificateV1) Marshal() ([]byte, error) {
|
||||
func (c *certificateV1) Marshal() ([]byte, error) {
|
||||
rc := RawNebulaCertificate{
|
||||
Details: nc.getRawDetails(),
|
||||
Signature: nc.signature,
|
||||
Details: c.getRawDetails(),
|
||||
Signature: c.signature,
|
||||
}
|
||||
|
||||
return proto.Marshal(&rc)
|
||||
}
|
||||
|
||||
func (nc *certificateV1) MarshalPEM() ([]byte, error) {
|
||||
b, err := nc.Marshal()
|
||||
func (c *certificateV1) MarshalPEM() ([]byte, error) {
|
||||
b, err := c.Marshal()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return pem.EncodeToMemory(&pem.Block{Type: CertificateBanner, Bytes: b}), nil
|
||||
}
|
||||
|
||||
func (nc *certificateV1) MarshalJSON() ([]byte, error) {
|
||||
fp, _ := nc.Fingerprint()
|
||||
jc := m{
|
||||
"details": m{
|
||||
"name": nc.details.Name,
|
||||
"ips": nc.details.Ips,
|
||||
"subnets": nc.details.Subnets,
|
||||
"groups": nc.details.Groups,
|
||||
"notBefore": nc.details.NotBefore,
|
||||
"notAfter": nc.details.NotAfter,
|
||||
"publicKey": fmt.Sprintf("%x", nc.details.PublicKey),
|
||||
"isCa": nc.details.IsCA,
|
||||
"issuer": nc.details.Issuer,
|
||||
"curve": nc.details.Curve.String(),
|
||||
},
|
||||
"fingerprint": fp,
|
||||
"signature": fmt.Sprintf("%x", nc.Signature()),
|
||||
}
|
||||
return json.Marshal(jc)
|
||||
func (c *certificateV1) MarshalJSON() ([]byte, error) {
|
||||
return json.Marshal(c.marshalJSON())
|
||||
}
|
||||
|
||||
func (nc *certificateV1) Copy() Certificate {
|
||||
c := &certificateV1{
|
||||
details: detailsV1{
|
||||
Name: nc.details.Name,
|
||||
Groups: make([]string, len(nc.details.Groups)),
|
||||
Ips: make([]netip.Prefix, len(nc.details.Ips)),
|
||||
Subnets: make([]netip.Prefix, len(nc.details.Subnets)),
|
||||
NotBefore: nc.details.NotBefore,
|
||||
NotAfter: nc.details.NotAfter,
|
||||
PublicKey: make([]byte, len(nc.details.PublicKey)),
|
||||
IsCA: nc.details.IsCA,
|
||||
Issuer: nc.details.Issuer,
|
||||
func (c *certificateV1) marshalJSON() m {
|
||||
fp, _ := c.Fingerprint()
|
||||
return m{
|
||||
"version": Version1,
|
||||
"details": m{
|
||||
"name": c.details.name,
|
||||
"networks": c.details.networks,
|
||||
"unsafeNetworks": c.details.unsafeNetworks,
|
||||
"groups": c.details.groups,
|
||||
"notBefore": c.details.notBefore,
|
||||
"notAfter": c.details.notAfter,
|
||||
"publicKey": fmt.Sprintf("%x", c.details.publicKey),
|
||||
"isCa": c.details.isCA,
|
||||
"issuer": c.details.issuer,
|
||||
"curve": c.details.curve.String(),
|
||||
},
|
||||
signature: make([]byte, len(nc.signature)),
|
||||
"fingerprint": fp,
|
||||
"signature": fmt.Sprintf("%x", c.Signature()),
|
||||
}
|
||||
}
|
||||
|
||||
func (c *certificateV1) Copy() Certificate {
|
||||
nc := &certificateV1{
|
||||
details: detailsV1{
|
||||
name: c.details.name,
|
||||
notBefore: c.details.notBefore,
|
||||
notAfter: c.details.notAfter,
|
||||
publicKey: make([]byte, len(c.details.publicKey)),
|
||||
isCA: c.details.isCA,
|
||||
issuer: c.details.issuer,
|
||||
curve: c.details.curve,
|
||||
},
|
||||
signature: make([]byte, len(c.signature)),
|
||||
}
|
||||
|
||||
copy(c.signature, nc.signature)
|
||||
copy(c.details.Groups, nc.details.Groups)
|
||||
copy(c.details.PublicKey, nc.details.PublicKey)
|
||||
|
||||
for i, p := range nc.details.Ips {
|
||||
c.details.Ips[i] = p
|
||||
if c.details.groups != nil {
|
||||
nc.details.groups = make([]string, len(c.details.groups))
|
||||
copy(nc.details.groups, c.details.groups)
|
||||
}
|
||||
|
||||
for i, p := range nc.details.Subnets {
|
||||
c.details.Subnets[i] = p
|
||||
if c.details.networks != nil {
|
||||
nc.details.networks = make([]netip.Prefix, len(c.details.networks))
|
||||
copy(nc.details.networks, c.details.networks)
|
||||
}
|
||||
|
||||
return c
|
||||
if c.details.unsafeNetworks != nil {
|
||||
nc.details.unsafeNetworks = make([]netip.Prefix, len(c.details.unsafeNetworks))
|
||||
copy(nc.details.unsafeNetworks, c.details.unsafeNetworks)
|
||||
}
|
||||
|
||||
copy(nc.signature, c.signature)
|
||||
copy(nc.details.publicKey, c.details.publicKey)
|
||||
|
||||
return nc
|
||||
}
|
||||
|
||||
func (c *certificateV1) fromTBSCertificate(t *TBSCertificate) error {
|
||||
c.details = detailsV1{
|
||||
name: t.Name,
|
||||
networks: t.Networks,
|
||||
unsafeNetworks: t.UnsafeNetworks,
|
||||
groups: t.Groups,
|
||||
notBefore: t.NotBefore,
|
||||
notAfter: t.NotAfter,
|
||||
publicKey: t.PublicKey,
|
||||
isCA: t.IsCA,
|
||||
curve: t.Curve,
|
||||
issuer: t.issuer,
|
||||
}
|
||||
|
||||
return c.validate()
|
||||
}
|
||||
|
||||
func (c *certificateV1) validate() error {
|
||||
// Empty names are allowed
|
||||
|
||||
if len(c.details.publicKey) == 0 {
|
||||
return ErrInvalidPublicKey
|
||||
}
|
||||
|
||||
// Original v1 rules allowed multiple networks to be present but ignored all but the first one.
|
||||
// Continue to allow this behavior
|
||||
if !c.details.isCA && len(c.details.networks) == 0 {
|
||||
return NewErrInvalidCertificateProperties("non-CA certificates must contain exactly one network")
|
||||
}
|
||||
|
||||
for _, network := range c.details.networks {
|
||||
if !network.IsValid() || !network.Addr().IsValid() {
|
||||
return NewErrInvalidCertificateProperties("invalid network: %s", network)
|
||||
}
|
||||
|
||||
if network.Addr().Is6() {
|
||||
return NewErrInvalidCertificateProperties("certificate may not contain IPv6 networks: %v", network)
|
||||
}
|
||||
|
||||
if network.Addr().IsUnspecified() {
|
||||
return NewErrInvalidCertificateProperties("non-CA certificates must not use the zero address as a network: %s", network)
|
||||
}
|
||||
|
||||
if network.Addr().Zone() != "" {
|
||||
return NewErrInvalidCertificateProperties("networks may not contain zones: %s", network)
|
||||
}
|
||||
}
|
||||
|
||||
for _, network := range c.details.unsafeNetworks {
|
||||
if !network.IsValid() || !network.Addr().IsValid() {
|
||||
return NewErrInvalidCertificateProperties("invalid unsafe network: %s", network)
|
||||
}
|
||||
|
||||
if network.Addr().Is6() {
|
||||
return NewErrInvalidCertificateProperties("certificate may not contain IPv6 unsafe networks: %v", network)
|
||||
}
|
||||
|
||||
if network.Addr().Zone() != "" {
|
||||
return NewErrInvalidCertificateProperties("unsafe networks may not contain zones: %s", network)
|
||||
}
|
||||
}
|
||||
|
||||
// v1 doesn't bother with sort order or uniqueness of networks or unsafe networks.
|
||||
// We can't modify the unmarshalled data because verification requires re-marshalling and a re-ordered
|
||||
// unsafe networks would result in a different signature.
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *certificateV1) marshalForSigning() ([]byte, error) {
|
||||
b, err := proto.Marshal(c.getRawDetails())
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return b, nil
|
||||
}
|
||||
|
||||
func (c *certificateV1) setSignature(b []byte) error {
|
||||
if len(b) == 0 {
|
||||
return ErrEmptySignature
|
||||
}
|
||||
c.signature = b
|
||||
return nil
|
||||
}
|
||||
|
||||
// unmarshalCertificateV1 will unmarshal a protobuf byte representation of a nebula cert
|
||||
func unmarshalCertificateV1(b []byte, assertPublicKey bool) (*certificateV1, error) {
|
||||
// if the publicKey is provided here then it is not required to be present in `b`
|
||||
func unmarshalCertificateV1(b []byte, publicKey []byte) (*certificateV1, error) {
|
||||
if len(b) == 0 {
|
||||
return nil, fmt.Errorf("nil byte array")
|
||||
}
|
||||
@@ -371,27 +414,28 @@ func unmarshalCertificateV1(b []byte, assertPublicKey bool) (*certificateV1, err
|
||||
|
||||
nc := certificateV1{
|
||||
details: detailsV1{
|
||||
Name: rc.Details.Name,
|
||||
Groups: make([]string, len(rc.Details.Groups)),
|
||||
Ips: make([]netip.Prefix, len(rc.Details.Ips)/2),
|
||||
Subnets: make([]netip.Prefix, len(rc.Details.Subnets)/2),
|
||||
NotBefore: time.Unix(rc.Details.NotBefore, 0),
|
||||
NotAfter: time.Unix(rc.Details.NotAfter, 0),
|
||||
PublicKey: make([]byte, len(rc.Details.PublicKey)),
|
||||
IsCA: rc.Details.IsCA,
|
||||
Curve: rc.Details.Curve,
|
||||
name: rc.Details.Name,
|
||||
groups: make([]string, len(rc.Details.Groups)),
|
||||
networks: make([]netip.Prefix, len(rc.Details.Ips)/2),
|
||||
unsafeNetworks: make([]netip.Prefix, len(rc.Details.Subnets)/2),
|
||||
notBefore: time.Unix(rc.Details.NotBefore, 0),
|
||||
notAfter: time.Unix(rc.Details.NotAfter, 0),
|
||||
publicKey: make([]byte, len(rc.Details.PublicKey)),
|
||||
isCA: rc.Details.IsCA,
|
||||
curve: rc.Details.Curve,
|
||||
},
|
||||
signature: make([]byte, len(rc.Signature)),
|
||||
}
|
||||
|
||||
copy(nc.signature, rc.Signature)
|
||||
copy(nc.details.Groups, rc.Details.Groups)
|
||||
nc.details.Issuer = hex.EncodeToString(rc.Details.Issuer)
|
||||
copy(nc.details.groups, rc.Details.Groups)
|
||||
nc.details.issuer = hex.EncodeToString(rc.Details.Issuer)
|
||||
|
||||
if len(rc.Details.PublicKey) < publicKeyLen && assertPublicKey {
|
||||
return nil, fmt.Errorf("public key was fewer than 32 bytes; %v", len(rc.Details.PublicKey))
|
||||
if len(publicKey) > 0 {
|
||||
nc.details.publicKey = publicKey
|
||||
}
|
||||
copy(nc.details.PublicKey, rc.Details.PublicKey)
|
||||
|
||||
copy(nc.details.publicKey, rc.Details.PublicKey)
|
||||
|
||||
var ip netip.Addr
|
||||
for i, rawIp := range rc.Details.Ips {
|
||||
@@ -399,7 +443,7 @@ func unmarshalCertificateV1(b []byte, assertPublicKey bool) (*certificateV1, err
|
||||
ip = int2addr(rawIp)
|
||||
} else {
|
||||
ones, _ := net.IPMask(int2ip(rawIp)).Size()
|
||||
nc.details.Ips[i/2] = netip.PrefixFrom(ip, ones)
|
||||
nc.details.networks[i/2] = netip.PrefixFrom(ip, ones)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -408,67 +452,16 @@ func unmarshalCertificateV1(b []byte, assertPublicKey bool) (*certificateV1, err
|
||||
ip = int2addr(rawIp)
|
||||
} else {
|
||||
ones, _ := net.IPMask(int2ip(rawIp)).Size()
|
||||
nc.details.Subnets[i/2] = netip.PrefixFrom(ip, ones)
|
||||
nc.details.unsafeNetworks[i/2] = netip.PrefixFrom(ip, ones)
|
||||
}
|
||||
}
|
||||
|
||||
return &nc, nil
|
||||
}
|
||||
|
||||
func signV1(t *TBSCertificate, curve Curve, key []byte, client *pkclient.PKClient) (*certificateV1, error) {
|
||||
c := &certificateV1{
|
||||
details: detailsV1{
|
||||
Name: t.Name,
|
||||
Ips: t.Networks,
|
||||
Subnets: t.UnsafeNetworks,
|
||||
Groups: t.Groups,
|
||||
NotBefore: t.NotBefore,
|
||||
NotAfter: t.NotAfter,
|
||||
PublicKey: t.PublicKey,
|
||||
IsCA: t.IsCA,
|
||||
Curve: t.Curve,
|
||||
Issuer: t.issuer,
|
||||
},
|
||||
}
|
||||
b, err := proto.Marshal(c.getRawDetails())
|
||||
err = nc.validate()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
var sig []byte
|
||||
|
||||
switch curve {
|
||||
case Curve_CURVE25519:
|
||||
signer := ed25519.PrivateKey(key)
|
||||
sig = ed25519.Sign(signer, b)
|
||||
case Curve_P256:
|
||||
if client != nil {
|
||||
sig, err = client.SignASN1(b)
|
||||
} else {
|
||||
signer := &ecdsa.PrivateKey{
|
||||
PublicKey: ecdsa.PublicKey{
|
||||
Curve: elliptic.P256(),
|
||||
},
|
||||
// ref: https://github.com/golang/go/blob/go1.19/src/crypto/x509/sec1.go#L95
|
||||
D: new(big.Int).SetBytes(key),
|
||||
}
|
||||
// ref: https://github.com/golang/go/blob/go1.19/src/crypto/x509/sec1.go#L119
|
||||
signer.X, signer.Y = signer.Curve.ScalarBaseMult(key)
|
||||
|
||||
// We need to hash first for ECDSA
|
||||
// - https://pkg.go.dev/crypto/ecdsa#SignASN1
|
||||
hashed := sha256.Sum256(b)
|
||||
sig, err = ecdsa.SignASN1(rand.Reader, signer, hashed[:])
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
default:
|
||||
return nil, fmt.Errorf("invalid curve: %s", c.details.Curve)
|
||||
}
|
||||
|
||||
c.signature = sig
|
||||
return c, nil
|
||||
return &nc, nil
|
||||
}
|
||||
|
||||
func ip2int(ip []byte) uint32 {
|
||||
|
||||
218
cert/cert_v1_test.go
Normal file
218
cert/cert_v1_test.go
Normal file
@@ -0,0 +1,218 @@
|
||||
package cert
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net/netip"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/slackhq/nebula/test"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
"google.golang.org/protobuf/proto"
|
||||
)
|
||||
|
||||
func TestCertificateV1_Marshal(t *testing.T) {
|
||||
before := time.Now().Add(time.Second * -60).Round(time.Second)
|
||||
after := time.Now().Add(time.Second * 60).Round(time.Second)
|
||||
pubKey := []byte("1234567890abcedfghij1234567890ab")
|
||||
|
||||
nc := certificateV1{
|
||||
details: detailsV1{
|
||||
name: "testing",
|
||||
networks: []netip.Prefix{
|
||||
mustParsePrefixUnmapped("10.1.1.1/24"),
|
||||
mustParsePrefixUnmapped("10.1.1.2/16"),
|
||||
},
|
||||
unsafeNetworks: []netip.Prefix{
|
||||
mustParsePrefixUnmapped("9.1.1.2/24"),
|
||||
mustParsePrefixUnmapped("9.1.1.3/16"),
|
||||
},
|
||||
groups: []string{"test-group1", "test-group2", "test-group3"},
|
||||
notBefore: before,
|
||||
notAfter: after,
|
||||
publicKey: pubKey,
|
||||
isCA: false,
|
||||
issuer: "1234567890abcedfghij1234567890ab",
|
||||
},
|
||||
signature: []byte("1234567890abcedfghij1234567890ab"),
|
||||
}
|
||||
|
||||
b, err := nc.Marshal()
|
||||
assert.Nil(t, err)
|
||||
//t.Log("Cert size:", len(b))
|
||||
|
||||
nc2, err := unmarshalCertificateV1(b, nil)
|
||||
assert.Nil(t, err)
|
||||
|
||||
assert.Equal(t, nc.Version(), Version1)
|
||||
assert.Equal(t, nc.Curve(), Curve_CURVE25519)
|
||||
assert.Equal(t, nc.Signature(), nc2.Signature())
|
||||
assert.Equal(t, nc.Name(), nc2.Name())
|
||||
assert.Equal(t, nc.NotBefore(), nc2.NotBefore())
|
||||
assert.Equal(t, nc.NotAfter(), nc2.NotAfter())
|
||||
assert.Equal(t, nc.PublicKey(), nc2.PublicKey())
|
||||
assert.Equal(t, nc.IsCA(), nc2.IsCA())
|
||||
|
||||
assert.Equal(t, nc.Networks(), nc2.Networks())
|
||||
assert.Equal(t, nc.UnsafeNetworks(), nc2.UnsafeNetworks())
|
||||
|
||||
assert.Equal(t, nc.Groups(), nc2.Groups())
|
||||
}
|
||||
|
||||
func TestCertificateV1_Expired(t *testing.T) {
|
||||
nc := certificateV1{
|
||||
details: detailsV1{
|
||||
notBefore: time.Now().Add(time.Second * -60).Round(time.Second),
|
||||
notAfter: time.Now().Add(time.Second * 60).Round(time.Second),
|
||||
},
|
||||
}
|
||||
|
||||
assert.True(t, nc.Expired(time.Now().Add(time.Hour)))
|
||||
assert.True(t, nc.Expired(time.Now().Add(-time.Hour)))
|
||||
assert.False(t, nc.Expired(time.Now()))
|
||||
}
|
||||
|
||||
func TestCertificateV1_MarshalJSON(t *testing.T) {
|
||||
time.Local = time.UTC
|
||||
pubKey := []byte("1234567890abcedfghij1234567890ab")
|
||||
|
||||
nc := certificateV1{
|
||||
details: detailsV1{
|
||||
name: "testing",
|
||||
networks: []netip.Prefix{
|
||||
mustParsePrefixUnmapped("10.1.1.1/24"),
|
||||
mustParsePrefixUnmapped("10.1.1.2/16"),
|
||||
},
|
||||
unsafeNetworks: []netip.Prefix{
|
||||
mustParsePrefixUnmapped("9.1.1.2/24"),
|
||||
mustParsePrefixUnmapped("9.1.1.3/16"),
|
||||
},
|
||||
groups: []string{"test-group1", "test-group2", "test-group3"},
|
||||
notBefore: time.Date(1, 0, 0, 1, 0, 0, 0, time.UTC),
|
||||
notAfter: time.Date(1, 0, 0, 2, 0, 0, 0, time.UTC),
|
||||
publicKey: pubKey,
|
||||
isCA: false,
|
||||
issuer: "1234567890abcedfghij1234567890ab",
|
||||
},
|
||||
signature: []byte("1234567890abcedfghij1234567890ab"),
|
||||
}
|
||||
|
||||
b, err := nc.MarshalJSON()
|
||||
assert.Nil(t, err)
|
||||
assert.Equal(
|
||||
t,
|
||||
"{\"details\":{\"curve\":\"CURVE25519\",\"groups\":[\"test-group1\",\"test-group2\",\"test-group3\"],\"isCa\":false,\"issuer\":\"1234567890abcedfghij1234567890ab\",\"name\":\"testing\",\"networks\":[\"10.1.1.1/24\",\"10.1.1.2/16\"],\"notAfter\":\"0000-11-30T02:00:00Z\",\"notBefore\":\"0000-11-30T01:00:00Z\",\"publicKey\":\"313233343536373839306162636564666768696a313233343536373839306162\",\"unsafeNetworks\":[\"9.1.1.2/24\",\"9.1.1.3/16\"]},\"fingerprint\":\"3944c53d4267a229295b56cb2d27d459164c010ac97d655063ba421e0670f4ba\",\"signature\":\"313233343536373839306162636564666768696a313233343536373839306162\",\"version\":1}",
|
||||
string(b),
|
||||
)
|
||||
}
|
||||
|
||||
func TestCertificateV1_VerifyPrivateKey(t *testing.T) {
|
||||
ca, _, caKey, _ := NewTestCaCert(Version1, Curve_CURVE25519, time.Time{}, time.Time{}, nil, nil, nil)
|
||||
err := ca.VerifyPrivateKey(Curve_CURVE25519, caKey)
|
||||
assert.Nil(t, err)
|
||||
|
||||
_, _, caKey2, _ := NewTestCaCert(Version1, Curve_CURVE25519, time.Time{}, time.Time{}, nil, nil, nil)
|
||||
assert.Nil(t, err)
|
||||
err = ca.VerifyPrivateKey(Curve_CURVE25519, caKey2)
|
||||
assert.NotNil(t, err)
|
||||
|
||||
c, _, priv, _ := NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Time{}, time.Time{}, nil, nil, nil)
|
||||
rawPriv, b, curve, err := UnmarshalPrivateKeyFromPEM(priv)
|
||||
assert.NoError(t, err)
|
||||
assert.Empty(t, b)
|
||||
assert.Equal(t, Curve_CURVE25519, curve)
|
||||
err = c.VerifyPrivateKey(Curve_CURVE25519, rawPriv)
|
||||
assert.Nil(t, err)
|
||||
|
||||
_, priv2 := X25519Keypair()
|
||||
err = c.VerifyPrivateKey(Curve_CURVE25519, priv2)
|
||||
assert.NotNil(t, err)
|
||||
}
|
||||
|
||||
func TestCertificateV1_VerifyPrivateKeyP256(t *testing.T) {
|
||||
ca, _, caKey, _ := NewTestCaCert(Version1, Curve_P256, time.Time{}, time.Time{}, nil, nil, nil)
|
||||
err := ca.VerifyPrivateKey(Curve_P256, caKey)
|
||||
assert.Nil(t, err)
|
||||
|
||||
_, _, caKey2, _ := NewTestCaCert(Version1, Curve_P256, time.Time{}, time.Time{}, nil, nil, nil)
|
||||
assert.Nil(t, err)
|
||||
err = ca.VerifyPrivateKey(Curve_P256, caKey2)
|
||||
assert.NotNil(t, err)
|
||||
|
||||
c, _, priv, _ := NewTestCert(Version1, Curve_P256, ca, caKey, "test", time.Time{}, time.Time{}, nil, nil, nil)
|
||||
rawPriv, b, curve, err := UnmarshalPrivateKeyFromPEM(priv)
|
||||
assert.NoError(t, err)
|
||||
assert.Empty(t, b)
|
||||
assert.Equal(t, Curve_P256, curve)
|
||||
err = c.VerifyPrivateKey(Curve_P256, rawPriv)
|
||||
assert.Nil(t, err)
|
||||
|
||||
_, priv2 := P256Keypair()
|
||||
err = c.VerifyPrivateKey(Curve_P256, priv2)
|
||||
assert.NotNil(t, err)
|
||||
}
|
||||
|
||||
// Ensure that upgrading the protobuf library does not change how certificates
|
||||
// are marshalled, since this would break signature verification
|
||||
func TestMarshalingCertificateV1Consistency(t *testing.T) {
|
||||
before := time.Date(1970, time.January, 1, 1, 1, 1, 1, time.UTC)
|
||||
after := time.Date(9999, time.January, 1, 1, 1, 1, 1, time.UTC)
|
||||
pubKey := []byte("1234567890abcedfghij1234567890ab")
|
||||
|
||||
nc := certificateV1{
|
||||
details: detailsV1{
|
||||
name: "testing",
|
||||
networks: []netip.Prefix{
|
||||
mustParsePrefixUnmapped("10.1.1.2/16"),
|
||||
mustParsePrefixUnmapped("10.1.1.1/24"),
|
||||
},
|
||||
unsafeNetworks: []netip.Prefix{
|
||||
mustParsePrefixUnmapped("9.1.1.3/16"),
|
||||
mustParsePrefixUnmapped("9.1.1.2/24"),
|
||||
},
|
||||
groups: []string{"test-group1", "test-group2", "test-group3"},
|
||||
notBefore: before,
|
||||
notAfter: after,
|
||||
publicKey: pubKey,
|
||||
isCA: false,
|
||||
issuer: "1234567890abcedfghij1234567890ab",
|
||||
},
|
||||
signature: []byte("1234567890abcedfghij1234567890ab"),
|
||||
}
|
||||
|
||||
b, err := nc.Marshal()
|
||||
require.Nil(t, err)
|
||||
assert.Equal(t, "0a8e010a0774657374696e671212828284508080fcff0f8182845080feffff0f1a12838284488080fcff0f8282844880feffff0f220b746573742d67726f757031220b746573742d67726f757032220b746573742d67726f75703328cd1c30cdb8ccf0af073a20313233343536373839306162636564666768696a3132333435363738393061624a081234567890abcedf1220313233343536373839306162636564666768696a313233343536373839306162", fmt.Sprintf("%x", b))
|
||||
|
||||
b, err = proto.Marshal(nc.getRawDetails())
|
||||
assert.Nil(t, err)
|
||||
assert.Equal(t, "0a0774657374696e671212828284508080fcff0f8182845080feffff0f1a12838284488080fcff0f8282844880feffff0f220b746573742d67726f757031220b746573742d67726f757032220b746573742d67726f75703328cd1c30cdb8ccf0af073a20313233343536373839306162636564666768696a3132333435363738393061624a081234567890abcedf", fmt.Sprintf("%x", b))
|
||||
}
|
||||
|
||||
func TestCertificateV1_Copy(t *testing.T) {
|
||||
ca, _, caKey, _ := NewTestCaCert(Version1, Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, nil)
|
||||
c, _, _, _ := NewTestCert(Version1, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, nil, nil)
|
||||
cc := c.Copy()
|
||||
test.AssertDeepCopyEqual(t, c, cc)
|
||||
}
|
||||
|
||||
func TestUnmarshalCertificateV1(t *testing.T) {
|
||||
// Test that we don't panic with an invalid certificate (#332)
|
||||
data := []byte("\x98\x00\x00")
|
||||
_, err := unmarshalCertificateV1(data, nil)
|
||||
assert.EqualError(t, err, "encoded Details was nil")
|
||||
}
|
||||
|
||||
func appendByteSlices(b ...[]byte) []byte {
|
||||
retSlice := []byte{}
|
||||
for _, v := range b {
|
||||
retSlice = append(retSlice, v...)
|
||||
}
|
||||
return retSlice
|
||||
}
|
||||
|
||||
func mustParsePrefixUnmapped(s string) netip.Prefix {
|
||||
prefix := netip.MustParsePrefix(s)
|
||||
return netip.PrefixFrom(prefix.Addr().Unmap(), prefix.Bits())
|
||||
}
|
||||
37
cert/cert_v2.asn1
Normal file
37
cert/cert_v2.asn1
Normal file
@@ -0,0 +1,37 @@
|
||||
Nebula DEFINITIONS AUTOMATIC TAGS ::= BEGIN
|
||||
|
||||
Name ::= UTF8String (SIZE (1..253))
|
||||
Time ::= INTEGER (0..18446744073709551615) -- Seconds since unix epoch, uint64 maximum
|
||||
Network ::= OCTET STRING (SIZE (5,17)) -- IP addresses are 4 or 16 bytes + 1 byte for the prefix length
|
||||
Curve ::= ENUMERATED {
|
||||
curve25519 (0),
|
||||
p256 (1)
|
||||
}
|
||||
|
||||
-- The maximum size of a certificate must not exceed 65536 bytes
|
||||
Certificate ::= SEQUENCE {
|
||||
details OCTET STRING,
|
||||
curve Curve DEFAULT curve25519,
|
||||
publicKey OCTET STRING,
|
||||
-- signature(details + curve + publicKey) using the appropriate method for curve
|
||||
signature OCTET STRING
|
||||
}
|
||||
|
||||
Details ::= SEQUENCE {
|
||||
name Name,
|
||||
|
||||
-- At least 1 ipv4 or ipv6 address must be present if isCA is false
|
||||
networks SEQUENCE OF Network OPTIONAL,
|
||||
unsafeNetworks SEQUENCE OF Network OPTIONAL,
|
||||
groups SEQUENCE OF Name OPTIONAL,
|
||||
isCA BOOLEAN DEFAULT false,
|
||||
notBefore Time,
|
||||
notAfter Time,
|
||||
|
||||
-- issuer is only required if isCA is false, if isCA is true then it must not be present
|
||||
issuer OCTET STRING OPTIONAL,
|
||||
...
|
||||
-- New fields can be added below here
|
||||
}
|
||||
|
||||
END
|
||||
730
cert/cert_v2.go
Normal file
730
cert/cert_v2.go
Normal file
@@ -0,0 +1,730 @@
|
||||
package cert
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/ecdh"
|
||||
"crypto/ecdsa"
|
||||
"crypto/ed25519"
|
||||
"crypto/elliptic"
|
||||
"crypto/sha256"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
"encoding/pem"
|
||||
"fmt"
|
||||
"net/netip"
|
||||
"slices"
|
||||
"time"
|
||||
|
||||
"golang.org/x/crypto/cryptobyte"
|
||||
"golang.org/x/crypto/cryptobyte/asn1"
|
||||
"golang.org/x/crypto/curve25519"
|
||||
)
|
||||
|
||||
const (
|
||||
classConstructed = 0x20
|
||||
classContextSpecific = 0x80
|
||||
|
||||
TagCertDetails = 0 | classConstructed | classContextSpecific
|
||||
TagCertCurve = 1 | classContextSpecific
|
||||
TagCertPublicKey = 2 | classContextSpecific
|
||||
TagCertSignature = 3 | classContextSpecific
|
||||
|
||||
TagDetailsName = 0 | classContextSpecific
|
||||
TagDetailsNetworks = 1 | classConstructed | classContextSpecific
|
||||
TagDetailsUnsafeNetworks = 2 | classConstructed | classContextSpecific
|
||||
TagDetailsGroups = 3 | classConstructed | classContextSpecific
|
||||
TagDetailsIsCA = 4 | classContextSpecific
|
||||
TagDetailsNotBefore = 5 | classContextSpecific
|
||||
TagDetailsNotAfter = 6 | classContextSpecific
|
||||
TagDetailsIssuer = 7 | classContextSpecific
|
||||
)
|
||||
|
||||
const (
|
||||
// MaxCertificateSize is the maximum length a valid certificate can be
|
||||
MaxCertificateSize = 65536
|
||||
|
||||
// MaxNameLength is limited to a maximum realistic DNS domain name to help facilitate DNS systems
|
||||
MaxNameLength = 253
|
||||
|
||||
// MaxNetworkLength is the maximum length a network value can be.
|
||||
// 16 bytes for an ipv6 address + 1 byte for the prefix length
|
||||
MaxNetworkLength = 17
|
||||
)
|
||||
|
||||
type certificateV2 struct {
|
||||
details detailsV2
|
||||
|
||||
// RawDetails contains the entire asn.1 DER encoded Details struct
|
||||
// This is to benefit forwards compatibility in signature checking.
|
||||
// signature(RawDetails + Curve + PublicKey) == Signature
|
||||
rawDetails []byte
|
||||
curve Curve
|
||||
publicKey []byte
|
||||
signature []byte
|
||||
}
|
||||
|
||||
type detailsV2 struct {
|
||||
name string
|
||||
networks []netip.Prefix // MUST BE SORTED
|
||||
unsafeNetworks []netip.Prefix // MUST BE SORTED
|
||||
groups []string
|
||||
isCA bool
|
||||
notBefore time.Time
|
||||
notAfter time.Time
|
||||
issuer string
|
||||
}
|
||||
|
||||
func (c *certificateV2) Version() Version {
|
||||
return Version2
|
||||
}
|
||||
|
||||
func (c *certificateV2) Curve() Curve {
|
||||
return c.curve
|
||||
}
|
||||
|
||||
func (c *certificateV2) Groups() []string {
|
||||
return c.details.groups
|
||||
}
|
||||
|
||||
func (c *certificateV2) IsCA() bool {
|
||||
return c.details.isCA
|
||||
}
|
||||
|
||||
func (c *certificateV2) Issuer() string {
|
||||
return c.details.issuer
|
||||
}
|
||||
|
||||
func (c *certificateV2) Name() string {
|
||||
return c.details.name
|
||||
}
|
||||
|
||||
func (c *certificateV2) Networks() []netip.Prefix {
|
||||
return c.details.networks
|
||||
}
|
||||
|
||||
func (c *certificateV2) NotAfter() time.Time {
|
||||
return c.details.notAfter
|
||||
}
|
||||
|
||||
func (c *certificateV2) NotBefore() time.Time {
|
||||
return c.details.notBefore
|
||||
}
|
||||
|
||||
func (c *certificateV2) PublicKey() []byte {
|
||||
return c.publicKey
|
||||
}
|
||||
|
||||
func (c *certificateV2) Signature() []byte {
|
||||
return c.signature
|
||||
}
|
||||
|
||||
func (c *certificateV2) UnsafeNetworks() []netip.Prefix {
|
||||
return c.details.unsafeNetworks
|
||||
}
|
||||
|
||||
func (c *certificateV2) Fingerprint() (string, error) {
|
||||
if len(c.rawDetails) == 0 {
|
||||
return "", ErrMissingDetails
|
||||
}
|
||||
|
||||
b := make([]byte, len(c.rawDetails)+1+len(c.publicKey)+len(c.signature))
|
||||
copy(b, c.rawDetails)
|
||||
b[len(c.rawDetails)] = byte(c.curve)
|
||||
copy(b[len(c.rawDetails)+1:], c.publicKey)
|
||||
copy(b[len(c.rawDetails)+1+len(c.publicKey):], c.signature)
|
||||
sum := sha256.Sum256(b)
|
||||
return hex.EncodeToString(sum[:]), nil
|
||||
}
|
||||
|
||||
func (c *certificateV2) CheckSignature(key []byte) bool {
|
||||
if len(c.rawDetails) == 0 {
|
||||
return false
|
||||
}
|
||||
b := make([]byte, len(c.rawDetails)+1+len(c.publicKey))
|
||||
copy(b, c.rawDetails)
|
||||
b[len(c.rawDetails)] = byte(c.curve)
|
||||
copy(b[len(c.rawDetails)+1:], c.publicKey)
|
||||
|
||||
switch c.curve {
|
||||
case Curve_CURVE25519:
|
||||
return ed25519.Verify(key, b, c.signature)
|
||||
case Curve_P256:
|
||||
x, y := elliptic.Unmarshal(elliptic.P256(), key)
|
||||
pubKey := &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}
|
||||
hashed := sha256.Sum256(b)
|
||||
return ecdsa.VerifyASN1(pubKey, hashed[:], c.signature)
|
||||
default:
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
func (c *certificateV2) Expired(t time.Time) bool {
|
||||
return c.details.notBefore.After(t) || c.details.notAfter.Before(t)
|
||||
}
|
||||
|
||||
func (c *certificateV2) VerifyPrivateKey(curve Curve, key []byte) error {
|
||||
if curve != c.curve {
|
||||
return ErrPublicPrivateCurveMismatch
|
||||
}
|
||||
if c.details.isCA {
|
||||
switch curve {
|
||||
case Curve_CURVE25519:
|
||||
// the call to PublicKey below will panic slice bounds out of range otherwise
|
||||
if len(key) != ed25519.PrivateKeySize {
|
||||
return ErrInvalidPrivateKey
|
||||
}
|
||||
|
||||
if !ed25519.PublicKey(c.publicKey).Equal(ed25519.PrivateKey(key).Public()) {
|
||||
return ErrPublicPrivateKeyMismatch
|
||||
}
|
||||
case Curve_P256:
|
||||
privkey, err := ecdh.P256().NewPrivateKey(key)
|
||||
if err != nil {
|
||||
return ErrInvalidPrivateKey
|
||||
}
|
||||
pub := privkey.PublicKey().Bytes()
|
||||
if !bytes.Equal(pub, c.publicKey) {
|
||||
return ErrPublicPrivateKeyMismatch
|
||||
}
|
||||
default:
|
||||
return fmt.Errorf("invalid curve: %s", curve)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
var pub []byte
|
||||
switch curve {
|
||||
case Curve_CURVE25519:
|
||||
var err error
|
||||
pub, err = curve25519.X25519(key, curve25519.Basepoint)
|
||||
if err != nil {
|
||||
return ErrInvalidPrivateKey
|
||||
}
|
||||
case Curve_P256:
|
||||
privkey, err := ecdh.P256().NewPrivateKey(key)
|
||||
if err != nil {
|
||||
return ErrInvalidPrivateKey
|
||||
}
|
||||
pub = privkey.PublicKey().Bytes()
|
||||
default:
|
||||
return fmt.Errorf("invalid curve: %s", curve)
|
||||
}
|
||||
if !bytes.Equal(pub, c.publicKey) {
|
||||
return ErrPublicPrivateKeyMismatch
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *certificateV2) String() string {
|
||||
mb, err := c.marshalJSON()
|
||||
if err != nil {
|
||||
return fmt.Sprintf("<error marshalling certificate: %v>", err)
|
||||
}
|
||||
|
||||
b, err := json.MarshalIndent(mb, "", "\t")
|
||||
if err != nil {
|
||||
return fmt.Sprintf("<error marshalling certificate: %v>", err)
|
||||
}
|
||||
return string(b)
|
||||
}
|
||||
|
||||
func (c *certificateV2) MarshalForHandshakes() ([]byte, error) {
|
||||
if c.rawDetails == nil {
|
||||
return nil, ErrEmptyRawDetails
|
||||
}
|
||||
var b cryptobyte.Builder
|
||||
// Outermost certificate
|
||||
b.AddASN1(asn1.SEQUENCE, func(b *cryptobyte.Builder) {
|
||||
|
||||
// Add the cert details which is already marshalled
|
||||
b.AddBytes(c.rawDetails)
|
||||
|
||||
// Skipping the curve and public key since those come across in a different part of the handshake
|
||||
|
||||
// Add the signature
|
||||
b.AddASN1(TagCertSignature, func(b *cryptobyte.Builder) {
|
||||
b.AddBytes(c.signature)
|
||||
})
|
||||
})
|
||||
|
||||
return b.Bytes()
|
||||
}
|
||||
|
||||
func (c *certificateV2) Marshal() ([]byte, error) {
|
||||
if c.rawDetails == nil {
|
||||
return nil, ErrEmptyRawDetails
|
||||
}
|
||||
var b cryptobyte.Builder
|
||||
// Outermost certificate
|
||||
b.AddASN1(asn1.SEQUENCE, func(b *cryptobyte.Builder) {
|
||||
|
||||
// Add the cert details which is already marshalled
|
||||
b.AddBytes(c.rawDetails)
|
||||
|
||||
// Add the curve only if its not the default value
|
||||
if c.curve != Curve_CURVE25519 {
|
||||
b.AddASN1(TagCertCurve, func(b *cryptobyte.Builder) {
|
||||
b.AddBytes([]byte{byte(c.curve)})
|
||||
})
|
||||
}
|
||||
|
||||
// Add the public key if it is not empty
|
||||
if c.publicKey != nil {
|
||||
b.AddASN1(TagCertPublicKey, func(b *cryptobyte.Builder) {
|
||||
b.AddBytes(c.publicKey)
|
||||
})
|
||||
}
|
||||
|
||||
// Add the signature
|
||||
b.AddASN1(TagCertSignature, func(b *cryptobyte.Builder) {
|
||||
b.AddBytes(c.signature)
|
||||
})
|
||||
})
|
||||
|
||||
return b.Bytes()
|
||||
}
|
||||
|
||||
func (c *certificateV2) MarshalPEM() ([]byte, error) {
|
||||
b, err := c.Marshal()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return pem.EncodeToMemory(&pem.Block{Type: CertificateV2Banner, Bytes: b}), nil
|
||||
}
|
||||
|
||||
func (c *certificateV2) MarshalJSON() ([]byte, error) {
|
||||
b, err := c.marshalJSON()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return json.Marshal(b)
|
||||
}
|
||||
|
||||
func (c *certificateV2) marshalJSON() (m, error) {
|
||||
fp, err := c.Fingerprint()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return m{
|
||||
"details": m{
|
||||
"name": c.details.name,
|
||||
"networks": c.details.networks,
|
||||
"unsafeNetworks": c.details.unsafeNetworks,
|
||||
"groups": c.details.groups,
|
||||
"notBefore": c.details.notBefore,
|
||||
"notAfter": c.details.notAfter,
|
||||
"isCa": c.details.isCA,
|
||||
"issuer": c.details.issuer,
|
||||
},
|
||||
"version": Version2,
|
||||
"publicKey": fmt.Sprintf("%x", c.publicKey),
|
||||
"curve": c.curve.String(),
|
||||
"fingerprint": fp,
|
||||
"signature": fmt.Sprintf("%x", c.Signature()),
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (c *certificateV2) Copy() Certificate {
|
||||
nc := &certificateV2{
|
||||
details: detailsV2{
|
||||
name: c.details.name,
|
||||
notBefore: c.details.notBefore,
|
||||
notAfter: c.details.notAfter,
|
||||
isCA: c.details.isCA,
|
||||
issuer: c.details.issuer,
|
||||
},
|
||||
curve: c.curve,
|
||||
publicKey: make([]byte, len(c.publicKey)),
|
||||
signature: make([]byte, len(c.signature)),
|
||||
rawDetails: make([]byte, len(c.rawDetails)),
|
||||
}
|
||||
|
||||
if c.details.groups != nil {
|
||||
nc.details.groups = make([]string, len(c.details.groups))
|
||||
copy(nc.details.groups, c.details.groups)
|
||||
}
|
||||
|
||||
if c.details.networks != nil {
|
||||
nc.details.networks = make([]netip.Prefix, len(c.details.networks))
|
||||
copy(nc.details.networks, c.details.networks)
|
||||
}
|
||||
|
||||
if c.details.unsafeNetworks != nil {
|
||||
nc.details.unsafeNetworks = make([]netip.Prefix, len(c.details.unsafeNetworks))
|
||||
copy(nc.details.unsafeNetworks, c.details.unsafeNetworks)
|
||||
}
|
||||
|
||||
copy(nc.rawDetails, c.rawDetails)
|
||||
copy(nc.signature, c.signature)
|
||||
copy(nc.publicKey, c.publicKey)
|
||||
|
||||
return nc
|
||||
}
|
||||
|
||||
func (c *certificateV2) fromTBSCertificate(t *TBSCertificate) error {
|
||||
c.details = detailsV2{
|
||||
name: t.Name,
|
||||
networks: t.Networks,
|
||||
unsafeNetworks: t.UnsafeNetworks,
|
||||
groups: t.Groups,
|
||||
isCA: t.IsCA,
|
||||
notBefore: t.NotBefore,
|
||||
notAfter: t.NotAfter,
|
||||
issuer: t.issuer,
|
||||
}
|
||||
c.curve = t.Curve
|
||||
c.publicKey = t.PublicKey
|
||||
return c.validate()
|
||||
}
|
||||
|
||||
func (c *certificateV2) validate() error {
|
||||
// Empty names are allowed
|
||||
|
||||
if len(c.publicKey) == 0 {
|
||||
return ErrInvalidPublicKey
|
||||
}
|
||||
|
||||
if !c.details.isCA && len(c.details.networks) == 0 {
|
||||
return NewErrInvalidCertificateProperties("non-CA certificate must contain at least 1 network")
|
||||
}
|
||||
|
||||
hasV4Networks := false
|
||||
hasV6Networks := false
|
||||
for _, network := range c.details.networks {
|
||||
if !network.IsValid() || !network.Addr().IsValid() {
|
||||
return NewErrInvalidCertificateProperties("invalid network: %s", network)
|
||||
}
|
||||
|
||||
if network.Addr().IsUnspecified() {
|
||||
return NewErrInvalidCertificateProperties("non-CA certificates must not use the zero address as a network: %s", network)
|
||||
}
|
||||
|
||||
if network.Addr().Zone() != "" {
|
||||
return NewErrInvalidCertificateProperties("networks may not contain zones: %s", network)
|
||||
}
|
||||
|
||||
if network.Addr().Is4In6() {
|
||||
return NewErrInvalidCertificateProperties("4in6 networks are not allowed: %s", network)
|
||||
}
|
||||
|
||||
hasV4Networks = hasV4Networks || network.Addr().Is4()
|
||||
hasV6Networks = hasV6Networks || network.Addr().Is6()
|
||||
}
|
||||
|
||||
slices.SortFunc(c.details.networks, comparePrefix)
|
||||
err := findDuplicatePrefix(c.details.networks)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
for _, network := range c.details.unsafeNetworks {
|
||||
if !network.IsValid() || !network.Addr().IsValid() {
|
||||
return NewErrInvalidCertificateProperties("invalid unsafe network: %s", network)
|
||||
}
|
||||
|
||||
if network.Addr().Zone() != "" {
|
||||
return NewErrInvalidCertificateProperties("unsafe networks may not contain zones: %s", network)
|
||||
}
|
||||
|
||||
if !c.details.isCA {
|
||||
if network.Addr().Is6() {
|
||||
if !hasV6Networks {
|
||||
return NewErrInvalidCertificateProperties("IPv6 unsafe networks require an IPv6 address assignment: %s", network)
|
||||
}
|
||||
} else if network.Addr().Is4() {
|
||||
if !hasV4Networks {
|
||||
return NewErrInvalidCertificateProperties("IPv4 unsafe networks require an IPv4 address assignment: %s", network)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
slices.SortFunc(c.details.unsafeNetworks, comparePrefix)
|
||||
err = findDuplicatePrefix(c.details.unsafeNetworks)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *certificateV2) marshalForSigning() ([]byte, error) {
|
||||
d, err := c.details.Marshal()
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("marshalling certificate details failed: %w", err)
|
||||
}
|
||||
c.rawDetails = d
|
||||
|
||||
b := make([]byte, len(c.rawDetails)+1+len(c.publicKey))
|
||||
copy(b, c.rawDetails)
|
||||
b[len(c.rawDetails)] = byte(c.curve)
|
||||
copy(b[len(c.rawDetails)+1:], c.publicKey)
|
||||
return b, nil
|
||||
}
|
||||
|
||||
func (c *certificateV2) setSignature(b []byte) error {
|
||||
if len(b) == 0 {
|
||||
return ErrEmptySignature
|
||||
}
|
||||
c.signature = b
|
||||
return nil
|
||||
}
|
||||
|
||||
func (d *detailsV2) Marshal() ([]byte, error) {
|
||||
var b cryptobyte.Builder
|
||||
var err error
|
||||
|
||||
// Details are a structure
|
||||
b.AddASN1(TagCertDetails, func(b *cryptobyte.Builder) {
|
||||
|
||||
// Add the name
|
||||
b.AddASN1(TagDetailsName, func(b *cryptobyte.Builder) {
|
||||
b.AddBytes([]byte(d.name))
|
||||
})
|
||||
|
||||
// Add the networks if any exist
|
||||
if len(d.networks) > 0 {
|
||||
b.AddASN1(TagDetailsNetworks, func(b *cryptobyte.Builder) {
|
||||
for _, n := range d.networks {
|
||||
sb, innerErr := n.MarshalBinary()
|
||||
if innerErr != nil {
|
||||
// MarshalBinary never returns an error
|
||||
err = fmt.Errorf("unable to marshal network: %w", innerErr)
|
||||
return
|
||||
}
|
||||
b.AddASN1OctetString(sb)
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
// Add the unsafe networks if any exist
|
||||
if len(d.unsafeNetworks) > 0 {
|
||||
b.AddASN1(TagDetailsUnsafeNetworks, func(b *cryptobyte.Builder) {
|
||||
for _, n := range d.unsafeNetworks {
|
||||
sb, innerErr := n.MarshalBinary()
|
||||
if innerErr != nil {
|
||||
// MarshalBinary never returns an error
|
||||
err = fmt.Errorf("unable to marshal unsafe network: %w", innerErr)
|
||||
return
|
||||
}
|
||||
b.AddASN1OctetString(sb)
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
// Add groups if any exist
|
||||
if len(d.groups) > 0 {
|
||||
b.AddASN1(TagDetailsGroups, func(b *cryptobyte.Builder) {
|
||||
for _, group := range d.groups {
|
||||
b.AddASN1(asn1.UTF8String, func(b *cryptobyte.Builder) {
|
||||
b.AddBytes([]byte(group))
|
||||
})
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
// Add IsCA only if true
|
||||
if d.isCA {
|
||||
b.AddASN1(TagDetailsIsCA, func(b *cryptobyte.Builder) {
|
||||
b.AddUint8(0xff)
|
||||
})
|
||||
}
|
||||
|
||||
// Add not before
|
||||
b.AddASN1Int64WithTag(d.notBefore.Unix(), TagDetailsNotBefore)
|
||||
|
||||
// Add not after
|
||||
b.AddASN1Int64WithTag(d.notAfter.Unix(), TagDetailsNotAfter)
|
||||
|
||||
// Add the issuer if present
|
||||
if d.issuer != "" {
|
||||
issuerBytes, innerErr := hex.DecodeString(d.issuer)
|
||||
if innerErr != nil {
|
||||
err = fmt.Errorf("failed to decode issuer: %w", innerErr)
|
||||
return
|
||||
}
|
||||
b.AddASN1(TagDetailsIssuer, func(b *cryptobyte.Builder) {
|
||||
b.AddBytes(issuerBytes)
|
||||
})
|
||||
}
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return b.Bytes()
|
||||
}
|
||||
|
||||
func unmarshalCertificateV2(b []byte, publicKey []byte, curve Curve) (*certificateV2, error) {
|
||||
l := len(b)
|
||||
if l == 0 || l > MaxCertificateSize {
|
||||
return nil, ErrBadFormat
|
||||
}
|
||||
|
||||
input := cryptobyte.String(b)
|
||||
// Open the envelope
|
||||
if !input.ReadASN1(&input, asn1.SEQUENCE) || input.Empty() {
|
||||
return nil, ErrBadFormat
|
||||
}
|
||||
|
||||
// Grab the cert details, we need to preserve the tag and length
|
||||
var rawDetails cryptobyte.String
|
||||
if !input.ReadASN1Element(&rawDetails, TagCertDetails) || rawDetails.Empty() {
|
||||
return nil, ErrBadFormat
|
||||
}
|
||||
|
||||
//Maybe grab the curve
|
||||
var rawCurve byte
|
||||
if !readOptionalASN1Byte(&input, &rawCurve, TagCertCurve, byte(curve)) {
|
||||
return nil, ErrBadFormat
|
||||
}
|
||||
curve = Curve(rawCurve)
|
||||
|
||||
// Maybe grab the public key
|
||||
var rawPublicKey cryptobyte.String
|
||||
if len(publicKey) > 0 {
|
||||
rawPublicKey = publicKey
|
||||
} else if !input.ReadOptionalASN1(&rawPublicKey, nil, TagCertPublicKey) {
|
||||
return nil, ErrBadFormat
|
||||
}
|
||||
|
||||
if len(rawPublicKey) == 0 {
|
||||
return nil, ErrBadFormat
|
||||
}
|
||||
|
||||
// Grab the signature
|
||||
var rawSignature cryptobyte.String
|
||||
if !input.ReadASN1(&rawSignature, TagCertSignature) || rawSignature.Empty() {
|
||||
return nil, ErrBadFormat
|
||||
}
|
||||
|
||||
// Finally unmarshal the details
|
||||
details, err := unmarshalDetails(rawDetails)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
c := &certificateV2{
|
||||
details: details,
|
||||
rawDetails: rawDetails,
|
||||
curve: curve,
|
||||
publicKey: rawPublicKey,
|
||||
signature: rawSignature,
|
||||
}
|
||||
|
||||
err = c.validate()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return c, nil
|
||||
}
|
||||
|
||||
func unmarshalDetails(b cryptobyte.String) (detailsV2, error) {
|
||||
// Open the envelope
|
||||
if !b.ReadASN1(&b, TagCertDetails) || b.Empty() {
|
||||
return detailsV2{}, ErrBadFormat
|
||||
}
|
||||
|
||||
// Read the name
|
||||
var name cryptobyte.String
|
||||
if !b.ReadASN1(&name, TagDetailsName) || name.Empty() || len(name) > MaxNameLength {
|
||||
return detailsV2{}, ErrBadFormat
|
||||
}
|
||||
|
||||
// Read the network addresses
|
||||
var subString cryptobyte.String
|
||||
var found bool
|
||||
|
||||
if !b.ReadOptionalASN1(&subString, &found, TagDetailsNetworks) {
|
||||
return detailsV2{}, ErrBadFormat
|
||||
}
|
||||
|
||||
var networks []netip.Prefix
|
||||
var val cryptobyte.String
|
||||
if found {
|
||||
for !subString.Empty() {
|
||||
if !subString.ReadASN1(&val, asn1.OCTET_STRING) || val.Empty() || len(val) > MaxNetworkLength {
|
||||
return detailsV2{}, ErrBadFormat
|
||||
}
|
||||
|
||||
var n netip.Prefix
|
||||
if err := n.UnmarshalBinary(val); err != nil {
|
||||
return detailsV2{}, ErrBadFormat
|
||||
}
|
||||
networks = append(networks, n)
|
||||
}
|
||||
}
|
||||
|
||||
// Read out any unsafe networks
|
||||
if !b.ReadOptionalASN1(&subString, &found, TagDetailsUnsafeNetworks) {
|
||||
return detailsV2{}, ErrBadFormat
|
||||
}
|
||||
|
||||
var unsafeNetworks []netip.Prefix
|
||||
if found {
|
||||
for !subString.Empty() {
|
||||
if !subString.ReadASN1(&val, asn1.OCTET_STRING) || val.Empty() || len(val) > MaxNetworkLength {
|
||||
return detailsV2{}, ErrBadFormat
|
||||
}
|
||||
|
||||
var n netip.Prefix
|
||||
if err := n.UnmarshalBinary(val); err != nil {
|
||||
return detailsV2{}, ErrBadFormat
|
||||
}
|
||||
unsafeNetworks = append(unsafeNetworks, n)
|
||||
}
|
||||
}
|
||||
|
||||
// Read out any groups
|
||||
if !b.ReadOptionalASN1(&subString, &found, TagDetailsGroups) {
|
||||
return detailsV2{}, ErrBadFormat
|
||||
}
|
||||
|
||||
var groups []string
|
||||
if found {
|
||||
for !subString.Empty() {
|
||||
if !subString.ReadASN1(&val, asn1.UTF8String) || val.Empty() {
|
||||
return detailsV2{}, ErrBadFormat
|
||||
}
|
||||
groups = append(groups, string(val))
|
||||
}
|
||||
}
|
||||
|
||||
// Read out IsCA
|
||||
var isCa bool
|
||||
if !readOptionalASN1Boolean(&b, &isCa, TagDetailsIsCA, false) {
|
||||
return detailsV2{}, ErrBadFormat
|
||||
}
|
||||
|
||||
// Read not before and not after
|
||||
var notBefore int64
|
||||
if !b.ReadASN1Int64WithTag(¬Before, TagDetailsNotBefore) {
|
||||
return detailsV2{}, ErrBadFormat
|
||||
}
|
||||
|
||||
var notAfter int64
|
||||
if !b.ReadASN1Int64WithTag(¬After, TagDetailsNotAfter) {
|
||||
return detailsV2{}, ErrBadFormat
|
||||
}
|
||||
|
||||
// Read issuer
|
||||
var issuer cryptobyte.String
|
||||
if !b.ReadOptionalASN1(&issuer, nil, TagDetailsIssuer) {
|
||||
return detailsV2{}, ErrBadFormat
|
||||
}
|
||||
|
||||
return detailsV2{
|
||||
name: string(name),
|
||||
networks: networks,
|
||||
unsafeNetworks: unsafeNetworks,
|
||||
groups: groups,
|
||||
isCA: isCa,
|
||||
notBefore: time.Unix(notBefore, 0),
|
||||
notAfter: time.Unix(notAfter, 0),
|
||||
issuer: hex.EncodeToString(issuer),
|
||||
}, nil
|
||||
}
|
||||
267
cert/cert_v2_test.go
Normal file
267
cert/cert_v2_test.go
Normal file
@@ -0,0 +1,267 @@
|
||||
package cert
|
||||
|
||||
import (
|
||||
"crypto/ed25519"
|
||||
"crypto/rand"
|
||||
"encoding/hex"
|
||||
"net/netip"
|
||||
"slices"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/slackhq/nebula/test"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
func TestCertificateV2_Marshal(t *testing.T) {
|
||||
before := time.Now().Add(time.Second * -60).Round(time.Second)
|
||||
after := time.Now().Add(time.Second * 60).Round(time.Second)
|
||||
pubKey := []byte("1234567890abcedfghij1234567890ab")
|
||||
|
||||
nc := certificateV2{
|
||||
details: detailsV2{
|
||||
name: "testing",
|
||||
networks: []netip.Prefix{
|
||||
mustParsePrefixUnmapped("10.1.1.2/16"),
|
||||
mustParsePrefixUnmapped("10.1.1.1/24"),
|
||||
},
|
||||
unsafeNetworks: []netip.Prefix{
|
||||
mustParsePrefixUnmapped("9.1.1.3/16"),
|
||||
mustParsePrefixUnmapped("9.1.1.2/24"),
|
||||
},
|
||||
groups: []string{"test-group1", "test-group2", "test-group3"},
|
||||
notBefore: before,
|
||||
notAfter: after,
|
||||
isCA: false,
|
||||
issuer: "1234567890abcdef1234567890abcdef",
|
||||
},
|
||||
signature: []byte("1234567890abcdef1234567890abcdef"),
|
||||
publicKey: pubKey,
|
||||
}
|
||||
|
||||
db, err := nc.details.Marshal()
|
||||
require.NoError(t, err)
|
||||
nc.rawDetails = db
|
||||
|
||||
b, err := nc.Marshal()
|
||||
require.Nil(t, err)
|
||||
//t.Log("Cert size:", len(b))
|
||||
|
||||
nc2, err := unmarshalCertificateV2(b, nil, Curve_CURVE25519)
|
||||
assert.Nil(t, err)
|
||||
|
||||
assert.Equal(t, nc.Version(), Version2)
|
||||
assert.Equal(t, nc.Curve(), Curve_CURVE25519)
|
||||
assert.Equal(t, nc.Signature(), nc2.Signature())
|
||||
assert.Equal(t, nc.Name(), nc2.Name())
|
||||
assert.Equal(t, nc.NotBefore(), nc2.NotBefore())
|
||||
assert.Equal(t, nc.NotAfter(), nc2.NotAfter())
|
||||
assert.Equal(t, nc.PublicKey(), nc2.PublicKey())
|
||||
assert.Equal(t, nc.IsCA(), nc2.IsCA())
|
||||
assert.Equal(t, nc.Issuer(), nc2.Issuer())
|
||||
|
||||
// unmarshalling will sort networks and unsafeNetworks, we need to do the same
|
||||
// but first make sure it fails
|
||||
assert.NotEqual(t, nc.Networks(), nc2.Networks())
|
||||
assert.NotEqual(t, nc.UnsafeNetworks(), nc2.UnsafeNetworks())
|
||||
|
||||
slices.SortFunc(nc.details.networks, comparePrefix)
|
||||
slices.SortFunc(nc.details.unsafeNetworks, comparePrefix)
|
||||
|
||||
assert.Equal(t, nc.Networks(), nc2.Networks())
|
||||
assert.Equal(t, nc.UnsafeNetworks(), nc2.UnsafeNetworks())
|
||||
|
||||
assert.Equal(t, nc.Groups(), nc2.Groups())
|
||||
}
|
||||
|
||||
func TestCertificateV2_Expired(t *testing.T) {
|
||||
nc := certificateV2{
|
||||
details: detailsV2{
|
||||
notBefore: time.Now().Add(time.Second * -60).Round(time.Second),
|
||||
notAfter: time.Now().Add(time.Second * 60).Round(time.Second),
|
||||
},
|
||||
}
|
||||
|
||||
assert.True(t, nc.Expired(time.Now().Add(time.Hour)))
|
||||
assert.True(t, nc.Expired(time.Now().Add(-time.Hour)))
|
||||
assert.False(t, nc.Expired(time.Now()))
|
||||
}
|
||||
|
||||
func TestCertificateV2_MarshalJSON(t *testing.T) {
|
||||
time.Local = time.UTC
|
||||
pubKey := []byte("1234567890abcedf1234567890abcedf")
|
||||
|
||||
nc := certificateV2{
|
||||
details: detailsV2{
|
||||
name: "testing",
|
||||
networks: []netip.Prefix{
|
||||
mustParsePrefixUnmapped("10.1.1.1/24"),
|
||||
mustParsePrefixUnmapped("10.1.1.2/16"),
|
||||
},
|
||||
unsafeNetworks: []netip.Prefix{
|
||||
mustParsePrefixUnmapped("9.1.1.2/24"),
|
||||
mustParsePrefixUnmapped("9.1.1.3/16"),
|
||||
},
|
||||
groups: []string{"test-group1", "test-group2", "test-group3"},
|
||||
notBefore: time.Date(1, 0, 0, 1, 0, 0, 0, time.UTC),
|
||||
notAfter: time.Date(1, 0, 0, 2, 0, 0, 0, time.UTC),
|
||||
isCA: false,
|
||||
issuer: "1234567890abcedf1234567890abcedf",
|
||||
},
|
||||
publicKey: pubKey,
|
||||
signature: []byte("1234567890abcedf1234567890abcedf1234567890abcedf1234567890abcedf"),
|
||||
}
|
||||
|
||||
b, err := nc.MarshalJSON()
|
||||
assert.ErrorIs(t, err, ErrMissingDetails)
|
||||
|
||||
rd, err := nc.details.Marshal()
|
||||
assert.NoError(t, err)
|
||||
|
||||
nc.rawDetails = rd
|
||||
b, err = nc.MarshalJSON()
|
||||
assert.Nil(t, err)
|
||||
assert.Equal(
|
||||
t,
|
||||
"{\"curve\":\"CURVE25519\",\"details\":{\"groups\":[\"test-group1\",\"test-group2\",\"test-group3\"],\"isCa\":false,\"issuer\":\"1234567890abcedf1234567890abcedf\",\"name\":\"testing\",\"networks\":[\"10.1.1.1/24\",\"10.1.1.2/16\"],\"notAfter\":\"0000-11-30T02:00:00Z\",\"notBefore\":\"0000-11-30T01:00:00Z\",\"unsafeNetworks\":[\"9.1.1.2/24\",\"9.1.1.3/16\"]},\"fingerprint\":\"152d9a7400c1e001cb76cffd035215ebb351f69eeb797f7f847dd086e15e56dd\",\"publicKey\":\"3132333435363738393061626365646631323334353637383930616263656466\",\"signature\":\"31323334353637383930616263656466313233343536373839306162636564663132333435363738393061626365646631323334353637383930616263656466\",\"version\":2}",
|
||||
string(b),
|
||||
)
|
||||
}
|
||||
|
||||
func TestCertificateV2_VerifyPrivateKey(t *testing.T) {
|
||||
ca, _, caKey, _ := NewTestCaCert(Version2, Curve_CURVE25519, time.Time{}, time.Time{}, nil, nil, nil)
|
||||
err := ca.VerifyPrivateKey(Curve_CURVE25519, caKey)
|
||||
assert.Nil(t, err)
|
||||
|
||||
err = ca.VerifyPrivateKey(Curve_CURVE25519, caKey[:16])
|
||||
assert.ErrorIs(t, err, ErrInvalidPrivateKey)
|
||||
|
||||
_, caKey2, err := ed25519.GenerateKey(rand.Reader)
|
||||
require.Nil(t, err)
|
||||
err = ca.VerifyPrivateKey(Curve_CURVE25519, caKey2)
|
||||
assert.ErrorIs(t, err, ErrPublicPrivateKeyMismatch)
|
||||
|
||||
c, _, priv, _ := NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Time{}, time.Time{}, nil, nil, nil)
|
||||
rawPriv, b, curve, err := UnmarshalPrivateKeyFromPEM(priv)
|
||||
assert.NoError(t, err)
|
||||
assert.Empty(t, b)
|
||||
assert.Equal(t, Curve_CURVE25519, curve)
|
||||
err = c.VerifyPrivateKey(Curve_CURVE25519, rawPriv)
|
||||
assert.Nil(t, err)
|
||||
|
||||
_, priv2 := X25519Keypair()
|
||||
err = c.VerifyPrivateKey(Curve_P256, priv2)
|
||||
assert.ErrorIs(t, err, ErrPublicPrivateCurveMismatch)
|
||||
|
||||
err = c.VerifyPrivateKey(Curve_CURVE25519, priv2)
|
||||
assert.ErrorIs(t, err, ErrPublicPrivateKeyMismatch)
|
||||
|
||||
err = c.VerifyPrivateKey(Curve_CURVE25519, priv2[:16])
|
||||
assert.ErrorIs(t, err, ErrInvalidPrivateKey)
|
||||
|
||||
ac, ok := c.(*certificateV2)
|
||||
require.True(t, ok)
|
||||
ac.curve = Curve(99)
|
||||
err = c.VerifyPrivateKey(Curve(99), priv2)
|
||||
assert.EqualError(t, err, "invalid curve: 99")
|
||||
|
||||
ca2, _, caKey2, _ := NewTestCaCert(Version2, Curve_P256, time.Time{}, time.Time{}, nil, nil, nil)
|
||||
err = ca.VerifyPrivateKey(Curve_CURVE25519, caKey)
|
||||
assert.Nil(t, err)
|
||||
|
||||
err = ca2.VerifyPrivateKey(Curve_P256, caKey2[:16])
|
||||
assert.ErrorIs(t, err, ErrInvalidPrivateKey)
|
||||
|
||||
c, _, priv, _ = NewTestCert(Version2, Curve_P256, ca2, caKey2, "test", time.Time{}, time.Time{}, nil, nil, nil)
|
||||
rawPriv, b, curve, err = UnmarshalPrivateKeyFromPEM(priv)
|
||||
|
||||
err = c.VerifyPrivateKey(Curve_P256, priv[:16])
|
||||
assert.ErrorIs(t, err, ErrInvalidPrivateKey)
|
||||
|
||||
err = c.VerifyPrivateKey(Curve_P256, priv)
|
||||
assert.ErrorIs(t, err, ErrInvalidPrivateKey)
|
||||
|
||||
aCa, ok := ca2.(*certificateV2)
|
||||
require.True(t, ok)
|
||||
aCa.curve = Curve(99)
|
||||
err = aCa.VerifyPrivateKey(Curve(99), priv2)
|
||||
assert.EqualError(t, err, "invalid curve: 99")
|
||||
|
||||
}
|
||||
|
||||
func TestCertificateV2_VerifyPrivateKeyP256(t *testing.T) {
|
||||
ca, _, caKey, _ := NewTestCaCert(Version2, Curve_P256, time.Time{}, time.Time{}, nil, nil, nil)
|
||||
err := ca.VerifyPrivateKey(Curve_P256, caKey)
|
||||
assert.Nil(t, err)
|
||||
|
||||
_, _, caKey2, _ := NewTestCaCert(Version2, Curve_P256, time.Time{}, time.Time{}, nil, nil, nil)
|
||||
assert.Nil(t, err)
|
||||
err = ca.VerifyPrivateKey(Curve_P256, caKey2)
|
||||
assert.NotNil(t, err)
|
||||
|
||||
c, _, priv, _ := NewTestCert(Version2, Curve_P256, ca, caKey, "test", time.Time{}, time.Time{}, nil, nil, nil)
|
||||
rawPriv, b, curve, err := UnmarshalPrivateKeyFromPEM(priv)
|
||||
assert.NoError(t, err)
|
||||
assert.Empty(t, b)
|
||||
assert.Equal(t, Curve_P256, curve)
|
||||
err = c.VerifyPrivateKey(Curve_P256, rawPriv)
|
||||
assert.Nil(t, err)
|
||||
|
||||
_, priv2 := P256Keypair()
|
||||
err = c.VerifyPrivateKey(Curve_P256, priv2)
|
||||
assert.NotNil(t, err)
|
||||
}
|
||||
|
||||
func TestCertificateV2_Copy(t *testing.T) {
|
||||
ca, _, caKey, _ := NewTestCaCert(Version2, Curve_CURVE25519, time.Now(), time.Now().Add(10*time.Minute), nil, nil, nil)
|
||||
c, _, _, _ := NewTestCert(Version2, Curve_CURVE25519, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, nil, nil)
|
||||
cc := c.Copy()
|
||||
test.AssertDeepCopyEqual(t, c, cc)
|
||||
}
|
||||
|
||||
func TestUnmarshalCertificateV2(t *testing.T) {
|
||||
data := []byte("\x98\x00\x00")
|
||||
_, err := unmarshalCertificateV2(data, nil, Curve_CURVE25519)
|
||||
assert.EqualError(t, err, "bad wire format")
|
||||
}
|
||||
|
||||
func TestCertificateV2_marshalForSigningStability(t *testing.T) {
|
||||
before := time.Date(1996, time.May, 5, 0, 0, 0, 0, time.UTC)
|
||||
after := before.Add(time.Second * 60).Round(time.Second)
|
||||
pubKey := []byte("1234567890abcedfghij1234567890ab")
|
||||
|
||||
nc := certificateV2{
|
||||
details: detailsV2{
|
||||
name: "testing",
|
||||
networks: []netip.Prefix{
|
||||
mustParsePrefixUnmapped("10.1.1.2/16"),
|
||||
mustParsePrefixUnmapped("10.1.1.1/24"),
|
||||
},
|
||||
unsafeNetworks: []netip.Prefix{
|
||||
mustParsePrefixUnmapped("9.1.1.3/16"),
|
||||
mustParsePrefixUnmapped("9.1.1.2/24"),
|
||||
},
|
||||
groups: []string{"test-group1", "test-group2", "test-group3"},
|
||||
notBefore: before,
|
||||
notAfter: after,
|
||||
isCA: false,
|
||||
issuer: "1234567890abcdef1234567890abcdef",
|
||||
},
|
||||
signature: []byte("1234567890abcdef1234567890abcdef"),
|
||||
publicKey: pubKey,
|
||||
}
|
||||
|
||||
const expectedRawDetailsStr = "a070800774657374696e67a10e04050a0101021004050a01010118a20e0405090101031004050901010218a3270c0b746573742d67726f7570310c0b746573742d67726f7570320c0b746573742d67726f7570338504318bef808604318befbc87101234567890abcdef1234567890abcdef"
|
||||
expectedRawDetails, err := hex.DecodeString(expectedRawDetailsStr)
|
||||
require.NoError(t, err)
|
||||
|
||||
db, err := nc.details.Marshal()
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, expectedRawDetails, db)
|
||||
|
||||
expectedForSigning, err := hex.DecodeString(expectedRawDetailsStr + "00313233343536373839306162636564666768696a313233343536373839306162")
|
||||
b, err := nc.marshalForSigning()
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, expectedForSigning, b)
|
||||
}
|
||||
@@ -2,21 +2,24 @@ package cert
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
)
|
||||
|
||||
var (
|
||||
ErrBadFormat = errors.New("bad wire format")
|
||||
ErrRootExpired = errors.New("root certificate is expired")
|
||||
ErrExpired = errors.New("certificate is expired")
|
||||
ErrNotCA = errors.New("certificate is not a CA")
|
||||
ErrNotSelfSigned = errors.New("certificate is not self-signed")
|
||||
ErrBlockListed = errors.New("certificate is in the block list")
|
||||
ErrFingerprintMismatch = errors.New("certificate fingerprint did not match")
|
||||
ErrSignatureMismatch = errors.New("certificate signature did not match")
|
||||
ErrInvalidPublicKeyLength = errors.New("invalid public key length")
|
||||
ErrInvalidPrivateKeyLength = errors.New("invalid private key length")
|
||||
|
||||
ErrPrivateKeyEncrypted = errors.New("private key must be decrypted")
|
||||
ErrBadFormat = errors.New("bad wire format")
|
||||
ErrRootExpired = errors.New("root certificate is expired")
|
||||
ErrExpired = errors.New("certificate is expired")
|
||||
ErrNotCA = errors.New("certificate is not a CA")
|
||||
ErrNotSelfSigned = errors.New("certificate is not self-signed")
|
||||
ErrBlockListed = errors.New("certificate is in the block list")
|
||||
ErrFingerprintMismatch = errors.New("certificate fingerprint did not match")
|
||||
ErrSignatureMismatch = errors.New("certificate signature did not match")
|
||||
ErrInvalidPublicKey = errors.New("invalid public key")
|
||||
ErrInvalidPrivateKey = errors.New("invalid private key")
|
||||
ErrPublicPrivateCurveMismatch = errors.New("public key does not match private key curve")
|
||||
ErrPublicPrivateKeyMismatch = errors.New("public key and private key are not a pair")
|
||||
ErrPrivateKeyEncrypted = errors.New("private key must be decrypted")
|
||||
ErrCaNotFound = errors.New("could not find ca for the certificate")
|
||||
|
||||
ErrInvalidPEMBlock = errors.New("input did not contain a valid PEM encoded block")
|
||||
ErrInvalidPEMCertificateBanner = errors.New("bytes did not contain a proper certificate banner")
|
||||
@@ -24,4 +27,23 @@ var (
|
||||
ErrInvalidPEMX25519PrivateKeyBanner = errors.New("bytes did not contain a proper X25519 private key banner")
|
||||
ErrInvalidPEMEd25519PublicKeyBanner = errors.New("bytes did not contain a proper Ed25519 public key banner")
|
||||
ErrInvalidPEMEd25519PrivateKeyBanner = errors.New("bytes did not contain a proper Ed25519 private key banner")
|
||||
|
||||
ErrNoPeerStaticKey = errors.New("no peer static key was present")
|
||||
ErrNoPayload = errors.New("provided payload was empty")
|
||||
|
||||
ErrMissingDetails = errors.New("certificate did not contain details")
|
||||
ErrEmptySignature = errors.New("empty signature")
|
||||
ErrEmptyRawDetails = errors.New("empty rawDetails not allowed")
|
||||
)
|
||||
|
||||
type ErrInvalidCertificateProperties struct {
|
||||
str string
|
||||
}
|
||||
|
||||
func NewErrInvalidCertificateProperties(format string, a ...any) error {
|
||||
return &ErrInvalidCertificateProperties{fmt.Sprintf(format, a...)}
|
||||
}
|
||||
|
||||
func (e *ErrInvalidCertificateProperties) Error() string {
|
||||
return e.str
|
||||
}
|
||||
|
||||
141
cert/helper_test.go
Normal file
141
cert/helper_test.go
Normal file
@@ -0,0 +1,141 @@
|
||||
package cert
|
||||
|
||||
import (
|
||||
"crypto/ecdh"
|
||||
"crypto/ecdsa"
|
||||
"crypto/elliptic"
|
||||
"crypto/rand"
|
||||
"io"
|
||||
"net/netip"
|
||||
"time"
|
||||
|
||||
"golang.org/x/crypto/curve25519"
|
||||
"golang.org/x/crypto/ed25519"
|
||||
)
|
||||
|
||||
// NewTestCaCert will create a new ca certificate
|
||||
func NewTestCaCert(version Version, curve Curve, before, after time.Time, networks, unsafeNetworks []netip.Prefix, groups []string) (Certificate, []byte, []byte, []byte) {
|
||||
var err error
|
||||
var pub, priv []byte
|
||||
|
||||
switch curve {
|
||||
case Curve_CURVE25519:
|
||||
pub, priv, err = ed25519.GenerateKey(rand.Reader)
|
||||
case Curve_P256:
|
||||
privk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
pub = elliptic.Marshal(elliptic.P256(), privk.PublicKey.X, privk.PublicKey.Y)
|
||||
priv = privk.D.FillBytes(make([]byte, 32))
|
||||
default:
|
||||
// There is no default to allow the underlying lib to respond with an error
|
||||
}
|
||||
|
||||
if before.IsZero() {
|
||||
before = time.Now().Add(time.Second * -60).Round(time.Second)
|
||||
}
|
||||
if after.IsZero() {
|
||||
after = time.Now().Add(time.Second * 60).Round(time.Second)
|
||||
}
|
||||
|
||||
t := &TBSCertificate{
|
||||
Curve: curve,
|
||||
Version: version,
|
||||
Name: "test ca",
|
||||
NotBefore: time.Unix(before.Unix(), 0),
|
||||
NotAfter: time.Unix(after.Unix(), 0),
|
||||
PublicKey: pub,
|
||||
Networks: networks,
|
||||
UnsafeNetworks: unsafeNetworks,
|
||||
Groups: groups,
|
||||
IsCA: true,
|
||||
}
|
||||
|
||||
c, err := t.Sign(nil, curve, priv)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
pem, err := c.MarshalPEM()
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
return c, pub, priv, pem
|
||||
}
|
||||
|
||||
// NewTestCert will generate a signed certificate with the provided details.
|
||||
// Expiry times are defaulted if you do not pass them in
|
||||
func NewTestCert(v Version, curve Curve, ca Certificate, key []byte, name string, before, after time.Time, networks, unsafeNetworks []netip.Prefix, groups []string) (Certificate, []byte, []byte, []byte) {
|
||||
if before.IsZero() {
|
||||
before = time.Now().Add(time.Second * -60).Round(time.Second)
|
||||
}
|
||||
|
||||
if after.IsZero() {
|
||||
after = time.Now().Add(time.Second * 60).Round(time.Second)
|
||||
}
|
||||
|
||||
if len(networks) == 0 {
|
||||
networks = []netip.Prefix{netip.MustParsePrefix("10.0.0.123/8")}
|
||||
}
|
||||
|
||||
var pub, priv []byte
|
||||
switch curve {
|
||||
case Curve_CURVE25519:
|
||||
pub, priv = X25519Keypair()
|
||||
case Curve_P256:
|
||||
pub, priv = P256Keypair()
|
||||
default:
|
||||
panic("unknown curve")
|
||||
}
|
||||
|
||||
nc := &TBSCertificate{
|
||||
Version: v,
|
||||
Curve: curve,
|
||||
Name: name,
|
||||
Networks: networks,
|
||||
UnsafeNetworks: unsafeNetworks,
|
||||
Groups: groups,
|
||||
NotBefore: time.Unix(before.Unix(), 0),
|
||||
NotAfter: time.Unix(after.Unix(), 0),
|
||||
PublicKey: pub,
|
||||
IsCA: false,
|
||||
}
|
||||
|
||||
c, err := nc.Sign(ca, ca.Curve(), key)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
pem, err := c.MarshalPEM()
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
return c, pub, MarshalPrivateKeyToPEM(curve, priv), pem
|
||||
}
|
||||
|
||||
func X25519Keypair() ([]byte, []byte) {
|
||||
privkey := make([]byte, 32)
|
||||
if _, err := io.ReadFull(rand.Reader, privkey); err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
pubkey, err := curve25519.X25519(privkey, curve25519.Basepoint)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
return pubkey, privkey
|
||||
}
|
||||
|
||||
func P256Keypair() ([]byte, []byte) {
|
||||
privkey, err := ecdh.P256().GenerateKey(rand.Reader)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
pubkey := privkey.PublicKey()
|
||||
return pubkey.Bytes(), privkey.Bytes()
|
||||
}
|
||||
20
cert/pem.go
20
cert/pem.go
@@ -30,19 +30,25 @@ func UnmarshalCertificateFromPEM(b []byte) (Certificate, []byte, error) {
|
||||
return nil, r, ErrInvalidPEMBlock
|
||||
}
|
||||
|
||||
var c Certificate
|
||||
var err error
|
||||
|
||||
switch p.Type {
|
||||
// Implementations must validate the resulting certificate contains valid information
|
||||
case CertificateBanner:
|
||||
c, err := unmarshalCertificateV1(p.Bytes, true)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
return c, r, nil
|
||||
c, err = unmarshalCertificateV1(p.Bytes, nil)
|
||||
case CertificateV2Banner:
|
||||
//TODO
|
||||
panic("TODO")
|
||||
c, err = unmarshalCertificateV2(p.Bytes, nil, Curve_CURVE25519)
|
||||
default:
|
||||
return nil, r, ErrInvalidPEMCertificateBanner
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
return nil, r, err
|
||||
}
|
||||
|
||||
return c, r, nil
|
||||
|
||||
}
|
||||
|
||||
func MarshalPublicKeyToPEM(curve Curve, b []byte) []byte {
|
||||
|
||||
119
cert/sign.go
119
cert/sign.go
@@ -1,11 +1,15 @@
|
||||
package cert
|
||||
|
||||
import (
|
||||
"crypto/ecdsa"
|
||||
"crypto/ed25519"
|
||||
"crypto/elliptic"
|
||||
"crypto/rand"
|
||||
"crypto/sha256"
|
||||
"fmt"
|
||||
"math/big"
|
||||
"net/netip"
|
||||
"time"
|
||||
|
||||
"github.com/slackhq/nebula/pkclient"
|
||||
)
|
||||
|
||||
// TBSCertificate represents a certificate intended to be signed.
|
||||
@@ -24,28 +28,61 @@ type TBSCertificate struct {
|
||||
issuer string
|
||||
}
|
||||
|
||||
type beingSignedCertificate interface {
|
||||
// fromTBSCertificate copies the values from the TBSCertificate to this versions internal representation
|
||||
// Implementations must validate the resulting certificate contains valid information
|
||||
fromTBSCertificate(*TBSCertificate) error
|
||||
|
||||
// marshalForSigning returns the bytes that should be signed
|
||||
marshalForSigning() ([]byte, error)
|
||||
|
||||
// setSignature sets the signature for the certificate that has just been signed. The signature must not be blank.
|
||||
setSignature([]byte) error
|
||||
}
|
||||
|
||||
type SignerLambda func(certBytes []byte) ([]byte, error)
|
||||
|
||||
// Sign will create a sealed certificate using details provided by the TBSCertificate as long as those
|
||||
// details do not violate constraints of the signing certificate.
|
||||
// If the TBSCertificate is a CA then signer must be nil.
|
||||
func (t *TBSCertificate) Sign(signer Certificate, curve Curve, key []byte) (Certificate, error) {
|
||||
return t.sign(signer, curve, key, nil)
|
||||
}
|
||||
|
||||
func (t *TBSCertificate) SignPkcs11(signer Certificate, curve Curve, client *pkclient.PKClient) (Certificate, error) {
|
||||
if curve != Curve_P256 {
|
||||
return nil, fmt.Errorf("only P256 is supported by PKCS#11")
|
||||
switch t.Curve {
|
||||
case Curve_CURVE25519:
|
||||
pk := ed25519.PrivateKey(key)
|
||||
sp := func(certBytes []byte) ([]byte, error) {
|
||||
sig := ed25519.Sign(pk, certBytes)
|
||||
return sig, nil
|
||||
}
|
||||
return t.SignWith(signer, curve, sp)
|
||||
case Curve_P256:
|
||||
pk := &ecdsa.PrivateKey{
|
||||
PublicKey: ecdsa.PublicKey{
|
||||
Curve: elliptic.P256(),
|
||||
},
|
||||
// ref: https://github.com/golang/go/blob/go1.19/src/crypto/x509/sec1.go#L95
|
||||
D: new(big.Int).SetBytes(key),
|
||||
}
|
||||
// ref: https://github.com/golang/go/blob/go1.19/src/crypto/x509/sec1.go#L119
|
||||
pk.X, pk.Y = pk.Curve.ScalarBaseMult(key)
|
||||
sp := func(certBytes []byte) ([]byte, error) {
|
||||
// We need to hash first for ECDSA
|
||||
// - https://pkg.go.dev/crypto/ecdsa#SignASN1
|
||||
hashed := sha256.Sum256(certBytes)
|
||||
return ecdsa.SignASN1(rand.Reader, pk, hashed[:])
|
||||
}
|
||||
return t.SignWith(signer, curve, sp)
|
||||
default:
|
||||
return nil, fmt.Errorf("invalid curve: %s", t.Curve)
|
||||
}
|
||||
|
||||
return t.sign(signer, curve, nil, client)
|
||||
}
|
||||
|
||||
func (t *TBSCertificate) sign(signer Certificate, curve Curve, key []byte, client *pkclient.PKClient) (Certificate, error) {
|
||||
// SignWith does the same thing as sign, but uses the function in `sp` to calculate the signature.
|
||||
// You should only use SignWith if you do not have direct access to your private key.
|
||||
func (t *TBSCertificate) SignWith(signer Certificate, curve Curve, sp SignerLambda) (Certificate, error) {
|
||||
if curve != t.Curve {
|
||||
return nil, fmt.Errorf("curve in cert and private key supplied don't match")
|
||||
}
|
||||
|
||||
//TODO: make sure we have all minimum properties to sign, like a public key
|
||||
|
||||
if signer != nil {
|
||||
if t.IsCA {
|
||||
return nil, fmt.Errorf("can not sign a CA certificate with another")
|
||||
@@ -67,10 +104,64 @@ func (t *TBSCertificate) sign(signer Certificate, curve Curve, key []byte, clien
|
||||
}
|
||||
}
|
||||
|
||||
var c beingSignedCertificate
|
||||
switch t.Version {
|
||||
case Version1:
|
||||
return signV1(t, curve, key, client)
|
||||
c = &certificateV1{}
|
||||
err := c.fromTBSCertificate(t)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
case Version2:
|
||||
c = &certificateV2{}
|
||||
err := c.fromTBSCertificate(t)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
default:
|
||||
return nil, fmt.Errorf("unknown cert version %d", t.Version)
|
||||
}
|
||||
|
||||
certBytes, err := c.marshalForSigning()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
sig, err := sp(certBytes)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
err = c.setSignature(sig)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
sc, ok := c.(Certificate)
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("invalid certificate")
|
||||
}
|
||||
|
||||
return sc, nil
|
||||
}
|
||||
|
||||
func comparePrefix(a, b netip.Prefix) int {
|
||||
addr := a.Addr().Compare(b.Addr())
|
||||
if addr == 0 {
|
||||
return a.Bits() - b.Bits()
|
||||
}
|
||||
return addr
|
||||
}
|
||||
|
||||
// findDuplicatePrefix returns an error if there is a duplicate prefix in the pre-sorted input slice sortedPrefixes
|
||||
func findDuplicatePrefix(sortedPrefixes []netip.Prefix) error {
|
||||
if len(sortedPrefixes) < 2 {
|
||||
return nil
|
||||
}
|
||||
for i := 1; i < len(sortedPrefixes); i++ {
|
||||
if comparePrefix(sortedPrefixes[i], sortedPrefixes[i-1]) == 0 {
|
||||
return NewErrInvalidCertificateProperties("duplicate network detected: %v", sortedPrefixes[i])
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
90
cert/sign_test.go
Normal file
90
cert/sign_test.go
Normal file
@@ -0,0 +1,90 @@
|
||||
package cert
|
||||
|
||||
import (
|
||||
"crypto/ecdsa"
|
||||
"crypto/ed25519"
|
||||
"crypto/elliptic"
|
||||
"crypto/rand"
|
||||
"net/netip"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
func TestCertificateV1_Sign(t *testing.T) {
|
||||
before := time.Now().Add(time.Second * -60).Round(time.Second)
|
||||
after := time.Now().Add(time.Second * 60).Round(time.Second)
|
||||
pubKey := []byte("1234567890abcedfghij1234567890ab")
|
||||
|
||||
tbs := TBSCertificate{
|
||||
Version: Version1,
|
||||
Name: "testing",
|
||||
Networks: []netip.Prefix{
|
||||
mustParsePrefixUnmapped("10.1.1.1/24"),
|
||||
mustParsePrefixUnmapped("10.1.1.2/16"),
|
||||
},
|
||||
UnsafeNetworks: []netip.Prefix{
|
||||
mustParsePrefixUnmapped("9.1.1.2/24"),
|
||||
mustParsePrefixUnmapped("9.1.1.3/24"),
|
||||
},
|
||||
Groups: []string{"test-group1", "test-group2", "test-group3"},
|
||||
NotBefore: before,
|
||||
NotAfter: after,
|
||||
PublicKey: pubKey,
|
||||
IsCA: false,
|
||||
}
|
||||
|
||||
pub, priv, err := ed25519.GenerateKey(rand.Reader)
|
||||
c, err := tbs.Sign(&certificateV1{details: detailsV1{notBefore: before, notAfter: after}}, Curve_CURVE25519, priv)
|
||||
assert.Nil(t, err)
|
||||
assert.NotNil(t, c)
|
||||
assert.True(t, c.CheckSignature(pub))
|
||||
|
||||
b, err := c.Marshal()
|
||||
assert.Nil(t, err)
|
||||
uc, err := unmarshalCertificateV1(b, nil)
|
||||
assert.Nil(t, err)
|
||||
assert.NotNil(t, uc)
|
||||
}
|
||||
|
||||
func TestCertificateV1_SignP256(t *testing.T) {
|
||||
before := time.Now().Add(time.Second * -60).Round(time.Second)
|
||||
after := time.Now().Add(time.Second * 60).Round(time.Second)
|
||||
pubKey := []byte("01234567890abcedfghij1234567890ab1234567890abcedfghij1234567890ab")
|
||||
|
||||
tbs := TBSCertificate{
|
||||
Version: Version1,
|
||||
Name: "testing",
|
||||
Networks: []netip.Prefix{
|
||||
mustParsePrefixUnmapped("10.1.1.1/24"),
|
||||
mustParsePrefixUnmapped("10.1.1.2/16"),
|
||||
},
|
||||
UnsafeNetworks: []netip.Prefix{
|
||||
mustParsePrefixUnmapped("9.1.1.2/24"),
|
||||
mustParsePrefixUnmapped("9.1.1.3/16"),
|
||||
},
|
||||
Groups: []string{"test-group1", "test-group2", "test-group3"},
|
||||
NotBefore: before,
|
||||
NotAfter: after,
|
||||
PublicKey: pubKey,
|
||||
IsCA: false,
|
||||
Curve: Curve_P256,
|
||||
}
|
||||
|
||||
priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||||
assert.NoError(t, err)
|
||||
pub := elliptic.Marshal(elliptic.P256(), priv.PublicKey.X, priv.PublicKey.Y)
|
||||
rawPriv := priv.D.FillBytes(make([]byte, 32))
|
||||
|
||||
c, err := tbs.Sign(&certificateV1{details: detailsV1{notBefore: before, notAfter: after}}, Curve_P256, rawPriv)
|
||||
assert.Nil(t, err)
|
||||
assert.NotNil(t, c)
|
||||
assert.True(t, c.CheckSignature(pub))
|
||||
|
||||
b, err := c.Marshal()
|
||||
assert.Nil(t, err)
|
||||
uc, err := unmarshalCertificateV1(b, nil)
|
||||
assert.Nil(t, err)
|
||||
assert.NotNil(t, uc)
|
||||
}
|
||||
Reference in New Issue
Block a user