Handle certificates with multiple Basic Constraints extensions
This commit is contained in:
Andrew Ayer
parent
65ed742477
commit
a072440db8
|
|
@ -114,8 +114,8 @@ type CertInfo struct {
|
|||
SerialNumberParseError error
|
||||
Validity *CertValidity
|
||||
ValidityParseError error
|
||||
Constraints *BasicConstraints
|
||||
ConstraintsParseError error
|
||||
IsCA *bool
|
||||
IsCAParseError error
|
||||
}
|
||||
|
||||
func MakeCertInfoFromTBS (tbs *TBSCertificate) *CertInfo {
|
||||
|
|
@ -127,7 +127,7 @@ func MakeCertInfoFromTBS (tbs *TBSCertificate) *CertInfo {
|
|||
info.Issuer, info.IssuerParseError = tbs.ParseIssuer()
|
||||
info.SerialNumber, info.SerialNumberParseError = tbs.ParseSerialNumber()
|
||||
info.Validity, info.ValidityParseError = tbs.ParseValidity()
|
||||
info.Constraints, info.ConstraintsParseError = tbs.ParseBasicConstraints()
|
||||
info.IsCA, info.IsCAParseError = tbs.ParseBasicConstraints()
|
||||
|
||||
return info
|
||||
}
|
||||
|
|
@ -256,7 +256,7 @@ func (info *EntryInfo) HasParseErrors () bool {
|
|||
info.CertInfo.IssuerParseError != nil ||
|
||||
info.CertInfo.SerialNumberParseError != nil ||
|
||||
info.CertInfo.ValidityParseError != nil ||
|
||||
info.CertInfo.ConstraintsParseError != nil
|
||||
info.CertInfo.IsCAParseError != nil
|
||||
}
|
||||
|
||||
func (info *EntryInfo) Fingerprint () string {
|
||||
|
|
|
|||
44
x509.go
44
x509.go
|
|
@ -29,7 +29,7 @@ type CertValidity struct {
|
|||
NotAfter time.Time
|
||||
}
|
||||
|
||||
type BasicConstraints struct {
|
||||
type basicConstraints struct {
|
||||
IsCA bool `asn1:"optional"`
|
||||
MaxPathLen int `asn1:"optional,default:-1"`
|
||||
}
|
||||
|
|
@ -164,21 +164,39 @@ func (tbs *TBSCertificate) ParseValidity () (*CertValidity, error) {
|
|||
return &validity, nil
|
||||
}
|
||||
|
||||
func (tbs *TBSCertificate) ParseBasicConstraints () (*BasicConstraints, error) {
|
||||
constraintExts := tbs.GetExtension(oidExtensionBasicConstraints)
|
||||
if len(constraintExts) == 0 {
|
||||
return nil, nil
|
||||
} else if len(constraintExts) > 1 {
|
||||
return nil, fmt.Errorf("Certificate has more than one Basic Constraints extension")
|
||||
func (tbs *TBSCertificate) ParseBasicConstraints () (*bool, error) {
|
||||
isCA := false
|
||||
isNotCA := false
|
||||
|
||||
// Some certs in the wild have multiple BasicConstraints extensions (is there anything
|
||||
// that CAs haven't screwed up???), so we process all of them and only choke if they
|
||||
// are contradictory (which has not been observed...yet).
|
||||
for _, ext := range tbs.GetExtension(oidExtensionBasicConstraints) {
|
||||
var constraints basicConstraints
|
||||
if rest, err := asn1.Unmarshal(ext.Value, &constraints); err != nil {
|
||||
return nil, errors.New("failed to parse Basic Constraints: " + err.Error())
|
||||
} else if len(rest) > 0 {
|
||||
return nil, fmt.Errorf("trailing data after Basic Constraints: %v", rest)
|
||||
}
|
||||
|
||||
if constraints.IsCA {
|
||||
isCA = true
|
||||
} else {
|
||||
isNotCA = true
|
||||
}
|
||||
}
|
||||
|
||||
var constraints BasicConstraints
|
||||
if rest, err := asn1.Unmarshal(constraintExts[0].Value, &constraints); err != nil {
|
||||
return nil, errors.New("failed to parse Basic Constraints: " + err.Error())
|
||||
} else if len(rest) > 0 {
|
||||
return nil, fmt.Errorf("trailing data after Basic Constraints: %v", rest)
|
||||
if !isCA && !isNotCA {
|
||||
return nil, nil
|
||||
} else if isCA && !isNotCA {
|
||||
trueValue := true
|
||||
return &trueValue, nil
|
||||
} else if !isCA && isNotCA {
|
||||
falseValue := false
|
||||
return &falseValue, nil
|
||||
} else {
|
||||
return nil, fmt.Errorf("Certificate has more than one Basic Constraints extension and they are contradictory")
|
||||
}
|
||||
return &constraints, nil
|
||||
}
|
||||
|
||||
func (tbs *TBSCertificate) ParseSerialNumber () (*big.Int, error) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue