1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
|
// This file is dual licensed under the terms of the Apache License, Version
// 2.0, and the BSD License. See the LICENSE file in the root of this repository
// for complete details.
#![forbid(unsafe_code)]
#![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)]
#![allow(unknown_lints, clippy::result_large_err)]
pub mod certificate;
pub mod ops;
pub mod policy;
pub mod trust_store;
pub mod types;
use std::vec;
use cryptography_x509::extensions::{DuplicateExtensionsError, Extensions};
use cryptography_x509::{
extensions::{NameConstraints, SubjectAlternativeName},
name::GeneralName,
oid::{NAME_CONSTRAINTS_OID, SUBJECT_ALTERNATIVE_NAME_OID},
};
use types::{RFC822Constraint, RFC822Name};
use crate::certificate::cert_is_self_issued;
use crate::ops::{CryptoOps, VerificationCertificate};
use crate::policy::Policy;
use crate::trust_store::Store;
use crate::types::DNSName;
use crate::types::{DNSConstraint, IPAddress, IPConstraint};
use crate::ApplyNameConstraintStatus::{Applied, Skipped};
#[derive(Debug)]
pub enum ValidationError {
CandidatesExhausted(Box<ValidationError>),
Malformed(asn1::ParseError),
DuplicateExtension(DuplicateExtensionsError),
FatalError(&'static str),
Other(String),
}
struct Budget {
name_constraint_checks: usize,
}
impl Budget {
// Same limit as other validators
const DEFAULT_NAME_CONSTRAINT_CHECK_LIMIT: usize = 1 << 20;
fn new() -> Budget {
Budget {
name_constraint_checks: Self::DEFAULT_NAME_CONSTRAINT_CHECK_LIMIT,
}
}
fn name_constraint_check(&mut self) -> Result<(), ValidationError> {
self.name_constraint_checks =
self.name_constraint_checks
.checked_sub(1)
.ok_or(ValidationError::FatalError(
"Exceeded maximum name constraint check limit",
))?;
Ok(())
}
}
impl From<asn1::ParseError> for ValidationError {
fn from(value: asn1::ParseError) -> Self {
Self::Malformed(value)
}
}
impl From<DuplicateExtensionsError> for ValidationError {
fn from(value: DuplicateExtensionsError) -> Self {
Self::DuplicateExtension(value)
}
}
struct NameChain<'a, 'chain> {
child: Option<&'a NameChain<'a, 'chain>>,
sans: SubjectAlternativeName<'chain>,
}
impl<'a, 'chain> NameChain<'a, 'chain> {
fn new(
child: Option<&'a NameChain<'a, 'chain>>,
extensions: &Extensions<'chain>,
self_issued_intermediate: bool,
) -> Result<Self, ValidationError> {
let sans = match (
self_issued_intermediate,
extensions.get_extension(&SUBJECT_ALTERNATIVE_NAME_OID),
) {
(false, Some(sans)) => sans.value::<SubjectAlternativeName<'chain>>()?,
// TODO: there really ought to be a better way to express an empty
// `asn1::SequenceOf`.
_ => asn1::parse_single(b"\x30\x00")?,
};
Ok(Self { child, sans })
}
fn evaluate_single_constraint(
&self,
constraint: &GeneralName<'chain>,
san: &GeneralName<'chain>,
budget: &mut Budget,
) -> Result<ApplyNameConstraintStatus, ValidationError> {
budget.name_constraint_check()?;
match (constraint, san) {
(GeneralName::DNSName(pattern), GeneralName::DNSName(name)) => {
match (DNSConstraint::new(pattern.0), DNSName::new(name.0)) {
(Some(pattern), Some(name)) => Ok(Applied(pattern.matches(&name))),
(_, None) => Err(ValidationError::Other(format!(
"unsatisfiable DNS name constraint: malformed SAN {}",
name.0
))),
(None, _) => Err(ValidationError::Other(format!(
"malformed DNS name constraint: {}",
pattern.0
))),
}
}
(GeneralName::IPAddress(pattern), GeneralName::IPAddress(name)) => {
match (
IPConstraint::from_bytes(pattern),
IPAddress::from_bytes(name),
) {
(Some(pattern), Some(name)) => Ok(Applied(pattern.matches(&name))),
(_, None) => Err(ValidationError::Other(format!(
"unsatisfiable IP name constraint: malformed SAN {:?}",
name,
))),
(None, _) => Err(ValidationError::Other(format!(
"malformed IP name constraints: {:?}",
pattern
))),
}
}
(GeneralName::RFC822Name(pattern), GeneralName::RFC822Name(name)) => {
match (RFC822Constraint::new(pattern.0), RFC822Name::new(name.0)) {
(Some(pattern), Some(name)) => Ok(Applied(pattern.matches(&name))),
(_, None) => Err(ValidationError::Other(format!(
"unsatisfiable RFC822 name constraint: malformed SAN {:?}",
name.0,
))),
(None, _) => Err(ValidationError::Other(format!(
"malformed RFC822 name constraints: {:?}",
pattern.0
))),
}
}
// All other matching pairs of (constraint, name) are currently unsupported.
(GeneralName::OtherName(_), GeneralName::OtherName(_))
| (GeneralName::X400Address(_), GeneralName::X400Address(_))
| (GeneralName::DirectoryName(_), GeneralName::DirectoryName(_))
| (GeneralName::EDIPartyName(_), GeneralName::EDIPartyName(_))
| (
GeneralName::UniformResourceIdentifier(_),
GeneralName::UniformResourceIdentifier(_),
)
| (GeneralName::RegisteredID(_), GeneralName::RegisteredID(_)) => Err(
ValidationError::Other("unsupported name constraint".to_string()),
),
_ => Ok(Skipped),
}
}
fn evaluate_constraints(
&self,
constraints: &NameConstraints<'chain>,
budget: &mut Budget,
) -> Result<(), ValidationError> {
if let Some(child) = self.child {
child.evaluate_constraints(constraints, budget)?;
}
for san in self.sans.clone() {
// If there are no applicable constraints, the SAN is considered valid so the default is true.
let mut permit = true;
if let Some(permitted_subtrees) = &constraints.permitted_subtrees {
for p in permitted_subtrees.unwrap_read().clone() {
let status = self.evaluate_single_constraint(&p.base, &san, budget)?;
if status.is_applied() {
permit = status.is_match();
if permit {
break;
}
}
}
}
if !permit {
return Err(ValidationError::Other(
"no permitted name constraints matched SAN".into(),
));
}
if let Some(excluded_subtrees) = &constraints.excluded_subtrees {
for e in excluded_subtrees.unwrap_read().clone() {
let status = self.evaluate_single_constraint(&e.base, &san, budget)?;
if status.is_match() {
return Err(ValidationError::Other(
"excluded name constraint matched SAN".into(),
));
}
}
}
}
Ok(())
}
}
pub type Chain<'a, 'c, B> = Vec<&'a VerificationCertificate<'c, B>>;
pub fn verify<'a, 'chain: 'a, B: CryptoOps>(
leaf: &'a VerificationCertificate<'chain, B>,
intermediates: &'a [&'a VerificationCertificate<'chain, B>],
policy: &'a Policy<'_, B>,
store: &'a Store<'chain, B>,
) -> Result<Chain<'a, 'chain, B>, ValidationError> {
let builder = ChainBuilder::new(intermediates, policy, store);
let mut budget = Budget::new();
builder.build_chain(leaf, &mut budget)
}
struct ChainBuilder<'a, 'chain, B: CryptoOps> {
intermediates: &'a [&'a VerificationCertificate<'chain, B>],
policy: &'a Policy<'a, B>,
store: &'a Store<'chain, B>,
}
// When applying a name constraint, we need to distinguish between a few different scenarios:
// * `Applied(true)`: The name constraint is the same type as the SAN and matches.
// * `Applied(false)`: The name constraint is the same type as the SAN and does not match.
// * `Skipped`: The name constraint is a different type to the SAN.
enum ApplyNameConstraintStatus {
Applied(bool),
Skipped,
}
impl ApplyNameConstraintStatus {
fn is_applied(&self) -> bool {
matches!(self, Applied(_))
}
fn is_match(&self) -> bool {
matches!(self, Applied(true))
}
}
impl<'a, 'chain: 'a, B: CryptoOps> ChainBuilder<'a, 'chain, B> {
fn new(
intermediates: &'a [&'a VerificationCertificate<'chain, B>],
policy: &'a Policy<'a, B>,
store: &'a Store<'chain, B>,
) -> Self {
Self {
intermediates,
policy,
store,
}
}
fn potential_issuers(
&self,
cert: &'a VerificationCertificate<'chain, B>,
) -> impl Iterator<Item = &'a VerificationCertificate<'chain, B>> + '_ {
// TODO: Optimizations:
// * Search by AKI and other identifiers?
self.store
.get_by_subject(&cert.certificate().tbs_cert.issuer)
.iter()
.chain(self.intermediates.iter().copied().filter(|&candidate| {
candidate.certificate().subject() == cert.certificate().issuer()
}))
}
fn build_chain_inner(
&self,
working_cert: &'a VerificationCertificate<'chain, B>,
current_depth: u8,
working_cert_extensions: &Extensions<'chain>,
name_chain: NameChain<'_, 'chain>,
budget: &mut Budget,
) -> Result<Chain<'a, 'chain, B>, ValidationError> {
if let Some(nc) = working_cert_extensions.get_extension(&NAME_CONSTRAINTS_OID) {
name_chain.evaluate_constraints(&nc.value()?, budget)?;
}
// Look in the store's root set to see if the working cert is listed.
// If it is, we've reached the end.
if self.store.contains(working_cert) {
return Ok(vec![working_cert]);
}
// Check that our current depth does not exceed our policy-configured
// max depth. We do this after the root set check, since the depth
// only measures the intermediate chain's length, not the root or leaf.
if current_depth > self.policy.max_chain_depth {
return Err(ValidationError::Other(
"chain construction exceeds max depth".into(),
));
}
// Otherwise, we collect a list of potential issuers for this cert,
// and continue with the first that verifies.
let mut last_err: Option<ValidationError> = None;
for issuing_cert_candidate in self.potential_issuers(working_cert) {
// A candidate issuer is said to verify if it both
// signs for the working certificate and conforms to the
// policy.
let issuer_extensions = issuing_cert_candidate.certificate().extensions()?;
match self.policy.valid_issuer(
issuing_cert_candidate,
working_cert.certificate(),
current_depth,
&issuer_extensions,
) {
Ok(_) => {
match self.build_chain_inner(
issuing_cert_candidate,
// NOTE(ww): According to RFC 5280, we should only
// increase the chain depth when the certificate is **not**
// self-issued. In practice however, implementations widely
// ignore this requirement, and unconditionally increment
// the depth with every chain member. We choose to do the same;
// see `pathlen::self-issued-certs-pathlen` from x509-limbo
// for the testcase we intentionally fail.
//
// Implementation note for someone looking to change this in the future:
// care should be taken to avoid infinite recursion with self-signed
// certificates in the intermediate set; changing this behavior will
// also require a "is not self-signed" check on intermediate candidates.
//
// See https://gist.github.com/woodruffw/776153088e0df3fc2f0675c5e835f7b8
// for an example of this change.
current_depth.checked_add(1).ok_or_else(|| {
ValidationError::Other(
"current depth calculation overflowed".to_string(),
)
})?,
&issuer_extensions,
NameChain::new(
Some(&name_chain),
&issuer_extensions,
// Per RFC 5280 4.2.1.10: Name constraints are not applied
// to subjects in self-issued certificates, *unless* the
// certificate is the "final" (i.e., leaf) certificate in the path.
// We accomplish this by only collecting the SANs when the issuing
// candidate (which is a non-leaf by definition) isn't self-issued.
cert_is_self_issued(issuing_cert_candidate.certificate()),
)?,
budget,
) {
Ok(mut chain) => {
chain.push(working_cert);
return Ok(chain);
}
// Immediately return on fatal error.
Err(e @ ValidationError::FatalError(..)) => return Err(e),
Err(e) => last_err = Some(e),
};
}
Err(e) => last_err = Some(e),
};
}
// We only reach this if we fail to hit our base case above, or if
// a chain building step fails to find a next valid certificate.
Err(ValidationError::CandidatesExhausted(last_err.map_or_else(
|| {
Box::new(ValidationError::Other(
"all candidates exhausted with no interior errors".to_string(),
))
},
|e| match e {
// Avoid spamming the user with nested `CandidatesExhausted` errors.
ValidationError::CandidatesExhausted(e) => e,
_ => Box::new(e),
},
)))
}
fn build_chain(
&self,
leaf: &'a VerificationCertificate<'chain, B>,
budget: &mut Budget,
) -> Result<Chain<'a, 'chain, B>, ValidationError> {
// Before anything else, check whether the given leaf cert
// is well-formed according to our policy (and its underlying
// certificate profile).
//
// The leaf must be an EE; a CA cert in the leaf position will be rejected.
let leaf_extensions = leaf.certificate().extensions()?;
self.policy
.permits_ee(leaf.certificate(), &leaf_extensions)?;
let mut chain = self.build_chain_inner(
leaf,
0,
&leaf_extensions,
NameChain::new(None, &leaf_extensions, false)?,
budget,
)?;
// We build the chain in reverse order, fix it now.
chain.reverse();
Ok(chain)
}
}
|
