From 98d92ee4cfe33ac93f691fc62866bc86e40e3cdd Mon Sep 17 00:00:00 2001 From: Nate Brown Date: Tue, 17 Dec 2019 17:06:13 -0800 Subject: [PATCH 1/3] Support root IP assertions in cert.Verify --- cert/cert.go | 69 ++++++++++++++++- cert/cert_test.go | 184 ++++++++++++++++++++++++++++++++++++++++------ 2 files changed, 230 insertions(+), 23 deletions(-) diff --git a/cert/cert.go b/cert/cert.go index 492f183..ccde8e3 100644 --- a/cert/cert.go +++ b/cert/cert.go @@ -271,7 +271,25 @@ func (nc *NebulaCertificate) Verify(t time.Time, ncp *NebulaCAPool) (bool, error if len(signer.Details.InvertedGroups) > 0 { for _, g := range nc.Details.Groups { if _, ok := signer.Details.InvertedGroups[g]; !ok { - return false, fmt.Errorf("certificate contained a group not present on the signing ca; %s", g) + return false, fmt.Errorf("certificate contained a group not present on the signing ca: %s", g) + } + } + } + + // If the signer has a limited set of ip ranges to issue from make sure the cert only contains a subset + if len(signer.Details.Ips) > 0 { + for _, ip := range nc.Details.Ips { + if !netMatch(ip, signer.Details.Ips) { + return false, fmt.Errorf("certificate contained an ip assignment outside the limitations of the signing ca: %s", ip.String()) + } + } + } + + // If the signer has a limited set of subnet ranges to issue from make sure the cert only contains a subset + if len(signer.Details.Subnets) > 0 { + for _, subnet := range nc.Details.Subnets { + if !netMatch(subnet, signer.Details.Subnets) { + return false, fmt.Errorf("certificate contained a subnet assignment outside the limitations of the signing ca: %s", subnet) } } } @@ -431,6 +449,55 @@ func (nc *NebulaCertificate) MarshalJSON() ([]byte, error) { return json.Marshal(jc) } +func netMatch(certIp *net.IPNet, rootIps []*net.IPNet) bool { + for _, net := range rootIps { + if net.Contains(certIp.IP) && maskContains(net.Mask, certIp.Mask) { + return true + } + } + + return false +} + +func maskContains(caMask, certMask net.IPMask) bool { + caM := maskTo4(caMask) + cM := maskTo4(certMask) + // Make sure forcing to ipv4 didn't nuke us + if caM == nil || cM == nil { + return false + } + + // Make sure the cert mask is not greater than the ca mask + for i := 0; i < len(caMask); i++ { + if caM[i] > cM[i] { + return false + } + } + + return true +} + +func maskTo4(ip net.IPMask) net.IPMask { + if len(ip) == net.IPv4len { + return ip + } + + if len(ip) == net.IPv6len && isZeros(ip[0:10]) && ip[10] == 0xff && ip[11] == 0xff { + return ip[12:16] + } + + return nil +} + +func isZeros(b []byte) bool { + for i := 0; i < len(b); i++ { + if b[i] != 0 { + return false + } + } + return true +} + func ip2int(ip []byte) uint32 { if len(ip) == 16 { return binary.BigEndian.Uint32(ip[12:16]) diff --git a/cert/cert_test.go b/cert/cert_test.go index a864bbe..48d0685 100644 --- a/cert/cert_test.go +++ b/cert/cert_test.go @@ -158,10 +158,10 @@ func TestNebulaCertificate_MarshalJSON(t *testing.T) { } func TestNebulaCertificate_Verify(t *testing.T) { - ca, _, caKey, err := newTestCaCert() + ca, _, caKey, err := newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), []*net.IPNet{}, []*net.IPNet{}, []string{}) assert.Nil(t, err) - c, _, _, err := newTestCert(ca, caKey) + c, _, _, err := newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{}, []*net.IPNet{}, []string{}) assert.Nil(t, err) h, err := ca.Sha256Sum() @@ -186,13 +186,120 @@ func TestNebulaCertificate_Verify(t *testing.T) { v, err = c.Verify(time.Now().Add(time.Hour*1000), caPool) assert.False(t, v) assert.EqualError(t, err, "root certificate is expired") + + c, _, _, err = newTestCert(ca, caKey, time.Time{}, time.Time{}, []*net.IPNet{}, []*net.IPNet{}, []string{}) + assert.Nil(t, err) + v, err = c.Verify(time.Now().Add(time.Minute*6), caPool) + assert.False(t, v) + assert.EqualError(t, err, "certificate is expired") + + // Test group assertion + ca, _, caKey, err = newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), []*net.IPNet{}, []*net.IPNet{}, []string{"test1", "test2"}) + assert.Nil(t, err) + + caPem, err := ca.MarshalToPEM() + assert.Nil(t, err) + + caPool = NewCAPool() + caPool.AddCACertificate(caPem) + + c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{}, []*net.IPNet{}, []string{"test1", "bad"}) + assert.Nil(t, err) + v, err = c.Verify(time.Now(), caPool) + assert.False(t, v) + assert.EqualError(t, err, "certificate contained a group not present on the signing ca: bad") + + c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{}, []*net.IPNet{}, []string{"test1"}) + assert.Nil(t, err) + v, err = c.Verify(time.Now(), caPool) + assert.True(t, v) + assert.Nil(t, err) +} + +func TestNebulaCertificate_Verify_IPs(t *testing.T) { + _, caIp1, _ := net.ParseCIDR("10.0.0.0/16") + _, caIp2, _ := net.ParseCIDR("192.168.0.0/24") + ca, _, caKey, err := newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), []*net.IPNet{caIp1, caIp2}, []*net.IPNet{}, []string{"test"}) + assert.Nil(t, err) + + caPem, err := ca.MarshalToPEM() + assert.Nil(t, err) + + caPool := NewCAPool() + caPool.AddCACertificate(caPem) + + // ip is outside the network + cIp1 := &net.IPNet{IP: net.ParseIP("10.1.0.0"), Mask: []byte{255, 255, 255, 0}} + cIp2 := &net.IPNet{IP: net.ParseIP("192.168.0.1"), Mask: []byte{255, 255, 0, 0}} + c, _, _, err := newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{cIp1, cIp2}, []*net.IPNet{}, []string{"test"}) + assert.Nil(t, err) + v, err := c.Verify(time.Now(), caPool) + assert.False(t, v) + assert.EqualError(t, err, "certificate contained an ip assignment outside the limitations of the signing ca: 10.1.0.0/24") + + // ip is outside the network reversed order of above + cIp1 = &net.IPNet{IP: net.ParseIP("192.168.0.1"), Mask: []byte{255, 255, 255, 0}} + cIp2 = &net.IPNet{IP: net.ParseIP("10.1.0.0"), Mask: []byte{255, 255, 255, 0}} + c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{cIp1, cIp2}, []*net.IPNet{}, []string{"test"}) + assert.Nil(t, err) + v, err = c.Verify(time.Now(), caPool) + assert.False(t, v) + assert.EqualError(t, err, "certificate contained an ip assignment outside the limitations of the signing ca: 10.1.0.0/24") + + // ip is within the network but mask is outside + cIp1 = &net.IPNet{IP: net.ParseIP("10.0.1.0"), Mask: []byte{255, 254, 0, 0}} + cIp2 = &net.IPNet{IP: net.ParseIP("192.168.0.1"), Mask: []byte{255, 255, 255, 0}} + c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{cIp1, cIp2}, []*net.IPNet{}, []string{"test"}) + assert.Nil(t, err) + v, err = c.Verify(time.Now(), caPool) + assert.False(t, v) + assert.EqualError(t, err, "certificate contained an ip assignment outside the limitations of the signing ca: 10.0.1.0/15") + + // ip is within the network but mask is outside reversed order of above + cIp1 = &net.IPNet{IP: net.ParseIP("192.168.0.1"), Mask: []byte{255, 255, 255, 0}} + cIp2 = &net.IPNet{IP: net.ParseIP("10.0.1.0"), Mask: []byte{255, 254, 0, 0}} + c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{cIp1, cIp2}, []*net.IPNet{}, []string{"test"}) + assert.Nil(t, err) + v, err = c.Verify(time.Now(), caPool) + assert.False(t, v) + assert.EqualError(t, err, "certificate contained an ip assignment outside the limitations of the signing ca: 10.0.1.0/15") + + // ip and mask are within the network + cIp1 = &net.IPNet{IP: net.ParseIP("10.0.1.0"), Mask: []byte{255, 255, 0, 0}} + cIp2 = &net.IPNet{IP: net.ParseIP("192.168.0.1"), Mask: []byte{255, 255, 255, 128}} + c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{cIp1, cIp2}, []*net.IPNet{}, []string{"test"}) + assert.Nil(t, err) + v, err = c.Verify(time.Now(), caPool) + assert.True(t, v) + assert.Nil(t, err) + + // Exact matches + c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{caIp1, caIp2}, []*net.IPNet{}, []string{"test"}) + assert.Nil(t, err) + v, err = c.Verify(time.Now(), caPool) + assert.True(t, v) + assert.Nil(t, err) + + // Exact matches reversed + c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{caIp2, caIp1}, []*net.IPNet{}, []string{"test"}) + assert.Nil(t, err) + v, err = c.Verify(time.Now(), caPool) + assert.True(t, v) + assert.Nil(t, err) + + // Exact matches reversed with just 1 + c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{caIp1}, []*net.IPNet{}, []string{"test"}) + assert.Nil(t, err) + v, err = c.Verify(time.Now(), caPool) + assert.True(t, v) + assert.Nil(t, err) } func TestNebulaVerifyPrivateKey(t *testing.T) { - ca, _, caKey, err := newTestCaCert() + ca, _, caKey, err := newTestCaCert(time.Time{}, time.Time{}, []*net.IPNet{}, []*net.IPNet{}, []string{}) assert.Nil(t, err) - c, _, priv, err := newTestCert(ca, caKey) + c, _, priv, err := newTestCert(ca, caKey, time.Time{}, time.Time{}, []*net.IPNet{}, []*net.IPNet{}, []string{}) err = c.VerifyPrivateKey(priv) assert.Nil(t, err) @@ -301,10 +408,14 @@ func TestMarshalingNebulaCertificateConsistency(t *testing.T) { assert.Equal(t, "0a0774657374696e67121b8182845080feffff0f828284508080fcff0f8382845080fe83f80f1a1b8182844880fe83f80f8282844880feffff0f838284488080fcff0f220b746573742d67726f757031220b746573742d67726f757032220b746573742d67726f75703328f0e0e7d70430a08681c4053a20313233343536373839306162636564666768696a3132333435363738393061624a081234567890abcedf", fmt.Sprintf("%x", b)) } -func newTestCaCert() (*NebulaCertificate, []byte, []byte, error) { +func newTestCaCert(before, after time.Time, ips, subnets []*net.IPNet, groups []string) (*NebulaCertificate, []byte, []byte, error) { pub, priv, err := ed25519.GenerateKey(rand.Reader) - before := time.Now().Add(time.Second * -60).Round(time.Second) - after := time.Now().Add(time.Second * 60).Round(time.Second) + if before.IsZero() { + before = time.Now().Add(time.Second * -60).Round(time.Second) + } + if after.IsZero() { + after = time.Now().Add(time.Second * 60).Round(time.Second) + } nc := &NebulaCertificate{ Details: NebulaCertificateDetails{ @@ -316,6 +427,18 @@ func newTestCaCert() (*NebulaCertificate, []byte, []byte, error) { }, } + if len(ips) > 0 { + nc.Details.Ips = ips + } + + if len(subnets) > 0 { + nc.Details.Subnets = subnets + } + + if len(groups) > 0 { + nc.Details.Groups = groups + } + err = nc.Sign(priv) if err != nil { return nil, nil, nil, err @@ -323,30 +446,47 @@ func newTestCaCert() (*NebulaCertificate, []byte, []byte, error) { return nc, pub, priv, nil } -func newTestCert(ca *NebulaCertificate, key []byte) (*NebulaCertificate, []byte, []byte, error) { +func newTestCert(ca *NebulaCertificate, key []byte, before, after time.Time, ips, subnets []*net.IPNet, groups []string) (*NebulaCertificate, []byte, []byte, error) { issuer, err := ca.Sha256Sum() if err != nil { return nil, nil, nil, err } - before := time.Now().Add(time.Second * -60).Round(time.Second) - after := time.Now().Add(time.Second * 60).Round(time.Second) + if before.IsZero() { + before = time.Now().Add(time.Second * -60).Round(time.Second) + } + if after.IsZero() { + after = time.Now().Add(time.Second * 60).Round(time.Second) + } + + if len(groups) == 0 { + groups = []string{"test-group1", "test-group2", "test-group3"} + } + + if len(ips) == 0 { + ips = []*net.IPNet{ + {IP: net.ParseIP("10.1.1.1"), Mask: net.IPMask(net.ParseIP("255.255.255.0"))}, + {IP: net.ParseIP("10.1.1.2"), Mask: net.IPMask(net.ParseIP("255.255.0.0"))}, + {IP: net.ParseIP("10.1.1.3"), Mask: net.IPMask(net.ParseIP("255.0.255.0"))}, + } + } + + if len(subnets) == 0 { + subnets = []*net.IPNet{ + {IP: net.ParseIP("9.1.1.1"), Mask: net.IPMask(net.ParseIP("255.0.255.0"))}, + {IP: net.ParseIP("9.1.1.2"), Mask: net.IPMask(net.ParseIP("255.255.255.0"))}, + {IP: net.ParseIP("9.1.1.3"), Mask: net.IPMask(net.ParseIP("255.255.0.0"))}, + } + } + pub, rawPriv := x25519Keypair() nc := &NebulaCertificate{ Details: NebulaCertificateDetails{ - Name: "testing", - Ips: []*net.IPNet{ - {IP: net.ParseIP("10.1.1.1"), Mask: net.IPMask(net.ParseIP("255.255.255.0"))}, - {IP: net.ParseIP("10.1.1.2"), Mask: net.IPMask(net.ParseIP("255.255.0.0"))}, - {IP: net.ParseIP("10.1.1.3"), Mask: net.IPMask(net.ParseIP("255.0.255.0"))}, - }, - Subnets: []*net.IPNet{ - {IP: net.ParseIP("9.1.1.1"), Mask: net.IPMask(net.ParseIP("255.0.255.0"))}, - {IP: net.ParseIP("9.1.1.2"), Mask: net.IPMask(net.ParseIP("255.255.255.0"))}, - {IP: net.ParseIP("9.1.1.3"), Mask: net.IPMask(net.ParseIP("255.255.0.0"))}, - }, - Groups: []string{"test-group1", "test-group2", "test-group3"}, + Name: "testing", + Ips: ips, + Subnets: subnets, + Groups: groups, NotBefore: before, NotAfter: after, PublicKey: pub, From 0dc9aafa145ab61e4fd11f23d7758836e381aec5 Mon Sep 17 00:00:00 2001 From: Nate Brown Date: Tue, 17 Dec 2019 17:10:46 -0800 Subject: [PATCH 2/3] Support root subnet asserts --- cert/cert_test.go | 79 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) diff --git a/cert/cert_test.go b/cert/cert_test.go index 48d0685..50f53d1 100644 --- a/cert/cert_test.go +++ b/cert/cert_test.go @@ -295,6 +295,85 @@ func TestNebulaCertificate_Verify_IPs(t *testing.T) { assert.Nil(t, err) } +func TestNebulaCertificate_Verify_Subnets(t *testing.T) { + _, caIp1, _ := net.ParseCIDR("10.0.0.0/16") + _, caIp2, _ := net.ParseCIDR("192.168.0.0/24") + ca, _, caKey, err := newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), []*net.IPNet{}, []*net.IPNet{caIp1, caIp2}, []string{"test"}) + assert.Nil(t, err) + + caPem, err := ca.MarshalToPEM() + assert.Nil(t, err) + + caPool := NewCAPool() + caPool.AddCACertificate(caPem) + + // ip is outside the network + cIp1 := &net.IPNet{IP: net.ParseIP("10.1.0.0"), Mask: []byte{255, 255, 255, 0}} + cIp2 := &net.IPNet{IP: net.ParseIP("192.168.0.1"), Mask: []byte{255, 255, 0, 0}} + c, _, _, err := newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{}, []*net.IPNet{cIp1, cIp2}, []string{"test"}) + assert.Nil(t, err) + v, err := c.Verify(time.Now(), caPool) + assert.False(t, v) + assert.EqualError(t, err, "certificate contained a subnet assignment outside the limitations of the signing ca: 10.1.0.0/24") + + // ip is outside the network reversed order of above + cIp1 = &net.IPNet{IP: net.ParseIP("192.168.0.1"), Mask: []byte{255, 255, 255, 0}} + cIp2 = &net.IPNet{IP: net.ParseIP("10.1.0.0"), Mask: []byte{255, 255, 255, 0}} + c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{}, []*net.IPNet{cIp1, cIp2}, []string{"test"}) + assert.Nil(t, err) + v, err = c.Verify(time.Now(), caPool) + assert.False(t, v) + assert.EqualError(t, err, "certificate contained a subnet assignment outside the limitations of the signing ca: 10.1.0.0/24") + + // ip is within the network but mask is outside + cIp1 = &net.IPNet{IP: net.ParseIP("10.0.1.0"), Mask: []byte{255, 254, 0, 0}} + cIp2 = &net.IPNet{IP: net.ParseIP("192.168.0.1"), Mask: []byte{255, 255, 255, 0}} + c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{}, []*net.IPNet{cIp1, cIp2}, []string{"test"}) + assert.Nil(t, err) + v, err = c.Verify(time.Now(), caPool) + assert.False(t, v) + assert.EqualError(t, err, "certificate contained a subnet assignment outside the limitations of the signing ca: 10.0.1.0/15") + + // ip is within the network but mask is outside reversed order of above + cIp1 = &net.IPNet{IP: net.ParseIP("192.168.0.1"), Mask: []byte{255, 255, 255, 0}} + cIp2 = &net.IPNet{IP: net.ParseIP("10.0.1.0"), Mask: []byte{255, 254, 0, 0}} + c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{}, []*net.IPNet{cIp1, cIp2}, []string{"test"}) + assert.Nil(t, err) + v, err = c.Verify(time.Now(), caPool) + assert.False(t, v) + assert.EqualError(t, err, "certificate contained a subnet assignment outside the limitations of the signing ca: 10.0.1.0/15") + + // ip and mask are within the network + cIp1 = &net.IPNet{IP: net.ParseIP("10.0.1.0"), Mask: []byte{255, 255, 0, 0}} + cIp2 = &net.IPNet{IP: net.ParseIP("192.168.0.1"), Mask: []byte{255, 255, 255, 128}} + c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{}, []*net.IPNet{cIp1, cIp2}, []string{"test"}) + assert.Nil(t, err) + v, err = c.Verify(time.Now(), caPool) + assert.True(t, v) + assert.Nil(t, err) + + // Exact matches + c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{}, []*net.IPNet{caIp1, caIp2}, []string{"test"}) + assert.Nil(t, err) + v, err = c.Verify(time.Now(), caPool) + assert.True(t, v) + assert.Nil(t, err) + + // Exact matches reversed + c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{}, []*net.IPNet{caIp2, caIp1}, []string{"test"}) + assert.Nil(t, err) + v, err = c.Verify(time.Now(), caPool) + assert.True(t, v) + assert.Nil(t, err) + + // Exact matches reversed with just 1 + c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{}, []*net.IPNet{caIp1}, []string{"test"}) + assert.Nil(t, err) + v, err = c.Verify(time.Now(), caPool) + assert.True(t, v) + assert.Nil(t, err) +} + func TestNebulaVerifyPrivateKey(t *testing.T) { ca, _, caKey, err := newTestCaCert(time.Time{}, time.Time{}, []*net.IPNet{}, []*net.IPNet{}, []string{}) assert.Nil(t, err) From 328db6bb825c21afeb50cd0b56e22469770b6457 Mon Sep 17 00:00:00 2001 From: Nate Brown Date: Tue, 17 Dec 2019 17:59:21 -0800 Subject: [PATCH 3/3] Root constraint usage and support in nebula-cert --- cert/cert.go | 27 +++++++++++++++++++++---- cmd/nebula-cert/ca.go | 39 +++++++++++++++++++++++++++++++++++- cmd/nebula-cert/ca_test.go | 6 +++++- cmd/nebula-cert/sign.go | 8 ++++---- cmd/nebula-cert/sign_test.go | 2 +- 5 files changed, 71 insertions(+), 11 deletions(-) diff --git a/cert/cert.go b/cert/cert.go index ccde8e3..b868b4f 100644 --- a/cert/cert.go +++ b/cert/cert.go @@ -267,11 +267,30 @@ func (nc *NebulaCertificate) Verify(t time.Time, ncp *NebulaCAPool) (bool, error return false, fmt.Errorf("certificate signature did not match") } + if err := nc.CheckRootConstrains(signer); err != nil { + return false, err + } + + return true, nil +} + +// CheckRootConstrains returns an error if the certificate violates constraints set on the root (groups, ips, subnets) +func (nc *NebulaCertificate) CheckRootConstrains(signer *NebulaCertificate) error { + // Make sure this cert wasn't valid before the root + if signer.Details.NotAfter.Before(nc.Details.NotAfter) { + return fmt.Errorf("certificate expires after signing certificate") + } + + // Make sure this cert isn't valid after the root + if signer.Details.NotBefore.After(nc.Details.NotBefore) { + return fmt.Errorf("certificate is valid before the signing certificate") + } + // If the signer has a limited set of groups make sure the cert only contains a subset if len(signer.Details.InvertedGroups) > 0 { for _, g := range nc.Details.Groups { if _, ok := signer.Details.InvertedGroups[g]; !ok { - return false, fmt.Errorf("certificate contained a group not present on the signing ca: %s", g) + return fmt.Errorf("certificate contained a group not present on the signing ca: %s", g) } } } @@ -280,7 +299,7 @@ func (nc *NebulaCertificate) Verify(t time.Time, ncp *NebulaCAPool) (bool, error if len(signer.Details.Ips) > 0 { for _, ip := range nc.Details.Ips { if !netMatch(ip, signer.Details.Ips) { - return false, fmt.Errorf("certificate contained an ip assignment outside the limitations of the signing ca: %s", ip.String()) + return fmt.Errorf("certificate contained an ip assignment outside the limitations of the signing ca: %s", ip.String()) } } } @@ -289,12 +308,12 @@ func (nc *NebulaCertificate) Verify(t time.Time, ncp *NebulaCAPool) (bool, error if len(signer.Details.Subnets) > 0 { for _, subnet := range nc.Details.Subnets { if !netMatch(subnet, signer.Details.Subnets) { - return false, fmt.Errorf("certificate contained a subnet assignment outside the limitations of the signing ca: %s", subnet) + return fmt.Errorf("certificate contained a subnet assignment outside the limitations of the signing ca: %s", subnet) } } } - return true, nil + return nil } // VerifyPrivateKey checks that the public key in the Nebula certificate and a supplied private key match diff --git a/cmd/nebula-cert/ca.go b/cmd/nebula-cert/ca.go index 2a1486e..00a9661 100644 --- a/cmd/nebula-cert/ca.go +++ b/cmd/nebula-cert/ca.go @@ -6,6 +6,7 @@ import ( "fmt" "io" "io/ioutil" + "net" "os" "strings" "time" @@ -21,6 +22,8 @@ type caFlags struct { outKeyPath *string outCertPath *string groups *string + ips *string + subnets *string } func newCaFlags() *caFlags { @@ -31,6 +34,8 @@ func newCaFlags() *caFlags { cf.outKeyPath = cf.set.String("out-key", "ca.key", "Optional: path to write the private key to") cf.outCertPath = cf.set.String("out-crt", "ca.crt", "Optional: path to write the certificate to") cf.groups = cf.set.String("groups", "", "Optional: comma separated list of groups. This will limit which groups subordinate certs can use") + cf.ips = cf.set.String("ips", "", "Optional: comma separated list of ip and network in CIDR notation. This will limit which ip addresses and networks subordinate certs can use") + cf.subnets = cf.set.String("subnets", "", "Optional: comma separated list of ip and network in CIDR notation. This will limit which subnet addresses and networks subordinate certs can use") return &cf } @@ -55,7 +60,7 @@ func ca(args []string, out io.Writer, errOut io.Writer) error { return &helpError{"-duration must be greater than 0"} } - groups := []string{} + var groups []string if *cf.groups != "" { for _, rg := range strings.Split(*cf.groups, ",") { g := strings.TrimSpace(rg) @@ -65,6 +70,36 @@ func ca(args []string, out io.Writer, errOut io.Writer) error { } } + var ips []*net.IPNet + if *cf.ips != "" { + for _, rs := range strings.Split(*cf.ips, ",") { + rs := strings.Trim(rs, " ") + if rs != "" { + ip, ipNet, err := net.ParseCIDR(rs) + if err != nil { + return newHelpErrorf("invalid ip definition: %s", err) + } + + ipNet.IP = ip + ips = append(ips, ipNet) + } + } + } + + var subnets []*net.IPNet + if *cf.subnets != "" { + for _, rs := range strings.Split(*cf.subnets, ",") { + rs := strings.Trim(rs, " ") + if rs != "" { + _, s, err := net.ParseCIDR(rs) + if err != nil { + return newHelpErrorf("invalid subnet definition: %s", err) + } + subnets = append(subnets, s) + } + } + } + pub, rawPriv, err := ed25519.GenerateKey(rand.Reader) if err != nil { return fmt.Errorf("error while generating ed25519 keys: %s", err) @@ -74,6 +109,8 @@ func ca(args []string, out io.Writer, errOut io.Writer) error { Details: cert.NebulaCertificateDetails{ Name: *cf.name, Groups: groups, + Ips: ips, + Subnets: subnets, NotBefore: time.Now(), NotAfter: time.Now().Add(*cf.duration), PublicKey: pub, diff --git a/cmd/nebula-cert/ca_test.go b/cmd/nebula-cert/ca_test.go index 6eb1e91..70bc74a 100644 --- a/cmd/nebula-cert/ca_test.go +++ b/cmd/nebula-cert/ca_test.go @@ -29,12 +29,16 @@ func Test_caHelp(t *testing.T) { " \tOptional: amount of time the certificate should be valid for. Valid time units are seconds: \"s\", minutes: \"m\", hours: \"h\" (default 8760h0m0s)\n"+ " -groups string\n"+ " \tOptional: comma separated list of groups. This will limit which groups subordinate certs can use\n"+ + " -ips string\n"+ + " \tOptional: comma separated list of ip and network in CIDR notation. This will limit which ip addresses and networks subordinate certs can use\n"+ " -name string\n"+ " \tRequired: name of the certificate authority\n"+ " -out-crt string\n"+ " \tOptional: path to write the certificate to (default \"ca.crt\")\n"+ " -out-key string\n"+ - " \tOptional: path to write the private key to (default \"ca.key\")\n", + " \tOptional: path to write the private key to (default \"ca.key\")\n"+ + " -subnets string\n"+ + " \tOptional: comma separated list of ip and network in CIDR notation. This will limit which subnet addresses and networks subordinate certs can use\n", ob.String(), ) } diff --git a/cmd/nebula-cert/sign.go b/cmd/nebula-cert/sign.go index 200fe13..759065e 100644 --- a/cmd/nebula-cert/sign.go +++ b/cmd/nebula-cert/sign.go @@ -103,10 +103,6 @@ func signCert(args []string, out io.Writer, errOut io.Writer) error { *sf.duration = time.Until(caCert.Details.NotAfter) - time.Second*1 } - if caCert.Details.NotAfter.Before(time.Now().Add(*sf.duration)) { - return fmt.Errorf("refusing to generate certificate with duration beyond root expiration: %s", caCert.Details.NotAfter) - } - ip, ipNet, err := net.ParseCIDR(*sf.ip) if err != nil { return newHelpErrorf("invalid ip definition: %s", err) @@ -165,6 +161,10 @@ func signCert(args []string, out io.Writer, errOut io.Writer) error { }, } + if err := nc.CheckRootConstrains(caCert); err != nil { + return fmt.Errorf("refusing to sign, root certificate constraints violated: %s", err) + } + if *sf.outKeyPath == "" { *sf.outKeyPath = *sf.name + ".key" } diff --git a/cmd/nebula-cert/sign_test.go b/cmd/nebula-cert/sign_test.go index f8bf457..355dc6b 100644 --- a/cmd/nebula-cert/sign_test.go +++ b/cmd/nebula-cert/sign_test.go @@ -253,7 +253,7 @@ func Test_signCert(t *testing.T) { ob.Reset() eb.Reset() args = []string{"-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", crtF.Name(), "-out-key", keyF.Name(), "-duration", "1000m", "-subnets", "10.1.1.1/32, , 10.2.2.2/32 , , ,, 10.5.5.5/32", "-groups", "1,, 2 , ,,,3,4,5"} - assert.EqualError(t, signCert(args, ob, eb), "refusing to generate certificate with duration beyond root expiration: "+ca.Details.NotAfter.Format("2006-01-02 15:04:05 +0000 UTC")) + assert.EqualError(t, signCert(args, ob, eb), "refusing to sign, root certificate constraints violated: certificate expires after signing certificate") assert.Empty(t, ob.String()) assert.Empty(t, eb.String())