Merge pull request #107 from slackhq/ca-ip
Support extra root assertions in `cert.Verify`
This commit is contained in:
commit
8e6b72516b
90
cert/cert.go
90
cert/cert.go
|
@ -267,16 +267,53 @@ func (nc *NebulaCertificate) Verify(t time.Time, ncp *NebulaCAPool) (bool, error
|
||||||
return false, fmt.Errorf("certificate signature did not match")
|
return false, fmt.Errorf("certificate signature did not match")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if err := nc.CheckRootConstrains(signer); err != nil {
|
||||||
|
return false, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return true, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// CheckRootConstrains returns an error if the certificate violates constraints set on the root (groups, ips, subnets)
|
||||||
|
func (nc *NebulaCertificate) CheckRootConstrains(signer *NebulaCertificate) error {
|
||||||
|
// Make sure this cert wasn't valid before the root
|
||||||
|
if signer.Details.NotAfter.Before(nc.Details.NotAfter) {
|
||||||
|
return fmt.Errorf("certificate expires after signing certificate")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Make sure this cert isn't valid after the root
|
||||||
|
if signer.Details.NotBefore.After(nc.Details.NotBefore) {
|
||||||
|
return fmt.Errorf("certificate is valid before the signing certificate")
|
||||||
|
}
|
||||||
|
|
||||||
// If the signer has a limited set of groups make sure the cert only contains a subset
|
// If the signer has a limited set of groups make sure the cert only contains a subset
|
||||||
if len(signer.Details.InvertedGroups) > 0 {
|
if len(signer.Details.InvertedGroups) > 0 {
|
||||||
for _, g := range nc.Details.Groups {
|
for _, g := range nc.Details.Groups {
|
||||||
if _, ok := signer.Details.InvertedGroups[g]; !ok {
|
if _, ok := signer.Details.InvertedGroups[g]; !ok {
|
||||||
return false, fmt.Errorf("certificate contained a group not present on the signing ca; %s", g)
|
return fmt.Errorf("certificate contained a group not present on the signing ca: %s", g)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return true, nil
|
// If the signer has a limited set of ip ranges to issue from make sure the cert only contains a subset
|
||||||
|
if len(signer.Details.Ips) > 0 {
|
||||||
|
for _, ip := range nc.Details.Ips {
|
||||||
|
if !netMatch(ip, signer.Details.Ips) {
|
||||||
|
return fmt.Errorf("certificate contained an ip assignment outside the limitations of the signing ca: %s", ip.String())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// If the signer has a limited set of subnet ranges to issue from make sure the cert only contains a subset
|
||||||
|
if len(signer.Details.Subnets) > 0 {
|
||||||
|
for _, subnet := range nc.Details.Subnets {
|
||||||
|
if !netMatch(subnet, signer.Details.Subnets) {
|
||||||
|
return fmt.Errorf("certificate contained a subnet assignment outside the limitations of the signing ca: %s", subnet)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// VerifyPrivateKey checks that the public key in the Nebula certificate and a supplied private key match
|
// VerifyPrivateKey checks that the public key in the Nebula certificate and a supplied private key match
|
||||||
|
@ -431,6 +468,55 @@ func (nc *NebulaCertificate) MarshalJSON() ([]byte, error) {
|
||||||
return json.Marshal(jc)
|
return json.Marshal(jc)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func netMatch(certIp *net.IPNet, rootIps []*net.IPNet) bool {
|
||||||
|
for _, net := range rootIps {
|
||||||
|
if net.Contains(certIp.IP) && maskContains(net.Mask, certIp.Mask) {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
func maskContains(caMask, certMask net.IPMask) bool {
|
||||||
|
caM := maskTo4(caMask)
|
||||||
|
cM := maskTo4(certMask)
|
||||||
|
// Make sure forcing to ipv4 didn't nuke us
|
||||||
|
if caM == nil || cM == nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
// Make sure the cert mask is not greater than the ca mask
|
||||||
|
for i := 0; i < len(caMask); i++ {
|
||||||
|
if caM[i] > cM[i] {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
|
func maskTo4(ip net.IPMask) net.IPMask {
|
||||||
|
if len(ip) == net.IPv4len {
|
||||||
|
return ip
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(ip) == net.IPv6len && isZeros(ip[0:10]) && ip[10] == 0xff && ip[11] == 0xff {
|
||||||
|
return ip[12:16]
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func isZeros(b []byte) bool {
|
||||||
|
for i := 0; i < len(b); i++ {
|
||||||
|
if b[i] != 0 {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
func ip2int(ip []byte) uint32 {
|
func ip2int(ip []byte) uint32 {
|
||||||
if len(ip) == 16 {
|
if len(ip) == 16 {
|
||||||
return binary.BigEndian.Uint32(ip[12:16])
|
return binary.BigEndian.Uint32(ip[12:16])
|
||||||
|
|
|
@ -158,10 +158,10 @@ func TestNebulaCertificate_MarshalJSON(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestNebulaCertificate_Verify(t *testing.T) {
|
func TestNebulaCertificate_Verify(t *testing.T) {
|
||||||
ca, _, caKey, err := newTestCaCert()
|
ca, _, caKey, err := newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), []*net.IPNet{}, []*net.IPNet{}, []string{})
|
||||||
assert.Nil(t, err)
|
assert.Nil(t, err)
|
||||||
|
|
||||||
c, _, _, err := newTestCert(ca, caKey)
|
c, _, _, err := newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{}, []*net.IPNet{}, []string{})
|
||||||
assert.Nil(t, err)
|
assert.Nil(t, err)
|
||||||
|
|
||||||
h, err := ca.Sha256Sum()
|
h, err := ca.Sha256Sum()
|
||||||
|
@ -186,13 +186,199 @@ func TestNebulaCertificate_Verify(t *testing.T) {
|
||||||
v, err = c.Verify(time.Now().Add(time.Hour*1000), caPool)
|
v, err = c.Verify(time.Now().Add(time.Hour*1000), caPool)
|
||||||
assert.False(t, v)
|
assert.False(t, v)
|
||||||
assert.EqualError(t, err, "root certificate is expired")
|
assert.EqualError(t, err, "root certificate is expired")
|
||||||
|
|
||||||
|
c, _, _, err = newTestCert(ca, caKey, time.Time{}, time.Time{}, []*net.IPNet{}, []*net.IPNet{}, []string{})
|
||||||
|
assert.Nil(t, err)
|
||||||
|
v, err = c.Verify(time.Now().Add(time.Minute*6), caPool)
|
||||||
|
assert.False(t, v)
|
||||||
|
assert.EqualError(t, err, "certificate is expired")
|
||||||
|
|
||||||
|
// Test group assertion
|
||||||
|
ca, _, caKey, err = newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), []*net.IPNet{}, []*net.IPNet{}, []string{"test1", "test2"})
|
||||||
|
assert.Nil(t, err)
|
||||||
|
|
||||||
|
caPem, err := ca.MarshalToPEM()
|
||||||
|
assert.Nil(t, err)
|
||||||
|
|
||||||
|
caPool = NewCAPool()
|
||||||
|
caPool.AddCACertificate(caPem)
|
||||||
|
|
||||||
|
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{}, []*net.IPNet{}, []string{"test1", "bad"})
|
||||||
|
assert.Nil(t, err)
|
||||||
|
v, err = c.Verify(time.Now(), caPool)
|
||||||
|
assert.False(t, v)
|
||||||
|
assert.EqualError(t, err, "certificate contained a group not present on the signing ca: bad")
|
||||||
|
|
||||||
|
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{}, []*net.IPNet{}, []string{"test1"})
|
||||||
|
assert.Nil(t, err)
|
||||||
|
v, err = c.Verify(time.Now(), caPool)
|
||||||
|
assert.True(t, v)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestNebulaCertificate_Verify_IPs(t *testing.T) {
|
||||||
|
_, caIp1, _ := net.ParseCIDR("10.0.0.0/16")
|
||||||
|
_, caIp2, _ := net.ParseCIDR("192.168.0.0/24")
|
||||||
|
ca, _, caKey, err := newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), []*net.IPNet{caIp1, caIp2}, []*net.IPNet{}, []string{"test"})
|
||||||
|
assert.Nil(t, err)
|
||||||
|
|
||||||
|
caPem, err := ca.MarshalToPEM()
|
||||||
|
assert.Nil(t, err)
|
||||||
|
|
||||||
|
caPool := NewCAPool()
|
||||||
|
caPool.AddCACertificate(caPem)
|
||||||
|
|
||||||
|
// ip is outside the network
|
||||||
|
cIp1 := &net.IPNet{IP: net.ParseIP("10.1.0.0"), Mask: []byte{255, 255, 255, 0}}
|
||||||
|
cIp2 := &net.IPNet{IP: net.ParseIP("192.168.0.1"), Mask: []byte{255, 255, 0, 0}}
|
||||||
|
c, _, _, err := newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{cIp1, cIp2}, []*net.IPNet{}, []string{"test"})
|
||||||
|
assert.Nil(t, err)
|
||||||
|
v, err := c.Verify(time.Now(), caPool)
|
||||||
|
assert.False(t, v)
|
||||||
|
assert.EqualError(t, err, "certificate contained an ip assignment outside the limitations of the signing ca: 10.1.0.0/24")
|
||||||
|
|
||||||
|
// ip is outside the network reversed order of above
|
||||||
|
cIp1 = &net.IPNet{IP: net.ParseIP("192.168.0.1"), Mask: []byte{255, 255, 255, 0}}
|
||||||
|
cIp2 = &net.IPNet{IP: net.ParseIP("10.1.0.0"), Mask: []byte{255, 255, 255, 0}}
|
||||||
|
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{cIp1, cIp2}, []*net.IPNet{}, []string{"test"})
|
||||||
|
assert.Nil(t, err)
|
||||||
|
v, err = c.Verify(time.Now(), caPool)
|
||||||
|
assert.False(t, v)
|
||||||
|
assert.EqualError(t, err, "certificate contained an ip assignment outside the limitations of the signing ca: 10.1.0.0/24")
|
||||||
|
|
||||||
|
// ip is within the network but mask is outside
|
||||||
|
cIp1 = &net.IPNet{IP: net.ParseIP("10.0.1.0"), Mask: []byte{255, 254, 0, 0}}
|
||||||
|
cIp2 = &net.IPNet{IP: net.ParseIP("192.168.0.1"), Mask: []byte{255, 255, 255, 0}}
|
||||||
|
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{cIp1, cIp2}, []*net.IPNet{}, []string{"test"})
|
||||||
|
assert.Nil(t, err)
|
||||||
|
v, err = c.Verify(time.Now(), caPool)
|
||||||
|
assert.False(t, v)
|
||||||
|
assert.EqualError(t, err, "certificate contained an ip assignment outside the limitations of the signing ca: 10.0.1.0/15")
|
||||||
|
|
||||||
|
// ip is within the network but mask is outside reversed order of above
|
||||||
|
cIp1 = &net.IPNet{IP: net.ParseIP("192.168.0.1"), Mask: []byte{255, 255, 255, 0}}
|
||||||
|
cIp2 = &net.IPNet{IP: net.ParseIP("10.0.1.0"), Mask: []byte{255, 254, 0, 0}}
|
||||||
|
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{cIp1, cIp2}, []*net.IPNet{}, []string{"test"})
|
||||||
|
assert.Nil(t, err)
|
||||||
|
v, err = c.Verify(time.Now(), caPool)
|
||||||
|
assert.False(t, v)
|
||||||
|
assert.EqualError(t, err, "certificate contained an ip assignment outside the limitations of the signing ca: 10.0.1.0/15")
|
||||||
|
|
||||||
|
// ip and mask are within the network
|
||||||
|
cIp1 = &net.IPNet{IP: net.ParseIP("10.0.1.0"), Mask: []byte{255, 255, 0, 0}}
|
||||||
|
cIp2 = &net.IPNet{IP: net.ParseIP("192.168.0.1"), Mask: []byte{255, 255, 255, 128}}
|
||||||
|
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{cIp1, cIp2}, []*net.IPNet{}, []string{"test"})
|
||||||
|
assert.Nil(t, err)
|
||||||
|
v, err = c.Verify(time.Now(), caPool)
|
||||||
|
assert.True(t, v)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
|
||||||
|
// Exact matches
|
||||||
|
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{caIp1, caIp2}, []*net.IPNet{}, []string{"test"})
|
||||||
|
assert.Nil(t, err)
|
||||||
|
v, err = c.Verify(time.Now(), caPool)
|
||||||
|
assert.True(t, v)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
|
||||||
|
// Exact matches reversed
|
||||||
|
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{caIp2, caIp1}, []*net.IPNet{}, []string{"test"})
|
||||||
|
assert.Nil(t, err)
|
||||||
|
v, err = c.Verify(time.Now(), caPool)
|
||||||
|
assert.True(t, v)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
|
||||||
|
// Exact matches reversed with just 1
|
||||||
|
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{caIp1}, []*net.IPNet{}, []string{"test"})
|
||||||
|
assert.Nil(t, err)
|
||||||
|
v, err = c.Verify(time.Now(), caPool)
|
||||||
|
assert.True(t, v)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestNebulaCertificate_Verify_Subnets(t *testing.T) {
|
||||||
|
_, caIp1, _ := net.ParseCIDR("10.0.0.0/16")
|
||||||
|
_, caIp2, _ := net.ParseCIDR("192.168.0.0/24")
|
||||||
|
ca, _, caKey, err := newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), []*net.IPNet{}, []*net.IPNet{caIp1, caIp2}, []string{"test"})
|
||||||
|
assert.Nil(t, err)
|
||||||
|
|
||||||
|
caPem, err := ca.MarshalToPEM()
|
||||||
|
assert.Nil(t, err)
|
||||||
|
|
||||||
|
caPool := NewCAPool()
|
||||||
|
caPool.AddCACertificate(caPem)
|
||||||
|
|
||||||
|
// ip is outside the network
|
||||||
|
cIp1 := &net.IPNet{IP: net.ParseIP("10.1.0.0"), Mask: []byte{255, 255, 255, 0}}
|
||||||
|
cIp2 := &net.IPNet{IP: net.ParseIP("192.168.0.1"), Mask: []byte{255, 255, 0, 0}}
|
||||||
|
c, _, _, err := newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{}, []*net.IPNet{cIp1, cIp2}, []string{"test"})
|
||||||
|
assert.Nil(t, err)
|
||||||
|
v, err := c.Verify(time.Now(), caPool)
|
||||||
|
assert.False(t, v)
|
||||||
|
assert.EqualError(t, err, "certificate contained a subnet assignment outside the limitations of the signing ca: 10.1.0.0/24")
|
||||||
|
|
||||||
|
// ip is outside the network reversed order of above
|
||||||
|
cIp1 = &net.IPNet{IP: net.ParseIP("192.168.0.1"), Mask: []byte{255, 255, 255, 0}}
|
||||||
|
cIp2 = &net.IPNet{IP: net.ParseIP("10.1.0.0"), Mask: []byte{255, 255, 255, 0}}
|
||||||
|
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{}, []*net.IPNet{cIp1, cIp2}, []string{"test"})
|
||||||
|
assert.Nil(t, err)
|
||||||
|
v, err = c.Verify(time.Now(), caPool)
|
||||||
|
assert.False(t, v)
|
||||||
|
assert.EqualError(t, err, "certificate contained a subnet assignment outside the limitations of the signing ca: 10.1.0.0/24")
|
||||||
|
|
||||||
|
// ip is within the network but mask is outside
|
||||||
|
cIp1 = &net.IPNet{IP: net.ParseIP("10.0.1.0"), Mask: []byte{255, 254, 0, 0}}
|
||||||
|
cIp2 = &net.IPNet{IP: net.ParseIP("192.168.0.1"), Mask: []byte{255, 255, 255, 0}}
|
||||||
|
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{}, []*net.IPNet{cIp1, cIp2}, []string{"test"})
|
||||||
|
assert.Nil(t, err)
|
||||||
|
v, err = c.Verify(time.Now(), caPool)
|
||||||
|
assert.False(t, v)
|
||||||
|
assert.EqualError(t, err, "certificate contained a subnet assignment outside the limitations of the signing ca: 10.0.1.0/15")
|
||||||
|
|
||||||
|
// ip is within the network but mask is outside reversed order of above
|
||||||
|
cIp1 = &net.IPNet{IP: net.ParseIP("192.168.0.1"), Mask: []byte{255, 255, 255, 0}}
|
||||||
|
cIp2 = &net.IPNet{IP: net.ParseIP("10.0.1.0"), Mask: []byte{255, 254, 0, 0}}
|
||||||
|
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{}, []*net.IPNet{cIp1, cIp2}, []string{"test"})
|
||||||
|
assert.Nil(t, err)
|
||||||
|
v, err = c.Verify(time.Now(), caPool)
|
||||||
|
assert.False(t, v)
|
||||||
|
assert.EqualError(t, err, "certificate contained a subnet assignment outside the limitations of the signing ca: 10.0.1.0/15")
|
||||||
|
|
||||||
|
// ip and mask are within the network
|
||||||
|
cIp1 = &net.IPNet{IP: net.ParseIP("10.0.1.0"), Mask: []byte{255, 255, 0, 0}}
|
||||||
|
cIp2 = &net.IPNet{IP: net.ParseIP("192.168.0.1"), Mask: []byte{255, 255, 255, 128}}
|
||||||
|
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{}, []*net.IPNet{cIp1, cIp2}, []string{"test"})
|
||||||
|
assert.Nil(t, err)
|
||||||
|
v, err = c.Verify(time.Now(), caPool)
|
||||||
|
assert.True(t, v)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
|
||||||
|
// Exact matches
|
||||||
|
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{}, []*net.IPNet{caIp1, caIp2}, []string{"test"})
|
||||||
|
assert.Nil(t, err)
|
||||||
|
v, err = c.Verify(time.Now(), caPool)
|
||||||
|
assert.True(t, v)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
|
||||||
|
// Exact matches reversed
|
||||||
|
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{}, []*net.IPNet{caIp2, caIp1}, []string{"test"})
|
||||||
|
assert.Nil(t, err)
|
||||||
|
v, err = c.Verify(time.Now(), caPool)
|
||||||
|
assert.True(t, v)
|
||||||
|
assert.Nil(t, err)
|
||||||
|
|
||||||
|
// Exact matches reversed with just 1
|
||||||
|
c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{}, []*net.IPNet{caIp1}, []string{"test"})
|
||||||
|
assert.Nil(t, err)
|
||||||
|
v, err = c.Verify(time.Now(), caPool)
|
||||||
|
assert.True(t, v)
|
||||||
|
assert.Nil(t, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestNebulaVerifyPrivateKey(t *testing.T) {
|
func TestNebulaVerifyPrivateKey(t *testing.T) {
|
||||||
ca, _, caKey, err := newTestCaCert()
|
ca, _, caKey, err := newTestCaCert(time.Time{}, time.Time{}, []*net.IPNet{}, []*net.IPNet{}, []string{})
|
||||||
assert.Nil(t, err)
|
assert.Nil(t, err)
|
||||||
|
|
||||||
c, _, priv, err := newTestCert(ca, caKey)
|
c, _, priv, err := newTestCert(ca, caKey, time.Time{}, time.Time{}, []*net.IPNet{}, []*net.IPNet{}, []string{})
|
||||||
err = c.VerifyPrivateKey(priv)
|
err = c.VerifyPrivateKey(priv)
|
||||||
assert.Nil(t, err)
|
assert.Nil(t, err)
|
||||||
|
|
||||||
|
@ -301,10 +487,14 @@ func TestMarshalingNebulaCertificateConsistency(t *testing.T) {
|
||||||
assert.Equal(t, "0a0774657374696e67121b8182845080feffff0f828284508080fcff0f8382845080fe83f80f1a1b8182844880fe83f80f8282844880feffff0f838284488080fcff0f220b746573742d67726f757031220b746573742d67726f757032220b746573742d67726f75703328f0e0e7d70430a08681c4053a20313233343536373839306162636564666768696a3132333435363738393061624a081234567890abcedf", fmt.Sprintf("%x", b))
|
assert.Equal(t, "0a0774657374696e67121b8182845080feffff0f828284508080fcff0f8382845080fe83f80f1a1b8182844880fe83f80f8282844880feffff0f838284488080fcff0f220b746573742d67726f757031220b746573742d67726f757032220b746573742d67726f75703328f0e0e7d70430a08681c4053a20313233343536373839306162636564666768696a3132333435363738393061624a081234567890abcedf", fmt.Sprintf("%x", b))
|
||||||
}
|
}
|
||||||
|
|
||||||
func newTestCaCert() (*NebulaCertificate, []byte, []byte, error) {
|
func newTestCaCert(before, after time.Time, ips, subnets []*net.IPNet, groups []string) (*NebulaCertificate, []byte, []byte, error) {
|
||||||
pub, priv, err := ed25519.GenerateKey(rand.Reader)
|
pub, priv, err := ed25519.GenerateKey(rand.Reader)
|
||||||
before := time.Now().Add(time.Second * -60).Round(time.Second)
|
if before.IsZero() {
|
||||||
after := time.Now().Add(time.Second * 60).Round(time.Second)
|
before = time.Now().Add(time.Second * -60).Round(time.Second)
|
||||||
|
}
|
||||||
|
if after.IsZero() {
|
||||||
|
after = time.Now().Add(time.Second * 60).Round(time.Second)
|
||||||
|
}
|
||||||
|
|
||||||
nc := &NebulaCertificate{
|
nc := &NebulaCertificate{
|
||||||
Details: NebulaCertificateDetails{
|
Details: NebulaCertificateDetails{
|
||||||
|
@ -316,6 +506,18 @@ func newTestCaCert() (*NebulaCertificate, []byte, []byte, error) {
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if len(ips) > 0 {
|
||||||
|
nc.Details.Ips = ips
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(subnets) > 0 {
|
||||||
|
nc.Details.Subnets = subnets
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(groups) > 0 {
|
||||||
|
nc.Details.Groups = groups
|
||||||
|
}
|
||||||
|
|
||||||
err = nc.Sign(priv)
|
err = nc.Sign(priv)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, nil, err
|
return nil, nil, nil, err
|
||||||
|
@ -323,30 +525,47 @@ func newTestCaCert() (*NebulaCertificate, []byte, []byte, error) {
|
||||||
return nc, pub, priv, nil
|
return nc, pub, priv, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func newTestCert(ca *NebulaCertificate, key []byte) (*NebulaCertificate, []byte, []byte, error) {
|
func newTestCert(ca *NebulaCertificate, key []byte, before, after time.Time, ips, subnets []*net.IPNet, groups []string) (*NebulaCertificate, []byte, []byte, error) {
|
||||||
issuer, err := ca.Sha256Sum()
|
issuer, err := ca.Sha256Sum()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, nil, err
|
return nil, nil, nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
before := time.Now().Add(time.Second * -60).Round(time.Second)
|
if before.IsZero() {
|
||||||
after := time.Now().Add(time.Second * 60).Round(time.Second)
|
before = time.Now().Add(time.Second * -60).Round(time.Second)
|
||||||
|
}
|
||||||
|
if after.IsZero() {
|
||||||
|
after = time.Now().Add(time.Second * 60).Round(time.Second)
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(groups) == 0 {
|
||||||
|
groups = []string{"test-group1", "test-group2", "test-group3"}
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(ips) == 0 {
|
||||||
|
ips = []*net.IPNet{
|
||||||
|
{IP: net.ParseIP("10.1.1.1"), Mask: net.IPMask(net.ParseIP("255.255.255.0"))},
|
||||||
|
{IP: net.ParseIP("10.1.1.2"), Mask: net.IPMask(net.ParseIP("255.255.0.0"))},
|
||||||
|
{IP: net.ParseIP("10.1.1.3"), Mask: net.IPMask(net.ParseIP("255.0.255.0"))},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(subnets) == 0 {
|
||||||
|
subnets = []*net.IPNet{
|
||||||
|
{IP: net.ParseIP("9.1.1.1"), Mask: net.IPMask(net.ParseIP("255.0.255.0"))},
|
||||||
|
{IP: net.ParseIP("9.1.1.2"), Mask: net.IPMask(net.ParseIP("255.255.255.0"))},
|
||||||
|
{IP: net.ParseIP("9.1.1.3"), Mask: net.IPMask(net.ParseIP("255.255.0.0"))},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
pub, rawPriv := x25519Keypair()
|
pub, rawPriv := x25519Keypair()
|
||||||
|
|
||||||
nc := &NebulaCertificate{
|
nc := &NebulaCertificate{
|
||||||
Details: NebulaCertificateDetails{
|
Details: NebulaCertificateDetails{
|
||||||
Name: "testing",
|
Name: "testing",
|
||||||
Ips: []*net.IPNet{
|
Ips: ips,
|
||||||
{IP: net.ParseIP("10.1.1.1"), Mask: net.IPMask(net.ParseIP("255.255.255.0"))},
|
Subnets: subnets,
|
||||||
{IP: net.ParseIP("10.1.1.2"), Mask: net.IPMask(net.ParseIP("255.255.0.0"))},
|
Groups: groups,
|
||||||
{IP: net.ParseIP("10.1.1.3"), Mask: net.IPMask(net.ParseIP("255.0.255.0"))},
|
|
||||||
},
|
|
||||||
Subnets: []*net.IPNet{
|
|
||||||
{IP: net.ParseIP("9.1.1.1"), Mask: net.IPMask(net.ParseIP("255.0.255.0"))},
|
|
||||||
{IP: net.ParseIP("9.1.1.2"), Mask: net.IPMask(net.ParseIP("255.255.255.0"))},
|
|
||||||
{IP: net.ParseIP("9.1.1.3"), Mask: net.IPMask(net.ParseIP("255.255.0.0"))},
|
|
||||||
},
|
|
||||||
Groups: []string{"test-group1", "test-group2", "test-group3"},
|
|
||||||
NotBefore: before,
|
NotBefore: before,
|
||||||
NotAfter: after,
|
NotAfter: after,
|
||||||
PublicKey: pub,
|
PublicKey: pub,
|
||||||
|
|
|
@ -6,6 +6,7 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
|
"net"
|
||||||
"os"
|
"os"
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
@ -21,6 +22,8 @@ type caFlags struct {
|
||||||
outKeyPath *string
|
outKeyPath *string
|
||||||
outCertPath *string
|
outCertPath *string
|
||||||
groups *string
|
groups *string
|
||||||
|
ips *string
|
||||||
|
subnets *string
|
||||||
}
|
}
|
||||||
|
|
||||||
func newCaFlags() *caFlags {
|
func newCaFlags() *caFlags {
|
||||||
|
@ -31,6 +34,8 @@ func newCaFlags() *caFlags {
|
||||||
cf.outKeyPath = cf.set.String("out-key", "ca.key", "Optional: path to write the private key to")
|
cf.outKeyPath = cf.set.String("out-key", "ca.key", "Optional: path to write the private key to")
|
||||||
cf.outCertPath = cf.set.String("out-crt", "ca.crt", "Optional: path to write the certificate to")
|
cf.outCertPath = cf.set.String("out-crt", "ca.crt", "Optional: path to write the certificate to")
|
||||||
cf.groups = cf.set.String("groups", "", "Optional: comma separated list of groups. This will limit which groups subordinate certs can use")
|
cf.groups = cf.set.String("groups", "", "Optional: comma separated list of groups. This will limit which groups subordinate certs can use")
|
||||||
|
cf.ips = cf.set.String("ips", "", "Optional: comma separated list of ip and network in CIDR notation. This will limit which ip addresses and networks subordinate certs can use")
|
||||||
|
cf.subnets = cf.set.String("subnets", "", "Optional: comma separated list of ip and network in CIDR notation. This will limit which subnet addresses and networks subordinate certs can use")
|
||||||
return &cf
|
return &cf
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -55,7 +60,7 @@ func ca(args []string, out io.Writer, errOut io.Writer) error {
|
||||||
return &helpError{"-duration must be greater than 0"}
|
return &helpError{"-duration must be greater than 0"}
|
||||||
}
|
}
|
||||||
|
|
||||||
groups := []string{}
|
var groups []string
|
||||||
if *cf.groups != "" {
|
if *cf.groups != "" {
|
||||||
for _, rg := range strings.Split(*cf.groups, ",") {
|
for _, rg := range strings.Split(*cf.groups, ",") {
|
||||||
g := strings.TrimSpace(rg)
|
g := strings.TrimSpace(rg)
|
||||||
|
@ -65,6 +70,36 @@ func ca(args []string, out io.Writer, errOut io.Writer) error {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var ips []*net.IPNet
|
||||||
|
if *cf.ips != "" {
|
||||||
|
for _, rs := range strings.Split(*cf.ips, ",") {
|
||||||
|
rs := strings.Trim(rs, " ")
|
||||||
|
if rs != "" {
|
||||||
|
ip, ipNet, err := net.ParseCIDR(rs)
|
||||||
|
if err != nil {
|
||||||
|
return newHelpErrorf("invalid ip definition: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
ipNet.IP = ip
|
||||||
|
ips = append(ips, ipNet)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
var subnets []*net.IPNet
|
||||||
|
if *cf.subnets != "" {
|
||||||
|
for _, rs := range strings.Split(*cf.subnets, ",") {
|
||||||
|
rs := strings.Trim(rs, " ")
|
||||||
|
if rs != "" {
|
||||||
|
_, s, err := net.ParseCIDR(rs)
|
||||||
|
if err != nil {
|
||||||
|
return newHelpErrorf("invalid subnet definition: %s", err)
|
||||||
|
}
|
||||||
|
subnets = append(subnets, s)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
pub, rawPriv, err := ed25519.GenerateKey(rand.Reader)
|
pub, rawPriv, err := ed25519.GenerateKey(rand.Reader)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("error while generating ed25519 keys: %s", err)
|
return fmt.Errorf("error while generating ed25519 keys: %s", err)
|
||||||
|
@ -74,6 +109,8 @@ func ca(args []string, out io.Writer, errOut io.Writer) error {
|
||||||
Details: cert.NebulaCertificateDetails{
|
Details: cert.NebulaCertificateDetails{
|
||||||
Name: *cf.name,
|
Name: *cf.name,
|
||||||
Groups: groups,
|
Groups: groups,
|
||||||
|
Ips: ips,
|
||||||
|
Subnets: subnets,
|
||||||
NotBefore: time.Now(),
|
NotBefore: time.Now(),
|
||||||
NotAfter: time.Now().Add(*cf.duration),
|
NotAfter: time.Now().Add(*cf.duration),
|
||||||
PublicKey: pub,
|
PublicKey: pub,
|
||||||
|
|
|
@ -29,12 +29,16 @@ func Test_caHelp(t *testing.T) {
|
||||||
" \tOptional: amount of time the certificate should be valid for. Valid time units are seconds: \"s\", minutes: \"m\", hours: \"h\" (default 8760h0m0s)\n"+
|
" \tOptional: amount of time the certificate should be valid for. Valid time units are seconds: \"s\", minutes: \"m\", hours: \"h\" (default 8760h0m0s)\n"+
|
||||||
" -groups string\n"+
|
" -groups string\n"+
|
||||||
" \tOptional: comma separated list of groups. This will limit which groups subordinate certs can use\n"+
|
" \tOptional: comma separated list of groups. This will limit which groups subordinate certs can use\n"+
|
||||||
|
" -ips string\n"+
|
||||||
|
" \tOptional: comma separated list of ip and network in CIDR notation. This will limit which ip addresses and networks subordinate certs can use\n"+
|
||||||
" -name string\n"+
|
" -name string\n"+
|
||||||
" \tRequired: name of the certificate authority\n"+
|
" \tRequired: name of the certificate authority\n"+
|
||||||
" -out-crt string\n"+
|
" -out-crt string\n"+
|
||||||
" \tOptional: path to write the certificate to (default \"ca.crt\")\n"+
|
" \tOptional: path to write the certificate to (default \"ca.crt\")\n"+
|
||||||
" -out-key string\n"+
|
" -out-key string\n"+
|
||||||
" \tOptional: path to write the private key to (default \"ca.key\")\n",
|
" \tOptional: path to write the private key to (default \"ca.key\")\n"+
|
||||||
|
" -subnets string\n"+
|
||||||
|
" \tOptional: comma separated list of ip and network in CIDR notation. This will limit which subnet addresses and networks subordinate certs can use\n",
|
||||||
ob.String(),
|
ob.String(),
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
|
@ -103,10 +103,6 @@ func signCert(args []string, out io.Writer, errOut io.Writer) error {
|
||||||
*sf.duration = time.Until(caCert.Details.NotAfter) - time.Second*1
|
*sf.duration = time.Until(caCert.Details.NotAfter) - time.Second*1
|
||||||
}
|
}
|
||||||
|
|
||||||
if caCert.Details.NotAfter.Before(time.Now().Add(*sf.duration)) {
|
|
||||||
return fmt.Errorf("refusing to generate certificate with duration beyond root expiration: %s", caCert.Details.NotAfter)
|
|
||||||
}
|
|
||||||
|
|
||||||
ip, ipNet, err := net.ParseCIDR(*sf.ip)
|
ip, ipNet, err := net.ParseCIDR(*sf.ip)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return newHelpErrorf("invalid ip definition: %s", err)
|
return newHelpErrorf("invalid ip definition: %s", err)
|
||||||
|
@ -165,6 +161,10 @@ func signCert(args []string, out io.Writer, errOut io.Writer) error {
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if err := nc.CheckRootConstrains(caCert); err != nil {
|
||||||
|
return fmt.Errorf("refusing to sign, root certificate constraints violated: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
if *sf.outKeyPath == "" {
|
if *sf.outKeyPath == "" {
|
||||||
*sf.outKeyPath = *sf.name + ".key"
|
*sf.outKeyPath = *sf.name + ".key"
|
||||||
}
|
}
|
||||||
|
|
|
@ -253,7 +253,7 @@ func Test_signCert(t *testing.T) {
|
||||||
ob.Reset()
|
ob.Reset()
|
||||||
eb.Reset()
|
eb.Reset()
|
||||||
args = []string{"-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", crtF.Name(), "-out-key", keyF.Name(), "-duration", "1000m", "-subnets", "10.1.1.1/32, , 10.2.2.2/32 , , ,, 10.5.5.5/32", "-groups", "1,, 2 , ,,,3,4,5"}
|
args = []string{"-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", crtF.Name(), "-out-key", keyF.Name(), "-duration", "1000m", "-subnets", "10.1.1.1/32, , 10.2.2.2/32 , , ,, 10.5.5.5/32", "-groups", "1,, 2 , ,,,3,4,5"}
|
||||||
assert.EqualError(t, signCert(args, ob, eb), "refusing to generate certificate with duration beyond root expiration: "+ca.Details.NotAfter.Format("2006-01-02 15:04:05 +0000 UTC"))
|
assert.EqualError(t, signCert(args, ob, eb), "refusing to sign, root certificate constraints violated: certificate expires after signing certificate")
|
||||||
assert.Empty(t, ob.String())
|
assert.Empty(t, ob.String())
|
||||||
assert.Empty(t, eb.String())
|
assert.Empty(t, eb.String())
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue