Support root IP assertions in cert.Verify
This commit is contained in:
Nate Brown
69
cert/cert.go
69
cert/cert.go
@ -271,7 +271,25 @@ func (nc *NebulaCertificate) Verify(t time.Time, ncp *NebulaCAPool) (bool, error
|
||||
if len(signer.Details.InvertedGroups) > 0 {
|
||||
for _, g := range nc.Details.Groups {
|
||||
if _, ok := signer.Details.InvertedGroups[g]; !ok {
|
||||
return false, fmt.Errorf("certificate contained a group not present on the signing ca; %s", g)
|
||||
return false, fmt.Errorf("certificate contained a group not present on the signing ca: %s", g)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// If the signer has a limited set of ip ranges to issue from make sure the cert only contains a subset
|
||||
if len(signer.Details.Ips) > 0 {
|
||||
for _, ip := range nc.Details.Ips {
|
||||
if !netMatch(ip, signer.Details.Ips) {
|
||||
return false, fmt.Errorf("certificate contained an ip assignment outside the limitations of the signing ca: %s", ip.String())
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// If the signer has a limited set of subnet ranges to issue from make sure the cert only contains a subset
|
||||
if len(signer.Details.Subnets) > 0 {
|
||||
for _, subnet := range nc.Details.Subnets {
|
||||
if !netMatch(subnet, signer.Details.Subnets) {
|
||||
return false, fmt.Errorf("certificate contained a subnet assignment outside the limitations of the signing ca: %s", subnet)
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -431,6 +449,55 @@ func (nc *NebulaCertificate) MarshalJSON() ([]byte, error) {
|
||||
return json.Marshal(jc)
|
||||
}
|
||||
|
||||
func netMatch(certIp *net.IPNet, rootIps []*net.IPNet) bool {
|
||||
for _, net := range rootIps {
|
||||
if net.Contains(certIp.IP) && maskContains(net.Mask, certIp.Mask) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
func maskContains(caMask, certMask net.IPMask) bool {
|
||||
caM := maskTo4(caMask)
|
||||
cM := maskTo4(certMask)
|
||||
// Make sure forcing to ipv4 didn't nuke us
|
||||
if caM == nil || cM == nil {
|
||||
return false
|
||||
}
|
||||
|
||||
// Make sure the cert mask is not greater than the ca mask
|
||||
for i := 0; i < len(caMask); i++ {
|
||||
if caM[i] > cM[i] {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
func maskTo4(ip net.IPMask) net.IPMask {
|
||||
if len(ip) == net.IPv4len {
|
||||
return ip
|
||||
}
|
||||
|
||||
if len(ip) == net.IPv6len && isZeros(ip[0:10]) && ip[10] == 0xff && ip[11] == 0xff {
|
||||
return ip[12:16]
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func isZeros(b []byte) bool {
|
||||
for i := 0; i < len(b); i++ {
|
||||
if b[i] != 0 {
|
||||
return false
|
||||
}
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
func ip2int(ip []byte) uint32 {
|
||||
if len(ip) == 16 {
|
||||
return binary.BigEndian.Uint32(ip[12:16])
|
||||
|
||||
Reference in New Issue
Block a user