Add otherName detection to TestSecretDataAltNamesMatchSpec

Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
2024-01-09 14:01:09 +00:00 · 2024-01-09 14:01:09 +00:00 · 38c2b33a71
commit 38c2b33a71
parent b6fdcede90
2 changed files with 103 additions and 16 deletions
--- a/pkg/util/pki/match.go
+++ b/pkg/util/pki/match.go
@ -151,27 +151,13 @@ func RequestMatchesSpec(req *cmapi.CertificateRequest, spec cmapi.CertificateSpe
 	}

 	if spec.OtherNames != nil {
-		sanExtension, err := extractSANExtension(x509req.Extensions)
-		if err != nil {
-			violations = append(violations, "spec.otherNames")
-		}
-
-		generalNames, err := UnmarshalSANs(sanExtension.Value)
+		matched, err := matchOtherNames(x509req.Extensions, spec.OtherNames)
 		if err != nil {
 			return nil, err
 		}
-
-		CertificateRequestOtherNameSpec, err := ToOtherNameSpec(generalNames.OtherNames)
-		if err != nil {
-			// This means the CertificateRequest's otherName was not a utf8 valued
-			violations = append(violations, "spec.otherName")
-		}
-		if !util.EqualOtherNamesUnsorted(CertificateRequestOtherNameSpec, spec.OtherNames) {
-
-			// This means the oid or utf8Value did not match
+		if !matched {
 			violations = append(violations, "spec.otherNames")
 		}
-
 	}

 	if spec.LiteralSubject == "" {
@ -242,6 +228,30 @@ func RequestMatchesSpec(req *cmapi.CertificateRequest, spec cmapi.CertificateSpe
 	return violations, nil
 }

+func matchOtherNames(extension []pkix.Extension, otherNames []cmapi.OtherName) (bool, error) {
+	sanExtension, err := extractSANExtension(extension)
+	if err != nil {
+		return false, nil
+	}
+
+	generalNames, err := UnmarshalSANs(sanExtension.Value)
+	if err != nil {
+		return false, err
+	}
+
+	CertificateRequestOtherNameSpec, err := ToOtherNameSpec(generalNames.OtherNames)
+	if err != nil {
+		// This means the CertificateRequest's otherName was not a utf8 valued
+		return false, nil
+	}
+
+	if !util.EqualOtherNamesUnsorted(CertificateRequestOtherNameSpec, otherNames) {
+		return false, nil
+	}
+
+	return true, nil
+}
+
 func ToOtherNameSpec(parsedOtherName []OtherName) ([]cmapi.OtherName, error) {
 	ret := make([]cmapi.OtherName, len(parsedOtherName))
 	for index, otherName := range parsedOtherName {
@ -312,6 +322,16 @@ func SecretDataAltNamesMatchSpec(secret *corev1.Secret, spec cmapi.CertificateSp
 		violations = append(violations, "spec.emailAddresses")
 	}

+	if spec.OtherNames != nil {
+		matched, err := matchOtherNames(x509cert.Extensions, spec.OtherNames)
+		if err != nil {
+			return nil, err
+		}
+		if !matched {
+			violations = append(violations, "spec.otherNames")
+		}
+	}
+
 	return violations, nil
 }

--- a/pkg/util/pki/match_test.go
+++ b/pkg/util/pki/match_test.go
@ -346,6 +346,73 @@ func TestSecretDataAltNamesMatchSpec(t *testing.T) {
 			}),
 			violations: []string{"spec.ipAddresses"},
 		},
+		"should match if otherNames are equal": {
+			spec: cmapi.CertificateSpec{
+				OtherNames: []cmapi.OtherName{
+					{
+						OID:       "1.3.6.1.4.1.311.20.2.3",
+						UTF8Value: "upn2@testdomain.local",
+					},
+					{
+						OID:       "1.3.6.1.4.1.311.20.2.3",
+						UTF8Value: "upn@testdomain.local",
+					},
+				},
+			}, // openssl req -nodes -newkey rsa:2048 -subj "/CN=someCN" \
+			// -addext 'subjectAltName=otherName:msUPN;UTF8:upn@testdomain.local,otherName:msUPN;UTF8:upn2@testdomain.local' -x509 |
+			data: []byte(`-----BEGIN CERTIFICATE-----
+MIIDOzCCAiOgAwIBAgIUJGyXr7GsoPVGC9PkG/QR5NQ3doQwDQYJKoZIhvcNAQEL
+BQAwADAeFw0yNDAxMDkxMzQwNDZaFw0yNDAyMDgxMzQwNDZaMAAwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFVLGrwoVnLaVERh5l6/+Wc1bDrEOCrsZz
+FUYOBJNpoJmbcl6Cp3DLyqrgkzAXWusUft77DmOpMz5C/2IWtI0Ju/NBg2wCwu6U
+NcL70WTx2h1v7fN0YHdzElGcO018bPpA9QEfzoB07G+G8dqTwUMrCq6qE5vbmY3
+PywXfvCKbES4AFvQAcrm8qBOs4RPMlHp59gTAh9G3oVp1xJBoAHJr4CWbg65+ed9
+d2YbVZjZ3aNbVGGc2Qp2vr9p/pcTtb1oyioCmryQmm3fIOMef6smn/LpFhnFoHUN
+bJkBICG2JfHfygYkqukrhGFGv/UnVx7nmkeU5nooh7e0t5/cFbxzAgMBAAGjgaww
+gakwHQYDVR0OBBYEFDIkbk6FammEuY6X2HODbctYOIHTMB8GA1UdIwQYMBaAFDIk
+bk6FammEuY6X2HODbctYOIHTMA8GA1UdEwEB/wQFMAMBAf8wVgYDVR0RBE8wTaAk
+BgorBgEEAYI3FAIDoBYMFHVwbkB0ZXN0ZG9tYWluLmxvY2FsoCUGCisGAQQBgjcU
+AgOgFwwVdXBuMkB0ZXN0ZG9tYWluLmxvY2FsMA0GCSqGSIb3DQEBCwUAA4IBAQBq
+jj/eTo0ZN6rNYPFYW3Uw4nZLasf3bEQlHG7QPJLaBvg87Yrt+1kWEzDhjlIK1bWi
+ns56oLuaXIXjzF6KwkqBRLdqD/1bjPn7qX9uIhdncWs1Fi09mQMdI8Mnasx0IPOe
+kosmem3A/RnylWmbaCLON/APhAXrPPbW1abI8gXyH5104T0470PY1CvR4Q6MTbXH
+LCOnSiou3CO93H1Rnu9AWDXx5c6Fe1LO+AdaihdXLMAJN6NuMZRcXBChAo6d6/kh
+/O44u3tp/z6trRdH+D8D68nyx/xjFqq2BFCfyau9T3KmFjZacUWXQv6tTpElFUlZ
+7WkwZWxxkjzh9z529B9h
+-----END CERTIFICATE-----`),
+		},
+		"should not match if OtherNames are not equal": {
+			spec: cmapi.CertificateSpec{
+				OtherNames: []cmapi.OtherName{
+					{
+						OID:       "1.3.6.1.4.1.311.20.2.3",
+						UTF8Value: "upn@testdomain.local",
+					},
+				},
+			},
+			// generated with openssl with:  openssl req -nodes -newkey rsa:2048 -subj "/" \
+			// -addext 'subjectAltName=otherName:msUPN;UTF8:ANOTHERUPN@testdomain.local' -x509
+			data: []byte(`-----BEGIN CERTIFICATE-----
+MIIDGzCCAgOgAwIBAgIULTMrWMewcF6XSc8hM6TnL9L8NrgwDQYJKoZIhvcNAQEL
+BQAwADAeFw0yNDAxMDkxMzQyMTVaFw0yNDAyMDgxMzQyMTVaMAAwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnIvWN7Nj/+bST7R1tmxu0olvjwgfPBhCp
+/6OiPuANxZtYkQiqIx4KxnA5KErpQHzp9zlExE2FJUd5Fn83V5+we8/tXRT4mdVg
+uOhVab8KHXciW2Ia0B6zdJakYL0qy6ol6kQDUansZi+0vBVbRzJIDAJLRSHGjXRT
+BlYuZxgyOawD19vdBKDg3zz2vszQprSONM5qefnk0S3nbsIN3rPprifwjCjn+GMc
+pcVXF1UizhyGFTxX7CiTNQg2sD6eAxvNHwyPfYo0cAWVXk1Ctoy+nGWX70zYQIw5
+PI9+hagoFBy8AMhg2MgwAJV3Iay8JRnItCkE5xrh6XxMaGzBDTybAgMBAAGjgYww
+gYkwHQYDVR0OBBYEFMjP9HapmDU06sI25oFVVX7h4mziMB8GA1UdIwQYMBaAFMjP
+9HapmDU06sI25oFVVX7h4mziMA8GA1UdEwEB/wQFMAMBAf8wNgYDVR0RBC8wLaAr
+BgorBgEEAYI3FAIDoB0MG0FOT1RIRVJVUE5AdGVzdGRvbWFpbi5sb2NhbDANBgkq
+hkiG9w0BAQsFAAOCAQEAbQLZXPWqT78YmhWich59tiQ+3VStjamS/dI9qrgjo3CN
+phYWiTe5anIv1tp2MOFD0eueO+zDLtSfFWLTBq4Qce+fDZK4WEPJrj9A/77WP55R
+1IGvQVYhEAGVAiSFudp5loUx6LhcADcO45zWq/RBgWKDI4oUu744UZUJ5e68Vb/O
+43QVvRF9qkte8X7LCBr1lX1mElh1d+qD2BiTuLzkMJeDNonmBfD1JM1zCZgYXCoE
+20gLNilYVngZprTUOjjBYQMdrovC3XG2ByUTAXREyonQpmzRPKRnV+125kQooLXx
+PvQpPM/KS8XNIJZXrbaEw0feitL6Pb+8+W5BHVcDkQ==
+-----END CERTIFICATE-----`),
+			violations: []string{"spec.otherNames"},
+		},
 		"should not match if ipAddresses has been made the commonName": {
 			spec: cmapi.CertificateSpec{
 				IPAddresses: []string{"127.0.0.1"},