weiguoqiang/cert-manager
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Addressed review comments

Browse Source 
Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
This commit is contained in:
tanujd11 2023-12-12 17:05:33 +05:30
parent 5f0a715863
commit 652feb50cc
6 changed files with 129 additions and 371 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
pkg/util/pki/csr.go
View File

@ -319,7 +319,28 @@ func GenerateCSR(crt *v1.Certificate, optFuncs ...GenerateCSROption) (*x509.Cert
}
if opts.EncodeNameConstraintsInRequest && crt.Spec.NameConstraints != nil {
extension, err := MarshalNameConstraints(crt.Spec.NameConstraints)
nameConstraints := &NameConstraints{}
nameConstraints.PermittedDNSDomainsCritical = crt.Spec.NameConstraints.Critical
if crt.Spec.NameConstraints.Permitted != nil {
nameConstraints.PermittedDNSDomains = crt.Spec.NameConstraints.Permitted.DNSDomains
nameConstraints.PermittedIPRanges, err = parseCIDRs(crt.Spec.NameConstraints.Permitted.IPRanges)
if err != nil {
return nil, err
}
nameConstraints.PermittedEmailAddresses = crt.Spec.NameConstraints.Permitted.EmailAddresses
nameConstraints.ExcludedURIDomains = crt.Spec.NameConstraints.Permitted.URIDomains
}
if crt.Spec.NameConstraints.Excluded != nil {
nameConstraints.ExcludedDNSDomains = crt.Spec.NameConstraints.Excluded.DNSDomains
nameConstraints.ExcludedIPRanges, err = parseCIDRs(crt.Spec.NameConstraints.Excluded.IPRanges)
if err != nil {
return nil, err
}
nameConstraints.ExcludedEmailAddresses = crt.Spec.NameConstraints.Excluded.EmailAddresses
nameConstraints.ExcludedURIDomains = crt.Spec.NameConstraints.Excluded.URIDomains
}
extension, err := MarshalNameConstraints(nameConstraints)
if err != nil {
return nil, err
}

276
pkg/util/pki/nameconstraints.go
View File

@ -17,15 +17,12 @@ limitations under the License.
package pki
import (
"bytes"
"crypto/x509/pkix"
"errors"
"fmt"
"net"
"strings"
"unicode"
v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
"golang.org/x/crypto/cryptobyte"
cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
)
@ -49,11 +46,11 @@ type NameConstraints struct {
}
// Adapted from x509.go
func MarshalNameConstraints(nameConstraints *v1.NameConstraints) (pkix.Extension, error) {
func MarshalNameConstraints(nameConstraints *NameConstraints) (pkix.Extension, error) {
ext := pkix.Extension{}
if doMarshalNameConstraints(nameConstraints) {
ext.Id = OIDExtensionNameConstraints
ext.Critical = nameConstraints.Critical
ext.Critical = nameConstraints.PermittedDNSDomainsCritical
ipAndMask := func(ipNet *net.IPNet) []byte {
maskedIP := ipNet.IP.Mask(ipNet.Mask)
@ -115,27 +112,15 @@ func MarshalNameConstraints(nameConstraints *v1.NameConstraints) (pkix.Extension
var permitted []byte
var err error
if nameConstraints.Permitted != nil {
permittedIPRanges, err := parseCIDRs(nameConstraints.Permitted.IPRanges)
if err != nil {
return pkix.Extension{}, err
}
permitted, err = serialiseConstraints(nameConstraints.Permitted.DNSDomains, permittedIPRanges, nameConstraints.Permitted.EmailAddresses, nameConstraints.Permitted.URIDomains)
if err != nil {
return pkix.Extension{}, err
}
permitted, err = serialiseConstraints(nameConstraints.PermittedDNSDomains, nameConstraints.PermittedIPRanges, nameConstraints.PermittedEmailAddresses, nameConstraints.PermittedURIDomains)
if err != nil {
return pkix.Extension{}, err
}
var excluded []byte
if nameConstraints.Excluded != nil {
excludedIPRanges, err := parseCIDRs(nameConstraints.Excluded.IPRanges)
if err != nil {
return pkix.Extension{}, err
}
excluded, err = serialiseConstraints(nameConstraints.Excluded.DNSDomains, excludedIPRanges, nameConstraints.Excluded.EmailAddresses, nameConstraints.Excluded.URIDomains)
if err != nil {
return pkix.Extension{}, err
}
excluded, err = serialiseConstraints(nameConstraints.ExcludedDNSDomains, nameConstraints.ExcludedIPRanges, nameConstraints.ExcludedEmailAddresses, nameConstraints.ExcludedURIDomains)
if err != nil {
return pkix.Extension{}, err
}
var b cryptobyte.Builder
@ -161,18 +146,16 @@ func MarshalNameConstraints(nameConstraints *v1.NameConstraints) (pkix.Extension
return ext, nil
}
func doMarshalNameConstraints(nameConstraints *v1.NameConstraints) bool {
func doMarshalNameConstraints(nameConstraints *NameConstraints) bool {
return nameConstraints != nil &&
(nameConstraints.Permitted != nil &&
(len(nameConstraints.Permitted.DNSDomains) > 0 ||
len(nameConstraints.Permitted.IPRanges) > 0 ||
len(nameConstraints.Permitted.EmailAddresses) > 0 ||
len(nameConstraints.Permitted.URIDomains) > 0)) ||
(nameConstraints.Excluded != nil &&
(len(nameConstraints.Excluded.DNSDomains) > 0 ||
len(nameConstraints.Excluded.IPRanges) > 0 ||
len(nameConstraints.Excluded.EmailAddresses) > 0 ||
len(nameConstraints.Excluded.URIDomains) > 0))
(len(nameConstraints.PermittedDNSDomains) > 0 ||
len(nameConstraints.PermittedIPRanges) > 0 ||
len(nameConstraints.PermittedEmailAddresses) > 0 ||
len(nameConstraints.PermittedURIDomains) > 0 ||
len(nameConstraints.ExcludedDNSDomains) > 0 ||
len(nameConstraints.ExcludedIPRanges) > 0 ||
len(nameConstraints.ExcludedEmailAddresses) > 0 ||
len(nameConstraints.ExcludedURIDomains) > 0)
}
func isIA5String(s string) error {
@ -201,6 +184,7 @@ func parseCIDRs(cidrs []string) ([]*net.IPNet, error) {
return ipRanges, nil
}
// Adapted from crypto/x509/parser.go
func UnmarshalNameConstraints(e pkix.Extension) (*NameConstraints, error) {
out := &NameConstraints{}
// RFC 5280, 4.2.1.10
@ -260,17 +244,6 @@ func UnmarshalNameConstraints(e pkix.Extension) (*NameConstraints, error) {
return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
}
trimmedDomain := domain
if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' {
// constraints can have a leading
// period to exclude the domain
// itself, but that's not valid in a
// normal domain name.
trimmedDomain = trimmedDomain[1:]
}
if _, ok := domainToReverseLabels(trimmedDomain); !ok {
return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse dnsName constraint %q", domain)
}
dnsNames = append(dnsNames, domain)
case ipTag:
@ -302,22 +275,6 @@ func UnmarshalNameConstraints(e pkix.Extension) (*NameConstraints, error) {
return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
}
// If the constraint contains an @ then
// it specifies an exact mailbox name.
if strings.Contains(constraint, "@") {
if _, ok := parseRFC2821Mailbox(constraint); !ok {
return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint)
}
} else {
// Otherwise it's a domain name.
domain := constraint
if len(domain) > 0 && domain[0] == '.' {
domain = domain[1:]
}
if _, ok := domainToReverseLabels(domain); !ok {
return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint)
}
}
emails = append(emails, constraint)
case uriTag:
@ -326,21 +283,6 @@ func UnmarshalNameConstraints(e pkix.Extension) (*NameConstraints, error) {
return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
}
if net.ParseIP(domain) != nil {
return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q: cannot be IP address", domain)
}
trimmedDomain := domain
if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' {
// constraints can have a leading
// period to exclude the domain itself,
// but that's not valid in a normal
// domain name.
trimmedDomain = trimmedDomain[1:]
}
if _, ok := domainToReverseLabels(trimmedDomain); !ok {
return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q", domain)
}
uriDomains = append(uriDomains, domain)
}
}
@ -360,41 +302,6 @@ func UnmarshalNameConstraints(e pkix.Extension) (*NameConstraints, error) {
return out, nil
}
// domainToReverseLabels converts a textual domain name like foo.example.com to
// the list of labels in reverse order, e.g. ["com", "example", "foo"].
func domainToReverseLabels(domain string) (reverseLabels []string, ok bool) {
for len(domain) > 0 {
if i := strings.LastIndexByte(domain, '.'); i == -1 {
reverseLabels = append(reverseLabels, domain)
domain = ""
} else {
reverseLabels = append(reverseLabels, domain[i+1:])
domain = domain[:i]
}
}
if len(reverseLabels) > 0 && len(reverseLabels[0]) == 0 {
// An empty label at the end indicates an absolute value.
return nil, false
}
for _, label := range reverseLabels {
if len(label) == 0 {
// Empty labels are otherwise invalid.
return nil, false
}
for _, c := range label {
if c < 33 || c > 126 {
// Invalid character.
return nil, false
}
}
}
return reverseLabels, true
}
// isValidIPMask reports whether mask consists of zero or more 1 bits, followed by zero bits.
func isValidIPMask(mask []byte) bool {
seenZero := false
@ -419,150 +326,3 @@ func isValidIPMask(mask []byte) bool {
return true
}
// rfc2821Mailbox represents a “mailbox” (which is an email address to most
// people) by breaking it into the “local” (i.e. before the '@') and “domain”
// parts.
type rfc2821Mailbox struct {
local, domain string
}
// parseRFC2821Mailbox parses an email address into local and domain parts,
// based on the ABNF for a “Mailbox” from RFC 2821. According to RFC 5280,
// Section 4.2.1.6 that's correct for an rfc822Name from a certificate: “The
// format of an rfc822Name is a "Mailbox" as defined in RFC 2821, Section 4.1.2”.
func parseRFC2821Mailbox(in string) (mailbox rfc2821Mailbox, ok bool) {
if len(in) == 0 {
return mailbox, false
}
localPartBytes := make([]byte, 0, len(in)/2)
if in[0] == '"' {
// Quoted-string = DQUOTE *qcontent DQUOTE
// non-whitespace-control = %d1-8 / %d11 / %d12 / %d14-31 / %d127
// qcontent = qtext / quoted-pair
// qtext = non-whitespace-control /
// %d33 / %d35-91 / %d93-126
// quoted-pair = ("\" text) / obs-qp
// text = %d1-9 / %d11 / %d12 / %d14-127 / obs-text
//
// (Names beginning with “obs-” are the obsolete syntax from RFC 2822,
// Section 4. Since it has been 16 years, we no longer accept that.)
in = in[1:]
QuotedString:
for {
if len(in) == 0 {
return mailbox, false
}
c := in[0]
in = in[1:]
switch {
case c == '"':
break QuotedString
case c == '\\':
// quoted-pair
if len(in) == 0 {
return mailbox, false
}
if in[0] == 11 ||
in[0] == 12 ||
(1 <= in[0] && in[0] <= 9) ||
(14 <= in[0] && in[0] <= 127) {
localPartBytes = append(localPartBytes, in[0])
in = in[1:]
} else {
return mailbox, false
}
case c == 11 ||
c == 12 ||
// Space (char 32) is not allowed based on the
// BNF, but RFC 3696 gives an example that
// assumes that it is. Several “verified”
// errata continue to argue about this point.
// We choose to accept it.
c == 32 ||
c == 33 ||
c == 127 ||
(1 <= c && c <= 8) ||
(14 <= c && c <= 31) ||
(35 <= c && c <= 91) ||
(93 <= c && c <= 126):
// qtext
localPartBytes = append(localPartBytes, c)
default:
return mailbox, false
}
}
} else {
// Atom ("." Atom)*
NextChar:
for len(in) > 0 {
// atext from RFC 2822, Section 3.2.4
c := in[0]
switch {
case c == '\\':
// Examples given in RFC 3696 suggest that
// escaped characters can appear outside of a
// quoted string. Several “verified” errata
// continue to argue the point. We choose to
// accept it.
in = in[1:]
if len(in) == 0 {
return mailbox, false
}
fallthrough
case ('0' <= c && c <= '9') ||
('a' <= c && c <= 'z') ||
('A' <= c && c <= 'Z') ||
c == '!' || c == '#' || c == '$' || c == '%' ||
c == '&' || c == '\'' || c == '*' || c == '+' ||
c == '-' || c == '/' || c == '=' || c == '?' ||
c == '^' || c == '_' || c == '`' || c == '{' ||
c == '|' || c == '}' || c == '~' || c == '.':
localPartBytes = append(localPartBytes, in[0])
in = in[1:]
default:
break NextChar
}
}
if len(localPartBytes) == 0 {
return mailbox, false
}
// From RFC 3696, Section 3:
// “period (".") may also appear, but may not be used to start
// or end the local part, nor may two or more consecutive
// periods appear.”
twoDots := []byte{'.', '.'}
if localPartBytes[0] == '.' ||
localPartBytes[len(localPartBytes)-1] == '.' ||
bytes.Contains(localPartBytes, twoDots) {
return mailbox, false
}
}
if len(in) == 0 || in[0] != '@' {
return mailbox, false
}
in = in[1:]
// The RFC species a format for domains, but that's known to be
// violated in practice so we accept that anything after an '@' is the
// domain part.
if _, ok := domainToReverseLabels(in); !ok {
return mailbox, false
}
mailbox.local = string(localPartBytes)
mailbox.domain = in
return mailbox, true
}

148
pkg/util/pki/nameconstraints_test.go
View File

@ -21,15 +21,15 @@ import (
"crypto/x509/pkix"
"encoding/pem"
"fmt"
"os"
"net"
"strings"
"testing"
v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
"github.com/stretchr/testify/assert"
)
// TestMarshalNameConstraints tests the MarshalNameConstraints function
// To generate the testdata at testdata/nameconstraints, do something like this:
// To generate the expectedPEM, do something like this:
// openssl req -new -key private_key.pem -out csr1.pem -subj "/CN=example.org" -config config.cnf
//
// where config.cnf is(replace nameConstraints with the values mentioned in the testcase):
@ -45,82 +45,114 @@ func TestMarshalNameConstraints(t *testing.T) {
// Test data
testCases := []struct {
name string
input *v1.NameConstraints
input *NameConstraints
expectedErr error
expectedFile string
expectedPEM string
}{
{
name: "Permitted constraints",
input: &v1.NameConstraints{
Critical: true,
Permitted: &v1.NameConstraintItem{
DNSDomains: []string{"example.com"},
IPRanges: []string{"192.168.1.0/24"},
EmailAddresses: []string{"user@example.com"},
URIDomains: []string{"https://example.com"},
input: &NameConstraints{
PermittedDNSDomainsCritical: true,
PermittedDNSDomains: []string{"example.com"},
PermittedIPRanges: []*net.IPNet{{IP: net.IPv4(192, 168, 1, 0), Mask: net.IPv4Mask(255, 255, 255, 0)}},
PermittedEmailAddresses: []string{"user@example.com"},
PermittedURIDomains: []string{"https://example.com"},
},
},
expectedErr: nil,
// nameConstraints = critical,permitted;DNS:example.com,permitted;IP:192.168.1.0/255.255.255.0,permitted;email:user@example.com,permitted;URI:https://example.com
expectedFile: "permitted-constraints.pem",
expectedPEM: `-----BEGIN CERTIFICATE REQUEST-----
MIICwjCCAaoCAQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCXy2XEkqESyr8/Y2x1A7AQaQlu3wry8QSmVwcb
QYQ12xpA9derxd6f2qV+UZq/7tSwvaFfcdzbY4MTG+dq3QmlyXNEpVmzg/CbQJpQ
ae/aacnb7MEvPGQpD8eHBt14QdoH0B5qreARa/IND4I+BazEAn9yAWc9o5BQMqPb
5OGa5PMWR8apRyJrMfupMS0R3Nnmi+BP0fWepbOZHzRA6d2rbwkPBNBHQUyinxXS
oIMg/WbrG0tbps8H6PTZg3Ki+XutPm5rFJ3CKVCzIfWLFIa3jHDNbeRc359EgBI9
r1H7ecuPKxhxewugl0NirKIaEgzc609FIP++pmm3J5P10HF7AgMBAAGgZzBlBgkq
hkiG9w0BCQ4xWDBWMFQGA1UdHgEB/wRKMEigRjANggtleGFtcGxlLmNvbTAKhwjA
qAEA////ADASgRB1c2VyQGV4YW1wbGUuY29tMBWGE2h0dHBzOi8vZXhhbXBsZS5j
b20wDQYJKoZIhvcNAQELBQADggEBAG4mhMt9iOGu1LInHW7oZyD8/FILhhafO7NF
OLPLNK37yZmPWn3idIei/oooFspKspLSMqyCGgibr6jo613+6ENCHgzM/MUDrbfP
i0VmriogMVB6qF73Qozylk1HPMcNe32aKsZygFAzKT586aO/F/exMx3NlKWa36m2
rXKPgtD+T4R+hBxmsYAGVWFlvish+L1UIXtxddna4dYHSbLBz+uZXzrxyuJgSQV3
2wF++GJ1zOi47CEUukqQOAZKPCE59erY+vUas8hwMTHMT22D5ZGbdjg6qVBCQdqW
Nu6OGP4KFgW0HWyeGeNBzioGUeyIHFKILLvj2n94WJMqXNyT5eE=
-----END CERTIFICATE REQUEST-----`,
},
{
name: "Mixed constraints",
input: &v1.NameConstraints{
Critical: true,
Permitted: &v1.NameConstraintItem{
DNSDomains: []string{"example.com"},
IPRanges: []string{"192.168.1.0/24"},
EmailAddresses: []string{"user@example.com"},
URIDomains: []string{"https://example.com"},
},
Excluded: &v1.NameConstraintItem{
DNSDomains: []string{"excluded.com"},
IPRanges: []string{"192.168.0.0/24"},
EmailAddresses: []string{"user@excluded.com"},
URIDomains: []string{"https://excluded.com"},
},
input: &NameConstraints{
PermittedDNSDomainsCritical: true,
PermittedDNSDomains: []string{"example.com"},
PermittedIPRanges: []*net.IPNet{{IP: net.IPv4(192, 168, 1, 0), Mask: net.IPv4Mask(255, 255, 255, 0)}},
PermittedEmailAddresses: []string{"user@example.com"},
PermittedURIDomains: []string{"https://example.com"},
ExcludedDNSDomains: []string{"excluded.com"},
ExcludedIPRanges: []*net.IPNet{{IP: net.IPv4(192, 168, 0, 0), Mask: net.IPv4Mask(255, 255, 255, 0)}},
ExcludedEmailAddresses: []string{"user@excluded.com"},
ExcludedURIDomains: []string{"https://excluded.com"},
},
expectedErr: nil,
// nameConstraints = critical,permitted;DNS:example.com,permitted;IP:192.168.1.0/255.255.255.0,permitted;email:user@example.com,permitted;URI:https://example.com,excluded;DNS:excluded.com,excluded;IP:192.168.0.0/255.255.255.0,excluded;email:user@excluded.com,excluded;URI:https://excluded.com
expectedFile: "mixed-constraints.pem",
expectedPEM: `-----BEGIN CERTIFICATE REQUEST-----
MIIDFDCCAfwCAQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCXy2XEkqESyr8/Y2x1A7AQaQlu3wry8QSmVwcb
QYQ12xpA9derxd6f2qV+UZq/7tSwvaFfcdzbY4MTG+dq3QmlyXNEpVmzg/CbQJpQ
ae/aacnb7MEvPGQpD8eHBt14QdoH0B5qreARa/IND4I+BazEAn9yAWc9o5BQMqPb
5OGa5PMWR8apRyJrMfupMS0R3Nnmi+BP0fWepbOZHzRA6d2rbwkPBNBHQUyinxXS
oIMg/WbrG0tbps8H6PTZg3Ki+XutPm5rFJ3CKVCzIfWLFIa3jHDNbeRc359EgBI9
r1H7ecuPKxhxewugl0NirKIaEgzc609FIP++pmm3J5P10HF7AgMBAAGggbgwgbUG
CSqGSIb3DQEJDjGBpzCBpDCBoQYDVR0eAQH/BIGWMIGToEYwDYILZXhhbXBsZS5j
b20wCocIwKgBAP///wAwEoEQdXNlckBleGFtcGxlLmNvbTAVhhNodHRwczovL2V4
YW1wbGUuY29toUkwDoIMZXhjbHVkZWQuY29tMAqHCMCoAAD///8AMBOBEXVzZXJA
ZXhjbHVkZWQuY29tMBaGFGh0dHBzOi8vZXhjbHVkZWQuY29tMA0GCSqGSIb3DQEB
CwUAA4IBAQCEBMhHw4wbP+aBDViKtvpaMar3ZWYVuV7j2qck5yDlXYGhpTQlwg5C
XEIP7zKM1yGgCITEpA5KML4PV55rEU6TCa2E9oQfy51QQcmSTGYLjolOahpALwzn
38n9e4WBiHwDVMVsSR5Zhw2dy9tqSslAHjp3TFFCcx7gaKoTs6OOJzv784PzX7xp
Vbm68hvWwkdD0lwGJlNkykPmNGxpC1kVn6L1p7LUubWOkkqBHwgny+DW3fPtKpvO
AHpUq+yDI0oaIz6BIfn2Vs7jUSXCZIoQBwajALg9kGqh3O6+ds617+AzxGXk0LBQ
0GsHVWCimOgcqgU5Qg4K6iMUtlDU2WAW
-----END CERTIFICATE REQUEST-----`,
},
{
name: "Empty constraints",
input: &v1.NameConstraints{},
input: &NameConstraints{},
expectedErr: nil,
expectedFile: "",
expectedPEM: "",
},
{
name: "Excluded constraints",
input: &v1.NameConstraints{
Critical: true,
Excluded: &v1.NameConstraintItem{
DNSDomains: []string{"excluded.com"},
IPRanges: []string{"192.168.0.0/24"},
EmailAddresses: []string{"user@excluded.com"},
URIDomains: []string{"https://excluded.com"},
},
input: &NameConstraints{
PermittedDNSDomainsCritical: true,
ExcludedDNSDomains: []string{"excluded.com"},
ExcludedIPRanges: []*net.IPNet{{IP: net.IPv4(192, 168, 0, 0), Mask: net.IPv4Mask(255, 255, 255, 0)}},
ExcludedEmailAddresses: []string{"user@excluded.com"},
ExcludedURIDomains: []string{"https://excluded.com"},
},
expectedErr: nil,
// nameConstraints = critical,excluded;DNS:excluded.com,excluded;IP:192.168.0.0/255.255.255.0,excluded;email:user@excluded.com,excluded;URI:https://excluded.com
expectedFile: "excluded-constraints.pem",
},
{
name: "Invalid NameConstraints",
input: &v1.NameConstraints{
Excluded: &v1.NameConstraintItem{
IPRanges: []string{"invalidCIDR"},
},
},
expectedErr: fmt.Errorf("invalid CIDR address: invalidCIDR"),
expectedFile: "",
expectedPEM: `-----BEGIN CERTIFICATE REQUEST-----
MIICxTCCAa0CAQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCXy2XEkqESyr8/Y2x1A7AQaQlu3wry8QSmVwcb
QYQ12xpA9derxd6f2qV+UZq/7tSwvaFfcdzbY4MTG+dq3QmlyXNEpVmzg/CbQJpQ
ae/aacnb7MEvPGQpD8eHBt14QdoH0B5qreARa/IND4I+BazEAn9yAWc9o5BQMqPb
5OGa5PMWR8apRyJrMfupMS0R3Nnmi+BP0fWepbOZHzRA6d2rbwkPBNBHQUyinxXS
oIMg/WbrG0tbps8H6PTZg3Ki+XutPm5rFJ3CKVCzIfWLFIa3jHDNbeRc359EgBI9
r1H7ecuPKxhxewugl0NirKIaEgzc609FIP++pmm3J5P10HF7AgMBAAGgajBoBgkq
hkiG9w0BCQ4xWzBZMFcGA1UdHgEB/wRNMEuhSTAOggxleGNsdWRlZC5jb20wCocI
wKgAAP///wAwE4ERdXNlckBleGNsdWRlZC5jb20wFoYUaHR0cHM6Ly9leGNsdWRl
ZC5jb20wDQYJKoZIhvcNAQELBQADggEBABQGXpovgvk8Ag+FSv0fVcHAalNrNHkL
8kJmLjJKMjYhrI4KwkrVDwRvm96ueSfDYLMu56Vd/cLzVbqgFNEeGY+7/fwty/PK
PwjPjMC3i09D1JZjrpc2gpIxmrwP/vf1DpxPUVF5wzE9xRiYvKu3/ZHy1d3FYYgT
cpf+w2cqzt2J8imToJUtjbVTACqBwhwRrn7xyP0trvAo1tfHS4qK7urJxbuT+OAf
mYfy24EOPhpvyIyYS+lbkc9wdYT4BSIjQCFNAjcBD+/04SkHgtbFLy0i8xsKcfOy
3haWYno4zTZ0v6LAdn3CgtbvUtFBfIMjmEfsldVZpIbpuSEqjMFDGls=
-----END CERTIFICATE REQUEST-----`,
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
expectedResult, err := getExtensionFromFile(tc.expectedFile)
expectedResult, err := getExtensionFromPem(tc.expectedPEM)
assert.NoError(t, err)
result, err := MarshalNameConstraints(tc.input)
if tc.expectedErr != nil {
@ -136,16 +168,14 @@ func TestMarshalNameConstraints(t *testing.T) {
}
}
func getExtensionFromFile(csrPath string) (pkix.Extension, error) {
if csrPath == "" {
func getExtensionFromPem(pemData string) (pkix.Extension, error) {
if pemData == "" {
return pkix.Extension{}, nil
}
csrPEM, err := os.ReadFile("testdata/nameconstraints/" + csrPath)
if err != nil {
return pkix.Extension{}, fmt.Errorf("Error reading CSR file: %v", err)
}
pemData = strings.TrimSpace(pemData)
fmt.Println(pemData)
csrPEM := []byte(pemData)
block, _ := pem.Decode(csrPEM)
if block == nil || block.Type != "CERTIFICATE REQUEST" {
return pkix.Extension{}, fmt.Errorf("Failed to decode PEM block or the type is not 'CERTIFICATE REQUEST'")

17
pkg/util/pki/testdata/nameconstraints/excluded-constraints.pem vendored
View File

@ -1,17 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
MIICxTCCAa0CAQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCXy2XEkqESyr8/Y2x1A7AQaQlu3wry8QSmVwcb
QYQ12xpA9derxd6f2qV+UZq/7tSwvaFfcdzbY4MTG+dq3QmlyXNEpVmzg/CbQJpQ
ae/aacnb7MEvPGQpD8eHBt14QdoH0B5qreARa/IND4I+BazEAn9yAWc9o5BQMqPb
5OGa5PMWR8apRyJrMfupMS0R3Nnmi+BP0fWepbOZHzRA6d2rbwkPBNBHQUyinxXS
oIMg/WbrG0tbps8H6PTZg3Ki+XutPm5rFJ3CKVCzIfWLFIa3jHDNbeRc359EgBI9
r1H7ecuPKxhxewugl0NirKIaEgzc609FIP++pmm3J5P10HF7AgMBAAGgajBoBgkq
hkiG9w0BCQ4xWzBZMFcGA1UdHgEB/wRNMEuhSTAOggxleGNsdWRlZC5jb20wCocI
wKgAAP///wAwE4ERdXNlckBleGNsdWRlZC5jb20wFoYUaHR0cHM6Ly9leGNsdWRl
ZC5jb20wDQYJKoZIhvcNAQELBQADggEBABQGXpovgvk8Ag+FSv0fVcHAalNrNHkL
8kJmLjJKMjYhrI4KwkrVDwRvm96ueSfDYLMu56Vd/cLzVbqgFNEeGY+7/fwty/PK
PwjPjMC3i09D1JZjrpc2gpIxmrwP/vf1DpxPUVF5wzE9xRiYvKu3/ZHy1d3FYYgT
cpf+w2cqzt2J8imToJUtjbVTACqBwhwRrn7xyP0trvAo1tfHS4qK7urJxbuT+OAf
mYfy24EOPhpvyIyYS+lbkc9wdYT4BSIjQCFNAjcBD+/04SkHgtbFLy0i8xsKcfOy
3haWYno4zTZ0v6LAdn3CgtbvUtFBfIMjmEfsldVZpIbpuSEqjMFDGls=
-----END CERTIFICATE REQUEST-----

19
pkg/util/pki/testdata/nameconstraints/mixed-constraints.pem vendored
View File

@ -1,19 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIDFDCCAfwCAQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCXy2XEkqESyr8/Y2x1A7AQaQlu3wry8QSmVwcb
QYQ12xpA9derxd6f2qV+UZq/7tSwvaFfcdzbY4MTG+dq3QmlyXNEpVmzg/CbQJpQ
ae/aacnb7MEvPGQpD8eHBt14QdoH0B5qreARa/IND4I+BazEAn9yAWc9o5BQMqPb
5OGa5PMWR8apRyJrMfupMS0R3Nnmi+BP0fWepbOZHzRA6d2rbwkPBNBHQUyinxXS
oIMg/WbrG0tbps8H6PTZg3Ki+XutPm5rFJ3CKVCzIfWLFIa3jHDNbeRc359EgBI9
r1H7ecuPKxhxewugl0NirKIaEgzc609FIP++pmm3J5P10HF7AgMBAAGggbgwgbUG
CSqGSIb3DQEJDjGBpzCBpDCBoQYDVR0eAQH/BIGWMIGToEYwDYILZXhhbXBsZS5j
b20wCocIwKgBAP///wAwEoEQdXNlckBleGFtcGxlLmNvbTAVhhNodHRwczovL2V4
YW1wbGUuY29toUkwDoIMZXhjbHVkZWQuY29tMAqHCMCoAAD///8AMBOBEXVzZXJA
ZXhjbHVkZWQuY29tMBaGFGh0dHBzOi8vZXhjbHVkZWQuY29tMA0GCSqGSIb3DQEB
CwUAA4IBAQCEBMhHw4wbP+aBDViKtvpaMar3ZWYVuV7j2qck5yDlXYGhpTQlwg5C
XEIP7zKM1yGgCITEpA5KML4PV55rEU6TCa2E9oQfy51QQcmSTGYLjolOahpALwzn
38n9e4WBiHwDVMVsSR5Zhw2dy9tqSslAHjp3TFFCcx7gaKoTs6OOJzv784PzX7xp
Vbm68hvWwkdD0lwGJlNkykPmNGxpC1kVn6L1p7LUubWOkkqBHwgny+DW3fPtKpvO
AHpUq+yDI0oaIz6BIfn2Vs7jUSXCZIoQBwajALg9kGqh3O6+ds617+AzxGXk0LBQ
0GsHVWCimOgcqgU5Qg4K6iMUtlDU2WAW
-----END CERTIFICATE REQUEST-----

17
pkg/util/pki/testdata/nameconstraints/permitted-constraints.pem vendored
View File

@ -1,17 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
MIICwjCCAaoCAQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCXy2XEkqESyr8/Y2x1A7AQaQlu3wry8QSmVwcb
QYQ12xpA9derxd6f2qV+UZq/7tSwvaFfcdzbY4MTG+dq3QmlyXNEpVmzg/CbQJpQ
ae/aacnb7MEvPGQpD8eHBt14QdoH0B5qreARa/IND4I+BazEAn9yAWc9o5BQMqPb
5OGa5PMWR8apRyJrMfupMS0R3Nnmi+BP0fWepbOZHzRA6d2rbwkPBNBHQUyinxXS
oIMg/WbrG0tbps8H6PTZg3Ki+XutPm5rFJ3CKVCzIfWLFIa3jHDNbeRc359EgBI9
r1H7ecuPKxhxewugl0NirKIaEgzc609FIP++pmm3J5P10HF7AgMBAAGgZzBlBgkq
hkiG9w0BCQ4xWDBWMFQGA1UdHgEB/wRKMEigRjANggtleGFtcGxlLmNvbTAKhwjA
qAEA////ADASgRB1c2VyQGV4YW1wbGUuY29tMBWGE2h0dHBzOi8vZXhhbXBsZS5j
b20wDQYJKoZIhvcNAQELBQADggEBAG4mhMt9iOGu1LInHW7oZyD8/FILhhafO7NF
OLPLNK37yZmPWn3idIei/oooFspKspLSMqyCGgibr6jo613+6ENCHgzM/MUDrbfP
i0VmriogMVB6qF73Qozylk1HPMcNe32aKsZygFAzKT586aO/F/exMx3NlKWa36m2
rXKPgtD+T4R+hBxmsYAGVWFlvish+L1UIXtxddna4dYHSbLBz+uZXzrxyuJgSQV3
2wF++GJ1zOi47CEUukqQOAZKPCE59erY+vUas8hwMTHMT22D5ZGbdjg6qVBCQdqW
Nu6OGP4KFgW0HWyeGeNBzioGUeyIHFKILLvj2n94WJMqXNyT5eE=
-----END CERTIFICATE REQUEST-----