diff --git a/pkg/util/pki/csr.go b/pkg/util/pki/csr.go index d2b1ca2aa..9c1af3d4b 100644 --- a/pkg/util/pki/csr.go +++ b/pkg/util/pki/csr.go @@ -319,7 +319,28 @@ func GenerateCSR(crt *v1.Certificate, optFuncs ...GenerateCSROption) (*x509.Cert } if opts.EncodeNameConstraintsInRequest && crt.Spec.NameConstraints != nil { - extension, err := MarshalNameConstraints(crt.Spec.NameConstraints) + nameConstraints := &NameConstraints{} + nameConstraints.PermittedDNSDomainsCritical = crt.Spec.NameConstraints.Critical + if crt.Spec.NameConstraints.Permitted != nil { + nameConstraints.PermittedDNSDomains = crt.Spec.NameConstraints.Permitted.DNSDomains + nameConstraints.PermittedIPRanges, err = parseCIDRs(crt.Spec.NameConstraints.Permitted.IPRanges) + if err != nil { + return nil, err + } + nameConstraints.PermittedEmailAddresses = crt.Spec.NameConstraints.Permitted.EmailAddresses + nameConstraints.ExcludedURIDomains = crt.Spec.NameConstraints.Permitted.URIDomains + } + + if crt.Spec.NameConstraints.Excluded != nil { + nameConstraints.ExcludedDNSDomains = crt.Spec.NameConstraints.Excluded.DNSDomains + nameConstraints.ExcludedIPRanges, err = parseCIDRs(crt.Spec.NameConstraints.Excluded.IPRanges) + if err != nil { + return nil, err + } + nameConstraints.ExcludedEmailAddresses = crt.Spec.NameConstraints.Excluded.EmailAddresses + nameConstraints.ExcludedURIDomains = crt.Spec.NameConstraints.Excluded.URIDomains + } + extension, err := MarshalNameConstraints(nameConstraints) if err != nil { return nil, err } diff --git a/pkg/util/pki/nameconstraints.go b/pkg/util/pki/nameconstraints.go index 816f615ef..fc7f859f8 100644 --- a/pkg/util/pki/nameconstraints.go +++ b/pkg/util/pki/nameconstraints.go 
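Review bot: In the `Permitted != nil` branch the permitted URI domains are written to the wrong field — `nameConstraints.ExcludedURIDomains = crt.Spec.NameConstraints.Permitted.URIDomains` — so `PermittedURIDomains` is never populated and, when `Excluded` is nil, an operator's permitted URI list is encoded in the CSR as an exclusion; when `Excluded` is set, the later assignment overwrites it and the permitted list is silently dropped. Either way the name constraint that ends up in the request is weaker or inverted relative to `crt.Spec`. The line should read `nameConstraints.PermittedURIDomains = crt.Spec.NameConstraints.Permitted.URIDomains`. The MarshalNameConstraints tests build the struct directly, so nothing exercises this spec-to-struct mapping; a GenerateCSR test with `EncodeNameConstraintsInRequest` and one permitted URI domain would catch it. GenerateCSR's body begins and ends outside the hunk.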
@@ -17,15 +17,12 @@ limitations under the License. package pki import ( - "bytes" "crypto/x509/pkix" "errors" "fmt" "net" - "strings" "unicode" - v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" "golang.org/x/crypto/cryptobyte" cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1" ) @@ -49,11 +46,11 @@ type NameConstraints struct { } // Adapted from x509.go -func MarshalNameConstraints(nameConstraints *v1.NameConstraints) (pkix.Extension, error) { +func MarshalNameConstraints(nameConstraints *NameConstraints) (pkix.Extension, error) { ext := pkix.Extension{} if doMarshalNameConstraints(nameConstraints) { ext.Id = OIDExtensionNameConstraints - ext.Critical = nameConstraints.Critical + ext.Critical = nameConstraints.PermittedDNSDomainsCritical ipAndMask := func(ipNet *net.IPNet) []byte { maskedIP := ipNet.IP.Mask(ipNet.Mask) 
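Review bot: `ext.Critical = nameConstraints.PermittedDNSDomainsCritical` lets a field whose name mentions only DNS decide the critical bit of the whole NameConstraints extension (IP, email and URI subtrees included); that mirrors the crypto/x509 Certificate field, but the previous code set it from a plain `Critical` and a reader of this line will not know the scope. A comment at the assignment would avoid the misreading: `// PermittedDNSDomainsCritical follows the crypto/x509 naming; it marks the entire extension critical, not only the DNS subtrees.` MarshalNameConstraints continues past the end of this hunk.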
@@ -115,27 +112,15 @@ func MarshalNameConstraints(nameConstraints *v1.NameConstraints) (pkix.Extension var permitted []byte var err error - if nameConstraints.Permitted != nil { - permittedIPRanges, err := parseCIDRs(nameConstraints.Permitted.IPRanges) - if err != nil { - return pkix.Extension{}, err - } - permitted, err = serialiseConstraints(nameConstraints.Permitted.DNSDomains, permittedIPRanges, nameConstraints.Permitted.EmailAddresses, nameConstraints.Permitted.URIDomains) - if err != nil { - return pkix.Extension{}, err - } + permitted, err = serialiseConstraints(nameConstraints.PermittedDNSDomains, nameConstraints.PermittedIPRanges, nameConstraints.PermittedEmailAddresses, nameConstraints.PermittedURIDomains) + if err != nil { + return pkix.Extension{}, err } var excluded []byte - if nameConstraints.Excluded != nil { - excludedIPRanges, err := parseCIDRs(nameConstraints.Excluded.IPRanges) - if err != nil { - return pkix.Extension{}, err - } - excluded, err = serialiseConstraints(nameConstraints.Excluded.DNSDomains, excludedIPRanges, nameConstraints.Excluded.EmailAddresses, nameConstraints.Excluded.URIDomains) - if err != nil { - return pkix.Extension{}, err - } + excluded, err = serialiseConstraints(nameConstraints.ExcludedDNSDomains, nameConstraints.ExcludedIPRanges, nameConstraints.ExcludedEmailAddresses, nameConstraints.ExcludedURIDomains) + if err != nil { + return pkix.Extension{}, err } var b cryptobyte.Builder 
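Review bot: `serialiseConstraints` is now invoked unconditionally for both sides, so for an excluded-only input it runs on four empty slices, and the output is well-formed only if it yields no bytes in that case — RFC 5280 §4.2.1.10 defines permittedSubtrees and excludedSubtrees as `SIZE (1..MAX)`, so an empty SEQUENCE would be a malformed extension. The `Excluded constraints` test compares against an OpenSSL-produced CSR and would presumably fail on a spurious empty tag, but the reliance is implicit and only the builder code after this hunk can show whether `len(permitted) > 0` is checked before the `[0]` tag is written. A comment before the call, `// serialiseConstraints must return nil for all-empty input; an empty subtree SEQUENCE is invalid per RFC 5280`, or an explicit length guard, would make the contract visible. The cryptobyte builder that consumes `permitted` and `excluded` lies outside the hunk.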
@@ -161,18 +146,16 @@ func MarshalNameConstraints(nameConstraints *v1.NameConstraints) (pkix.Extension return ext, nil } -func doMarshalNameConstraints(nameConstraints *v1.NameConstraints) bool { +func doMarshalNameConstraints(nameConstraints *NameConstraints) bool { return nameConstraints != nil && - (nameConstraints.Permitted != nil && - (len(nameConstraints.Permitted.DNSDomains) > 0 || - len(nameConstraints.Permitted.IPRanges) > 0 || - len(nameConstraints.Permitted.EmailAddresses) > 0 || - len(nameConstraints.Permitted.URIDomains) > 0)) || - (nameConstraints.Excluded != nil && - (len(nameConstraints.Excluded.DNSDomains) > 0 || - len(nameConstraints.Excluded.IPRanges) > 0 || - len(nameConstraints.Excluded.EmailAddresses) > 0 || - len(nameConstraints.Excluded.URIDomains) > 0)) + (len(nameConstraints.PermittedDNSDomains) > 0 || + len(nameConstraints.PermittedIPRanges) > 0 || + len(nameConstraints.PermittedEmailAddresses) > 0 || + len(nameConstraints.PermittedURIDomains) > 0 || + len(nameConstraints.ExcludedDNSDomains) > 0 || + len(nameConstraints.ExcludedIPRanges) > 0 || + len(nameConstraints.ExcludedEmailAddresses) > 0 || + len(nameConstraints.ExcludedURIDomains) > 0) } func isIA5String(s string) error { @@ -201,6 +184,7 @@ func parseCIDRs(cidrs []string) ([]*net.IPNet, error) { return ipRanges, nil } +// Adapted from crypto/x509/parser.go func UnmarshalNameConstraints(e pkix.Extension) (*NameConstraints, error) { out := &NameConstraints{} // RFC 5280, 4.2.1.10 
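Review bot: `doMarshalNameConstraints` has no doc comment and its result has a non-obvious consequence for callers: a `NameConstraints` whose only set field is `PermittedDNSDomainsCritical` produces no extension at all, with no error. Suggest `// doMarshalNameConstraints reports whether at least one permitted or excluded subtree is present; with none, MarshalNameConstraints emits no extension even if the critical flag is set.` The new `// Adapted from crypto/x509/parser.go` line on UnmarshalNameConstraints would be more useful if it also named the checks this change deliberately drops relative to the upstream parser, since a later reader will otherwise assume parity.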
@@ -260,17 +244,6 @@ func UnmarshalNameConstraints(e pkix.Extension) (*NameConstraints, error) { return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error()) } - trimmedDomain := domain - if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' { - // constraints can have a leading - // period to exclude the domain - // itself, but that's not valid in a - // normal domain name. - trimmedDomain = trimmedDomain[1:] - } - if _, ok := domainToReverseLabels(trimmedDomain); !ok { - return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse dnsName constraint %q", domain) - } dnsNames = append(dnsNames, domain) case ipTag: @@ -302,22 +275,6 @@ func UnmarshalNameConstraints(e pkix.Extension) (*NameConstraints, error) { return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error()) } - // If the constraint contains an @ then - // it specifies an exact mailbox name. - if strings.Contains(constraint, "@") { - if _, ok := parseRFC2821Mailbox(constraint); !ok { - return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint) - } - } else { - // Otherwise it's a domain name. - domain := constraint - if len(domain) > 0 && domain[0] == '.' { - domain = domain[1:] - } - if _, ok := domainToReverseLabels(domain); !ok { - return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint) - } - } emails = append(emails, constraint) case uriTag: 
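Review bot: The removed blocks were the only syntax validation on parsed dNSName and rfc822Name constraints; after this hunk `dnsNames = append(dnsNames, domain)` and `emails = append(emails, constraint)` accept any IA5String, including empty labels, trailing-dot absolute names, characters outside 33–126 and, for email, local parts that are not RFC 2821 mailboxes. The crypto/x509 parser this code was adapted from rejects those values, so a certificate or CSR carrying them will now pass through this package and fail later in the standard library, or be compared against spec values as though they were valid constraints. If leniency is intended (for example to round-trip constraints OpenSSL accepts but Go does not), say so at the append site, e.g. `// NOTE: no label/mailbox syntax check here; crypto/x509 rejects malformed values when the certificate itself is parsed`; otherwise the `domainToReverseLabels` and `parseRFC2821Mailbox` checks should stay. The parsing closure these lines belong to starts and ends outside the hunk.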
@@ -326,21 +283,6 @@ func UnmarshalNameConstraints(e pkix.Extension) (*NameConstraints, error) { return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error()) } - if net.ParseIP(domain) != nil { - return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q: cannot be IP address", domain) - } - - trimmedDomain := domain - if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' { - // constraints can have a leading - // period to exclude the domain itself, - // but that's not valid in a normal - // domain name. - trimmedDomain = trimmedDomain[1:] - } - if _, ok := domainToReverseLabels(trimmedDomain); !ok { - return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q", domain) - } uriDomains = append(uriDomains, domain) } } @@ -360,41 +302,6 @@ func UnmarshalNameConstraints(e pkix.Extension) (*NameConstraints, error) { return out, nil } -// domainToReverseLabels converts a textual domain name like foo.example.com to -// the list of labels in reverse order, e.g. ["com", "example", "foo"]. -func domainToReverseLabels(domain string) (reverseLabels []string, ok bool) { - for len(domain) > 0 { - if i := strings.LastIndexByte(domain, '.'); i == -1 { - reverseLabels = append(reverseLabels, domain) - domain = "" - } else { - reverseLabels = append(reverseLabels, domain[i+1:]) - domain = domain[:i] - } - } - - if len(reverseLabels) > 0 && len(reverseLabels[0]) == 0 { - // An empty label at the end indicates an absolute value. - return nil, false - } - - for _, label := range reverseLabels { - if len(label) == 0 { - // Empty labels are otherwise invalid. - return nil, false - } - - for _, c := range label { - if c < 33 || c > 126 { - // Invalid character. - return nil, false - } - } - } - - return reverseLabels, true -} - // isValidIPMask reports whether mask consists of zero or more 1 bits, followed by zero bits. func isValidIPMask(mask []byte) bool { seenZero := false 
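Review bot: Dropping the `net.ParseIP(domain) != nil` guard means an IP literal is now accepted as a uniformResourceIdentifier constraint, which RFC 5280 §4.2.1.10 forbids (the constraint must be a fully qualified domain name), and with `domainToReverseLabels` gone `uriDomains = append(uriDomains, domain)` performs no label check either. Unlike the DNS and email relaxations, this one changes what the constraint can mean: a URI subtree holding an IP would presumably never match a host-name comparison and so constrain nothing while looking like a restriction. Keeping the guard costs nothing since `net` remains imported: `if net.ParseIP(domain) != nil { return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q: cannot be IP address", domain) }`. The enclosing closure begins before this hunk.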
@@ -419,150 +326,3 @@ func isValidIPMask(mask []byte) bool { return true } - -// rfc2821Mailbox represents a “mailbox” (which is an email address to most -// people) by breaking it into the “local” (i.e. before the '@') and “domain” -// parts. -type rfc2821Mailbox struct { - local, domain string -} - -// parseRFC2821Mailbox parses an email address into local and domain parts, -// based on the ABNF for a “Mailbox” from RFC 2821. According to RFC 5280, -// Section 4.2.1.6 that's correct for an rfc822Name from a certificate: “The -// format of an rfc822Name is a "Mailbox" as defined in RFC 2821, Section 4.1.2”. -func parseRFC2821Mailbox(in string) (mailbox rfc2821Mailbox, ok bool) { - if len(in) == 0 { - return mailbox, false - } - - localPartBytes := make([]byte, 0, len(in)/2) - - if in[0] == '"' { - // Quoted-string = DQUOTE *qcontent DQUOTE - // non-whitespace-control = %d1-8 / %d11 / %d12 / %d14-31 / %d127 - // qcontent = qtext / quoted-pair - // qtext = non-whitespace-control / - // %d33 / %d35-91 / %d93-126 - // quoted-pair = ("\" text) / obs-qp - // text = %d1-9 / %d11 / %d12 / %d14-127 / obs-text - // - // (Names beginning with “obs-” are the obsolete syntax from RFC 2822, - // Section 4. Since it has been 16 years, we no longer accept that.) - in = in[1:] - QuotedString: - for { - if len(in) == 0 { - return mailbox, false - } - c := in[0] - in = in[1:] - - switch { - case c == '"': - break QuotedString - - case c == '\\': - // quoted-pair - if len(in) == 0 { - return mailbox, false - } - if in[0] == 11 || - in[0] == 12 || - (1 <= in[0] && in[0] <= 9) || - (14 <= in[0] && in[0] <= 127) { - localPartBytes = append(localPartBytes, in[0]) - in = in[1:] - } else { - return mailbox, false - } - - case c == 11 || - c == 12 || - // Space (char 32) is not allowed based on the - // BNF, but RFC 3696 gives an example that - // assumes that it is. Several “verified” - // errata continue to argue about this point. - // We choose to accept it. 
- c == 32 || - c == 33 || - c == 127 || - (1 <= c && c <= 8) || - (14 <= c && c <= 31) || - (35 <= c && c <= 91) || - (93 <= c && c <= 126): - // qtext - localPartBytes = append(localPartBytes, c) - - default: - return mailbox, false - } - } - } else { - // Atom ("." Atom)* - NextChar: - for len(in) > 0 { - // atext from RFC 2822, Section 3.2.4 - c := in[0] - - switch { - case c == '\\': - // Examples given in RFC 3696 suggest that - // escaped characters can appear outside of a - // quoted string. Several “verified” errata - // continue to argue the point. We choose to - // accept it. - in = in[1:] - if len(in) == 0 { - return mailbox, false - } - fallthrough - - case ('0' <= c && c <= '9') || - ('a' <= c && c <= 'z') || - ('A' <= c && c <= 'Z') || - c == '!' || c == '#' || c == '$' || c == '%' || - c == '&' || c == '\'' || c == '*' || c == '+' || - c == '-' || c == '/' || c == '=' || c == '?' || - c == '^' || c == '_' || c == '`' || c == '{' || - c == '|' || c == '}' || c == '~' || c == '.': - localPartBytes = append(localPartBytes, in[0]) - in = in[1:] - - default: - break NextChar - } - } - - if len(localPartBytes) == 0 { - return mailbox, false - } - - // From RFC 3696, Section 3: - // “period (".") may also appear, but may not be used to start - // or end the local part, nor may two or more consecutive - // periods appear.” - twoDots := []byte{'.', '.'} - if localPartBytes[0] == '.' || - localPartBytes[len(localPartBytes)-1] == '.' || - bytes.Contains(localPartBytes, twoDots) { - return mailbox, false - } - } - - if len(in) == 0 || in[0] != '@' { - return mailbox, false - } - in = in[1:] - - // The RFC species a format for domains, but that's known to be - // violated in practice so we accept that anything after an '@' is the - // domain part. - if _, ok := domainToReverseLabels(in); !ok { - return mailbox, false - } - - mailbox.local = string(localPartBytes) - mailbox.domain = in - return mailbox, true -} 
diff --git a/pkg/util/pki/nameconstraints_test.go b/pkg/util/pki/nameconstraints_test.go index 8a239fac6..d89dd003f 100644 --- a/pkg/util/pki/nameconstraints_test.go +++ b/pkg/util/pki/nameconstraints_test.go @@ -21,15 +21,15 @@ import ( "crypto/x509/pkix" "encoding/pem" "fmt" - "os" + "net" + "strings" "testing" - v1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" "github.com/stretchr/testify/assert" ) // TestMarshalNameConstraints tests the MarshalNameConstraints function -// To generate the testdata at testdata/nameconstraints, do something like this: +// To generate the expectedPEM, do something like this: // openssl req -new -key private_key.pem -out csr1.pem -subj "/CN=example.org" -config config.cnf // // where config.cnf is(replace nameConstraints with the values mentioned in the testcase): 
@@ -45,82 +45,114 @@ func TestMarshalNameConstraints(t *testing.T) { // Test data testCases := []struct { name string - input *v1.NameConstraints + input *NameConstraints expectedErr error - expectedFile string + expectedPEM string }{ { name: "Permitted constraints", - input: &v1.NameConstraints{ - Critical: true, - Permitted: &v1.NameConstraintItem{ - DNSDomains: []string{"example.com"}, - IPRanges: []string{"192.168.1.0/24"}, - EmailAddresses: []string{"user@example.com"}, - URIDomains: []string{"https://example.com"}, + input: &NameConstraints{ + PermittedDNSDomainsCritical: true, + PermittedDNSDomains: []string{"example.com"}, + PermittedIPRanges: []*net.IPNet{{IP: net.IPv4(192, 168, 1, 0), Mask: net.IPv4Mask(255, 255, 255, 0)}}, + PermittedEmailAddresses: []string{"user@example.com"}, + PermittedURIDomains: []string{"https://example.com"}, }, - }, expectedErr: nil, // nameConstraints = critical,permitted;DNS:example.com,permitted;IP:192.168.1.0/255.255.255.0,permitted;email:user@example.com,permitted;URI:https://example.com - expectedFile: "permitted-constraints.pem", + expectedPEM: `-----BEGIN CERTIFICATE REQUEST----- +MIICwjCCAaoCAQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCXy2XEkqESyr8/Y2x1A7AQaQlu3wry8QSmVwcb +QYQ12xpA9derxd6f2qV+UZq/7tSwvaFfcdzbY4MTG+dq3QmlyXNEpVmzg/CbQJpQ +ae/aacnb7MEvPGQpD8eHBt14QdoH0B5qreARa/IND4I+BazEAn9yAWc9o5BQMqPb +5OGa5PMWR8apRyJrMfupMS0R3Nnmi+BP0fWepbOZHzRA6d2rbwkPBNBHQUyinxXS +oIMg/WbrG0tbps8H6PTZg3Ki+XutPm5rFJ3CKVCzIfWLFIa3jHDNbeRc359EgBI9 +r1H7ecuPKxhxewugl0NirKIaEgzc609FIP++pmm3J5P10HF7AgMBAAGgZzBlBgkq +hkiG9w0BCQ4xWDBWMFQGA1UdHgEB/wRKMEigRjANggtleGFtcGxlLmNvbTAKhwjA +qAEA////ADASgRB1c2VyQGV4YW1wbGUuY29tMBWGE2h0dHBzOi8vZXhhbXBsZS5j +b20wDQYJKoZIhvcNAQELBQADggEBAG4mhMt9iOGu1LInHW7oZyD8/FILhhafO7NF +OLPLNK37yZmPWn3idIei/oooFspKspLSMqyCGgibr6jo613+6ENCHgzM/MUDrbfP +i0VmriogMVB6qF73Qozylk1HPMcNe32aKsZygFAzKT586aO/F/exMx3NlKWa36m2 +rXKPgtD+T4R+hBxmsYAGVWFlvish+L1UIXtxddna4dYHSbLBz+uZXzrxyuJgSQV3 
+2wF++GJ1zOi47CEUukqQOAZKPCE59erY+vUas8hwMTHMT22D5ZGbdjg6qVBCQdqW +Nu6OGP4KFgW0HWyeGeNBzioGUeyIHFKILLvj2n94WJMqXNyT5eE= +-----END CERTIFICATE REQUEST-----`, }, { name: "Mixed constraints", - input: &v1.NameConstraints{ - Critical: true, - Permitted: &v1.NameConstraintItem{ - DNSDomains: []string{"example.com"}, - IPRanges: []string{"192.168.1.0/24"}, - EmailAddresses: []string{"user@example.com"}, - URIDomains: []string{"https://example.com"}, - }, - Excluded: &v1.NameConstraintItem{ - DNSDomains: []string{"excluded.com"}, - IPRanges: []string{"192.168.0.0/24"}, - EmailAddresses: []string{"user@excluded.com"}, - URIDomains: []string{"https://excluded.com"}, - }, + input: &NameConstraints{ + PermittedDNSDomainsCritical: true, + PermittedDNSDomains: []string{"example.com"}, + PermittedIPRanges: []*net.IPNet{{IP: net.IPv4(192, 168, 1, 0), Mask: net.IPv4Mask(255, 255, 255, 0)}}, + PermittedEmailAddresses: []string{"user@example.com"}, + PermittedURIDomains: []string{"https://example.com"}, + ExcludedDNSDomains: []string{"excluded.com"}, + ExcludedIPRanges: []*net.IPNet{{IP: net.IPv4(192, 168, 0, 0), Mask: net.IPv4Mask(255, 255, 255, 0)}}, + ExcludedEmailAddresses: []string{"user@excluded.com"}, + ExcludedURIDomains: []string{"https://excluded.com"}, }, expectedErr: nil, // nameConstraints = critical,permitted;DNS:example.com,permitted;IP:192.168.1.0/255.255.255.0,permitted;email:user@example.com,permitted;URI:https://example.com,excluded;DNS:excluded.com,excluded;IP:192.168.0.0/255.255.255.0,excluded;email:user@excluded.com,excluded;URI:https://excluded.com - expectedFile: "mixed-constraints.pem", + expectedPEM: `-----BEGIN CERTIFICATE REQUEST----- +MIIDFDCCAfwCAQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCXy2XEkqESyr8/Y2x1A7AQaQlu3wry8QSmVwcb +QYQ12xpA9derxd6f2qV+UZq/7tSwvaFfcdzbY4MTG+dq3QmlyXNEpVmzg/CbQJpQ +ae/aacnb7MEvPGQpD8eHBt14QdoH0B5qreARa/IND4I+BazEAn9yAWc9o5BQMqPb 
+5OGa5PMWR8apRyJrMfupMS0R3Nnmi+BP0fWepbOZHzRA6d2rbwkPBNBHQUyinxXS +oIMg/WbrG0tbps8H6PTZg3Ki+XutPm5rFJ3CKVCzIfWLFIa3jHDNbeRc359EgBI9 +r1H7ecuPKxhxewugl0NirKIaEgzc609FIP++pmm3J5P10HF7AgMBAAGggbgwgbUG +CSqGSIb3DQEJDjGBpzCBpDCBoQYDVR0eAQH/BIGWMIGToEYwDYILZXhhbXBsZS5j +b20wCocIwKgBAP///wAwEoEQdXNlckBleGFtcGxlLmNvbTAVhhNodHRwczovL2V4 +YW1wbGUuY29toUkwDoIMZXhjbHVkZWQuY29tMAqHCMCoAAD///8AMBOBEXVzZXJA +ZXhjbHVkZWQuY29tMBaGFGh0dHBzOi8vZXhjbHVkZWQuY29tMA0GCSqGSIb3DQEB +CwUAA4IBAQCEBMhHw4wbP+aBDViKtvpaMar3ZWYVuV7j2qck5yDlXYGhpTQlwg5C +XEIP7zKM1yGgCITEpA5KML4PV55rEU6TCa2E9oQfy51QQcmSTGYLjolOahpALwzn +38n9e4WBiHwDVMVsSR5Zhw2dy9tqSslAHjp3TFFCcx7gaKoTs6OOJzv784PzX7xp +Vbm68hvWwkdD0lwGJlNkykPmNGxpC1kVn6L1p7LUubWOkkqBHwgny+DW3fPtKpvO +AHpUq+yDI0oaIz6BIfn2Vs7jUSXCZIoQBwajALg9kGqh3O6+ds617+AzxGXk0LBQ +0GsHVWCimOgcqgU5Qg4K6iMUtlDU2WAW +-----END CERTIFICATE REQUEST-----`, }, { name: "Empty constraints", - input: &v1.NameConstraints{}, + input: &NameConstraints{}, expectedErr: nil, - expectedFile: "", + expectedPEM: "", }, { name: "Excluded constraints", - input: &v1.NameConstraints{ - Critical: true, - Excluded: &v1.NameConstraintItem{ - DNSDomains: []string{"excluded.com"}, - IPRanges: []string{"192.168.0.0/24"}, - EmailAddresses: []string{"user@excluded.com"}, - URIDomains: []string{"https://excluded.com"}, - }, + input: &NameConstraints{ + PermittedDNSDomainsCritical: true, + ExcludedDNSDomains: []string{"excluded.com"}, + ExcludedIPRanges: []*net.IPNet{{IP: net.IPv4(192, 168, 0, 0), Mask: net.IPv4Mask(255, 255, 255, 0)}}, + ExcludedEmailAddresses: []string{"user@excluded.com"}, + ExcludedURIDomains: []string{"https://excluded.com"}, }, expectedErr: nil, // nameConstraints = critical,excluded;DNS:excluded.com,excluded;IP:192.168.0.0/255.255.255.0,excluded;email:user@excluded.com,excluded;URI:https://excluded.com - expectedFile: "excluded-constraints.pem", - }, - { - name: "Invalid NameConstraints", - input: &v1.NameConstraints{ - Excluded: &v1.NameConstraintItem{ - IPRanges: 
[]string{"invalidCIDR"}, - }, - }, - expectedErr: fmt.Errorf("invalid CIDR address: invalidCIDR"), - expectedFile: "", + expectedPEM: `-----BEGIN CERTIFICATE REQUEST----- +MIICxTCCAa0CAQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCXy2XEkqESyr8/Y2x1A7AQaQlu3wry8QSmVwcb +QYQ12xpA9derxd6f2qV+UZq/7tSwvaFfcdzbY4MTG+dq3QmlyXNEpVmzg/CbQJpQ +ae/aacnb7MEvPGQpD8eHBt14QdoH0B5qreARa/IND4I+BazEAn9yAWc9o5BQMqPb +5OGa5PMWR8apRyJrMfupMS0R3Nnmi+BP0fWepbOZHzRA6d2rbwkPBNBHQUyinxXS +oIMg/WbrG0tbps8H6PTZg3Ki+XutPm5rFJ3CKVCzIfWLFIa3jHDNbeRc359EgBI9 +r1H7ecuPKxhxewugl0NirKIaEgzc609FIP++pmm3J5P10HF7AgMBAAGgajBoBgkq +hkiG9w0BCQ4xWzBZMFcGA1UdHgEB/wRNMEuhSTAOggxleGNsdWRlZC5jb20wCocI +wKgAAP///wAwE4ERdXNlckBleGNsdWRlZC5jb20wFoYUaHR0cHM6Ly9leGNsdWRl +ZC5jb20wDQYJKoZIhvcNAQELBQADggEBABQGXpovgvk8Ag+FSv0fVcHAalNrNHkL +8kJmLjJKMjYhrI4KwkrVDwRvm96ueSfDYLMu56Vd/cLzVbqgFNEeGY+7/fwty/PK +PwjPjMC3i09D1JZjrpc2gpIxmrwP/vf1DpxPUVF5wzE9xRiYvKu3/ZHy1d3FYYgT +cpf+w2cqzt2J8imToJUtjbVTACqBwhwRrn7xyP0trvAo1tfHS4qK7urJxbuT+OAf +mYfy24EOPhpvyIyYS+lbkc9wdYT4BSIjQCFNAjcBD+/04SkHgtbFLy0i8xsKcfOy +3haWYno4zTZ0v6LAdn3CgtbvUtFBfIMjmEfsldVZpIbpuSEqjMFDGls= +-----END CERTIFICATE REQUEST-----`, }, } for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { - expectedResult, err := getExtensionFromFile(tc.expectedFile) + expectedResult, err := getExtensionFromPem(tc.expectedPEM) assert.NoError(t, err) result, err := MarshalNameConstraints(tc.input) if tc.expectedErr != nil { 
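Review bot: The `Invalid NameConstraints` case (malformed CIDR) is dropped without a replacement, so a `parseCIDRs` failure is no longer covered anywhere visible, and after this hunk no case sets `expectedErr`, which leaves the `if tc.expectedErr != nil` branch dead code. Since CIDR parsing moved into GenerateCSR, the error case belongs in a GenerateCSR test with `EncodeNameConstraintsInRequest` set and `IPRanges: []string{"invalidCIDR"}`, expecting `invalid CIDR address: invalidCIDR`; that test is also the natural place to assert that `Permitted.URIDomains` lands in the permitted subtree rather than the excluded one. The header comment still documents the OpenSSL invocation used to produce each `expectedPEM`, which is worth keeping next to the inline fixtures. The test function continues outside the hunk.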
@@ -136,16 +168,14 @@ func TestMarshalNameConstraints(t *testing.T) { } } -func getExtensionFromFile(csrPath string) (pkix.Extension, error) { - if csrPath == "" { +func getExtensionFromPem(pemData string) (pkix.Extension, error) { + if pemData == "" { return pkix.Extension{}, nil } - - csrPEM, err := os.ReadFile("testdata/nameconstraints/" + csrPath) - if err != nil { - return pkix.Extension{}, fmt.Errorf("Error reading CSR file: %v", err) - } - + pemData = strings.TrimSpace(pemData) + fmt.Println(pemData) + csrPEM := []byte(pemData) + block, _ := pem.Decode(csrPEM) if block == nil || block.Type != "CERTIFICATE REQUEST" { return pkix.Extension{}, fmt.Errorf("Failed to decode PEM block or the type is not 'CERTIFICATE REQUEST'") diff --git a/pkg/util/pki/testdata/nameconstraints/excluded-constraints.pem b/pkg/util/pki/testdata/nameconstraints/excluded-constraints.pem deleted file mode 100644 index ab9702435..000000000 --- a/pkg/util/pki/testdata/nameconstraints/excluded-constraints.pem +++ /dev/null 
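Review bot: `fmt.Println(pemData)` in `getExtensionFromPem` is a leftover debug print that dumps every expected CSR to the test output on each run; delete that line. With it gone the intermediate `csrPEM` variable adds nothing, and the body reduces to `pemData = strings.TrimSpace(pemData)` followed by `block, _ := pem.Decode([]byte(pemData))`. The early return for `pemData == ""` deserves a one-line comment, `// an empty expectation means no extension is expected`, since the zero `pkix.Extension` it returns is presumably what the caller compares against in the no-constraints case. The remainder of getExtensionFromPem lies outside the hunk.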
@@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIICxTCCAa0CAQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3 -DQEBAQUAA4IBDwAwggEKAoIBAQCXy2XEkqESyr8/Y2x1A7AQaQlu3wry8QSmVwcb -QYQ12xpA9derxd6f2qV+UZq/7tSwvaFfcdzbY4MTG+dq3QmlyXNEpVmzg/CbQJpQ -ae/aacnb7MEvPGQpD8eHBt14QdoH0B5qreARa/IND4I+BazEAn9yAWc9o5BQMqPb -5OGa5PMWR8apRyJrMfupMS0R3Nnmi+BP0fWepbOZHzRA6d2rbwkPBNBHQUyinxXS -oIMg/WbrG0tbps8H6PTZg3Ki+XutPm5rFJ3CKVCzIfWLFIa3jHDNbeRc359EgBI9 -r1H7ecuPKxhxewugl0NirKIaEgzc609FIP++pmm3J5P10HF7AgMBAAGgajBoBgkq -hkiG9w0BCQ4xWzBZMFcGA1UdHgEB/wRNMEuhSTAOggxleGNsdWRlZC5jb20wCocI -wKgAAP///wAwE4ERdXNlckBleGNsdWRlZC5jb20wFoYUaHR0cHM6Ly9leGNsdWRl -ZC5jb20wDQYJKoZIhvcNAQELBQADggEBABQGXpovgvk8Ag+FSv0fVcHAalNrNHkL -8kJmLjJKMjYhrI4KwkrVDwRvm96ueSfDYLMu56Vd/cLzVbqgFNEeGY+7/fwty/PK -PwjPjMC3i09D1JZjrpc2gpIxmrwP/vf1DpxPUVF5wzE9xRiYvKu3/ZHy1d3FYYgT -cpf+w2cqzt2J8imToJUtjbVTACqBwhwRrn7xyP0trvAo1tfHS4qK7urJxbuT+OAf -mYfy24EOPhpvyIyYS+lbkc9wdYT4BSIjQCFNAjcBD+/04SkHgtbFLy0i8xsKcfOy -3haWYno4zTZ0v6LAdn3CgtbvUtFBfIMjmEfsldVZpIbpuSEqjMFDGls= ------END CERTIFICATE REQUEST----- diff --git a/pkg/util/pki/testdata/nameconstraints/mixed-constraints.pem b/pkg/util/pki/testdata/nameconstraints/mixed-constraints.pem deleted file mode 100644 index 9d0888da1..000000000 --- a/pkg/util/pki/testdata/nameconstraints/mixed-constraints.pem +++ /dev/null 
@@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIIDFDCCAfwCAQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3 -DQEBAQUAA4IBDwAwggEKAoIBAQCXy2XEkqESyr8/Y2x1A7AQaQlu3wry8QSmVwcb -QYQ12xpA9derxd6f2qV+UZq/7tSwvaFfcdzbY4MTG+dq3QmlyXNEpVmzg/CbQJpQ -ae/aacnb7MEvPGQpD8eHBt14QdoH0B5qreARa/IND4I+BazEAn9yAWc9o5BQMqPb -5OGa5PMWR8apRyJrMfupMS0R3Nnmi+BP0fWepbOZHzRA6d2rbwkPBNBHQUyinxXS -oIMg/WbrG0tbps8H6PTZg3Ki+XutPm5rFJ3CKVCzIfWLFIa3jHDNbeRc359EgBI9 -r1H7ecuPKxhxewugl0NirKIaEgzc609FIP++pmm3J5P10HF7AgMBAAGggbgwgbUG -CSqGSIb3DQEJDjGBpzCBpDCBoQYDVR0eAQH/BIGWMIGToEYwDYILZXhhbXBsZS5j -b20wCocIwKgBAP///wAwEoEQdXNlckBleGFtcGxlLmNvbTAVhhNodHRwczovL2V4 -YW1wbGUuY29toUkwDoIMZXhjbHVkZWQuY29tMAqHCMCoAAD///8AMBOBEXVzZXJA -ZXhjbHVkZWQuY29tMBaGFGh0dHBzOi8vZXhjbHVkZWQuY29tMA0GCSqGSIb3DQEB -CwUAA4IBAQCEBMhHw4wbP+aBDViKtvpaMar3ZWYVuV7j2qck5yDlXYGhpTQlwg5C -XEIP7zKM1yGgCITEpA5KML4PV55rEU6TCa2E9oQfy51QQcmSTGYLjolOahpALwzn -38n9e4WBiHwDVMVsSR5Zhw2dy9tqSslAHjp3TFFCcx7gaKoTs6OOJzv784PzX7xp -Vbm68hvWwkdD0lwGJlNkykPmNGxpC1kVn6L1p7LUubWOkkqBHwgny+DW3fPtKpvO -AHpUq+yDI0oaIz6BIfn2Vs7jUSXCZIoQBwajALg9kGqh3O6+ds617+AzxGXk0LBQ -0GsHVWCimOgcqgU5Qg4K6iMUtlDU2WAW ------END CERTIFICATE REQUEST----- diff --git a/pkg/util/pki/testdata/nameconstraints/permitted-constraints.pem b/pkg/util/pki/testdata/nameconstraints/permitted-constraints.pem deleted file mode 100644 index 856690c42..000000000 --- a/pkg/util/pki/testdata/nameconstraints/permitted-constraints.pem +++ /dev/null 
@@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIICwjCCAaoCAQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3 -DQEBAQUAA4IBDwAwggEKAoIBAQCXy2XEkqESyr8/Y2x1A7AQaQlu3wry8QSmVwcb -QYQ12xpA9derxd6f2qV+UZq/7tSwvaFfcdzbY4MTG+dq3QmlyXNEpVmzg/CbQJpQ -ae/aacnb7MEvPGQpD8eHBt14QdoH0B5qreARa/IND4I+BazEAn9yAWc9o5BQMqPb -5OGa5PMWR8apRyJrMfupMS0R3Nnmi+BP0fWepbOZHzRA6d2rbwkPBNBHQUyinxXS -oIMg/WbrG0tbps8H6PTZg3Ki+XutPm5rFJ3CKVCzIfWLFIa3jHDNbeRc359EgBI9 -r1H7ecuPKxhxewugl0NirKIaEgzc609FIP++pmm3J5P10HF7AgMBAAGgZzBlBgkq -hkiG9w0BCQ4xWDBWMFQGA1UdHgEB/wRKMEigRjANggtleGFtcGxlLmNvbTAKhwjA -qAEA////ADASgRB1c2VyQGV4YW1wbGUuY29tMBWGE2h0dHBzOi8vZXhhbXBsZS5j -b20wDQYJKoZIhvcNAQELBQADggEBAG4mhMt9iOGu1LInHW7oZyD8/FILhhafO7NF -OLPLNK37yZmPWn3idIei/oooFspKspLSMqyCGgibr6jo613+6ENCHgzM/MUDrbfP -i0VmriogMVB6qF73Qozylk1HPMcNe32aKsZygFAzKT586aO/F/exMx3NlKWa36m2 -rXKPgtD+T4R+hBxmsYAGVWFlvish+L1UIXtxddna4dYHSbLBz+uZXzrxyuJgSQV3 -2wF++GJ1zOi47CEUukqQOAZKPCE59erY+vUas8hwMTHMT22D5ZGbdjg6qVBCQdqW -Nu6OGP4KFgW0HWyeGeNBzioGUeyIHFKILLvj2n94WJMqXNyT5eE= ------END CERTIFICATE REQUEST-----