Fix handling of EXFLAG_INVALID_POLICY on the leaf.
X509_policy_check returns -1 if some certificate had an unparseable
extension, in which case it sets EXFLAG_INVALID_POLICY on it. The
calling code then iterates over the certificates to find the offending
one, so the callback has a chance to undo it. But it skips i = 0, the
leaf, and instead just silently returns success.
We really should cut down on the callback's ability to mess things up
here but, in the meantime, fix this. Also add a test covering this case.
While I'm here, I've updated make_invalid_extensions.go, which I pulled
some code from, to rename fooOrPanic to mustFoo. That seems to be the
convention in the Go standard library. (regexp.MustCompile, etc.)
Change-Id: Ib07c9f4175e66483bd7c0f7d49aea931bf36e53f
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/55748
Auto-Submit: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/crypto/x509/test/make_invalid_extensions.go b/crypto/x509/test/make_invalid_extensions.go
index d0c2cee..aba2d71 100644
--- a/crypto/x509/test/make_invalid_extensions.go
+++ b/crypto/x509/test/make_invalid_extensions.go
@@ -49,9 +49,9 @@
var leafKey, intermediateKey, rootKey *ecdsa.PrivateKey
func init() {
- leafKey = ecdsaKeyFromPEMOrPanic(leafKeyPEM)
- intermediateKey = ecdsaKeyFromPEMOrPanic(intermediateKeyPEM)
- rootKey = ecdsaKeyFromPEMOrPanic(rootKeyPEM)
+ leafKey = mustParseECDSAKey(leafKeyPEM)
+ intermediateKey = mustParseECDSAKey(intermediateKeyPEM)
+ rootKey = mustParseECDSAKey(rootKeyPEM)
}
type templateAndKey struct {
@@ -59,7 +59,7 @@
key *ecdsa.PrivateKey
}
-func generateCertificateOrPanic(path string, subject, issuer *templateAndKey) []byte {
+func mustGenerateCertificate(path string, subject, issuer *templateAndKey) []byte {
cert, err := x509.CreateCertificate(rand.Reader, &subject.template, &issuer.template, &subject.key.PublicKey, issuer.key)
if err != nil {
panic(err)
@@ -135,9 +135,9 @@
}
// Generate a valid certificate chain from the templates.
- generateCertificateOrPanic("invalid_extension_root.pem", &root, &root)
- generateCertificateOrPanic("invalid_extension_intermediate.pem", &intermediate, &root)
- leafDER := generateCertificateOrPanic("invalid_extension_leaf.pem", &leaf, &intermediate)
+ mustGenerateCertificate("invalid_extension_root.pem", &root, &root)
+ mustGenerateCertificate("invalid_extension_intermediate.pem", &intermediate, &root)
+ leafDER := mustGenerateCertificate("invalid_extension_leaf.pem", &leaf, &intermediate)
leafCert, err := x509.ParseCertificate(leafDER)
if err != nil {
@@ -151,15 +151,15 @@
rootInvalid := root
rootInvalid.template.ExtraExtensions = invalidExtension
- generateCertificateOrPanic(fmt.Sprintf("invalid_extension_root_%s.pem", ext.name), &rootInvalid, &rootInvalid)
+ mustGenerateCertificate(fmt.Sprintf("invalid_extension_root_%s.pem", ext.name), &rootInvalid, &rootInvalid)
intermediateInvalid := intermediate
intermediateInvalid.template.ExtraExtensions = invalidExtension
- generateCertificateOrPanic(fmt.Sprintf("invalid_extension_intermediate_%s.pem", ext.name), &intermediateInvalid, &root)
+ mustGenerateCertificate(fmt.Sprintf("invalid_extension_intermediate_%s.pem", ext.name), &intermediateInvalid, &root)
leafInvalid := leaf
leafInvalid.template.ExtraExtensions = invalidExtension
- generateCertificateOrPanic(fmt.Sprintf("invalid_extension_leaf_%s.pem", ext.name), &leafInvalid, &intermediate)
+ mustGenerateCertificate(fmt.Sprintf("invalid_extension_leaf_%s.pem", ext.name), &leafInvalid, &intermediate)
// Additionally generate a copy of the leaf certificate with extra data in
// the extension.
@@ -177,7 +177,7 @@
leafTrailingData := leaf
leafTrailingData.template.ExtraExtensions = trailingDataExtension
- generateCertificateOrPanic(fmt.Sprintf("trailing_data_leaf_%s.pem", ext.name), &leafTrailingData, &intermediate)
+ mustGenerateCertificate(fmt.Sprintf("trailing_data_leaf_%s.pem", ext.name), &leafTrailingData, &intermediate)
}
}
@@ -199,7 +199,7 @@
ChRYI6IeV9tIB6jIsOY+Qol1bk8x/7A5FGOnUWFVLEAPEPSJwPndjolt
-----END PRIVATE KEY-----`
-func ecdsaKeyFromPEMOrPanic(in string) *ecdsa.PrivateKey {
+func mustParseECDSAKey(in string) *ecdsa.PrivateKey {
keyBlock, _ := pem.Decode([]byte(in))
if keyBlock == nil || keyBlock.Type != "PRIVATE KEY" {
panic("could not decode private key")