enforce certificate correctness in TBSCertificate.SignWith #1266
Conversation
| if n.Addr().Zone() != "" { | ||
| return fmt.Errorf("unsafe_networks may not contain zones: %s", n) | ||
| } | ||
| //todo are unsafe networks that overlap networks allowed? |
There was a problem hiding this comment.
Yes, you might have 10.0.0.0/8 point to one host but 10.0.0.0/16 to another, it makes less sense to have overlapping in a CA certificate but that's also fine.
| @@ -76,15 +76,89 @@ func (t *TBSCertificate) Sign(signer Certificate, curve Curve, key []byte) (Cert | |||
| } | |||
| } | |||
|
|
|||
| // readyToSign checks all signing requirements that don't require us to cross-reference with a CA | |||
| func (t *TBSCertificate) readyToSign() error { | |||
There was a problem hiding this comment.
I had started on this validation in cert_v1.go and cert_v2.go specifically that way we don't accidentally leak rules from one version to the other that shouldn't apply. We also need to do these things at unmarshal (or at a minimum at handshake and cert loading time) to ensure we are working with a valid certificate.
There was a problem hiding this comment.
ah yeah nice catch, I'll move this
| if t.Version == Version1 { | ||
| return fmt.Errorf("certificate v1 may not contain IPv6 unsafe networks: %v", t.Networks) | ||
| } | ||
| if !hasV6Networks && !t.IsCA { |
There was a problem hiding this comment.
I don't disagree but I am curious if this will haunt us in the future
| return fmt.Errorf("IPv6 unsafe networks require an IPv6 address assignment") | ||
| } | ||
| } else if n.Addr().Is4() { | ||
| if !hasV4Networks && !t.IsCA { |
There was a problem hiding this comment.
I don't disagree but I am curious if this will haunt us in the future
No description provided.