fix: fix the certs validation in trust store (#147)

binbin-li · web-flow · commit 84d4de1c2173 · 2022-09-23T21:54:10.000+08:00
Signed-off-by: Binbin Li &lt;libinbin@microsoft.com&gt;
diff --git a/verification/store.go b/verification/store.go
@@ -52,14 +52,8 @@ func LoadX509TrustStore(path string) (*X509TrustStore, error) {
 			return nil, fmt.Errorf("error while reading certificates from %q: %w", joinedPath, err)
 		}
 
-		// to prevent any trust store misconfigurations, ensure there is at least one certificate from each file
-		if len(certs) < 1 {
-			return nil, fmt.Errorf("could not parse a certificate from %q, every file in a trust store must have a PEM or DER certificate in it", joinedPath)
-		}
-		for _, cert := range certs {
-			if !cert.IsCA {
-				return nil, fmt.Errorf("certificate with subject %q from file %q is not a CA certificate, only CA certificates (BasicConstraint CA=True) are allowed", cert.Subject, joinedPath)
-			}
+		if err := validateCerts(certs, joinedPath); err != nil {
+			return nil, err
 		}
 
 		trustStore.Certificates = append(trustStore.Certificates, certs...)
@@ -75,3 +69,25 @@ func LoadX509TrustStore(path string) (*X509TrustStore, error) {
 
 	return &trustStore, nil
 }
+
+func validateCerts(certs []*x509.Certificate, path string) error {
+	// to prevent any trust store misconfigurations, ensure there is at least
+	// one certificate from each file.
+	if len(certs) < 1 {
+		return fmt.Errorf("could not parse a certificate from %q, every file in a trust store must have a PEM or DER certificate in it", path)
+	}
+
+	for _, cert := range certs {
+		if !cert.IsCA {
+			if err := cert.CheckSignatureFrom(cert); err != nil {
+				return fmt.Errorf(
+					"certificate with subject %q from file %q is not a CA certificate or self-signed signing certificate",
+					cert.Subject,
+					path,
+				)
+			}
+		}
+	}
+
+	return nil
+}
diff --git a/verification/store_test.go b/verification/store_test.go
@@ -68,7 +68,16 @@ func TestLoadTrustStoreWithLeafCerts(t *testing.T) {
 	path := filepath.FromSlash("testdata/truststore/x509/trust-store-with-leaf-certs")
 	failurePath := filepath.FromSlash("testdata/truststore/x509/trust-store-with-leaf-certs/non-ca.crt")
 	_, err := LoadX509TrustStore(path)
-	if err == nil || err.Error() != fmt.Sprintf("certificate with subject \"CN=lol,OU=lol,O=lol,L=lol,ST=Some-State,C=AU,1.2.840.113549.1.9.1=#13036c6f6c\" from file %q is not a CA certificate, only CA certificates (BasicConstraint CA=True) are allowed", failurePath) {
+	if err == nil || err.Error() != fmt.Sprintf("certificate with subject \"CN=wabbit-networks.io,O=Notary,L=Seattle,ST=WA,C=US\" from file %q is not a CA certificate or self-signed signing certificate", failurePath) {
+		t.Fatalf("leaf cert in a trust store should return error : %q", err)
+	}
+}
+
+func TestLoadTrustStoreWithLeafCertsInSingleFile(t *testing.T) {
+	path := filepath.FromSlash("testdata/truststore/x509/trust-store-with-leaf-certs-in-single-file")
+	failurePath := filepath.FromSlash("testdata/truststore/x509/trust-store-with-leaf-certs-in-single-file/RootAndLeafCerts.crt")
+	_, err := LoadX509TrustStore(path)
+	if err == nil || err.Error() != fmt.Sprintf("certificate with subject \"CN=wabbit-networks.io,O=Notary,L=Seattle,ST=WA,C=US\" from file %q is not a CA certificate or self-signed signing certificate", failurePath) {
 		t.Fatalf("leaf cert in a trust store should return error : %q", err)
 	}
 }
diff --git a/verification/testdata/truststore/x509/trust-store-with-leaf-certs-in-single-file/RootAndLeafCerts.crt b/verification/testdata/truststore/x509/trust-store-with-leaf-certs-in-single-file/RootAndLeafCerts.crt
@@ -0,0 +1,43 @@
+-----BEGIN CERTIFICATE-----
+MIIDejCCAmKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBdMQswCQYDVQQGEwJVUzEL
+MAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEe
+MBwGA1UEAxMVd2FiYml0LW5ldHdvcmtzLmlvIENBMB4XDTIyMDkyMDA2MzExM1oX
+DTIyMDkyMTA2MzExM1owWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD
+VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZOb3RhcnkxGzAZBgNVBAMTEndhYmJpdC1u
+ZXR3b3Jrcy5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALiZp5O+
+6YtaNO5GbWaZUxvJPXktJ7k7LBX5G/Kn6eh9JkJln1agqbax9MRDB/5YCdQBKMBq
+NE2wYIwmCs7ArFU5DxvRhoBnCGLjcsIZ9pfaZ6lBppEvxMmUAYDmgjze0J13PwRp
+WAZMfBlisZnJAWokgE5sWtggUXURyFk67H0R+4sWlm8SSZOiJCA/e0bYPCHTfFA/
+2zg6koNRSwvI6zvftGnnJ9ny0BTuGOjZ6lDfIX5awFrgRdO8wmwejo4oJ45tUotF
+/Rt/yHkmjdGhONbJjcMLf9AIyVwMHg6t6mj2SYbHqzIyTcpjk90HgeiU5eS5JMqj
+Jkug5U9XrGGCqIcCAwEAAaNIMEYwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoG
+CCsGAQUFBwMDMB8GA1UdIwQYMBaAFLAy4Il5S9zOd/AMWF8hATmldAjYMA0GCSqG
+SIb3DQEBCwUAA4IBAQBLYBnSuMNCzzLmeqH/wBr6kKUtF10AN9VF8/3iZW8iCj4B
+Bx7VDq7iZR/G9UTLsWdZqkkxnOGu4QffBHz2Lc1v9D923EEPDAP5mJYvUchvdXYT
+lmyQr9QEjRC6IFhlBB27Bi207QJ8UxYgmbseQ3FQFE16Usdmlg9iWDn5tx/DZn9/
+yUd81yKKYp2uLx0x2sQDJh61QSZB6jtzjN7w4Xax2NViabLaH7raMrDbIqigkXJh
+iXG9fWx1Ax7S3dJVIglbZGPgYDW14Ass40gs8vcOBg8CwszrKiEuwp20d12Ky87/
+0pLsOWJmcNyXbd3gztX01N1frSEbvTBJNI9E/jmI
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDjzCCAnegAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQswCQYDVQQGEwJVUzEL
+MAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEe
+MBwGA1UEAxMVd2FiYml0LW5ldHdvcmtzLmlvIENBMB4XDTIyMDkyMDA2MzExM1oX
+DTIyMTAyMDA2MzExM1owXTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD
+VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZOb3RhcnkxHjAcBgNVBAMTFXdhYmJpdC1u
+ZXR3b3Jrcy5pbyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKNM
+3dUToC4TyegGMw47ax9aZt13pQgTeV7xZbVsOmZiv/8gZ9tEZWgQbvBJrWUH8y4o
+eQLCVQOTESNP2TSyTqizNtG1ex6YfSpWKSqUkfGX2II9xCX8hNXZqTphAjrGGf2Z
+EOLRIIkbhjkuiAR+7q4TF/KJhdfYD1HQBJ2PF92egV5JEZTrxIjVIi+WK19VKSwx
+m7oFiijve4VPaQYQnWgj0dk+Tn9cMB/OMX6cszoJbn98ogQIvWaY3dd1qba4uGJ9
+vmkNKDJcUd1PbkaVlikXC4UM+PxXy7/ZvSihOXurAPIChS6JgWC8Ru2vxm9SC+BN
+5J/hr92W2TdsrvLkrc8CAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQM
+MAoGCCsGAQUFBwMDMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFLAy4Il5
+S9zOd/AMWF8hATmldAjYMA0GCSqGSIb3DQEBCwUAA4IBAQCTf6GbT5Z0x5ciNr9i
+8i+QsIAg7ZHzv5RLLJuocGcKwbdi+btU6BPl/X4U5ZB6OArv4oiyPSbECoxkgGRq
+cj+mfzXdm/3jEyRskHDfoxcJFYmcBsEykS7DoLYEy5HxgKSaGOLl4dMWbbj/E8mR
+e9XC5ruvPNZX52pQMqSqUUTYlbR4YQojsp7ShcLLD/Iea90wXk44+wHAKNFpwkN1
+h5JMlYm+jKkol6u/Nmd3vNqhzrL91ZLPVtSWpfsBxh7l4BsDns2uPl+/fgCav9MJ
+jUkWJbEaDPY5bSbHDhCbxMO37VbvkkFUvz7lfKAkXj6DnkPzMj3++KTFNdw3fJ4+
+WzLe
+-----END CERTIFICATE-----
diff --git a/verification/testdata/truststore/x509/trust-store-with-leaf-certs/GlobalSignRootCA.crt b/verification/testdata/truststore/x509/trust-store-with-leaf-certs/GlobalSignRootCA.crt
@@ -1,21 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G
-A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp
-Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4
-MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEG
-A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8
-RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsT
-gHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm
-KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zd
-QQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZ
-XriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAw
-DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o
-LkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZU
-RUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMp
-jjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK
-6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQX
-mcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecs
-Mx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpH
-WD9f
+MIIDjzCCAnegAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQswCQYDVQQGEwJVUzEL
+MAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEe
+MBwGA1UEAxMVd2FiYml0LW5ldHdvcmtzLmlvIENBMB4XDTIyMDkyMDA2MzExM1oX
+DTIyMTAyMDA2MzExM1owXTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD
+VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZOb3RhcnkxHjAcBgNVBAMTFXdhYmJpdC1u
+ZXR3b3Jrcy5pbyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKNM
+3dUToC4TyegGMw47ax9aZt13pQgTeV7xZbVsOmZiv/8gZ9tEZWgQbvBJrWUH8y4o
+eQLCVQOTESNP2TSyTqizNtG1ex6YfSpWKSqUkfGX2II9xCX8hNXZqTphAjrGGf2Z
+EOLRIIkbhjkuiAR+7q4TF/KJhdfYD1HQBJ2PF92egV5JEZTrxIjVIi+WK19VKSwx
+m7oFiijve4VPaQYQnWgj0dk+Tn9cMB/OMX6cszoJbn98ogQIvWaY3dd1qba4uGJ9
+vmkNKDJcUd1PbkaVlikXC4UM+PxXy7/ZvSihOXurAPIChS6JgWC8Ru2vxm9SC+BN
+5J/hr92W2TdsrvLkrc8CAwEAAaNaMFgwDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQM
+MAoGCCsGAQUFBwMDMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFLAy4Il5
+S9zOd/AMWF8hATmldAjYMA0GCSqGSIb3DQEBCwUAA4IBAQCTf6GbT5Z0x5ciNr9i
+8i+QsIAg7ZHzv5RLLJuocGcKwbdi+btU6BPl/X4U5ZB6OArv4oiyPSbECoxkgGRq
+cj+mfzXdm/3jEyRskHDfoxcJFYmcBsEykS7DoLYEy5HxgKSaGOLl4dMWbbj/E8mR
+e9XC5ruvPNZX52pQMqSqUUTYlbR4YQojsp7ShcLLD/Iea90wXk44+wHAKNFpwkN1
+h5JMlYm+jKkol6u/Nmd3vNqhzrL91ZLPVtSWpfsBxh7l4BsDns2uPl+/fgCav9MJ
+jUkWJbEaDPY5bSbHDhCbxMO37VbvkkFUvz7lfKAkXj6DnkPzMj3++KTFNdw3fJ4+
+WzLe
 -----END CERTIFICATE-----
diff --git a/verification/testdata/truststore/x509/trust-store-with-leaf-certs/non-ca.crt b/verification/testdata/truststore/x509/trust-store-with-leaf-certs/non-ca.crt
@@ -1,21 +1,21 @@
 -----BEGIN CERTIFICATE-----
-MIIDZTCCAk0CFDdMWsovoK72JCA5YAxXSF+aTb50MA0GCSqGSIb3DQEBCwUAMG4x
-CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMQwwCgYDVQQHDANsb2wx
-DDAKBgNVBAoMA2xvbDEMMAoGA1UECwwDbG9sMQwwCgYDVQQDDANsb2wxEjAQBgkq
-hkiG9w0BCQEWA2xvbDAgFw0yMjA1MjQxOTE2NDFaGA8yMTIyMDQzMDE5MTY0MVow
-bjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxDDAKBgNVBAcMA2xv
-bDEMMAoGA1UECgwDbG9sMQwwCgYDVQQLDANsb2wxDDAKBgNVBAMMA2xvbDESMBAG
-CSqGSIb3DQEJARYDbG9sMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-wre/7J4WeS0UwcOKe4qv4pcsl0mbG2riLAWv4E3ZhMdJdzCYYk6+k8NjY05AR6AQ
-KbRw8Ree1lsHa7hXfL5Gg8sER4Gq4vMN9VBqbljWI7KNsd9C16wTTlZEJaaery5j
-3GI0Co59rYjt9FcoqilkJuWnxr7+m7qdnFFa5ASoPQJPwE1LF1Aq1iTUdxeMxIO7
-wlu7hNfWom33JS71rnlfIx5/ja0r+LrJ8M0YfjFmBlTP6SBHtSLhV3W0eNZLEGF1
-iuULYrpbo51fT4f5j1T6gtAlCDMgBzg1aItargqz2SsG1j3OAt5HsJgVViF+xC02
-tsHRhkkLQELsTZUg/QpyIwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBVntmzsNiu
-QlXqwATAGVZ2MGxziXXVTqG/nbBGFJy1Ge3VEjMgu9AqJEBSlPXTDU1jQvSLlyvg
-+381CyeBuXrrvTjUziM398s3QqZqDrs3eyW9j4AuOicRao4Dfu/HP7cCWQemuOB4
-yihhGdaJMlExhV0fsi36OJZOw6fasvAsnjr+S1IkojxNRJLhpduAC6IY1s1/SRgn
-5u3/5erMgmVCnJSlIDkGSJZzCXhzSDgW4ui3VB//+JsO1OsP0p2kzftXOQpcEaEh
-DVnY2YybASxFJTXAFo3CKIoaeOW30fGCKi2hzocK0w5ky18703/lN/Bx2CPFVS8e
-dP9/ttZCG47o
+MIIDejCCAmKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBdMQswCQYDVQQGEwJVUzEL
+MAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEe
+MBwGA1UEAxMVd2FiYml0LW5ldHdvcmtzLmlvIENBMB4XDTIyMDkyMDA2MzExM1oX
+DTIyMDkyMTA2MzExM1owWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD
+VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZOb3RhcnkxGzAZBgNVBAMTEndhYmJpdC1u
+ZXR3b3Jrcy5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALiZp5O+
+6YtaNO5GbWaZUxvJPXktJ7k7LBX5G/Kn6eh9JkJln1agqbax9MRDB/5YCdQBKMBq
+NE2wYIwmCs7ArFU5DxvRhoBnCGLjcsIZ9pfaZ6lBppEvxMmUAYDmgjze0J13PwRp
+WAZMfBlisZnJAWokgE5sWtggUXURyFk67H0R+4sWlm8SSZOiJCA/e0bYPCHTfFA/
+2zg6koNRSwvI6zvftGnnJ9ny0BTuGOjZ6lDfIX5awFrgRdO8wmwejo4oJ45tUotF
+/Rt/yHkmjdGhONbJjcMLf9AIyVwMHg6t6mj2SYbHqzIyTcpjk90HgeiU5eS5JMqj
+Jkug5U9XrGGCqIcCAwEAAaNIMEYwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoG
+CCsGAQUFBwMDMB8GA1UdIwQYMBaAFLAy4Il5S9zOd/AMWF8hATmldAjYMA0GCSqG
+SIb3DQEBCwUAA4IBAQBLYBnSuMNCzzLmeqH/wBr6kKUtF10AN9VF8/3iZW8iCj4B
+Bx7VDq7iZR/G9UTLsWdZqkkxnOGu4QffBHz2Lc1v9D923EEPDAP5mJYvUchvdXYT
+lmyQr9QEjRC6IFhlBB27Bi207QJ8UxYgmbseQ3FQFE16Usdmlg9iWDn5tx/DZn9/
+yUd81yKKYp2uLx0x2sQDJh61QSZB6jtzjN7w4Xax2NViabLaH7raMrDbIqigkXJh
+iXG9fWx1Ax7S3dJVIglbZGPgYDW14Ass40gs8vcOBg8CwszrKiEuwp20d12Ky87/
+0pLsOWJmcNyXbd3gztX01N1frSEbvTBJNI9E/jmI
 -----END CERTIFICATE-----
