Support name constraints

glasserc · glasserc · commit c7279e56fea8 · 2019-10-28T17:55:36.000-04:00
diff --git a/autograph_utils/__init__.py b/autograph_utils/__init__.py
@@ -181,6 +181,20 @@ def detail(self):
         return f"Unknown public key type for {self.cert!r}: {self.key!r}"
 
 
+class CertificateChainNameNotPermitted(BadCertificate):
+    def __init__(self, permitted_subtrees, current, next):
+        self.permitted_subtrees = permitted_subtrees
+        self.current = current
+        self.next = next
+
+    @property
+    def detail(self):
+        return (
+            f"Certificate name of {self.next!r} does not match the permitted names "
+            f"for {self.current!r}: {self.permitted_subtrees!r}"
+        )
+
+
 class CertificateLeafHasWrongKeyUsage(BadCertificate):
     def __init__(self, cert, key_usage):
         self.cert = cert
@@ -194,6 +208,20 @@ def detail(self):
         )
 
 
+class CertificateChainNameExcluded(BadCertificate):
+    def __init__(self, excluded_subtrees, current, next):
+        self.excluded_subtrees = excluded_subtrees
+        self.current = current
+        self.next = next
+
+    @property
+    def detail(self):
+        return (
+            f"Certificate name of {self.next!r} matches the excluded names "
+            f"for {self.current!r}: {self.excluded_subtrees!r}"
+        )
+
+
 class BadSignature(Exception):
     detail = "Unknown signature problem"
 
@@ -317,6 +345,7 @@ async def verify_x5u(self, url):
         current_cert = chain[0]
         for next_cert in chain[1:]:
             self._verify_cert_link(current_cert, next_cert)
+            self._check_name_constraints(current_cert, next_cert)
 
             current_cert = next_cert
 
@@ -368,6 +397,51 @@ def _verify_cert_link(self, current_cert, next_cert):
         else:
             raise CertificateUnknownPublicKey(current_cert, key)
 
+    def _check_name_constraints(self, current_cert, next_cert):
+        try:
+            nc = current_cert.extensions.get_extension_for_class(
+                cryptography.x509.NameConstraints
+            ).value
+        except x509.ExtensionNotFound:
+            return
+
+        name = next_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
+        if nc.permitted_subtrees:
+            for constraint in nc.permitted_subtrees:
+                if _name_constraint_matches(name, constraint):
+                    break
+            else:
+                raise CertificateChainNameNotPermitted(
+                    nc.permitted_subtrees, current=current_cert, next=next_cert
+                )
+
+        excluded_subtrees = nc.excluded_subtrees or []
+
+        for constraint in excluded_subtrees:
+            if _name_constraint_matches(name, constraint):
+                raise CertificateChainNameExcluded(
+                    nc.excluded_subtrees, current=current_cert, next=next_cert
+                )
+
+
+def _name_constraint_matches(hostname, name_constraint):
+    """Check if a name matches a constraint.
+
+    Taken from
+    https://github.com/alex/x509-validator/blob/master/validator.py.
+
+    """
+    if not isinstance(name_constraint, x509.DNSName):
+        return False
+    constraint_hostname = name_constraint.value
+
+    if constraint_hostname.startswith("."):
+        return hostname.endswith(constraint_hostname)
+    else:
+        return hostname == constraint_hostname or hostname.endswith(
+            "." + constraint_hostname
+        )
+
 
 def split_pem(s):
     """Split a string containing many ASCII-armored PEM structures.
diff --git a/tests/test_autograph_utils.py b/tests/test_autograph_utils.py
@@ -313,6 +313,78 @@ async def test_unknown_key(aiohttp_session, mock_with_x5u, cache, now_fixed):
     assert excinfo.value.key == mock_intermediate.public_key()
 
 
+async def test_verify_name_constraints_raises(
+    aiohttp_session, mock_with_x5u, cache, now_fixed
+):
+    certs = [
+        cryptography.x509.load_pem_x509_certificate(pem, backend=default_backend())
+        for pem in STAGE_CERT_LIST
+    ]
+    # Intermediate cert has the name constraint.
+    intermediate = certs[1]
+    # Change name of leaf cert.
+    mock_leaf = mock_cert(certs[0])
+    fake_name = mock.Mock()
+    fake_name.value = "bazinga.allizom.org"
+    mock_leaf.subject = mock.Mock()
+    mock_leaf.subject.get_attributes_for_oid.return_value = [fake_name]
+    certs[0] = mock_leaf
+
+    with mock.patch("cryptography.x509.load_pem_x509_certificate") as load_cert_mock:
+        load_cert_mock.side_effect = lambda *args, **kwargs: certs.pop(0)
+        s = SignatureVerifier(aiohttp_session, cache, STAGE_ROOT_HASH)
+        with pytest.raises(autograph_utils.CertificateChainNameNotPermitted) as excinfo:
+            await s.verify_x5u(FAKE_CERT_URL)
+
+    assert " does not match the permitted names " in excinfo.value.detail
+    assert excinfo.value.current == intermediate
+    assert excinfo.value.next == mock_leaf
+
+
+async def test_verify_name_constraints_excludes(
+    aiohttp_session, mock_with_x5u, cache, now_fixed
+):
+    certs = [
+        cryptography.x509.load_pem_x509_certificate(pem, backend=default_backend())
+        for pem in STAGE_CERT_LIST
+    ]
+    # Intermediate cert has the name constraint.
+    real_intermediate = certs[1]
+    real_constraints = real_intermediate.extensions.get_extension_for_class(
+        cryptography.x509.NameConstraints
+    ).value
+
+    # Reverse meaning of constraints.
+    def get_extension_mock(x509_cls):
+        if x509_cls == cryptography.x509.NameConstraints:
+            reversed = mock.Mock()
+            reversed.permitted_subtrees = real_constraints.excluded_subtrees
+            reversed.excluded_subtrees = real_constraints.permitted_subtrees
+
+            m = mock.Mock()
+            m.value = reversed
+            return m
+
+        return real_intermediate.get_extension_for_class(x509_cls)
+
+    intermediate = mock_cert(real_intermediate)
+    intermediate.extensions = mock.Mock()
+    intermediate.extensions.get_extension_for_class.side_effect = get_extension_mock
+    certs[1] = intermediate
+
+    leaf = certs[0]
+
+    with mock.patch("cryptography.x509.load_pem_x509_certificate") as load_cert_mock:
+        load_cert_mock.side_effect = lambda *args, **kwargs: certs.pop(0)
+        s = SignatureVerifier(aiohttp_session, cache, STAGE_ROOT_HASH)
+        with pytest.raises(autograph_utils.CertificateChainNameExcluded) as excinfo:
+            await s.verify_x5u(FAKE_CERT_URL)
+
+    assert " matches the excluded names " in excinfo.value.detail
+    assert excinfo.value.current == intermediate
+    assert excinfo.value.next == leaf
+
+
 async def test_verify_leaf_code_signing(
     aiohttp_session, mock_with_x5u, cache, now_fixed
 ):
