Inicio Explorar Axuda
Iniciar sesión
golang
/
nebula
réplica de https://github.com/slackhq/nebula
2
0
Fork 0
Ficheiros Incidencias 0 Wiki
Explorar o código

Support root IP assertions in cert.Verify

Nate Brown %!s(int64=5) %!d(string=hai) anos
pai
8b2ee5cf34
achega
98d92ee4cf
Modificáronse 2 ficheiros con 230 adicións e 23 borrados
Dividir vista Mostrar estatísticas de Diff
  1. 68 1
      cert/cert.go
  2. 162 22
      cert/cert_test.go

+ 68 - 1
cert/cert.go
Ver ficheiro 

@@ -271,7 +271,25 @@ func (nc *NebulaCertificate) Verify(t time.Time, ncp *NebulaCAPool) (bool, error
 
 	if len(signer.Details.InvertedGroups) > 0 {
 
 		for _, g := range nc.Details.Groups {
 
 			if _, ok := signer.Details.InvertedGroups[g]; !ok {
 
-				return false, fmt.Errorf("certificate contained a group not present on the signing ca; %s", g)
 
+				return false, fmt.Errorf("certificate contained a group not present on the signing ca: %s", g)
 
+			}
 
+		}
 
+	}
 
+
 
+	// If the signer has a limited set of ip ranges to issue from make sure the cert only contains a subset
 
+	if len(signer.Details.Ips) > 0 {
 
+		for _, ip := range nc.Details.Ips {
 
+			if !netMatch(ip, signer.Details.Ips) {
 
+				return false, fmt.Errorf("certificate contained an ip assignment outside the limitations of the signing ca: %s", ip.String())
 
+			}
 
+		}
 
+	}
 
+
 
+	// If the signer has a limited set of subnet ranges to issue from make sure the cert only contains a subset
 
+	if len(signer.Details.Subnets) > 0 {
 
+		for _, subnet := range nc.Details.Subnets {
 
+			if !netMatch(subnet, signer.Details.Subnets) {
 
+				return false, fmt.Errorf("certificate contained a subnet assignment outside the limitations of the signing ca: %s", subnet)
 
 			}
 
 		}
 
 	}
 
@@ -431,6 +449,55 @@ func (nc *NebulaCertificate) MarshalJSON() ([]byte, error) {
 
 	return json.Marshal(jc)
 
 }
 
 
+func netMatch(certIp *net.IPNet, rootIps []*net.IPNet) bool {
 
+	for _, net := range rootIps {
 
+		if net.Contains(certIp.IP) && maskContains(net.Mask, certIp.Mask) {
 
+			return true
 
+		}
 
+	}
 
+
 
+	return false
 
+}
 
+
 
+func maskContains(caMask, certMask net.IPMask) bool {
 
+	caM := maskTo4(caMask)
 
+	cM := maskTo4(certMask)
 
+	// Make sure forcing to ipv4 didn't nuke us
 
+	if caM == nil || cM == nil {
 
+		return false
 
+	}
 
+
 
+	// Make sure the cert mask is not greater than the ca mask
 
+	for i := 0; i < len(caMask); i++ {
 
+		if caM[i] > cM[i] {
 
+			return false
 
+		}
 
+	}
 
+
 
+	return true
 
+}
 
+
 
+func maskTo4(ip net.IPMask) net.IPMask {
 
+	if len(ip) == net.IPv4len {
 
+		return ip
 
+	}
 
+
 
+	if len(ip) == net.IPv6len && isZeros(ip[0:10]) && ip[10] == 0xff && ip[11] == 0xff {
 
+		return ip[12:16]
 
+	}
 
+
 
+	return nil
 
+}
 
+
 
+func isZeros(b []byte) bool {
 
+	for i := 0; i < len(b); i++ {
 
+		if b[i] != 0 {
 
+			return false
 
+		}
 
+	}
 
+	return true
 
+}
 
+
 
 func ip2int(ip []byte) uint32 {
 
 	if len(ip) == 16 {
 
 		return binary.BigEndian.Uint32(ip[12:16])

+ 162 - 22
cert/cert_test.go
Ver ficheiro 

@@ -158,10 +158,10 @@ func TestNebulaCertificate_MarshalJSON(t *testing.T) {
 
 }
 
 
 func TestNebulaCertificate_Verify(t *testing.T) {
 
-	ca, _, caKey, err := newTestCaCert()
 
+	ca, _, caKey, err := newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), []*net.IPNet{}, []*net.IPNet{}, []string{})
 
 	assert.Nil(t, err)
 
 
-	c, _, _, err := newTestCert(ca, caKey)
 
+	c, _, _, err := newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{}, []*net.IPNet{}, []string{})
 
 	assert.Nil(t, err)
 
 
 	h, err := ca.Sha256Sum()
 
@@ -186,13 +186,120 @@ func TestNebulaCertificate_Verify(t *testing.T) {
 
 	v, err = c.Verify(time.Now().Add(time.Hour*1000), caPool)
 
 	assert.False(t, v)
 
 	assert.EqualError(t, err, "root certificate is expired")
 
+
 
+	c, _, _, err = newTestCert(ca, caKey, time.Time{}, time.Time{}, []*net.IPNet{}, []*net.IPNet{}, []string{})
 
+	assert.Nil(t, err)
 
+	v, err = c.Verify(time.Now().Add(time.Minute*6), caPool)
 
+	assert.False(t, v)
 
+	assert.EqualError(t, err, "certificate is expired")
 
+
 
+	// Test group assertion
 
+	ca, _, caKey, err = newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), []*net.IPNet{}, []*net.IPNet{}, []string{"test1", "test2"})
 
+	assert.Nil(t, err)
 
+
 
+	caPem, err := ca.MarshalToPEM()
 
+	assert.Nil(t, err)
 
+
 
+	caPool = NewCAPool()
 
+	caPool.AddCACertificate(caPem)
 
+
 
+	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{}, []*net.IPNet{}, []string{"test1", "bad"})
 
+	assert.Nil(t, err)
 
+	v, err = c.Verify(time.Now(), caPool)
 
+	assert.False(t, v)
 
+	assert.EqualError(t, err, "certificate contained a group not present on the signing ca: bad")
 
+
 
+	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{}, []*net.IPNet{}, []string{"test1"})
 
+	assert.Nil(t, err)
 
+	v, err = c.Verify(time.Now(), caPool)
 
+	assert.True(t, v)
 
+	assert.Nil(t, err)
 
+}
 
+
 
+func TestNebulaCertificate_Verify_IPs(t *testing.T) {
 
+	_, caIp1, _ := net.ParseCIDR("10.0.0.0/16")
 
+	_, caIp2, _ := net.ParseCIDR("192.168.0.0/24")
 
+	ca, _, caKey, err := newTestCaCert(time.Now(), time.Now().Add(10*time.Minute), []*net.IPNet{caIp1, caIp2}, []*net.IPNet{}, []string{"test"})
 
+	assert.Nil(t, err)
 
+
 
+	caPem, err := ca.MarshalToPEM()
 
+	assert.Nil(t, err)
 
+
 
+	caPool := NewCAPool()
 
+	caPool.AddCACertificate(caPem)
 
+
 
+	// ip is outside the network
 
+	cIp1 := &net.IPNet{IP: net.ParseIP("10.1.0.0"), Mask: []byte{255, 255, 255, 0}}
 
+	cIp2 := &net.IPNet{IP: net.ParseIP("192.168.0.1"), Mask: []byte{255, 255, 0, 0}}
 
+	c, _, _, err := newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{cIp1, cIp2}, []*net.IPNet{}, []string{"test"})
 
+	assert.Nil(t, err)
 
+	v, err := c.Verify(time.Now(), caPool)
 
+	assert.False(t, v)
 
+	assert.EqualError(t, err, "certificate contained an ip assignment outside the limitations of the signing ca: 10.1.0.0/24")
 
+
 
+	// ip is outside the network reversed order of above
 
+	cIp1 = &net.IPNet{IP: net.ParseIP("192.168.0.1"), Mask: []byte{255, 255, 255, 0}}
 
+	cIp2 = &net.IPNet{IP: net.ParseIP("10.1.0.0"), Mask: []byte{255, 255, 255, 0}}
 
+	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{cIp1, cIp2}, []*net.IPNet{}, []string{"test"})
 
+	assert.Nil(t, err)
 
+	v, err = c.Verify(time.Now(), caPool)
 
+	assert.False(t, v)
 
+	assert.EqualError(t, err, "certificate contained an ip assignment outside the limitations of the signing ca: 10.1.0.0/24")
 
+
 
+	// ip is within the network but mask is outside
 
+	cIp1 = &net.IPNet{IP: net.ParseIP("10.0.1.0"), Mask: []byte{255, 254, 0, 0}}
 
+	cIp2 = &net.IPNet{IP: net.ParseIP("192.168.0.1"), Mask: []byte{255, 255, 255, 0}}
 
+	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{cIp1, cIp2}, []*net.IPNet{}, []string{"test"})
 
+	assert.Nil(t, err)
 
+	v, err = c.Verify(time.Now(), caPool)
 
+	assert.False(t, v)
 
+	assert.EqualError(t, err, "certificate contained an ip assignment outside the limitations of the signing ca: 10.0.1.0/15")
 
+
 
+	// ip is within the network but mask is outside reversed order of above
 
+	cIp1 = &net.IPNet{IP: net.ParseIP("192.168.0.1"), Mask: []byte{255, 255, 255, 0}}
 
+	cIp2 = &net.IPNet{IP: net.ParseIP("10.0.1.0"), Mask: []byte{255, 254, 0, 0}}
 
+	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{cIp1, cIp2}, []*net.IPNet{}, []string{"test"})
 
+	assert.Nil(t, err)
 
+	v, err = c.Verify(time.Now(), caPool)
 
+	assert.False(t, v)
 
+	assert.EqualError(t, err, "certificate contained an ip assignment outside the limitations of the signing ca: 10.0.1.0/15")
 
+
 
+	// ip and mask are within the network
 
+	cIp1 = &net.IPNet{IP: net.ParseIP("10.0.1.0"), Mask: []byte{255, 255, 0, 0}}
 
+	cIp2 = &net.IPNet{IP: net.ParseIP("192.168.0.1"), Mask: []byte{255, 255, 255, 128}}
 
+	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{cIp1, cIp2}, []*net.IPNet{}, []string{"test"})
 
+	assert.Nil(t, err)
 
+	v, err = c.Verify(time.Now(), caPool)
 
+	assert.True(t, v)
 
+	assert.Nil(t, err)
 
+
 
+	// Exact matches
 
+	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{caIp1, caIp2}, []*net.IPNet{}, []string{"test"})
 
+	assert.Nil(t, err)
 
+	v, err = c.Verify(time.Now(), caPool)
 
+	assert.True(t, v)
 
+	assert.Nil(t, err)
 
+
 
+	// Exact matches reversed
 
+	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{caIp2, caIp1}, []*net.IPNet{}, []string{"test"})
 
+	assert.Nil(t, err)
 
+	v, err = c.Verify(time.Now(), caPool)
 
+	assert.True(t, v)
 
+	assert.Nil(t, err)
 
+
 
+	// Exact matches reversed with just 1
 
+	c, _, _, err = newTestCert(ca, caKey, time.Now(), time.Now().Add(5*time.Minute), []*net.IPNet{caIp1}, []*net.IPNet{}, []string{"test"})
 
+	assert.Nil(t, err)
 
+	v, err = c.Verify(time.Now(), caPool)
 
+	assert.True(t, v)
 
+	assert.Nil(t, err)
 
 }
 
 
 func TestNebulaVerifyPrivateKey(t *testing.T) {
 
-	ca, _, caKey, err := newTestCaCert()
 
+	ca, _, caKey, err := newTestCaCert(time.Time{}, time.Time{}, []*net.IPNet{}, []*net.IPNet{}, []string{})
 
 	assert.Nil(t, err)
 
 
-	c, _, priv, err := newTestCert(ca, caKey)
 
+	c, _, priv, err := newTestCert(ca, caKey, time.Time{}, time.Time{}, []*net.IPNet{}, []*net.IPNet{}, []string{})
 
 	err = c.VerifyPrivateKey(priv)
 
 	assert.Nil(t, err)
 
 
@@ -301,10 +408,14 @@ func TestMarshalingNebulaCertificateConsistency(t *testing.T) {
 
 	assert.Equal(t, "0a0774657374696e67121b8182845080feffff0f828284508080fcff0f8382845080fe83f80f1a1b8182844880fe83f80f8282844880feffff0f838284488080fcff0f220b746573742d67726f757031220b746573742d67726f757032220b746573742d67726f75703328f0e0e7d70430a08681c4053a20313233343536373839306162636564666768696a3132333435363738393061624a081234567890abcedf", fmt.Sprintf("%x", b))
 
 }
 
 
-func newTestCaCert() (*NebulaCertificate, []byte, []byte, error) {
 
+func newTestCaCert(before, after time.Time, ips, subnets []*net.IPNet, groups []string) (*NebulaCertificate, []byte, []byte, error) {
 
 	pub, priv, err := ed25519.GenerateKey(rand.Reader)
 
-	before := time.Now().Add(time.Second * -60).Round(time.Second)
 
-	after := time.Now().Add(time.Second * 60).Round(time.Second)
 
+	if before.IsZero() {
 
+		before = time.Now().Add(time.Second * -60).Round(time.Second)
 
+	}
 
+	if after.IsZero() {
 
+		after = time.Now().Add(time.Second * 60).Round(time.Second)
 
+	}
 
 
 	nc := &NebulaCertificate{
 
 		Details: NebulaCertificateDetails{
 
@@ -316,6 +427,18 @@ func newTestCaCert() (*NebulaCertificate, []byte, []byte, error) {
 
 		},
 
 	}
 
 
+	if len(ips) > 0 {
 
+		nc.Details.Ips = ips
 
+	}
 
+
 
+	if len(subnets) > 0 {
 
+		nc.Details.Subnets = subnets
 
+	}
 
+
 
+	if len(groups) > 0 {
 
+		nc.Details.Groups = groups
 
+	}
 
+
 
 	err = nc.Sign(priv)
 
 	if err != nil {
 
 		return nil, nil, nil, err
 
@@ -323,30 +446,47 @@ func newTestCaCert() (*NebulaCertificate, []byte, []byte, error) {
 
 	return nc, pub, priv, nil
 
 }
 
 
-func newTestCert(ca *NebulaCertificate, key []byte) (*NebulaCertificate, []byte, []byte, error) {
 
+func newTestCert(ca *NebulaCertificate, key []byte, before, after time.Time, ips, subnets []*net.IPNet, groups []string) (*NebulaCertificate, []byte, []byte, error) {
 
 	issuer, err := ca.Sha256Sum()
 
 	if err != nil {
 
 		return nil, nil, nil, err
 
 	}
 
 
-	before := time.Now().Add(time.Second * -60).Round(time.Second)
 
-	after := time.Now().Add(time.Second * 60).Round(time.Second)
 
+	if before.IsZero() {
 
+		before = time.Now().Add(time.Second * -60).Round(time.Second)
 
+	}
 
+	if after.IsZero() {
 
+		after = time.Now().Add(time.Second * 60).Round(time.Second)
 
+	}
 
+
 
+	if len(groups) == 0 {
 
+		groups = []string{"test-group1", "test-group2", "test-group3"}
 
+	}
 
+
 
+	if len(ips) == 0 {
 
+		ips = []*net.IPNet{
 
+			{IP: net.ParseIP("10.1.1.1"), Mask: net.IPMask(net.ParseIP("255.255.255.0"))},
 
+			{IP: net.ParseIP("10.1.1.2"), Mask: net.IPMask(net.ParseIP("255.255.0.0"))},
 
+			{IP: net.ParseIP("10.1.1.3"), Mask: net.IPMask(net.ParseIP("255.0.255.0"))},
 
+		}
 
+	}
 
+
 
+	if len(subnets) == 0 {
 
+		subnets = []*net.IPNet{
 
+			{IP: net.ParseIP("9.1.1.1"), Mask: net.IPMask(net.ParseIP("255.0.255.0"))},
 
+			{IP: net.ParseIP("9.1.1.2"), Mask: net.IPMask(net.ParseIP("255.255.255.0"))},
 
+			{IP: net.ParseIP("9.1.1.3"), Mask: net.IPMask(net.ParseIP("255.255.0.0"))},
 
+		}
 
+	}
 
+
 
 	pub, rawPriv := x25519Keypair()
 
 
 	nc := &NebulaCertificate{
 
 		Details: NebulaCertificateDetails{
 
-			Name: "testing",
 
-			Ips: []*net.IPNet{
 
-				{IP: net.ParseIP("10.1.1.1"), Mask: net.IPMask(net.ParseIP("255.255.255.0"))},
 
-				{IP: net.ParseIP("10.1.1.2"), Mask: net.IPMask(net.ParseIP("255.255.0.0"))},
 
-				{IP: net.ParseIP("10.1.1.3"), Mask: net.IPMask(net.ParseIP("255.0.255.0"))},
 
-			},
 
-			Subnets: []*net.IPNet{
 
-				{IP: net.ParseIP("9.1.1.1"), Mask: net.IPMask(net.ParseIP("255.0.255.0"))},
 
-				{IP: net.ParseIP("9.1.1.2"), Mask: net.IPMask(net.ParseIP("255.255.255.0"))},
 
-				{IP: net.ParseIP("9.1.1.3"), Mask: net.IPMask(net.ParseIP("255.255.0.0"))},
 
-			},
 
-			Groups:    []string{"test-group1", "test-group2", "test-group3"},
 
+			Name:      "testing",
 
+			Ips:       ips,
 
+			Subnets:   subnets,
 
+			Groups:    groups,
 
 			NotBefore: before,
 
 			NotAfter:  after,
 
 			PublicKey: pub,