From a0bad641d94cecaaac0577615e21e26e2b49dcb2 Mon Sep 17 00:00:00 2001 From: Junjie Gao Date: Fri, 20 Oct 2023 10:48:31 +0800 Subject: [PATCH 1/6] fix: update key usage error message to make it clear Signed-off-by: Junjie Gao --- x509/cert_validations.go | 31 +++++++++++++- x509/cert_validations_test.go | 76 ++++++++++++++++++++++++++++++++++- 2 files changed, 104 insertions(+), 3 deletions(-) diff --git a/x509/cert_validations.go b/x509/cert_validations.go index 84ba24dd..bc5918ae 100644 --- a/x509/cert_validations.go +++ b/x509/cert_validations.go @@ -20,6 +20,7 @@ import ( "crypto/x509" "errors" "fmt" + "strings" "time" ) 
@@ -186,8 +187,34 @@ func validateLeafKeyUsage(cert *x509.Certificate) error {
 if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
 return fmt.Errorf("certificate with subject %q: key usage must have the bit positions for digital signature set", cert.Subject)
 }
- if cert.KeyUsage&kuLeafCertBlocked != 0 {
- return fmt.Errorf("certificate with subject %q: key usage must not have the bit positions for %s set", cert.Subject, kuLeafCertBlockedString)
+
+ var invalidKeyUsages []string
+ if cert.KeyUsage&x509.KeyUsageContentCommitment != 0 {
+ invalidKeyUsages = append(invalidKeyUsages, "ContentCommitment")
+ }
+ if cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0 {
+ invalidKeyUsages = append(invalidKeyUsages, "KeyEncipherment")
+ }
+ if cert.KeyUsage&x509.KeyUsageDataEncipherment != 0 {
+ invalidKeyUsages = append(invalidKeyUsages, "DataEncipherment")
+ }
+ if cert.KeyUsage&x509.KeyUsageKeyAgreement != 0 {
+ invalidKeyUsages = append(invalidKeyUsages, "KeyAgreement")
+ }
+ if cert.KeyUsage&x509.KeyUsageCertSign != 0 {
+ invalidKeyUsages = append(invalidKeyUsages, "CertSign")
+ }
+ if cert.KeyUsage&x509.KeyUsageCRLSign != 0 {
+ invalidKeyUsages = append(invalidKeyUsages, "CRLSign")
+ }
+ if cert.KeyUsage&x509.KeyUsageEncipherOnly != 0 {
+ invalidKeyUsages = append(invalidKeyUsages, "EncipherOnly")
+ }
+ if cert.KeyUsage&x509.KeyUsageDecipherOnly != 0 {
+ invalidKeyUsages = append(invalidKeyUsages, "DecipherOnly")
+ }
+ if len(invalidKeyUsages) > 0 {
+ return fmt.Errorf("certificate with subject %q: key usage must not have the bit positions for %s set", cert.Subject, strings.Join(invalidKeyUsages, ", "))
 }
 return nil
 }
diff --git a/x509/cert_validations_test.go b/x509/cert_validations_test.go
index 69446f2e..569047c5 100644
--- a/x509/cert_validations_test.go
+++ b/x509/cert_validations_test.go
@@ -15,7 +15,9 @@ package x509
 import (
 "crypto/x509"
+ "crypto/x509/pkix"
 _ "embed"
+ "encoding/asn1"
 "testing"
 "time"
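Review bot: The accept/reject decision for the leaf key usage now rests on eight independent `if` blocks instead of the single `kuLeafCertBlocked` mask it replaces, so any bit that is missing from this hand-written list — a typo while editing, or a future `x509.KeyUsage` constant — is silently accepted rather than rejected. Since the policy is "DigitalSignature and nothing else", gate on the complement mask first and use the name table only to word the message: `if extra := cert.KeyUsage &^ x509.KeyUsageDigitalSignature; extra != 0 {`. A table-driven loop also removes the eightfold duplication and gives a natural place to report any bit the table does not know. The opening of `validateLeafKeyUsage` (the extension pre-check that returns `err`) lies outside this hunk, so I have not reviewed it.
```go
// … unchanged: DigitalSignature-required check …
// Reject on the mask first so an unnamed bit can never slip through;
// the table below only decides how the offending bits are reported.
if extra := cert.KeyUsage &^ x509.KeyUsageDigitalSignature; extra != 0 {
	blocked := []struct {
		bit  x509.KeyUsage
		name string
	}{
		{x509.KeyUsageContentCommitment, "ContentCommitment"},
		{x509.KeyUsageKeyEncipherment, "KeyEncipherment"},
		{x509.KeyUsageDataEncipherment, "DataEncipherment"},
		{x509.KeyUsageKeyAgreement, "KeyAgreement"},
		{x509.KeyUsageCertSign, "CertSign"},
		{x509.KeyUsageCRLSign, "CRLSign"},
		{x509.KeyUsageEncipherOnly, "EncipherOnly"},
		{x509.KeyUsageDecipherOnly, "DecipherOnly"},
	}
	var invalidKeyUsages []string
	for _, ku := range blocked {
		if extra&ku.bit != 0 {
			invalidKeyUsages = append(invalidKeyUsages, ku.name)
			extra &^= ku.bit
		}
	}
	if extra != 0 {
		// Bits set in the certificate that the table has no name for.
		invalidKeyUsages = append(invalidKeyUsages, fmt.Sprintf("unknown bit(s) 0x%x", extra))
	}
	return fmt.Errorf("certificate with subject %q: key usage must not have the bit positions for %s set", cert.Subject, strings.Join(invalidKeyUsages, ", "))
}
return nil
```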
@@ -534,7 +536,7 @@ var kuWrongValuesLeaf = parseCertificateFromString(kuWrongValuesLeafPem) func TestFailKuWrongValuesLeaf(t *testing.T) { err := validateLeafCertificate(kuWrongValuesLeaf, x509.ExtKeyUsageCodeSigning) - assertErrorEqual("certificate with subject \"CN=Hello\": key usage must not have the bit positions for ContentCommitment, KeyEncipherment, DataEncipherment, KeyAgreement, CertSign, CRLSign, EncipherOnly, DecipherOnly set", err, t) + assertErrorEqual("certificate with subject \"CN=Hello\": key usage must not have the bit positions for CertSign, CRLSign set", err, t) } var rsaKeyTooSmallLeafPem = "-----BEGIN CERTIFICATE-----\n" + 
@@ -699,3 +701,75 @@ func assertErrorEqual(expected string, err error, t *testing.T) { t.Fatalf("Expected error \"%v\" but was \"%v\"", expected, err) } } + +func TestValidateLeafKeyUsage(t *testing.T) { + extensions := []pkix.Extension{{ + Id: asn1.ObjectIdentifier{2, 5, 29, 15}, // OID for KeyUsage + Critical: true, + }} + + tests := []struct { + name string + cert *x509.Certificate + expectedErrMsg string + }{ + { + name: "Valid DigitalSignature usage", + cert: &x509.Certificate{ + Subject: pkix.Name{CommonName: "Test CN"}, + KeyUsage: x509.KeyUsageDigitalSignature, + Extensions: extensions, + }, + expectedErrMsg: "", + }, + { + name: "Valid ContentCommitment usage", + cert: &x509.Certificate{ + Subject: pkix.Name{CommonName: "Test CN"}, + KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment, + Extensions: extensions, + }, + expectedErrMsg: "certificate with subject \"CN=Test CN\": key usage must not have the bit positions for ContentCommitment set", + }, + { + name: "Missing DigitalSignature usage", + cert: &x509.Certificate{ + Subject: pkix.Name{CommonName: "Test CN"}, + KeyUsage: x509.KeyUsageCertSign, + Extensions: extensions, + }, + expectedErrMsg: "certificate with subject \"CN=Test CN\": key usage must have the bit positions for digital signature set", + }, + { + name: "Invalid KeyEncipherment usage", + cert: &x509.Certificate{ + Subject: pkix.Name{CommonName: "Test CN"}, + KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, + Extensions: extensions, + }, + expectedErrMsg: "certificate with subject \"CN=Test CN\": key usage must not have the bit positions for KeyEncipherment set", + }, + { + name: "Multiple Invalid usages", + cert: &x509.Certificate{ + Subject: pkix.Name{CommonName: "Test CN"}, + KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment | x509.KeyUsageKeyAgreement | x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageEncipherOnly | 
x509.KeyUsageDecipherOnly | x509.KeyUsageEncipherOnly | x509.KeyUsageDecipherOnly, + Extensions: extensions, + }, + expectedErrMsg: "certificate with subject \"CN=Test CN\": key usage must not have the bit positions for KeyEncipherment, DataEncipherment, KeyAgreement, CertSign, CRLSign, EncipherOnly, DecipherOnly set", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + err := validateLeafKeyUsage(tt.cert) + if err != nil && tt.expectedErrMsg == "" { + t.Fatalf("expected no error, but got: %s", err) + } else if err == nil && tt.expectedErrMsg != "" { + t.Fatalf("expected error %q, but got none", tt.expectedErrMsg) + } else if err != nil && err.Error() != tt.expectedErrMsg { + t.Fatalf("expected error %q, but got: %s", tt.expectedErrMsg, err) + } + }) + } +} From a296f75cc79e1330ef2413deb1c04c9fc4a07331 Mon Sep 17 00:00:00 2001 From: Junjie Gao Date: Fri, 20 Oct 2023 10:52:25 +0800 Subject: [PATCH 2/6] fix: delete unused code Signed-off-by: Junjie Gao --- x509/cert_validations.go | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/x509/cert_validations.go b/x509/cert_validations.go index bc5918ae..29c3c73b 100644 --- a/x509/cert_validations.go +++ b/x509/cert_validations.go @@ -24,17 +24,6 @@ import ( "time" ) -var kuLeafCertBlocked = x509.KeyUsageContentCommitment | - x509.KeyUsageKeyEncipherment | - x509.KeyUsageDataEncipherment | - x509.KeyUsageKeyAgreement | - x509.KeyUsageCertSign | - x509.KeyUsageCRLSign | - x509.KeyUsageEncipherOnly | - x509.KeyUsageDecipherOnly -var kuLeafCertBlockedString = "ContentCommitment, KeyEncipherment, DataEncipherment, KeyAgreement, " + - "CertSign, CRLSign, EncipherOnly, DecipherOnly" - // ValidateCodeSigningCertChain takes an ordered code-signing certificate chain // and validates issuance from leaf to root // Validates certificates according to this spec: From 04677541cba9c4c510de7d865d9b3f6974001ae5 Mon Sep 17 00:00:00 2001 
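Review bot: The "Multiple Invalid usages" case ORs `x509.KeyUsageEncipherOnly | x509.KeyUsageDecipherOnly` twice in its `KeyUsage` expression; the duplicate operands are a no-op for a bitmask but read as if two extra usages were under test, so drop the second pair. The case named "Valid ContentCommitment usage" expects a non-empty error, so the name contradicts the assertion — rename it `"Invalid ContentCommitment usage"` to match its siblings. The shared `extensions` fixture (critical KeyUsage OID 2.5.29.15) presumably exists to satisfy a check that runs before the bit tests in `validateLeafKeyUsage`; that check is outside this hunk, so a one-line comment on the fixture saying which check it satisfies would help the next reader.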
From: Junjie Gao Date: Fri, 20 Oct 2023 13:16:06 +0800 Subject: [PATCH 3/6] fix: update error message Signed-off-by: Junjie Gao --- x509/cert_validations.go | 2 +- x509/cert_validations_test.go | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/x509/cert_validations.go b/x509/cert_validations.go index 29c3c73b..c2ecaf32 100644 --- a/x509/cert_validations.go +++ b/x509/cert_validations.go @@ -203,7 +203,7 @@ func validateLeafKeyUsage(cert *x509.Certificate) error { invalidKeyUsages = append(invalidKeyUsages, "DecipherOnly") } if len(invalidKeyUsages) > 0 { - return fmt.Errorf("certificate with subject %q: key usage must not have the bit positions for %s set", cert.Subject, strings.Join(invalidKeyUsages, ", ")) + return fmt.Errorf("certificate with subject %q is invalid: key usage must be 'Digital Signature' only, found %s", cert.Subject, strings.Join(invalidKeyUsages, ", ")) } return nil } diff --git a/x509/cert_validations_test.go b/x509/cert_validations_test.go index 569047c5..570dfa78 100644 --- a/x509/cert_validations_test.go +++ b/x509/cert_validations_test.go @@ -536,7 +536,7 @@ var kuWrongValuesLeaf = parseCertificateFromString(kuWrongValuesLeafPem) func TestFailKuWrongValuesLeaf(t *testing.T) { err := validateLeafCertificate(kuWrongValuesLeaf, x509.ExtKeyUsageCodeSigning) - assertErrorEqual("certificate with subject \"CN=Hello\": key usage must not have the bit positions for CertSign, CRLSign set", err, t) + assertErrorEqual("certificate with subject \"CN=Hello\" is invalid: key usage must be 'Digital Signature' only, found CertSign, CRLSign", err, t) } var rsaKeyTooSmallLeafPem = "-----BEGIN CERTIFICATE-----\n" + 
@@ -729,7 +729,7 @@ func TestValidateLeafKeyUsage(t *testing.T) { KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment, Extensions: extensions, }, - expectedErrMsg: "certificate with subject \"CN=Test CN\": key usage must not have the bit positions for ContentCommitment set", + expectedErrMsg: "certificate with subject \"CN=Test CN\" is invalid: key usage must be 'Digital Signature' only, found ContentCommitment", }, { name: "Missing DigitalSignature usage", @@ -747,7 +747,7 @@ func TestValidateLeafKeyUsage(t *testing.T) { KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, Extensions: extensions, }, - expectedErrMsg: "certificate with subject \"CN=Test CN\": key usage must not have the bit positions for KeyEncipherment set", + expectedErrMsg: "certificate with subject \"CN=Test CN\" is invalid: key usage must be 'Digital Signature' only, found KeyEncipherment", }, { name: "Multiple Invalid usages", @@ -756,7 +756,7 @@ func TestValidateLeafKeyUsage(t *testing.T) { KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment | x509.KeyUsageKeyAgreement | x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageEncipherOnly | x509.KeyUsageDecipherOnly | x509.KeyUsageEncipherOnly | x509.KeyUsageDecipherOnly, Extensions: extensions, }, - expectedErrMsg: "certificate with subject \"CN=Test CN\": key usage must not have the bit positions for KeyEncipherment, DataEncipherment, KeyAgreement, CertSign, CRLSign, EncipherOnly, DecipherOnly set", + expectedErrMsg: "certificate with subject \"CN=Test CN\" is invalid: key usage must be 'Digital Signature' only, found KeyEncipherment, DataEncipherment, KeyAgreement, CertSign, CRLSign, EncipherOnly, DecipherOnly", }, } From 5ef11031a009e2b18410f67cc3fb02126ad6ef95 Mon Sep 17 00:00:00 2001 From: Junjie Gao Date: Fri, 20 Oct 2023 14:19:18 +0800 Subject: [PATCH 4/6] fix: update code 
Signed-off-by: Junjie Gao --- x509/cert_validations.go | 4 ++-- x509/cert_validations_test.go | 12 ++++++------ 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/x509/cert_validations.go b/x509/cert_validations.go index c2ecaf32..ce045faf 100644 --- a/x509/cert_validations.go +++ b/x509/cert_validations.go @@ -174,7 +174,7 @@ func validateLeafKeyUsage(cert *x509.Certificate) error { return err } if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 { - return fmt.Errorf("certificate with subject %q: key usage must have the bit positions for digital signature set", cert.Subject) + return fmt.Errorf("The certificate with subject %q is invalid. The key usage must have the bit positions for \"Digital Signature\"", cert.Subject) } var invalidKeyUsages []string @@ -203,7 +203,7 @@ func validateLeafKeyUsage(cert *x509.Certificate) error { invalidKeyUsages = append(invalidKeyUsages, "DecipherOnly") } if len(invalidKeyUsages) > 0 { - return fmt.Errorf("certificate with subject %q is invalid: key usage must be 'Digital Signature' only, found %s", cert.Subject, strings.Join(invalidKeyUsages, ", ")) + return fmt.Errorf("The certificate with subject %q is invalid. The key usage must be \"Digital Signature\" only, but found %s", cert.Subject, strings.Join(invalidKeyUsages, ", ")) } return nil } diff --git a/x509/cert_validations_test.go b/x509/cert_validations_test.go index 570dfa78..d965604f 100644 --- a/x509/cert_validations_test.go +++ b/x509/cert_validations_test.go 
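Review bot: Both rewritten messages in `validateLeafKeyUsage` now start with a capital letter and contain sentence punctuation ("The certificate with subject %q is invalid. The key usage …"), which departs from the Go convention that error strings are lowercase without trailing punctuation (staticcheck ST1005) and reads awkwardly if a caller wraps the error after a colon with `%w`. If the wording is deliberately end-user-facing, say so where the strings are built, e.g. `// user-facing message: full sentences are intentional`, so the lint finding is not "fixed" later; otherwise keep the earlier lowercase form such as `"certificate with subject %q is invalid: key usage must be \"Digital Signature\" only, but found %s"`. The start of the function (the extension pre-check) is outside these hunks.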
@@ -512,7 +512,7 @@ var kuNoDigitalSignatureLeaf = parseCertificateFromString(kuNoDigitalSignatureLe func TestFailKuNoDigitalSignatureLeaf(t *testing.T) { err := validateLeafCertificate(kuNoDigitalSignatureLeaf, x509.ExtKeyUsageCodeSigning) - assertErrorEqual("certificate with subject \"CN=Hello\": key usage must have the bit positions for digital signature set", err, t) + assertErrorEqual("The certificate with subject \"CN=Hello\" is invalid. The key usage must have the bit positions for \"Digital Signature\"", err, t) } var kuWrongValuesLeafPem = "-----BEGIN CERTIFICATE-----\n" + @@ -536,7 +536,7 @@ var kuWrongValuesLeaf = parseCertificateFromString(kuWrongValuesLeafPem) func TestFailKuWrongValuesLeaf(t *testing.T) { err := validateLeafCertificate(kuWrongValuesLeaf, x509.ExtKeyUsageCodeSigning) - assertErrorEqual("certificate with subject \"CN=Hello\" is invalid: key usage must be 'Digital Signature' only, found CertSign, CRLSign", err, t) + assertErrorEqual("The certificate with subject \"CN=Hello\" is invalid. The key usage must be \"Digital Signature\" only, but found CertSign, CRLSign", err, t) } var rsaKeyTooSmallLeafPem = "-----BEGIN CERTIFICATE-----\n" + @@ -729,7 +729,7 @@ func TestValidateLeafKeyUsage(t *testing.T) { KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment, Extensions: extensions, }, - expectedErrMsg: "certificate with subject \"CN=Test CN\" is invalid: key usage must be 'Digital Signature' only, found ContentCommitment", + expectedErrMsg: "The certificate with subject \"CN=Test CN\" is invalid. The key usage must be \"Digital Signature\" only, but found ContentCommitment", }, { name: "Missing DigitalSignature usage", 
@@ -738,7 +738,7 @@ func TestValidateLeafKeyUsage(t *testing.T) { KeyUsage: x509.KeyUsageCertSign, Extensions: extensions, }, - expectedErrMsg: "certificate with subject \"CN=Test CN\": key usage must have the bit positions for digital signature set", + expectedErrMsg: "The certificate with subject \"CN=Test CN\" is invalid. The key usage must have the bit positions for \"Digital Signature\"", }, { name: "Invalid KeyEncipherment usage", @@ -747,7 +747,7 @@ func TestValidateLeafKeyUsage(t *testing.T) { KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, Extensions: extensions, }, - expectedErrMsg: "certificate with subject \"CN=Test CN\" is invalid: key usage must be 'Digital Signature' only, found KeyEncipherment", + expectedErrMsg: "The certificate with subject \"CN=Test CN\" is invalid. The key usage must be \"Digital Signature\" only, but found KeyEncipherment", }, { name: "Multiple Invalid usages", @@ -756,7 +756,7 @@ func TestValidateLeafKeyUsage(t *testing.T) { KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment | x509.KeyUsageKeyAgreement | x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageEncipherOnly | x509.KeyUsageDecipherOnly | x509.KeyUsageEncipherOnly | x509.KeyUsageDecipherOnly, Extensions: extensions, }, - expectedErrMsg: "certificate with subject \"CN=Test CN\" is invalid: key usage must be 'Digital Signature' only, found KeyEncipherment, DataEncipherment, KeyAgreement, CertSign, CRLSign, EncipherOnly, DecipherOnly", + expectedErrMsg: "The certificate with subject \"CN=Test CN\" is invalid. The key usage must be \"Digital Signature\" only, but found KeyEncipherment, DataEncipherment, KeyAgreement, CertSign, CRLSign, EncipherOnly, DecipherOnly", }, } From b5856fb19ace874a1d644259b5a88dd3ffb417c4 Mon Sep 17 00:00:00 2001 From: Junjie Gao Date: Mon, 23 Oct 2023 11:03:11 +0800 Subject: [PATCH 5/6] fix: update error message 
Signed-off-by: Junjie Gao --- x509/cert_validations.go | 18 +++++++++--------- x509/cert_validations_test.go | 12 ++++++------ 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/x509/cert_validations.go b/x509/cert_validations.go index ce045faf..07c96070 100644 --- a/x509/cert_validations.go +++ b/x509/cert_validations.go 
@@ -174,33 +174,33 @@ func validateLeafKeyUsage(cert *x509.Certificate) error { return err } if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 { - return fmt.Errorf("The certificate with subject %q is invalid. The key usage must have the bit positions for \"Digital Signature\"", cert.Subject) + return fmt.Errorf("The certificate with subject %q is invalid. The key usage must have the bit positions for \"Digital Signature\" set", cert.Subject) } var invalidKeyUsages []string if cert.KeyUsage&x509.KeyUsageContentCommitment != 0 { - invalidKeyUsages = append(invalidKeyUsages, "ContentCommitment") + invalidKeyUsages = append(invalidKeyUsages, "\"ContentCommitment\"") } if cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0 { - invalidKeyUsages = append(invalidKeyUsages, "KeyEncipherment") + invalidKeyUsages = append(invalidKeyUsages, "\"KeyEncipherment\"") } if cert.KeyUsage&x509.KeyUsageDataEncipherment != 0 { - invalidKeyUsages = append(invalidKeyUsages, "DataEncipherment") + invalidKeyUsages = append(invalidKeyUsages, "\"DataEncipherment\"") } if cert.KeyUsage&x509.KeyUsageKeyAgreement != 0 { - invalidKeyUsages = append(invalidKeyUsages, "KeyAgreement") + invalidKeyUsages = append(invalidKeyUsages, "\"KeyAgreement\"") } if cert.KeyUsage&x509.KeyUsageCertSign != 0 { - invalidKeyUsages = append(invalidKeyUsages, "CertSign") + invalidKeyUsages = append(invalidKeyUsages, "\"CertSign\"") } if cert.KeyUsage&x509.KeyUsageCRLSign != 0 { - invalidKeyUsages = append(invalidKeyUsages, "CRLSign") + invalidKeyUsages = append(invalidKeyUsages, "\"CRLSign\"") } if cert.KeyUsage&x509.KeyUsageEncipherOnly != 0 { - invalidKeyUsages = append(invalidKeyUsages, "EncipherOnly") + invalidKeyUsages = append(invalidKeyUsages, "\"EncipherOnly\"") } if cert.KeyUsage&x509.KeyUsageDecipherOnly != 0 { - invalidKeyUsages = append(invalidKeyUsages, "DecipherOnly") + invalidKeyUsages = append(invalidKeyUsages, "\"DecipherOnly\"") } if len(invalidKeyUsages) > 0 { return fmt.Errorf("The certificate 
with subject %q is invalid. The key usage must be \"Digital Signature\" only, but found %s", cert.Subject, strings.Join(invalidKeyUsages, ", ")) diff --git a/x509/cert_validations_test.go b/x509/cert_validations_test.go index d965604f..f0eb563a 100644 --- a/x509/cert_validations_test.go +++ b/x509/cert_validations_test.go @@ -512,7 +512,7 @@ var kuNoDigitalSignatureLeaf = parseCertificateFromString(kuNoDigitalSignatureLe func TestFailKuNoDigitalSignatureLeaf(t *testing.T) { err := validateLeafCertificate(kuNoDigitalSignatureLeaf, x509.ExtKeyUsageCodeSigning) - assertErrorEqual("The certificate with subject \"CN=Hello\" is invalid. The key usage must have the bit positions for \"Digital Signature\"", err, t) + assertErrorEqual("The certificate with subject \"CN=Hello\" is invalid. The key usage must have the bit positions for \"Digital Signature\" set", err, t) } var kuWrongValuesLeafPem = "-----BEGIN CERTIFICATE-----\n" + @@ -536,7 +536,7 @@ var kuWrongValuesLeaf = parseCertificateFromString(kuWrongValuesLeafPem) func TestFailKuWrongValuesLeaf(t *testing.T) { err := validateLeafCertificate(kuWrongValuesLeaf, x509.ExtKeyUsageCodeSigning) - assertErrorEqual("The certificate with subject \"CN=Hello\" is invalid. The key usage must be \"Digital Signature\" only, but found CertSign, CRLSign", err, t) + assertErrorEqual("The certificate with subject \"CN=Hello\" is invalid. The key usage must be \"Digital Signature\" only, but found \"CertSign\", \"CRLSign\"", err, t) } var rsaKeyTooSmallLeafPem = "-----BEGIN CERTIFICATE-----\n" + 
@@ -729,7 +729,7 @@ func TestValidateLeafKeyUsage(t *testing.T) { KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment, Extensions: extensions, }, - expectedErrMsg: "The certificate with subject \"CN=Test CN\" is invalid. The key usage must be \"Digital Signature\" only, but found ContentCommitment", + expectedErrMsg: "The certificate with subject \"CN=Test CN\" is invalid. The key usage must be \"Digital Signature\" only, but found \"ContentCommitment\"", }, { name: "Missing DigitalSignature usage", @@ -738,7 +738,7 @@ func TestValidateLeafKeyUsage(t *testing.T) { KeyUsage: x509.KeyUsageCertSign, Extensions: extensions, }, - expectedErrMsg: "The certificate with subject \"CN=Test CN\" is invalid. The key usage must have the bit positions for \"Digital Signature\"", + expectedErrMsg: "The certificate with subject \"CN=Test CN\" is invalid. The key usage must have the bit positions for \"Digital Signature\" set", }, { name: "Invalid KeyEncipherment usage", @@ -747,7 +747,7 @@ func TestValidateLeafKeyUsage(t *testing.T) { KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, Extensions: extensions, }, - expectedErrMsg: "The certificate with subject \"CN=Test CN\" is invalid. The key usage must be \"Digital Signature\" only, but found KeyEncipherment", + expectedErrMsg: "The certificate with subject \"CN=Test CN\" is invalid. The key usage must be \"Digital Signature\" only, but found \"KeyEncipherment\"", }, { name: "Multiple Invalid usages", 
@@ -756,7 +756,7 @@ func TestValidateLeafKeyUsage(t *testing.T) { KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment | x509.KeyUsageKeyAgreement | x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageEncipherOnly | x509.KeyUsageDecipherOnly | x509.KeyUsageEncipherOnly | x509.KeyUsageDecipherOnly, Extensions: extensions, }, - expectedErrMsg: "The certificate with subject \"CN=Test CN\" is invalid. The key usage must be \"Digital Signature\" only, but found KeyEncipherment, DataEncipherment, KeyAgreement, CertSign, CRLSign, EncipherOnly, DecipherOnly", + expectedErrMsg: "The certificate with subject \"CN=Test CN\" is invalid. The key usage must be \"Digital Signature\" only, but found \"KeyEncipherment\", \"DataEncipherment\", \"KeyAgreement\", \"CertSign\", \"CRLSign\", \"EncipherOnly\", \"DecipherOnly\"", }, } From fd0d70f4b3fd72cae8696c91b2d853bde477bdd2 Mon Sep 17 00:00:00 2001 From: Junjie Gao Date: Mon, 23 Oct 2023 15:31:15 +0800 Subject: [PATCH 6/6] fix: update Signed-off-by: Junjie Gao --- x509/cert_validations.go | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/x509/cert_validations.go b/x509/cert_validations.go index 07c96070..9e87c681 100644 --- a/x509/cert_validations.go +++ b/x509/cert_validations.go 
@@ -179,28 +179,28 @@ func validateLeafKeyUsage(cert *x509.Certificate) error { var invalidKeyUsages []string if cert.KeyUsage&x509.KeyUsageContentCommitment != 0 { - invalidKeyUsages = append(invalidKeyUsages, "\"ContentCommitment\"") + invalidKeyUsages = append(invalidKeyUsages, `"ContentCommitment"`) } if cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0 { - invalidKeyUsages = append(invalidKeyUsages, "\"KeyEncipherment\"") + invalidKeyUsages = append(invalidKeyUsages, `"KeyEncipherment"`) } if cert.KeyUsage&x509.KeyUsageDataEncipherment != 0 { - invalidKeyUsages = append(invalidKeyUsages, "\"DataEncipherment\"") + invalidKeyUsages = append(invalidKeyUsages, `"DataEncipherment"`) } if cert.KeyUsage&x509.KeyUsageKeyAgreement != 0 { - invalidKeyUsages = append(invalidKeyUsages, "\"KeyAgreement\"") + invalidKeyUsages = append(invalidKeyUsages, `"KeyAgreement"`) } if cert.KeyUsage&x509.KeyUsageCertSign != 0 { - invalidKeyUsages = append(invalidKeyUsages, "\"CertSign\"") + invalidKeyUsages = append(invalidKeyUsages, `"CertSign"`) } if cert.KeyUsage&x509.KeyUsageCRLSign != 0 { - invalidKeyUsages = append(invalidKeyUsages, "\"CRLSign\"") + invalidKeyUsages = append(invalidKeyUsages, `"CRLSign"`) } if cert.KeyUsage&x509.KeyUsageEncipherOnly != 0 { - invalidKeyUsages = append(invalidKeyUsages, "\"EncipherOnly\"") + invalidKeyUsages = append(invalidKeyUsages, `"EncipherOnly"`) } if cert.KeyUsage&x509.KeyUsageDecipherOnly != 0 { - invalidKeyUsages = append(invalidKeyUsages, "\"DecipherOnly\"") + invalidKeyUsages = append(invalidKeyUsages, `"DecipherOnly"`) } if len(invalidKeyUsages) > 0 { return fmt.Errorf("The certificate with subject %q is invalid. The key usage must be \"Digital Signature\" only, but found %s", cert.Subject, strings.Join(invalidKeyUsages, ", "))