From 507b58f66c1c357aaefb1077079e16fb06bbf98b Mon Sep 17 00:00:00 2001
From: linus-sun
Date: Tue, 12 Nov 2024 17:24:29 +0000
Subject: [PATCH] refactor extension functions to support x509 and google_x509
Signed-off-by: linus-sun
---
 pkg/ct/identity.go | 67 ----------------------------------------
 pkg/ct/identity_test.go | 56 ----------------------------------
 2 files changed, 123 deletions(-)
 delete mode 100644 pkg/ct/identity.go
 delete mode 100644 pkg/ct/identity_test.go
diff --git a/pkg/ct/identity.go b/pkg/ct/identity.go
deleted file mode 100644
index 1ae3c1ef..00000000
--- a/pkg/ct/identity.go
+++ /dev/null
@@ -1,67 +0,0 @@
-// Copyright 2024 The Sigstore Authors.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// This file copies some of the functionality in pkg/identity/identity.go
-// related to retrieving OID extension values and matching on them,
-// but refactors them to use the Google-specific fork of encoding/asn1 and crypto/x509.
-
-package ct
-
-import (
- "encoding/asn1"
- "fmt"
-
- google_asn1 "github.com/google/certificate-transparency-go/asn1"
- google_x509 "github.com/google/certificate-transparency-go/x509"
-)
-
-// getExtension gets a certificate extension by OID where the extension value is an
-// ASN.1-encoded string
-func getExtension(cert *google_x509.Certificate, oid google_asn1.ObjectIdentifier) (string, error) {
- for _, ext := range cert.Extensions {
- if !ext.Id.Equal(oid) {
- continue
- }
- var extValue string
- rest, err := asn1.Unmarshal(ext.Value, &extValue)
- if err != nil {
- return "", fmt.Errorf("%w", err)
- }
- if len(rest) != 0 {
- return "", fmt.Errorf("unmarshalling extension had rest for oid %v", oid)
- }
- return extValue, nil
- }
- return "", nil
-}
-
-// OIDMatchesPolicy returns if a certificate contains both a given OID field and a matching value associated with that field
-// if true, it returns the OID extension and extension value that were matched on
-func OIDMatchesPolicy(cert *google_x509.Certificate, oid google_asn1.ObjectIdentifier, extensionValues []string) (bool, google_asn1.ObjectIdentifier, string, 
error) {
- extValue, err := getExtension(cert, oid)
- if err != nil {
- return false, nil, "", fmt.Errorf("error getting extension value: %w", err)
- }
- if extValue == "" {
- return false, nil, "", nil
- }
-
- for _, extensionValue := range extensionValues {
- if extValue == extensionValue {
- return true, oid, extValue, nil
- }
- }
-
- return false, nil, "", nil
-}
diff --git a/pkg/ct/identity_test.go b/pkg/ct/identity_test.go
deleted file mode 100644
index 8ba4a89f..00000000
--- a/pkg/ct/identity_test.go
+++ /dev/null
@@ -1,56 +0,0 @@
-// Copyright 2024 The Sigstore Authors.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package ct
-
-import (
- "testing"
-
- google_asn1 "github.com/google/certificate-transparency-go/asn1"
- "github.com/google/certificate-transparency-go/x509"
-)
-
-// Test when OID is not present in the certificate
-func TestOIDNotPresent(t *testing.T) {
- cert := &x509.Certificate{} // No extensions
- oid := google_asn1.ObjectIdentifier{2, 5, 29, 17}
- extensionValues := []string{"wrong value"}
-
- matches, _, _, err := OIDMatchesPolicy(cert, oid, extensionValues)
- if matches || err != nil {
- t.Errorf("Expected false with nil, got %v, error %v", matches, err)
- }
-}
-
-// Test when OID is present and matches value
-func TestOIDMatchesValue(t *testing.T) {
- cert, err := mockCertificateWithExtension(google_asn1.ObjectIdentifier{2, 5, 29, 17}, "test cert value")
- if err != nil {
- t.Errorf("Expected nil got %v", err)
- }
- oid := google_asn1.ObjectIdentifier{2, 5, 29, 17}
- extValueString := "test cert value"
- extensionValues := []string{extValueString}
-
- matches, matchedOID, extValue, err := OIDMatchesPolicy(cert, oid, extensionValues)
- if !matches || err != nil {
- t.Errorf("Expected true, got %v, error %v", matches, err)
- }
- if matchedOID.String() != oid.String() {
- t.Errorf("Expected oid to equal 2.5.29.17, got %s", matchedOID.String())
- }
- if extValue != extValueString {
- t.Errorf("Expected string to equal 'test cert value', got 
%s", extValue)
- }
-}