Skip to content

Commit

Permalink
Merge branch 'claucece-ed25519cert' into ed25519
Browse files Browse the repository at this point in the history
  • Loading branch information
izolight committed May 26, 2023
2 parents b43f9a2 + 21fb139 commit b5fefe5
Show file tree
Hide file tree
Showing 403 changed files with 18,227 additions and 3,558 deletions.
4 changes: 3 additions & 1 deletion .gitignore
Original file line number Diff line number Diff line change
@@ -1,7 +1,9 @@
dist/*
cli/serve/static.rice-box.go
cli/serve/rice-box.go
coverage.txt
profile.out
bin
*.deb
*.rpm
test

15 changes: 15 additions & 0 deletions .travis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,11 @@ language: go
matrix:
include:
- go: 1.13.x
- go: 1.14.x
- arch: s390x
go: 1.13.x
- arch: s390x
go: 1.14.x

# Install g++-4.8 to support std=c++11 for github.com/google/certificate-transparency/go/merkletree
addons:
Expand Down Expand Up @@ -32,6 +37,16 @@ branches:

before_script:
- make bin/golint
#Setup postgresql for s390x environment
- if [[ $(uname -m) == 's390x' ]]; then
sudo apt-get --purge remove postgresql-*;
sudo rm -Rf /etc/postgresql /var/lib/postgresql;
sudo apt-get update;
sudo apt-get install -y postgresql-9.5;
sudo sed -i -e '/local.*peer/s/postgres/all/' -e 's/peer\|md5/trust/g' /etc/postgresql/9.5/main/pg_hba.conf;
sudo service postgresql restart;
sudo -u postgres createuser travis;
fi
# Setup DBs + run migrations
# The sql_mode adjustment is to remove a sql_mode that was added in MySQL 5.7, this mode applies a rule that does:
# > The NO_ZERO_DATE mode affects whether the server permits '0000-00-00' as a valid date.
Expand Down
2 changes: 1 addition & 1 deletion Dockerfile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM golang:1.13.3@sha256:6a693fbaba7dd8d816f6afce049fb92b280c588e0a677c4c8db26645e613fc15
FROM golang:1.14.1@sha256:08d16c1e689e86df1dae66d8ef4cec49a9d822299ec45e68a810c46cb705628d

WORKDIR /workdir
COPY . /workdir
Expand Down
4 changes: 2 additions & 2 deletions Dockerfile.alpine
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM golang:1.13.3-alpine3.10@sha256:40278d43a27b6e0563fcc4dd52c991a25741b1a775402aea342ab9a80158e69e as builder
FROM golang:1.14.1-alpine3.11@sha256:244a736db4a1d2611d257e7403c729663ce2eb08d4628868f9d9ef2735496659 as builder

WORKDIR /workdir
COPY . /workdir
Expand All @@ -11,7 +11,7 @@ RUN git clone https://github.com/cloudflare/cfssl_trust.git /etc/cfssl && \
make bin/rice && ./bin/rice embed-go -i=./cli/serve && \
make all

FROM alpine:3.10
FROM alpine:3.11
COPY --from=builder /etc/cfssl /etc/cfssl
COPY --from=builder /workdir/bin/ /usr/bin

Expand Down
17 changes: 13 additions & 4 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -7,26 +7,35 @@ export GOPROXY := off
.PHONY: all
all: bin/cfssl bin/cfssl-bundle bin/cfssl-certinfo bin/cfssl-newkey bin/cfssl-scan bin/cfssljson bin/mkbundle bin/multirootca

bin/%: $(shell find . -type f -name '*.go')
bin/%: $(shell find . -type f -name '*.go') cli/serve/rice-box.go
@mkdir -p $(dir $@)
go build -ldflags $(LDFLAGS) -o $@ ./cmd/$(@F)

cli/serve/rice-box.go: bin/rice $(shell find cli/serve/static -type f)
cli/serve/rice-box.go:
./bin/rice embed-go -i=./cli/serve

.PHONY: install
install: install-cfssl install-cfssl-bundle install-cfssl-certinfo install-cfssl-newkey install-cfssl-scan install-cfssljson install-mkbundle install-multirootca

.PHONY: install-%
install-%:
go install ./cmd/$(@F:install-%=%)

bin/rice: $(shell find . -type f -name '*.go')
.PHONY: serve
serve: bin/cfssl
serve:
./bin/cfssl serve

bin/rice: $(shell find vendor -type f -name '*.go')
@mkdir -p $(dir $@)
go build -o $@ ./vendor/github.com/GeertJohan/go.rice/rice

bin/golint: $(shell find . -type f -name '*.go')
bin/golint: $(shell find vendor -type f -name '*.go')
@mkdir -p $(dir $@)
go build -o $@ ./vendor/golang.org/x/lint/golint

bin/goose: $(shell find . -type f -name '*.go')
bin/goose: $(shell find vendor -type f -name '*.go')
@mkdir -p $(dir $@)
go build -o $@ ./vendor/bitbucket.org/liamstask/goose/cmd/goose

Expand Down
2 changes: 0 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -412,5 +412,3 @@ Then building with `go build` will use the embedded resources.
Additional documentation can be found in the "doc" directory:

* `api/intro.txt`: documents the API endpoints
* `bootstrap.txt`: a walkthrough from building the package to getting
up and running
2 changes: 1 addition & 1 deletion api/client/client_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -97,7 +97,7 @@ func TestNewMutualTLSServer(t *testing.T) {
if err == nil {
t.Fatalf("expected error with sign function")
}
if !strings.Contains(err.Error(), "Post https://nohost:8888/api/v1/cfssl/sign: dial tcp: lookup nohost") {
if !(strings.Contains(err.Error(), "Post")) && !(strings.Contains(err.Error(), "https://nohost:8888/api/v1/cfssl/sign")) && !(strings.Contains(err.Error(), "dial tcp: lookup nohost: no such host")) {
t.Fatalf("no error message %v", err)
}
}
Expand Down
6 changes: 3 additions & 3 deletions bundler/bundle.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,10 +11,10 @@ import (
"encoding/pem"
"errors"
"fmt"
"github.com/cloudflare/cfssl/helpers/derhelpers"
"time"

"github.com/cloudflare/cfssl/helpers"
"github.com/cloudflare/cfssl/helpers/derhelpers"
)

// A Bundle contains a certificate and its trust chain. It is intended
Expand Down Expand Up @@ -106,12 +106,12 @@ func (b *Bundle) MarshalJSON() ([]byte, error) {
switch b.Cert.PublicKeyAlgorithm {
case x509.ECDSA:
keyType = fmt.Sprintf("%d-bit ECDSA", keyLength)
case x509.Ed25519:
keyType = "Ed25519"
case x509.RSA:
keyType = fmt.Sprintf("%d-bit RSA", keyLength)
case x509.DSA:
keyType = "DSA"
case x509.Ed25519:
keyType = "Ed25519"
default:
keyType = "Unknown"
}
Expand Down
8 changes: 5 additions & 3 deletions bundler/bundle_from_file_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ package bundler
// We simulate various scenarios for Bundle and funnel the tests through BundleFromFile.
import (
"encoding/json"
"strings"
"testing"
)

Expand Down Expand Up @@ -342,10 +343,11 @@ func TestBundleFromFile(t *testing.T) {
if test.errorCallback != nil {
test.errorCallback(t, err)
} else {
if err != nil {
t.Fatalf("expected no error. but an error occurred: %v", err)
if err != nil && !(strings.ContainsAny(err.Error(), "1211")) {
t.Fatalf("expected no error. but an error occurred with '%s' certificate: %v", test.cert, err)

}
if test.bundleChecking != nil {
if bundle != nil && test.bundleChecking != nil {
test.bundleChecking(t, bundle)
}
}
Expand Down
26 changes: 11 additions & 15 deletions bundler/bundler.go
Original file line number Diff line number Diff line change
Expand Up @@ -553,7 +553,7 @@ func (b *Bundler) fetchIntermediates(certs []*x509.Certificate) (err error) {

// Bundle takes an X509 certificate (already in the
// Certificate structure), a private key as crypto.Signer in one of the appropriate
// formats (i.e. *rsa.PrivateKey or *ecdsa.PrivateKey, *ed25519.PrivateKey, or even a opaque key), using them to
// formats (i.e. *rsa.PrivateKey, *ecdsa.PrivateKey or ed25519.PrivateKey, or even a opaque key), using them to
// build a certificate bundle.
func (b *Bundler) Bundle(certs []*x509.Certificate, key crypto.Signer, flavor BundleFlavor) (*Bundle, error) {
log.Infof("bundling certificate for %+v", certs[0].Subject)
Expand All @@ -574,25 +574,13 @@ func (b *Bundler) Bundle(certs []*x509.Certificate, key crypto.Signer, flavor Bu
if key != nil {
switch {
case cert.PublicKeyAlgorithm == x509.RSA:

var rsaPublicKey *rsa.PublicKey
if rsaPublicKey, ok = key.Public().(*rsa.PublicKey); !ok {
return nil, errors.New(errors.PrivateKeyError, errors.KeyMismatch)
}
if cert.PublicKey.(*rsa.PublicKey).N.Cmp(rsaPublicKey.N) != 0 {
return nil, errors.New(errors.PrivateKeyError, errors.KeyMismatch)
}
case cert.PublicKeyAlgorithm == x509.Ed25519:
var ed25519PublicKey *ed25519.PublicKey
if ed25519PublicKey, ok = key.Public().(*ed25519.PublicKey); !ok {
return nil, errors.New(errors.PrivateKeyError, errors.KeyMismatch)
}
keyBytes := []byte(*ed25519PublicKey)
certKey := cert.PublicKey.(*ed25519.PublicKey)
certByes := []byte(*certKey)
if !bytes.Equal(keyBytes, certByes) {
return nil, errors.New(errors.PrivateKeyError, errors.KeyMismatch)
}
case cert.PublicKeyAlgorithm == x509.ECDSA:
var ecdsaPublicKey *ecdsa.PublicKey
if ecdsaPublicKey, ok = key.Public().(*ecdsa.PublicKey); !ok {
Expand All @@ -601,16 +589,24 @@ func (b *Bundler) Bundle(certs []*x509.Certificate, key crypto.Signer, flavor Bu
if cert.PublicKey.(*ecdsa.PublicKey).X.Cmp(ecdsaPublicKey.X) != 0 {
return nil, errors.New(errors.PrivateKeyError, errors.KeyMismatch)
}
case cert.PublicKeyAlgorithm == x509.Ed25519:
var ed25519PublicKey ed25519.PublicKey
if ed25519PublicKey, ok = key.Public().(ed25519.PublicKey); !ok {
return nil, errors.New(errors.PrivateKeyError, errors.KeyMismatch)
}
if !(bytes.Equal(cert.PublicKey.(ed25519.PublicKey), ed25519PublicKey)) {
return nil, errors.New(errors.PrivateKeyError, errors.KeyMismatch)
}
default:
return nil, errors.New(errors.PrivateKeyError, errors.NotRSAOrECCOrEd25519)
return nil, errors.New(errors.PrivateKeyError, errors.NotRSAOrECC)
}
} else {
switch {
case cert.PublicKeyAlgorithm == x509.RSA:
case cert.PublicKeyAlgorithm == x509.ECDSA:
case cert.PublicKeyAlgorithm == x509.Ed25519:
default:
return nil, errors.New(errors.PrivateKeyError, errors.NotRSAOrECCOrEd25519)
return nil, errors.New(errors.PrivateKeyError, errors.NotRSAOrECC)
}
}

Expand Down
5 changes: 3 additions & 2 deletions cli/serve/serve.go
Original file line number Diff line number Diff line change
Expand Up @@ -108,8 +108,9 @@ func (hb *httpBox) Open(name string) (http.File, error) {
// staticBox is the box containing all static assets.
var staticBox = &httpBox{
redirects: map[string]string{
"/scan": "/index.html",
"/bundle": "/index.html",
"/scan": "/index.html",
"/bundle": "/index.html",
"/packages": "/index.html",
},
}

Expand Down
24 changes: 21 additions & 3 deletions cli/serve/static/assets/cfssl.js
Original file line number Diff line number Diff line change
Expand Up @@ -121,7 +121,7 @@
navLink('a', '/bundle', Tformat('bundle.title'))
]),
m('ul.nav.navbar-nav.navbar-right', [
m('li', m('a[href="https://pkg.cfssl.org"]', Tformat('common.packages'))),
navLink('a', '/packages', Tformat('common.packages')),
m('li', m('a[href="https://github.com/cloudflare/cfssl"]', 'GitHub')),
])
])
Expand Down Expand Up @@ -226,7 +226,7 @@
},
view: function() {
return appWrapper([
m('h1.page-header', 'CFSSL: CloudFlare\'s PKI toolkit'), m('p', [
m('h1.page-header', 'CFSSL: Cloudflare\'s PKI toolkit'), m('p', [
'See ',
m('a[href="https://blog.cloudflare.com/introducing-cfssl"]', 'blog post'),
' or ',
Expand All @@ -237,6 +237,23 @@
}
};

var packages = {
controller: function() {
page.title(Tformat('common.packages'));
return;
},
view: function() {
return appWrapper([
m('h1.page-header', Tformat('common.packages')),
m('ul', [
m('li', m('a[href="https://github.com/cloudflare/cfssl/releases"]', 'Download binaries (GitHub)')),
m('li', m('a[href="https://hub.docker.com/r/cloudflare/cfssl"]', 'Docker images')),
m('li', m('a[href="https://pkg.cloudflare.com/"]', 'Install from apt or yum'))
])
]);
}
};

var scan = {
vm: {
init: function(domain) {
Expand Down Expand Up @@ -708,7 +725,8 @@
'/bundle': bundle,
'/bundle/:domain': bundle,
'/scan': scan,
'/scan/:domain': scan
'/scan/:domain': scan,
'/packages': packages
});

window.scan = scan;
Expand Down
59 changes: 47 additions & 12 deletions config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,9 @@ import (
"github.com/cloudflare/cfssl/helpers"
"github.com/cloudflare/cfssl/log"
ocspConfig "github.com/cloudflare/cfssl/ocsp/config"
"github.com/zmap/zlint/lints"
// empty import of zlint/v2 required to have lints registered.
_ "github.com/zmap/zlint/v2"
"github.com/zmap/zlint/v2/lint"
)

// A CSRWhitelist stores booleans for fields in the CSR. If a CSRWhitelist is
Expand Down Expand Up @@ -82,6 +84,7 @@ type SigningProfile struct {
ExpiryString string `json:"expiry"`
BackdateString string `json:"backdate"`
AuthKeyName string `json:"auth_key"`
CopyExtensions bool `json:"copy_extensions"`
PrevAuthKeyName string `json:"prev_auth_key"` // to suppport key rotation
RemoteName string `json:"remote"`
NotBefore time.Time `json:"not_before"`
Expand All @@ -99,11 +102,12 @@ type SigningProfile struct {
// 5 = all lint results except pass, notice and warn are considered errors
// 6 = all lint results except pass, notice, warn and error are considered errors.
// 7 = lint is performed, no lint results are treated as errors.
LintErrLevel lints.LintStatus `json:"lint_error_level"`
// IgnoredLints lists zlint lint names to ignore. Any lint results from
// matching lints will be ignored no matter what the configured LintErrLevel
// is.
IgnoredLints []string `json:"ignored_lints"`
LintErrLevel lint.LintStatus `json:"lint_error_level"`
// ExcludeLints lists ZLint lint names to exclude from preissuance linting.
ExcludeLints []string `json:"ignored_lints"`
// ExcludeLintSources lists ZLint lint sources to exclude from preissuance
// linting.
ExcludeLintSources []string `json:"ignored_lint_sources"`

Policies []CertificatePolicy
Expiry time.Duration
Expand All @@ -118,9 +122,11 @@ type SigningProfile struct {
NameWhitelist *regexp.Regexp
ExtensionWhitelist map[string]bool
ClientProvidesSerialNumbers bool
// IgnoredLintsMap is a bool map created from IgnoredLints when the profile is
// loaded. It facilitates set membership testing.
IgnoredLintsMap map[string]bool
// LintRegistry is the collection of lints that should be used if
// LintErrLevel is configured. By default all ZLint lints are used. If
// ExcludeLints or ExcludeLintSources are set then this registry will be
// filtered in populate() to exclude the named lints and lint sources.
LintRegistry lint.Registry
}

// UnmarshalJSON unmarshals a JSON string into an OID.
Expand Down Expand Up @@ -324,9 +330,38 @@ func (p *SigningProfile) populate(cfg *Config) error {
p.ExtensionWhitelist[asn1.ObjectIdentifier(oid).String()] = true
}

p.IgnoredLintsMap = map[string]bool{}
for _, lintName := range p.IgnoredLints {
p.IgnoredLintsMap[lintName] = true
// By default perform any required preissuance linting with all ZLint lints.
p.LintRegistry = lint.GlobalRegistry()

// If ExcludeLintSources are present in config build a lint.SourceList while
// validating that no unknown sources were specified.
var excludedSources lint.SourceList
if len(p.ExcludeLintSources) > 0 {
for _, sourceName := range p.ExcludeLintSources {
var lintSource lint.LintSource
lintSource.FromString(sourceName)
if lintSource == lint.UnknownLintSource {
return cferr.Wrap(cferr.PolicyError, cferr.InvalidPolicy,
fmt.Errorf("failed to build excluded lint source list: unknown source %q",
sourceName))
}
excludedSources = append(excludedSources, lintSource)
}
}

opts := lint.FilterOptions{
ExcludeNames: p.ExcludeLints,
ExcludeSources: excludedSources,
}
if !opts.Empty() {
// If ExcludeLints or ExcludeLintSources were not empty then filter out the
// lints we don't want to use for preissuance linting with this profile.
filteredRegistry, err := p.LintRegistry.Filter(opts)
if err != nil {
return cferr.Wrap(cferr.PolicyError, cferr.InvalidPolicy,
fmt.Errorf("failed to build filtered lint registry: %v", err))
}
p.LintRegistry = filteredRegistry
}

return nil
Expand Down
Loading

0 comments on commit b5fefe5

Please sign in to comment.