feat:invalid signing time prompt improvement
Signed-off-by: fanndu <[email protected]>
fanndu committed Nov 18, 2023
1 parent c02eb73 commit b7e384b
Showing 2 changed files with 43 additions and 5 deletions.
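--- a/x509/cert_validations.go
+++ b/x509/cert_validations.go
@@ -48,8 +48,8 @@ func validateCertChain(certChain []*x509.Certificate, expectedLeafEku x509.ExtKe
 // For self-signed signing certificate (not a CA)
 if len(certChain) == 1 {
 cert := certChain[0]
-if signingTime != nil && (signingTime.Before(cert.NotBefore) || signingTime.After(cert.NotAfter)) {
-return fmt.Errorf("certificate with subject %q was not valid at signing time of %s", cert.Subject, signingTime.UTC())
+if signedTimeError := validateSignTime(cert, signingTime); signedTimeError != nil {
+return signedTimeError
 }
 if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
 return fmt.Errorf("invalid self-signed certificate. subject: %q. Error: %w", cert.Subject, err)
@@ -61,8 +61,8 @@ func validateCertChain(certChain []*x509.Certificate, expectedLeafEku x509.ExtKe
 }
 
 for i, cert := range certChain {
-if signingTime != nil && (signingTime.Before(cert.NotBefore) || signingTime.After(cert.NotAfter)) {
-return fmt.Errorf("certificate with subject %q was not valid at signing time of %s", cert.Subject, signingTime.UTC())
+if signedTimeError := validateSignTime(cert, signingTime); signedTimeError != nil {
+return signedTimeError
 }
 if i == len(certChain)-1 {
 selfSigned, selfSignedError := isSelfSigned(cert)
@@ -120,6 +120,14 @@ func isIssuedBy(subject *x509.Certificate, issuer *x509.Certificate) (bool, erro
 return bytes.Equal(issuer.RawSubject, subject.RawIssuer), nil
 }
 
+func validateSignTime(cert *x509.Certificate, signingTime *time.Time) error {
+if signingTime != nil && (signingTime.Before(cert.NotBefore) || signingTime.After(cert.NotAfter)) {
+return fmt.Errorf("certificate with subject %q was invalid at signing time of %s. Valid signing time from [%s] to [%s]",
+cert.Subject, signingTime.UTC(), cert.NotBefore.UTC(), cert.NotAfter.UTC())
+}
+return nil
+}
+
 func validateCACertificate(cert *x509.Certificate, expectedPathLen int) error {
 if err := validateCABasicConstraints(cert, expectedPathLen); err != nil {
 return err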
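Review bot: The new `validateSignTime` helper in the third hunk has no doc comment, and its most consequential behaviour — a nil `signingTime` skips the validity-window check entirely and returns nil, rather than comparing against the current time — is only discoverable by reading the condition, so a caller could assume the chain was checked against some time when it was not. I would add above the func: `// validateSignTime reports an error if signingTime lies outside [cert.NotBefore, cert.NotAfter]; the bounds are inclusive. A nil signingTime disables the check and yields nil, so callers that require a time check must supply one.` As a point of style, the helper's name does not match the `signingTime` it validates, and the two call sites bind the result to `signedTimeError` where the surrounding code (`CheckSignature`, `validateCABasicConstraints`) uses `err`; `validateSigningTime` and `if err := validateSigningTime(cert, signingTime); err != nil {` would read consistently. validateCertChain, which contains the first two hunks, starts and ends outside them.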
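--- a/x509/cert_validations_test.go
+++ b/x509/cert_validations_test.go
@@ -232,7 +232,37 @@ func TestFailInvalidSigningTime(t *testing.T) {
 
 st := time.Unix(1625690922, 0)
 err := ValidateCodeSigningCertChain(certChain, &st)
-assertErrorEqual("certificate with subject \"CN=CodeSigningLeaf\" was not valid at signing time of 2021-07-07 20:48:42 +0000 UTC", err, t)
+assertErrorEqual("certificate with subject \"CN=CodeSigningLeaf\" was invalid at signing time of 2021-07-07 20:48:42 +0000 UTC. Valid signing time from [2022-06-30 19:20:03 +0000 UTC] to [3021-10-31 19:20:03 +0000 UTC]", err, t)
 }
 
+func TestValidateSigning(t *testing.T) {
+// codeSigningCert is valid from 2022-06-30 19:20:03 +0000 UTC to 3021-10-31 19:20:03 +0000 UTC
+testCases := []struct {
+name string
+certChain *x509.Certificate
+signingTime time.Time
+expectErr string
+}{
+{"invalid before certificate period",
+codeSigningCert,
+time.Date(2022, 6, 29, 0, 0, 0, 0, time.UTC),
+"certificate with subject \"CN=CodeSigningLeaf\" was invalid at signing time of 2022-06-29 00:00:00 +0000 UTC. Valid signing time from [2022-06-30 19:20:03 +0000 UTC] to [3021-10-31 19:20:03 +0000 UTC]"},
+{"invalid after certificate period",
+codeSigningCert,
+time.Date(3021, 11, 1, 0, 0, 0, 0, time.UTC),
+"certificate with subject \"CN=CodeSigningLeaf\" was invalid at signing time of 3021-11-01 00:00:00 +0000 UTC. Valid signing time from [2022-06-30 19:20:03 +0000 UTC] to [3021-10-31 19:20:03 +0000 UTC]"},
+{"valid in certificate period",
+codeSigningCert,
+time.Date(2023, 10, 10, 0, 0, 0, 0, time.UTC),
+""},
+}
+for _, tc := range testCases {
+t.Run(tc.name, func(t *testing.T) {
+if err := validateSignTime(tc.certChain, &tc.signingTime); err != nil {
+assertErrorEqual(tc.expectErr, err, t)
+}
+})
+}
+}
+
 func TestFailChainNotEndingInRoot(t *testing.T) {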
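Review bot: In `TestValidateSigning` the loop body only calls `assertErrorEqual` when `validateSignTime` returns a non-nil error, so the two "invalid" cases would still pass if the function wrongly returned nil — the test cannot detect the very failure it exists to catch — and the "valid" case never asserts that the error is nil. The branch should be driven by `tc.expectErr`, failing when an error is expected but absent and when one appears unexpectedly. The struct field named `certChain` holds a single `*x509.Certificate`, so `cert` would describe it better. `TestFailChainNotEndingInRoot` continues outside the hunk.
```go
for _, tc := range testCases {
	t.Run(tc.name, func(t *testing.T) {
		err := validateSignTime(tc.certChain, &tc.signingTime)
		if tc.expectErr == "" {
			if err != nil {
				t.Fatalf("expected no error, got %v", err)
			}
			return
		}
		if err == nil {
			t.Fatalf("expected error %q, got nil", tc.expectErr)
		}
		assertErrorEqual(tc.expectErr, err, t)
	})
}
```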
