From fc1f13fd84d3e8a9c34a81dbfceb25adb205db2c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=BE=90=E8=83=96?= Date: Thu, 20 Jan 2022 18:42:15 +0800 Subject: [PATCH] Alias x509 types --- smx509/root_windows.go | 6 +++--- smx509/verify.go | 43 ++++++++++++++++++++++++++++-------------- smx509/verify_test.go | 8 ++++---- 3 files changed, 36 insertions(+), 21 deletions(-) diff --git a/smx509/root_windows.go b/smx509/root_windows.go index 949902b..bd4c319 100644 --- a/smx509/root_windows.go +++ b/smx509/root_windows.go @@ -92,9 +92,9 @@ func checkChainTrustStatus(c *Certificate, chainCtx *syscall.CertChainContext) e status := chainCtx.TrustStatus.ErrorStatus switch status { case syscall.CERT_TRUST_IS_NOT_TIME_VALID: - return x509.CertificateInvalidError{c.asX509(), x509.Expired, ""} + return CertificateInvalidError{c.asX509(), Expired, ""} case syscall.CERT_TRUST_IS_NOT_VALID_FOR_USAGE: - return x509.CertificateInvalidError{c.asX509(), x509.IncompatibleUsage, ""} + return CertificateInvalidError{c.asX509(), IncompatibleUsage, ""} // TODO(filippo): surface more error statuses. default: return UnknownAuthorityError{c, nil, nil} @@ -133,7 +133,7 @@ func checkChainSSLServerPolicy(c *Certificate, chainCtx *syscall.CertChainContex if status.Error != 0 { switch status.Error { case syscall.CERT_E_EXPIRED: - return x509.CertificateInvalidError{Cert: c.asX509(), Reason: x509.Expired, Detail: ""} + return CertificateInvalidError{Cert: c.asX509(), Reason: Expired, Detail: ""} case syscall.CERT_E_CN_NO_MATCH: return x509.HostnameError{Certificate: c.asX509(), Host: opts.DNSName} case syscall.CERT_E_UNTRUSTEDROOT: diff --git a/smx509/verify.go b/smx509/verify.go index 5f564de..2467153 100644 --- a/smx509/verify.go +++ b/smx509/verify.go @@ -14,6 +14,21 @@ import ( "unicode/utf8" ) +const ( + NotAuthorizedToSign = x509.NotAuthorizedToSign + Expired = x509.Expired + CANotAuthorizedForThisName = x509.CANotAuthorizedForThisName + TooManyIntermediates = x509.TooManyIntermediates + IncompatibleUsage = x509.IncompatibleUsage + NameMismatch = x509.NameMismatch + NameConstraintsWithoutSANs = x509.NameConstraintsWithoutSANs + UnconstrainedName = x509.UnconstrainedName + TooManyConstraints = x509.TooManyConstraints + CANotAuthorizedForExtKeyUsage = x509.CANotAuthorizedForExtKeyUsage +) + +type CertificateInvalidError = x509.CertificateInvalidError + // UnknownAuthorityError results when the certificate issuer is unknown type UnknownAuthorityError struct { Cert *Certificate @@ -246,18 +261,18 @@ func (c *Certificate) checkNameConstraints(count *int, *count += excludedValue.Len() if *count > maxConstraintComparisons { - return x509.CertificateInvalidError{c.asX509(), x509.TooManyConstraints, ""} + return CertificateInvalidError{c.asX509(), TooManyConstraints, ""} } for i := 0; i < excludedValue.Len(); i++ { constraint := excludedValue.Index(i).Interface() match, err := match(parsedName, constraint) if err != nil { - return x509.CertificateInvalidError{c.asX509(), x509.CANotAuthorizedForThisName, err.Error()} + return CertificateInvalidError{c.asX509(), CANotAuthorizedForThisName, err.Error()} } if match { - return x509.CertificateInvalidError{c.asX509(), x509.CANotAuthorizedForThisName, fmt.Sprintf("%s %q is excluded by constraint %q", nameType, name, constraint)} + return CertificateInvalidError{c.asX509(), CANotAuthorizedForThisName, fmt.Sprintf("%s %q is excluded by constraint %q", nameType, name, constraint)} } } @@ -265,7 +280,7 @@ func (c *Certificate) checkNameConstraints(count *int, *count += permittedValue.Len() if *count > maxConstraintComparisons { - return x509.CertificateInvalidError{c.asX509(), x509.TooManyConstraints, ""} + return CertificateInvalidError{c.asX509(), TooManyConstraints, ""} } ok := true @@ -274,7 +289,7 @@ func (c *Certificate) checkNameConstraints(count *int, var err error if ok, err = match(parsedName, constraint); err != nil { - return x509.CertificateInvalidError{c.asX509(), x509.CANotAuthorizedForThisName, err.Error()} + return CertificateInvalidError{c.asX509(), CANotAuthorizedForThisName, err.Error()} } if ok { @@ -283,7 +298,7 @@ func (c *Certificate) checkNameConstraints(count *int, } if !ok { - return x509.CertificateInvalidError{c.asX509(), x509.CANotAuthorizedForThisName, fmt.Sprintf("%s %q is not permitted by any constraint", nameType, name)} + return CertificateInvalidError{c.asX509(), CANotAuthorizedForThisName, fmt.Sprintf("%s %q is not permitted by any constraint", nameType, name)} } return nil @@ -334,7 +349,7 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V if len(currentChain) > 0 { child := currentChain[len(currentChain)-1] if !bytes.Equal(child.RawIssuer, c.RawSubject) { - return x509.CertificateInvalidError{c.asX509(), x509.NameMismatch, ""} + return CertificateInvalidError{c.asX509(), NameMismatch, ""} } } @@ -343,15 +358,15 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V now = time.Now() } if now.Before(c.NotBefore) { - return x509.CertificateInvalidError{ + return CertificateInvalidError{ Cert: c.asX509(), - Reason: x509.Expired, + Reason: Expired, Detail: fmt.Sprintf("current time %s is before %s", now.Format(time.RFC3339), c.NotBefore.Format(time.RFC3339)), } } else if now.After(c.NotAfter) { - return x509.CertificateInvalidError{ + return CertificateInvalidError{ Cert: c.asX509(), - Reason: x509.Expired, + Reason: Expired, Detail: fmt.Sprintf("current time %s is after %s", now.Format(time.RFC3339), c.NotAfter.Format(time.RFC3339)), } } @@ -458,13 +473,13 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V // encryption key could only be used for Diffie-Hellman key agreement. if certType == intermediateCertificate && (!c.BasicConstraintsValid || !c.IsCA) { - return x509.CertificateInvalidError{c.asX509(), x509.NotAuthorizedToSign, ""} + return CertificateInvalidError{c.asX509(), NotAuthorizedToSign, ""} } if c.BasicConstraintsValid && c.MaxPathLen >= 0 { numIntermediates := len(currentChain) - 1 if numIntermediates > c.MaxPathLen { - return x509.CertificateInvalidError{c.asX509(), x509.TooManyIntermediates, ""} + return CertificateInvalidError{c.asX509(), TooManyIntermediates, ""} } } @@ -571,7 +586,7 @@ func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err e } if len(chains) == 0 { - return nil, x509.CertificateInvalidError{c.asX509(), x509.IncompatibleUsage, ""} + return nil, CertificateInvalidError{c.asX509(), IncompatibleUsage, ""} } return chains, nil diff --git a/smx509/verify_test.go b/smx509/verify_test.go index 0c3606c..e80423f 100644 --- a/smx509/verify_test.go +++ b/smx509/verify_test.go @@ -377,13 +377,13 @@ func expectHostnameError(msg string) func(*testing.T, error) { } func expectExpired(t *testing.T, err error) { - if inval, ok := err.(x509.CertificateInvalidError); !ok || inval.Reason != x509.Expired { + if inval, ok := err.(CertificateInvalidError); !ok || inval.Reason != Expired { t.Fatalf("error was not Expired: %v", err) } } func expectUsageError(t *testing.T, err error) { - if inval, ok := err.(x509.CertificateInvalidError); !ok || inval.Reason != x509.IncompatibleUsage { + if inval, ok := err.(CertificateInvalidError); !ok || inval.Reason != IncompatibleUsage { t.Fatalf("error was not IncompatibleUsage: %v", err) } } @@ -408,13 +408,13 @@ func expectHashError(t *testing.T, err error) { } func expectNameConstraintsError(t *testing.T, err error) { - if inval, ok := err.(x509.CertificateInvalidError); !ok || inval.Reason != x509.CANotAuthorizedForThisName { + if inval, ok := err.(CertificateInvalidError); !ok || inval.Reason != CANotAuthorizedForThisName { t.Fatalf("error was not a CANotAuthorizedForThisName: %v", err) } } func expectNotAuthorizedError(t *testing.T, err error) { - if inval, ok := err.(x509.CertificateInvalidError); !ok || inval.Reason != x509.NotAuthorizedToSign { + if inval, ok := err.(CertificateInvalidError); !ok || inval.Reason != NotAuthorizedToSign { t.Fatalf("error was not a NotAuthorizedToSign: %v", err) } }