docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Check that leaf cert is first in bundle 

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
This commit is contained in:
Riyaz Faizullabhoy 2016-04-19 10:59:44 -07:00
parent 26a95ef5a3
commit ab4751d4a7
2 changed files with 10 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
trustpinning/certs.go
View File

@ -123,7 +123,7 @@ func ValidateRoot(certStore trustmanager.X509Store, root *data.Signed, gun strin
return &ErrValidationFail{Reason: "failed to validate data with current trusted certificates"} return &ErrValidationFail{Reason: "failed to validate data with current trusted certificates"}
} }
} else { } else {
logrus.Debugf("found no currently valid root certificates for %s, using trust_pinning config to bootstrap trust:", gun, trustPinning) logrus.Debugf("found no currently valid root certificates for %s, using trust_pinning config to bootstrap trust", gun)
trustPinCheckFunc, err := NewTrustPinChecker(trustPinning, gun) trustPinCheckFunc, err := NewTrustPinChecker(trustPinning, gun)
if err != nil { if err != nil {
return &ErrValidationFail{Reason: err.Error()} return &ErrValidationFail{Reason: err.Error()}
@ -275,6 +275,11 @@ func parseAllCerts(signedRoot *data.SignedRoot) (map[string]*x509.Certificate, m
logrus.Debugf("invalid chain due to leaf certificate missing or too many leaf certificates for keyID: %s", keyID) logrus.Debugf("invalid chain due to leaf certificate missing or too many leaf certificates for keyID: %s", keyID)
continue continue
} }
// If we found a leaf certificate, assert that the cert bundle started with a leaf
if decodedCerts[0].IsCA {
logrus.Debugf("invalid chain due to leaf certificate not being first certificate for keyID: %s", keyID)
continue
}
// Get the ID of the leaf certificate // Get the ID of the leaf certificate
leafCert := leafCertList[0] leafCert := leafCertList[0]

7
trustpinning/certs_test.go
View File

@ -202,10 +202,11 @@ func TestValidateRoot(t *testing.T) {
require.Equal(t, err, &ErrValidationFail{Reason: "unable to retrieve valid leaf certificates"}) require.Equal(t, err, &ErrValidationFail{Reason: "unable to retrieve valid leaf certificates"})
// //
// This call to ValidateRoot will succeed in getting to the TUF validation, since // This call to ValidateRoot could succeed in getting to the TUF validation, since
// we are using a valid PEM encoded certificate chain of intermediate + leaf cert // we are using a valid PEM encoded certificate chain of intermediate + leaf cert
// that are signed by a trusted root authority and the leaf cert has a correct CN. // that are signed by a trusted root authority and the leaf cert has a correct CN.
// It will, however, fail to validate, because it has an invalid TUF signature // It will, however, fail to validate, because the leaf cert does not precede the
// intermediate in the certificate bundle
// //
// Execute our template deleting the old buffer first // Execute our template deleting the old buffer first
signedRootBytes.Reset() signedRootBytes.Reset()
@ -217,7 +218,7 @@ func TestValidateRoot(t *testing.T) {
err = ValidateRoot(certStore, &testSignedRoot, "secure.example.com", TrustPinConfig{}) err = ValidateRoot(certStore, &testSignedRoot, "secure.example.com", TrustPinConfig{})
require.Error(t, err, "An error was expected") require.Error(t, err, "An error was expected")
require.Equal(t, err, &ErrValidationFail{Reason: "failed to validate integrity of roots"}) require.Equal(t, err, &ErrValidationFail{Reason: "unable to retrieve valid leaf certificates"})
} }
func TestValidateRootWithoutTOFUS(t *testing.T) { func TestValidateRootWithoutTOFUS(t *testing.T) {