Fixed bug in Root Validation and added more test

Signed-off-by: Diogo Monica <diogo@docker.com>
2015-07-16 23:54:32 -07:00 · 2015-07-16 23:54:32 -07:00 · c817ba3606
parent 945691912a
commit c817ba3606
3 changed files with 171 additions and 4 deletions
--- a/client/client_root_validation_test.go
+++ b/client/client_root_validation_test.go
--- a/fixtures/self-signed_secure.example.com.crt
+++ b/fixtures/self-signed_secure.example.com.crt
@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBqDCCAU6gAwIBAgIRAM1vKVhmZuWcrogc3ASBaZUwCgYIKoZIzj0EAwIwOjEb
+MBkGA1UEChMSc2VjdXJlLmV4YW1wbGUuY29tMRswGQYDVQQDExJzZWN1cmUuZXhh
+bXBsZS5jb20wHhcNMTUwNzE3MDU1NTIzWhcNMTcwNzE2MDU1NTIzWjA6MRswGQYD
+VQQKExJzZWN1cmUuZXhhbXBsZS5jb20xGzAZBgNVBAMTEnNlY3VyZS5leGFtcGxl
+LmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABI556M7bS82ICDeXy/GcGG7D
+IoNKYx0jbqVUz4wyKy1GFJ6EHxuiENBNgTIsRBpyPwPVq3nlz9qM9Oi2eEkTjEKj
+NTAzMA4GA1UdDwEB/wQEAwIAoDATBgNVHSUEDDAKBggrBgEFBQcDAzAMBgNVHRMB
+Af8EAjAAMAoGCCqGSM49BAMCA0gAMEUCIER2XCkQ8dUWBZEUeT5kABg7neiHPtSL
+VVE6bJxu2sxlAiEAkRG6u1ieXKGl38gUkCn75Yvo9nOSLdh0gtxUUcOXvUc=
+-----END CERTIFICATE-----
--- a/keystoremanager/keystoremanager.go
+++ b/keystoremanager/keystoremanager.go
@ -210,7 +210,7 @@ func (km *KeyStoreManager) ValidateRoot(root *data.Signed, dnsName string) error

 		// If we got no leaf certificates or we got more than one, fail
 		if len(leafCerts) != 1 {
-			logrus.Debugf("error while parsing root certificate with keyID: %s, %v", keyID, err)
+			logrus.Debugf("wasn't able to find a leaf certificate in the chain of keyID: %s", keyID)
 			continue
 		}

@ -222,11 +222,26 @@ func (km *KeyStoreManager) ValidateRoot(root *data.Signed, dnsName string) error
 			continue
 		}

+		// Validate that this leaf certificate has a CN that matches the exact gun
+		if leafCert.Subject.CommonName != dnsName {
+			logrus.Debugf("error leaf certificate CN: %s doesn't match the given dns name: %s", leafCert.Subject.CommonName, dnsName)
+			continue
+		}
+
 		// Add all the valid leafs to the certificates map so we can refer to them later
 		allCerts[leafID] = leafCert

 		// Retrieve all the trusted certificates that match this dns Name
 		certsForCN, err := km.certificateStore.GetCertificatesByCN(dnsName)
+		if err != nil {
+			// If the error that we get back is different than ErrNoCertificatesFound
+			// we couldn't check if there are any certificates with this CN already
+			// trusted. Let's take the conservative approach and not trust this key
+			if _, ok := err.(*trustmanager.ErrNoCertificatesFound); !ok {
+				logrus.Debugf("error retrieving certificates for: %s, %v", dnsName, err)
+				continue
+			}
+		}

 		// If there are no certificates with this CN, lets TOFUS!
 		// Note that this logic should only exist in docker 1.8