Eventing TLS: validate that Destination.CACerts is a PEM encoded cert (#2743)

* added check to cacerts Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * added test Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * added csr test Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * OR to AND Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> --------- Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
2023-05-18 20:13:13 +05:30 · 2023-05-18 20:13:13 +05:30 · a170a07b34
parent dfb4bf0463
commit a170a07b34
4 changed files with 189 additions and 0 deletions
--- a/apis/duck/v1/destination.go
+++ b/apis/duck/v1/destination.go
@ -18,6 +18,8 @@ package v1

 import (
 	"context"
+	"crypto/x509"
+	"encoding/pem"

 	"knative.dev/pkg/apis"
 )
@ -53,6 +55,7 @@ func (d *Destination) Validate(ctx context.Context) *apis.FieldError {
 func ValidateDestination(ctx context.Context, dest Destination) *apis.FieldError {
 	ref := dest.Ref
 	uri := dest.URI
+	caCerts := dest.CACerts
 	if ref == nil && uri == nil {
 		return apis.ErrGeneric("expected at least one, got none", "ref", "uri")
 	}
@ -67,6 +70,9 @@ func ValidateDestination(ctx context.Context, dest Destination) *apis.FieldError
 	if ref != nil && uri == nil {
 		return ref.Validate(ctx).ViaField("ref")
 	}
+	if caCerts != nil {
+		return validateCACerts(caCerts)
+	}
 	return nil
 }

@ -88,3 +94,20 @@ func (d *Destination) SetDefaults(ctx context.Context) {
 		d.Ref.Namespace = apis.ParentMeta(ctx).Namespace
 	}
 }
+
+func validateCACerts(CACert *string) *apis.FieldError {
+	// Check the object.
+	var errs *apis.FieldError
+
+	block, err := pem.Decode([]byte(*CACert))
+	if err != nil && block == nil {
+		errs = errs.Also(apis.ErrInvalidValue("CA Cert provided is invalid", "caCert"))
+		return errs
+	}
+	if block.Type != "CERTIFICATE" {
+		errs = errs.Also(apis.ErrInvalidValue("CA Cert provided is not a certificate", "caCert"))
+	} else if _, err := x509.ParseCertificate(block.Bytes); err != nil {
+		errs = errs.Also(apis.ErrInvalidValue("CA Cert provided is invalid", "caCert"))
+	}
+	return errs
+}
--- a/apis/duck/v1/destination_test.go
+++ b/apis/duck/v1/destination_test.go
@ -32,6 +32,51 @@ const (
 	namespace  = "b-namespace"
 )

+var (
+	testCert = `-----BEGIN CERTIFICATE-----
+MIIDmjCCAoKgAwIBAgIUYzA4bTMXevuk3pl2Mn8hpCYL2C0wDQYJKoZIhvcNAQEL
+BQAwLzELMAkGA1UEBhMCVVMxIDAeBgNVBAMMF0tuYXRpdmUtRXhhbXBsZS1Sb290
+LUNBMB4XDTIzMDQwNTEzMTUyNFoXDTI2MDEyMzEzMTUyNFowbTELMAkGA1UEBhMC
+VVMxEjAQBgNVBAgMCVlvdXJTdGF0ZTERMA8GA1UEBwwIWW91ckNpdHkxHTAbBgNV
+BAoMFEV4YW1wbGUtQ2VydGlmaWNhdGVzMRgwFgYDVQQDDA9sb2NhbGhvc3QubG9j
+YWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5teo+En6U5nhqn7Sc
+uanqswUmPlgs9j/8l21Rhb4T+ezlYKGQGhbJyFFMuiCE1Rjn8bpCwi7Nnv12Y2nz
+FhEv2Jx0yL3Tqx0Q593myqKDq7326EtbO7wmDT0XD03twH5i9XZ0L0ihPWn1mjUy
+WxhnHhoFpXrsnQECJorZY6aTrFbGVYelIaj5AriwiqyL0fET8pueI2GwLjgWHFSH
+X8XsGAlcLUhkQG0Z+VO9usy4M1Wpt+cL6cnTiQ+sRmZ6uvaj8fKOT1Slk/oUeAi4
+WqFkChGzGzLik0QrhKGTdw3uUvI1F2sdQj0GYzXaWqRz+tP9qnXdzk1GrszKKSlm
+WBTLAgMBAAGjcDBuMB8GA1UdIwQYMBaAFJJcCftus4vj98N0zQQautsjEu82MAkG
+A1UdEwQCMAAwCwYDVR0PBAQDAgTwMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAdBgNV
+HQ4EFgQUnu/3vqA3VEzm128x/hLyZzR9JlgwDQYJKoZIhvcNAQELBQADggEBAFc+
+1cKt/CNjHXUsirgEhry2Mm96R6Yxuq//mP2+SEjdab+FaXPZkjHx118u3PPX5uTh
+gTT7rMfka6J5xzzQNqJbRMgNpdEFH1bbc11aYuhi0khOAe0cpQDtktyuDJQMMv3/
+3wu6rLr6fmENo0gdcyUY9EiYrglWGtdXhlo4ySRY8UZkUScG2upvyOhHTxVCAjhP
+efbMkNjmDuZOMK+wqanqr5YV6zMPzkQK7DspfRgasMAQmugQu7r2MZpXg8Ilhro1
+s/wImGnMVk5RzpBVrq2VB9SkX/ThTVYEC/Sd9BQM364MCR+TA1l8/ptaLFLuwyw8
+O2dgzikq8iSy1BlRsVw=
+-----END CERTIFICATE-----`
+
+	csr = `-----BEGIN CERTIFICATE REQUEST-----
+MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV
+BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln
+aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo
+wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c
+1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI
+WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ
+wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR
+BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ
+KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D
+hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY
+Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/
+ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn
+29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2
+97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w=
+-----END CERTIFICATE REQUEST-----`
+
+	invaidCert = "certificate"
+)
+
 func TestValidateDestination(t *testing.T) {
 	ctx := context.Background()

@ -117,6 +162,32 @@ func TestValidateDestination(t *testing.T) {
 			},
 			Ref: &validRef,
 		},
+	}, "valid, CACert is valid": {
+		dest: &Destination{
+			URI: &apis.URL{
+				Path: "/handler",
+			},
+			Ref:     &validRef,
+			CACerts: &testCert,
+		},
+	}, "invalid,CACert is invalid": {
+		dest: &Destination{
+			URI: &apis.URL{
+				Path: "/handler",
+			},
+			Ref:     &validRef,
+			CACerts: &invaidCert,
+		},
+		want: "invalid value: CA Cert provided is invalid: caCert",
+	}, "invalid,CSR provided not CA Cert": {
+		dest: &Destination{
+			URI: &apis.URL{
+				Path: "/handler",
+			},
+			Ref:     &validRef,
+			CACerts: &csr,
+		},
+		want: "invalid value: CA Cert provided is not a certificate: caCert",
 	}}

 	for name, tc := range tests {
--- a/apis/duck/v1beta1/destination.go
+++ b/apis/duck/v1beta1/destination.go
@ -18,6 +18,8 @@ package v1beta1

 import (
 	"context"
+	"crypto/x509"
+	"encoding/pem"

 	corev1 "k8s.io/api/core/v1"
 	"knative.dev/pkg/apis"
@ -117,6 +119,9 @@ func ValidateDestination(dest Destination, allowDeprecatedFields bool) *apis.Fie
 		}
 		return validateDestinationRef(*ref)
 	}
+	if dest.CACerts != nil {
+		return validateCACerts(dest.CACerts)
+	}
 	return nil
 }

@ -162,3 +167,19 @@ func validateDestinationRef(ref corev1.ObjectReference) *apis.FieldError {

 	return errs
 }
+func validateCACerts(CACert *string) *apis.FieldError {
+	// Check the object.
+	var errs *apis.FieldError
+
+	block, err := pem.Decode([]byte(*CACert))
+	if err != nil && block == nil {
+		errs = errs.Also(apis.ErrInvalidValue("CA Cert provided is invalid", "caCert"))
+		return errs
+	}
+	if block.Type != "CERTIFICATE" {
+		errs = errs.Also(apis.ErrInvalidValue("CA Cert provided is not a certificate", "caCert"))
+	} else if _, err := x509.ParseCertificate(block.Bytes); err != nil {
+		errs = errs.Also(apis.ErrInvalidValue("CA Cert provided is invalid", "caCert"))
+	}
+	return errs
+}
--- a/apis/duck/v1beta1/destination_test.go
+++ b/apis/duck/v1beta1/destination_test.go
@ -31,6 +31,51 @@ const (
 	name       = "a-name"
 )

+var (
+	testCert = `-----BEGIN CERTIFICATE-----
+MIIDmjCCAoKgAwIBAgIUYzA4bTMXevuk3pl2Mn8hpCYL2C0wDQYJKoZIhvcNAQEL
+BQAwLzELMAkGA1UEBhMCVVMxIDAeBgNVBAMMF0tuYXRpdmUtRXhhbXBsZS1Sb290
+LUNBMB4XDTIzMDQwNTEzMTUyNFoXDTI2MDEyMzEzMTUyNFowbTELMAkGA1UEBhMC
+VVMxEjAQBgNVBAgMCVlvdXJTdGF0ZTERMA8GA1UEBwwIWW91ckNpdHkxHTAbBgNV
+BAoMFEV4YW1wbGUtQ2VydGlmaWNhdGVzMRgwFgYDVQQDDA9sb2NhbGhvc3QubG9j
+YWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5teo+En6U5nhqn7Sc
+uanqswUmPlgs9j/8l21Rhb4T+ezlYKGQGhbJyFFMuiCE1Rjn8bpCwi7Nnv12Y2nz
+FhEv2Jx0yL3Tqx0Q593myqKDq7326EtbO7wmDT0XD03twH5i9XZ0L0ihPWn1mjUy
+WxhnHhoFpXrsnQECJorZY6aTrFbGVYelIaj5AriwiqyL0fET8pueI2GwLjgWHFSH
+X8XsGAlcLUhkQG0Z+VO9usy4M1Wpt+cL6cnTiQ+sRmZ6uvaj8fKOT1Slk/oUeAi4
+WqFkChGzGzLik0QrhKGTdw3uUvI1F2sdQj0GYzXaWqRz+tP9qnXdzk1GrszKKSlm
+WBTLAgMBAAGjcDBuMB8GA1UdIwQYMBaAFJJcCftus4vj98N0zQQautsjEu82MAkG
+A1UdEwQCMAAwCwYDVR0PBAQDAgTwMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAdBgNV
+HQ4EFgQUnu/3vqA3VEzm128x/hLyZzR9JlgwDQYJKoZIhvcNAQELBQADggEBAFc+
+1cKt/CNjHXUsirgEhry2Mm96R6Yxuq//mP2+SEjdab+FaXPZkjHx118u3PPX5uTh
+gTT7rMfka6J5xzzQNqJbRMgNpdEFH1bbc11aYuhi0khOAe0cpQDtktyuDJQMMv3/
+3wu6rLr6fmENo0gdcyUY9EiYrglWGtdXhlo4ySRY8UZkUScG2upvyOhHTxVCAjhP
+efbMkNjmDuZOMK+wqanqr5YV6zMPzkQK7DspfRgasMAQmugQu7r2MZpXg8Ilhro1
+s/wImGnMVk5RzpBVrq2VB9SkX/ThTVYEC/Sd9BQM364MCR+TA1l8/ptaLFLuwyw8
+O2dgzikq8iSy1BlRsVw=
+-----END CERTIFICATE-----`
+
+	csr = `-----BEGIN CERTIFICATE REQUEST-----
+MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV
+BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln
+aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo
+wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c
+1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI
+WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ
+wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR
+BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ
+KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D
+hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY
+Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/
+ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn
+29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2
+97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w=
+-----END CERTIFICATE REQUEST-----`
+
+	invaidCert = "certificate"
+)
+
 func TestValidateDestination(t *testing.T) {
 	ctx := context.Background()

@ -187,6 +232,35 @@ func TestValidateDestination(t *testing.T) {
 				DeprecatedName:       name,
 			},
 		},
+		"valid, CACert is valid": {
+			dest: &Destination{
+				URI: &apis.URL{
+					Path: "/handler",
+				},
+				Ref:     &validRef,
+				CACerts: &testCert,
+			},
+		},
+		"invalid,CACert is invalid": {
+			dest: &Destination{
+				URI: &apis.URL{
+					Path: "/handler",
+				},
+				Ref:     &validRef,
+				CACerts: &invaidCert,
+			},
+			want: "invalid value: CA Cert provided is invalid: caCert",
+		},
+		"invalid,CSR provided not CA Cert": {
+			dest: &Destination{
+				URI: &apis.URL{
+					Path: "/handler",
+				},
+				Ref:     &validRef,
+				CACerts: &csr,
+			},
+			want: "invalid value: CA Cert provided is not a certificate: caCert",
+		},
 	}

 	for name, tc := range tests {