CA: Test that the CT poison extension in CSRs is ignored. (#2915)

ca/ca_test.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"crypto"
 	"crypto/x509"
+	"crypto/x509/pkix"
 	"encoding/asn1"
 	"fmt"
 	"io/ioutil"
@@ -85,6 +86,20 @@ var (
 	//   testing here is concerned.
 	UnsupportedExtensionCSR = mustRead("./testdata/unsupported_extension.der.csr")
 
+	// CSR generated by Go:
+	// * Random public key
+	// * CN = not-example.com
+	// * Includes an extensionRequest attribute for the CT poison extension
+	//   with a valid NULL value.
+	CTPoisonExtensionCSR = mustRead("./testdata/ct_poison_extension.der.csr")
+
+	// CSR generated by Go:
+	// * Random public key
+	// * CN = not-example.com
+	// * Includes an extensionRequest attribute for the CT poison extension
+	//   with an invalid empty value.
+	CTPoisonExtensionEmptyCSR = mustRead("./testdata/ct_poison_extension_empty.der.csr")
+
 	// CSR generated by Go:
 	// * Random ECDSA public key.
 	// * CN = [none]
@@ -95,6 +110,9 @@ var (
 
 	// This is never modified, but it must be a var instead of a const so we can make references to it.
 	arbitraryRegID int64 = 1001
+
+	// OIDExtensionCTPoison is defined in RFC 6962 s3.1.
+	OIDExtensionCTPoison = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}
 )
 
 // CFSSL config
@@ -268,6 +286,8 @@ func TestIssueCertificate(t *testing.T) {
 		{"MustStapleWhenEnabled", issueCertificateSubTestMustStapleEnabledSetup, issueCertificateSubTestMustStapleWhenEnabled},
 		{"MustStapleDuplicate", issueCertificateSubTestMustStapleEnabledSetup, issueCertificateSubTestDuplicateMustStaple},
 		{"UnknownExtension", issueCertificateSubTestMustStapleEnabledSetup, issueCertificateSubTestUnknownExtension},
+		{"CTPoisonExtension", issueCertificateSubTestDefaultSetup, issueCertificateSubTestCTPoisonExtension},
+		{"CTPoisonExtensionEmpty", issueCertificateSubTestDefaultSetup, issueCertificateSubTestCTPoisonExtensionEmpty},
 	}
 
 	for _, testCase := range testCases {
@@ -710,6 +730,45 @@ func issueCertificateSubTestUnknownExtension(t *testing.T, ca *CertificateAuthor
 	test.AssertEquals(t, len(cert.Extensions), 9)
 }
 
+func issueCertificateSubTestCTPoisonExtension(t *testing.T, ca *CertificateAuthorityImpl, _ *mockSA) {
+	// The CT poison extension in the CSR should be silently ignored like an
+	// unknown extension.
+
+	coreCert, err := ca.IssueCertificate(ctx, &caPB.IssueCertificateRequest{Csr: CTPoisonExtensionCSR, RegistrationID: &arbitraryRegID})
+	test.AssertNotError(t, err, "Failed to issue")
+	cert, err := x509.ParseCertificate(coreCert.DER)
+	test.AssertNotError(t, err, "Error parsing certificate produced by CA")
+
+	test.AssertEquals(t, count(csrExtensionCategory, csrExtensionOther, ca.csrExtensionCount), 1)
+	test.AssertEquals(t, signatureCountByPurpose("cert", ca.signatureCount), 1)
+
+	test.Assert(t, !extensionPresent(cert.Extensions, OIDExtensionCTPoison), "CT poison extension is present")
+}
+
+func issueCertificateSubTestCTPoisonExtensionEmpty(t *testing.T, ca *CertificateAuthorityImpl, _ *mockSA) {
+	// The CT poison extension in the CSR should be silently ignored like an
+	// unknown extension, even if it has an invalid value.
+
+	coreCert, err := ca.IssueCertificate(ctx, &caPB.IssueCertificateRequest{Csr: CTPoisonExtensionEmptyCSR, RegistrationID: &arbitraryRegID})
+	test.AssertNotError(t, err, "Failed to issue")
+	cert, err := x509.ParseCertificate(coreCert.DER)
+	test.AssertNotError(t, err, "Error parsing certificate produced by CA")
+
+	test.AssertEquals(t, count(csrExtensionCategory, csrExtensionOther, ca.csrExtensionCount), 1)
+	test.AssertEquals(t, signatureCountByPurpose("cert", ca.signatureCount), 1)
+
+	test.Assert(t, !extensionPresent(cert.Extensions, OIDExtensionCTPoison), "CT poison extension is present")
+}
+
+func extensionPresent(extensions []pkix.Extension, id asn1.ObjectIdentifier) bool {
+	for _, ext := range extensions {
+		if ext.Id.Equal(id) {
+			return true
+		}
+	}
+	return false
+}
+
 func signatureCountByPurpose(signatureType string, signatureCount *prometheus.CounterVec) int {
 	return count("purpose", signatureType, signatureCount)
 }