Enforce single AIA in signing profiles (#3396)

Fixes #3374.
2018-01-29 10:50:04 -08:00 · 2018-01-29 10:50:04 -08:00 · d7a831b81b
parent cdab3a2ef8
commit d7a831b81b
2 changed files with 52 additions and 0 deletions
--- a/ca/ca.go
+++ b/ca/ca.go
@ -212,6 +212,12 @@ func NewCertificateAuthorityImpl(
 		return nil, errors.New("Config must specify an OCSP lifespan period.")
 	}

+	for _, profile := range cfsslConfigObj.Signing.Profiles {
+		if len(profile.IssuerURL) > 1 {
+			return nil, errors.New("only one issuer_url supported")
+		}
+	}
+
 	internalIssuers, err := makeInternalIssuers(
 		issuers,
 		cfsslConfigObj.Signing,
--- a/ca/ca_test.go
+++ b/ca/ca_test.go
@ -705,6 +705,52 @@ func TestRejectValidityTooLong(t *testing.T) {
 	test.Assert(t, berrors.Is(err, berrors.InternalServer), "Incorrect error type returned")
 }

+func TestSingleAIAEnforcement(t *testing.T) {
+	pa, err := policy.New(nil)
+	test.AssertNotError(t, err, "Couldn't create PA")
+
+	_, err = NewCertificateAuthorityImpl(
+		ca_config.CAConfig{
+			SerialPrefix: 1,
+			LifespanOCSP: cmd.ConfigDuration{Duration: time.Second},
+			CFSSL: cfsslConfig.Config{
+				Signing: &cfsslConfig.Signing{
+					Profiles: map[string]*cfsslConfig.SigningProfile{
+						rsaProfileName: {
+							IssuerURL: []string{"http://not-example.com/issuer-url", "bad"},
+							Usage:     []string{"digital signature", "key encipherment", "server auth"},
+							OCSP:      "http://not-example.com/ocsp",
+							CRL:       "http://not-example.com/crl",
+							Policies: []cfsslConfig.CertificatePolicy{
+								{
+									ID: cfsslConfig.OID(asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}),
+								},
+							},
+							ExpiryString: "8760h",
+							Backdate:     time.Hour,
+							CSRWhitelist: &cfsslConfig.CSRWhitelist{
+								PublicKeyAlgorithm: true,
+								PublicKey:          true,
+								SignatureAlgorithm: true,
+							},
+							ClientProvidesSerialNumbers: true,
+						},
+					},
+				},
+			},
+		},
+		&mockSA{},
+		pa,
+		clock.New(),
+		metrics.NewNoopScope(),
+		nil,
+		goodkey.KeyPolicy{},
+		&blog.Mock{},
+	)
+	test.AssertError(t, err, "NewCertificateAuthorityImpl allowed a profile with multiple issuer_urls")
+	test.AssertEquals(t, err.Error(), "only one issuer_url supported")
+}
+
 func issueCertificateSubTestAllowNoCN(t *testing.T, i *TestCertificateIssuance) {
 	cert := i.cert