do not panic when loading a V2 CA certificate, but don't try to use i…

…t either
slackhq · Nov 25, 2024 · 1c1faff · 1c1faff
1 parent 3e6c755
commit 1c1faff
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 2 deletions.
diff --git a/cert/ca_pool.go b/cert/ca_pool.go
@@ -32,11 +32,15 @@ func NewCAPoolFromPEM(caPEMs []byte) (*CAPool, error) {
 	pool := NewCAPool()
 	var err error
 	var expired bool
+	var caTooNew bool
 	for {
 		caPEMs, err = pool.AddCAFromPEM(caPEMs)
 		if errors.Is(err, ErrExpired) {
 			expired = true
 			err = nil
+		} else if errors.Is(err, ErrInvalidPEMCertificateUnsupported) {
+			caTooNew = true
+			err = nil
 		}
 		if err != nil {
 			return nil, err
@@ -48,6 +52,8 @@ func NewCAPoolFromPEM(caPEMs []byte) (*CAPool, error) {
 
 	if expired {
 		return pool, ErrExpired
+	} else if caTooNew {
+		return pool, ErrInvalidPEMCertificateUnsupported
 	}
 
 	return pool, nil

diff --git a/cert/ca_pool_test.go b/cert/ca_pool_test.go
@@ -59,6 +59,13 @@ CmYKEG5lYnVsYSBQMjU2IHRlc3Qo4s+7mgYw4tXrsAc6QQRkaW2jFmllYvN4+/k2
 76gvQAGgBgESRzBFAiEAib0/te6eMiZOKD8gdDeloMTS0wGuX2t0C7TFdUhAQzgC
 IBNWYMep3ysx9zCgknfG5dKtwGTaqF++BWKDYdyl34KX
 -----END NEBULA CERTIFICATE-----
+`
+
+	v2 := `
+# valid PEM with the V2 header
+-----BEGIN NEBULA CERTIFICATE V2-----
+CmYKEG5lYnVsYSBQMjU2IHRlc3Qo4s+7mgYw4tXrsAc6QQRkaW2jFmllYvN4+/k2
+-----END NEBULA CERTIFICATE V2-----
 `
 
 	rootCA := certificateV1{
@@ -106,4 +113,9 @@ IBNWYMep3ysx9zCgknfG5dKtwGTaqF++BWKDYdyl34KX
 	assert.Nil(t, err)
 	assert.Equal(t, ppppp.CAs[string("a7938893ec8c4ef769b06d7f425e5e46f7a7f5ffa49c3bcf4a86b608caba9159")].Certificate.Name(), rootCAP256.details.Name)
 	assert.Equal(t, len(ppppp.CAs), 1)
+
+	pppppp, err := NewCAPoolFromPEM(append([]byte(p256), []byte(v2)...))
+	assert.Equal(t, err, ErrInvalidPEMCertificateUnsupported)
+	assert.Equal(t, pppppp.CAs[string("a7938893ec8c4ef769b06d7f425e5e46f7a7f5ffa49c3bcf4a86b608caba9159")].Certificate.Name(), rootCAP256.details.Name)
+	assert.Equal(t, len(pppppp.CAs), 1)
 }
diff --git a/cert/errors.go b/cert/errors.go
@@ -24,4 +24,5 @@ var (
 	ErrInvalidPEMX25519PrivateKeyBanner  = errors.New("bytes did not contain a proper X25519 private key banner")
 	ErrInvalidPEMEd25519PublicKeyBanner  = errors.New("bytes did not contain a proper Ed25519 public key banner")
 	ErrInvalidPEMEd25519PrivateKeyBanner = errors.New("bytes did not contain a proper Ed25519 private key banner")
+	ErrInvalidPEMCertificateUnsupported  = errors.New("bytes contain an unsupported certificate format")
 )
diff --git a/cert/pem.go b/cert/pem.go
@@ -38,8 +38,7 @@ func UnmarshalCertificateFromPEM(b []byte) (Certificate, []byte, error) {
 		}
 		return c, r, nil
 	case CertificateV2Banner:
-		//TODO
-		panic("TODO")
+		return nil, r, ErrInvalidPEMCertificateUnsupported
 	default:
 		return nil, r, ErrInvalidPEMCertificateBanner
 	}

diff --git a/pki.go b/pki.go
@@ -251,6 +251,8 @@ func loadCAPoolFromConfig(l *logrus.Logger, c *config.C) (*cert.CAPool, error) {
 			return nil, errors.New("no valid CA certificates present")
 		}
 
+	} else if errors.Is(err, cert.ErrInvalidPEMCertificateUnsupported) {
+		l.WithError(err).Warn("At least one configured CA is unsupported by this version of nebula. It has been ignored.")
 	} else if err != nil {
 		return nil, fmt.Errorf("error while adding CA certificate to CA trust store: %s", err)
 	}