From 1c1faffa06252444ac7f6593169b795cd2415645 Mon Sep 17 00:00:00 2001
From: Jack Doan
Date: Mon, 25 Nov 2024 11:02:47 -0500
Subject: [PATCH] do not panic when loading a V2 CA certificate, but don't try to use it either

---
 cert/ca_pool.go | 6 ++++++
 cert/ca_pool_test.go | 12 ++++++++++++
 cert/errors.go | 1 +
 cert/pem.go | 3 +--
 pki.go | 2 ++
 5 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/cert/ca_pool.go b/cert/ca_pool.go
index d52583035..e041b4bbb 100644
--- a/cert/ca_pool.go
+++ b/cert/ca_pool.go
@@ -32,11 +32,15 @@ func NewCAPoolFromPEM(caPEMs []byte) (*CAPool, error) {
 pool := NewCAPool()
 var err error
 var expired bool
+ var caTooNew bool
 for {
 caPEMs, err = pool.AddCAFromPEM(caPEMs)
 if errors.Is(err, ErrExpired) {
 expired = true
 err = nil
+ } else if errors.Is(err, ErrInvalidPEMCertificateUnsupported) {
+ caTooNew = true
+ err = nil
 }
 if err != nil {
 return nil, err
@@ -48,6 +52,8 @@ func NewCAPoolFromPEM(caPEMs []byte) (*CAPool, error) {
 if expired {
 return pool, ErrExpired
+ } else if caTooNew {
+ return pool, ErrInvalidPEMCertificateUnsupported
 }
 return pool, nil
diff --git a/cert/ca_pool_test.go b/cert/ca_pool_test.go
index 053640d98..9181f541e 100644
--- a/cert/ca_pool_test.go
+++ b/cert/ca_pool_test.go
@@ -59,6 +59,13 @@ CmYKEG5lYnVsYSBQMjU2IHRlc3Qo4s+7mgYw4tXrsAc6QQRkaW2jFmllYvN4+/k2
 76gvQAGgBgESRzBFAiEAib0/te6eMiZOKD8gdDeloMTS0wGuX2t0C7TFdUhAQzgC
 IBNWYMep3ysx9zCgknfG5dKtwGTaqF++BWKDYdyl34KX
 -----END NEBULA CERTIFICATE-----
+`
+
+ v2 := `
+# valid PEM with the V2 header
+-----BEGIN NEBULA CERTIFICATE V2-----
+CmYKEG5lYnVsYSBQMjU2IHRlc3Qo4s+7mgYw4tXrsAc6QQRkaW2jFmllYvN4+/k2
+-----END NEBULA CERTIFICATE V2-----
 `
 rootCA := certificateV1{
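Review bot: The two returns in the second hunk (`@@ -48,6 +52,8`) make ErrExpired win whenever both flags are set, so a bundle that holds an expired CA and a V2 CA reports only the expiry and the caller never learns that a trust anchor was silently dropped; the `} else if caTooNew {` branch is unreachable in that case. If the module's Go version permits it, returning `errors.Join(ErrExpired, ErrInvalidPEMCertificateUnsupported)` when both are set keeps both `errors.Is` checks true for callers; otherwise the precedence should at least be stated in NewCAPoolFromPEM's doc comment, e.g. `// A non-nil pool may be returned together with ErrExpired or ErrInvalidPEMCertificateUnsupported; when both conditions occur only ErrExpired is reported.` The `caTooNew` flag set in the first hunk also records neither how many blocks were skipped nor where they sat in the input, which is what an operator would need to find the misconfigured CA. The body of NewCAPoolFromPEM begins before the first hunk and its doc comment and the lines between the two hunks are not shown.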
@@ -106,4 +113,9 @@ IBNWYMep3ysx9zCgknfG5dKtwGTaqF++BWKDYdyl34KX
 assert.Nil(t, err)
 assert.Equal(t, ppppp.CAs[string("a7938893ec8c4ef769b06d7f425e5e46f7a7f5ffa49c3bcf4a86b608caba9159")].Certificate.Name(), rootCAP256.details.Name)
 assert.Equal(t, len(ppppp.CAs), 1)
+
+ pppppp, err := NewCAPoolFromPEM(append([]byte(p256), []byte(v2)...))
+ assert.Equal(t, err, ErrInvalidPEMCertificateUnsupported)
+ assert.Equal(t, pppppp.CAs[string("a7938893ec8c4ef769b06d7f425e5e46f7a7f5ffa49c3bcf4a86b608caba9159")].Certificate.Name(), rootCAP256.details.Name)
+ assert.Equal(t, len(pppppp.CAs), 1)
 }
diff --git a/cert/errors.go b/cert/errors.go
index da0d1be3f..1c7fda12a 100644
--- a/cert/errors.go
+++ b/cert/errors.go
@@ -24,4 +24,5 @@ var (
 ErrInvalidPEMX25519PrivateKeyBanner = errors.New("bytes did not contain a proper X25519 private key banner")
 ErrInvalidPEMEd25519PublicKeyBanner = errors.New("bytes did not contain a proper Ed25519 public key banner")
 ErrInvalidPEMEd25519PrivateKeyBanner = errors.New("bytes did not contain a proper Ed25519 private key banner")
+ ErrInvalidPEMCertificateUnsupported = errors.New("bytes contain an unsupported certificate format")
 )
diff --git a/cert/pem.go b/cert/pem.go
index 744ae2edf..cbccdb2bb 100644
--- a/cert/pem.go
+++ b/cert/pem.go
@@ -38,8 +38,7 @@ func UnmarshalCertificateFromPEM(b []byte) (Certificate, []byte, error) {
 }
 return c, r, nil
 case CertificateV2Banner:
- //TODO
- panic("TODO")
+ return nil, r, ErrInvalidPEMCertificateUnsupported
 default:
 return nil, r, ErrInvalidPEMCertificateBanner
 }
diff --git a/pki.go b/pki.go
index fe64ea5ee..e6f30e40f 100644
--- a/pki.go
+++ b/pki.go
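Review bot: `assert.Equal(t, err, ErrInvalidPEMCertificateUnsupported)` checks the sentinel by plain equality with the arguments in (actual, expected) order, so the assertion breaks as soon as NewCAPoolFromPEM wraps the error and any failure message labels the two values backwards; `assert.ErrorIs(t, err, ErrInvalidPEMCertificateUnsupported)` matches how ca_pool.go itself tests the error. The new case only exercises a supported CA followed by an unsupported one; a bundle containing only the V2 block (the pool must come back empty while the error is still returned) and a bundle mixing the expired CA with the V2 block (which error the caller sees) would pin down exactly the behaviour this change introduces. The `string(...)` conversion around the fingerprint literal is redundant, though it mirrors the line above.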
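Review bot: The new `case CertificateV2Banner:` return changes UnmarshalCertificateFromPEM's contract without saying so: callers now have to know that the remainder `r` is still valid on this error so they can skip the block and keep iterating, which is exactly what NewCAPoolFromPEM relies on. The function's doc comment (outside the hunk) should state it, e.g. `// A block carrying the V2 banner yields ErrInvalidPEMCertificateUnsupported together with the bytes following that block, so callers may skip it and continue.` Note that the returned sentinel carries no indication of which block was skipped, and wrapping it with more context would break the equality assertion added in ca_pool_test.go, so any extra detail would have to come from the caller.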
@@ -251,6 +251,8 @@ func loadCAPoolFromConfig(l *logrus.Logger, c *config.C) (*cert.CAPool, error) {
 return nil, errors.New("no valid CA certificates present")
 }
+ } else if errors.Is(err, cert.ErrInvalidPEMCertificateUnsupported) {
+ l.WithError(err).Warn("At least one configured CA is unsupported by this version of nebula. It has been ignored.")
 } else if err != nil {
 return nil, fmt.Errorf("error while adding CA certificate to CA trust store: %s", err)
 }
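Review bot: The new `else if` branch warns and falls through even when every configured CA was unsupported, so a node whose config holds only V2 CA certificates appears to continue with an empty trust store, whereas the ErrExpired branch directly above refuses with "no valid CA certificates present". The unsupported branch should apply the same guard before warning, e.g. `if len(caPool.CAs) == 0 { return nil, errors.New("no valid CA certificates present") }` (assuming the pool variable is named caPool; its declaration is outside the hunk). Since the error does not identify the skipped block, the warning cannot name the ignored CA either; adding the number of anchors that were loaded, `l.WithError(err).WithField("loaded", len(caPool.CAs)).Warn(...)`, at least lets an operator notice that an expected anchor is missing. loadCAPoolFromConfig starts and ends outside the hunk.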