diff --git a/certificate.go b/certificate.go
index b2778b5..74f87af 100644
--- a/certificate.go
+++ b/certificate.go
@@ -41,6 +41,16 @@ func ParseCertificate(asn1Data []byte) (*Certificate, error) {
 // It checks for the correct signature algorithm, identity namespace, and identity.
 // On success, it sets the ID, Namespace, and PublicKey fields.
 func NewCertificate(cert *x509.Certificate) (*Certificate, error) {
+ if !cert.BasicConstraintsValid {
+ return nil, fmt.Errorf("%w: basic constraints not valid", ErrCertificateInvalid)
+ }
+
+ if cert.IsCA {
+ if cert.KeyUsage&x509.KeyUsageCertSign == 0 {
+ return nil, fmt.Errorf("%w: certificate is a CA but cannot sign", ErrCertificateInvalid)
+ }
+ }
+
+ // Check for bifrost signature algorithm
 if cert.SignatureAlgorithm != SignatureAlgorithm {
 return nil, fmt.Errorf(
diff --git a/cmd/bf/ca.go b/cmd/bf/ca.go
index 31344e9..7221d49 100644
--- a/cmd/bf/ca.go
+++ b/cmd/bf/ca.go
@@ -28,7 +28,7 @@ var (
 Name: "host",
 Usage: "listen on `HOST`",
 Aliases: []string{"H"},
- EnvVars: envvarNames("HOST"),
+ EnvVars: []string{"HOST"},
 Value: "localhost",
 Destination: &caHost,
 Action: func(_ *cli.Context, h string) error {
@@ -42,7 +42,7 @@ var (
 Name: "port",
 Usage: "listen on `PORT`",
 Aliases: []string{"p"},
- EnvVars: envvarNames("PORT"),
+ EnvVars: []string{"PORT"},
 Value: 8008,
 Destination: &caPort,
 Action: func(_ *cli.Context, p int) error {
@@ -56,13 +56,13 @@ var (
 Name: "web",
 Usage: "enable web interface",
 Aliases: []string{"w"},
- EnvVars: envvarNames("WEB"),
+ EnvVars: []string{"WEB"},
 Destination: &webEnabled,
 },
 &cli.PathFlag{
 Name: "web-static-path",
 Usage: "read web static files from `PATH`",
- EnvVars: envvarNames("WEB_STATIC_PATH"),
+ EnvVars: []string{"WEB_STATIC_PATH"},
 Destination: &webStaticPath,
 },
 &cli.BoolFlag{
diff --git a/cmd/bf/flags.go b/cmd/bf/flags.go
index 3c35470..073e4c3 100644
--- a/cmd/bf/flags.go
+++ b/cmd/bf/flags.go
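Review bot: The doc comment directly above `NewCertificate` (the two context lines at the top of the certificate.go hunk) still lists only the signature-algorithm, namespace and identity checks, so the new basic-constraints and CA key-usage requirements are undocumented for callers; add a line such as `// It also rejects certificates that lack the basic constraints extension and CA certificates without the certSign key usage.` The first new guard rejects every certificate whose basic-constraints extension is absent, which is how end-entity certificates from many issuers are encoded, so if `NewCertificate` is ever handed a leaf not issued by this project's CA it now fails with `ErrCertificateInvalid`; that may be intended, but it belongs in the comment. The nested `if cert.IsCA { if cert.KeyUsage&x509.KeyUsageCertSign == 0 {` can be one condition, `if cert.IsCA && cert.KeyUsage&x509.KeyUsageCertSign == 0 {`. The body of NewCertificate continues past the end of the hunk.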
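Review bot: Replacing `envvarNames("HOST")` with `[]string{"HOST"}` (and likewise `PORT`, `WEB` and `WEB_STATIC_PATH` in the other two cmd/bf/ca.go hunks, `LOG_LEVEL` in cmd/bf/main.go, `HOST`/`PORT` in cmd/bf/proxy.go, and the flags in cmd/bf/flags.go) silently drops the `BF_`-prefixed names, so an existing deployment configured through `BF_HOST`, `BF_PORT` or `BF_CA_PRIVKEY` falls back to the built-in defaults without any error. The unprefixed names are also generic: `PORT` and `HOST` are commonly exported by container platforms and shells, and flags.go now accepts bare `KEY` and `CRT` as the CA private-key and certificate paths, so an unrelated variable already present in the environment can change which key file the CA loads. Keeping the prefixed form as the first alias, e.g. `EnvVars: []string{"BF_HOST", "HOST"},`, preserves compatibility and gives operators an unambiguous name; if removing the prefix is deliberate it should be called out as a breaking change. The surrounding `var (` block starts and ends outside the hunk.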
@@ -8,19 +8,14 @@ import (
 "github.com/urfave/cli/v2"
 )
 
-func envvarNames(s string) []string {
- return []string{s, "BF_" + s}
-}
-
 // Flags
 var (
 namespace uuid.UUID
 nsFlag = &cli.StringFlag{
- Name: "namespace",
- Usage: "namespace `UUID`",
- Required: true,
- Aliases: []string{"ns"},
- EnvVars: envvarNames("NS"),
+ Name: "namespace",
+ Usage: "namespace `UUID`",
+ Aliases: []string{"ns"},
+ EnvVars: []string{"NS", "NAMESPACE"},
 Action: func(_ *cli.Context, ns string) (err error) {
 namespace, err = uuid.Parse(ns)
 return err
@@ -32,7 +27,7 @@ var (
 Name: "ca-certificate",
 Usage: "read CA certificate from `FILE`",
 Aliases: []string{"ca-cert"},
- EnvVars: envvarNames("CA_CERT"),
+ EnvVars: []string{"CA_CERT", "CA_CRT", "CRT"},
 TakesFile: true,
 Value: "cert.pem",
 Destination: &caCertUri,
@@ -43,7 +38,7 @@ var (
 Name: "ca-private-key",
 Usage: "read CA private key from `FILE`",
 Aliases: []string{"ca-key"},
- EnvVars: envvarNames("CA_PRIVKEY"),
+ EnvVars: []string{"CA_PRIVKEY", "CA_KEY", "KEY"},
 TakesFile: true,
 Value: "key.pem",
 Destination: &caPrivKeyUri,
diff --git a/cmd/bf/id.go b/cmd/bf/id.go
index cefe54f..bc51f37 100644
--- a/cmd/bf/id.go
+++ b/cmd/bf/id.go
@@ -18,16 +18,7 @@ var (
 Name: "identity",
 Aliases: []string{"id"},
 Flags: []cli.Flag{
- &cli.StringFlag{
- Name: "namespace",
- Usage: "Bifrost Namespace `UUID`",
- Aliases: []string{"n", "ns"},
- EnvVars: envvarNames("NS"),
- Action: func(ctx *cli.Context, s string) (err error) {
- bfns, err = uuid.Parse(s)
- return
- },
- },
+ nsFlag,
 },
 Action: func(cliCtx *cli.Context) error {
 ns, id, err := parseUUIDFromFile(bfns, cliCtx.Args().First())
diff --git a/cmd/bf/main.go b/cmd/bf/main.go
index cec83bb..67b2db0 100644
--- a/cmd/bf/main.go
+++ b/cmd/bf/main.go
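Review bot: `Required: true` is removed from `nsFlag` in the first cmd/bf/flags.go hunk with no replacement, so when neither `--namespace` nor `NS`/`NAMESPACE` is set the flag's Action never runs and `namespace` stays the zero `uuid.UUID`; a command that relies on the flag alone (cmd/bf/new.go derives the certificate's `CommonName` from `key.UUID(namespace)`) would then proceed with the nil namespace. If the flag was made optional so it can be shared with the identity command, the commands that need it should fail early, e.g. `if namespace == uuid.Nil { return errors.New("namespace is required") }` in their Action, or `Required: true,` should be restored. The enclosing `var (` block continues past the hunk.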
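Review bot: In the cmd/bf/id.go hunk, `nsFlag`'s Action assigns the parsed UUID to `namespace`, but the identity command's Action on the last context line still reads `bfns`, which only the removed flag populated; unless `bfns` is assigned somewhere outside this hunk, the namespace given via `--namespace`/`NS` is now ignored and `parseUUIDFromFile` receives a zero UUID. The call should read `ns, id, err := parseUUIDFromFile(namespace, cliCtx.Args().First())`, after which `bfns` can likely be dropped. The removed flag also accepted the short alias `n`, which `nsFlag` does not, so `-n` stops working for this command. The command literal begins and ends outside the hunk.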
@@ -21,7 +21,7 @@ func main() {
 &cli.StringFlag{
 Name: "log-level",
 Aliases: []string{"l"},
- EnvVars: envvarNames("LOG_LEVEL"),
+ EnvVars: []string{"LOG_LEVEL"},
 Value: slog.LevelInfo.String(),
 Action: func(_ *cli.Context, l string) error {
 logLevel := new(slog.LevelVar)
diff --git a/cmd/bf/new.go b/cmd/bf/new.go
index cc8910f..11aef1e 100644
--- a/cmd/bf/new.go
+++ b/cmd/bf/new.go
@@ -96,12 +96,12 @@ var newCmd = &cli.Command{
 CommonName: key.UUID(namespace).String(),
 Organization: []string{namespace.String()},
 },
- NotBefore: notBefore,
- NotAfter: notAfter,
- KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
- ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
- IsCA: true,
- BasicConstraintsValid: true,
+ NotBefore: notBefore,
+ NotAfter: notAfter,
+ KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+ ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+ IsCA: true,
+ MaxPathLenZero: true,
 }
 
 certDer, err := x509.CreateCertificate(
diff --git a/cmd/bf/proxy.go b/cmd/bf/proxy.go
index 5c5165a..e442e85 100644
--- a/cmd/bf/proxy.go
+++ b/cmd/bf/proxy.go
@@ -46,7 +46,7 @@ var (
 Name: "host",
 Usage: "Listen on `HOST`",
 Aliases: []string{"H"},
- EnvVars: envvarNames("HOST"),
+ EnvVars: []string{"HOST"},
 Value: "localhost",
 Destination: &proxyHost,
 Action: func(_ *cli.Context, h string) error {
@@ -60,7 +60,7 @@ var (
 Name: "port",
 Usage: "Listen on `PORT`",
 Aliases: []string{"p"},
- EnvVars: envvarNames("PORT"),
+ EnvVars: []string{"PORT"},
 Value: 8443,
 Destination: &proxyPort,
 Action: func(_ *cli.Context, p int) error {
diff --git a/tinyca/ca_test.go b/tinyca/ca_test.go
index 02b6724..f20adc9 100644
--- a/tinyca/ca_test.go
+++ b/tinyca/ca_test.go
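Review bot: Dropping `BasicConstraintsValid: true` from the template in the cmd/bf/new.go hunk makes `x509.CreateCertificate` omit the basic-constraints extension entirely, because that field gates `IsCA`, `MaxPathLen` and `MaxPathLenZero`; the certificate this command writes is therefore not a CA, the added `MaxPathLenZero: true` has no effect, and a certificate parsed back from it fails the new `!cert.BasicConstraintsValid` guard in `NewCertificate` (certificate.go hunk). Keep `BasicConstraintsValid: true,` next to `MaxPathLenZero: true,`. Independently, the template's `KeyUsage` lacks `x509.KeyUsageCertSign`, so even a correctly encoded CA certificate from this template is rejected by the new `IsCA` check; add it, `KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,`. The tinyca/ca_test.go hunk has the same two problems, and there the fixture additionally gains `IsCA: true` on what otherwise looks like a leaf certificate (`ExtKeyUsageServerAuth`, an identity `CommonName`), so that test may no longer exercise the path it did before. The `newCmd` literal begins and ends outside the hunk.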
@@ -226,11 +226,12 @@ func TestCA_ServeHTTP(t *testing.T) {
 CommonName: id.String(),
 Organization: []string{testns.String()},
 },
- NotBefore: time.Now(),
- NotAfter: time.Now().Add(time.Hour * 24),
- KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
- ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
- BasicConstraintsValid: true,
+ NotBefore: time.Now(),
+ NotAfter: time.Now().Add(time.Hour * 24),
+ KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+ ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+ IsCA: true,
+ MaxPathLenZero: true,
 }
 
 certDer, err := x509.CreateCertificate(