fix: remove validateSelfSignedCert function

Signed-off-by: Junjie Gao <[email protected]>
notaryproject · Oct 23, 2024 · 91432b0 · 91432b0
1 parent 5941b85
commit 91432b0
Show file tree

Hide file tree

Showing 5 changed files with 64 additions and 132 deletions.
diff --git a/x509/codesigning_cert_validations.go b/x509/codesigning_cert_validations.go
@@ -14,6 +14,7 @@
 package x509
 
 import (
+	"bytes"
 	"crypto/x509"
 	"errors"
 	"fmt"
@@ -34,8 +35,13 @@ func ValidateCodeSigningCertChain(certChain []*x509.Certificate, signingTime *ti
 	// For self-signed signing certificate (not a CA)
 	if len(certChain) == 1 {
 		cert := certChain[0]
-		if err := validateSelfSignedLeaf(cert); err != nil {
-			return err
+		// check self-signed
+		if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
+			return fmt.Errorf("invalid self-signed leaf certificate. subject: %q. Error: %w", cert.Subject, err)
+		}
+		// check self-issued
+		if !bytes.Equal(cert.RawSubject, cert.RawIssuer) {
+			return fmt.Errorf("invalid self-signed leaf certificate. subject: %q. Error: issuer and subject are not the same", cert.Subject)
 		}
 		if signedTimeError := validateSigningTime(cert, signingTime); signedTimeError != nil {
 			return signedTimeError

diff --git a/x509/codesigning_cert_validations_test.go b/x509/codesigning_cert_validations_test.go
@@ -14,10 +14,14 @@
 package x509
 
 import (
+	"crypto/rand"
+	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	_ "embed"
+	"encoding/asn1"
 	"errors"
+	"math/big"
 	"os"
 	"strings"
 	"testing"
@@ -762,3 +766,47 @@ func readSingleCertificate(path string) (*x509.Certificate, error) {
 	}
 	return certs[0], nil
 }
+
+func createSelfSignedCert(subject string, issuer string, isTimestamp bool) (*x509.Certificate, error) {
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, err
+	}
+
+	template := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject:      pkix.Name{CommonName: subject},
+		NotBefore:    time.Now(),
+		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
+		KeyUsage:     x509.KeyUsageDigitalSignature,
+	}
+
+	if isTimestamp {
+		oids := []asn1.ObjectIdentifier{{1, 3, 6, 1, 5, 5, 7, 3, 8}}
+		value, err := asn1.Marshal(oids)
+		if err != nil {
+			return nil, err
+		}
+		template.ExtraExtensions = []pkix.Extension{{
+			Id:       oid.ExtKeyUsage,
+			Critical: true,
+			Value:    value,
+		}}
+		template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping}
+	}
+
+	parentTemplate := &x509.Certificate{
+		SerialNumber: big.NewInt(2),
+		Subject:      pkix.Name{CommonName: issuer},
+		NotBefore:    time.Now(),
+		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
+		KeyUsage:     x509.KeyUsageCertSign,
+	}
+
+	certDER, err := x509.CreateCertificate(rand.Reader, template, parentTemplate, &priv.PublicKey, priv)
+	if err != nil {
+		return nil, err
+	}
+
+	return x509.ParseCertificate(certDER)
+}
diff --git a/x509/helper.go b/x509/helper.go
@@ -23,19 +23,6 @@ import (
 	"github.com/notaryproject/notation-core-go/signature"
 )
 
-// validateSelfSignedLeaf validates a self-signed leaf certificate.
-//
-// A self-signed leaf certificate must have the same subject and issuer.
-func validateSelfSignedLeaf(cert *x509.Certificate) error {
-	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
-		return fmt.Errorf("invalid self-signed leaf certificate. subject: %q. Error: %w", cert.Subject, err)
-	}
-	if !bytes.Equal(cert.RawSubject, cert.RawIssuer) {
-		return fmt.Errorf("invalid self-signed leaf certificate. subject: %q. Error: issuer and subject are not the same", cert.Subject)
-	}
-	return nil
-}
-
 func isSelfSigned(cert *x509.Certificate) (bool, error) {
 	return isIssuedBy(cert, cert)
 }

diff --git a/x509/helper_test.go b/x509/helper_test.go
diff --git a/x509/timestamp_cert_validations.go b/x509/timestamp_cert_validations.go
@@ -14,6 +14,7 @@
 package x509
 
 import (
+	"bytes"
 	"crypto/x509"
 	"errors"
 	"fmt"
@@ -33,8 +34,13 @@ func ValidateTimestampingCertChain(certChain []*x509.Certificate) error {
 	// For self-signed signing certificate (not a CA)
 	if len(certChain) == 1 {
 		cert := certChain[0]
-		if err := validateSelfSignedLeaf(cert); err != nil {
-			return err
+		// check self-signed
+		if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
+			return fmt.Errorf("invalid self-signed leaf certificate. subject: %q. Error: %w", cert.Subject, err)
+		}
+		// check self-issued
+		if !bytes.Equal(cert.RawSubject, cert.RawIssuer) {
+			return fmt.Errorf("invalid self-signed leaf certificate. subject: %q. Error: issuer and subject are not the same", cert.Subject)
 		}
 		if err := validateTimestampingLeafCertificate(cert); err != nil {
 			return fmt.Errorf("invalid self-signed certificate. Error: %w", err)