fix(x509): enforce leaf SVID validation and reject multiple URI SANs

Signed-off-by: Max Lambrecht <maxlambrecht@gmail.com>

Author: maxlambrecht

java-spiffe-core/src/main/java/io/spiffe/internal/CertificateUtils.java

@@ -13,6 +13,7 @@
 import java.security.spec.EncodedKeySpec;
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.ArrayList;
 import java.util.Base64;
 import java.util.Collection;
 import java.util.Collections;
@@ -24,15 +25,17 @@
 import static io.spiffe.internal.KeyUsage.CRL_SIGN;
 import static io.spiffe.internal.KeyUsage.DIGITAL_SIGNATURE;
 import static io.spiffe.internal.KeyUsage.KEY_CERT_SIGN;
-import static org.apache.commons.lang3.StringUtils.startsWith;
 
 /**
  * Common certificate utility methods.
  */
 public class CertificateUtils {
 
     private static final String SPIFFE_PREFIX = "spiffe://";
+    private static final int SAN_TYPE_INDEX = 0;
     private static final int SAN_VALUE_INDEX = 1;
+    // X.509 SubjectAlternativeName type for a URI value.
+    private static final int URI_SAN_TYPE = 6;
     private static final String PUBLIC_KEY_INFRASTRUCTURE_ALGORITHM = "PKIX";
     private static final String X509_CERTIFICATE_TYPE = "X.509";
 
@@ -143,16 +146,25 @@ public static boolean isCA(final X509Certificate cert) {
 
     public static boolean hasKeyUsageCertSign(final X509Certificate cert) {
         boolean[] keyUsage = cert.getKeyUsage();
+        if (keyUsage == null) {
+            return false;
+        }
         return keyUsage[KEY_CERT_SIGN.index()];
     }
 
     public static boolean hasKeyUsageDigitalSignature(final X509Certificate cert) {
         boolean[] keyUsage = cert.getKeyUsage();
+        if (keyUsage == null) {
+            return false;
+        }
         return keyUsage[DIGITAL_SIGNATURE.index()];
     }
 
     public static boolean hasKeyUsageCRLSign(final X509Certificate cert) {
         boolean[] keyUsage = cert.getKeyUsage();
+        if (keyUsage == null) {
+            return false;
+        }
         return keyUsage[CRL_SIGN.index()];
     }
 
@@ -168,16 +180,53 @@ private static EncodedKeySpec getEncodedKeySpec(final byte[] privateKeyBytes, Ke
     }
 
     private static List<String> getSpiffeIds(final X509Certificate certificate) throws CertificateParsingException {
-        if (certificate.getSubjectAlternativeNames() == null) {
+        final List<String> uriSans = getUriSubjectAlternativeNames(certificate);
+        if (uriSans.size() > 1) {
+            throw new CertificateParsingException("Certificate contains multiple URI SANs");
+        }
+        if (uriSans.isEmpty()) {
             return Collections.emptyList();
         }
-        return certificate.getSubjectAlternativeNames()
-                .stream()
-                .map(san -> (String) san.get(SAN_VALUE_INDEX))
-                .filter(uri -> startsWith(uri, SPIFFE_PREFIX))
+        return uriSans.stream()
+                .filter(uri -> uri != null && uri.startsWith(SPIFFE_PREFIX))
                 .collect(Collectors.toList());
     }
 
+    private static List<String> getUriSubjectAlternativeNames(final X509Certificate certificate)
+            throws CertificateParsingException {
+        final Collection<List<?>> subjectAlternativeNames = certificate.getSubjectAlternativeNames();
+        if (subjectAlternativeNames == null) {
+            return Collections.emptyList();
+        }
+
+        final List<String> uriSans = new ArrayList<>();
+        for (List<?> sanEntry : subjectAlternativeNames) {
+            final String uriSan = getUriSubjectAlternativeNameValue(sanEntry);
+            if (uriSan != null) {
+                uriSans.add(uriSan);
+            }
+        }
+        return uriSans;
+    }
+
+    private static String getUriSubjectAlternativeNameValue(final List<?> sanEntry) {
+        if (sanEntry == null || sanEntry.size() <= SAN_VALUE_INDEX) {
+            return null;
+        }
+
+        final Object sanType = sanEntry.get(SAN_TYPE_INDEX);
+        if (!(sanType instanceof Integer) || ((Integer) sanType) != URI_SAN_TYPE) {
+            return null;
+        }
+
+        final Object sanValue = sanEntry.get(SAN_VALUE_INDEX);
+        if (!(sanValue instanceof String)) {
+            return null;
+        }
+
+        return (String) sanValue;
+    }
+
     private static PrivateKey generatePrivateKeyWithSpec(final EncodedKeySpec keySpec, AsymmetricKeyAlgorithm algorithm) throws NoSuchAlgorithmException, InvalidKeySpecException {
         PrivateKey privateKey = null;
         switch (algorithm) {

java-spiffe-core/src/main/java/io/spiffe/svid/x509svid/X509Svid.java

@@ -217,24 +217,20 @@ private static X509Svid createX509Svid(final byte[] certsBytes,
         final PrivateKey privateKey = generatePrivateKey(privateKeyBytes, keyFileFormat, x509Certificates);
         final SpiffeId spiffeId = getSpiffeId(x509Certificates);
 
-        validateLeafSpiffeId(spiffeId);
-        validateLeafCertificate(x509Certificates.get(0));
+        try {
+            X509SvidChecks.validateLeafForParsing(x509Certificates.get(0), spiffeId);
 
-        // there are intermediate CA certificates
-        if (x509Certificates.size() > 1) {
-            validateSigningCertificates(x509Certificates);
+            // there are intermediate CA certificates
+            if (x509Certificates.size() > 1) {
+                validateSigningCertificates(x509Certificates);
+            }
+        } catch (CertificateException e) {
+            throw new X509SvidException(e.getMessage(), e);
         }
 
         return new X509Svid(spiffeId, x509Certificates, privateKey, hint);
     }
 
-    private static void validateLeafSpiffeId(final SpiffeId spiffeId) throws X509SvidException {
-        final String path = spiffeId.getPath();
-        if (path == null || path.isEmpty()) {
-            throw new X509SvidException("Leaf certificate SPIFFE ID must have a non-root path");
-        }
-    }
-
     private static SpiffeId getSpiffeId(final List<X509Certificate> x509Certificates) throws X509SvidException {
         final SpiffeId spiffeId;
         try {
@@ -273,35 +269,11 @@ private static List<X509Certificate> generateX509Certificates(final byte[] certs
 
     private static void validateSigningCertificates(final List<X509Certificate> certificates) throws X509SvidException {
         for (int i = 1; i < certificates.size(); i++) {
-            verifyCaCert(certificates.get(i));
-        }
-    }
-
-    private static void verifyCaCert(final X509Certificate cert) throws X509SvidException {
-        if (!CertificateUtils.isCA(cert)) {
-            throw new X509SvidException("Signing certificate must have CA flag set to true");
-        }
-        if (!CertificateUtils.hasKeyUsageCertSign(cert)) {
-            throw new X509SvidException("Signing certificate must have 'keyCertSign' as key usage");
-        }
-    }
-
-    private static void validateLeafCertificate(final X509Certificate leaf) throws X509SvidException {
-        if (CertificateUtils.isCA(leaf)) {
-            throw new X509SvidException("Leaf certificate must not have CA flag set to true");
-        }
-        validateKeyUsageOfLeafCertificate(leaf);
-    }
-
-    private static void validateKeyUsageOfLeafCertificate(final X509Certificate leaf) throws X509SvidException {
-        if (!CertificateUtils.hasKeyUsageDigitalSignature(leaf)) {
-            throw new X509SvidException("Leaf certificate must have 'digitalSignature' as key usage");
-        }
-        if (CertificateUtils.hasKeyUsageCertSign(leaf)) {
-            throw new X509SvidException("Leaf certificate must not have 'keyCertSign' as key usage");
-        }
-        if (CertificateUtils.hasKeyUsageCRLSign(leaf)) {
-            throw new X509SvidException("Leaf certificate must not have 'cRLSign' as key usage");
+            try {
+                X509SvidChecks.validateSigningCertificate(certificates.get(i));
+            } catch (CertificateException e) {
+                throw new X509SvidException(e.getMessage(), e);
+            }
         }
     }
 }

java-spiffe-core/src/main/java/io/spiffe/svid/x509svid/X509SvidValidator.java

@@ -43,14 +43,17 @@ public static void verifyChain(
         Objects.requireNonNull(chain, "chain must not be null");
         Objects.requireNonNull(x509BundleSource, "x509BundleSource must not be null");
 
-        TrustDomain trustDomain = CertificateUtils.getTrustDomain(chain);
+        final SpiffeId spiffeId = CertificateUtils.getSpiffeId(chain.get(0));
+        TrustDomain trustDomain = spiffeId.getTrustDomain();
         X509Bundle x509Bundle = x509BundleSource.getBundleForTrustDomain(trustDomain);
 
         try {
             CertificateUtils.validate(chain, x509Bundle.getX509Authorities());
         } catch (CertPathValidatorException e) {
             throw new CertificateException("Cert chain cannot be verified", e);
         }
+
+        X509SvidChecks.validateLeafConstraints(chain.get(0), spiffeId);
     }
 
     /**
@@ -77,6 +80,7 @@ public static void verifySpiffeId(X509Certificate x509Certificate,
         }
 
         SpiffeId spiffeId = CertificateUtils.getSpiffeId(x509Certificate);
+        X509SvidChecks.validateLeafConstraints(x509Certificate, spiffeId);
         if (!spiffeIdSet.contains(spiffeId)) {
             String error = String.format("SPIFFE ID %s in X.509 certificate is not accepted", spiffeId);
             log.warning(String.format("Client SPIFFE ID validation failed: %s", error));

java-spiffe-core/src/test/java/io/spiffe/internal/CertificateUtilsTest.java

@@ -6,6 +6,7 @@
 import io.spiffe.utils.CertAndKeyPair;
 import io.spiffe.utils.TestUtils;
 import org.junit.jupiter.api.Test;
+import org.mockito.Mockito;
 
 import java.io.IOException;
 import java.net.URISyntaxException;
@@ -40,13 +41,13 @@ void generateCertificates_ofPEMByteArray_returnsListWithOneX509Certificate() thr
         final Path path = Paths.get(toUri("testdata/internal/cert.pem"));
         final byte[] certBytes = Files.readAllBytes(path);
 
-        List<X509Certificate> x509CertificateList;
-        SpiffeId spiffeId = null;
+        final SpiffeId spiffeId;
         try {
-            x509CertificateList = CertificateUtils.generateCertificates(certBytes);
+            List<X509Certificate> x509CertificateList = CertificateUtils.generateCertificates(certBytes);
             spiffeId = CertificateUtils.getSpiffeId(x509CertificateList.get(0));
         } catch (CertificateException e) {
             fail("Not expected exception. Should have generated the certificates", e);
+            return;
         }
 
         assertEquals("spiffe://example.org/test", spiffeId.toString());
@@ -180,6 +181,22 @@ void testGetSpiffeId_certNotContainSpiffeId_throwsCertificateException() throws
         }
     }
 
+    @Test
+    void testGetSpiffeId_certContainsMultipleUriSans_throwsCertificateException() throws Exception {
+        X509Certificate certificate = Mockito.mock(X509Certificate.class);
+        Mockito.when(certificate.getSubjectAlternativeNames()).thenReturn(Arrays.asList(
+                Arrays.asList(6, "spiffe://domain.test/workload"),
+                Arrays.asList(6, "https://example.org/workload")
+        ));
+
+        try {
+            CertificateUtils.getSpiffeId(certificate);
+            fail("exception is expected");
+        } catch (CertificateException e) {
+            assertEquals("Certificate contains multiple URI SANs", e.getMessage());
+        }
+    }
+
     @Test
     void testGetTrustDomain() throws Exception {
         final CertAndKeyPair rootCa = createRootCA("C = US, O = SPIFFE", "spiffe://domain.test");

java-spiffe-core/src/test/java/io/spiffe/svid/x509svid/X509SvidValidatorTest.java

@@ -8,6 +8,7 @@
 import io.spiffe.utils.CertAndKeyPair;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.mockito.Mockito;
 
 import java.io.IOException;
 import java.net.URISyntaxException;
@@ -114,6 +115,70 @@ void verifySpiffeId_givenAnEmptySupplier_throwsCertificateException() {
 
     }
 
+    @Test
+    void verifySpiffeId_leafWithCaFlagSetToTrue_throwsCertificateException() throws Exception {
+        X509Certificate certificate = mockLeafCertificate("spiffe://example.org/test", false, false, true);
+        try {
+            X509SvidValidator.verifySpiffeId(certificate, () -> Sets.newHashSet(SpiffeId.parse("spiffe://example.org/test")));
+            fail("Should have thrown CertificateException");
+        } catch (CertificateException e) {
+            assertEquals("Leaf certificate must not have CA flag set to true", e.getMessage());
+        }
+    }
+
+    @Test
+    void verifySpiffeId_leafWithKeyCertSign_throwsCertificateException() throws Exception {
+        X509Certificate certificate = mockLeafCertificate("spiffe://example.org/test", true, false, false);
+        try {
+            X509SvidValidator.verifySpiffeId(certificate, () -> Sets.newHashSet(SpiffeId.parse("spiffe://example.org/test")));
+            fail("Should have thrown CertificateException");
+        } catch (CertificateException e) {
+            assertEquals("Leaf certificate must not have 'keyCertSign' as key usage", e.getMessage());
+        }
+    }
+
+    @Test
+    void verifySpiffeId_leafWithCRLSign_throwsCertificateException() throws Exception {
+        X509Certificate certificate = mockLeafCertificate("spiffe://example.org/test", false, true, false);
+        try {
+            X509SvidValidator.verifySpiffeId(certificate, () -> Sets.newHashSet(SpiffeId.parse("spiffe://example.org/test")));
+            fail("Should have thrown CertificateException");
+        } catch (CertificateException e) {
+            assertEquals("Leaf certificate must not have 'cRLSign' as key usage", e.getMessage());
+        }
+    }
+
+    @Test
+    void verifySpiffeId_leafSpiffeIdWithoutPath_throwsCertificateException() throws Exception {
+        X509Certificate certificate = mockLeafCertificate("spiffe://example.org", false, false, false);
+        try {
+            X509SvidValidator.verifySpiffeId(certificate, () -> Sets.newHashSet(SpiffeId.parse("spiffe://example.org")));
+            fail("Should have thrown CertificateException");
+        } catch (CertificateException e) {
+            assertEquals("Leaf certificate SPIFFE ID must have a non-root path", e.getMessage());
+        }
+    }
+
+    @Test
+    void verifySpiffeId_multipleUriSans_throwsCertificateException() throws Exception {
+        X509Certificate certificate = Mockito.mock(X509Certificate.class);
+        boolean[] keyUsage = new boolean[9];
+        keyUsage[0] = true;
+        Mockito.when(certificate.getBasicConstraints()).thenReturn(-1);
+        Mockito.when(certificate.getKeyUsage()).thenReturn(keyUsage);
+        Mockito.when(certificate.getSubjectAlternativeNames()).thenReturn(Arrays.asList(
+                Arrays.asList(6, "spiffe://example.org/test"),
+                Arrays.asList(6, "https://example.org/other")
+        ));
+
+        try {
+            X509SvidValidator.verifySpiffeId(certificate, () -> Sets.newHashSet(SpiffeId.parse("spiffe://example.org/test")));
+            fail("Should have thrown CertificateException");
+        } catch (CertificateException e) {
+            assertEquals("Certificate contains multiple URI SANs", e.getMessage());
+        }
+    }
+
     @Test
     void checkSpiffeId_nullX509Certificate_throwsNullPointerException() throws CertificateException {
         try {
@@ -153,4 +218,20 @@ void verifyChain_nullBundleSource_throwsNullPointerException() throws Certificat
             assertEquals("x509BundleSource must not be null", e.getMessage());
         }
     }
+
+    private X509Certificate mockLeafCertificate(String uriSan, boolean keyCertSign, boolean crlSign, boolean isCa)
+            throws Exception {
+        X509Certificate certificate = Mockito.mock(X509Certificate.class);
+        boolean[] keyUsage = new boolean[9];
+        keyUsage[0] = true;
+        keyUsage[5] = keyCertSign;
+        keyUsage[6] = crlSign;
+
+        Mockito.when(certificate.getBasicConstraints()).thenReturn(isCa ? 0 : -1);
+        Mockito.when(certificate.getKeyUsage()).thenReturn(keyUsage);
+        Mockito.when(certificate.getSubjectAlternativeNames()).thenReturn(Collections.singletonList(
+                Arrays.asList(6, uriSan)
+        ));
+        return certificate;
+    }
 }