add constructore, make fields private

Author: phbnf

ctlog.go

@@ -23,6 +23,8 @@ import (
 	"strings"
 	"time"
 
+	"github.com/google/certificate-transparency-go/asn1"
+	"github.com/google/certificate-transparency-go/x509"
 	"github.com/google/certificate-transparency-go/x509util"
 	"github.com/transparency-dev/static-ct/internal/scti"
 	"github.com/transparency-dev/static-ct/storage"
@@ -91,34 +93,29 @@ func newCertValidationOpts(cfg ChainValidationConfig) (*scti.ChainValidationOpts
 		return nil, fmt.Errorf("'Not After' limit %q before start %q", cfg.NotAfterLimit.Format(time.RFC3339), cfg.NotAfterStart.Format(time.RFC3339))
 	}
 
-	validationOpts := scti.ChainValidationOpts{
-		TrustedRoots:    roots,
-		RejectExpired:   cfg.RejectExpired,
-		RejectUnexpired: cfg.RejectUnexpired,
-		NotAfterStart:   cfg.NotAfterStart,
-		NotAfterLimit:   cfg.NotAfterLimit,
-	}
-
 	var err error
+	var extKeyUsages []x509.ExtKeyUsage
 	// Filter which extended key usages are allowed.
 	if cfg.ExtKeyUsages != "" {
 		lExtKeyUsages := strings.Split(cfg.ExtKeyUsages, ",")
-		validationOpts.ExtKeyUsages, err = scti.ParseExtKeyUsages(lExtKeyUsages)
+		extKeyUsages, err = scti.ParseExtKeyUsages(lExtKeyUsages)
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse ExtKeyUsages: %v", err)
 		}
 	}
 
+	var rejectExtIds []asn1.ObjectIdentifier
 	// Filter which extensions are rejected.
 	if cfg.RejectExtensions != "" {
 		lRejectExtensions := strings.Split(cfg.RejectExtensions, ",")
-		validationOpts.RejectExtIds, err = scti.ParseOIDs(lRejectExtensions)
+		rejectExtIds, err = scti.ParseOIDs(lRejectExtensions)
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse RejectExtensions: %v", err)
 		}
 	}
 
-	return &validationOpts, nil
+	vOpts := scti.NewChainValidationOpts(roots, cfg.RejectExpired, cfg.RejectUnexpired, cfg.NotAfterStart, cfg.NotAfterLimit, extKeyUsages, rejectExtIds)
+	return &vOpts, nil
 }
 
 // NewLogHandler creates a Tessera based CT log pluged into HTTP handlers.

internal/scti/chain_validation.go

@@ -87,26 +87,39 @@ func ParseOIDs(oids []string) ([]asn1.ObjectIdentifier, error) {
 
 // ChainValidationOpts contains various parameters for certificate chain validation
 type ChainValidationOpts struct {
-	// TrustedRoots is a pool of certificates that defines the roots the CT log will accept
-	TrustedRoots *x509util.PEMCertPool
-	// CurrentTime is the time used for checking a certificate's validity period
+	// trustedRoots is a pool of certificates that defines the roots the CT log will accept
+	trustedRoots *x509util.PEMCertPool
+	// currentTime is the time used for checking a certificate's validity period
 	// against. If it's zero then time.Now() is used. Only for testing.
-	CurrentTime time.Time
-	// RejectExpired indicates that expired certificates will be rejected.
-	RejectExpired bool
-	// RejectUnexpired indicates that certificates that are currently valid or not yet valid will be rejected.
-	RejectUnexpired bool
-	// NotAfterStart is the earliest notAfter date which will be accepted.
+	currentTime time.Time
+	// rejectExpired indicates that expired certificates will be rejected.
+	rejectExpired bool
+	// rejectUnexpired indicates that certificates that are currently valid or not yet valid will be rejected.
+	rejectUnexpired bool
+	// notAfterStart is the earliest notAfter date which will be accepted.
 	// nil means no lower bound on the accepted range.
-	NotAfterStart *time.Time
-	// NotAfterLimit defines the cut off point of notAfter dates - only notAfter
-	// dates strictly *before* NotAfterLimit will be accepted.
+	notAfterStart *time.Time
+	// notAfterLimit defines the cut off point of notAfter dates - only notAfter
+	// dates strictly *before* notAfterLimit will be accepted.
 	// nil means no upper bound on the accepted range.
-	NotAfterLimit *time.Time
-	// ExtKeyUsages contains the list of EKUs to use during chain verification
-	ExtKeyUsages []x509.ExtKeyUsage
-	// RejectExtIds contains a list of X.509 extension IDs to reject during chain verification.
-	RejectExtIds []asn1.ObjectIdentifier
+	notAfterLimit *time.Time
+	// extKeyUsages contains the list of EKUs to use during chain verification
+	extKeyUsages []x509.ExtKeyUsage
+	// rejectExtIds contains a list of X.509 extension IDs to reject during chain verification.
+	rejectExtIds []asn1.ObjectIdentifier
+}
+
+func NewChainValidationOpts(trustedRoots *x509util.PEMCertPool, currentTime time.Time, rejectExpired, rejectUnexpired bool, notAfterStart, notAfterLimit *time.Time, extKeyUsages []x509.ExtKeyUsage, rejectExtIds []asn1.ObjectIdentifier) ChainValidationOpts {
+	return ChainValidationOpts{
+		trustedRoots:    trustedRoots,
+		currentTime:     currentTime,
+		rejectExpired:   rejectExpired,
+		rejectUnexpired: rejectUnexpired,
+		notAfterStart:   notAfterStart,
+		notAfterLimit:   notAfterLimit,
+		extKeyUsages:    extKeyUsages,
+		rejectExtIds:    rejectExtIds,
+	}
 }
 
 // isPrecertificate tests if a certificate is a pre-certificate as defined in CT.
@@ -151,8 +164,8 @@ func validateChain(rawChain [][]byte, validationOpts ChainValidationOpts) ([]*x5
 		}
 	}
 
-	naStart := validationOpts.NotAfterStart
-	naLimit := validationOpts.NotAfterLimit
+	naStart := validationOpts.notAfterStart
+	naLimit := validationOpts.notAfterLimit
 	cert := chain[0]
 
 	// Check whether the expiry date of the cert is within the acceptable range.
@@ -163,24 +176,24 @@ func validateChain(rawChain [][]byte, validationOpts ChainValidationOpts) ([]*x5
 		return nil, fmt.Errorf("certificate NotAfter (%v) >= %v", cert.NotAfter, *naLimit)
 	}
 
-	now := validationOpts.CurrentTime
+	now := validationOpts.currentTime
 	if now.IsZero() {
 		now = time.Now()
 	}
 	expired := now.After(cert.NotAfter)
-	if validationOpts.RejectExpired && expired {
+	if validationOpts.rejectExpired && expired {
 		return nil, errors.New("rejecting expired certificate")
 	}
-	if validationOpts.RejectUnexpired && !expired {
+	if validationOpts.rejectUnexpired && !expired {
 		return nil, errors.New("rejecting unexpired certificate")
 	}
 
 	// Check for unwanted extension types, if required.
 	// TODO(al): Refactor CertValidationOpts c'tor to a builder pattern and
 	// pre-calc this in there
-	if len(validationOpts.RejectExtIds) != 0 {
+	if len(validationOpts.rejectExtIds) != 0 {
 		badIDs := make(map[string]bool)
-		for _, id := range validationOpts.RejectExtIds {
+		for _, id := range validationOpts.rejectExtIds {
 			badIDs[id.String()] = true
 		}
 		for idx, ext := range cert.Extensions {
@@ -193,9 +206,9 @@ func validateChain(rawChain [][]byte, validationOpts ChainValidationOpts) ([]*x5
 
 	// TODO(al): Refactor CertValidationOpts c'tor to a builder pattern and
 	// pre-calc this in there too.
-	if len(validationOpts.ExtKeyUsages) > 0 {
+	if len(validationOpts.extKeyUsages) > 0 {
 		acceptEKUs := make(map[x509.ExtKeyUsage]bool)
-		for _, eku := range validationOpts.ExtKeyUsages {
+		for _, eku := range validationOpts.extKeyUsages {
 			acceptEKUs[eku] = true
 		}
 		good := false
@@ -206,14 +219,14 @@ func validateChain(rawChain [][]byte, validationOpts ChainValidationOpts) ([]*x5
 			}
 		}
 		if !good {
-			return nil, fmt.Errorf("rejecting certificate without EKU in %v", validationOpts.ExtKeyUsages)
+			return nil, fmt.Errorf("rejecting certificate without EKU in %v", validationOpts.extKeyUsages)
 		}
 	}
 
 	// We can now do the verification.  Use fairly lax options for verification, as
 	// CT is intended to observe certificates rather than police them.
 	verifyOpts := x509.VerifyOptions{
-		Roots:             validationOpts.TrustedRoots.CertPool(),
+		Roots:             validationOpts.trustedRoots.CertPool(),
 		CurrentTime:       now,
 		Intermediates:     intermediatePool.CertPool(),
 		DisableTimeChecks: true,
@@ -232,7 +245,7 @@ func validateChain(rawChain [][]byte, validationOpts ChainValidationOpts) ([]*x5
 		DisablePathLenChecks:        true,
 		DisableNameConstraintChecks: true,
 		DisableNameChecks:           false,
-		KeyUsages:                   validationOpts.ExtKeyUsages,
+		KeyUsages:                   validationOpts.extKeyUsages,
 	}
 
 	verifiedChains, err := cert.Verify(verifyOpts)

internal/scti/chain_validation_test.go

@@ -115,7 +115,7 @@ func TestValidateChain(t *testing.T) {
 		t.Fatal("failed to load real intermediate")
 	}
 	validateOpts := ChainValidationOpts{
-		TrustedRoots: fakeCARoots,
+		trustedRoots: fakeCARoots,
 	}
 
 	var tests = []struct {
@@ -185,7 +185,7 @@ func TestValidateChain(t *testing.T) {
 			chain: pemsToDERChain(t, []string{testdata.LeafSignedByFakeIntermediateCertPEM, testdata.FakeIntermediateCertPEM}),
 			modifyOpts: func(v *ChainValidationOpts) {
 				// reject SubjectKeyIdentifier extension
-				v.RejectExtIds = []asn1.ObjectIdentifier{[]int{99, 99, 99, 99}}
+				v.rejectExtIds = []asn1.ObjectIdentifier{[]int{99, 99, 99, 99}}
 			},
 			wantPathLen: 3,
 		},
@@ -194,7 +194,7 @@ func TestValidateChain(t *testing.T) {
 			chain: pemsToDERChain(t, []string{testdata.PrecertPEMValid}),
 			modifyOpts: func(v *ChainValidationOpts) {
 				// reject SubjectKeyIdentifier extension
-				v.RejectExtIds = []asn1.ObjectIdentifier{[]int{99, 99, 99, 99}}
+				v.rejectExtIds = []asn1.ObjectIdentifier{[]int{99, 99, 99, 99}}
 			},
 			wantPathLen: 2,
 		},
@@ -204,7 +204,7 @@ func TestValidateChain(t *testing.T) {
 			wantErr: true,
 			modifyOpts: func(v *ChainValidationOpts) {
 				// reject SubjectKeyIdentifier extension
-				v.RejectExtIds = []asn1.ObjectIdentifier{[]int{2, 5, 29, 14}}
+				v.rejectExtIds = []asn1.ObjectIdentifier{[]int{2, 5, 29, 14}}
 			},
 		},
 		{
@@ -213,7 +213,7 @@ func TestValidateChain(t *testing.T) {
 			wantErr: true,
 			modifyOpts: func(v *ChainValidationOpts) {
 				// reject SubjectKeyIdentifier extension
-				v.RejectExtIds = []asn1.ObjectIdentifier{[]int{2, 5, 29, 14}}
+				v.rejectExtIds = []asn1.ObjectIdentifier{[]int{2, 5, 29, 14}}
 			},
 		},
 		{
@@ -222,15 +222,15 @@ func TestValidateChain(t *testing.T) {
 			wantErr: true,
 			modifyOpts: func(v *ChainValidationOpts) {
 				// reject cert without ExtKeyUsageEmailProtection
-				v.ExtKeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
+				v.extKeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
 			},
 		},
 		{
 			desc:        "allow-eku-present-in-cert",
 			chain:       pemsToDERChain(t, []string{testdata.LeafSignedByFakeIntermediateCertPEM, testdata.FakeIntermediateCertPEM}),
 			wantPathLen: 3,
 			modifyOpts: func(v *ChainValidationOpts) {
-				v.ExtKeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
+				v.extKeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
 			},
 		},
 		{
@@ -239,15 +239,15 @@ func TestValidateChain(t *testing.T) {
 			wantErr: true,
 			modifyOpts: func(v *ChainValidationOpts) {
 				// reject cert without ExtKeyUsageEmailProtection
-				v.ExtKeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
+				v.extKeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
 			},
 		},
 		{
 			desc:        "allow-eku-present-in-precert",
 			chain:       pemsToDERChain(t, []string{testdata.RealPrecertWithEKUPEM}),
 			wantPathLen: 2,
 			modifyOpts: func(v *ChainValidationOpts) {
-				v.ExtKeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
+				v.extKeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
 			},
 		},
 	}
@@ -284,8 +284,8 @@ func TestNotAfterRange(t *testing.T) {
 		t.Fatal("failed to load fake root")
 	}
 	validateOpts := ChainValidationOpts{
-		TrustedRoots:  fakeCARoots,
-		RejectExpired: false,
+		trustedRoots:  fakeCARoots,
+		rejectExpired: false,
 	}
 
 	chain := pemsToDERChain(t, []string{testdata.LeafSignedByFakeIntermediateCertPEM, testdata.FakeIntermediateCertPEM})
@@ -323,10 +323,10 @@ func TestNotAfterRange(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.desc, func(t *testing.T) {
 			if !test.notAfterStart.IsZero() {
-				validateOpts.NotAfterStart = &test.notAfterStart
+				validateOpts.notAfterStart = &test.notAfterStart
 			}
 			if !test.notAfterLimit.IsZero() {
-				validateOpts.NotAfterLimit = &test.notAfterLimit
+				validateOpts.notAfterLimit = &test.notAfterLimit
 			}
 			gotPath, err := validateChain(test.chain, validateOpts)
 			if err != nil {
@@ -351,8 +351,8 @@ func TestRejectExpiredUnexpired(t *testing.T) {
 	// Validity period: May 13, 2016 - Jul 12, 2019.
 	chain := pemsToDERChain(t, []string{testdata.LeafSignedByFakeIntermediateCertPEM, testdata.FakeIntermediateCertPEM})
 	validateOpts := ChainValidationOpts{
-		TrustedRoots: fakeCARoots,
-		ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		trustedRoots: fakeCARoots,
+		extKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 	}
 	beforeValidPeriod := time.Date(1999, 1, 1, 0, 0, 0, 0, time.UTC)
 	currentValidPeriod := time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC)
@@ -437,9 +437,9 @@ func TestRejectExpiredUnexpired(t *testing.T) {
 		},
 	} {
 		t.Run(tc.desc, func(t *testing.T) {
-			validateOpts.CurrentTime = tc.now
-			validateOpts.RejectExpired = tc.rejectExpired
-			validateOpts.RejectUnexpired = tc.rejectUnexpired
+			validateOpts.currentTime = tc.now
+			validateOpts.rejectExpired = tc.rejectExpired
+			validateOpts.rejectUnexpired = tc.rejectUnexpired
 			_, err := validateChain(chain, validateOpts)
 			if err != nil {
 				if len(tc.wantErr) == 0 {
@@ -528,8 +528,8 @@ func TestCMPreIssuedCert(t *testing.T) {
 	} {
 		t.Run(tc.desc, func(t *testing.T) {
 			opts := ChainValidationOpts{
-				TrustedRoots: cmRoot,
-				ExtKeyUsages: tc.eku,
+				trustedRoots: cmRoot,
+				extKeyUsages: tc.eku,
 			}
 			chain, err := validateChain(rawChain, opts)
 			if err != nil {

internal/scti/ctlog_test.go

@@ -39,7 +39,7 @@ func TestNewLog(t *testing.T) {
 			desc:   "ok",
 			origin: "testlog",
 			cvOpts: ChainValidationOpts{
-				TrustedRoots: roots,
+				trustedRoots: roots,
 			},
 			signer: signer,
 		},

internal/scti/handlers.go

@@ -330,8 +330,8 @@ func addPreChain(ctx context.Context, opts *HandlerOptions, log *log, w http.Res
 
 func getRoots(_ context.Context, opts *HandlerOptions, log *log, w http.ResponseWriter, _ *http.Request) (int, error) {
 	// Pull out the raw certificates from the parsed versions
-	rawCerts := make([][]byte, 0, len(log.chainValidationOpts.TrustedRoots.RawCertificates()))
-	for _, cert := range log.chainValidationOpts.TrustedRoots.RawCertificates() {
+	rawCerts := make([][]byte, 0, len(log.chainValidationOpts.trustedRoots.RawCertificates()))
+	for _, cert := range log.chainValidationOpts.trustedRoots.RawCertificates() {
 		rawCerts = append(rawCerts, cert.Raw)
 	}
 

internal/scti/handlers_test.go

@@ -91,8 +91,8 @@ func setupTest(t *testing.T, pemRoots []string, signer crypto.Signer) handlerTes
 
 	info.storage = mockstorage.NewMockStorage(info.mockCtrl)
 	vOpts := ChainValidationOpts{
-		TrustedRoots:  info.roots,
-		RejectExpired: false,
+		trustedRoots:  info.roots,
+		rejectExpired: false,
 	}
 
 	hOpts := HandlerOptions{