From 2c19321baba110557ae1026fbe5a029839ad9dc2 Mon Sep 17 00:00:00 2001
From: Philippe Boneff
Date: Tue, 18 Mar 2025 15:25:28 +0000
Subject: [PATCH 1/2] rename x509fork to lax509
---
 internal/{x509fork => lax509}/README.md | 2 +-
 internal/{x509fork => lax509}/cert_pool.go | 2 +-
 internal/{x509fork => lax509}/cert_pool_test.go | 2 +-
 internal/{x509fork => lax509}/verify.go | 2 +-
 internal/{x509fork => lax509}/verify_test.go | 8 ++++----
 internal/{x509fork => lax509}/x509.go | 2 +-
 internal/scti/chain_validation.go | 6 +++---
 internal/x509util/pem_cert_pool.go | 8 ++++----
 8 files changed, 16 insertions(+), 16 deletions(-)
 rename internal/{x509fork => lax509}/README.md (99%)
 rename internal/{x509fork => lax509}/cert_pool.go (99%)
 rename internal/{x509fork => lax509}/cert_pool_test.go (98%)
 rename internal/{x509fork => lax509}/verify.go (99%)
 rename internal/{x509fork => lax509}/verify_test.go (99%)
 rename internal/{x509fork => lax509}/x509.go (77%)
diff --git a/internal/x509fork/README.md b/internal/lax509/README.md
similarity index 99%
rename from internal/x509fork/README.md
rename to internal/lax509/README.md
index 16ee741c..9e745cf2 100644
--- a/internal/x509fork/README.md
+++ b/internal/lax509/README.md
@@ -1,4 +1,4 @@
-# x509fork
+# lax509
 This is a minimalist fork of [`crypto/x509`](https://pkg.go.dev/crypto/x509).
diff --git a/internal/x509fork/cert_pool.go b/internal/lax509/cert_pool.go
similarity index 99%
rename from internal/x509fork/cert_pool.go
rename to internal/lax509/cert_pool.go
index 0b9e1f61..2b0a8854 100644
--- a/internal/x509fork/cert_pool.go
+++ b/internal/lax509/cert_pool.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
-package x509fork
+package lax509
 import (
 "bytes"
diff --git a/internal/x509fork/cert_pool_test.go b/internal/lax509/cert_pool_test.go
similarity index 98%
rename from internal/x509fork/cert_pool_test.go
rename to internal/lax509/cert_pool_test.go
index 873a21bc..01161b5d 100644
--- a/internal/x509fork/cert_pool_test.go
+++ b/internal/lax509/cert_pool_test.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
-package x509fork
+package lax509
 import (
 "crypto/x509"
diff --git a/internal/x509fork/verify.go b/internal/lax509/verify.go
similarity index 99%
rename from internal/x509fork/verify.go
rename to internal/lax509/verify.go
index d5262874..34cec269 100644
--- a/internal/x509fork/verify.go
+++ b/internal/lax509/verify.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
-package x509fork
+package lax509
 import (
 "bytes"
diff --git a/internal/x509fork/verify_test.go b/internal/lax509/verify_test.go
similarity index 99%
rename from internal/x509fork/verify_test.go
rename to internal/lax509/verify_test.go
index 63954390..5b6e3f9c 100644
--- a/internal/x509fork/verify_test.go
+++ b/internal/lax509/verify_test.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
-package x509fork
+package lax509
 import (
 "crypto"
@@ -1232,7 +1232,7 @@ func TestPathBuilding(t *testing.T) {
 // * Trust Anchor -> A -> B -> EE
 // * Trust Anchor -> C -> A -> B -> EE
 //
- // [x509fork edit]: These paths should also be valid since EKU checks have been disabled.
+ // [lax509 edit]: These paths should also be valid since EKU checks have been disabled.
 // * Trust Anchor -> A -> C -> B -> EE
 // * Trust Anchor -> C -> B -> EE
 //
@@ -1315,7 +1315,7 @@ func TestPathBuilding(t *testing.T) {
 // * Trust Anchor -> A -> B -> EE
 // * Trust Anchor -> C -> A -> B -> EE
 //
- // [x509fork edit]: These paths should also be valid since EKU checks have been disabled.
+ // [lax509 edit]: These paths should also be valid since EKU checks have been disabled.
 // * Trust Anchor -> C -> B -> EE
 // * Trust Anchor -> A -> C -> B -> EE
 //
@@ -1561,7 +1561,7 @@ func TestPathBuilding(t *testing.T) {
 // Build a basic graph with two paths from leaf to root, but the path passing
 // through C should be ignored, because it has invalid EKU nesting.
 //
- // [x509fork edit]: the second path should not be ignored since EKU checks
+ // [lax509 edit]: the second path should not be ignored since EKU checks
 // have been disabled.
 name: "ignore invalid EKU path",
 graph: trustGraphDescription{
diff --git a/internal/x509fork/x509.go b/internal/lax509/x509.go
similarity index 77%
rename from internal/x509fork/x509.go
rename to internal/lax509/x509.go
index 773d2987..075b2bc0 100644
--- a/internal/x509fork/x509.go
+++ b/internal/lax509/x509.go
@@ -1,4 +1,4 @@
-package x509fork
+package lax509
 var (
 oidExtensionSubjectAltName = []int{2, 5, 29, 17}
diff --git a/internal/scti/chain_validation.go b/internal/scti/chain_validation.go
index 33e0568a..0ba06461 100644
--- a/internal/scti/chain_validation.go
+++ b/internal/scti/chain_validation.go
@@ -24,8 +24,8 @@ import (
 "strings"
 "time"
+ "github.com/transparency-dev/static-ct/internal/lax509"
 "github.com/transparency-dev/static-ct/internal/types"
- "github.com/transparency-dev/static-ct/internal/x509fork"
 "github.com/transparency-dev/static-ct/internal/x509util"
 "k8s.io/klog/v2"
 )
@@ -236,13 +236,13 @@ func validateChain(rawChain [][]byte, validationOpts ChainValidationOpts) ([]*x5
 // - allow pre-certificates and chains with pre-issuers
 // - allow certificate without policing them since this is not CT's responsibility
 // See /internal/x509fork/README.md for further information.
- verifyOpts := x509fork.VerifyOptions{
+ verifyOpts := lax509.VerifyOptions{
 Roots: validationOpts.trustedRoots.CertPool(),
 Intermediates: intermediatePool.CertPool(),
 KeyUsages: validationOpts.extKeyUsages,
 }
- verifiedChains, err := x509fork.Verify(cert, verifyOpts)
+ verifiedChains, err := lax509.Verify(cert, verifyOpts)
 if err != nil {
 return nil, err
 }
diff --git a/internal/x509util/pem_cert_pool.go b/internal/x509util/pem_cert_pool.go
index 40361545..59dd1277 100644
--- a/internal/x509util/pem_cert_pool.go
+++ b/internal/x509util/pem_cert_pool.go
@@ -22,7 +22,7 @@ import (
 "fmt"
 "os"
- "github.com/transparency-dev/static-ct/internal/x509fork"
+ "github.com/transparency-dev/static-ct/internal/lax509"
 "k8s.io/klog/v2"
 )
@@ -37,12 +37,12 @@ type PEMCertPool struct {
 // maps from sha-256 to certificate, used for dup detection
 fingerprintToCertMap map[[sha256.Size]byte]x509.Certificate
 rawCerts []*x509.Certificate
- certPool *x509fork.CertPool
+ certPool *lax509.CertPool
 }
 // NewPEMCertPool creates a new, empty, instance of PEMCertPool.
 func NewPEMCertPool() *PEMCertPool {
- return &PEMCertPool{fingerprintToCertMap: make(map[[sha256.Size]byte]x509.Certificate), certPool: x509fork.NewCertPool()}
+ return &PEMCertPool{fingerprintToCertMap: make(map[[sha256.Size]byte]x509.Certificate), certPool: lax509.NewCertPool()}
 }
 // AddCert adds a certificate to a pool. Uses fingerprint to weed out duplicates.
@@ -111,7 +111,7 @@ func (p *PEMCertPool) Subjects() (res [][]byte) {
 }
 // CertPool returns the underlying CertPool.
-func (p *PEMCertPool) CertPool() *x509fork.CertPool {
+func (p *PEMCertPool) CertPool() *lax509.CertPool {
 return p.certPool
 }
From 60dd4865a7fb06829938ff4671e48a890260c38c Mon Sep 17 00:00:00 2001
From: Philippe Boneff
Date: Tue, 18 Mar 2025 15:30:47 +0000
Subject: [PATCH 2/2] edit comments
---
 internal/scti/chain_validation.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/internal/scti/chain_validation.go b/internal/scti/chain_validation.go
index 0ba06461..139d578f 100644
--- a/internal/scti/chain_validation.go
+++ b/internal/scti/chain_validation.go
@@ -231,11 +231,11 @@ func validateChain(rawChain [][]byte, validationOpts ChainValidationOpts) ([]*x5
 }
 }
- // We can now do the verification. Use x509fork with looser verification
+ // We can now do the verification. Use lax509 with looser verification
 // constraints to:
 // - allow pre-certificates and chains with pre-issuers
 // - allow certificate without policing them since this is not CT's responsibility
- // See /internal/x509fork/README.md for further information.
+ // See /internal/lax509/README.md for further information.
 verifyOpts := lax509.VerifyOptions{
 Roots: validationOpts.trustedRoots.CertPool(),
 Intermediates: intermediatePool.CertPool(),
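Review bot: The rewritten comment describes lax509's "looser verification constraints" with two bullets, but neither says that extended-key-usage checks are disabled, which the verify_test.go comments in the preceding patch state explicitly ("EKU checks have been disabled"); since the same VerifyOptions literal goes on to set `KeyUsages: validationOpts.extKeyUsages` (visible in the first patch's hunk), a reader of this comment may assume EKU is still enforced at this point. Consider adding a bullet such as `// - skip EKU nesting checks (see verify_test.go); KeyUsages below is not a full EKU policy` after confirming the exact behaviour against verify.go, which this series does not show. While editing these lines, `// - allow certificate without policing them` should read `certificates`. validateChain's body starts and ends outside the hunk.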