authorRasmus Dahlberg <rasmus.dahlberg@kau.se>2020-11-04 12:10:33 +0100
committerRasmus Dahlberg <rasmus.dahlberg@kau.se>2020-11-04 12:10:33 +0100
commite7d80645f5f3795183ff6062a6529ea226d8ef47 (patch)
treed5cbc9431270df7c8f96def1b77ad6b4ba604373 /x509.go
parent80c77449756c102381278d7ebeeb7b448cd6a16a (diff)
added certificate chain length checking
Diffstat (limited to 'x509.go')
-rw-r--r--x509.go13
1 files changed, 8 insertions, 5 deletions
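diff --git a/x509.go b/x509.go
index b8e2885..014344d 100644
--- a/x509.go
+++ b/x509.go
@@ -180,13 +180,16 @@ func buildChainFromB64List(lp *LogParameters, b64chain []string) ([]*x509.Certif
 return nil, fmt.Errorf("chain verification failed: %v", err)
 }
 if len(chains) == 0 {
-return nil, fmt.Errorf("chain verification failed: no chain")
+return nil, fmt.Errorf("bad certificate chain length: empty")
 }
-chain := chains[0] // if we found multiple paths just pick the first one
-// TODO: check that len(chain) is OK
-
-return chain, nil
+// there might be several valid chains
+for _, chain := range chains {
+if int64(len(chain)) <= lp.MaxChain {
+return chain, nil // just pick the first valid chain
+}
+}
+return nil, fmt.Errorf("bad certificate chain length: too large")
 }
 // verifySignature checks if signature is valid for some serialized data. The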
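Review bot: The `bad certificate chain length: too large` error returned after the loop discards the lengths it just compared, so a rejected submission cannot be told apart from a misconfigured `lp.MaxChain` (a zero value rejects every chain the verifier produced); recording the shortest chain seen and reporting it next to the limit makes the failure diagnosable without changing which chain is accepted. The rewritten loop is below; indexing `chains[0]` is safe because the `len(chains) == 0` branch returns first. buildChainFromB64List begins before the hunk, so whether `MaxChain` is validated when the LogParameters are built is not visible here. A smaller wording point: the message on the `len(chains) == 0` branch describes a verifier that produced no chain rather than a chain with a bad length, so the earlier `chain verification failed: no chain` matched that branch more closely.
```go
// … unchanged: Verify call and len(chains) == 0 check …
	// there might be several valid chains
	shortest := len(chains[0])
	for _, chain := range chains {
		if int64(len(chain)) <= lp.MaxChain {
			return chain, nil // just pick the first valid chain
		}
		if len(chain) < shortest {
			shortest = len(chain)
		}
	}
	return nil, fmt.Errorf("bad certificate chain length: shortest chain has %d certificates, max is %d", shortest, lp.MaxChain)
```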