From e7d80645f5f3795183ff6062a6529ea226d8ef47 Mon Sep 17 00:00:00 2001
From: Rasmus Dahlberg <rasmus.dahlberg@kau.se>
Date: Wed, 4 Nov 2020 12:10:33 +0100
Subject: added certificate chain length checking

---
 instance.go |  2 ++
 x509.go     | 13 ++++++++-----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/instance.go b/instance.go
index 461ab6c..178b058 100644
--- a/instance.go
+++ b/instance.go
@@ -27,6 +27,7 @@ type LogParameters struct {
 	TreeId     int64  // used internally by Trillian
 	Prefix     string
 	MaxRange   int64               // max entries per get-entries request
+	MaxChain   int64               // max submitter certificate chain length
 	AnchorPool *x509.CertPool      // for chain verification
 	AnchorList []*x509.Certificate // for access to the raw certificates
 	Signer     crypto.Signer
@@ -77,6 +78,7 @@ func NewLogParameters(treeId int64, prefix string, anchorPath, keyPath string) (
 		TreeId:     treeId,
 		Prefix:     prefix,
 		MaxRange:   2, // TODO: allow configuration
+		MaxChain:   3, // TODO: allow configuration
 		AnchorPool: anchorPool,
 		AnchorList: anchorList,
 		Signer:     key,
diff --git a/x509.go b/x509.go
index b8e2885..014344d 100644
--- a/x509.go
+++ b/x509.go
@@ -180,13 +180,16 @@ func buildChainFromB64List(lp *LogParameters, b64chain []string) ([]*x509.Certif
 		return nil, fmt.Errorf("chain verification failed: %v", err)
 	}
 	if len(chains) == 0 {
-		return nil, fmt.Errorf("chain verification failed: no chain")
+		return nil, fmt.Errorf("bad certificate chain length: empty")
 	}
 
-	chain := chains[0] // if we found multiple paths just pick the first one
-	// TODO: check that len(chain) is OK
-
-	return chain, nil
+	// there might be several valid chains
+	for _, chain := range chains {
+		if int64(len(chain)) <= lp.MaxChain {
+			return chain, nil // just pick the first valid chain
+		}
+	}
+	return nil, fmt.Errorf("bad certificate chain length: too large")
 }
 
 // verifySignature checks if signature is valid for some serialized data.  The
-- 
cgit v1.2.3