From e7d80645f5f3795183ff6062a6529ea226d8ef47 Mon Sep 17 00:00:00 2001
From: Rasmus Dahlberg
Date: Wed, 4 Nov 2020 12:10:33 +0100
Subject: added certificate chain length checking

---
 x509.go | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

(limited to 'x509.go')

diff --git a/x509.go b/x509.go
index b8e2885..014344d 100644
--- a/x509.go
+++ b/x509.go
@@ -180,13 +180,16 @@ func buildChainFromB64List(lp *LogParameters, b64chain []string) ([]*x509.Certif
 		return nil, fmt.Errorf("chain verification failed: %v", err)
 	}
 	if len(chains) == 0 {
-		return nil, fmt.Errorf("chain verification failed: no chain")
+		return nil, fmt.Errorf("bad certificate chain length: empty")
 	}
-	chain := chains[0] // if we found multiple paths just pick the first one
-	// TODO: check that len(chain) is OK
-
-	return chain, nil
+	// there might be several valid chains
+	for _, chain := range chains {
+		if int64(len(chain)) <= lp.MaxChain {
+			return chain, nil // just pick the first valid chain
+		}
+	}
+	return nil, fmt.Errorf("bad certificate chain length: too large")
 }
 
 // verifySignature checks if signature is valid for some serialized data. The
-- 
cgit v1.2.3
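Review bot: The new `int64(len(chain)) <= lp.MaxChain` bound is applied only to chains that verification has already built, so it does not limit the work spent parsing and verifying an oversized submission; unless a check earlier in buildChainFromB64List (its start is outside this hunk) already bounds `len(b64chain)`, the same lp.MaxChain comparison should be made on the input list before any certificate is decoded or Verify is called. The loop also counts whatever Verify returns, which in Go's crypto/x509 is a path ending in the pool root, so whether MaxChain is meant to include the trust anchor should be stated where MaxChain is declared, e.g. `// MaxChain is the maximum accepted chain length, including the root`. The rejection message would be more useful with the limit in it: `return nil, fmt.Errorf("bad certificate chain length: too large (max %d)", lp.MaxChain)`.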