Better support for distinguishedNameMatch in TLS Auth

Signed-off-by: Waldemar Quevedo <wally@synadia.com>
2026-04-02 03:38:42 -07:00 · 2020-09-01 12:08:58 -07:00
parent d794616945
commit 57f2c74d62
6 changed files with 698 additions and 44 deletions
--- a/internal/ldap/dn.go
+++ b/internal/ldap/dn.go
@@ -0,0 +1,234 @@
+// Copyright (c) 2011-2015 Michael Mitton (mmitton@gmail.com)
+// Portions copyright (c) 2015-2016 go-ldap Authors
+package ldap
+
+import (
+	"bytes"
+	"crypto/x509/pkix"
+	enchex "encoding/hex"
+	"errors"
+	"fmt"
+	"strings"
+)
+
+var attributeTypeNames = map[string]string{
+	"2.5.4.6":  "C",
+	"2.5.4.10": "O",
+	"2.5.4.11": "OU",
+	"2.5.4.3":  "CN",
+	"2.5.4.5":  "SERIALNUMBER",
+	"2.5.4.7":  "L",
+	"2.5.4.8":  "ST",
+	"2.5.4.9":  "STREET",
+	"2.5.4.17": "POSTALCODE",
+	// FIXME: Add others.
+	"0.9.2342.19200300.100.1.25": "DC",
+}
+
+// AttributeTypeAndValue represents an attributeTypeAndValue from https://tools.ietf.org/html/rfc4514
+type AttributeTypeAndValue struct {
+	// Type is the attribute type
+	Type string
+	// Value is the attribute value
+	Value string
+}
+
+// RelativeDN represents a relativeDistinguishedName from https://tools.ietf.org/html/rfc4514
+type RelativeDN struct {
+	Attributes []*AttributeTypeAndValue
+}
+
+// DN represents a distinguishedName from https://tools.ietf.org/html/rfc4514
+type DN struct {
+	RDNs []*RelativeDN
+}
+
+// FromCertSubject takes a pkix.Name from a cert and returns a DN
+// that uses the same set.
+func FromCertSubject(subject pkix.Name) (*DN, error) {
+	dn := &DN{
+		RDNs: make([]*RelativeDN, 0),
+	}
+	for i := len(subject.Names) - 1; i >= 0; i-- {
+		name := subject.Names[i]
+		oidString := name.Type.String()
+		typeName, ok := attributeTypeNames[oidString]
+		if !ok {
+			return nil, fmt.Errorf("invalid type name: %+v", name)
+		}
+		v, ok := name.Value.(string)
+		if !ok {
+			return nil, fmt.Errorf("invalid type value: %+v", v)
+		}
+		rdn := &RelativeDN{
+			Attributes: []*AttributeTypeAndValue{
+				{
+					Type:  typeName,
+					Value: v,
+				},
+			},
+		}
+		dn.RDNs = append(dn.RDNs, rdn)
+	}
+	return dn, nil
+}
+
+// ParseDN returns a distinguishedName or an error.
+// The function respects https://tools.ietf.org/html/rfc4514
+func ParseDN(str string) (*DN, error) {
+	dn := new(DN)
+	dn.RDNs = make([]*RelativeDN, 0)
+	rdn := new(RelativeDN)
+	rdn.Attributes = make([]*AttributeTypeAndValue, 0)
+	buffer := bytes.Buffer{}
+	attribute := new(AttributeTypeAndValue)
+	escaping := false
+
+	unescapedTrailingSpaces := 0
+	stringFromBuffer := func() string {
+		s := buffer.String()
+		s = s[0 : len(s)-unescapedTrailingSpaces]
+		buffer.Reset()
+		unescapedTrailingSpaces = 0
+		return s
+	}
+
+	for i := 0; i < len(str); i++ {
+		char := str[i]
+		switch {
+		case escaping:
+			unescapedTrailingSpaces = 0
+			escaping = false
+			switch char {
+			case ' ', '"', '#', '+', ',', ';', '<', '=', '>', '\\':
+				buffer.WriteByte(char)
+				continue
+			}
+			// Not a special character, assume hex encoded octet
+			if len(str) == i+1 {
+				return nil, errors.New("got corrupted escaped character")
+			}
+
+			dst := []byte{0}
+			n, err := enchex.Decode([]byte(dst), []byte(str[i:i+2]))
+			if err != nil {
+				return nil, fmt.Errorf("failed to decode escaped character: %s", err)
+			} else if n != 1 {
+				return nil, fmt.Errorf("expected 1 byte when un-escaping, got %d", n)
+			}
+			buffer.WriteByte(dst[0])
+			i++
+		case char == '\\':
+			unescapedTrailingSpaces = 0
+			escaping = true
+		case char == '=':
+			attribute.Type = stringFromBuffer()
+			// Special case: If the first character in the value is # the following data
+			// is BER encoded. Throw an error since not supported right now.
+			if len(str) > i+1 && str[i+1] == '#' {
+				return nil, errors.New("unsupported BER encoding")
+			}
+		case char == ',' || char == '+':
+			// We're done with this RDN or value, push it
+			if len(attribute.Type) == 0 {
+				return nil, errors.New("incomplete type, value pair")
+			}
+			attribute.Value = stringFromBuffer()
+			rdn.Attributes = append(rdn.Attributes, attribute)
+			attribute = new(AttributeTypeAndValue)
+			if char == ',' {
+				dn.RDNs = append(dn.RDNs, rdn)
+				rdn = new(RelativeDN)
+				rdn.Attributes = make([]*AttributeTypeAndValue, 0)
+			}
+		case char == ' ' && buffer.Len() == 0:
+			// ignore unescaped leading spaces
+			continue
+		default:
+			if char == ' ' {
+				// Track unescaped spaces in case they are trailing and we need to remove them
+				unescapedTrailingSpaces++
+			} else {
+				// Reset if we see a non-space char
+				unescapedTrailingSpaces = 0
+			}
+			buffer.WriteByte(char)
+		}
+	}
+	if buffer.Len() > 0 {
+		if len(attribute.Type) == 0 {
+			return nil, errors.New("DN ended with incomplete type, value pair")
+		}
+		attribute.Value = stringFromBuffer()
+		rdn.Attributes = append(rdn.Attributes, attribute)
+		dn.RDNs = append(dn.RDNs, rdn)
+	}
+	return dn, nil
+}
+
+// Equal returns true if the DNs are equal as defined by rfc4517 4.2.15 (distinguishedNameMatch).
+// Returns true if they have the same number of relative distinguished names
+// and corresponding relative distinguished names (by position) are the same.
+func (d *DN) Equal(other *DN) bool {
+	if len(d.RDNs) != len(other.RDNs) {
+		return false
+	}
+	for i := range d.RDNs {
+		if !d.RDNs[i].Equal(other.RDNs[i]) {
+			return false
+		}
+	}
+	return true
+}
+
+// AncestorOf returns true if the other DN consists of at least one RDN followed by all the RDNs of the current DN.
+// "ou=widgets,o=acme.com" is an ancestor of "ou=sprockets,ou=widgets,o=acme.com"
+// "ou=widgets,o=acme.com" is not an ancestor of "ou=sprockets,ou=widgets,o=foo.com"
+// "ou=widgets,o=acme.com" is not an ancestor of "ou=widgets,o=acme.com"
+func (d *DN) AncestorOf(other *DN) bool {
+	if len(d.RDNs) >= len(other.RDNs) {
+		return false
+	}
+	// Take the last `len(d.RDNs)` RDNs from the other DN to compare against
+	otherRDNs := other.RDNs[len(other.RDNs)-len(d.RDNs):]
+	for i := range d.RDNs {
+		if !d.RDNs[i].Equal(otherRDNs[i]) {
+			return false
+		}
+	}
+	return true
+}
+
+// Equal returns true if the RelativeDNs are equal as defined by rfc4517 4.2.15 (distinguishedNameMatch).
+// Relative distinguished names are the same if and only if they have the same number of AttributeTypeAndValues
+// and each attribute of the first RDN is the same as the attribute of the second RDN with the same attribute type.
+// The order of attributes is not significant.
+// Case of attribute types is not significant.
+func (r *RelativeDN) Equal(other *RelativeDN) bool {
+	if len(r.Attributes) != len(other.Attributes) {
+		return false
+	}
+	return r.hasAllAttributes(other.Attributes) && other.hasAllAttributes(r.Attributes)
+}
+
+func (r *RelativeDN) hasAllAttributes(attrs []*AttributeTypeAndValue) bool {
+	for _, attr := range attrs {
+		found := false
+		for _, myattr := range r.Attributes {
+			if myattr.Equal(attr) {
+				found = true
+				break
+			}
+		}
+		if !found {
+			return false
+		}
+	}
+	return true
+}
+
+// Equal returns true if the AttributeTypeAndValue is equivalent to the specified AttributeTypeAndValue
+// Case of the attribute type is not significant
+func (a *AttributeTypeAndValue) Equal(other *AttributeTypeAndValue) bool {
+	return strings.EqualFold(a.Type, other.Type) && a.Value == other.Value
+}
--- a/internal/ldap/dn_test.go
+++ b/internal/ldap/dn_test.go
@@ -0,0 +1,212 @@
+// Copyright (c) 2011-2015 Michael Mitton (mmitton@gmail.com)
+// Portions copyright (c) 2015-2016 go-ldap Authors
+package ldap
+
+import (
+	"reflect"
+	"testing"
+)
+
+func TestSuccessfulDNParsing(t *testing.T) {
+	testcases := map[string]DN{
+		"": {[]*RelativeDN{}},
+		"cn=Jim\\2C \\22Hasse Hö\\22 Hansson!,dc=dummy,dc=com": {[]*RelativeDN{
+			{[]*AttributeTypeAndValue{{"cn", "Jim, \"Hasse Hö\" Hansson!"}}},
+			{[]*AttributeTypeAndValue{{"dc", "dummy"}}},
+			{[]*AttributeTypeAndValue{{"dc", "com"}}}}},
+		"UID=jsmith,DC=example,DC=net": {[]*RelativeDN{
+			{[]*AttributeTypeAndValue{{"UID", "jsmith"}}},
+			{[]*AttributeTypeAndValue{{"DC", "example"}}},
+			{[]*AttributeTypeAndValue{{"DC", "net"}}}}},
+		"OU=Sales+CN=J. Smith,DC=example,DC=net": {[]*RelativeDN{
+			{[]*AttributeTypeAndValue{
+				{"OU", "Sales"},
+				{"CN", "J. Smith"}}},
+			{[]*AttributeTypeAndValue{{"DC", "example"}}},
+			{[]*AttributeTypeAndValue{{"DC", "net"}}}}},
+		//
+		// "1.3.6.1.4.1.1466.0=#04024869": {[]*RelativeDN{
+		// 	{[]*AttributeTypeAndValue{{"1.3.6.1.4.1.1466.0", "Hi"}}}}},
+		// "1.3.6.1.4.1.1466.0=#04024869,DC=net": {[]*RelativeDN{
+		// 	{[]*AttributeTypeAndValue{{"1.3.6.1.4.1.1466.0", "Hi"}}},
+		// 	{[]*AttributeTypeAndValue{{"DC", "net"}}}}},
+		"CN=Lu\\C4\\8Di\\C4\\87": {[]*RelativeDN{
+			{[]*AttributeTypeAndValue{{"CN", "Lučić"}}}}},
+		"  CN  =  Lu\\C4\\8Di\\C4\\87  ": {[]*RelativeDN{
+			{[]*AttributeTypeAndValue{{"CN", "Lučić"}}}}},
+		`   A   =   1   ,   B   =   2   `: {[]*RelativeDN{
+			{[]*AttributeTypeAndValue{{"A", "1"}}},
+			{[]*AttributeTypeAndValue{{"B", "2"}}}}},
+		`   A   =   1   +   B   =   2   `: {[]*RelativeDN{
+			{[]*AttributeTypeAndValue{
+				{"A", "1"},
+				{"B", "2"}}}}},
+		`   \ \ A\ \    =   \ \ 1\ \    ,   \ \ B\ \    =   \ \ 2\ \    `: {[]*RelativeDN{
+			{[]*AttributeTypeAndValue{{"  A  ", "  1  "}}},
+			{[]*AttributeTypeAndValue{{"  B  ", "  2  "}}}}},
+		`   \ \ A\ \    =   \ \ 1\ \    +   \ \ B\ \    =   \ \ 2\ \    `: {[]*RelativeDN{
+			{[]*AttributeTypeAndValue{
+				{"  A  ", "  1  "},
+				{"  B  ", "  2  "}}}}},
+	}
+
+	for test, answer := range testcases {
+		dn, err := ParseDN(test)
+		if err != nil {
+			t.Errorf(err.Error())
+			continue
+		}
+		if !reflect.DeepEqual(dn, &answer) {
+			t.Errorf("Parsed DN %s is not equal to the expected structure", test)
+			t.Logf("Expected:")
+			for _, rdn := range answer.RDNs {
+				for _, attribs := range rdn.Attributes {
+					t.Logf("#%v\n", attribs)
+				}
+			}
+			t.Logf("Actual:")
+			for _, rdn := range dn.RDNs {
+				for _, attribs := range rdn.Attributes {
+					t.Logf("#%v\n", attribs)
+				}
+			}
+		}
+	}
+}
+
+func TestErrorDNParsing(t *testing.T) {
+	testcases := map[string]string{
+		"*":               "DN ended with incomplete type, value pair",
+		"cn=Jim\\0Test":   "failed to decode escaped character: encoding/hex: invalid byte: U+0054 'T'",
+		"cn=Jim\\0":       "got corrupted escaped character",
+		"DC=example,=net": "DN ended with incomplete type, value pair",
+		// "1=#0402486":              "failed to decode BER encoding: encoding/hex: odd length hex string",
+		"test,DC=example,DC=com":  "incomplete type, value pair",
+		"=test,DC=example,DC=com": "incomplete type, value pair",
+	}
+
+	for test, answer := range testcases {
+		_, err := ParseDN(test)
+		if err == nil {
+			t.Errorf("Expected %s to fail parsing but succeeded\n", test)
+		} else if err.Error() != answer {
+			t.Errorf("Unexpected error on %s:\n%s\nvs.\n%s\n", test, answer, err.Error())
+		}
+	}
+}
+
+func TestDNEqual(t *testing.T) {
+	testcases := []struct {
+		A     string
+		B     string
+		Equal bool
+	}{
+		// Exact match
+		{"", "", true},
+		{"o=A", "o=A", true},
+		{"o=A", "o=B", false},
+
+		{"o=A,o=B", "o=A,o=B", true},
+		{"o=A,o=B", "o=A,o=C", false},
+
+		{"o=A+o=B", "o=A+o=B", true},
+		{"o=A+o=B", "o=A+o=C", false},
+
+		// Case mismatch in type is ignored
+		{"o=A", "O=A", true},
+		{"o=A,o=B", "o=A,O=B", true},
+		{"o=A+o=B", "o=A+O=B", true},
+
+		// Case mismatch in value is significant
+		{"o=a", "O=A", false},
+		{"o=a,o=B", "o=A,O=B", false},
+		{"o=a+o=B", "o=A+O=B", false},
+
+		// Multi-valued RDN order mismatch is ignored
+		{"o=A+o=B", "O=B+o=A", true},
+		// Number of RDN attributes is significant
+		{"o=A+o=B", "O=B+o=A+O=B", false},
+
+		// Missing values are significant
+		{"o=A+o=B", "O=B+o=A+O=C", false}, // missing values matter
+		{"o=A+o=B+o=C", "O=B+o=A", false}, // missing values matter
+
+		// Whitespace tests
+		// Matching
+		{
+			"cn=John Doe, ou=People, dc=sun.com",
+			"cn=John Doe, ou=People, dc=sun.com",
+			true,
+		},
+		// Difference in leading/trailing chars is ignored
+		{
+			"cn=John Doe, ou=People, dc=sun.com",
+			"cn=John Doe,ou=People,dc=sun.com",
+			true,
+		},
+		// Difference in values is significant
+		{
+			"cn=John Doe, ou=People, dc=sun.com",
+			"cn=John  Doe, ou=People, dc=sun.com",
+			false,
+		},
+	}
+
+	for i, tc := range testcases {
+		a, err := ParseDN(tc.A)
+		if err != nil {
+			t.Errorf("%d: %v", i, err)
+			continue
+		}
+		b, err := ParseDN(tc.B)
+		if err != nil {
+			t.Errorf("%d: %v", i, err)
+			continue
+		}
+		if expected, actual := tc.Equal, a.Equal(b); expected != actual {
+			t.Errorf("%d: when comparing '%s' and '%s' expected %v, got %v", i, tc.A, tc.B, expected, actual)
+			continue
+		}
+		if expected, actual := tc.Equal, b.Equal(a); expected != actual {
+			t.Errorf("%d: when comparing '%s' and '%s' expected %v, got %v", i, tc.A, tc.B, expected, actual)
+			continue
+		}
+	}
+}
+
+func TestDNAncestor(t *testing.T) {
+	testcases := []struct {
+		A        string
+		B        string
+		Ancestor bool
+	}{
+		// Exact match returns false
+		{"", "", false},
+		{"o=A", "o=A", false},
+		{"o=A,o=B", "o=A,o=B", false},
+		{"o=A+o=B", "o=A+o=B", false},
+
+		// Mismatch
+		{"ou=C,ou=B,o=A", "ou=E,ou=D,ou=B,o=A", false},
+
+		// Descendant
+		{"ou=C,ou=B,o=A", "ou=E,ou=C,ou=B,o=A", true},
+	}
+
+	for i, tc := range testcases {
+		a, err := ParseDN(tc.A)
+		if err != nil {
+			t.Errorf("%d: %v", i, err)
+			continue
+		}
+		b, err := ParseDN(tc.B)
+		if err != nil {
+			t.Errorf("%d: %v", i, err)
+			continue
+		}
+		if expected, actual := tc.Ancestor, a.AncestorOf(b); expected != actual {
+			t.Errorf("%d: when comparing '%s' and '%s' expected %v, got %v", i, tc.A, tc.B, expected, actual)
+			continue
+		}
+	}
+}