Support wildcard CNs in root leaf certificates

[ecordell]

This adds support for explicit wildcard suffixes in root (leaf) certificates of the form prefix*.

I considered doing something more flexible using filepath.Match but I think this more conservative form is safer and (probably) just as useful. It would be easy to change in the future if more flexibility (e.g. docker.io/*/test) is needed.

Note the wildcard * indicator is required to avoid accidentally using wildcard certs (e.g. docker.io/test and docker.io/test2).

Fixes #883
Possibly addresses #914 as well?

[endophage]

should this be a const?

[endophage]

Glad you avoided filepath.Match, it has weird behaviour. It doesn't support ** and a single * matches exactly one and only one path segment. (it also probably wouldn't be consistent on windows).

One thought, should we require the * comes after a /? I don't have any instinct either way, just throwing it out there.

[endophage]

I figured a const at probably package scope :-P This works too as far as giving us immutability though.

[ecordell]

figured the go compiler would do what I wanted here, didn't really verify though

[endophage]

It probably will as far as optimization, I was thinking more along code organization.

[ecordell]

One thought, should we require the * comes after a /? I don't have any instinct either way, just throwing it out there.

Personally I think that's a little too restrictive; I was considering an organization using a wildcard cert for a subset of their packages, e.g. docker/notary* to cover docker/notary, docker/notary-server, and docker/notary-signer

[riyazdf]

can we add the following test cases:

CN: "", gun: *, out: false
CN: *, gun: "", out: true
CN: *abc*, gun: "abc", out: false (since we check against *abc, no longer wildcarded)
CN: test/*/wild*, gun: "test/test/wild", out: false (since we check against test/*/wild, no longer wildcarded)

[cyli]

Out of curiosity, if the common name is **, should we treat that as *? If not, can we also add one more test?

CN: **, gun: "docker.com/any", out: false

[cyli]

Non-blocking: Since we're not actually checking any trust pinning here, do we need a CA+intermediate+leaf for this test? Might make the test a little shorter to just include the leaf.

[riyazdf]

@cyli: good idea - I like treating ** as * for now to keep things simple so that test would be great 👍

[ecordell]

I went ahead and switched TrimSuffix to TrimRight so that any number of trailing *s will collapse down to 1.

[riyazdf]

nit style: I'd prefer using strings.TrimSuffix instead of indexing directly

[riyazdf]

Also, could we add a log debug to display which prefix we're comparing against?

My concern is if folks use something like prefix** and expect matching against prefix instead of prefix*

[cyli]

nit: "TestCheckingWildcartCert"

[riyazdf]

LGTM, thank you for picking this up @ecordell!

[cyli]

LGTM! Thanks for adding this support, @ecordell!

[lewiada-zz]

How do I enable this feature? Today the root public key in the root.json file is a self-signed cert with CN == GUN. How do I use this such that the CN is a wildcard such as www.example.com/* ?

[endophage]

The functionality to leverage it hasn't been added yet :-( #821 was part of the work on that but I guess @dnwake has been otherwise engaged. I pinged him a few weeks ago checking if he'd get back around to it and he said he would.

[lewiada-zz]

@endophage - we are making the changes (actually already done, just testing now) as well as some others that you and I discussed. You should see a pull request in the next few days. Once this is in place, we are planning to work on CA pinning, and then moving trust pinning into DCT. Once that's all finished, we can work on getting generalizing the pkcs11 interface to support HSMs other than Yubikey :-)