Parse and verify certificates with options

ast/builtins.go

@@ -207,6 +207,7 @@ var DefaultBuiltins = [...]*Builtin{
 	// Crypto
 	CryptoX509ParseCertificates,
 	CryptoX509ParseAndVerifyCertificates,
+	CryptoX509ParseAndVerifyCertificatesWithOptions,
 	CryptoMd5,
 	CryptoSha1,
 	CryptoSha256,
@@ -2327,6 +2328,51 @@ with all others being treated as intermediates.`,
 	),
 }
 
+var CryptoX509ParseAndVerifyCertificatesWithOptions = &Builtin{
+	Name: "crypto.x509.parse_and_verify_certificates_with_options",
+	Description: `Returns one or more certificates from the given string containing PEM
+or base64 encoded DER certificates after verifying the supplied certificates form a complete
+certificate chain back to a trusted root. Second argument is a option object to pass
+extra configs to verify the validity of certificates.
+
+The first certificate is treated as the root and the last is treated as the leaf,
+with all others being treated as intermediates.` +
+		"Example option object: " +
+		"`options := {\"DNSName\" : \"example.dns.com\", \"CurrentTime\": 1708447636000000000,`" +
+		"`\"KeyUsages\": {\"KeyUsageServerAuth\", \"KeyUsageClientAuth\", \"KeyUsageCodeSigning\"},`" +
+		"`\"MaxConstraintComparisons\" : 5,`" +
+		"`}`" +
+		"Then this function call will look like: `crypto.x509.parse_and_verify_certificates_with_options(<cert base64 encoded string>, options)`" +
+		"This option's field has same definitions as fields in [x509.VerifyOptions struct](https://pkg.go.dev/crypto/x509#VerifyOptions)" +
+		"`CurrentTime` is nanoseconds since epoch" +
+		"List of possible values for `KeyUsages` field are: `[\"KeyUsageAny\", \"KeyUsageServerAuth\",`" +
+		"`\"KeyUsageClientAuth\", \"KeyUsageCodeSigning\", \"KeyUsageEmailProtection\", \"KeyUsageIPSECEndSystem\",`" +
+		"`\"KeyUsageIPSECTunnel\", \"KeyUsageIPSECUser\", \"KeyUsageTimeStamping\", \"KeyUsageOCSPSigning\",`" +
+		"`\"KeyUsageMicrosoftServerGatedCrypto\", \"KeyUsageNetscapeServerGatedCrypto\",`" +
+		"`\"KeyUsageMicrosoftCommercialCodeSigning\", \"KeyUsageMicrosoftKernelCodeSigning\"]`",
+
+	Decl: types.NewFunction(
+		types.Args(
+			types.Named("certs", types.S).Description("base64 encoded DER or PEM data containing two or more certificates where the first is a root CA, the last is a leaf certificate, and all others are intermediate CAs"),
+			types.Named("options", types.NewObject(
+				nil,
+				types.NewDynamicProperty(
+					types.A,
+					types.NewAny(
+						types.S,
+						types.N,
+						types.NewSet(types.A),
+					),
+				)),
+			).Description("option object to pass extra configs to verify the validity of certificates."),
+		),
+		types.Named("output", types.NewArray([]types.Type{
+			types.B,
+			types.NewArray(nil, types.NewObject(nil, types.NewDynamicProperty(types.S, types.A))),
+		}, nil)).Description("array of `[valid, certs]`: if the input certificate chain could be verified then `valid` is `true` and `certs` is an array of X.509 certificates represented as objects; if the input certificate chain could not be verified then `valid` is `false` and `certs` is `[]`"),
+	),
+}
+
 var CryptoX509ParseCertificateRequest = &Builtin{
 	Name:        "crypto.x509.parse_certificate_request",
 	Description: "Returns a PKCS #10 certificate signing request from the given PEM-encoded PKCS#10 certificate signing request.",

builtin_metadata.json

@@ -43,6 +43,7 @@
       "crypto.sha1",
       "crypto.sha256",
       "crypto.x509.parse_and_verify_certificates",
+      "crypto.x509.parse_and_verify_certificates_with_options",
       "crypto.x509.parse_certificate_request",
       "crypto.x509.parse_certificates",
       "crypto.x509.parse_keypair",
@@ -4337,6 +4338,31 @@
     },
     "wasm": false
   },
+  "crypto.x509.parse_and_verify_certificates_with_options": {
+    "args": [
+      {
+        "description": "base64 encoded DER or PEM data containing two or more certificates where the first is a root CA, the last is a leaf certificate, and all others are intermediate CAs",
+        "name": "certs",
+        "type": "string"
+      },
+      {
+        "description": "option object to pass extra configs to verify the validity of certificates.",
+        "name": "options",
+        "type": "object[any: any\u003cnumber, string, set[any]\u003e]"
+      }
+    ],
+    "available": [
+      "edge"
+    ],
+    "description": "Returns one or more certificates from the given string containing PEM\nor base64 encoded DER certificates after verifying the supplied certificates form a complete\ncertificate chain back to a trusted root. Second argument is a option object to pass\nextra configs to verify the validity of certificates.\n\nThe first certificate is treated as the root and the last is treated as the leaf,\nwith all others being treated as intermediates.Example option object: `options := {\"DNSName\" : \"example.dns.com\", \"CurrentTime\": 1708447636000000000,``\"KeyUsages\": {\"KeyUsageServerAuth\", \"KeyUsageClientAuth\", \"KeyUsageCodeSigning\"},``\"MaxConstraintComparisons\" : 5,``}`Then this function call will look like: `crypto.x509.parse_and_verify_certificates_with_options(\u003ccert base64 encoded string\u003e, options)`This option's field has same definitions as fields in [x509.VerifyOptions struct](https://pkg.go.dev/crypto/x509#VerifyOptions)`CurrentTime` is nanoseconds since epochList of possible values for `KeyUsages` field are: `[\"KeyUsageAny\", \"KeyUsageServerAuth\",``\"KeyUsageClientAuth\", \"KeyUsageCodeSigning\", \"KeyUsageEmailProtection\", \"KeyUsageIPSECEndSystem\",``\"KeyUsageIPSECTunnel\", \"KeyUsageIPSECUser\", \"KeyUsageTimeStamping\", \"KeyUsageOCSPSigning\",``\"KeyUsageMicrosoftServerGatedCrypto\", \"KeyUsageNetscapeServerGatedCrypto\",``\"KeyUsageMicrosoftCommercialCodeSigning\", \"KeyUsageMicrosoftKernelCodeSigning\"]`",
+    "introduced": "edge",
+    "result": {
+      "description": "array of `[valid, certs]`: if the input certificate chain could be verified then `valid` is `true` and `certs` is an array of X.509 certificates represented as objects; if the input certificate chain could not be verified then `valid` is `false` and `certs` is `[]`",
+      "name": "output",
+      "type": "array\u003cboolean, array[object[string: any]]\u003e"
+    },
+    "wasm": false
+  },
   "crypto.x509.parse_certificate_request": {
     "args": [
       {

capabilities.json

@@ -757,6 +757,64 @@
         "type": "function"
       }
     },
+    {
+      "name": "crypto.x509.parse_and_verify_certificates_with_options",
+      "decl": {
+        "args": [
+          {
+            "type": "string"
+          },
+          {
+            "dynamic": {
+              "key": {
+                "type": "any"
+              },
+              "value": {
+                "of": [
+                  {
+                    "type": "number"
+                  },
+                  {
+                    "type": "string"
+                  },
+                  {
+                    "of": {
+                      "type": "any"
+                    },
+                    "type": "set"
+                  }
+                ],
+                "type": "any"
+              }
+            },
+            "type": "object"
+          }
+        ],
+        "result": {
+          "static": [
+            {
+              "type": "boolean"
+            },
+            {
+              "dynamic": {
+                "dynamic": {
+                  "key": {
+                    "type": "string"
+                  },
+                  "value": {
+                    "type": "any"
+                  }
+                },
+                "type": "object"
+              },
+              "type": "array"
+            }
+          ],
+          "type": "array"
+        },
+        "type": "function"
+      }
+    },
     {
       "name": "crypto.x509.parse_certificate_request",
       "decl": {

topdown/crypto.go

@@ -21,6 +21,7 @@ import (
 	"hash"
 	"os"
 	"strings"
+	"time"
 
 	"github.com/open-policy-agent/opa/internal/jwx/jwk"
 
@@ -104,7 +105,7 @@ func builtinCryptoX509ParseAndVerifyCertificates(_ BuiltinContext, operands []*a
 		return iter(invalid)
 	}
 
-	verified, err := verifyX509CertificateChain(certs)
+	verified, err := verifyX509CertificateChain(certs, x509.VerifyOptions{})
 	if err != nil {
 		return iter(invalid)
 	}
@@ -122,6 +123,130 @@ func builtinCryptoX509ParseAndVerifyCertificates(_ BuiltinContext, operands []*a
 	return iter(valid)
 }
 
+var allowedKeyUsages = map[string]x509.ExtKeyUsage{
+	"KeyUsageAny":                            x509.ExtKeyUsageAny,
+	"KeyUsageServerAuth":                     x509.ExtKeyUsageServerAuth,
+	"KeyUsageClientAuth":                     x509.ExtKeyUsageClientAuth,
+	"KeyUsageCodeSigning":                    x509.ExtKeyUsageCodeSigning,
+	"KeyUsageEmailProtection":                x509.ExtKeyUsageEmailProtection,
+	"KeyUsageIPSECEndSystem":                 x509.ExtKeyUsageIPSECEndSystem,
+	"KeyUsageIPSECTunnel":                    x509.ExtKeyUsageIPSECTunnel,
+	"KeyUsageIPSECUser":                      x509.ExtKeyUsageIPSECUser,
+	"KeyUsageTimeStamping":                   x509.ExtKeyUsageTimeStamping,
+	"KeyUsageOCSPSigning":                    x509.ExtKeyUsageOCSPSigning,
+	"KeyUsageMicrosoftServerGatedCrypto":     x509.ExtKeyUsageMicrosoftServerGatedCrypto,
+	"KeyUsageNetscapeServerGatedCrypto":      x509.ExtKeyUsageNetscapeServerGatedCrypto,
+	"KeyUsageMicrosoftCommercialCodeSigning": x509.ExtKeyUsageMicrosoftCommercialCodeSigning,
+	"KeyUsageMicrosoftKernelCodeSigning":     x509.ExtKeyUsageMicrosoftKernelCodeSigning,
+}
+
+func builtinCryptoX509ParseAndVerifyCertificatesWithOptions(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error {
+
+	input, err := builtins.StringOperand(operands[0].Value, 1)
+	if err != nil {
+		return err
+	}
+	options, err := builtins.ObjectOperand(operands[1].Value, 2)
+	if err != nil {
+		return err
+	}
+
+	invalid := ast.ArrayTerm(
+		ast.BooleanTerm(false),
+		ast.NewTerm(ast.NewArray()),
+	)
+
+	certs, err := getX509CertsFromString(string(input))
+	if err != nil {
+		return iter(invalid)
+	}
+
+	// Collect the cert verification options
+	verifyOpt, err := extractVerifyOpts(options)
+	if err != nil {
+		return err
+	}
+
+	verified, err := verifyX509CertificateChain(certs, verifyOpt)
+	if err != nil {
+		return iter(invalid)
+	}
+
+	value, err := ast.InterfaceToValue(verified)
+	if err != nil {
+		return err
+	}
+
+	valid := ast.ArrayTerm(
+		ast.BooleanTerm(true),
+		ast.NewTerm(value),
+	)
+
+	return iter(valid)
+}
+
+func extractVerifyOpts(options ast.Object) (verifyOpt x509.VerifyOptions, err error) {
+
+	for _, key := range options.Keys() {
+		switch key.String() {
+		case "\"DNSName\"":
+			dns, ok := options.Get(key).Value.(ast.String)
+			if ok {
+				verifyOpt.DNSName = dns.String()[1 : len(dns.String())-1]
+			} else {
+				return verifyOpt, fmt.Errorf("'DNSName' should be a string")
+			}
+		case "\"CurrentTime\"":
+			c, ok := options.Get(key).Value.(ast.Number)
+			if ok {
+				nanosecs, ok := c.Int64()
+				if ok {
+					verifyOpt.CurrentTime = time.Unix(0, nanosecs)
+				} else {
+					return verifyOpt, fmt.Errorf("'CurrentTime' should be a valid int64 number")
+				}
+			} else {
+				return verifyOpt, fmt.Errorf("'CurrentTime' should be a number")
+			}
+		case "\"MaxConstraintComparisons\"":
+			c, ok := options.Get(key).Value.(ast.Number)
+			if ok {
+				maxComparisons, ok := c.Int()
+				if ok {
+					verifyOpt.MaxConstraintComparisions = maxComparisons
+				} else {
+					return verifyOpt, fmt.Errorf("'MaxConstraintComparisons' should be a valid number")
+				}
+			} else {
+				return verifyOpt, fmt.Errorf("'MaxConstraintComparisons' should be a number")
+			}
+		case "\"KeyUsages\"":
+			ks, ok := options.Get(key).Value.(ast.Set)
+			if ok {
+				// Collect the x509.ExtKeyUsage values by looking up the
+				// mapping of key usage strings to x509.ExtKeyUsage
+				ks.Foreach(func(t *ast.Term) {
+					u, ok := t.Value.(ast.String)
+					if ok {
+						c := u.String()[1 : len(u.String())-1]
+						if t, ok := allowedKeyUsages[c]; ok {
+							verifyOpt.KeyUsages = append(verifyOpt.KeyUsages, t)
+						}
+					}
+				})
+
+			} else {
+				return verifyOpt, fmt.Errorf("'KeyUsages' should be a set")
+			}
+		default:
+			return verifyOpt, fmt.Errorf("invalid key option")
+		}
+
+	}
+
+	return verifyOpt, nil
+}
+
 func builtinCryptoX509ParseKeyPair(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error {
 	certificate, err := builtins.StringOperand(operands[0].Value, 1)
 	if err != nil {
@@ -380,6 +505,7 @@ func builtinCryptoHmacEqual(_ BuiltinContext, operands []*ast.Term, iter func(*a
 func init() {
 	RegisterBuiltinFunc(ast.CryptoX509ParseCertificates.Name, builtinCryptoX509ParseCertificates)
 	RegisterBuiltinFunc(ast.CryptoX509ParseAndVerifyCertificates.Name, builtinCryptoX509ParseAndVerifyCertificates)
+	RegisterBuiltinFunc(ast.CryptoX509ParseAndVerifyCertificatesWithOptions.Name, builtinCryptoX509ParseAndVerifyCertificatesWithOptions)
 	RegisterBuiltinFunc(ast.CryptoMd5.Name, builtinCryptoMd5)
 	RegisterBuiltinFunc(ast.CryptoSha1.Name, builtinCryptoSha1)
 	RegisterBuiltinFunc(ast.CryptoSha256.Name, builtinCryptoSha256)
@@ -394,7 +520,7 @@ func init() {
 	RegisterBuiltinFunc(ast.CryptoHmacEqual.Name, builtinCryptoHmacEqual)
 }
 
-func verifyX509CertificateChain(certs []*x509.Certificate) ([]*x509.Certificate, error) {
+func verifyX509CertificateChain(certs []*x509.Certificate, vo x509.VerifyOptions) ([]*x509.Certificate, error) {
 	if len(certs) < 2 {
 		return nil, builtins.NewOperandErr(1, "must supply at least two certificates to be able to verify")
 	}
@@ -414,8 +540,12 @@ func verifyX509CertificateChain(certs []*x509.Certificate) ([]*x509.Certificate,
 
 	// verify the cert chain back to the root
 	verifyOpts := x509.VerifyOptions{
-		Roots:         roots,
-		Intermediates: intermediates,
+		Roots:                     roots,
+		Intermediates:             intermediates,
+		DNSName:                   vo.DNSName,
+		CurrentTime:               vo.CurrentTime,
+		KeyUsages:                 vo.KeyUsages,
+		MaxConstraintComparisions: vo.MaxConstraintComparisions,
 	}
 	chains, err := leaf.Verify(verifyOpts)
 	if err != nil {