SPIFFEIDFromCert parses the SPIFFE ID from x509.Certificate. If the SPIFFE ID format is invalid, return nil with warning.
(cert *x509.Certificate)
| 43 | // SPIFFEIDFromCert parses the SPIFFE ID from x509.Certificate. If the SPIFFE |
| 44 | // ID format is invalid, return nil with warning. |
| 45 | func SPIFFEIDFromCert(cert *x509.Certificate) *url.URL { |
| 46 | if cert == nil || cert.URIs == nil { |
| 47 | return nil |
| 48 | } |
| 49 | var spiffeID *url.URL |
| 50 | for _, uri := range cert.URIs { |
| 51 | if uri == nil || uri.Scheme != "spiffe" || uri.Opaque != "" || (uri.User != nil && uri.User.Username() != "") { |
| 52 | continue |
| 53 | } |
| 54 | // From this point, we assume the uri is intended for a SPIFFE ID. |
| 55 | if len(uri.String()) > 2048 { |
| 56 | logger.Warning("invalid SPIFFE ID: total ID length larger than 2048 bytes") |
| 57 | return nil |
| 58 | } |
| 59 | if len(uri.Host) == 0 || len(uri.Path) == 0 { |
| 60 | logger.Warning("invalid SPIFFE ID: domain or workload ID is empty") |
| 61 | return nil |
| 62 | } |
| 63 | if len(uri.Host) > 255 { |
| 64 | logger.Warning("invalid SPIFFE ID: domain length larger than 255 characters") |
| 65 | return nil |
| 66 | } |
| 67 | // A valid SPIFFE certificate can only have exactly one URI SAN field. |
| 68 | if len(cert.URIs) > 1 { |
| 69 | logger.Warning("invalid SPIFFE ID: multiple URI SANs") |
| 70 | return nil |
| 71 | } |
| 72 | spiffeID = uri |
| 73 | } |
| 74 | return spiffeID |
| 75 | } |