Add support for detecting misordered certificate chain entries #202
Comments
atc0005
added
documentation
OVERVIEW
Add support for generating a certificate metadata payload in JSON
format from a specified metadata payload format version.
Add support for support for decoding a given (valid) certificate
metadata payload. The format is automatically detected from a list of
valid format versions.
The intent is to support all stable format versions indefinitely.
As of this commit / PR, format 0 is still under active development.
This format version is an "unstable" metadata format and is not
covered by this goal; format version 0 is subject to change often as
development continues. Format version 1 is implemented at this time as
a stub version for testing purposes; once stable the plan is to
promote version 0 content as the initial version 1.
CHANGES
Primary changes:
- add support for generating a JSON payload from a specified metadata
payload format version
- this can be generated by calling the `Encode` function from a
specific format version or by calling the top-level `Encode`
function and specifying a valid format version number (e.g., `0`
or `1`)
- add support for decoding a given (valid) certificate metadata
payload
- the intent is to support decoding any given payload matching the
set of supported format versions (e.g., `0`, `1`)
- the caller provides an instance of a specific format version of
the certificate metadata payload and the `Decode` function for
that format version is used
- once a format version is stable, the intent is to support creating
and decoding it using this library indefinitely
- this should allow the sysadmin using the `check_cert` plugin to
specify what version of the payload format they wish to create
- this should allow the sysadmin using a reporting tool to consume
a certificate metadata payload generated by the `check_cert`
plugin in the same fixed version as the one they asked the
`check_cert` plugin to create
- this process should continue to work as-is until the sysadmin
decides to explicitly change the certificate metadata payload
format version they're working with; updating this dependency
should not break payload generation or consumption
Other changes:
- add identification of misordered certificate chains
- add example "test" to illustrate library usage
- initial example uses format 0; the plan is to update the example
once format 1 is released/stable
- documentation updates
- general refactoring work
REFERENCES
- #19
- #31
- #46
- atc0005/check-cert#1004
OVERVIEW
Add support for generating a certificate metadata payload in JSON
format from a specified metadata payload format version.
Add support for support for decoding a given (valid) certificate
metadata payload. The format is automatically detected from a list of
valid format versions.
The intent is to support all stable format versions indefinitely.
As of this commit / PR, format 0 is still under active development.
This format version is an "unstable" metadata format and is not
covered by this goal; format version 0 is subject to change often as
development continues. Format version 1 is implemented at this time as
a stub version for testing purposes; once stable the plan is to
promote version 0 content as the initial version 1.
CHANGES
Primary changes:
- add support for generating a JSON payload from a specified metadata
payload format version
- this can be generated by calling the `Encode` function from a
specific format version or by calling the top-level `Encode`
function and specifying a valid format version number (e.g., `0`
or `1`)
- add support for decoding a given (valid) certificate metadata
payload
- the intent is to support decoding any given payload matching the
set of supported format versions (e.g., `0`, `1`)
- the caller provides an instance of a specific format version of
the certificate metadata payload and the `Decode` function for
that format version is used
- once a format version is stable, the intent is to support creating
and decoding it using this library indefinitely
- this should allow the sysadmin using the `check_cert` plugin to
specify what version of the payload format they wish to create
- this should allow the sysadmin using a reporting tool to consume
a certificate metadata payload generated by the `check_cert`
plugin in the same fixed version as the one they asked the
`check_cert` plugin to create
- this process should continue to work as-is until the sysadmin
decides to explicitly change the certificate metadata payload
format version they're working with; updating this dependency
should not break payload generation or consumption
Other changes:
- add identification of misordered certificate chains
- add example "test" to illustrate library usage
- initial example uses format 0; the plan is to update the example
once format 1 is released/stable
- documentation updates
- general refactoring work
REFERENCES
- #19
- #31
- #46
- atc0005/check-cert#1004
OVERVIEW
Add support for generating a certificate metadata payload in JSON
format from a specified metadata payload format version.
Add support for support for decoding a given (valid) certificate
metadata payload. The format is automatically detected from a list of
valid format versions.
The intent is to support all stable format versions indefinitely.
As of this commit / PR, format 0 is still under active development.
This format version is an "unstable" metadata format and is not
covered by this goal; format version 0 is subject to change often as
development continues. Format version 1 is implemented at this time as
a stub version for testing purposes; once stable the plan is to
promote version 0 content as the initial version 1.
CHANGES
Primary changes:
- add support for generating a JSON payload from a specified metadata
payload format version
- this can be generated by calling the `Encode` function from a
specific format version or by calling the top-level `Encode`
function and specifying a valid format version number (e.g., `0`
or `1`)
- add support for decoding a given (valid) certificate metadata
payload
- the intent is to support decoding any given payload matching the
set of supported format versions (e.g., `0`, `1`)
- the caller provides an instance of a specific format version of
the certificate metadata payload and the `Decode` function for
that format version is used
- once a format version is stable, the intent is to support creating
and decoding it using this library indefinitely
- this should allow the sysadmin using the `check_cert` plugin to
specify what version of the payload format they wish to create
- this should allow the sysadmin using a reporting tool to consume
a certificate metadata payload generated by the `check_cert`
plugin in the same fixed version as the one they asked the
`check_cert` plugin to create
- this process should continue to work as-is until the sysadmin
decides to explicitly change the certificate metadata payload
format version they're working with; updating this dependency
should not break payload generation or consumption
Other changes:
- add identification of misordered certificate chains
- add example "test" to illustrate library usage
- initial example uses format 0; the plan is to update the example
once format 1 is released/stable
- documentation updates
- general refactoring work
REFERENCES
- #19
- #31
- #46
- atc0005/check-cert#1004
|
Question: what happens if there is only one cert in the chain? |
Opted to handle this as an error condition for this validation check. While it probably should be handled by a separate validation check, I think adding it here first can be helpful. Currently I'm treating an incomplete cert chain (of length 1) as CRITICAL state with a misordered cert chain as WARNING state. The thinking is that most modern browsers will handle reordering a cert chain without much complaint while some modern clients will object to just a leaf cert present in a cert chain. Between the two problems, a cert chain of just a leaf seems like it would have the biggest impact on users and so would warrant the strongest non-OK state rating. |
|
This may need to be tracked by a GH issue of its own, but this came up in a conversation today:
This was from a follow-up conversation about the topic of sysadmins unintentionally installing the wrong intermediates bundle from Sectigo (InCommon). In that earlier discussion I shared these guidelines for use when selecting certificate download links from "InCommon SSL certificate" notifications from Sectigo:
In the conversation today I responded with (snippet):
The logic used to provide this advice could be extended to match intermediates used by other common certificate vendors and provide remediation advice for those as well. |
|
While working on #123 (and intentionally testing against a chain with the wrong intermediates bundle and an intentionally wrong intermediates from another CA), I realized that it may be worth combining this validation check with an intermediates validation check. As a sysadmin, I'd first want to know if invalid intermediates are included, then missing intermediates and finally if the intermediates are present, but in the wrong order. As things stand, the misordered check results will be displayed alongside check results for either missing or invalid intermediates. Coming at this with fresh eyes, I don't know if it's helpful to see both of those "needs to be fixed" items listed. Instead, a sysadmin should update/replace the chain to remove invalid certificates or add missing intermediates. Then, if the chain is misordered that should be listed as the ordering may change significantly when the chain is fixed/replaced. Still tinkering, trying to decide the best way to handle this. |
Additionally, the "misordered" validation results are likely to be wrong if the "misordered" detection logic doesn't exclude invalid certificates and first ensure that all intermediates are present. For example, with the cert chain that I intentionally inserted a wrong cert and used an old intermediates bundle from the CA we ended up with this in the chain: Position 0 (not shown) being the leaf cert. After we have the modified "recommendation" logic exclude invalid certs, this is what it recommends: Those two remaining certs are technically correct & ordered properly, but we're missing the issuer for the leaf certificate. We could modify the logic to just drop remaining unlinked elements from the chain, but then we'd just be recommending the leaf cert. Maybe that really is good advice whenever invalid certs are present and there are not enough certs available to construct a full chain, but it feels disjointed. Instead, folding the logic into a single flow (assert no invalid, assert no missing, asserting not misordered) seems like the most reliable/maintainable approach. |
|
Loose thoughts as I continue trying to puzzle out next steps:
|
This is implicitly covered by the goal to provide certificate chain verification (#29), but is worth covering explicitly so it can be singled out as an item in a problems report.
See also:
The text was updated successfully, but these errors were encountered: