Update lscert hostname validation behavior

Update hostname validation logic to ignore the result if a leaf certificate is not present in the given certificate chain OR if the `dns-name` flag was not used. Add a slight addendum/note explaining what is needed (if a leaf cert is present) or that the check is unsupported (if no leaf cert is present). Add new functions to the `internal/certs` package to quickly answer whether any certificate of the specified type is present within a given certificate chain: - `HasLeafCert` - `HasIntermediateCert` - `HasRootCert` refs GH-952
atc0005 · Oct 4, 2024 · b0da4ac · b0da4ac
1 parent 18d4497
commit b0da4ac
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 2 deletions.
diff --git a/cmd/lscert/main.go b/cmd/lscert/main.go
@@ -230,14 +230,15 @@ func main() {
 		)
 	}
 
+	hasLeafCert := certs.HasLeafCert(certChain)
 	hostnameValidationResult := certs.ValidateHostname(
 		certChain,
 		cfg.Server,
 		cfg.DNSName,
 		config.IgnoreHostnameVerificationFailureIfEmptySANsListFlag,
 		certs.CertChainValidationOptions{
 			IgnoreHostnameVerificationFailureIfEmptySANsList: cfg.IgnoreHostnameVerificationFailureIfEmptySANsList,
-			IgnoreValidationResultHostname:                   !cfg.ApplyCertHostnameValidationResults(),
+			IgnoreValidationResultHostname:                   !hasLeafCert || cfg.DNSName == "",
 		},
 	)
 
@@ -259,10 +260,21 @@ func main() {
 			Msgf("%s validation ignored", hostnameValidationResult.CheckName())
 
 		fmt.Printf(
-			"- %s: %s %s\n",
+			"- %s: %s %s%s\n",
 			hostnameValidationResult.ServiceState().Label,
 			hostnameValidationResult.Status(),
 			hostnameValidationResult.Overview(),
+			func() string {
+				switch {
+				case hasLeafCert:
+					return fmt.Sprintf(
+						"(use %q flag to force evaluation)",
+						config.DNSNameFlagLong,
+					)
+				default:
+					return "(not supported for this cert type)"
+				}
+			}(),
 		)
 
 	default:

diff --git a/internal/certs/certs.go b/internal/certs/certs.go
@@ -616,6 +616,43 @@ func IsExpiringCert(cert *x509.Certificate, ageCritical time.Time, ageWarning ti
 
 }
 
+// HasLeafCert receives a slice of x509 certificates and indicates whether
+// any of the certificates in the chain are a leaf certificate.
+func HasLeafCert(certChain []*x509.Certificate) bool {
+	for _, cert := range certChain {
+		if IsLeafCert(cert, certChain) {
+			return true
+		}
+	}
+
+	return false
+}
+
+// HasIntermediateCert receives a slice of x509 certificates and indicates
+// whether any of the certificates in the chain are an intermediate
+// certificate.
+func HasIntermediateCert(certChain []*x509.Certificate) bool {
+	for _, cert := range certChain {
+		if IsIntermediateCert(cert, certChain) {
+			return true
+		}
+	}
+
+	return false
+}
+
+// HasRootCert receives a slice of x509 certificates and indicates whether any
+// of the certificates in the chain are a root certificate.
+func HasRootCert(certChain []*x509.Certificate) bool {
+	for _, cert := range certChain {
+		if IsRootCert(cert, certChain) {
+			return true
+		}
+	}
+
+	return false
+}
+
 // HasExpiredCert receives a slice of x509 certificates and indicates whether
 // any of the certificates in the chain have expired.
 func HasExpiredCert(certChain []*x509.Certificate) bool {