Initial implementation of chain order validation #1183
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
OVERVIEW
This set of changes applies to both the `check_cert` plugin and the
`lscert` CLI tool. While the primary focus is adding a prototype
implementation of "chain order" validation logic, other ergonomic and
display changes have been applied to the `lscert` tool. Some of those
changes are likely to be refined further in near future releases as
additional validation checks are applied.
CHANGES
- update `check_cert` plugin
- add new `Chain Order` validation type
- assert that leaf certificate is first in chain, followed by the
intermediate which signed it, a potential second intermediate
which signed the former and so on
- current implementation objects to a single leaf cert in a chain,
though this behavior may be moved to a separate validation check
specific to intermediates
- current implementation notes the presence of a root certificate
and cautions that some platforms will object to this, though
this behavior may be moved to a separate validation check in the
future
- offers advice for replacing a certificate chain when specific CA
vendors are matched
- currently only Sectigo/InCommon is supported, though the plan
is to support multiple CAs once further feedback is gathered
- add new performance data metrics
- `certs_ordered`
- `certs_misordered`
- extend tests to cover new validation type
- update `lscert`
- incorporate new validation check
- rework summary display to use emoji status indicators
(pass/neutral/warn/crit)
- rename headers to emphasize "cert chain" over just "certs"
- incorporate the same "advice" output that the `check_cert` plugin
now emits for `Chain Order` validation problems
CREDIT
The following LLM sources were used for inspiration or starting code
samples for some of the included changes:
- ChatGPT, OpenAI
- Google Gemini
- Claude (Anthropic AI assistant)
In particular, I used all of these sources for assistance with logic
for certificate chain ordering, signature validation and misc other
tasks. While none provided solutions I could use as-is, all were
helpful in pointing me in the right direction when I needed it.
REFERENCES
- GH-1004
- GH-364
- GH-365
- GH-219
atc0005
added
documentation
atc0005
deleted the
i1004-add-support-for-misordered-chain-validation
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
This set of changes applies to both the
check_certplugin and thelscertCLI tool. While the primary focus is adding a prototype implementation of "chain order" validation logic, other ergonomic and display changes have been applied to thelscerttool. Some of those changes are likely to be refined further in near future releases as additional validation checks are applied.Changes
check_certpluginChain Ordervalidation typecerts_orderedcerts_misorderedlscertcheck_certplugin now emits forChain Ordervalidation problemsCredit
The following LLM sources were used for inspiration or starting code samples for some of the included changes:
In particular, I used all of these sources for assistance with logic for certificate chain ordering, signature validation and misc other tasks. While none provided solutions I could use as-is, all were helpful in pointing me in the right direction when I needed it.
References
Intermediatesvalidation check option #364Rootvalidation check option #365