Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update lscert hostname validation behavior #977

Merged
merged 1 commit into from
Oct 4, 2024
Merged

Update lscert hostname validation behavior #977

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 14 additions & 2 deletions cmd/lscert/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -230,14 +230,15 @@ func main() {
)
}

hasLeafCert := certs.HasLeafCert(certChain)
hostnameValidationResult := certs.ValidateHostname(
certChain,
cfg.Server,
cfg.DNSName,
config.IgnoreHostnameVerificationFailureIfEmptySANsListFlag,
certs.CertChainValidationOptions{
IgnoreHostnameVerificationFailureIfEmptySANsList: cfg.IgnoreHostnameVerificationFailureIfEmptySANsList,
IgnoreValidationResultHostname: !cfg.ApplyCertHostnameValidationResults(),
IgnoreValidationResultHostname: !hasLeafCert || cfg.DNSName == "",
},
)

Expand All @@ -259,10 +260,21 @@ func main() {
Msgf("%s validation ignored", hostnameValidationResult.CheckName())

fmt.Printf(
"- %s: %s %s\n",
"- %s: %s %s%s\n",
hostnameValidationResult.ServiceState().Label,
hostnameValidationResult.Status(),
hostnameValidationResult.Overview(),
func() string {
switch {
case hasLeafCert:
return fmt.Sprintf(
"(use %q flag to force evaluation)",
config.DNSNameFlagLong,
)
default:
return "(not supported for this cert type)"
}
}(),
)

default:
Expand Down
37 changes: 37 additions & 0 deletions internal/certs/certs.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -616,6 +616,43 @@ func IsExpiringCert(cert *x509.Certificate, ageCritical time.Time, ageWarning ti

}

// HasLeafCert receives a slice of x509 certificates and indicates whether
// any of the certificates in the chain are a leaf certificate.
func HasLeafCert(certChain []*x509.Certificate) bool {
for _, cert := range certChain {
if IsLeafCert(cert, certChain) {
return true
}
}

return false
}

// HasIntermediateCert receives a slice of x509 certificates and indicates
// whether any of the certificates in the chain are an intermediate
// certificate.
func HasIntermediateCert(certChain []*x509.Certificate) bool {
for _, cert := range certChain {
if IsIntermediateCert(cert, certChain) {
return true
}
}

return false
}

// HasRootCert receives a slice of x509 certificates and indicates whether any
// of the certificates in the chain are a root certificate.
func HasRootCert(certChain []*x509.Certificate) bool {
for _, cert := range certChain {
if IsRootCert(cert, certChain) {
return true
}
}

return false
}

// HasExpiredCert receives a slice of x509 certificates and indicates whether
// any of the certificates in the chain have expired.
func HasExpiredCert(certChain []*x509.Certificate) bool {
Expand Down
Loading