Table Request: Certificate Trust Settings (macOS) #2060

Open
FritzX6 opened this issue Jan 23, 2025 · 2 comments

Comments

FritzX6 (Contributor) commented Jan 23, 2025

What is being requested?

A new table kolide_certificate_trust, which invokes the macOS security binary for both the system and the admin certs as described in the help text here:

security dump-trust-settings -h
Usage: dump-trust-settings [-s] [-d]
    -s                  Display trusted system certs (default is user)
    -d                  Display trusted admin certs (default is user)

These values roughly correspond to the trust settings displayed in the macOS Keychain Access app:

[two screenshots of the Keychain Access trust settings pane]

What is the purpose of this table?

Several products rely upon intermediate root certificates to inspect web traffic and provide VPN services. Without a properly installed and trusted root certificate, these products may not function as expected or intended.

Root Certificates can also be used in a similar capacity by a malicious actor to man-in-the-middle (MitM) attack a device and exfiltrate sensitive information and web traffic.

Understanding what root certificates are installed on a device (both desirable and undesirable) allows administrators to better assess its security and compliance posture.

What format does this binary output?

Output of each is a semi-structured format. An example of several different outputs is shown below:

System Certs (No Trust Settings)

security dump-trust-settings -d
Number of trusted certs = 1
Cert 0: SimpleMDM
   Number of trust settings : 0

System Certs (Trust Settings Enabled)

security dump-trust-settings -d
Number of trusted certs = 1
Cert 0: Example Root CA
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2C 72 48 86 D7 63 62 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot

Admin Certs

security dump-trust-settings -s
Number of trusted certs = 153
Cert 0: Go Daddy Root Certificate Authority - G2
   Number of trust settings : 0
Cert 1: HARICA TLS ECC Root CA 2021
   Number of trust settings : 0
Cert 2: NAVER Global Root Certification Authority
   Number of trust settings : 0
Cert 3: DigiCert TLS ECC P384 Root G5
   Number of trust settings : 0
Cert 4: Sectigo Public Time Stamping Root R46
   Number of trust settings : 0
Cert 5: OISTE WISeKey Global Root GA CA
   Number of trust settings : 0
Cert 6: Trustwave Global ECC P384 Certification Authority
   Number of trust settings : 0
Cert 7: Actalis Authentication Root CA
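
The following is an added example, not code from the issue, from kolide/launcher or from Apple: a Go parser for the `dump-trust-settings` layout shown above, plus the one check a table built on it needs to get right. `ParseTrustSettings`, `IsTrustedRoot` and the two types are names chosen here, and `sampleDump` is constructed input modelled on the issue's own `-d` examples. Two details the page's examples motivate are built in: the header's `Number of trusted certs` is compared with the number of `Cert N:` records actually read, so a cut-off dump like the 153-cert one above is reported as an error instead of being returned as a short list; and a certificate with `Number of trust settings : 0` (SimpleMDM above) is treated as fully trusted, because Apple's SecTrustSettingsCopyTrustSettings documentation defines an empty trust-settings array as "always trust this certificate".

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// TrustSetting is one "Trust Setting N:" record. PolicyOID stays empty when the
// dump prints no "Policy OID" line for it (Trust Setting 9 in the issue above).
type TrustSetting struct {
	PolicyOID, AllowedError, ResultType string
}

// TrustedCert is one "Cert N: <name>" record; its position in the slice is N.
type TrustedCert struct {
	Name     string
	Settings []TrustSetting
}

// ParseTrustSettings parses the text printed by `security dump-trust-settings`
// (-s, -d and the user default share the layout). The header's cert count is
// checked against what was read, so a truncated dump is an error, not a short list.
func ParseTrustSettings(out string) ([]TrustedCert, error) {
	var certs []TrustedCert
	var cur *TrustedCert // cert currently being filled in
	var err error
	declaredCerts := -1 // until the "Number of trusted certs" header is seen
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "":
		case strings.HasPrefix(line, "Number of trusted certs"):
			_, v, _ := strings.Cut(line, "=")
			if declaredCerts, err = strconv.Atoi(strings.TrimSpace(v)); err != nil {
				return nil, fmt.Errorf("bad header %q", line)
			}
		case strings.HasPrefix(line, "Cert "):
			_, name, _ := strings.Cut(line, ":")
			certs = append(certs, TrustedCert{Name: strings.TrimSpace(name)})
			cur = &certs[len(certs)-1]
		case cur == nil:
			return nil, fmt.Errorf("line before any cert: %q", line)
		default: // "key : value" and "Trust Setting N:" lines belong to the current cert
			key, val, _ := strings.Cut(line, ":")
			key, val = strings.TrimSpace(key), strings.TrimSpace(val)
			switch {
			case key == "Number of trust settings":
				// informational: the count is implied by the "Trust Setting N:" lines
			case strings.HasPrefix(key, "Trust Setting "):
				cur.Settings = append(cur.Settings, TrustSetting{})
			case len(cur.Settings) == 0:
				return nil, fmt.Errorf("field outside a trust setting: %q", line)
			case key == "Policy OID":
				cur.Settings[len(cur.Settings)-1].PolicyOID = val
			case key == "Allowed Error":
				cur.Settings[len(cur.Settings)-1].AllowedError = val
			case key == "Result Type":
				cur.Settings[len(cur.Settings)-1].ResultType = val
			default:
				return nil, fmt.Errorf("unknown field %q", line)
			}
		}
	}
	if declaredCerts != len(certs) {
		return nil, fmt.Errorf("header declares %d certs, parsed %d (no header or truncated output?)", declaredCerts, len(certs))
	}
	return certs, nil
}

// IsTrustedRoot reports whether the cert ends up trusted as a root. Apple's
// SecTrustSettingsCopyTrustSettings docs define an empty trust-settings array as
// "always trust this certificate", so zero settings means full trust, not none.
func IsTrustedRoot(c TrustedCert) bool {
	for _, s := range c.Settings {
		if s.ResultType == "kSecTrustSettingsResultTrustRoot" {
			return true
		}
	}
	return len(c.Settings) == 0
}

// sampleDump is constructed input in the layout the issue shows for -d; in real
// use pass the captured stdout of /usr/bin/security dump-trust-settings -d (or -s).
const sampleDump = `Number of trusted certs = 2
Cert 0: SimpleMDM
   Number of trust settings : 0
Cert 1: Example Root CA
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
`
```

There is deliberately no `main`: run the dump command twice, once with `-d` and once with `-s`, parse each capture separately and tag every row with the domain it came from, since trust settings are kept per domain and the same certificate can appear in both with different settings. A `Policy OID` the tool cannot name (the `Unknown OID length 9, value { ... }` form above) is kept verbatim rather than dropped, so it still shows up in the table.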

RebeccaMahany (Contributor) commented:

Quick implementation note -- we'll want to add /usr/bin/security to the allowedcmd package for this.

directionless (Contributor) commented:

I wonder if this is in the API anywhere. https://github.com/keybase/go-keychain
