ct-fetch should verify certs #35

Open

jcjones opened this issue May 4, 2020 · 0 comments

Comments

jcjones commented May 4, 2020

Around these lines:

```go
// Chain[0] is the issuer the log supplied; without it there is nothing to check.
if len(ep.LogEntry.Chain) < 1 {
	glog.Warningf("[%s] No issuer known for certificate precert=%v index=%d serial=%s subject=%+v issuer=%+v",
		ep.LogURL, precert, ep.LogEntry.Index, storage.NewSerial(cert).String(), cert.Subject, cert.Issuer)
	continue
}
// The issuer is only parsed here; its signature over cert is never verified.
issuingCert, err := x509.ParseCertificate(ep.LogEntry.Chain[0].Data)
if err != nil {
	glog.Errorf("[%s] Problem decoding issuing certificate: index: %d error: %s", ep.LogURL, ep.LogEntry.Index, err)
	continue
}
metrics.MeasureSince([]string{"insertCTWorker", "ParseCertificates"}, parseTime)
```

ct-fetch should verify that the certificate was signed by its issuer, to ensure it's a real certificate. This is important in the event that a CT log is coerced to log an invalid certificate.

If the certificate is valid but from an unknown issuer, tools can more readily handle that via whitelisting. But it's much better to ensure that we never log certificates that are actively themselves fraudulent.
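The check the issue describes, written as an added example rather than code from ct-fetch itself: parse the logged certificate and `Chain[0]`, confirm the names line up, then let `CheckSignatureFrom` verify the signature with the issuer's key. The CA, the genuine leaf and the wrong-key leaf are all constructed in the block with `crypto/x509`; none of them comes from a real log, and the `verifyIssued`, `issueLeaf` and `Demo` names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// verifyIssued: given the DER of a logged certificate and the DER of chain[0],
// confirm the certificate carries a signature made with that issuer's key.
// A matching Issuer name alone proves nothing; only the signature does.
func verifyIssued(certDER, issuerDER []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	issuer, err := x509.ParseCertificate(issuerDER)
	if err != nil {
		return fmt.Errorf("parse issuing certificate: %w", err)
	}
	if cert.Issuer.String() != issuer.Subject.String() {
		return errors.New("issuer name does not match chain[0] subject")
	}
	// Verifies the signature over the TBSCertificate with the issuer's public
	// key and refuses an issuer whose certificate is not marked as a CA.
	if err := cert.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("signature check failed: %w", err)
	}
	return nil
}

// --- constructed test data; nothing below comes from a real CT log ---

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func template(serial int64, cn string, isCA bool) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku = x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              ku,
	}
}

// makeCA returns a self-signed CA certificate (DER) and its private key.
func makeCA(cn string) ([]byte, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := template(1, cn, true)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der, key
}

// issueLeaf returns a leaf (DER) whose Issuer field names issuerCN but which is
// signed with signerKey. With the CA's own key this is a genuine certificate;
// with any other key it is the case the check must reject: a certificate that
// merely claims the issuer's name.
func issueLeaf(issuerCN string, signerKey *ecdsa.PrivateKey) []byte {
	leafKey := newKey()
	// The parent template carries only the issuer name, so CreateCertificate has
	// no parent public key to compare signerKey against.
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}}
	der, err := x509.CreateCertificate(rand.Reader, template(2, "leaf.example.test", false),
		parent, &leafKey.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	return der
}

// Demo runs the check on a genuine leaf and on one signed with the wrong key.
func Demo() (genuineErr, forgedErr error) {
	caDER, caKey := makeCA("Constructed Test CA")
	genuine := issueLeaf("Constructed Test CA", caKey)
	wrongKey := issueLeaf("Constructed Test CA", newKey())
	return verifyIssued(genuine, caDER), verifyIssued(wrongKey, caDER)
}

func main() {
	g, f := Demo()
	fmt.Println("genuine leaf:", g)
	fmt.Println("wrong-key leaf:", f)
}
```

In the fetch loop this would sit right after `x509.ParseCertificate(ep.LogEntry.Chain[0].Data)`, with a failed check logged and the entry skipped the same way a parse error is. `CheckSignatureFrom` only proves the issuer signed the leaf; whether that issuer is trusted is the separate whitelisting question the issue leaves to downstream tools.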
