Fix bug where only a single child certificate chain for a root was

used.

bin/chain.py

@@ -154,6 +154,14 @@ def get_certs():
                         invalid[sha256] = x
                         continue
 
+                    if (trust_bits != TrustBits.NONE and
+                       TrustBits.SERVER_AUTHENTICATION not in trust_bits):
+                        x = 'Intermediate with no %s: %s' % \
+                            (TrustBits.SERVER_AUTHENTICATION.name, sha256)
+                        if args.debug > 1:
+                            print(x, file=sys.stderr)
+                        continue
+
                     intermediates.append(sha256)
                     parents[parent_sha256].append(sha256)
 
@@ -174,23 +182,24 @@ def get_certs():
 
 
 def get_cert_chains(roots, intermediates, parents):
-    chains = {}
+    chains = defaultdict(list)
 
-    for k in roots:
-        if k not in parents:
+    for root in roots:
+        if root not in parents:
             if args.debug:
-                print('Root with no child %s' % k,
+                print('Root with no child %s' % root,
                       file=sys.stderr)
             continue
 
-        for child in parents[k]:
-            chain = [k]
+        for child in parents[root]:
+            chain = []
             follow(chain, child, parents)
+            chainlen = len(chain)
             if args.debug > 1:
-                print('chain[%d]:' % len(chain),
+                print('chain[%d]:' % chainlen,
                       pprint.pformat(chain), file=sys.stderr)
 
-        chains[chain[0]] = chain
+            chains[root].append(chain)
 
     return chains
 
@@ -250,9 +259,10 @@ async def get_panos_intermediates(certs, chains, invalid, warning):
                     total += 1
                     if sha256 in chains:
                         intermediates[row['filename']] = [(ROOT, sha256)]
-                        for x in chains[sha256][1:]:
-                            intermediates[row['filename']].append(
-                                (INTERMEDIATE, x))
+                        for chain in chains[sha256]:
+                            for x in chain:
+                                intermediates[row['filename']].append(
+                                    (INTERMEDIATE, x))
                     elif args.verbose:
                         x = '%s %s' % (row['filename'], 'intermediates 0')
                         if sha256 in not_in_common_store:

doc/admin-guide.rst

@@ -528,9 +528,9 @@ also download the root CA certificates.
 
    $ bin/chain.py --ccadb tmp/AllCertificateRecordsReport.csv --fingerprints tmp/cert-fingerprints.csv \
    > --certs tmp/certificates.tgz 2>tmp/stderr.txt
-   20 invalid certificates found
-   205 intermediate chains found for 273 root CAs
-   All 205 certificate chains were downloaded successfully
+   21 invalid certificates found
+   182 intermediate chains found for 272 root CAs
+   All 182 certificate chains were downloaded successfully
 
    $ echo $?
    0
@@ -563,7 +563,17 @@ For example:
 
    $ tar tzf tmp/certificates.tgz 0555_Certum_Trusted_Root_CA
    0555_Certum_Trusted_Root_CA/root/FE7696573855773E37A95E7AD4D9CC96C30157C15D31765BA9B15704E1AE78FD.crt
+   0555_Certum_Trusted_Root_CA/intermediate/83C0A5A76844C840DFAF820FFD02ADF6573A26823EF6AF758A3384A0AC044083.crt
    0555_Certum_Trusted_Root_CA/intermediate/1C4EEA3A47ABD122568EAB547E06B52111F7F388662C246C8ECBE2660B9F26F1.crt
+   0555_Certum_Trusted_Root_CA/intermediate/4736F1ECF26A043CB4D8F94DA8302EA9E45F3D311048F3A400D01AEED1E99444.crt
+   0555_Certum_Trusted_Root_CA/intermediate/F54CE21EA0F79548F1201A619049CA15F065E49A69F26FB9CF1282C7EECF9C4C.crt
+   0555_Certum_Trusted_Root_CA/intermediate/EF3653AC5056AA4C6EF72AA922F43DAF750CA901AD1198FEA1B81E0D10B51E0A.crt
+   0555_Certum_Trusted_Root_CA/intermediate/43EDFB2C7C93E63D6566D240EB9C69CFF5C0D5C996C4AC9BCC9CE75828C3B9BE.crt
+   0555_Certum_Trusted_Root_CA/intermediate/AA0C4B7801B09FB77E423C91331EFB62A5A2A8B23A9D7C997E6A9BEEA435D2BF.crt
+   0555_Certum_Trusted_Root_CA/intermediate/B5C87A0B2239DAFE0A5285E340626269ACA5E90F57492C38E9050CA5D18BC21A.crt
+   0555_Certum_Trusted_Root_CA/intermediate/509ABBB92864C2C44D7CBC466B63950E350165EE772A3037AE8168E92226A46F.crt
+   0555_Certum_Trusted_Root_CA/intermediate/D79F1F0C8141804B39D04B2592D57AFEBE74F9460654AFF491490DBB7C5A2D74.crt
+   0555_Certum_Trusted_Root_CA/intermediate/B5D46DC027130E5CED3BE5083EB34028DD9230F4D5A36AD1924D21C0EF984CBA.crt
 
 guard.py
 ~~~~~~~~