From 18ae60dc0c6a666704f7b2171726e57fb0748622 Mon Sep 17 00:00:00 2001
From: Kevin Steves
Date: Mon, 7 Oct 2024 11:08:54 -0700
Subject: [PATCH] Fix bug where only a single child certificate chain for a root was used.

---
 bin/chain.py        | 32 +++++++++++++++++++++-----------
 doc/admin-guide.rst | 16 +++++++++++++---
 2 files changed, 34 insertions(+), 14 deletions(-)

diff --git a/bin/chain.py b/bin/chain.py
index 5681126..45cf593 100755
--- a/bin/chain.py
+++ b/bin/chain.py
@@ -154,6 +154,14 @@ def get_certs():
             invalid[sha256] = x
             continue
 
+        if (trust_bits != TrustBits.NONE and
+                TrustBits.SERVER_AUTHENTICATION not in trust_bits):
+            x = 'Intermediate with no %s: %s' % \
+                (TrustBits.SERVER_AUTHENTICATION.name, sha256)
+            if args.debug > 1:
+                print(x, file=sys.stderr)
+            continue
+
         intermediates.append(sha256)
         parents[parent_sha256].append(sha256)
 
@@ -174,23 +182,24 @@ def get_certs():
 
 
 def get_cert_chains(roots, intermediates, parents):
-    chains = {}
+    chains = defaultdict(list)
 
-    for k in roots:
-        if k not in parents:
+    for root in roots:
+        if root not in parents:
             if args.debug:
-                print('Root with no child %s' % k,
+                print('Root with no child %s' % root,
                       file=sys.stderr)
             continue
 
-        for child in parents[k]:
-            chain = [k]
+        for child in parents[root]:
+            chain = []
             follow(chain, child, parents)
+            chainlen = len(chain)
             if args.debug > 1:
-                print('chain[%d]:' % len(chain),
+                print('chain[%d]:' % chainlen,
                       pprint.pformat(chain), file=sys.stderr)
-            chains[chain[0]] = chain
+            chains[root].append(chain)
 
     return chains
 
 
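Review bot: The new trust-bits guard drops an intermediate without leaving any trace unless `args.debug > 1`, whereas the `invalid[sha256] = x` path a few lines above records its reason; the counts a user sees therefore shift (the admin guide in this same commit goes from 205 to 182 chains) with nothing in default output explaining why. Consider recording the skip the same way the invalid case does, e.g. `skipped[sha256] = x` in a dict the caller can count, or at least reporting it at `args.debug` level 1. A why-comment on the condition would also help the next reader: `# trust bits are set but exclude server auth, so this intermediate is not usable in a TLS server chain`. The enclosing loop and `get_certs` start and end outside the hunk, and how `trust_bits` is derived is not visible here.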
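Review bot: `get_cert_chains` now returns a `defaultdict(list)`, so any caller that indexes `chains[x]` for a root with no chain silently gets a fresh empty list instead of a `KeyError`; the only lookup in this patch is guarded by `if sha256 in chains`, but the leak is easy to hit later and `return dict(chains)` closes it at no cost. `chainlen` is assigned on every iteration yet read only inside the `args.debug > 1` branch, so `len(chain)` inline in the `print` reads cleaner. Whether `follow` appends every descendant or only one path per child is not visible here, so I cannot confirm the fix also covers branching below the first intermediate. `defaultdict` must be imported at module level; the import block is outside this hunk.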
@@ -250,9 +259,10 @@ async def get_panos_intermediates(certs, chains, invalid, warning):
         total += 1
         if sha256 in chains:
             intermediates[row['filename']] = [(ROOT, sha256)]
-            for x in chains[sha256][1:]:
-                intermediates[row['filename']].append(
-                    (INTERMEDIATE, x))
+            for chain in chains[sha256]:
+                for x in chain:
+                    intermediates[row['filename']].append(
+                        (INTERMEDIATE, x))
         elif args.verbose:
             x = '%s %s' % (row['filename'], 'intermediates 0')
             if sha256 in not_in_common_store:
diff --git a/doc/admin-guide.rst b/doc/admin-guide.rst
index c431fe9..693dcdb 100644
--- a/doc/admin-guide.rst
+++ b/doc/admin-guide.rst
@@ -528,9 +528,9 @@ also download the root CA certificates.
 
   $ bin/chain.py --ccadb tmp/AllCertificateRecordsReport.csv --fingerprints tmp/cert-fingerprints.csv \
   > --certs tmp/certificates.tgz 2>tmp/stderr.txt
-  20 invalid certificates found
-  205 intermediate chains found for 273 root CAs
-  All 205 certificate chains were downloaded successfully
+  21 invalid certificates found
+  182 intermediate chains found for 272 root CAs
+  All 182 certificate chains were downloaded successfully
   $ echo $?
   0
 
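Review bot: The nested loops append `(INTERMEDIATE, x)` for every certificate of every chain with no de-duplication; if `follow` (not visible here) can reach the same intermediate through more than one chain, the same tuple, and so the same file, would be emitted twice for one root. If that is possible, keep a `seen` set and skip repeats before appending; if it is not, the two loops collapse to one statement, `intermediates[row['filename']].extend((INTERMEDIATE, x) for chain in chains[sha256] for x in chain)`. `get_panos_intermediates` begins and ends outside the hunk.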
@@ -563,7 +563,17 @@ For example:
   $ tar tzf tmp/certificates.tgz
   0555_Certum_Trusted_Root_CA
   0555_Certum_Trusted_Root_CA/root/FE7696573855773E37A95E7AD4D9CC96C30157C15D31765BA9B15704E1AE78FD.crt
+  0555_Certum_Trusted_Root_CA/intermediate/83C0A5A76844C840DFAF820FFD02ADF6573A26823EF6AF758A3384A0AC044083.crt
   0555_Certum_Trusted_Root_CA/intermediate/1C4EEA3A47ABD122568EAB547E06B52111F7F388662C246C8ECBE2660B9F26F1.crt
+  0555_Certum_Trusted_Root_CA/intermediate/4736F1ECF26A043CB4D8F94DA8302EA9E45F3D311048F3A400D01AEED1E99444.crt
+  0555_Certum_Trusted_Root_CA/intermediate/F54CE21EA0F79548F1201A619049CA15F065E49A69F26FB9CF1282C7EECF9C4C.crt
+  0555_Certum_Trusted_Root_CA/intermediate/EF3653AC5056AA4C6EF72AA922F43DAF750CA901AD1198FEA1B81E0D10B51E0A.crt
+  0555_Certum_Trusted_Root_CA/intermediate/43EDFB2C7C93E63D6566D240EB9C69CFF5C0D5C996C4AC9BCC9CE75828C3B9BE.crt
+  0555_Certum_Trusted_Root_CA/intermediate/AA0C4B7801B09FB77E423C91331EFB62A5A2A8B23A9D7C997E6A9BEEA435D2BF.crt
+  0555_Certum_Trusted_Root_CA/intermediate/B5C87A0B2239DAFE0A5285E340626269ACA5E90F57492C38E9050CA5D18BC21A.crt
+  0555_Certum_Trusted_Root_CA/intermediate/509ABBB92864C2C44D7CBC466B63950E350165EE772A3037AE8168E92226A46F.crt
+  0555_Certum_Trusted_Root_CA/intermediate/D79F1F0C8141804B39D04B2592D57AFEBE74F9460654AFF491490DBB7C5A2D74.crt
+  0555_Certum_Trusted_Root_CA/intermediate/B5D46DC027130E5CED3BE5083EB34028DD9230F4D5A36AD1924D21C0EF984CBA.crt
 
 guard.py
 ~~~~~~~~