Add source info to TLS certificate assets and create them from host details #663
Merged
mattmundell
merged 36 commits into
greenbone:master
from
timopollmeier:tls-certificate-assets
Aug 7, 2019
Conversation
For consistency with other assets like OS and Hosts, TLS Certificates are always deleted completely with delete_tls_certificate.
This adds sha256_fingerprint and serial as table columns and params for get_certificate_info and also adds an incomplete migrator that drops the now unused tls_certificates_trash table and adds the new columns. The migrator will fail intentionally in this commit because more columns are to be added in following commits.
This can be used to get certificate data from "SSLDetails" host details.
This avoids possible issues with uninitialized memory. Also the default certificate_format return has been clarified.
This makes it more consistent with the other certificate helper functions that do not perform any database operations.
The SHA-256 fingerprint is used by OpenVAS to identify certificates, the serial is also collected by the scanner and the source data can be used to associate certificates with certain hosts and reports.
The clause was missing in the create_tables() function.
The get_tls_certificates command will now contain sha256_fingerprint and serial elements.
TLS certificates use bigint because some expiry times may not fit into the limits of the integer type.
This gives the most recent time the certificate was found in a scan or imported.
When details are requested, get_tls_certificates command will now return a list of sources giving the locations (hosts and ports) and origins (e.g. reports) where a certificate was found.
The TLS certificate assets are meant to represent the actual certificate contents and replacing them with a different certificate would lead to inconsistencies like no longer matching a certificate as found in a scan.
The GMP commands create_tls_certificate and delete_tls_certificate now create/delete sources, locations and origins of the certificate.
A TLS certificate is considered a duplicate if the current user has one with the same fingerprint but copying from other users is still allowed.
The copy_tls_certificate function was missing these columns.
The creation of the TLS certificate from Base64 encoded certificate data has been moved from create_tls_certificate to a new function that can be reused in other contexts like host details.
This separates the insertion of the tls_certificates row from getting the data from a Base64 encoded certificate.
The make_tls_certificate and user_tls_certificate_match_internal functions now quote the given certificate data because DNs can contain single quotes and other fields could contain other arbitrary text.
This adds documentation of the return value of make_tls_certificate and make_tls_certificate_214.
Every time the scan of a host has finished, the collected host details will be used to create TLS certificate assets or amend them with new source information.
This removes some leftover test output, frees the decoded certificate content in add_tls_certificates_from_report_host and adds checks if make_tls_certificate was successful, also ensuring tls_certificate is defined.
mattmundell
requested changes
Aug 7, 2019
The functions have been moved from src/manage.c to the new file manage_tls_certificates.c.
- Placing of the comma and inline comments is made more consistent.
- Declaration and initialization of variables is separated in migrate_213_to_214.
- Comments have been added to explain the iterators in the migrator.
The summary of the copy element had a superfluous period.
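The commits above describe deriving the SHA-256 fingerprint and serial from Base64 encoded certificate data, the per-user duplicate rule, and quoting DN text before it reaches SQL. The following is an added illustration written for this page, not gvmd's own code: it uses a hand-built DER parser over a constructed (not real) certificate fragment, an in-memory SQLite table whose columns are assumed, and stores the serial as hex text.

```python
import base64
import hashlib
import sqlite3

# Constructed sample, not a real certificate: just the leading X.509 structure
# Certificate SEQ(17) { tbsCertificate SEQ(15) { [0] INTEGER 2, serialNumber INTEGER }}
SAMPLE_DER = bytes.fromhex("3011300fa00302010202080123456789abcdef")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def certificate_info(b64_cert):
    """Return (sha256_fingerprint, serial_hex); SHA-256 over the DER is OpenVAS's identifier."""
    der = base64.b64decode(b64_cert)
    tag, pos, _ = _tlv(der, 0)                 # Certificate
    if tag == 0x30:
        tag, pos, _ = _tlv(der, pos)           # tbsCertificate
    if tag != 0x30:
        raise ValueError("not an X.509 SEQUENCE")
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                            # optional [0] version: skip it
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber missing")
    return hashlib.sha256(der).hexdigest(), der[start:end].hex()

def new_db():
    conn = sqlite3.connect(":memory:")  # stand-in for the table; columns assumed
    conn.execute("CREATE TABLE tls_certificates (owner TEXT, sha256_fingerprint"
                 " TEXT, serial TEXT, subject_dn TEXT, certificate TEXT)")
    return conn

def create_tls_certificate(conn, owner, b64_cert, subject_dn):
    """Insert unless this owner already holds the fingerprint (other owners may
    still get a copy). Bound parameters keep a DN like O'Brien from breaking SQL."""
    fingerprint, serial = certificate_info(b64_cert)
    if conn.execute("SELECT 1 FROM tls_certificates WHERE owner = ? AND "
                    "sha256_fingerprint = ?", (owner, fingerprint)).fetchone():
        return False
    conn.execute("INSERT INTO tls_certificates VALUES (?, ?, ?, ?, ?)",
                 (owner, fingerprint, serial, subject_dn, b64_cert))
    return True
```

Malformed or truncated input raises ValueError instead of producing a row, which is the "was make_tls_certificate successful" check the last commit adds.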
This PR contains various changes to allow gathering TLS certificates from scan data and a few other smaller improvements:
Checklist: