Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Provide better guidance on how to filter legitimate certificates #76

Open
AGWA opened this issue Oct 21, 2023 · 2 comments
Open

Provide better guidance on how to filter legitimate certificates #76

AGWA opened this issue Oct 21, 2023 · 2 comments
Labels
refinement An improvement, but not a new feature
Milestone

Comments

@AGWA
Copy link
Member

AGWA commented Oct 21, 2023

Documentation/README should explain:

  • You can't compare certificate fingerprints because precertificates have a different fingerprint.
  • You don't want to compare serial numbers because malicious CAs could reuse the serial number.
  • Ideally you compare the TBS hash, but there are zero tools for computing this.
  • So comparing the public key fingerprint is the best bet.
@AGWA AGWA added the refinement An improvement, but not a new feature label Oct 21, 2023
@AGWA AGWA added this to the Reduce noise milestone Oct 21, 2023
@chayleaf
Copy link
Contributor

chayleaf commented Oct 23, 2023

Would something like this work?

[[ "$EVENT" != discovered_cert ]] && exit
mkdir -p /var/lib/certspotter/allowed_tbs
for cert in $(find /var/lib/acme -regex ".*/fullchain.pem"); do
  hash="$(openssl asn1parse -in "$cert" -strparse 4 -noout -out /dev/stdout | openssl sha256 | cut -d" " -f2)"
  touch "/var/lib/certspotter/allowed_tbs/$hash"
done
[[ -f "/var/lib/certspotter/allowed_tbs/$TBS_SHA256" ]] && exit 0
(echo && echo "WARNING: Unknown certificate detected: $SUMMARY") | sendmail [email protected]

@AGWA
Copy link
Member Author

AGWA commented Oct 23, 2023

@chayleaf That doesn't calculate the TBS certificate correctly as you also need to remove the SCT extension (this is the TBS certificate as defined in RFC 6962 rather than the standard definition; I was not kidding when I said there are zero tools for this).

Here's a script that uses the public key hash instead (warning: not tested):

if [ "$EVENT" = discovered_cert ]
then    
        for cert in $(find /var/lib/acme -regex ".*/fullchain.pem")
        do      
                hash="$(openssl x509 -in "$cert" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256 | cut -d" " -f2)"
                if [ "$hash" = "$PUBKEY_SHA256" ]
                then
                        exit 0
                fi
        done
fi
(echo "Subject: $SUMMARY" && echo && cat "$TEXT_FILENAME") | sendmail -i [email protected])

This script also ensures you get error notifications (where $EVENT != discovered_cert)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
refinement An improvement, but not a new feature
Projects
None yet
Development

No branches or pull requests

2 participants