Provide better guidance on how to filter legitimate certificates
Opened this issue · 2 comments
AGWA commented
Documentation/README should explain:
- You can't compare certificate fingerprints because precertificates have a different fingerprint.
- You don't want to compare serial numbers because malicious CAs could reuse the serial number.
- Ideally you compare the TBS hash, but there are zero tools for computing this.
- So comparing the public key fingerprint is the best bet.
chayleaf commented
Would something like this work?
[[ "$EVENT" != discovered_cert ]] && exit
mkdir -p /var/lib/certspotter/allowed_tbs
for cert in $(find /var/lib/acme -regex ".*/fullchain.pem"); do
hash="$(openssl asn1parse -in "$cert" -strparse 4 -noout -out /dev/stdout | openssl sha256 | cut -d" " -f2)"
touch "/var/lib/certspotter/allowed_tbs/$hash"
done
[[ -f "/var/lib/certspotter/allowed_tbs/$TBS_SHA256" ]] && exit 0
(echo && echo "WARNING: Unknown certificate detected: $SUMMARY") | sendmail webmaster@example.orgAGWA commented
@chayleaf That doesn't calculate the TBS certificate correctly as you also need to remove the SCT extension (this is the TBS certificate as defined in RFC 6962 rather than the standard definition; I was not kidding when I said there are zero tools for this).
Here's a script that uses the public key hash instead (warning: not tested):
if [ "$EVENT" = discovered_cert ]
then
for cert in $(find /var/lib/acme -regex ".*/fullchain.pem")
do
hash="$(openssl x509 -in "$cert" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256 | cut -d" " -f2)"
if [ "$hash" = "$PUBKEY_SHA256" ]
then
exit 0
fi
done
fi
(echo "Subject: $SUMMARY" && echo && cat "$TEXT_FILENAME") | sendmail -i webmaster@example.org)This script also ensures you get error notifications (where $EVENT != discovered_cert)