Handle CT precertificates

Question

Handle CT precertificates

titanous opened this issue 7 years ago · 7 comments

If a crt.sh ID is submitted for a precertificate that matches an issued certificate in crt.sh, it should be substituted. If both IDs are submitted, only the issued certificate should be listed.

Answer 1 · 2017-08-11T22:57:46.000Z

The two relevant queries:

SELECT position(E'\\x060a2b06010401d6790204030101ff' in certificate) ct_poison
FROM certificate
WHERE id = $1;

if ct_poison is greater than zero, it's likely a precert.

To find the corresponding issued certificate (if any):

SELECT c.id
FROM certificate pc
LEFT OUTER JOIN certificate c
ON (pc.id != c.id 
    AND pc.issuer_ca_id = c.issuer_ca_id 
    AND x509_serialNumber(pc.certificate) = x509_serialNumber(c.certificate))
WHERE pc.id = $1;

Answer 2 · 2017-08-11T23:01:10.000Z

That first query isn't really correct, is it? Surely 1/N keys will have that in the signature bytes.

…

On Fri, Aug 11, 2017 at 6:57 PM, Jonathan Rudenberg < ***@***.***> wrote: The two relevant queries: SELECT position(E'\\x060a2b06010401d6790204030101ff' in certificate) ct_poisonFROM certificateWHERE id = $1; if ct_poison is greater than zero, it's a precert. To find the corresponding issued certificate (if any): SELECT c.idFROM certificate pcLEFT OUTER JOIN certificate cON (pc.id != c.id AND pc.issuer_ca_id = c.issuer_ca_id AND x509_serialNumber(pc.certificate) = x509_serialNumber(c.certificate))WHERE pc.id = $1; — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#10 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAADBCKQeG1Luc3e1eoiKwyNnhMh44hZks5sXNxqgaJpZM4O0OG9> .

-- "I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire) "The people's good is the highest law." -- Cicero GPG Key fingerprint: D1B3 ADC0 E023 8CA6

Answer 3 · 2017-08-11T23:03:10.000Z

Yeah, true, it can false positive. But all we need is a heuristic to trigger the second query.

Answer 4 · 2017-08-11T23:05:44.000Z

Hmm, I think the right way to structure this is:

Have fetch_details check if it's really a pre-cert; then do a second bulk lookup to replace pre-certs with their real ones.

Change _add_crtsh_ids to check already_tracked after fetch_details (to handle the substition correctly).

Answer 5 · 2017-08-11T23:06:44.000Z

I filed crtsh/libx509pq#2 just in case we end up wanting a way to query for this.

Answer 6 · 2017-08-11T23:07:43.000Z

Probably the easiest way to implement that is a generic `x509HasExtension` API.

…

On Fri, Aug 11, 2017 at 7:06 PM, Jonathan Rudenberg < ***@***.***> wrote: I filed crtsh/libx509pq#2 <crtsh/libx509pq#2> just in case we end up wanting this. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#10 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAADBAGXN2OF2HllR4JG4fOyO89A90Qmks5sXN6FgaJpZM4O0OG9> .

-- "I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire) "The people's good is the highest law." -- Cicero GPG Key fingerprint: D1B3 ADC0 E023 8CA6

Answer 7 · 2017-08-22T15:02:47.000Z

I've addressed crtsh/libx509pq#2. crt.sh now has an x509_hasExtension() function: first parameter is the cert (bytea); second parameter is the OID (either the dotted form, or the OpenSSL short or long name).