Merge pull request #1073 from atc0005/i1063-explicitly-list-root-cert…

…-sig-algs-as-ignored Explicitly list root cert signature algorithms as ignored
atc0005 · Nov 17, 2024 · da4454f · da4454f
2 parents f30a71e + 1b172c1
commit da4454f
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 10 deletions.
diff --git a/cmd/check_cert/paypload.go b/cmd/check_cert/paypload.go
@@ -303,7 +303,15 @@ func buildCertSummary(cfg *config.Config, validationResults certs.CertChainValid
 
 		log := cfg.Log.With().Logger()
 
-		log.Debug().Int("num_certs", len(nonRootCerts)).Msg("Evaluating certificates for weak signature algorithm")
+		log.Debug().Int("num_certs", len(nonRootCerts)).Msg("Evaluating non-root certificates for weak signature algorithm")
+
+		// logIgnored := func(cert *x509.Certificate) {
+		// 	log.Debug().
+		// 		Bool("cert_signature_algorithm_ok", true).
+		// 		Str("cert_signature_algorithm", cert.SignatureAlgorithm.String()).
+		// 		Str("cert_common_name", cert.Subject.CommonName).
+		// 		Msg("Certificate signature algorithm ignored")
+		// }
 
 		logWeak := func(cert *x509.Certificate) {
 			log.Debug().
@@ -322,8 +330,13 @@ func buildCertSummary(cfg *config.Config, validationResults certs.CertChainValid
 		}
 
 		for _, cert := range nonRootCerts {
+			// chainPos := certs.ChainPosition(cert, certChain)
+
 			switch {
-			case certs.HasWeakSignatureAlgorithm(cert):
+			// case chainPos == "root":
+			// 	logIgnored(cert)
+
+			case certs.HasWeakSignatureAlgorithm(cert, certChain):
 				logWeak(cert)
 
 				return true

diff --git a/internal/certs/certs.go b/internal/certs/certs.go
@@ -1145,8 +1145,9 @@ func FormatCertSerialNumber(sn *big.Int) string {
 
 }
 
-// HasWeakSignatureAlgorithm evaluates the given certificate and indicates
-// whether a known weak signature algorithm was found.
+// HasWeakSignatureAlgorithm evaluates the given certificate (within the
+// context of a given certificate chain) and indicates whether a known weak
+// signature algorithm was found.
 //
 // Root certificates evaluate to false as TLS clients trust them by their
 // identity instead of the signature of their hash.
@@ -1157,7 +1158,13 @@ func FormatCertSerialNumber(sn *big.Int) string {
 // - https://developer.mozilla.org/en-US/docs/Web/Security/Weak_Signature_Algorithm
 // - https://www.tenable.com/plugins/nessus/35291
 // - https://docs.ostorlab.co/kb/WEAK_HASHING_ALGO/index.html
-func HasWeakSignatureAlgorithm(cert *x509.Certificate) bool {
+func HasWeakSignatureAlgorithm(cert *x509.Certificate, certChain []*x509.Certificate) bool {
+	chainPos := ChainPosition(cert, certChain)
+
+	if chainPos == certChainPositionRoot {
+		return false
+	}
+
 	switch {
 	case cert.SignatureAlgorithm == x509.MD2WithRSA:
 		return true
@@ -1187,7 +1194,7 @@ func HasWeakSignatureAlgorithm(cert *x509.Certificate) bool {
 // identity instead of the signature of their hash.
 func HasCertWithWeakSignatureAlgorithm(certChain []*x509.Certificate) bool {
 	for _, cert := range certChain {
-		if HasWeakSignatureAlgorithm(cert) {
+		if HasWeakSignatureAlgorithm(cert, certChain) {
 			return true
 		}
 	}
@@ -1198,12 +1205,21 @@ func HasCertWithWeakSignatureAlgorithm(certChain []*x509.Certificate) bool {
 // WeakSignatureAlgorithmStatus returns a human-readable string indicating the
 // signature algorithm used for the certificate and whether it is known to be
 // cryptographically weak.
-func WeakSignatureAlgorithmStatus(cert *x509.Certificate) string {
+//
+// Signature algorithms are ignored for root certificates as TLS clients trust
+// them by their identity instead of the signature of their hash.
+func WeakSignatureAlgorithmStatus(cert *x509.Certificate, certChain []*x509.Certificate) string {
+	chainPos := ChainPosition(cert, certChain)
+
 	switch {
-	case HasWeakSignatureAlgorithm(cert):
+	case HasWeakSignatureAlgorithm(cert, certChain):
 		return "[WEAK] " + cert.SignatureAlgorithm.String()
 
 	default:
+		if chainPos == certChainPositionRoot {
+			return "[IGNORED] " + cert.SignatureAlgorithm.String()
+		}
+
 		return "[OK] " + cert.SignatureAlgorithm.String()
 	}
 }
@@ -1652,7 +1668,7 @@ func GenerateCertChainReport(
 				nagios.CheckOutputEOL,
 				certificate.NotAfter.Format(CertValidityDateLayout),
 				nagios.CheckOutputEOL,
-				WeakSignatureAlgorithmStatus(certificate),
+				WeakSignatureAlgorithmStatus(certificate, certChain),
 				nagios.CheckOutputEOL,
 				expiresText,
 				nagios.CheckOutputEOL,
@@ -1685,7 +1701,7 @@ func GenerateCertChainReport(
 				nagios.CheckOutputEOL,
 				certificate.NotAfter.Format(CertValidityDateLayout),
 				nagios.CheckOutputEOL,
-				WeakSignatureAlgorithmStatus(certificate),
+				WeakSignatureAlgorithmStatus(certificate, certChain),
 				nagios.CheckOutputEOL,
 				expiresText,
 				nagios.CheckOutputEOL,