Compare commits
No commits in common. "1d562e7aa4c29b139d5eb4705813d4e4f407ce1d" and "af04121ff6aa4976f5619dee92646ef261d02825" have entirely different histories.
1d562e7aa4
...
af04121ff6
2 changed files with 16 additions and 23 deletions
|
|
@ -36,7 +36,6 @@ func (p *caaProvider) ParseForm(r *http.Request) (sdk.CheckerOptions, error) {
|
|||
return nil, errors.New("domain is required")
|
||||
}
|
||||
domain = dns.Fqdn(domain)
|
||||
bare := strings.TrimSuffix(domain, ".")
|
||||
|
||||
records, err := lookupCAA(domain)
|
||||
if err != nil {
|
||||
|
|
@ -56,12 +55,12 @@ func (p *caaProvider) ParseForm(r *http.Request) (sdk.CheckerOptions, error) {
|
|||
|
||||
svc := serviceMessage{
|
||||
Type: serviceType,
|
||||
Domain: bare,
|
||||
Domain: strings.TrimSuffix(domain, "."),
|
||||
Service: svcBody,
|
||||
}
|
||||
|
||||
return sdk.CheckerOptions{
|
||||
"domain": bare,
|
||||
"domain": strings.TrimSuffix(domain, "."),
|
||||
"service": svc,
|
||||
}, nil
|
||||
}
|
||||
|
|
@ -75,12 +74,12 @@ func lookupCAA(fqdn string) ([]CAARecord, error) {
|
|||
return nil, err
|
||||
}
|
||||
|
||||
c := new(dns.Client)
|
||||
for name := fqdn; name != "" && name != "."; {
|
||||
msg := new(dns.Msg)
|
||||
msg.SetQuestion(name, dns.TypeCAA)
|
||||
msg.RecursionDesired = true
|
||||
|
||||
c := new(dns.Client)
|
||||
in, _, err := c.Exchange(msg, resolver)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
|
|
|||
|
|
@ -32,6 +32,7 @@ type issuerAgg struct {
|
|||
severity string
|
||||
code string
|
||||
msg string
|
||||
fix string
|
||||
endpoints map[string]bool
|
||||
}
|
||||
|
||||
|
|
@ -116,7 +117,7 @@ func (r *caaRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, opts
|
|||
// info just because one probe happened to be unresolvable.
|
||||
agg := map[string]*issuerAgg{} // keyed by AKI+DN
|
||||
|
||||
issue := func(p *tlsProbeView, severity, code, msg string) {
|
||||
issue := func(p *tlsProbeView, severity, code, msg, fix string) {
|
||||
k := p.IssuerAKI + "|" + p.IssuerDN
|
||||
cur, ok := agg[k]
|
||||
if !ok {
|
||||
|
|
@ -127,6 +128,7 @@ func (r *caaRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, opts
|
|||
cur.severity = severity
|
||||
cur.code = code
|
||||
cur.msg = msg
|
||||
cur.fix = fix
|
||||
}
|
||||
if addr := p.address(); addr != "" {
|
||||
cur.endpoints[addr] = true
|
||||
|
|
@ -136,14 +138,16 @@ func (r *caaRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, opts
|
|||
for _, p := range probes {
|
||||
if al.disallowIssue {
|
||||
issue(p, SeverityCrit, CodeIssuanceDisallowed,
|
||||
fmt.Sprintf("CAA policy forbids issuance (issue \";\") but a certificate was observed on %s", p.address()))
|
||||
fmt.Sprintf("CAA policy forbids issuance (issue \";\") but a certificate was observed on %s", p.address()),
|
||||
"Remove the CA 0 issue \";\" record, or stop serving TLS certificates for this domain.")
|
||||
continue
|
||||
}
|
||||
|
||||
domains, ok := Lookup(p.IssuerAKI, p.IssuerDN)
|
||||
if !ok {
|
||||
issue(p, SeverityInfo, CodeIssuerUnknown,
|
||||
fmt.Sprintf("Observed issuer not found in CCADB (AKI=%q, DN=%q)", p.IssuerAKI, p.IssuerDN))
|
||||
fmt.Sprintf("Observed issuer not found in CCADB (AKI=%q, DN=%q)", p.IssuerAKI, p.IssuerDN),
|
||||
"File a CCADB update for this CA, or verify the cert was issued by a real CA.")
|
||||
continue
|
||||
}
|
||||
|
||||
|
|
@ -154,18 +158,21 @@ func (r *caaRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, opts
|
|||
if !hasPolicy {
|
||||
issue(p, SeverityInfo, CodeOK,
|
||||
fmt.Sprintf("No CAA records published; certificate on %s issued by %s (CAA identifier %s).",
|
||||
p.address(), issuerLabel(p), strings.Join(domains, ", ")))
|
||||
p.address(), issuerLabel(p), strings.Join(domains, ", ")),
|
||||
fmt.Sprintf("Publish %q IN CAA 0 issue %q to lock future issuance to %s.",
|
||||
data.Domain, domains[0], domains[0]))
|
||||
continue
|
||||
}
|
||||
|
||||
if !intersects(domains, al.issueAll) {
|
||||
issue(p, SeverityCrit, CodeNotAuthorized,
|
||||
fmt.Sprintf("Certificate on %s issued by %s (CAA identifier %s) is not authorized by the zone's CAA issue records",
|
||||
p.address(), issuerLabel(p), strings.Join(domains, ", ")))
|
||||
p.address(), issuerLabel(p), strings.Join(domains, ", ")),
|
||||
"Either update the CAA record to authorize this CA, or re-issue with an authorized CA.")
|
||||
continue
|
||||
}
|
||||
|
||||
issue(p, "", "", "")
|
||||
issue(p, "", "", "", "")
|
||||
}
|
||||
|
||||
// Emit one CheckState per distinct issuer, keyed deterministically so
|
||||
|
|
@ -232,19 +239,6 @@ func severityRank(s string) int {
|
|||
}
|
||||
}
|
||||
|
||||
func severityToStatus(s string) sdk.Status {
|
||||
switch s {
|
||||
case SeverityCrit:
|
||||
return sdk.StatusCrit
|
||||
case SeverityWarn:
|
||||
return sdk.StatusWarn
|
||||
case SeverityInfo:
|
||||
return sdk.StatusInfo
|
||||
default:
|
||||
return sdk.StatusOK
|
||||
}
|
||||
}
|
||||
|
||||
// intersects reports whether any element of lhs is present in the set.
|
||||
func intersects(lhs []string, set map[string]bool) bool {
|
||||
for _, s := range lhs {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue