Initial commit

checker/rules_pkix.go

@@ -0,0 +1,61 @@
+package checker
+
+import (
+	"context"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+)
+
+// pkixChainValidRule reports whether endpoints that publish PKIX-dependent
+// TLSA usages (0 or 1) also present a certificate chain that validates
+// against the system trust store. DANE usages 2/3 are unaffected and
+// skipped entirely by this rule.
+type pkixChainValidRule struct{}
+
+func (r *pkixChainValidRule) Name() string { return "dane.pkix_chain_valid" }
+func (r *pkixChainValidRule) Description() string {
+	return "When TLSA usages 0 or 1 are published, verifies the certificate chain also validates against system trust roots."
+}
+
+func (r *pkixChainValidRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
+	rc := loadRuleContext(ctx, obs)
+	if rc.err != nil {
+		return []sdk.CheckState{observationErrorState(rc.err)}
+	}
+	var out []sdk.CheckState
+	tested := 0
+	for _, t := range rc.data.Targets {
+		probe := rc.probes[t.Ref]
+		if !probeUsable(probe) {
+			continue
+		}
+		if !hasPKIXUsage(t) {
+			continue
+		}
+		tested++
+		if probe.ChainValid == nil || !*probe.ChainValid {
+			out = append(out, sdk.CheckState{
+				Status:  sdk.StatusCrit,
+				Code:    "dane_pkix_chain_invalid",
+				Subject: targetSubject(t),
+				Message: "Usage 0/1 requires a publicly-trusted chain, but the certificate chain did not validate against system roots.",
+				Meta:    targetMeta(t),
+			})
+		}
+	}
+	if len(out) == 0 {
+		if tested == 0 {
+			return []sdk.CheckState{{
+				Status:  sdk.StatusUnknown,
+				Code:    "dane_pkix_chain_valid_skipped",
+				Message: "No endpoint publishes PKIX-dependent TLSA usages (0/1).",
+			}}
+		}
+		return []sdk.CheckState{{
+			Status:  sdk.StatusOK,
+			Code:    "dane_pkix_chain_valid_ok",
+			Message: "Every endpoint with PKIX-dependent usages presents a publicly-trusted chain.",
+		}}
+	}
+	return out
+}