From 3877cde0dca704aa4e75ac0ae48e6d22e833426a Mon Sep 17 00:00:00 2001
From: Gerard Snaauw
Date: Fri, 1 Nov 2024 10:43:26 +0100
Subject: [PATCH] PKI Valdiator always fails on unknown CAs

---
 pki/validator.go | 5 +++--
 pki/validator_test.go | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/pki/validator.go b/pki/validator.go
index e8e70dbd09..d2273af6ac 100644
--- a/pki/validator.go
+++ b/pki/validator.go
@@ -135,8 +135,8 @@ func (v *validator) Validate(chain []*x509.Certificate) error {
 // check in reverse order to prevent CRL expiration errors due to revoked CAs no longer issuing CRLs
 if err = v.validateCert(cert); err != nil {
 errOut := fmt.Errorf("%w: subject=%s, S/N=%s, issuer=%s", err, cert.Subject.String(), cert.SerialNumber.String(), cert.Issuer.String())
- if v.softfail && !(errors.Is(err, ErrCertRevoked) || errors.Is(err, ErrCertBanned)) {
- // Accept the certificate even if it cannot be properly validated
+ if v.softfail && (errors.Is(err, ErrCRLExpired) || errors.Is(err, ErrCRLMissing) || errors.Is(err, ErrDenylistMissing)) {
+ // Accept the certificate even if it cannot be properly validated against the CRL or denylist
 logger().WithError(errOut).Error("Certificate CRL check softfail bypass. Might be unsafe, find cause of failure!")
 continue
 }
@@ -169,6 +169,7 @@ func (v *validator) validateCert(cert *x509.Certificate) error {
 // Validate the cert against the denylist
 if err := v.denylist.ValidateCert(cert); err != nil {
 // Return any denylist error, blocking the certificate
+ // Can only be ErrDenylistMissing or ErrCertBanned
 return err
 }
 }
diff --git a/pki/validator_test.go b/pki/validator_test.go
index 081275afd1..6437818ce5 100644
--- a/pki/validator_test.go
+++ b/pki/validator_test.go
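Review bot: The bypass log on the line after the new condition still labels the event "Certificate CRL check softfail bypass", but the allowlist now also lets ErrDenylistMissing through, so a denylist outage will be recorded under a CRL label and is easy to miss when triaging; consider `logger().WithError(errOut).Error("Certificate CRL/denylist check softfail bypass. Might be unsafe, find cause of failure!")`. The switch from a blocklist of fatal errors to an allowlist of bypassable ones is the right default, since any error validateCert returns that is not one of the three named sentinels, including ones added later, now hard-fails even in softfail mode, and a comment stating that intent, e.g. `// softfail only bypasses availability failures (CRL or denylist unreachable/expired); every other error, including any added later, remains fatal`, would keep a future edit from quietly widening it. Validate begins and ends outside this hunk.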
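Review bot: The added comment "Can only be ErrDenylistMissing or ErrCertBanned" states a property of the denylist's ValidateCert that nothing in this hunk enforces; if v.denylist is an interface, another implementation could return a different error, which Validate would then treat as fatal even in softfail mode (the safe outcome, but not what the comment promises). Phrase it as the contract the allowlist in Validate depends on rather than as a fact, e.g. `// Validate's softfail allowlist relies on the denylist returning only ErrDenylistMissing or ErrCertBanned; any other error is treated as fatal`, or place that statement on the ValidateCert declaration where implementers will see it. validateCert begins outside this hunk.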
@@ -126,7 +126,7 @@ func TestValidator_Validate(t *testing.T) {
 })
 t.Run("unknown issuer", func(t *testing.T) {
 val := &validator{}
- testSoftHard(t, val, validCertA, nil, ErrCertUntrusted)
+ testSoftHard(t, val, validCertA, ErrCertUntrusted, ErrCertUntrusted)
 })
 t.Run("missing crl", func(t *testing.T) {
 testSoftHard(t, val, validCertBWithRevokedCA, nil, ErrCRLMissing)
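Review bot: The updated "unknown issuer" expectation pins the hard-fail side of the new allowlist (ErrCertUntrusted now fails in both soft and hard mode), but this hunk shows no subtest pinning the denylist side, namely that ErrDenylistMissing is still accepted under softfail while ErrCertBanned is not. If TestValidator_Validate does not already have one alongside the "missing crl" case, a `t.Run("missing denylist", ...)` subtest calling `testSoftHard(t, val, <cert fixture>, nil, ErrDenylistMissing)` would lock in the third entry of the allowlist so a later edit cannot drop it unnoticed. TestValidator_Validate continues outside this hunk.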