Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Trust your own private CA #1528

Open
bwbroersma opened this issue Oct 16, 2024 · 0 comments
Open

Trust your own private CA #1528

bwbroersma opened this issue Oct 16, 2024 · 0 comments
Labels
documentation documentation infrastructure-docker

Comments

@bwbroersma
Copy link
Collaborator

bwbroersma commented Oct 16, 2024
edited
Loading

Currently the root CA's are included in git in /remote_data/certs.
And manually update via the Makefile:

Internet.nl/Makefile

Lines 80 to 83 in b1dde07

update_cert_fingerprints:
chmod +x $(CERTSSDIR)/update-certs.sh
chmod +x $(CERTSSDIR)/mk-ca-bundle.pl
cd $(CERTSSDIR); ./update-certs.sh

E.g. when one wants to add a private root (e.g. PKIoverheid private root for testing DigiNetwerk), or want to use a different root program (or combined one) it should be clear what to do.

It seems only ca-bundle.crt and root_fingerprints are used:

Internet.nl/internetnl/settings.py

Lines 441 to 444 in b1dde07

# --- TLS configuration
#
CA_CERTIFICATES = os.path.join(BASE_DIR, "remote_data/certs/ca-bundle.crt")
CA_FINGERPRINTS = os.path.join(BASE_DIR, "remote_data/certs/root_fingerprints")

Note the root_fingerprints are SHA-1, but it seems they are only used for this check:

Internet.nl/checks/tasks/tls.py

Lines 1252 to 1259 in b1dde07

def is_root_cert(cert):
"""
Check if the certificate is a root certificate.
"""
digest = cert.fingerprint(hashes.SHA1())
digest = hexlify(digest).decode("ascii")
return digest.upper() in root_fingerprints

Which of course is okay and a non-problematic use of SHA-1.

The ca-bundle.crt is fed to:

Internet.nl/checks/tasks/tls_connection.py

Lines 243 to 250 in b1dde07

super().__init__(
ssl_version=self.version,
underlying_socket=self.sock,
ssl_verify=SSL_VERIFY_NONE,
ssl_verify_locations=settings.CA_CERTIFICATES,
ignore_client_authentication_requests=True,
signature_algorithms=self.signature_algorithms,
)

and ldns_dane:

Internet.nl/checks/tasks/tls.py

Lines 1196 to 1210 in b1dde07

with subprocess.Popen(
[
settings.LDNS_DANE,
"-c",
"/dev/stdin", # Read certificate chain from stdin
"-n", # Do not validate hostname
"-T", # Exit status 2 for PKIX without (secure) TLSA records
"-r",
settings.IPV4_IP_RESOLVER_INTERNAL_VALIDATING, # Use internal unbound resolver
"-f",
settings.CA_CERTIFICATES, # CA file
"verify",
hostname,
str(port),
],

see OpenSSL SSL_CTX_load_verify_locations, which means the only thing which is read is the PEM part.

So in the case of PKIoverheid it would be:

$ echo -e "\nStaat der Nederlanden Private Root CA - G1\n"\
"TRUSTED_DELEGATOR: SERVER_AUTH\n"\
"=================================================" >> remote_data/certs/ca-bundle.crt
$ curl -sSfA '' --compressed 'https://cert.pkioverheid.nl/PrivateRootCA-G1.cer' \
  | openssl x509 -inform DER -fingerprint -text >> remote_data/certs/ca-bundle.crt

$ curl -sSfA '' --compressed 'https://zoek.officielebekendmakingen.nl/stcrt-2015-6676.html' \
  | grep -Eo '(\b[0-9A-F]{4}\b ?){10}' | tr -d ' ' >> remote_data/certs/root_fingerprints
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
documentation documentation infrastructure-docker
Milestone
No milestone
Development

No branches or pull requests
1 participant
@bwbroersma