-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pre-issuance certificate linting support. #1008
Comments
Sounds like a great addition to me so long as the default behavior is unchanged. I have no issues with the |
This is a good plan, no objections. Thank you for writing this up @cpu |
Great, thanks for the 👀 @cbroglie, @lgarofalo! I'll aim to have a pull request available for review in the next week or so. |
👉 #1015 |
Hi folks,
At Let's Encrypt we would like to build optional pre-issuance certificate linting into CFSSL. Pre-issuance linting is repeatedly cited as a best-practice in incident post-mortems in the web PKI community. Adding support to CFSSL will help interested parties add more safe-guards to their issuance pipeline. I'd be happy to commit to doing the work provided the proposed design outlined below sounds good.
Boulder already uses zlint, a Go based X.509 Certificate Linter, as a library for post-issuance linting. I think it makes sense to integrate this project as a CFSSL dependency to accomplish pre-issuance linting.
High Level
At a high level we would like to:
zlint
config.SigningProfile
struct to accept two new optional fields:lintErrLevel int
ignoredLints []string
signer.local.Signer
struct to generate one throw-away private key at creation for linting.signer.local.Signer
'ssign(*x509.Certificate)
function to:Adding a dep.
We think integrating
zlint
directly so it can work out-of-box with a config change rather than building in a callback for the same purpose and supplying the linting externally on a project-specific basis will help more folks benefit from the linting. zlint has a bias towards CA/B reqs and RFC 5280 but it is an extensible way to add additional lints and many of the existing lints vet best-practices that are broadly applicable.If it helps you feel better about a new dependency I'm also a committer/maintainer of
zlint
so you would have a contact on that side of the fence from the get-go.Config changes
The
lintErrLevel
will default to 0 for existing configs. We'll match this up with thezlint.LintResult.LintStatus
in the local signer to know when to treat a result as an error. AnyLintStatus
> thelintErrLevel
will be an error, except in the case wherelintErrLevel
is zero and linting is disabled.zlint.lints.Reserved
-> no linting will be done. no results considered. Existing CFSSL behaviour.zlint.lints.NA
andzlint.lints.NE
-> these don't really make sense in this context.zlint.lints.Pass
-> all lint results except pass will be considered errors.zlint.lints.Notice
-> all lint results except pass and notice will be considered errors.zlint.lints.Warn
-> all lint results except pass, notice and warning will be considered errors.zlint.lints.Error
-> all lint results except pass, notice, warning, and error will be considered errors (e.g. fatal errors only)zlint.lints.Fatal
-> no errors will be treated as errors.The
ignoredLints
map offers a more fine-grained way to ignore specific lints by name. E.g.:What do you folks think? CC @cbroglie
The text was updated successfully, but these errors were encountered: