feat(inputs.x509_cert): Add OCSP stapling information for leaf certificates (#10550) #12444
Conversation
@jjh74 can you please run |
@jjh74 thanks for looking into this! I have one concern regarding the assumed order of certificates in the answer returned by the server. Currently, we assume (and also you do it) that we always receive the leaf certificate as the first entry. However, I do not see any guarantee for that order, neither by RFC2459 nor by RFC5280 nor by the Golang code.
So IMO we need to order the certs, i.e. construct the trust-path(s)/tree and then determine the leaf nodes instead of blindly using index zero...
What do you think?
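One way to determine the leaf certificates without relying on index zero, as an added example in Go that is not telegraf's own code: it builds a constructed root / intermediate / leaf chain with the standard library (names such as `leaf.example.test` are constructed), then treats as a leaf every certificate that did not sign any other certificate in the set, verifying signatures rather than trusting subject/issuer names or the position in the slice.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert creates a certificate for subject. When parent is nil the
// certificate is self-signed; otherwise it is signed by parent/parentKey.
func newCert(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // required for CheckSignatureFrom
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildTestChain returns a constructed root -> intermediate -> leaf chain
// (test data only) with the ROOT first and the leaf LAST, i.e. not the
// order a server is expected to send.
func buildTestChain() ([]*x509.Certificate, error) {
	root, rootKey, err := newCert("Example Test Root", true, nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := newCert("Example Test Intermediate", true, root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := newCert("leaf.example.test", false, inter, interKey)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{root, inter, leaf}, nil
}

// leafCertificates returns every certificate that is not the verified issuer
// of another certificate in certs, independent of slice order.
func leafCertificates(certs []*x509.Certificate) []*x509.Certificate {
	isIssuer := make([]bool, len(certs))
	for i, child := range certs {
		for j, parent := range certs {
			if i == j || !bytes.Equal(child.RawIssuer, parent.RawSubject) {
				continue
			}
			if child.CheckSignatureFrom(parent) == nil {
				isIssuer[j] = true
			}
		}
	}
	var leaves []*x509.Certificate
	for i, c := range certs {
		if !isIssuer[i] {
			leaves = append(leaves, c)
		}
	}
	return leaves
}

// leafNames is a small convenience wrapper returning the leaves' CommonNames.
func leafNames(certs []*x509.Certificate) []string {
	var names []string
	for _, c := range leafCertificates(certs) {
		names = append(names, c.Subject.CommonName)
	}
	return names
}

func main() {
	chain, err := buildTestChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("leaves:", leafNames(chain)) // leaf found although it is last
}
```

A chain that carries two unrelated end-entity certificates yields two leaves, which is exactly the case where a fixed index would silently report the wrong certificate's OCSP status.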
Nice update @jjh74! Only two small comments left. Please also resolve the merge conflict...
@jjh74 any news on this PR? |
I tried to do the go.mod require merge + moved I realized that |
Yeah I noticed that. It seems like you are adding those new libs as dependencies. Maybe try to rebase on latest master to fix the merge conflicts and see if the issue is gone. If not, you need to add the two entries to the |
I rebased to master and that seemed to work. After rebase I added two more commits:
…icates (influxdata#10550) This adds OCSPResponse information from tls connectionstate for leaf certificates. Fields: ocsp_status_code(Good=0,Revoked=1,Unknown=2), ocsp_produced_at, ocsp_this_update, ocsp_next_update and ocsp_revoked_at (when ocsp_status=2). Tags: ocsp_stapled yes/no, ocsp_status good/revoked/unknown
ocspresponse. If verification fails retry ocsp.ParseResponse w/out issuer certificate.
@jjh74 I pushed a few commits to your PR. Namely, I rebased on master and fixed the conflicts and one linter issue. This should hopefully get us nearly there. I can do a review in a bit. |
Thanks everyone for the implementation! |
Required for all PRs
resolves #10550
This PR adds OCSP stapling information from tls ConnectionState (https://pkg.go.dev/crypto/tls#ConnectionState), parsed with ocsp.ParseResponse (https://pkg.go.dev/golang.org/x/crypto/ocsp#ParseResponse). OCSPResponse signature is not checked against issuer certificate.
New fields: ocsp_status(Good=0,Revoked=1,Unknown=2), ocsp_produced_at, ocsp_this_update, ocsp_next_update and ocsp_revoked_at (when ocsp_status=2).
New tags: ocsp_stapled yes/no