gocsaf / csaf

Tools to download or provide CSAF (Common Security Advisory Framework) documents.
https://csaf.io

Load client certs early to detect misconfiguration #264

Closed s-l-teichmann closed 2 years ago

s-l-teichmann commented 2 years ago

Do not die with log.Fatalf in the middle of checking when client certs are configured badly. Check this right at the start.

bernhardreiter commented 2 years ago

@s-l-teichmann what kind of misconfiguration would trigger this?

s-l-teichmann commented 2 years ago

> @s-l-teichmann what kind of misconfiguration would trigger this?

Something not being a valid certificate file like:

```
./csaf_checker --client-cert=/etc/passwd --client-key=/etc/passwd
2022/07/26 17:33:25 error: tls: failed to find any PEM data in certificate input
```

The check is the same as before. It is only done earlier.

bernhardreiter commented 2 years ago

In my tests this already fails early, because the current check is triggered by p.httpClient() which happens to be called by checkProviderMetadata(), which is the first test. Is the change more about the right place where to check and a premature death cannot be triggered?

s-l-teichmann commented 2 years ago

> In my tests this already fails early, because the current check is triggered by p.httpClient() which happens to be called by checkProviderMetadata(), which is the first test. Is the change more about the right place where to check and a premature death cannot be triggered?

Whatever you mean by premature death. This PR loads the configured certs before the checking machine is started ... and yes, this is the right place to do this.

s-l-teichmann commented 2 years ago

p.httpClient() should not die ... if this creates an error, it should be properly handled with an error code path.
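
The pattern discussed in this thread, as an added example that is not code from the gocsaf project: the client certificate is loaded once during configuration validation and a bad file is returned as an error, so the HTTP client constructor has no failure path left. The type `checkerConfig` and its fields and methods are hypothetical names chosen for this sketch.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
	"os"
)

// checkerConfig is a hypothetical stand-in for the tool's configuration.
type checkerConfig struct {
	ClientCert string            // path from --client-cert
	ClientKey  string            // path from --client-key
	certs      []tls.Certificate // loaded once by prepare
}

// prepare loads the client certificate before any check runs and reports
// a bad configuration as an error instead of exiting the process.
func (c *checkerConfig) prepare() error {
	if c.ClientCert == "" && c.ClientKey == "" {
		return nil // client authentication not configured
	}
	if c.ClientCert == "" || c.ClientKey == "" {
		return errors.New("client cert and client key must be given together")
	}
	cert, err := tls.LoadX509KeyPair(c.ClientCert, c.ClientKey)
	if err != nil {
		return fmt.Errorf("loading client certificate: %w", err)
	}
	c.certs = []tls.Certificate{cert}
	return nil
}

// httpClient has no failure path left: it only uses what prepare loaded.
func (c *checkerConfig) httpClient() *http.Client {
	tlsCfg := &tls.Config{Certificates: c.certs, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: tlsCfg}}
}

func main() {
	// Constructed input: this program's own binary is not PEM, like /etc/passwd above.
	cfg := &checkerConfig{ClientCert: os.Args[0], ClientKey: os.Args[0]}
	if err := cfg.prepare(); err != nil {
		fmt.Println("configuration rejected before any check ran:", err)
		return
	}
	_ = cfg.httpClient() // the checks would start here
}
```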