open-vault/command/healthcheck/pki_root_issued_leaves.go

package healthcheck

import (
	"bytes"
	"crypto/x509"
	"fmt"

	"github.com/hashicorp/go-secure-stdlib/parseutil"
)

type RootIssuedLeaves struct {
	Enabled            bool
	UnsupportedVersion bool

	CertsToFetch int

	RootCertMap map[string]*x509.Certificate
	LeafCertMap map[string]*x509.Certificate
}

func NewRootIssuedLeavesCheck() Check {
	return &RootIssuedLeaves{
		RootCertMap: make(map[string]*x509.Certificate),
		LeafCertMap: make(map[string]*x509.Certificate),
	}
}

func (h *RootIssuedLeaves) Name() string {
	return "root_issued_leaves"
}

func (h *RootIssuedLeaves) IsEnabled() bool {
	return h.Enabled
}

func (h *RootIssuedLeaves) DefaultConfig() map[string]interface{} {
	return map[string]interface{}{
		"certs_to_fetch": 100,
	}
}

func (h *RootIssuedLeaves) LoadConfig(config map[string]interface{}) error {
	count, err := parseutil.SafeParseIntRange(config["certs_to_fetch"], 1, 100000)
	if err != nil {
		return fmt.Errorf("error parsing %v.certs_to_fetch: %w", h.Name(), err)
	}
	h.CertsToFetch = int(count)

	enabled, err := parseutil.ParseBool(config["enabled"])
	if err != nil {
		return fmt.Errorf("error parsing %v.enabled: %w", h.Name(), err)
	}
	h.Enabled = enabled

	return nil
}

func (h *RootIssuedLeaves) FetchResources(e *Executor) error {
	exit, _, issuers, err := pkiFetchIssuersList(e, func() {
		h.UnsupportedVersion = true
	})
	if exit || err != nil {
		return err
	}

	for _, issuer := range issuers {
		skip, _, cert, err := pkiFetchIssuer(e, issuer, func() {
			h.UnsupportedVersion = true
		})
		if skip || err != nil {
			if err != nil {
				return err
			}
			continue
		}

		// Ensure we only check Root CAs.
		if !bytes.Equal(cert.RawSubject, cert.RawIssuer) {
			continue
		}
		if err := cert.CheckSignatureFrom(cert); err != nil {
			continue
		}

		h.RootCertMap[issuer] = cert
	}

	exit, _, leaves, err := pkiFetchLeavesList(e, func() {
		h.UnsupportedVersion = true
	})
	if exit || err != nil {
		return err
	}

	var leafCount int
	for _, serial := range leaves {
		if leafCount >= h.CertsToFetch {
			break
		}

		skip, _, cert, err := pkiFetchLeaf(e, serial, func() {
			h.UnsupportedVersion = true
		})
		if skip || err != nil {
			if err != nil {
				return err
			}
			continue
		}

		// Ignore other CAs.
		if cert.BasicConstraintsValid && cert.IsCA {
			continue
		}

		leafCount += 1
		h.LeafCertMap[serial] = cert
	}

	return nil
}

func (h *RootIssuedLeaves) Evaluate(e *Executor) (results []*Result, err error) {
	if h.UnsupportedVersion {
		ret := Result{
			Status:   ResultInvalidVersion,
			Endpoint: "/{{mount}}/issuers",
			Message:  "This health check requires Vault 1.11+ but an earlier version of Vault Server was contacted, preventing this health check from running.",
		}
		return []*Result{&ret}, nil
	}

	issuerHasLeaf := make(map[string]bool)
	for serial, leaf := range h.LeafCertMap {
		if len(issuerHasLeaf) == len(h.RootCertMap) {
			break
		}

		for issuer, root := range h.RootCertMap {
			if issuerHasLeaf[issuer] {
				continue
			}

			if !bytes.Equal(leaf.RawIssuer, root.RawSubject) {
				continue
			}

			if err := leaf.CheckSignatureFrom(root); err != nil {
				continue
			}

			ret := Result{
				Status:   ResultWarning,
				Endpoint: "/{{mount}}/issuer/" + issuer,
				Message:  fmt.Sprintf("Root issuer has directly issued non-CA leaf certificates (%v) instead of via an intermediate CA. This can make rotating the root CA harder as direct cross-signing of the roots must be used, rather than cross-signing of the intermediates. It is encouraged to set up and use an intermediate CA and tidy the mount when all directly issued leaves have expired.", serial),
			}

			issuerHasLeaf[issuer] = true

			results = append(results, &ret)
		}
	}

	return
}