Fix CheckCommand misbehaviour with self-signed certs
yhabteab committed May 13, 2024
1 parent 8425ede commit a672724
Showing 1 changed file with 15 additions and 4 deletions.
19 changes: 15 additions & 4 deletions application/clicommands/CheckCommand.php
Expand Up @@ -93,7 +93,10 @@ public function hostAction()
->columns([new Expression('MAX(GREATEST(%s, %s))', ['valid_from', 'issuer_certificate.valid_from'])])
->getSelectBase()
->resetWhere()
->where(new Expression('sub_certificate_link.certificate_chain_id = target_chain.id'));
->where(new Expression('sub_certificate_link.certificate_chain_id = target_chain.id'))
// If the current cert is a self-signed one, we don't need to look for other valid_from timestamps within
// that chain, as there's no other certificate on top of a self-signed one, i.e. it's already the root CA.
->where(new Expression("sub_certificate.self_signed != 'y'"));

// Sub query for `valid_to` column
$validTo = $targets->createSubQuery(new X509Certificate(), 'chain.certificate');
Expand All @@ -102,16 +105,24 @@ public function hostAction()
->getSelectBase()
// Reset the where clause generated within the createSubQuery() method.
->resetWhere()
->where(new Expression('sub_certificate_link.certificate_chain_id = target_chain.id'));
->where(new Expression('sub_certificate_link.certificate_chain_id = target_chain.id'))
// If the current cert is a self-signed one, we don't need to look for other valid_to timestamps within
// that chain, as there's no other certificate on top of a self-signed one, i.e. it's already the root CA.
->where(new Expression("sub_certificate.self_signed != 'y'"));

list($validFromSelect, $_) = $validFrom->dump();
list($validToSelect, $_) = $validTo->dump();
$targets
->withColumns([
'valid_from' => new Expression($validFromSelect),
'valid_to' => new Expression($validToSelect)
'valid_from' => new Expression(
sprintf('COALESCE((%s), target_chain_certificate.valid_from)', $validFromSelect)
),
'valid_to' => new Expression(
sprintf('COALESCE((%s), target_chain_certificate.valid_to)', $validToSelect)
)
])
->getSelectBase()
->distinct()
->where(new Expression('target_chain_link.order = 0'));

if ($ip !== null) {
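Review bot: The new comment above `->where(new Expression("sub_certificate.self_signed != 'y'"))` in both hunks describes a check on "the current cert", but the predicate is applied to `sub_certificate`, i.e. to every chain member, for every target chain, regardless of whether the target certificate itself is self-signed. The behaviour that makes the fix work appears to be different: self-signed members are dropped from the aggregate, their dates still reach the result through the child's `issuer_certificate` join in the GREATEST/LEAST expression, and a chain that consists only of a self-signed certificate yields no rows, so the new COALESCE falls back to `target_chain_certificate.valid_from`/`valid_to`. I would reword the comment to say that, e.g. `// Exclude self-signed chain members: their dates are already covered via the issuer_certificate join of their child, and a chain made of a single self-signed cert then yields NULL, handled by the COALESCE fallback below.` Note also that the fallback presumably masks any other reason the sub query returns NULL (missing chain links, a NULL `self_signed` value failing the `!= 'y'` test), in which case the check silently reports only the leaf's own validity window; if that is not intended, it is worth a comment or a stricter filter. Both hunks sit inside hostAction(), whose body starts and ends outside the diff.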
