
If issued cert doesn't match CSR, fail loudly

Open aarongable opened this issue 2 years ago • 1 comments

We have a function which checks that the certificate we issue during finalization matches the CSR which was provided by the client:

https://github.com/letsencrypt/boulder/blob/7a65a61ec04eec24ad2f08968a3d2d0ed786ff93/ra/ra.go#L632-L690

We call this near the end of FinalizeOrder, but we... don't really do anything with the result. We just return the error if there is one:

https://github.com/letsencrypt/boulder/blob/7a65a61ec04eec24ad2f08968a3d2d0ed786ff93/ra/ra.go#L1235-L1238

It seems like hitting this case might be a clear indicator of misissuance, and should possibly fail in a way that sets off alarm bells (audit logging something distinctive, incrementing a metric, etc). We should dig in to figure out exactly what hitting this clause would mean, and add noise if it definitely is misissuance.

aarongable, Jan 13 '23 23:01

I like the metric idea for this. Searching the past 90 days of prod/staging logs for generate certificate shows no hits, so that's good.

pgporada, Apr 29 '24 18:04
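
The "fail loudly" behaviour proposed in the issue, as an added Go example that is not Boulder's code: the caller increments a counter and writes a distinctive audit line before returning the mismatch error. The names `certMatchesCSR`, `checkIssued`, `mismatches` and `demo` are hypothetical, the comparison covers only the public key and DNS names (an assumed subset of what a CA would check), and the inputs are constructed struct literals.

```go
package main

import (
	"bytes"
	"crypto/x509"
	"fmt"
	"log"
	"reflect"
	"sort"
)

var mismatches int // stands in for a real metrics counter (hypothetical, not goroutine-safe)

func sortedCopy(in []string) []string {
	out := append([]string(nil), in...)
	sort.Strings(out)
	return out
}

// certMatchesCSR checks only the public key and the exact DNS name set (an assumed subset).
func certMatchesCSR(cert *x509.Certificate, csr *x509.CertificateRequest) error {
	if !bytes.Equal(cert.RawSubjectPublicKeyInfo, csr.RawSubjectPublicKeyInfo) {
		return fmt.Errorf("public key differs")
	}
	if !reflect.DeepEqual(sortedCopy(cert.DNSNames), sortedCopy(csr.DNSNames)) {
		return fmt.Errorf("DNS names differ")
	}
	return nil
}

// checkIssued fails loudly: bump the counter, write a distinctive audit line, return the error.
func checkIssued(orderID string, cert *x509.Certificate, csr *x509.CertificateRequest) error {
	err := certMatchesCSR(cert, csr)
	if err != nil {
		mismatches++
		log.Printf("[AUDIT] cert/CSR mismatch, possible misissuance: order=%s err=%v", orderID, err)
	}
	return err
}

func demo() (good, badNames, badKey error) {
	key, names := []byte{1, 2}, []string{"a.example", "b.example"} // constructed input, not parsed DER
	csr := &x509.CertificateRequest{RawSubjectPublicKeyInfo: key, DNSNames: names}
	good = checkIssued("1", &x509.Certificate{RawSubjectPublicKeyInfo: key, DNSNames: []string{"b.example", "a.example"}}, csr)
	badNames = checkIssued("2", &x509.Certificate{RawSubjectPublicKeyInfo: key, DNSNames: []string{"a.example"}}, csr)
	badKey = checkIssued("3", &x509.Certificate{RawSubjectPublicKeyInfo: []byte{9}, DNSNames: names}, csr)
	return
}

func main() { fmt.Println(demo()) }
```

An alert on any non-zero value of the counter, paired with a log search for the audit prefix, gives the two signals the issue asks for.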