From b5cdcbb414afa49606ca92fc1f7c7c8cc61e6ea9 Mon Sep 17 00:00:00 2001
From: Arjan H
Date: Sun, 5 Dec 2021 10:02:15 +0100
Subject: [PATCH] Fix cert-checker for whitelist/lockdown domains

---
 gui/apply-boulder | 5 +++
 install | 3 ++
 patches/cert-checker_main.patch | 68 +++++++++++++++++++++++++++++++++
 3 files changed, 76 insertions(+)
 create mode 100644 patches/cert-checker_main.patch

diff --git a/gui/apply-boulder b/gui/apply-boulder
index 7914b81..c2ee912 100755
--- a/gui/apply-boulder
+++ b/gui/apply-boulder
@@ -15,6 +15,11 @@ sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config
 sed -i -e "s/\"directoryCAAIdentity\": \".*\"/\"directoryCAAIdentity\": \"$PKI_DOMAIN\"/" config/wfe.json
 sed -i -e "s/\"directoryCAAIdentity\": \".*\"/\"directoryCAAIdentity\": \"$PKI_DOMAIN\"/" config/wfe2.json
+if ([ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]) || ([ "$PKI_DOMAIN_MODE" == "whitelist" ] && [ "$PKI_WHITELIST_DOMAINS" != "" ]); then
+ perl -i -p0e "s/(\"badResultsOnly\":.*?\n)/\1 \"skipForbiddenDomains\": true,\n/igs" config/cert-checker.json
+ perl -i -p0e "s/(\s+\"ignoredLints\": \[\n)/\1 \"e_dnsname_not_valid_tld\",\n/igs" config/cert-checker.json
+fi
+
 [ -e ../test/hostname-policy.yaml ] && cp ../test/hostname-policy.yaml ./ || true
 [ -e ../boulder/test/hostname-policy.yaml ] && cp ../boulder/test/hostname-policy.yaml ./ || true
 [ -e hostname-policy.json ] && rm hostname-policy.json || true
diff --git a/install b/install
index 0a648f7..09868ec 100755
--- a/install
+++ b/install
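Review bot: The two added `perl -i` edits are not idempotent: unlike the surrounding `sed` substitutions, which replace a value in place, each run prepends another `"skipForbiddenDomains": true,` line and another `"e_dnsname_not_valid_tld",` entry, so re-running apply-boulder (if that is expected, which I cannot tell from here) leaves duplicate keys in config/cert-checker.json. Guard each edit on absence, e.g. `grep -q '"skipForbiddenDomains"' config/cert-checker.json || perl -i -p0e "s/(\"badResultsOnly\":.*?\n)/\1 \"skipForbiddenDomains\": true,\n/igs" config/cert-checker.json`, and the same for the lint entry. The key written here must also keep matching the Go config field `SkipForbiddenDomains` added by the accompanying patch; assuming the config is decoded with encoding/json as Boulder's other configs are, the match is case-insensitive, but a short comment above the `if` saying that the key mirrors that field would protect the next edit. The enclosing script continues outside the hunk.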
@@ -570,6 +570,9 @@ config_boulder() {
 sudo -u labca -H patch -p1 < $cloneDir/patches/bad-key-revoker_main.patch &>>$installLog
 cp cmd/bad-key-revoker/main.go "$boulderLabCADir/.backup/"
 
+ sudo -u labca -H patch -p1 < $cloneDir/patches/cert-checker_main.patch &>>$installLog
+ cp cmd/cert-checker/main.go "$boulderLabCADir/.backup/"
+
 sudo -u labca -H patch -p1 < $cloneDir/patches/log-validator_main.patch &>>$installLog
 cp cmd/log-validator/main.go "$boulderLabCADir/.backup/"
 
diff --git a/patches/cert-checker_main.patch b/patches/cert-checker_main.patch
new file mode 100644
index 0000000..42d553e
--- /dev/null
+++ b/patches/cert-checker_main.patch
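Review bot: The exit status of the added `sudo -u labca -H patch -p1 < $cloneDir/patches/cert-checker_main.patch &>>$installLog` line is not checked, so if the patch stops applying to an updated cmd/cert-checker/main.go the following `cp` backs up, and the later build compiles, the unpatched file, and the `skipForbiddenDomains` key that apply-boulder writes then has no effect without any visible error. This mirrors the neighbouring bad-key-revoker and log-validator lines, so it is an existing pattern rather than a new defect, but the new line is a reasonable place to start, e.g. `sudo -u labca -H patch -p1 < $cloneDir/patches/cert-checker_main.patch &>>$installLog || { echo "cert-checker patch failed, see $installLog" >&2; exit 1; }`, unless the script already runs under `set -e`, which I cannot see from this hunk. config_boulder starts and ends outside the hunk.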
@@ -0,0 +1,68 @@
+diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go
+index fbdd9bb8..dc7fa4fd 100644
+--- a/cmd/cert-checker/main.go
++++ b/cmd/cert-checker/main.go
+@@ -90,9 +90,10 @@ type certChecker struct {
+ issuedReport report
+ checkPeriod time.Duration
+ acceptableValidityDurations map[time.Duration]bool
++ skipForbiddenDomains bool
+ }
+
+-func newChecker(saDbMap certDB, clk clock.Clock, pa core.PolicyAuthority, period time.Duration, avd map[time.Duration]bool) certChecker {
++func newChecker(saDbMap certDB, clk clock.Clock, pa core.PolicyAuthority, period time.Duration, avd map[time.Duration]bool, sfd bool) certChecker {
+ return certChecker{
+ pa: pa,
+ dbMap: saDbMap,
+@@ -102,6 +103,7 @@ func newChecker(saDbMap certDB, clk clock.Clock, pa core.PolicyAuthority, period
+ issuedReport: report{Entries: make(map[string]reportEntry)},
+ checkPeriod: period,
+ acceptableValidityDurations: avd,
++ skipForbiddenDomains: sfd,
+ }
+ }
+
+@@ -271,7 +273,7 @@ func (c *certChecker) checkCert(cert core.Certificate, ignoredLints map[string]b
+ err = c.pa.WillingToIssueWildcards([]identifier.ACMEIdentifier{id})
+ if err != nil {
+ problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err))
+- } else {
++ } else if !c.skipForbiddenDomains {
+ // For defense-in-depth, even if the PA was willing to issue for a name
+ // we double check it against a list of forbidden domains. This way even
+ // if the hostnamePolicyFile malfunctions we will flag the forbidden
+@@ -309,11 +311,12 @@ type config struct {
+ DB cmd.DBConfig
+ cmd.HostnamePolicyConfig
+
+- Workers int
+- ReportDirectoryPath string
+- UnexpiredOnly bool
+- BadResultsOnly bool
+- CheckPeriod cmd.ConfigDuration
++ Workers int
++ ReportDirectoryPath string
++ UnexpiredOnly bool
++ BadResultsOnly bool
++ SkipForbiddenDomains bool
++ CheckPeriod cmd.ConfigDuration
+
+ // AcceptableValidityDurations is a list of durations which are
+ // acceptable for certificates we issue.
+@@ -364,6 +367,8 @@ func main() {
+ acceptableValidityDurations[ninetyDays] = true
+ }
+
++ skipForbiddenDomains := config.CertChecker.SkipForbiddenDomains
++
+ // Validate PA config and set defaults if needed.
+ cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration")
+
+@@ -412,6 +417,7 @@ func main() {
+ pa,
+ config.CertChecker.CheckPeriod.Duration,
+ acceptableValidityDurations,
++ skipForbiddenDomains,
+ )
+ fmt.Fprintf(os.Stderr, "# Getting certificates issued in the last %s\n", config.CertChecker.CheckPeriod)
+
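Review bot: `} else if !c.skipForbiddenDomains {` in checkCert switches the forbidden-domain double check off for every name once the flag is set, not only for the lockdown/whitelist domains the commit title targets, and the comment right below it still says the check runs "even if the PA was willing to issue"; the comment should state the new condition, e.g. `// ... unless skipForbiddenDomains is set, which disables this defense-in-depth check for all names.` The new `SkipForbiddenDomains` field in the config struct has no doc comment while the sibling `AcceptableValidityDurations` does; a one-liner such as `// SkipForbiddenDomains disables the forbidden-domain double check in checkCert for all names; intended for lockdown/whitelist deployments.` would record the trade-off where an operator reads it. Because skipping silently removes findings from the report, consider announcing it next to the existing stderr line in main: `if skipForbiddenDomains { fmt.Fprintf(os.Stderr, "# Forbidden-domain double check disabled by config\n") }`. As a point of style, the `sfd` parameter on newChecker could be named `skipForbiddenDomains` like the field it sets, and the local of that name in main could be dropped by passing `config.CertChecker.SkipForbiddenDomains` directly, as `config.CertChecker.CheckPeriod.Duration` already is. checkCert and main both start and end outside these hunks.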