Observer: detect CRL IDP mismatch (#8067)

aarongable · web-flow · commit d045b387efc6 · 2025-03-14T14:52:29.000-07:00
Give boulder-observer the ability to detect if the CRL it fetches is the CRL it expects, by comparing that CRLs issuingDistributionPoint extension to the prober's configured URL. Only do this if instructed to (by configuring the CRL prober as "partitioned") because non-partitioned CRLs do not necessarily contain an IDP. Fixes #7527
diff --git a/observer/probers/crl/crl.go b/observer/probers/crl/crl.go
@@ -4,15 +4,19 @@ import (
 	"crypto/x509"
 	"io"
 	"net/http"
+	"slices"
 	"time"
 
 	"github.com/prometheus/client_golang/prometheus"
+
+	"github.com/letsencrypt/boulder/crl/idp"
 )
 
 // CRLProbe is the exported 'Prober' object for monitors configured to
 // monitor CRL availability & characteristics.
 type CRLProbe struct {
 	url         string
+	partitioned bool
 	cNextUpdate *prometheus.GaugeVec
 	cThisUpdate *prometheus.GaugeVec
 	cCertCount  *prometheus.GaugeVec
@@ -47,6 +51,19 @@ func (p CRLProbe) Probe(timeout time.Duration) (bool, time.Duration) {
 		return false, dur
 	}
 
+	// Partitioned CRLs MUST contain an issuingDistributionPoint extension, which
+	// MUST contain the URL from which they were fetched, to prevent substitution
+	// attacks.
+	if p.partitioned {
+		idps, err := idp.GetIDPURIs(crl.Extensions)
+		if err != nil {
+			return false, dur
+		}
+		if len(idps) != 0 && !slices.Contains(idps, p.url) {
+			return false, dur
+		}
+	}
+
 	// Report metrics for this CRL
 	p.cThisUpdate.WithLabelValues(p.url).Set(float64(crl.ThisUpdate.Unix()))
 	p.cNextUpdate.WithLabelValues(p.url).Set(float64(crl.NextUpdate.Unix()))
diff --git a/observer/probers/crl/crl_conf.go b/observer/probers/crl/crl_conf.go
@@ -4,9 +4,10 @@ import (
 	"fmt"
 	"net/url"
 
+	"github.com/prometheus/client_golang/prometheus"
+
 	"github.com/letsencrypt/boulder/observer/probers"
 	"github.com/letsencrypt/boulder/strictyaml"
-	"github.com/prometheus/client_golang/prometheus"
 )
 
 const (
@@ -17,7 +18,8 @@ const (
 
 // CRLConf is exported to receive YAML configuration
 type CRLConf struct {
-	URL string `yaml:"url"`
+	URL         string `yaml:"url"`
+	Partitioned bool   `yaml:"partitioned"`
 }
 
 // Kind returns a name that uniquely identifies the `Kind` of `Configurer`.
@@ -87,7 +89,7 @@ func (c CRLConf) MakeProber(collectors map[string]prometheus.Collector) (probers
 		return nil, fmt.Errorf("crl prober received collector %q of wrong type, got: %T, expected *prometheus.GaugeVec", certCountName, coll)
 	}
 
-	return CRLProbe{c.URL, nextUpdateColl, thisUpdateColl, certCountColl}, nil
+	return CRLProbe{c.URL, c.Partitioned, nextUpdateColl, thisUpdateColl, certCountColl}, nil
 }
 
 // Instrument constructs any `prometheus.Collector` objects the `CRLProbe` will
diff --git a/observer/probers/crl/crl_conf_test.go b/observer/probers/crl/crl_conf_test.go
@@ -3,10 +3,11 @@ package probers
 import (
 	"testing"
 
-	"github.com/letsencrypt/boulder/observer/probers"
-	"github.com/letsencrypt/boulder/test"
 	"github.com/prometheus/client_golang/prometheus"
 	"gopkg.in/yaml.v3"
+
+	"github.com/letsencrypt/boulder/observer/probers"
+	"github.com/letsencrypt/boulder/test"
 )
 
 func TestCRLConf_MakeProber(t *testing.T) {
@@ -70,25 +71,20 @@ func TestCRLConf_MakeProber(t *testing.T) {
 }
 
 func TestCRLConf_UnmarshalSettings(t *testing.T) {
-	type fields struct {
-		url interface{}
-	}
 	tests := []struct {
 		name    string
-		fields  fields
+		fields  probers.Settings
 		want    probers.Configurer
 		wantErr bool
 	}{
-		{"valid", fields{"google.com"}, CRLConf{"google.com"}, false},
-		{"invalid (map)", fields{make(map[string]interface{})}, nil, true},
-		{"invalid (list)", fields{make([]string, 0)}, nil, true},
+		{"valid", probers.Settings{"url": "google.com"}, CRLConf{"google.com", false}, false},
+		{"valid with partitioned", probers.Settings{"url": "google.com", "partitioned": true}, CRLConf{"google.com", true}, false},
+		{"invalid (map)", probers.Settings{"url": make(map[string]interface{})}, nil, true},
+		{"invalid (list)", probers.Settings{"url": make([]string, 0)}, nil, true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			settings := probers.Settings{
-				"url": tt.fields.url,
-			}
-			settingsBytes, _ := yaml.Marshal(settings)
+			settingsBytes, _ := yaml.Marshal(tt.fields)
 			t.Log(string(settingsBytes))
 			c := CRLConf{}
 			got, err := c.UnmarshalSettings(settingsBytes)

Original file line number	Diff line number	Diff line change
`@@ -4,9 +4,10 @@ import (`
`4`	`4`	`"fmt"`
`5`	`5`	`"net/url"`
`6`	`6`
	`7`	`+ "github.com/prometheus/client_golang/prometheus"`
	`8`	`+`
`7`	`9`	`"github.com/letsencrypt/boulder/observer/probers"`
`8`	`10`	`"github.com/letsencrypt/boulder/strictyaml"`
`9`		`- "github.com/prometheus/client_golang/prometheus"`
`10`	`11`	`)`
`11`	`12`
`12`	`13`	`const (`
`@@ -17,7 +18,8 @@ const (`
`17`	`18`
`18`	`19`	`// CRLConf is exported to receive YAML configuration`
`19`	`20`	`type CRLConf struct {`
`20`		- URL string `yaml:"url"`
	`21`	+ URL string `yaml:"url"`
	`22`	+ Partitioned bool `yaml:"partitioned"`
`21`	`23`	`}`
`22`	`24`
`23`	`25`	// Kind returns a name that uniquely identifies the `Kind` of `Configurer`.
`@@ -87,7 +89,7 @@ func (c CRLConf) MakeProber(collectors map[string]prometheus.Collector) (probers`
`87`	`89`	`return nil, fmt.Errorf("crl prober received collector %q of wrong type, got: %T, expected *prometheus.GaugeVec", certCountName, coll)`
`88`	`90`	`}`
`89`	`91`
`90`		`- return CRLProbe{c.URL, nextUpdateColl, thisUpdateColl, certCountColl}, nil`
	`92`	`+ return CRLProbe{c.URL, c.Partitioned, nextUpdateColl, thisUpdateColl, certCountColl}, nil`
`91`	`93`	`}`
`92`	`94`
`93`	`95`	// Instrument constructs any `prometheus.Collector` objects the `CRLProbe` will