turbot/net_insights

Control: Certificates should not use insecure certificate algorithm (e.g., MD2, MD5, SHA1)

Description

MD2 and MD5 are part of the Message Digest Algorithm family, which was created to verify the integrity of any message or file that is hashed. Both have been cryptographically broken, which means they are vulnerable to collision attacks and are therefore considered insecure. SHA1 is also considered cryptographically weak. It is recommended not to use certificates signed with these insecure algorithms.

Usage

Run the control in your terminal:

powerpipe control run net_insights.control.ssl_certificate_no_insecure_signature

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run net_insights.control.ssl_certificate_no_insecure_signature --share

Steampipe Tables

Params

| Args | Name | Default | Description | Variable |
|------|------|---------|-------------|----------|
| $1 | domain_names | ["github.com","microsoft.com"] | DNS domain names. | |

SQL

select
  common_name as resource,
  case
    when signature_algorithm like any (array['%SHA1%', '%MD2%', '%MD5%']) then 'alarm'
    else 'ok'
  end as status,
  common_name || ' uses ' || signature_algorithm || ' signature algorithm.' as reason
from
  net_certificate
where
  domain in (
    select
      jsonb_array_elements_text(to_jsonb($1::text[]))
  )
order by
  common_name;