include/cert_validator.h
Declares CertInfo, CertValidator, and the validateChain contract.
// CertValidator: TLS certificate chain validation interface.
#pragma once
#include <ctime>
#include <string>
#include <vector>
 
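// Minimal view of one X.509 certificate as this validator sees it.
//
// Only names and the validity window are carried: there is no public key,
// signature, SAN list or serial number here, so anything built on CertInfo
// can compare names and times but cannot verify a signature or a revocation
// status on its own.
//
// The time fields are default-initialised to 0 so that a CertInfo that is
// declared but never filled in has a well-defined (and already-expired)
// validity window instead of indeterminate values; reading an uninitialised
// time_t in a validity check is undefined behaviour and, in practice, may
// let a blank certificate look "valid". Aggregate initialisation
// (CertInfo{subject, issuer, notBefore, notAfter}) still works.
struct CertInfo {
  std::string subject;       // CN of this certificate
  std::string issuer;        // CN of the issuing certificate
  time_t      notBefore{0};  // start of validity window (Unix epoch)
  time_t      notAfter{0};   // end of validity window (Unix epoch)
};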
 
// Validates TLS certificate chains for mutual authentication.
class CertValidator {
public:
  // Checks a certificate chain against a peer hostname at a given time.
  //
  // Parameters:
  //   chain    - certificate chain: chain[0] is leaf, chain[n-1] is root
  //   hostname - peer hostname to match against the leaf certificate
  //   now      - current time for validity checks (Unix epoch)
  // Returns: true if chain is valid and leaf matches hostname; false if any
  //          cert is expired, the hostname does not match, the chain is empty,
  //          or issuer linkage is broken. Never throws.
  //
  // NOTE(review): the failure conditions listed above are name and time
  // checks only. CertInfo carries no key or signature material, so "issuer
  // linkage" can at most be a string comparison of cert.issuer against the
  // next cert's subject; it cannot establish that the parent actually signed
  // the child. Nothing in this contract says chain[n-1] is compared against
  // a trust store, or that revocation is consulted. Callers must not treat a
  // true result as a cryptographic trust decision unless the implementation
  // (not visible in this header) adds those checks — confirm before relying
  // on it for mutual authentication.
  //
  // "Never throws" is a documented contract only; the declaration is not
  // marked noexcept, so the compiler does not enforce it. `now` is trusted as
  // given: a caller that passes a stale or attacker-influenced clock value
  // defeats the expiry check.
  bool validateChain(const std::vector<CertInfo>& chain,
                     const std::string& hostname,
                     time_t now) const;

private:
  // Parameters:
  //   certSubject - CN field from the certificate (may contain wildcard prefix)
  //   hostname    - connecting peer hostname to test
  // Returns: true if hostname matches certSubject per RFC 2818 wildcard rules
  //
  // NOTE(review): RFC 2818 §3.1 lets a wildcard stand for one DNS label
  // (*.a.com matches foo.a.com, not bar.foo.a.com) and DNS names compare
  // case-insensitively. The implementation is not visible here — verify it
  // follows those rules and rejects a bare "*" or a wildcard that would span
  // multiple labels. Only the CN is consulted per this signature; subject
  // alternative names are not part of CertInfo.
  bool isHostnameMatch(const std::string& certSubject,
                       const std::string& hostname) const;

  // Parameters:
  //   cert - certificate whose validity window should be checked
  //   now  - current time (Unix epoch)
  // Returns: true if now falls within [notBefore, notAfter] inclusive
  //
  // Both endpoints are inclusive, so a certificate is still accepted at the
  // exact second of notAfter. A window with notAfter < notBefore can never
  // pass.
  bool checkValidity(const CertInfo& cert, time_t now) const;
};