certspotter/cmd/ctwatch/main.go

package main

import (
	"flag"
	"fmt"
	"os"
	"bufio"
	"strings"

	"src.agwa.name/ctwatch"
	"src.agwa.name/ctwatch/ct"
	"src.agwa.name/ctwatch/cmd"
)

func DefaultStateDir () string {
	if envVar := os.Getenv("CTWATCH_STATE_DIR"); envVar != "" {
		return envVar
	} else {
		return cmd.DefaultStateDir("ctwatch")
	}
}

var stateDir = flag.String("state_dir", DefaultStateDir(), "Directory for storing state")
var watchDomains []string
var watchDomainSuffixes []string

func setWatchDomains (domains []string) {
	for _, domain := range domains {
		if domain == "." { // "." as in root zone (matches everything)
			watchDomains = []string{}
			watchDomainSuffixes = []string{""}
			break
		} else {
			watchDomains = append(watchDomains, strings.ToLower(domain))
			watchDomainSuffixes = append(watchDomainSuffixes, "." + strings.ToLower(domain))
		}
	}
}

func dnsNameMatches (dnsName string) bool {
	dnsNameLower := strings.ToLower(dnsName)
	for _, domain := range watchDomains {
		if dnsNameLower == domain {
			return true
		}
	}
	for _, domainSuffix := range watchDomainSuffixes {
		if strings.HasSuffix(dnsNameLower, domainSuffix) {
			return true
		}
	}
	return false
}

func anyDnsNameMatches (dnsNames []string) bool {
	for _, dnsName := range dnsNames {
		if dnsNameMatches(dnsName) {
			return true
		}
	}
	return false
}

func processEntry (scanner *ctwatch.Scanner, entry *ct.LogEntry) {
	info := ctwatch.EntryInfo{
		LogUri:		scanner.LogUri,
		Entry:		entry,
		IsPrecert:	ctwatch.IsPrecert(entry),
		FullChain:	ctwatch.GetFullChain(entry),
	}

	info.CertInfo, info.ParseError = ctwatch.MakeCertInfoFromLogEntry(entry)

	// If there's any sort of parse error related to the identifiers, report
	// the certificate because we can't say for sure it doesn't match a domain
	// we care about (fail safe behavior).  Treat common names as DNS names
	// because many TLS clients do.
	if info.ParseError != nil ||
			info.CertInfo.CommonNamesParseError != nil ||
			info.CertInfo.DNSNamesParseError != nil ||
			anyDnsNameMatches(info.CertInfo.CommonNames) ||
			anyDnsNameMatches(info.CertInfo.DNSNames) {
		cmd.LogEntry(&info)
	}
}

func main() {
	flag.Parse()

	if flag.NArg() == 0 {
		fmt.Fprintf(os.Stderr, "Usage: %s [flags] domain ...\n", os.Args[0])
		fmt.Fprintf(os.Stderr, "\n")
		fmt.Fprintf(os.Stderr, "To read domain list from stdin, use '-'. To monitor all domains, use '.'.\n")
		fmt.Fprintf(os.Stderr, "See '%s -help' for a list of valid flags.\n", os.Args[0])
		os.Exit(2)
	}

	if flag.NArg() == 1 && flag.Arg(0) == "-" {
		var domains []string
		scanner := bufio.NewScanner(os.Stdin)
		for scanner.Scan() {
			domains = append(domains, scanner.Text())
		}
		if err := scanner.Err(); err != nil {
			fmt.Fprintf(os.Stderr, "%s: Error reading standard input: %s\n", os.Args[0], err)
			os.Exit(1)
		}
		setWatchDomains(domains)
	} else {
		setWatchDomains(flag.Args())
	}

	cmd.Main(*stateDir, processEntry)
}
Initial commit 2016-02-05 03:45:37 +01:00			`package main`

			`import (`
			`"flag"`
			`"fmt"`
			`"os"`
			`"bufio"`
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs. 2016-02-09 19:28:52 +01:00			`"strings"`
Initial commit 2016-02-05 03:45:37 +01:00
			`"src.agwa.name/ctwatch"`
Embed Google CT library, with my own changes 2016-02-18 19:44:56 +01:00			`"src.agwa.name/ctwatch/ct"`
Initial commit 2016-02-05 03:45:37 +01:00			`"src.agwa.name/ctwatch/cmd"`
			`)`

ctwatch: allow state dir to be set by $CTWATCH_STATE_DIR 2016-03-08 16:09:26 +01:00			`func DefaultStateDir () string {`
			`if envVar := os.Getenv("CTWATCH_STATE_DIR"); envVar != "" {`
			`return envVar`
			`} else {`
			`return cmd.DefaultStateDir("ctwatch")`
			`}`
			`}`

			`var stateDir = flag.String("state_dir", DefaultStateDir(), "Directory for storing state")`
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs. 2016-02-09 19:28:52 +01:00			`var watchDomains []string`
			`var watchDomainSuffixes []string`

			`func setWatchDomains (domains []string) {`
			`for _, domain := range domains {`
Allow . to be specified on stdin as well 2016-02-22 23:18:56 +01:00			`if domain == "." { // "." as in root zone (matches everything)`
			`watchDomains = []string{}`
			`watchDomainSuffixes = []string{""}`
			`break`
			`} else {`
			`watchDomains = append(watchDomains, strings.ToLower(domain))`
			`watchDomainSuffixes = append(watchDomainSuffixes, "." + strings.ToLower(domain))`
			`}`
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs. 2016-02-09 19:28:52 +01:00			`}`
			`}`

			`func dnsNameMatches (dnsName string) bool {`
			`dnsNameLower := strings.ToLower(dnsName)`
			`for _, domain := range watchDomains {`
			`if dnsNameLower == domain {`
			`return true`
			`}`
			`}`
			`for _, domainSuffix := range watchDomainSuffixes {`
			`if strings.HasSuffix(dnsNameLower, domainSuffix) {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

			`func anyDnsNameMatches (dnsNames []string) bool {`
			`for _, dnsName := range dnsNames {`
			`if dnsNameMatches(dnsName) {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

			`func processEntry (scanner ctwatch.Scanner, entry ct.LogEntry) {`
			`info := ctwatch.EntryInfo{`
			`LogUri: scanner.LogUri,`
			`Entry: entry,`
Replace embedded X509 parser with my own lightweight parser 2016-03-17 00:58:00 +01:00			`IsPrecert: ctwatch.IsPrecert(entry),`
			`FullChain: ctwatch.GetFullChain(entry),`
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs. 2016-02-09 19:28:52 +01:00			`}`

Rename a function for clarity 2016-03-18 00:34:53 +01:00			`info.CertInfo, info.ParseError = ctwatch.MakeCertInfoFromLogEntry(entry)`
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs. 2016-02-09 19:28:52 +01:00
Parse common names separately from DNS names 2016-04-23 05:58:33 +02:00			`// If there's any sort of parse error related to the identifiers, report`
			`// the certificate because we can't say for sure it doesn't match a domain`
			`// we care about (fail safe behavior). Treat common names as DNS names`
			`// because many TLS clients do.`
			`if info.ParseError != nil \|\|`
			`info.CertInfo.CommonNamesParseError != nil \|\|`
			`info.CertInfo.DNSNamesParseError != nil \|\|`
			`anyDnsNameMatches(info.CertInfo.CommonNames) \|\|`
			`anyDnsNameMatches(info.CertInfo.DNSNames) {`
			`cmd.LogEntry(&info)`
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs. 2016-02-09 19:28:52 +01:00			`}`
			`}`
New and simplified multi-log operation 2016-02-05 05:16:25 +01:00
Initial commit 2016-02-05 03:45:37 +01:00			`func main() {`
			`flag.Parse()`

To monitor all domains, require "." to be specified Now that we save all certs by default, we want to prevent people from accidentally monitoring all domains, which could lead to MASSIVE disk usage. "." is used because it denotes the root zone in DNS. 2016-02-05 17:13:11 +01:00			`if flag.NArg() == 0 {`
			`fmt.Fprintf(os.Stderr, "Usage: %s [flags] domain ...\n", os.Args[0])`
			`fmt.Fprintf(os.Stderr, "\n")`
			`fmt.Fprintf(os.Stderr, "To read domain list from stdin, use '-'. To monitor all domains, use '.'.\n")`
			`fmt.Fprintf(os.Stderr, "See '%s -help' for a list of valid flags.\n", os.Args[0])`
			`os.Exit(2)`
			`}`

New and simplified multi-log operation 2016-02-05 05:16:25 +01:00			`if flag.NArg() == 1 && flag.Arg(0) == "-" {`
To monitor all domains, require "." to be specified Now that we save all certs by default, we want to prevent people from accidentally monitoring all domains, which could lead to MASSIVE disk usage. "." is used because it denotes the root zone in DNS. 2016-02-05 17:13:11 +01:00			`var domains []string`
Initial commit 2016-02-05 03:45:37 +01:00			`scanner := bufio.NewScanner(os.Stdin)`
			`for scanner.Scan() {`
			`domains = append(domains, scanner.Text())`
			`}`
			`if err := scanner.Err(); err != nil {`
New and simplified multi-log operation 2016-02-05 05:16:25 +01:00			`fmt.Fprintf(os.Stderr, "%s: Error reading standard input: %s\n", os.Args[0], err)`
Use bits in the exit code to convey what happened 2016-02-22 23:45:50 +01:00			`os.Exit(1)`
Initial commit 2016-02-05 03:45:37 +01:00			`}`
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs. 2016-02-09 19:28:52 +01:00			`setWatchDomains(domains)`
Initial commit 2016-02-05 03:45:37 +01:00			`} else {`
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs. 2016-02-09 19:28:52 +01:00			`setWatchDomains(flag.Args())`
Initial commit 2016-02-05 03:45:37 +01:00			`}`

Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs. 2016-02-09 19:28:52 +01:00			`cmd.Main(*stateDir, processEntry)`
Initial commit 2016-02-05 03:45:37 +01:00			`}`