Tandem
/
certspotter
mirror of https://github.com/SSLMate/certspotter.git
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
certspotter/cmd/ctwatch/main.go

108 lines
2.5 KiB
Go
Raw Normal View History

Initial commit
2016-02-05 03:45:37 +01:00
package main
import (
"flag"
"fmt"
"os"
"bufio"
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs.
2016-02-09 19:28:52 +01:00
"strings"
Initial commit
2016-02-05 03:45:37 +01:00
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs.
2016-02-09 19:28:52 +01:00
"github.com/google/certificate-transparency/go"
Initial commit
2016-02-05 03:45:37 +01:00
"src.agwa.name/ctwatch"
"src.agwa.name/ctwatch/cmd"
)
New and simplified multi-log operation
2016-02-05 05:16:25 +01:00
var stateDir = flag.String("state_dir", cmd.DefaultStateDir("ctwatch"), "Directory for storing state")
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs.
2016-02-09 19:28:52 +01:00
var watchDomains []string
var watchDomainSuffixes []string
func setWatchDomains (domains []string) {
for _, domain := range domains {
watchDomains = append(watchDomains, strings.ToLower(domain))
watchDomainSuffixes = append(watchDomainSuffixes, "." + strings.ToLower(domain))
}
}
func dnsNameMatches (dnsName string) bool {
dnsNameLower := strings.ToLower(dnsName)
for _, domain := range watchDomains {
if dnsNameLower == domain {
return true
}
}
for _, domainSuffix := range watchDomainSuffixes {
if strings.HasSuffix(dnsNameLower, domainSuffix) {
return true
}
}
return false
}
func anyDnsNameMatches (dnsNames []string) bool {
for _, dnsName := range dnsNames {
if dnsNameMatches(dnsName) {
return true
}
}
return false
}
func processEntry (scanner *ctwatch.Scanner, entry *ct.LogEntry) {
info := ctwatch.EntryInfo{
LogUri: scanner.LogUri,
Entry: entry,
}
// Extract DNS names
var dnsNames []string
dnsNames, info.ParseError = ctwatch.EntryDNSNames(entry)
if info.ParseError == nil {
// Match DNS names
if !anyDnsNameMatches(dnsNames) {
return
}
// Parse the certificate
info.ParsedCert, info.ParseError = ctwatch.ParseEntryCertificate(entry)
if info.ParsedCert != nil {
info.CertInfo = ctwatch.MakeCertInfo(info.ParsedCert)
} else {
info.CertInfo.DnsNames = dnsNames
}
}
cmd.LogEntry(&info)
}
New and simplified multi-log operation
2016-02-05 05:16:25 +01:00
Initial commit
2016-02-05 03:45:37 +01:00
func main() {
flag.Parse()
To monitor all domains, require "." to be specified Now that we save all certs by default, we want to prevent people from accidentally monitoring all domains, which could lead to MASSIVE disk usage. "." is used because it denotes the root zone in DNS.
2016-02-05 17:13:11 +01:00
if flag.NArg() == 0 {
fmt.Fprintf(os.Stderr, "Usage: %s [flags] domain ...\n", os.Args[0])
fmt.Fprintf(os.Stderr, "\n")
fmt.Fprintf(os.Stderr, "To read domain list from stdin, use '-'. To monitor all domains, use '.'.\n")
fmt.Fprintf(os.Stderr, "See '%s -help' for a list of valid flags.\n", os.Args[0])
os.Exit(2)
}
New and simplified multi-log operation
2016-02-05 05:16:25 +01:00
if flag.NArg() == 1 && flag.Arg(0) == "-" {
To monitor all domains, require "." to be specified Now that we save all certs by default, we want to prevent people from accidentally monitoring all domains, which could lead to MASSIVE disk usage. "." is used because it denotes the root zone in DNS.
2016-02-05 17:13:11 +01:00
var domains []string
Initial commit
2016-02-05 03:45:37 +01:00
scanner := bufio.NewScanner(os.Stdin)
for scanner.Scan() {
domains = append(domains, scanner.Text())
}
if err := scanner.Err(); err != nil {
New and simplified multi-log operation
2016-02-05 05:16:25 +01:00
fmt.Fprintf(os.Stderr, "%s: Error reading standard input: %s\n", os.Args[0], err)
os.Exit(3)
Initial commit
2016-02-05 03:45:37 +01:00
}
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs.
2016-02-09 19:28:52 +01:00
setWatchDomains(domains)
To monitor all domains, require "." to be specified Now that we save all certs by default, we want to prevent people from accidentally monitoring all domains, which could lead to MASSIVE disk usage. "." is used because it denotes the root zone in DNS.
2016-02-05 17:13:11 +01:00
} else if flag.NArg() == 1 && flag.Arg(0) == "." { // "." as in root zone
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs.
2016-02-09 19:28:52 +01:00
watchDomainSuffixes = []string{""}
Initial commit
2016-02-05 03:45:37 +01:00
} else {
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs.
2016-02-09 19:28:52 +01:00
setWatchDomains(flag.Args())
Initial commit
2016-02-05 03:45:37 +01:00
}
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs.
2016-02-09 19:28:52 +01:00
cmd.Main(*stateDir, processEntry)
Initial commit
2016-02-05 03:45:37 +01:00
}