certspotter/helpers.go

// Copyright (C) 2016 Opsmate, Inc.
//
// This Source Code Form is subject to the terms of the Mozilla
// Public License, v. 2.0. If a copy of the MPL was not distributed
// with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
//
// This software is distributed WITHOUT A WARRANTY OF ANY KIND.
// See the Mozilla Public License for details.

package certspotter

import (
	"fmt"
	"math/big"

	"software.sslmate.com/src/certspotter/ct"
)

func IsPrecert(entry *ct.LogEntry) bool {
	return entry.Leaf.TimestampedEntry.EntryType == ct.PrecertLogEntryType
}

type CertInfo struct {
	TBS *TBSCertificate

	Subject                RDNSequence
	SubjectParseError      error
	Issuer                 RDNSequence
	IssuerParseError       error
	SANs                   []SubjectAltName
	SANsParseError         error
	SerialNumber           *big.Int
	SerialNumberParseError error
	Validity               *CertValidity
	ValidityParseError     error
	IsCA                   *bool
	IsCAParseError         error
	IsPreCert              bool
}

func MakeCertInfoFromTBS(tbs *TBSCertificate) *CertInfo {
	info := &CertInfo{TBS: tbs}

	info.Subject, info.SubjectParseError = tbs.ParseSubject()
	info.Issuer, info.IssuerParseError = tbs.ParseIssuer()
	info.SANs, info.SANsParseError = tbs.ParseSubjectAltNames()
	info.SerialNumber, info.SerialNumberParseError = tbs.ParseSerialNumber()
	info.Validity, info.ValidityParseError = tbs.ParseValidity()
	info.IsCA, info.IsCAParseError = tbs.ParseBasicConstraints()
	info.IsPreCert = len(tbs.GetExtension(oidExtensionCTPoison)) > 0

	return info
}

func MakeCertInfoFromRawTBS(tbsBytes []byte) (*CertInfo, error) {
	tbs, err := ParseTBSCertificate(tbsBytes)
	if err != nil {
		return nil, err
	}
	return MakeCertInfoFromTBS(tbs), nil
}

func MakeCertInfoFromRawCert(certBytes []byte) (*CertInfo, error) {
	cert, err := ParseCertificate(certBytes)
	if err != nil {
		return nil, err
	}
	return MakeCertInfoFromRawTBS(cert.GetRawTBSCertificate())
}

func MakeCertInfoFromLogEntry(entry *ct.LogEntry) (*CertInfo, error) {
	switch entry.Leaf.TimestampedEntry.EntryType {
	case ct.X509LogEntryType:
		return MakeCertInfoFromRawCert(entry.Leaf.TimestampedEntry.X509Entry)

	case ct.PrecertLogEntryType:
		return MakeCertInfoFromRawTBS(entry.Leaf.TimestampedEntry.PrecertEntry.TBSCertificate)

	default:
		return nil, fmt.Errorf("MakeCertInfoFromCTEntry: unknown CT entry type (neither X509 nor precert)")
	}
}

func MatchesWildcard(dnsName string, pattern string) bool {
	for len(pattern) > 0 {
		if pattern[0] == '*' {
			if len(dnsName) > 0 && dnsName[0] != '.' && MatchesWildcard(dnsName[1:], pattern) {
				return true
			}
			pattern = pattern[1:]
		} else {
			if len(dnsName) == 0 || pattern[0] != dnsName[0] {
				return false
			}
			pattern = pattern[1:]
			dnsName = dnsName[1:]
		}
	}
	return len(dnsName) == 0
}
License under the MPL 2.0 2016-05-04 20:53:48 +02:00			`// Copyright (C) 2016 Opsmate, Inc.`
			`//`
			`// This Source Code Form is subject to the terms of the Mozilla`
			`// Public License, v. 2.0. If a copy of the MPL was not distributed`
			`// with this file, You can obtain one at http://mozilla.org/MPL/2.0/.`
			`//`
			`// This software is distributed WITHOUT A WARRANTY OF ANY KIND.`
			`// See the Mozilla Public License for details.`

Rename project to certspotter 2016-05-04 20:49:07 +02:00			`package certspotter`
Initial commit 2016-02-05 03:45:37 +01:00
			`import (`
Run gofmt Signed-off-by: Jonathan Rudenberg <jonathan@titanous.com> 2016-07-28 20:55:46 +02:00			`"fmt"`
Initial commit 2016-02-05 03:45:37 +01:00			`"math/big"`

Move package to software.sslmate.com/src/certspotter 2016-05-04 21:19:59 +02:00			`"software.sslmate.com/src/certspotter/ct"`
Initial commit 2016-02-05 03:45:37 +01:00			`)`

Run gofmt Signed-off-by: Jonathan Rudenberg <jonathan@titanous.com> 2016-07-28 20:55:46 +02:00			`func IsPrecert(entry *ct.LogEntry) bool {`
Replace embedded X509 parser with my own lightweight parser 2016-03-17 00:58:00 +01:00			`return entry.Leaf.TimestampedEntry.EntryType == ct.PrecertLogEntryType`
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs. 2016-02-09 19:28:52 +01:00			`}`

Replace embedded X509 parser with my own lightweight parser 2016-03-17 00:58:00 +01:00			`type CertInfo struct {`
Run gofmt Signed-off-by: Jonathan Rudenberg <jonathan@titanous.com> 2016-07-28 20:55:46 +02:00			`TBS *TBSCertificate`

			`Subject RDNSequence`
			`SubjectParseError error`
			`Issuer RDNSequence`
			`IssuerParseError error`
			`SANs []SubjectAltName`
			`SANsParseError error`
			`SerialNumber *big.Int`
			`SerialNumberParseError error`
			`Validity *CertValidity`
			`ValidityParseError error`
			`IsCA *bool`
			`IsCAParseError error`
Add IsPreCert to CertInfo 2021-10-29 15:28:39 +02:00			`IsPreCert bool`
Replace embedded X509 parser with my own lightweight parser 2016-03-17 00:58:00 +01:00			`}`
Initial commit 2016-02-05 03:45:37 +01:00
Run gofmt Signed-off-by: Jonathan Rudenberg <jonathan@titanous.com> 2016-07-28 20:55:46 +02:00			`func MakeCertInfoFromTBS(tbs TBSCertificate) CertInfo {`
Replace embedded X509 parser with my own lightweight parser 2016-03-17 00:58:00 +01:00			`info := &CertInfo{TBS: tbs}`
Initial commit 2016-02-05 03:45:37 +01:00
Replace embedded X509 parser with my own lightweight parser 2016-03-17 00:58:00 +01:00			`info.Subject, info.SubjectParseError = tbs.ParseSubject()`
			`info.Issuer, info.IssuerParseError = tbs.ParseIssuer()`
Display SANs in output 2016-05-02 20:59:55 +02:00			`info.SANs, info.SANsParseError = tbs.ParseSubjectAltNames()`
Replace embedded X509 parser with my own lightweight parser 2016-03-17 00:58:00 +01:00			`info.SerialNumber, info.SerialNumberParseError = tbs.ParseSerialNumber()`
			`info.Validity, info.ValidityParseError = tbs.ParseValidity()`
Handle certificates with multiple Basic Constraints extensions 2016-04-27 03:06:59 +02:00			`info.IsCA, info.IsCAParseError = tbs.ParseBasicConstraints()`
Add IsPreCert to CertInfo 2021-10-29 15:28:39 +02:00			`info.IsPreCert = len(tbs.GetExtension(oidExtensionCTPoison)) > 0`
Initial commit 2016-02-05 03:45:37 +01:00
Replace embedded X509 parser with my own lightweight parser 2016-03-17 00:58:00 +01:00			`return info`
Initial commit 2016-02-05 03:45:37 +01:00			`}`

Run gofmt Signed-off-by: Jonathan Rudenberg <jonathan@titanous.com> 2016-07-28 20:55:46 +02:00			`func MakeCertInfoFromRawTBS(tbsBytes []byte) (*CertInfo, error) {`
Replace embedded X509 parser with my own lightweight parser 2016-03-17 00:58:00 +01:00			`tbs, err := ParseTBSCertificate(tbsBytes)`
			`if err != nil {`
			`return nil, err`
Initial commit 2016-02-05 03:45:37 +01:00			`}`
Replace embedded X509 parser with my own lightweight parser 2016-03-17 00:58:00 +01:00			`return MakeCertInfoFromTBS(tbs), nil`
Initial commit 2016-02-05 03:45:37 +01:00			`}`

Run gofmt Signed-off-by: Jonathan Rudenberg <jonathan@titanous.com> 2016-07-28 20:55:46 +02:00			`func MakeCertInfoFromRawCert(certBytes []byte) (*CertInfo, error) {`
Replace embedded X509 parser with my own lightweight parser 2016-03-17 00:58:00 +01:00			`cert, err := ParseCertificate(certBytes)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return MakeCertInfoFromRawTBS(cert.GetRawTBSCertificate())`
Initial commit 2016-02-05 03:45:37 +01:00			`}`

Run gofmt Signed-off-by: Jonathan Rudenberg <jonathan@titanous.com> 2016-07-28 20:55:46 +02:00			`func MakeCertInfoFromLogEntry(entry ct.LogEntry) (CertInfo, error) {`
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs. 2016-02-09 19:28:52 +01:00			`switch entry.Leaf.TimestampedEntry.EntryType {`
			`case ct.X509LogEntryType:`
Replace embedded X509 parser with my own lightweight parser 2016-03-17 00:58:00 +01:00			`return MakeCertInfoFromRawCert(entry.Leaf.TimestampedEntry.X509Entry)`

Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs. 2016-02-09 19:28:52 +01:00			`case ct.PrecertLogEntryType:`
Replace embedded X509 parser with my own lightweight parser 2016-03-17 00:58:00 +01:00			`return MakeCertInfoFromRawTBS(entry.Leaf.TimestampedEntry.PrecertEntry.TBSCertificate)`

			`default:`
			`return nil, fmt.Errorf("MakeCertInfoFromCTEntry: unknown CT entry type (neither X509 nor precert)")`
Initial commit 2016-02-05 03:45:37 +01:00			`}`
			`}`

Run gofmt Signed-off-by: Jonathan Rudenberg <jonathan@titanous.com> 2016-07-28 20:55:46 +02:00			`func MatchesWildcard(dnsName string, pattern string) bool {`
Support crazy wildcards (not just in the left-most label) 2016-05-10 19:37:10 +02:00			`for len(pattern) > 0 {`
			`if pattern[0] == '*' {`
Reverse order of certspotter.MatchesWildcard arguments 2016-05-10 23:29:04 +02:00			`if len(dnsName) > 0 && dnsName[0] != '.' && MatchesWildcard(dnsName[1:], pattern) {`
Support crazy wildcards (not just in the left-most label) 2016-05-10 19:37:10 +02:00			`return true`
			`}`
			`pattern = pattern[1:]`
			`} else {`
			`if len(dnsName) == 0 \|\| pattern[0] != dnsName[0] {`
			`return false`
			`}`
			`pattern = pattern[1:]`
			`dnsName = dnsName[1:]`
			`}`
			`}`
			`return len(dnsName) == 0`
			`}`