certspotter/helpers.go

package ctwatch

import (
	"fmt"
	"time"
	"os"
	"os/exec"
	"bytes"
	"io"
	"io/ioutil"
	"math/big"
	"path/filepath"
	"strconv"
	"strings"
	"crypto/sha256"
	"encoding/hex"
	"encoding/pem"
	"encoding/json"

	"github.com/google/certificate-transparency/go"
	"github.com/google/certificate-transparency/go/x509"
	"github.com/google/certificate-transparency/go/x509/pkix"
)

func ReadStateFile (path string) (*ct.SignedTreeHead, error) {
	content, err := ioutil.ReadFile(path)
	if err != nil {
		if os.IsNotExist(err) {
			return nil, nil
		}
		return nil, err
	}

	var sth ct.SignedTreeHead
	if err := json.Unmarshal(content, &sth); err != nil {
		return nil, err
	}

	return &sth, nil
}

func WriteStateFile (path string, sth *ct.SignedTreeHead) error {
	sthJson, err := json.MarshalIndent(sth, "", "\t")
	if err != nil {
		return err
	}
	sthJson = append(sthJson, byte('\n'))
	return ioutil.WriteFile(path, sthJson, 0666)
}

func EntryDNSNames (entry *ct.LogEntry) ([]string, error) {
	switch entry.Leaf.TimestampedEntry.EntryType {
	case ct.X509LogEntryType:
		return ExtractDNSNames(entry.Leaf.TimestampedEntry.X509Entry)
	case ct.PrecertLogEntryType:
		return ExtractDNSNamesFromTBS(entry.Leaf.TimestampedEntry.PrecertEntry.TBSCertificate)
	}
	panic("EntryDNSNames: entry is neither precert nor x509")
}

func ParseEntryCertificate (entry *ct.LogEntry) (*x509.Certificate, error) {
	if entry.Precert != nil {
		// already parsed
		return &entry.Precert.TBSCertificate, nil
	} else if entry.X509Cert != nil {
		// already parsed
		return entry.X509Cert, nil
	} else if entry.Leaf.TimestampedEntry.EntryType == ct.PrecertLogEntryType {
		return x509.ParseTBSCertificate(entry.Leaf.TimestampedEntry.PrecertEntry.TBSCertificate)
	} else if entry.Leaf.TimestampedEntry.EntryType == ct.X509LogEntryType {
		return x509.ParseCertificate(entry.Leaf.TimestampedEntry.X509Entry)
	} else {
		panic("ParseEntryCertificate: entry is neither precert nor x509")
	}
}

func appendDnArray (buf *bytes.Buffer, code string, values []string) {
	for _, value := range values {
		if buf.Len() != 0 {
			buf.WriteString(", ")
		}
		buf.WriteString(code)
		buf.WriteString("=")
		buf.WriteString(value)
	}
}

func appendDnValue (buf *bytes.Buffer, code string, value string) {
	if value != "" {
		appendDnArray(buf, code, []string{value})
	}
}

func formatDN (name pkix.Name) (string) {
	// C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware
	var buf bytes.Buffer
	appendDnArray(&buf, "C", name.Country)
	appendDnArray(&buf, "ST", name.Province)
	appendDnArray(&buf, "L", name.Locality)
	appendDnArray(&buf, "O", name.Organization)
	appendDnArray(&buf, "OU", name.OrganizationalUnit)
	appendDnValue(&buf, "CN", name.CommonName)
	return buf.String()
}

func allDNSNames (cert *x509.Certificate) []string {
	dnsNames := []string{}

	if cert.Subject.CommonName != "" {
		dnsNames = append(dnsNames, cert.Subject.CommonName)
	}

	for _, dnsName := range cert.DNSNames {
		if dnsName != cert.Subject.CommonName {
			dnsNames = append(dnsNames, dnsName)
		}
	}

	return dnsNames
}

func formatSerial (serial *big.Int) string {
	if serial != nil {
		return fmt.Sprintf("%x", serial)
	} else {
		return ""
	}
}

func sha256hex (data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

func GetRawCert (entry *ct.LogEntry) []byte {
	switch entry.Leaf.TimestampedEntry.EntryType {
	case ct.X509LogEntryType:
		return entry.Leaf.TimestampedEntry.X509Entry
	case ct.PrecertLogEntryType:
		return entry.Chain[0]
	}
	panic("GetRawCert: entry is neither precert nor x509")
}

func IsPrecert (entry *ct.LogEntry) bool {
	switch entry.Leaf.TimestampedEntry.EntryType {
	case ct.PrecertLogEntryType:
		return true
	case ct.X509LogEntryType:
		return false
	}
	panic("IsPrecert: entry is neither precert nor x509")
}

type EntryInfo struct {
	LogUri		string
	Entry		*ct.LogEntry
	ParsedCert	*x509.Certificate
	ParseError	error
	CertInfo	CertInfo
	Filename	string
}

type CertInfo struct {
	DnsNames	[]string
	SubjectDn	string
	IssuerDn	string
	Serial		string
	PubkeyHash	string
	NotBefore	*time.Time
	NotAfter	*time.Time
}

func MakeCertInfo (cert *x509.Certificate) CertInfo {
	return CertInfo {
		DnsNames:	allDNSNames(cert),
		SubjectDn:	formatDN(cert.Subject),
		IssuerDn:	formatDN(cert.Issuer),
		Serial:		formatSerial(cert.SerialNumber),
		PubkeyHash:	sha256hex(cert.RawSubjectPublicKeyInfo),
		NotBefore:	&cert.NotBefore,
		NotAfter:	&cert.NotAfter,
	}
}

func (info *CertInfo) dnsNamesFriendlyString () string {
	if info.DnsNames != nil {
		return strings.Join(info.DnsNames, ", ")
	} else {
		return "*** UNKNOWN ***"
	}
}

func (info *CertInfo) Environ () []string {
	var env []string
	if info.DnsNames != nil   { env = append(env, "DNS_NAMES=" + strings.Join(info.DnsNames, ",")) }
	if info.SubjectDn != ""   { env = append(env, "SUBJECT_DN=" + info.SubjectDn) }
	if info.IssuerDn != ""    { env = append(env, "ISSUER_DN=" + info.IssuerDn) }
	if info.Serial != ""      { env = append(env, "SERIAL=" + info.Serial) }
	if info.PubkeyHash != ""  { env = append(env, "PUBKEY_HASH=" + info.PubkeyHash) }
	if info.NotBefore != nil  { env = append(env, "NOT_BEFORE=" + strconv.FormatInt(info.NotBefore.Unix(), 10)) }
	if info.NotAfter != nil   { env = append(env, "NOT_AFTER=" + strconv.FormatInt(info.NotAfter.Unix(), 10)) }
	return env
}

func (info *EntryInfo) GetRawCert () []byte {
	return GetRawCert(info.Entry)
}

func (info *EntryInfo) Fingerprint () string {
	return sha256hex(info.GetRawCert())
}

func (info *EntryInfo) IsPrecert () bool {
	return IsPrecert(info.Entry)
}

func (info *EntryInfo) typeString () string {
	if info.IsPrecert() {
		return "precert"
	} else {
		return "cert"
	}
}

func (info *EntryInfo) typeFriendlyString () string {
	if info.IsPrecert() {
		return "Pre-certificate"
	} else {
		return "Certificate"
	}
}

func yesnoString (value bool) string {
	if value {
		return "yes"
	} else {
		return "no"
	}
}

func (info *EntryInfo) Environ () []string {
	env := []string{
		"FINGERPRINT=" + info.Fingerprint(),
		"CERT_TYPE=" + info.typeString(),
		"CERT_PARSEABLE=" + yesnoString(info.ParsedCert != nil),
		"LOG_URI=" + info.LogUri,
		"ENTRY_INDEX=" + strconv.FormatInt(info.Entry.Index, 10),
	}

	if info.Filename != "" {
		env = append(env, "CERT_FILENAME=" + info.Filename)
	}
	if info.ParseError != nil {
		env = append(env, "PARSE_ERROR=" + info.ParseError.Error())
	}

	certEnv := info.CertInfo.Environ()
	env = append(env, certEnv...)

	return env
}

func (info *EntryInfo) Write (out io.Writer) {
	fingerprint := info.Fingerprint()
	fmt.Fprintf(out, "%s:\n", fingerprint)
	if info.ParseError != nil {
		if info.ParsedCert != nil {
			fmt.Fprintf(out, "\tParse Warning = *** %s ***\n", info.ParseError)
		} else {
			fmt.Fprintf(out, "\t  Parse Error = *** %s ***\n", info.ParseError)
		}
	}
	fmt.Fprintf(out, "\t    DNS Names = %s\n", info.CertInfo.dnsNamesFriendlyString())
	if info.CertInfo.PubkeyHash != "" { fmt.Fprintf(out, "\t       Pubkey = %s\n", info.CertInfo.PubkeyHash) }
	if info.CertInfo.SubjectDn != ""  { fmt.Fprintf(out, "\t      Subject = %s\n", info.CertInfo.SubjectDn) }
	if info.CertInfo.IssuerDn != ""   { fmt.Fprintf(out, "\t       Issuer = %s\n", info.CertInfo.IssuerDn) }
	if info.CertInfo.Serial != ""     { fmt.Fprintf(out, "\t       Serial = %s\n", info.CertInfo.Serial) }
	if info.CertInfo.NotBefore != nil { fmt.Fprintf(out, "\t   Not Before = %s\n", *info.CertInfo.NotBefore) }
	if info.CertInfo.NotAfter != nil  { fmt.Fprintf(out, "\t    Not After = %s\n", *info.CertInfo.NotAfter) }
	fmt.Fprintf(out, "\t         Type = %s\n", info.typeFriendlyString())
	fmt.Fprintf(out, "\t    Log Entry = %d @ %s\n", info.Entry.Index, info.LogUri)
	fmt.Fprintf(out, "\t       crt.sh = https://crt.sh/?q=%s\n", fingerprint)
	if info.Filename != ""            { fmt.Fprintf(out, "\t     Filename = %s\n", info.Filename) }
}

func (info *EntryInfo) InvokeHookScript (command string) error {
	cmd := exec.Command(command)
	cmd.Env = os.Environ()
	infoEnv := info.Environ()
	cmd.Env = append(cmd.Env, infoEnv...)
	stderrBuffer := bytes.Buffer{}
	cmd.Stderr = &stderrBuffer
	if err := cmd.Run(); err != nil {
		if _, isExitError := err.(*exec.ExitError); isExitError {
			fmt.Errorf("Script failed: %s: %s", command, strings.TrimSpace(stderrBuffer.String()))
		} else {
			fmt.Errorf("Failed to execute script: %s: %s", command, err)
		}
	}
	return nil
}

func WriteCertRepository (repoPath string, entry *ct.LogEntry) (bool, string, error) {
	fingerprint := sha256hex(GetRawCert(entry))
	prefixPath := filepath.Join(repoPath, fingerprint[0:2])
	var filenameSuffix string
	if entry.Leaf.TimestampedEntry.EntryType == ct.PrecertLogEntryType {
		filenameSuffix = ".precert.pem"
	} else if entry.Leaf.TimestampedEntry.EntryType == ct.X509LogEntryType {
		filenameSuffix = ".cert.pem"
	}
	if err := os.Mkdir(prefixPath, 0777); err != nil && !os.IsExist(err) {
		return false, "", fmt.Errorf("Failed to create prefix directory %s: %s", prefixPath, err)
	}
	path := filepath.Join(prefixPath, fingerprint + filenameSuffix)
	file, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0666)
	if err != nil {
		if os.IsExist(err) {
			return true, path, nil
		} else {
			return false, path, fmt.Errorf("Failed to open %s for writing: %s", path, err)
		}
	}
	if entry.Leaf.TimestampedEntry.EntryType == ct.X509LogEntryType {
		if err := pem.Encode(file, &pem.Block{Type: "CERTIFICATE", Bytes: entry.Leaf.TimestampedEntry.X509Entry}); err != nil {
			file.Close()
			return false, path, fmt.Errorf("Error writing to %s: %s", path, err)
		}
	}
	for _, chainCert := range entry.Chain {
		if err := pem.Encode(file, &pem.Block{Type: "CERTIFICATE", Bytes: chainCert}); err != nil {
			file.Close()
			return false, path, fmt.Errorf("Error writing to %s: %s", path, err)
		}
	}
	if err := file.Close(); err != nil {
		return false, path, fmt.Errorf("Error writing to %s: %s", path, err)
	}

	return false, path, nil
}