certspotter/cmd/ctwatch/main.go

package main

import (
	"flag"
	"fmt"
	"os"
	"bufio"
	"strings"

	"golang.org/x/net/idna"

	"src.agwa.name/ctwatch"
	"src.agwa.name/ctwatch/ct"
	"src.agwa.name/ctwatch/cmd"
)

func DefaultStateDir () string {
	if envVar := os.Getenv("CTWATCH_STATE_DIR"); envVar != "" {
		return envVar
	} else {
		return cmd.DefaultStateDir("ctwatch")
	}
}

func trimTrailingDots (value string) string {
	length := len(value)
	for length > 0 && value[length - 1] == '.' {
		length--
	}
	return value[0:length]
}

var stateDir = flag.String("state_dir", DefaultStateDir(), "Directory for storing state")
var watchDomains []string
var watchDomainSuffixes []string

func addWatchDomain (asciiDomain string) {
	watchDomains = append(watchDomains, asciiDomain)
	watchDomainSuffixes = append(watchDomainSuffixes, "." + asciiDomain)
}

func setWatchDomains (domains []string) error {
	for _, domain := range domains {
		if domain == "." { // "." as in root zone (matches everything)
			watchDomains = []string{}
			watchDomainSuffixes = []string{""}
			break
		} else {
			asciiDomain, err := idna.ToASCII(strings.ToLower(trimTrailingDots(domain)))
			if err != nil {
				return fmt.Errorf("Invalid domain `%s': %s", domain, err)
			}

			addWatchDomain(asciiDomain)

			// Also monitor DNS names that _might_ match this domain (wildcards,
			// label redactions, and unparseable labels).
			// For example, if we're monitoring sub.example.com, also monitor:
			//   *.example.com
			//   ?.example.com
			//   <unparsable>.example.com
			// TODO: support for wildcards that are not the entire label (e.g. ac-*.fr)
			var parentDomain string
			if dot := strings.IndexRune(asciiDomain, '.'); dot != -1 {
				parentDomain = asciiDomain[dot:]
			}
			addWatchDomain("*" + parentDomain)
			addWatchDomain("?" + parentDomain)
			addWatchDomain(ctwatch.UnparsableDNSLabelPlaceholder + parentDomain)
		}
	}
	return nil
}

func dnsNameMatches (dnsName string) bool {
	for _, domain := range watchDomains {
		if dnsName == domain {
			return true
		}
	}
	for _, domainSuffix := range watchDomainSuffixes {
		if strings.HasSuffix(dnsName, domainSuffix) {
			return true
		}
	}
	return false
}

func anyDnsNameMatches (dnsNames []string) bool {
	for _, dnsName := range dnsNames {
		if dnsNameMatches(dnsName) {
			return true
		}
	}
	return false
}

func processEntry (scanner *ctwatch.Scanner, entry *ct.LogEntry) {
	info := ctwatch.EntryInfo{
		LogUri:		scanner.LogUri,
		Entry:		entry,
		IsPrecert:	ctwatch.IsPrecert(entry),
		FullChain:	ctwatch.GetFullChain(entry),
	}

	info.CertInfo, info.ParseError = ctwatch.MakeCertInfoFromLogEntry(entry)

	if info.CertInfo != nil {
		info.Identifiers, info.IdentifiersParseError = info.CertInfo.ParseIdentifiers()
	}

	// Fail safe behavior: if info.Identifiers is nil (which is caused by a
	// parse error), report the certificate because we can't say for sure it
	// doesn't match a domain we care about.  We try very hard to make sure
	// parsing identifiers always succeeds, so false alarms should be rare.
	if info.Identifiers == nil || anyDnsNameMatches(info.Identifiers.DNSNames) {
		cmd.LogEntry(&info)
	}
}

func main() {
	flag.Parse()

	if flag.NArg() == 0 {
		fmt.Fprintf(os.Stderr, "Usage: %s [flags] domain ...\n", os.Args[0])
		fmt.Fprintf(os.Stderr, "\n")
		fmt.Fprintf(os.Stderr, "To read domain list from stdin, use '-'. To monitor all domains, use '.'.\n")
		fmt.Fprintf(os.Stderr, "See '%s -help' for a list of valid flags.\n", os.Args[0])
		os.Exit(2)
	}

	if flag.NArg() == 1 && flag.Arg(0) == "-" {
		var domains []string
		scanner := bufio.NewScanner(os.Stdin)
		for scanner.Scan() {
			domains = append(domains, scanner.Text())
		}
		if err := scanner.Err(); err != nil {
			fmt.Fprintf(os.Stderr, "%s: Error reading standard input: %s\n", os.Args[0], err)
			os.Exit(1)
		}
		if err := setWatchDomains(domains); err != nil {
			fmt.Fprintf(os.Stderr, "%s: %s\n", os.Args[0], err)
			os.Exit(1)
		}
	} else {
		if err := setWatchDomains(flag.Args()); err != nil {
			fmt.Fprintf(os.Stderr, "%s: %s\n", os.Args[0], err)
			os.Exit(1)
		}
	}

	cmd.Main(*stateDir, processEntry)
}
Initial commit 2016-02-05 03:45:37 +01:00			`package main`

			`import (`
			`"flag"`
			`"fmt"`
			`"os"`
			`"bufio"`
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs. 2016-02-09 19:28:52 +01:00			`"strings"`
Initial commit 2016-02-05 03:45:37 +01:00
Add support for IDNs IDNs can be specified in either Unicode or ASCII (as Punycode). Certs can specify the DNS name either way, and we'll match it. 2016-04-26 23:38:09 +02:00			`"golang.org/x/net/idna"`

Initial commit 2016-02-05 03:45:37 +01:00			`"src.agwa.name/ctwatch"`
Embed Google CT library, with my own changes 2016-02-18 19:44:56 +01:00			`"src.agwa.name/ctwatch/ct"`
Initial commit 2016-02-05 03:45:37 +01:00			`"src.agwa.name/ctwatch/cmd"`
			`)`

ctwatch: allow state dir to be set by $CTWATCH_STATE_DIR 2016-03-08 16:09:26 +01:00			`func DefaultStateDir () string {`
			`if envVar := os.Getenv("CTWATCH_STATE_DIR"); envVar != "" {`
			`return envVar`
			`} else {`
			`return cmd.DefaultStateDir("ctwatch")`
			`}`
			`}`

Trim trailing dots from DNS names 2016-05-01 21:49:26 +02:00			`func trimTrailingDots (value string) string {`
			`length := len(value)`
			`for length > 0 && value[length - 1] == '.' {`
			`length--`
			`}`
			`return value[0:length]`
			`}`

ctwatch: allow state dir to be set by $CTWATCH_STATE_DIR 2016-03-08 16:09:26 +01:00			`var stateDir = flag.String("state_dir", DefaultStateDir(), "Directory for storing state")`
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs. 2016-02-09 19:28:52 +01:00			`var watchDomains []string`
			`var watchDomainSuffixes []string`

Monitor for all DNS names that _might_ match a monitored domain Wildcards, redacted labels, and unparseable labels. 2016-04-29 18:02:03 +02:00			`func addWatchDomain (asciiDomain string) {`
			`watchDomains = append(watchDomains, asciiDomain)`
			`watchDomainSuffixes = append(watchDomainSuffixes, "." + asciiDomain)`
			`}`

Add support for IDNs IDNs can be specified in either Unicode or ASCII (as Punycode). Certs can specify the DNS name either way, and we'll match it. 2016-04-26 23:38:09 +02:00			`func setWatchDomains (domains []string) error {`
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs. 2016-02-09 19:28:52 +01:00			`for _, domain := range domains {`
Allow . to be specified on stdin as well 2016-02-22 23:18:56 +01:00			`if domain == "." { // "." as in root zone (matches everything)`
			`watchDomains = []string{}`
			`watchDomainSuffixes = []string{""}`
			`break`
			`} else {`
Trim trailing dots from DNS names 2016-05-01 21:49:26 +02:00			`asciiDomain, err := idna.ToASCII(strings.ToLower(trimTrailingDots(domain)))`
Add support for IDNs IDNs can be specified in either Unicode or ASCII (as Punycode). Certs can specify the DNS name either way, and we'll match it. 2016-04-26 23:38:09 +02:00			`if err != nil {`
			return fmt.Errorf("Invalid domain `%s': %s", domain, err)
			`}`

Monitor for all DNS names that _might_ match a monitored domain Wildcards, redacted labels, and unparseable labels. 2016-04-29 18:02:03 +02:00			`addWatchDomain(asciiDomain)`
Gracefully handle all manner of poorly encoded identifiers Also add preliminary support for IP address identifiers. 2016-04-29 06:26:59 +02:00
Monitor for all DNS names that _might_ match a monitored domain Wildcards, redacted labels, and unparseable labels. 2016-04-29 18:02:03 +02:00			`// Also monitor DNS names that _might_ match this domain (wildcards,`
			`// label redactions, and unparseable labels).`
			`// For example, if we're monitoring sub.example.com, also monitor:`
			`// *.example.com`
			`// ?.example.com`
Only replace DNS label with placeholder if it's utterly unparsable e.g. contains control characters, Punycode conversion fails There are quite simply too many certs with bogus DNS labels out in the wild, and it just doesn't make sense to bother every .com domain holder because GoDaddy signed a cert with a DNS name like "www. just4funpartyrentals.com" It is highly unlikely any validator will ever match that DNS name. 2016-05-04 20:43:02 +02:00			`// <unparsable>.example.com`
			`// TODO: support for wildcards that are not the entire label (e.g. ac-*.fr)`
Monitor for all DNS names that _might_ match a monitored domain Wildcards, redacted labels, and unparseable labels. 2016-04-29 18:02:03 +02:00			`var parentDomain string`
Gracefully handle all manner of poorly encoded identifiers Also add preliminary support for IP address identifiers. 2016-04-29 06:26:59 +02:00			`if dot := strings.IndexRune(asciiDomain, '.'); dot != -1 {`
Monitor for all DNS names that _might_ match a monitored domain Wildcards, redacted labels, and unparseable labels. 2016-04-29 18:02:03 +02:00			`parentDomain = asciiDomain[dot:]`
Add support for IDNs IDNs can be specified in either Unicode or ASCII (as Punycode). Certs can specify the DNS name either way, and we'll match it. 2016-04-26 23:38:09 +02:00			`}`
Monitor for all DNS names that _might_ match a monitored domain Wildcards, redacted labels, and unparseable labels. 2016-04-29 18:02:03 +02:00			`addWatchDomain("*" + parentDomain)`
			`addWatchDomain("?" + parentDomain)`
Only replace DNS label with placeholder if it's utterly unparsable e.g. contains control characters, Punycode conversion fails There are quite simply too many certs with bogus DNS labels out in the wild, and it just doesn't make sense to bother every .com domain holder because GoDaddy signed a cert with a DNS name like "www. just4funpartyrentals.com" It is highly unlikely any validator will ever match that DNS name. 2016-05-04 20:43:02 +02:00			`addWatchDomain(ctwatch.UnparsableDNSLabelPlaceholder + parentDomain)`
Allow . to be specified on stdin as well 2016-02-22 23:18:56 +01:00			`}`
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs. 2016-02-09 19:28:52 +01:00			`}`
Add support for IDNs IDNs can be specified in either Unicode or ASCII (as Punycode). Certs can specify the DNS name either way, and we'll match it. 2016-04-26 23:38:09 +02:00			`return nil`
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs. 2016-02-09 19:28:52 +01:00			`}`

			`func dnsNameMatches (dnsName string) bool {`
			`for _, domain := range watchDomains {`
Gracefully handle all manner of poorly encoded identifiers Also add preliminary support for IP address identifiers. 2016-04-29 06:26:59 +02:00			`if dnsName == domain {`
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs. 2016-02-09 19:28:52 +01:00			`return true`
			`}`
			`}`
			`for _, domainSuffix := range watchDomainSuffixes {`
Gracefully handle all manner of poorly encoded identifiers Also add preliminary support for IP address identifiers. 2016-04-29 06:26:59 +02:00			`if strings.HasSuffix(dnsName, domainSuffix) {`
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs. 2016-02-09 19:28:52 +01:00			`return true`
			`}`
			`}`
			`return false`
			`}`

			`func anyDnsNameMatches (dnsNames []string) bool {`
			`for _, dnsName := range dnsNames {`
			`if dnsNameMatches(dnsName) {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

			`func processEntry (scanner ctwatch.Scanner, entry ct.LogEntry) {`
			`info := ctwatch.EntryInfo{`
			`LogUri: scanner.LogUri,`
			`Entry: entry,`
Replace embedded X509 parser with my own lightweight parser 2016-03-17 00:58:00 +01:00			`IsPrecert: ctwatch.IsPrecert(entry),`
			`FullChain: ctwatch.GetFullChain(entry),`
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs. 2016-02-09 19:28:52 +01:00			`}`

Rename a function for clarity 2016-03-18 00:34:53 +01:00			`info.CertInfo, info.ParseError = ctwatch.MakeCertInfoFromLogEntry(entry)`
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs. 2016-02-09 19:28:52 +01:00
Move Identifiers from CertInfo to EntryInfo It's more logical, and it avoids some redundant parsing. 2016-05-03 20:58:59 +02:00			`if info.CertInfo != nil {`
			`info.Identifiers, info.IdentifiersParseError = info.CertInfo.ParseIdentifiers()`
			`}`

			`// Fail safe behavior: if info.Identifiers is nil (which is caused by a`
			`// parse error), report the certificate because we can't say for sure it`
			`// doesn't match a domain we care about. We try very hard to make sure`
			`// parsing identifiers always succeeds, so false alarms should be rare.`
			`if info.Identifiers == nil \|\| anyDnsNameMatches(info.Identifiers.DNSNames) {`
Parse common names separately from DNS names 2016-04-23 05:58:33 +02:00			`cmd.LogEntry(&info)`
Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs. 2016-02-09 19:28:52 +01:00			`}`
			`}`
New and simplified multi-log operation 2016-02-05 05:16:25 +01:00
Initial commit 2016-02-05 03:45:37 +01:00			`func main() {`
			`flag.Parse()`

To monitor all domains, require "." to be specified Now that we save all certs by default, we want to prevent people from accidentally monitoring all domains, which could lead to MASSIVE disk usage. "." is used because it denotes the root zone in DNS. 2016-02-05 17:13:11 +01:00			`if flag.NArg() == 0 {`
			`fmt.Fprintf(os.Stderr, "Usage: %s [flags] domain ...\n", os.Args[0])`
			`fmt.Fprintf(os.Stderr, "\n")`
			`fmt.Fprintf(os.Stderr, "To read domain list from stdin, use '-'. To monitor all domains, use '.'.\n")`
			`fmt.Fprintf(os.Stderr, "See '%s -help' for a list of valid flags.\n", os.Args[0])`
			`os.Exit(2)`
			`}`

New and simplified multi-log operation 2016-02-05 05:16:25 +01:00			`if flag.NArg() == 1 && flag.Arg(0) == "-" {`
To monitor all domains, require "." to be specified Now that we save all certs by default, we want to prevent people from accidentally monitoring all domains, which could lead to MASSIVE disk usage. "." is used because it denotes the root zone in DNS. 2016-02-05 17:13:11 +01:00			`var domains []string`
Initial commit 2016-02-05 03:45:37 +01:00			`scanner := bufio.NewScanner(os.Stdin)`
			`for scanner.Scan() {`
			`domains = append(domains, scanner.Text())`
			`}`
			`if err := scanner.Err(); err != nil {`
New and simplified multi-log operation 2016-02-05 05:16:25 +01:00			`fmt.Fprintf(os.Stderr, "%s: Error reading standard input: %s\n", os.Args[0], err)`
Use bits in the exit code to convey what happened 2016-02-22 23:45:50 +01:00			`os.Exit(1)`
Initial commit 2016-02-05 03:45:37 +01:00			`}`
Add support for IDNs IDNs can be specified in either Unicode or ASCII (as Punycode). Certs can specify the DNS name either way, and we'll match it. 2016-04-26 23:38:09 +02:00			`if err := setWatchDomains(domains); err != nil {`
			`fmt.Fprintf(os.Stderr, "%s: %s\n", os.Args[0], err)`
			`os.Exit(1)`
			`}`
Initial commit 2016-02-05 03:45:37 +01:00			`} else {`
Add support for IDNs IDNs can be specified in either Unicode or ASCII (as Punycode). Certs can specify the DNS name either way, and we'll match it. 2016-04-26 23:38:09 +02:00			`if err := setWatchDomains(flag.Args()); err != nil {`
			`fmt.Fprintf(os.Stderr, "%s: %s\n", os.Args[0], err)`
			`os.Exit(1)`
			`}`
Initial commit 2016-02-05 03:45:37 +01:00			`}`

Overhaul to be more robust and simpler All certificates are now parsed with a special, extremely lax parser that extracts only the DNS names. Only if the DNS names match the domains we're interested in will we attempt to parse the cert with the real X509 parser. This ensures that we won't miss a very badly encoded certificate that has been issued for a monitored domain. As of the time of commit, the lax parser is able to process every logged certificate in the known logs. 2016-02-09 19:28:52 +01:00			`cmd.Main(*stateDir, processEntry)`
Initial commit 2016-02-05 03:45:37 +01:00			`}`