Add PubkeySHA256 to discoveredCert

This commit is contained in:
Andrew Ayer 2023-02-05 08:08:07 -05:00
parent 05bf3d0c62
commit 03c21ed118
2 changed files with 6 additions and 11 deletions


@ -11,7 +11,6 @@ package monitor
import ( import (
"bytes" "bytes"
"crypto/sha256"
"encoding/hex" "encoding/hex"
"encoding/json" "encoding/json"
"encoding/pem" "encoding/pem"
@ -29,6 +28,7 @@ type discoveredCert struct {
Info *certspotter.CertInfo Info *certspotter.CertInfo
Chain []ct.ASN1Cert // first entry is the leaf certificate or precertificate Chain []ct.ASN1Cert // first entry is the leaf certificate or precertificate
LeafSHA256 [32]byte // computed over Chain[0] LeafSHA256 [32]byte // computed over Chain[0]
PubkeySHA256 [32]byte // computed over Info.TBS.PublicKey.FullBytes
Identifiers *certspotter.Identifiers Identifiers *certspotter.Identifiers
CertPath string // empty if not saved on the filesystem CertPath string // empty if not saved on the filesystem
JSONPath string // empty if not saved on the filesystem JSONPath string // empty if not saved on the filesystem
@ -49,11 +49,9 @@ func (cert *discoveredCert) pemChain() []byte {
} }
func (cert *discoveredCert) json() []byte { func (cert *discoveredCert) json() []byte {
pubkeySha256 := sha256.Sum256(cert.Info.TBS.GetRawPublicKey())
object := map[string]any{ object := map[string]any{
"cert_sha256": hex.EncodeToString(cert.LeafSHA256[:]), "cert_sha256": hex.EncodeToString(cert.LeafSHA256[:]),
"pubkey_sha256": hex.EncodeToString(pubkeySha256[:]), "pubkey_sha256": hex.EncodeToString(cert.PubkeySHA256[:]),
"issuer_der": cert.Info.TBS.Issuer.FullBytes, "issuer_der": cert.Info.TBS.Issuer.FullBytes,
"subject_der": cert.Info.TBS.Subject.FullBytes, "subject_der": cert.Info.TBS.Subject.FullBytes,
"dns_names": cert.Identifiers.DNSNames, "dns_names": cert.Identifiers.DNSNames,
@ -95,8 +93,6 @@ func (cert *discoveredCert) save() error {
} }
func (cert *discoveredCert) Environ() []string { func (cert *discoveredCert) Environ() []string {
pubkeySha256 := sha256.Sum256(cert.Info.TBS.GetRawPublicKey())
env := []string{ env := []string{
"EVENT=discovered_cert", "EVENT=discovered_cert",
"SUMMARY=certificate discovered for " + cert.WatchItem.String(), "SUMMARY=certificate discovered for " + cert.WatchItem.String(),
@ -106,8 +102,8 @@ func (cert *discoveredCert) Environ() []string {
"WATCH_ITEM=" + cert.WatchItem.String(), "WATCH_ITEM=" + cert.WatchItem.String(),
"CERT_SHA256=" + hex.EncodeToString(cert.LeafSHA256[:]), "CERT_SHA256=" + hex.EncodeToString(cert.LeafSHA256[:]),
"FINGERPRINT=" + hex.EncodeToString(cert.LeafSHA256[:]), // backwards compat with pre-0.15.0; not documented "FINGERPRINT=" + hex.EncodeToString(cert.LeafSHA256[:]), // backwards compat with pre-0.15.0; not documented
"PUBKEY_SHA256=" + hex.EncodeToString(pubkeySha256[:]), "PUBKEY_SHA256=" + hex.EncodeToString(cert.PubkeySHA256[:]),
"PUBKEY_HASH=" + hex.EncodeToString(pubkeySha256[:]), // backwards compat with pre-0.15.0; not documented "PUBKEY_HASH=" + hex.EncodeToString(cert.PubkeySHA256[:]), // backwards compat with pre-0.15.0; not documented
"CERT_FILENAME=" + cert.CertPath, "CERT_FILENAME=" + cert.CertPath,
"JSON_FILENAME=" + cert.JSONPath, "JSON_FILENAME=" + cert.JSONPath,
"TEXT_FILENAME=" + cert.TextPath, "TEXT_FILENAME=" + cert.TextPath,
@ -151,8 +147,6 @@ func (cert *discoveredCert) Text() string {
text := new(strings.Builder) text := new(strings.Builder)
writeField := func(name string, value any) { fmt.Fprintf(text, "\t%13s = %s\n", name, value) } writeField := func(name string, value any) { fmt.Fprintf(text, "\t%13s = %s\n", name, value) }
pubkeySha256 := sha256.Sum256(cert.Info.TBS.GetRawPublicKey())
fmt.Fprintf(text, "%x:\n", cert.LeafSHA256) fmt.Fprintf(text, "%x:\n", cert.LeafSHA256)
for _, dnsName := range cert.Identifiers.DNSNames { for _, dnsName := range cert.Identifiers.DNSNames {
writeField("DNS Name", dnsName) writeField("DNS Name", dnsName)
@ -160,7 +154,7 @@ func (cert *discoveredCert) Text() string {
for _, ipaddr := range cert.Identifiers.IPAddrs { for _, ipaddr := range cert.Identifiers.IPAddrs {
writeField("IP Address", ipaddr) writeField("IP Address", ipaddr)
} }
writeField("Pubkey", hex.EncodeToString(pubkeySha256[:])) writeField("Pubkey", hex.EncodeToString(cert.PubkeySHA256[:]))
if cert.Info.IssuerParseError == nil { if cert.Info.IssuerParseError == nil {
writeField("Issuer", cert.Info.Issuer) writeField("Issuer", cert.Info.Issuer)
} else { } else {
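Review bot: The `"pubkey_sha256"` entry in json(), and likewise the `PUBKEY_SHA256`/`PUBKEY_HASH` lines in Environ() and the `Pubkey` field in Text(), now read `cert.PubkeySHA256` instead of hashing on demand, so a discoveredCert built without that field set would silently emit 64 hex zeros rather than fail; only one constructor is visible in this commit, so I cannot tell whether other call sites exist. Since the value is consumed by scripts and stored in the JSON file, I would make the invariant explicit on the struct field, e.g. `PubkeySHA256 [32]byte // computed over Info.TBS.PublicKey.FullBytes; must be populated wherever a discoveredCert is constructed`. The bodies of json(), Environ() and Text() all begin or end outside the hunks shown.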


@ -93,6 +93,7 @@ func processCertificate(ctx context.Context, config *Config, entry *logEntry, ce
Info: certInfo, Info: certInfo,
Chain: chain, Chain: chain,
LeafSHA256: sha256.Sum256(chain[0]), LeafSHA256: sha256.Sum256(chain[0]),
PubkeySHA256: sha256.Sum256(certInfo.TBS.PublicKey.FullBytes),
Identifiers: identifiers, Identifiers: identifiers,
} }
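Review bot: The new `PubkeySHA256: sha256.Sum256(certInfo.TBS.PublicKey.FullBytes)` line hashes `PublicKey.FullBytes` directly, whereas the code it replaces hashed `cert.Info.TBS.GetRawPublicKey()`; if that accessor returns anything other than `PublicKey.FullBytes`, the documented PUBKEY_SHA256 value changes for every certificate, which would break scripts and saved JSON that compare it across versions. I cannot see GetRawPublicKey's definition from here, so this may be an identical byte sequence, but the equivalence is worth stating in the commit or in a comment on this line, e.g. `// same bytes GetRawPublicKey() returned, so PUBKEY_SHA256 is unchanged`. processCertificate starts and ends outside the hunk.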