Andrew Ayer
parent
0dbe647121
commit
196b3e3bef
|
|
@ -1 +0,0 @@
|
|||
/submitct
|
||||
|
|
@ -1,238 +0,0 @@
|
|||
// Copyright (C) 2017 Opsmate, Inc.
|
||||
//
|
||||
// This Source Code Form is subject to the terms of the Mozilla
|
||||
// Public License, v. 2.0. If a copy of the MPL was not distributed
|
||||
// with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
//
|
||||
// This software is distributed WITHOUT A WARRANTY OF ANY KIND.
|
||||
// See the Mozilla Public License for details.
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"software.sslmate.com/src/certspotter"
|
||||
"software.sslmate.com/src/certspotter/ct"
|
||||
"software.sslmate.com/src/certspotter/ct/client"
|
||||
"software.sslmate.com/src/certspotter/loglist"
|
||||
|
||||
"bytes"
|
||||
"context"
|
||||
"crypto/sha256"
|
||||
"crypto/x509"
|
||||
"encoding/pem"
|
||||
"flag"
|
||||
"fmt"
|
||||
"io"
|
||||
"log"
|
||||
"os"
|
||||
"strings"
|
||||
"sync"
|
||||
"sync/atomic"
|
||||
"time"
|
||||
)
|
||||
|
||||
const defaultLogList = "https://loglist.certspotter.org/submit.json"
|
||||
|
||||
var verbose = flag.Bool("v", false, "Enable verbose output")
|
||||
var logsURL = flag.String("logs", defaultLogList, "File path or URL of JSON list of logs to submit to")
|
||||
|
||||
type Certificate struct {
|
||||
Subject []byte
|
||||
Issuer []byte
|
||||
Raw []byte
|
||||
Expiration time.Time
|
||||
}
|
||||
|
||||
func (cert *Certificate) Fingerprint() [32]byte {
|
||||
return sha256.Sum256(cert.Raw)
|
||||
}
|
||||
|
||||
func (cert *Certificate) CommonName() string {
|
||||
subject, err := certspotter.ParseRDNSequence(cert.Subject)
|
||||
if err != nil {
|
||||
return "???"
|
||||
}
|
||||
cns, err := subject.ParseCNs()
|
||||
if err != nil || len(cns) == 0 {
|
||||
return "???"
|
||||
}
|
||||
return cns[0]
|
||||
}
|
||||
|
||||
func parseCertificate(data []byte) (*Certificate, error) {
|
||||
crt, err := certspotter.ParseCertificate(data)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
tbs, err := crt.ParseTBSCertificate()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
validity, err := tbs.ParseValidity()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return &Certificate{
|
||||
Subject: tbs.Subject.FullBytes,
|
||||
Issuer: tbs.Issuer.FullBytes,
|
||||
Raw: data,
|
||||
Expiration: validity.NotAfter,
|
||||
}, nil
|
||||
}
|
||||
|
||||
type Chain []*Certificate
|
||||
|
||||
func (c Chain) GetRawCerts() [][]byte {
|
||||
rawCerts := make([][]byte, len(c))
|
||||
for i := range c {
|
||||
rawCerts[i] = c[i].Raw
|
||||
}
|
||||
return rawCerts
|
||||
}
|
||||
|
||||
type CertificateBunch struct {
|
||||
byFingerprint map[[32]byte]*Certificate
|
||||
bySubject map[[32]byte]*Certificate
|
||||
}
|
||||
|
||||
func MakeCertificateBunch() CertificateBunch {
|
||||
return CertificateBunch{
|
||||
byFingerprint: make(map[[32]byte]*Certificate),
|
||||
bySubject: make(map[[32]byte]*Certificate),
|
||||
}
|
||||
}
|
||||
|
||||
func (certs *CertificateBunch) Add(cert *Certificate) {
|
||||
certs.byFingerprint[cert.Fingerprint()] = cert
|
||||
certs.bySubject[sha256.Sum256(cert.Subject)] = cert
|
||||
}
|
||||
|
||||
func (certs *CertificateBunch) FindBySubject(subject []byte) *Certificate {
|
||||
return certs.bySubject[sha256.Sum256(subject)]
|
||||
}
|
||||
|
||||
type Log struct {
|
||||
*loglist.Log
|
||||
*ct.SignatureVerifier
|
||||
*client.LogClient
|
||||
}
|
||||
|
||||
func (ctlog *Log) SubmitChain(chain Chain) (*ct.SignedCertificateTimestamp, error) {
|
||||
rawCerts := chain.GetRawCerts()
|
||||
sct, err := ctlog.AddChain(context.Background(), rawCerts)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if err := certspotter.VerifyX509SCT(sct, rawCerts[0], ctlog.SignatureVerifier); err != nil {
|
||||
return nil, fmt.Errorf("Bad SCT signature: %s", err)
|
||||
}
|
||||
return sct, nil
|
||||
}
|
||||
|
||||
func buildChain(cert *Certificate, certs *CertificateBunch) Chain {
|
||||
chain := make([]*Certificate, 0)
|
||||
for len(chain) < 16 && cert != nil && !bytes.Equal(cert.Subject, cert.Issuer) {
|
||||
chain = append(chain, cert)
|
||||
cert = certs.FindBySubject(cert.Issuer)
|
||||
}
|
||||
return chain
|
||||
}
|
||||
|
||||
func main() {
|
||||
flag.Parse()
|
||||
log.SetPrefix("submitct: ")
|
||||
|
||||
certsPem, err := io.ReadAll(os.Stdin)
|
||||
if err != nil {
|
||||
log.Fatalf("Error reading stdin: %s", err)
|
||||
}
|
||||
|
||||
list, err := loglist.Load(context.Background(), *logsURL)
|
||||
if err != nil {
|
||||
log.Fatalf("Error loading log list: %s", err)
|
||||
}
|
||||
|
||||
var logs []Log
|
||||
for _, ctlog := range list.AllLogs() {
|
||||
submissionURL := ctlog.GetSubmissionURL()
|
||||
pubkey, err := x509.ParsePKIXPublicKey(ctlog.Key)
|
||||
if err != nil {
|
||||
log.Fatalf("%s: Failed to parse log public key: %s", submissionURL, err)
|
||||
}
|
||||
verifier, err := ct.NewSignatureVerifier(pubkey)
|
||||
if err != nil {
|
||||
log.Fatalf("%s: Failed to create signature verifier for log: %s", submissionURL, err)
|
||||
}
|
||||
logs = append(logs, Log{
|
||||
Log: ctlog,
|
||||
SignatureVerifier: verifier,
|
||||
LogClient: client.New(strings.TrimRight(submissionURL, "/")),
|
||||
})
|
||||
}
|
||||
|
||||
certs := MakeCertificateBunch()
|
||||
var parseErrors uint32
|
||||
var submitErrors uint32
|
||||
|
||||
for len(certsPem) > 0 {
|
||||
var pemBlock *pem.Block
|
||||
pemBlock, certsPem = pem.Decode(certsPem)
|
||||
if pemBlock == nil {
|
||||
log.Fatalf("Invalid PEM read from stdin")
|
||||
}
|
||||
if pemBlock.Type != "CERTIFICATE" {
|
||||
log.Printf("Ignoring non-certificate read from stdin")
|
||||
continue
|
||||
}
|
||||
|
||||
cert, err := parseCertificate(pemBlock.Bytes)
|
||||
if err != nil {
|
||||
log.Printf("Ignoring un-parseable certificate read from stdin: %s", err)
|
||||
parseErrors++
|
||||
continue
|
||||
}
|
||||
certs.Add(cert)
|
||||
}
|
||||
|
||||
wg := sync.WaitGroup{}
|
||||
for fingerprint, cert := range certs.byFingerprint {
|
||||
cn := cert.CommonName()
|
||||
chain := buildChain(cert, &certs)
|
||||
if len(chain) == 0 {
|
||||
continue
|
||||
}
|
||||
for _, ctlog := range logs {
|
||||
if !ctlog.AcceptsExpiration(chain[0].Expiration) {
|
||||
continue
|
||||
}
|
||||
wg.Add(1)
|
||||
go func(fingerprint [32]byte, ctlog Log) {
|
||||
sct, err := ctlog.SubmitChain(chain)
|
||||
if err != nil {
|
||||
log.Printf("%x (%s): %s: Submission Error: %s", fingerprint, cn, ctlog.GetSubmissionURL(), err)
|
||||
atomic.AddUint32(&submitErrors, 1)
|
||||
} else if *verbose {
|
||||
timestamp := time.Unix(int64(sct.Timestamp)/1000, int64(sct.Timestamp%1000)*1000000)
|
||||
log.Printf("%x (%s): %s: Submitted at %s", fingerprint, cn, ctlog.GetSubmissionURL(), timestamp)
|
||||
}
|
||||
wg.Done()
|
||||
}(fingerprint, ctlog)
|
||||
}
|
||||
}
|
||||
wg.Wait()
|
||||
|
||||
exitStatus := 0
|
||||
if parseErrors > 0 {
|
||||
log.Printf("%d certificates failed to parse and were ignored", parseErrors)
|
||||
exitStatus |= 4
|
||||
}
|
||||
if submitErrors > 0 {
|
||||
log.Printf("%d submission errors occurred", submitErrors)
|
||||
exitStatus |= 8
|
||||
}
|
||||
os.Exit(exitStatus)
|
||||
}
|
||||
Loading…
Reference in New Issue