diff --git a/README b/README index 4cf81b1..29ca274 100644 --- a/README +++ b/README @@ -82,7 +82,7 @@ COMMAND LINE FLAGS -state_dir PATH Directory for storing state. Default: ~/.certspotter -bygonessl - Only print certificates which predate domain registration and live into it (requires 'issued_before' option in watchlist) + Only print certificates which predate domain registration and live into it (requires 'valid_at' option in watchlist) -verbose Be verbose. @@ -138,10 +138,10 @@ BygoneSSL Cert Spotter can also notify users of bygone SSL certificates, which are SSL certificates that outlived their prior domain owner's registration into the -next owners registration. To detect these certificates add an issued_before +next owners registration. To detect these certificates add a valid_at argument to each domain in the watchlist followed by the date the domain was registered in t he following format YYYY-MM-DD. For example: -example.com issued_before:2014-05-02 +example.com valid_at:2014-05-02 The optional -bygonessl flag will cause Cert Spotter to only match bygone SSL certificates. diff --git a/cmd/certspotter/main.go b/cmd/certspotter/main.go index 21a876d..62f9232 100644 --- a/cmd/certspotter/main.go +++ b/cmd/certspotter/main.go @@ -51,12 +51,12 @@ func trimTrailingDots(value string) string { var stateDir = flag.String("state_dir", defaultStateDir(), "Directory for storing state") var watchlistFilename = flag.String("watchlist", filepath.Join(defaultConfigDir(), "watchlist"), "File containing identifiers to watch (- for stdin)") -var bygoneSSL = flag.Bool("bygonessl", false, "Only print certificates which predate domain registration and live into it (requires 'issued_before' option in watchlist)") +var bygoneSSL = flag.Bool("bygonessl", false, "Only print certificates which predate domain registration and live into it (requires 'valid_at' option in watchlist)") type watchlistItem struct { Domain []string AcceptSuffix bool - NotBefore *time.Time // optional + ValidAt *time.Time // optional } var watchlist []watchlistItem @@ -67,7 +67,7 @@ func parseWatchlistItem(str string) (watchlistItem, error) { return watchlistItem{}, fmt.Errorf("Empty domain") } domain := fields[0] - var notBefore *time.Time = nil + var validAt *time.Time = nil // parse options for i := 1; i < len(fields); i++ { @@ -76,19 +76,19 @@ func parseWatchlistItem(str string) (watchlistItem, error) { return watchlistItem{}, fmt.Errorf("Missing Value `%s'", fields[i]) } switch chunks[0] { - case "issued_before": - notBeforeTime, err := time.Parse("2006-01-02", chunks[1]) + case "valid_at": + validAtTime, err := time.Parse("2006-01-02", chunks[1]) if err != nil { return watchlistItem{}, fmt.Errorf("Invalid Date `%s': %s", chunks[1], err) } - notBefore = ¬BeforeTime + validAt = &validAtTime default: return watchlistItem{}, fmt.Errorf("Unknown Option `%s'", fields[i]) } } - if *bygoneSSL && notBefore == nil { - return watchlistItem{}, fmt.Errorf("`%s' must have issued_before argument when using -bygonessl", domain) + if *bygoneSSL && validAt == nil { + return watchlistItem{}, fmt.Errorf("`%s' must have valid_at argument when using -bygonessl", domain) } // parse domain @@ -97,7 +97,7 @@ func parseWatchlistItem(str string) (watchlistItem, error) { return watchlistItem{ Domain: []string{}, AcceptSuffix: true, - NotBefore: notBefore, + ValidAt: validAt, }, nil } @@ -114,7 +114,7 @@ func parseWatchlistItem(str string) (watchlistItem, error) { return watchlistItem{ Domain: strings.Split(asciiDomain, "."), AcceptSuffix: acceptSuffix, - NotBefore: notBefore, + ValidAt: validAt, }, nil } @@ -168,12 +168,12 @@ func anyDnsNameIsWatched(info *certspotter.EntryInfo) bool { labels := strings.Split(dnsName, ".") for _, item := range watchlist { if dnsNameMatches(labels, item.Domain, item.AcceptSuffix) { - if item.NotBefore != nil { + if item.ValidAt != nil { // BygoneSSL Check // was the SSL certificate issued before the domain was registered // and valid after - if item.NotBefore.Before(*info.CertInfo.NotAfter()) && - item.NotBefore.After(*info.CertInfo.NotBefore()) { + if item.ValidAt.Before(*info.CertInfo.NotAfter()) && + item.ValidAt.After(*info.CertInfo.NotBefore()) { info.Bygone = true } }