rename issued_before to valid_at

Ian Foster 2018-07-13 11:11:58 -07:00
parent cfe7adf06c
commit 1b4943c198
2 changed files with 16 additions and 16 deletions

README

@ -82,7 +82,7 @@ COMMAND LINE FLAGS
-state_dir PATH -state_dir PATH
Directory for storing state. Default: ~/.certspotter Directory for storing state. Default: ~/.certspotter
-bygonessl -bygonessl
Only print certificates which predate domain registration and live into it (requires 'issued_before' option in watchlist) Only print certificates which predate domain registration and live into it (requires 'valid_at' option in watchlist)
-verbose -verbose
Be verbose. Be verbose.
@ -138,10 +138,10 @@ BygoneSSL
Cert Spotter can also notify users of bygone SSL certificates, which are SSL Cert Spotter can also notify users of bygone SSL certificates, which are SSL
certificates that outlived their prior domain owner's registration into the certificates that outlived their prior domain owner's registration into the
next owners registration. To detect these certificates add an issued_before next owners registration. To detect these certificates add a valid_at
argument to each domain in the watchlist followed by the date the domain was argument to each domain in the watchlist followed by the date the domain was
registered in t he following format YYYY-MM-DD. For example: registered in t he following format YYYY-MM-DD. For example:
example.com issued_before:2014-05-02 example.com valid_at:2014-05-02
The optional -bygonessl flag will cause Cert Spotter to only match bygone SSL The optional -bygonessl flag will cause Cert Spotter to only match bygone SSL
certificates. certificates.


@ -51,12 +51,12 @@ func trimTrailingDots(value string) string {
var stateDir = flag.String("state_dir", defaultStateDir(), "Directory for storing state") var stateDir = flag.String("state_dir", defaultStateDir(), "Directory for storing state")
var watchlistFilename = flag.String("watchlist", filepath.Join(defaultConfigDir(), "watchlist"), "File containing identifiers to watch (- for stdin)") var watchlistFilename = flag.String("watchlist", filepath.Join(defaultConfigDir(), "watchlist"), "File containing identifiers to watch (- for stdin)")
var bygoneSSL = flag.Bool("bygonessl", false, "Only print certificates which predate domain registration and live into it (requires 'issued_before' option in watchlist)") var bygoneSSL = flag.Bool("bygonessl", false, "Only print certificates which predate domain registration and live into it (requires 'valid_at' option in watchlist)")
type watchlistItem struct { type watchlistItem struct {
Domain []string Domain []string
AcceptSuffix bool AcceptSuffix bool
NotBefore *time.Time // optional ValidAt *time.Time // optional
} }
var watchlist []watchlistItem var watchlist []watchlistItem
@ -67,7 +67,7 @@ func parseWatchlistItem(str string) (watchlistItem, error) {
return watchlistItem{}, fmt.Errorf("Empty domain") return watchlistItem{}, fmt.Errorf("Empty domain")
} }
domain := fields[0] domain := fields[0]
var notBefore *time.Time = nil var validAt *time.Time = nil
// parse options // parse options
for i := 1; i < len(fields); i++ { for i := 1; i < len(fields); i++ {
@ -76,19 +76,19 @@ func parseWatchlistItem(str string) (watchlistItem, error) {
return watchlistItem{}, fmt.Errorf("Missing Value `%s'", fields[i]) return watchlistItem{}, fmt.Errorf("Missing Value `%s'", fields[i])
} }
switch chunks[0] { switch chunks[0] {
case "issued_before": case "valid_at":
notBeforeTime, err := time.Parse("2006-01-02", chunks[1]) validAtTime, err := time.Parse("2006-01-02", chunks[1])
if err != nil { if err != nil {
return watchlistItem{}, fmt.Errorf("Invalid Date `%s': %s", chunks[1], err) return watchlistItem{}, fmt.Errorf("Invalid Date `%s': %s", chunks[1], err)
} }
notBefore = &notBeforeTime validAt = &validAtTime
default: default:
return watchlistItem{}, fmt.Errorf("Unknown Option `%s'", fields[i]) return watchlistItem{}, fmt.Errorf("Unknown Option `%s'", fields[i])
} }
} }
if *bygoneSSL && notBefore == nil { if *bygoneSSL && validAt == nil {
return watchlistItem{}, fmt.Errorf("`%s' must have issued_before argument when using -bygonessl", domain) return watchlistItem{}, fmt.Errorf("`%s' must have valid_at argument when using -bygonessl", domain)
} }
// parse domain // parse domain
@ -97,7 +97,7 @@ func parseWatchlistItem(str string) (watchlistItem, error) {
return watchlistItem{ return watchlistItem{
Domain: []string{}, Domain: []string{},
AcceptSuffix: true, AcceptSuffix: true,
NotBefore: notBefore, ValidAt: validAt,
}, nil }, nil
} }
@ -114,7 +114,7 @@ func parseWatchlistItem(str string) (watchlistItem, error) {
return watchlistItem{ return watchlistItem{
Domain: strings.Split(asciiDomain, "."), Domain: strings.Split(asciiDomain, "."),
AcceptSuffix: acceptSuffix, AcceptSuffix: acceptSuffix,
NotBefore: notBefore, ValidAt: validAt,
}, nil }, nil
} }
@ -168,12 +168,12 @@ func anyDnsNameIsWatched(info *certspotter.EntryInfo) bool {
labels := strings.Split(dnsName, ".") labels := strings.Split(dnsName, ".")
for _, item := range watchlist { for _, item := range watchlist {
if dnsNameMatches(labels, item.Domain, item.AcceptSuffix) { if dnsNameMatches(labels, item.Domain, item.AcceptSuffix) {
if item.NotBefore != nil { if item.ValidAt != nil {
// BygoneSSL Check // BygoneSSL Check
// was the SSL certificate issued before the domain was registered // was the SSL certificate issued before the domain was registered
// and valid after // and valid after
if item.NotBefore.Before(*info.CertInfo.NotAfter()) && if item.ValidAt.Before(*info.CertInfo.NotAfter()) &&
item.NotBefore.After(*info.CertInfo.NotBefore()) { item.ValidAt.After(*info.CertInfo.NotBefore()) {
info.Bygone = true info.Bygone = true
} }
} }
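Review bot: The comparison on the `item.ValidAt.Before(...)` / `item.ValidAt.After(...)` lines treats valid_at as an instant, but `time.Parse("2006-01-02", ...)` in the parseWatchlistItem hunk yields midnight UTC of that day, so a certificate whose NotBefore falls later on the registration day is not marked bygone while one issued the previous evening is, and the strict After also excludes a NotBefore of exactly midnight. If day-level granularity is the intent, comparing against the end of that day, e.g. `item.ValidAt.Add(24*time.Hour).After(*info.CertInfo.NotBefore())`, would err on the side of flagging, which is the safer default for a detector; whichever cutoff is chosen should be stated in the README's valid_at description. The comment above the check still carries the old issued_before wording; `// BygoneSSL check: the certificate's validity window (NotBefore, NotAfter) contains valid_at, the date the current owner registered the domain` would match the rename. anyDnsNameIsWatched begins and ends outside the hunk, and whether NotAfter()/NotBefore() can return nil (the dereference would panic) is not visible here.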