Parse common names separately from DNS names

This commit is contained in:
Andrew Ayer 2016-04-22 20:58:33 -07:00
parent ef0b46b7a5
commit 2d2aa37202
3 changed files with 36 additions and 12 deletions


@ -71,15 +71,18 @@ func processEntry (scanner *ctwatch.Scanner, entry *ct.LogEntry) {
info.CertInfo, info.ParseError = ctwatch.MakeCertInfoFromLogEntry(entry) info.CertInfo, info.ParseError = ctwatch.MakeCertInfoFromLogEntry(entry)
if info.ParseError == nil && info.CertInfo.DNSNamesParseError == nil { // If there's any sort of parse error related to the identifiers, report
// Match DNS names // the certificate because we can't say for sure it doesn't match a domain
if !anyDnsNameMatches(info.CertInfo.DNSNames) { // we care about (fail safe behavior). Treat common names as DNS names
return // because many TLS clients do.
} if info.ParseError != nil ||
} info.CertInfo.CommonNamesParseError != nil ||
info.CertInfo.DNSNamesParseError != nil ||
anyDnsNameMatches(info.CertInfo.CommonNames) ||
anyDnsNameMatches(info.CertInfo.DNSNames) {
cmd.LogEntry(&info) cmd.LogEntry(&info)
} }
}
func main() { func main() {
flag.Parse() flag.Parse()


@ -102,6 +102,8 @@ type EntryInfo struct {
type CertInfo struct { type CertInfo struct {
TBS *TBSCertificate TBS *TBSCertificate
CommonNames []string
CommonNamesParseError error
DNSNames []string DNSNames []string
DNSNamesParseError error DNSNamesParseError error
Subject RDNSequence Subject RDNSequence
@ -119,6 +121,7 @@ type CertInfo struct {
func MakeCertInfoFromTBS (tbs *TBSCertificate) *CertInfo { func MakeCertInfoFromTBS (tbs *TBSCertificate) *CertInfo {
info := &CertInfo{TBS: tbs} info := &CertInfo{TBS: tbs}
info.CommonNames, info.CommonNamesParseError = tbs.ParseCommonNames()
info.DNSNames, info.DNSNamesParseError = tbs.ParseDNSNames() info.DNSNames, info.DNSNamesParseError = tbs.ParseDNSNames()
info.Subject, info.SubjectParseError = tbs.ParseSubject() info.Subject, info.SubjectParseError = tbs.ParseSubject()
info.Issuer, info.IssuerParseError = tbs.ParseIssuer() info.Issuer, info.IssuerParseError = tbs.ParseIssuer()
@ -158,6 +161,14 @@ func MakeCertInfoFromLogEntry (entry *ct.LogEntry) (*CertInfo, error) {
} }
} }
func (info *CertInfo) commonNamesString () string {
if info.CommonNamesParseError == nil {
return strings.Join(info.CommonNames, ", ")
} else {
return ""
}
}
func (info *CertInfo) dnsNamesString () string { func (info *CertInfo) dnsNamesString () string {
if info.DNSNamesParseError == nil { if info.DNSNamesParseError == nil {
return strings.Join(info.DNSNames, ", ") return strings.Join(info.DNSNames, ", ")
@ -195,6 +206,12 @@ func (info *CertInfo) Environ () []string {
env = append(env, "PUBKEY_HASH=" + info.PubkeyHash()) env = append(env, "PUBKEY_HASH=" + info.PubkeyHash())
if info.CommonNamesParseError != nil {
env = append(env, "COMMON_NAMES_PARSE_ERROR=" + info.CommonNamesParseError.Error())
} else {
env = append(env, "COMMON_NAMES=" + strings.Join(info.CommonNames, ","))
}
if info.DNSNamesParseError != nil { if info.DNSNamesParseError != nil {
env = append(env, "DNS_NAMES_PARSE_ERROR=" + info.DNSNamesParseError.Error()) env = append(env, "DNS_NAMES_PARSE_ERROR=" + info.DNSNamesParseError.Error())
} else { } else {
@ -233,6 +250,7 @@ func (info *CertInfo) Environ () []string {
func (info *EntryInfo) HasParseErrors () bool { func (info *EntryInfo) HasParseErrors () bool {
return info.ParseError != nil || return info.ParseError != nil ||
info.CertInfo.CommonNamesParseError != nil ||
info.CertInfo.DNSNamesParseError != nil || info.CertInfo.DNSNamesParseError != nil ||
info.CertInfo.SubjectParseError != nil || info.CertInfo.SubjectParseError != nil ||
info.CertInfo.IssuerParseError != nil || info.CertInfo.IssuerParseError != nil ||
@ -317,6 +335,7 @@ func (info *EntryInfo) Write (out io.Writer) {
if info.ParseError != nil { if info.ParseError != nil {
writeField(out, "Parse Error", "*** " + info.ParseError.Error() + " ***", nil) writeField(out, "Parse Error", "*** " + info.ParseError.Error() + " ***", nil)
} else { } else {
writeField(out, "Common Name", info.CertInfo.commonNamesString(), info.CertInfo.CommonNamesParseError)
writeField(out, "DNS Names", info.CertInfo.dnsNamesString(), info.CertInfo.DNSNamesParseError) writeField(out, "DNS Names", info.CertInfo.dnsNamesString(), info.CertInfo.DNSNamesParseError)
writeField(out, "Pubkey", info.CertInfo.PubkeyHash(), nil) writeField(out, "Pubkey", info.CertInfo.PubkeyHash(), nil)
writeField(out, "Subject", info.CertInfo.Subject, info.CertInfo.SubjectParseError) writeField(out, "Subject", info.CertInfo.Subject, info.CertInfo.SubjectParseError)
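Review bot: In Environ, `COMMON_NAMES` is built with `strings.Join(info.CommonNames, ",")`, mirroring `DNS_NAMES`, but the values differ in kind: a dNSName SAN entry cannot contain a comma, whereas a subject CN attribute is a free-form string that can, so a consumer script splitting `COMMON_NAMES` on `,` can be handed an ambiguous list for a certificate whose CN was chosen by whoever requested it. Since the variable's format is part of the interface for hook scripts, at minimum document the limitation next to the append, `// CNs are free-form and may themselves contain ','; consumers must not rely on splitting this value.`, or pick a separator that cannot appear in a DirectoryString if the format is still open to change. The same free-form caveat applies to the `", "`-joined output of commonNamesString and to the "Common Name" field written at the end of this section. The exported `CommonNames` and `CommonNamesParseError` fields also lack doc comments; `// CommonNames holds the subject CN attribute values; CommonNamesParseError is set when the subject could not be parsed.` would match the struct's other fields. Environ continues past this hunk.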

12
x509.go

@ -222,10 +222,7 @@ func (tbs *TBSCertificate) ParseIssuer () (RDNSequence, error) {
return issuer, nil return issuer, nil
} }
func (tbs *TBSCertificate) ParseDNSNames () ([]string, error) { func (tbs *TBSCertificate) ParseCommonNames () ([]string, error) {
dnsNames := []string{}
// Extract Common Name from Subject
subject, err := tbs.ParseSubject() subject, err := tbs.ParseSubject()
if err != nil { if err != nil {
return nil, err return nil, err
@ -234,7 +231,12 @@ func (tbs *TBSCertificate) ParseDNSNames () ([]string, error) {
if err != nil { if err != nil {
return nil, errors.New("failed to process certificate subject: " + err.Error()) return nil, errors.New("failed to process certificate subject: " + err.Error())
} }
dnsNames = append(dnsNames, cns...)
return cns, nil
}
func (tbs *TBSCertificate) ParseDNSNames () ([]string, error) {
dnsNames := []string{}
// Extract DNS names from SubjectAlternativeName extension // Extract DNS names from SubjectAlternativeName extension
for _, sanExt := range tbs.GetExtension(oidExtensionSubjectAltName) { for _, sanExt := range tbs.GetExtension(oidExtensionSubjectAltName) {