Parse common names separately from DNS names
This commit is contained in:
parent
ef0b46b7a5
commit
2d2aa37202
@ -71,14 +71,17 @@ func processEntry (scanner *ctwatch.Scanner, entry *ct.LogEntry) {
info.CertInfo, info.ParseError = ctwatch.MakeCertInfoFromLogEntry(entry)
info.CertInfo, info.ParseError = ctwatch.MakeCertInfoFromLogEntry(entry)
if info.ParseError == nil && info.CertInfo.DNSNamesParseError == nil {
// If there's any sort of parse error related to the identifiers, report
// Match DNS names
// the certificate because we can't say for sure it doesn't match a domain
if !anyDnsNameMatches(info.CertInfo.DNSNames) {
// we care about (fail safe behavior). Treat common names as DNS names
return
// because many TLS clients do.
}
if info.ParseError != nil ||
info.CertInfo.CommonNamesParseError != nil ||
info.CertInfo.DNSNamesParseError != nil ||
anyDnsNameMatches(info.CertInfo.CommonNames) ||
anyDnsNameMatches(info.CertInfo.DNSNames) {
cmd.LogEntry(&info)
}
}
cmd.LogEntry(&info)
}
}
func main() {
func main() {
19
helpers.go
19
helpers.go
@ -102,6 +102,8 @@ type EntryInfo struct {
type CertInfo struct {
type CertInfo struct {
TBS *TBSCertificate
TBS *TBSCertificate
CommonNames []string
CommonNamesParseError error
DNSNames []string
DNSNames []string
DNSNamesParseError error
DNSNamesParseError error
Subject RDNSequence
Subject RDNSequence
@ -119,6 +121,7 @@ type CertInfo struct {
func MakeCertInfoFromTBS (tbs *TBSCertificate) *CertInfo {
func MakeCertInfoFromTBS (tbs *TBSCertificate) *CertInfo {
info := &CertInfo{TBS: tbs}
info := &CertInfo{TBS: tbs}
info.CommonNames, info.CommonNamesParseError = tbs.ParseCommonNames()
info.DNSNames, info.DNSNamesParseError = tbs.ParseDNSNames()
info.DNSNames, info.DNSNamesParseError = tbs.ParseDNSNames()
info.Subject, info.SubjectParseError = tbs.ParseSubject()
info.Subject, info.SubjectParseError = tbs.ParseSubject()
info.Issuer, info.IssuerParseError = tbs.ParseIssuer()
info.Issuer, info.IssuerParseError = tbs.ParseIssuer()
@ -158,6 +161,14 @@ func MakeCertInfoFromLogEntry (entry *ct.LogEntry) (*CertInfo, error) {
}
}
}
}
func (info *CertInfo) commonNamesString () string {
if info.CommonNamesParseError == nil {
return strings.Join(info.CommonNames, ", ")
} else {
return ""
}
}
func (info *CertInfo) dnsNamesString () string {
func (info *CertInfo) dnsNamesString () string {
if info.DNSNamesParseError == nil {
if info.DNSNamesParseError == nil {
return strings.Join(info.DNSNames, ", ")
return strings.Join(info.DNSNames, ", ")
@ -195,6 +206,12 @@ func (info *CertInfo) Environ () []string {
env = append(env, "PUBKEY_HASH=" + info.PubkeyHash())
env = append(env, "PUBKEY_HASH=" + info.PubkeyHash())
if info.CommonNamesParseError != nil {
env = append(env, "COMMON_NAMES_PARSE_ERROR=" + info.CommonNamesParseError.Error())
} else {
env = append(env, "COMMON_NAMES=" + strings.Join(info.CommonNames, ","))
}
if info.DNSNamesParseError != nil {
if info.DNSNamesParseError != nil {
env = append(env, "DNS_NAMES_PARSE_ERROR=" + info.DNSNamesParseError.Error())
env = append(env, "DNS_NAMES_PARSE_ERROR=" + info.DNSNamesParseError.Error())
} else {
} else {
@ -233,6 +250,7 @@ func (info *CertInfo) Environ () []string {
func (info *EntryInfo) HasParseErrors () bool {
func (info *EntryInfo) HasParseErrors () bool {
return info.ParseError != nil ||
return info.ParseError != nil ||
info.CertInfo.CommonNamesParseError != nil ||
info.CertInfo.DNSNamesParseError != nil ||
info.CertInfo.DNSNamesParseError != nil ||
info.CertInfo.SubjectParseError != nil ||
info.CertInfo.SubjectParseError != nil ||
info.CertInfo.IssuerParseError != nil ||
info.CertInfo.IssuerParseError != nil ||
@ -317,6 +335,7 @@ func (info *EntryInfo) Write (out io.Writer) {
if info.ParseError != nil {
if info.ParseError != nil {
writeField(out, "Parse Error", "*** " + info.ParseError.Error() + " ***", nil)
writeField(out, "Parse Error", "*** " + info.ParseError.Error() + " ***", nil)
} else {
} else {
writeField(out, "Common Name", info.CertInfo.commonNamesString(), info.CertInfo.CommonNamesParseError)
writeField(out, "DNS Names", info.CertInfo.dnsNamesString(), info.CertInfo.DNSNamesParseError)
writeField(out, "DNS Names", info.CertInfo.dnsNamesString(), info.CertInfo.DNSNamesParseError)
writeField(out, "Pubkey", info.CertInfo.PubkeyHash(), nil)
writeField(out, "Pubkey", info.CertInfo.PubkeyHash(), nil)
writeField(out, "Subject", info.CertInfo.Subject, info.CertInfo.SubjectParseError)
writeField(out, "Subject", info.CertInfo.Subject, info.CertInfo.SubjectParseError)
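Review bot: The new `COMMON_NAMES=` entry in Environ joins the names with "," even though Common Name values are free-form strings taken from an untrusted certificate and may themselves contain commas, so a hook script reading the variable cannot unambiguously split it back into a list; the existing `DNS_NAMES=` entry uses the same separator, but a syntactically valid DNS name cannot contain a comma while a CN can. If the format is kept for consistency with DNS_NAMES, the limitation should at least be stated on the new field in CertInfo, e.g. `// CommonNames holds the subject Common Name values exactly as parsed from the certificate; they are untrusted, free-form text and may contain any character, including the ',' used as a separator in Environ.`, so hook authors treat the value as display text rather than a parseable list. Environ's body starts and ends outside the hunk.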
12
x509.go
12
x509.go
@ -222,10 +222,7 @@ func (tbs *TBSCertificate) ParseIssuer () (RDNSequence, error) {
return issuer, nil
return issuer, nil
}
}
func (tbs *TBSCertificate) ParseDNSNames () ([]string, error) {
func (tbs *TBSCertificate) ParseCommonNames () ([]string, error) {
dnsNames := []string{}
// Extract Common Name from Subject
subject, err := tbs.ParseSubject()
subject, err := tbs.ParseSubject()
if err != nil {
if err != nil {
return nil, err
return nil, err
@ -234,7 +231,12 @@ func (tbs *TBSCertificate) ParseDNSNames () ([]string, error) {
if err != nil {
if err != nil {
return nil, errors.New("failed to process certificate subject: " + err.Error())
return nil, errors.New("failed to process certificate subject: " + err.Error())
}
}
dnsNames = append(dnsNames, cns...)
return cns, nil
}
func (tbs *TBSCertificate) ParseDNSNames () ([]string, error) {
dnsNames := []string{}
// Extract DNS names from SubjectAlternativeName extension
// Extract DNS names from SubjectAlternativeName extension
for _, sanExt := range tbs.GetExtension(oidExtensionSubjectAltName) {
for _, sanExt := range tbs.GetExtension(oidExtensionSubjectAltName) {
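Review bot: ParseCommonNames returns the error from `tbs.ParseSubject()` bare at its first `return nil, err` but wraps the later failure with "failed to process certificate subject: ", so the two failure paths of one function surface inconsistently to HasParseErrors and the "Parse Error" field that display them; wrapping the first one in the same style (e.g. `return nil, errors.New("failed to parse certificate subject: " + err.Error())`) would make the origin clear in the report. Both exported methods also lack Go doc comments: something like `// ParseCommonNames returns the Common Name values of the certificate subject. A parse failure is returned as an error rather than an empty list so that callers can report the certificate instead of silently skipping it.` on ParseCommonNames, and `// ParseDNSNames returns the dNSName entries of the Subject Alternative Name extension only; Common Names are no longer included and must be obtained from ParseCommonNames.` on ParseDNSNames, would record the split this commit introduces. ParseCommonNames's body is spread across the two hunks with the CN extraction hidden between them, and ParseDNSNames continues past the end of the section.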