Parse common names separately from DNS names

Andrew Ayer 2016-04-22 20:58:33 -07:00
parent ef0b46b7a5
commit 2d2aa37202
3 changed files with 36 additions and 12 deletions


@ -71,14 +71,17 @@ func processEntry (scanner *ctwatch.Scanner, entry *ct.LogEntry) {
info.CertInfo, info.ParseError = ctwatch.MakeCertInfoFromLogEntry(entry)
if info.ParseError == nil && info.CertInfo.DNSNamesParseError == nil {
// Match DNS names
if !anyDnsNameMatches(info.CertInfo.DNSNames) {
return
}
// If there's any sort of parse error related to the identifiers, report
// the certificate because we can't say for sure it doesn't match a domain
// we care about (fail safe behavior). Treat common names as DNS names
// because many TLS clients do.
if info.ParseError != nil ||
info.CertInfo.CommonNamesParseError != nil ||
info.CertInfo.DNSNamesParseError != nil ||
anyDnsNameMatches(info.CertInfo.CommonNames) ||
anyDnsNameMatches(info.CertInfo.DNSNames) {
cmd.LogEntry(&info)
}
cmd.LogEntry(&info)
}
func main() {
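Review bot: `anyDnsNameMatches(info.CertInfo.CommonNames)` runs the DNS matcher over subject common names, which are free-form certificate text rather than validated hostnames. Such a value can differ from a watched domain only in case, a trailing dot or surrounding whitespace. anyDnsNameMatches is defined outside this hunk, so its behaviour can't be confirmed here; if it compares names exactly, a common name like that would go unreported even though a lenient TLS client might accept it. I would normalise common names before matching (or inside the matcher) and record the assumption at the call, e.g. `// CommonNames are untrusted free-form strings; anyDnsNameMatches must normalise case and trailing dots`.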


@ -102,6 +102,8 @@ type EntryInfo struct {
type CertInfo struct {
TBS *TBSCertificate
CommonNames []string
CommonNamesParseError error
DNSNames []string
DNSNamesParseError error
Subject RDNSequence
@ -119,6 +121,7 @@ type CertInfo struct {
func MakeCertInfoFromTBS (tbs *TBSCertificate) *CertInfo {
info := &CertInfo{TBS: tbs}
info.CommonNames, info.CommonNamesParseError = tbs.ParseCommonNames()
info.DNSNames, info.DNSNamesParseError = tbs.ParseDNSNames()
info.Subject, info.SubjectParseError = tbs.ParseSubject()
info.Issuer, info.IssuerParseError = tbs.ParseIssuer()
@ -158,6 +161,14 @@ func MakeCertInfoFromLogEntry (entry *ct.LogEntry) (*CertInfo, error) {
}
}
func (info *CertInfo) commonNamesString () string {
if info.CommonNamesParseError == nil {
return strings.Join(info.CommonNames, ", ")
} else {
return ""
}
}
func (info *CertInfo) dnsNamesString () string {
if info.DNSNamesParseError == nil {
return strings.Join(info.DNSNames, ", ")
@ -195,6 +206,12 @@ func (info *CertInfo) Environ () []string {
env = append(env, "PUBKEY_HASH=" + info.PubkeyHash())
if info.CommonNamesParseError != nil {
env = append(env, "COMMON_NAMES_PARSE_ERROR=" + info.CommonNamesParseError.Error())
} else {
env = append(env, "COMMON_NAMES=" + strings.Join(info.CommonNames, ","))
}
if info.DNSNamesParseError != nil {
env = append(env, "DNS_NAMES_PARSE_ERROR=" + info.DNSNamesParseError.Error())
} else {
@ -233,6 +250,7 @@ func (info *CertInfo) Environ () []string {
func (info *EntryInfo) HasParseErrors () bool {
return info.ParseError != nil ||
info.CertInfo.CommonNamesParseError != nil ||
info.CertInfo.DNSNamesParseError != nil ||
info.CertInfo.SubjectParseError != nil ||
info.CertInfo.IssuerParseError != nil ||
@ -317,6 +335,7 @@ func (info *EntryInfo) Write (out io.Writer) {
if info.ParseError != nil {
writeField(out, "Parse Error", "*** " + info.ParseError.Error() + " ***", nil)
} else {
writeField(out, "Common Name", info.CertInfo.commonNamesString(), info.CertInfo.CommonNamesParseError)
writeField(out, "DNS Names", info.CertInfo.dnsNamesString(), info.CertInfo.DNSNamesParseError)
writeField(out, "Pubkey", info.CertInfo.PubkeyHash(), nil)
writeField(out, "Subject", info.CertInfo.Subject, info.CertInfo.SubjectParseError)
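Review bot: In Environ, `COMMON_NAMES` is built with `strings.Join(info.CommonNames, ",")`, but a common name is unescaped text from a certificate in a public log and may itself contain a comma, a newline or other control characters. A consumer of the variable therefore cannot split it back into the original names reliably, and one name can read as several. The same strings reach the output in Write through `commonNamesString()`, where control characters would be printed as-is. I would strip or escape non-printable characters and the separator before joining, or at minimum state the contract above the append: `// Common names are untrusted certificate text and are not escaped; consumers must not split on "," or evaluate the value.` Environ and Write both start and end outside the hunks shown.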

12
x509.go

@ -222,10 +222,7 @@ func (tbs *TBSCertificate) ParseIssuer () (RDNSequence, error) {
return issuer, nil
}
func (tbs *TBSCertificate) ParseDNSNames () ([]string, error) {
dnsNames := []string{}
// Extract Common Name from Subject
func (tbs *TBSCertificate) ParseCommonNames () ([]string, error) {
subject, err := tbs.ParseSubject()
if err != nil {
return nil, err
@ -234,7 +231,12 @@ func (tbs *TBSCertificate) ParseDNSNames () ([]string, error) {
if err != nil {
return nil, errors.New("failed to process certificate subject: " + err.Error())
}
dnsNames = append(dnsNames, cns...)
return cns, nil
}
func (tbs *TBSCertificate) ParseDNSNames () ([]string, error) {
dnsNames := []string{}
// Extract DNS names from SubjectAlternativeName extension
for _, sanExt := range tbs.GetExtension(oidExtensionSubjectAltName) {
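Review bot: ParseDNSNames changes meaning here with no doc comment saying so. It used to include the subject common names and now appears to return only SubjectAltName entries. Any caller outside this commit that checks just `DNSNames` would silently stop seeing certificates that carry the hostname only in the common name. Both exported methods should state the split, e.g. `// ParseCommonNames returns the subject's common names; they are not included in ParseDNSNames.` and `// ParseDNSNames returns only dNSName entries from the SubjectAltName extension.` The body of ParseDNSNames continues past the end of this section.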