Rework -all_time logic

If -all_time is specified, scan the entirety of all logs, even
existing logs.  This matches user expectation better.  Previously,
-all_time had no impact on existing logs.

The first time Cert Spotter is run, do not scan any logs, unless
-all_time is specified.  This avoids a several hour wait the first
time Cert Spotter is run.  If the user is interested in knowing
about existing certificates, they can use the certspotter.com API
or crt.sh.  This is the same as existing behavior.

When a new log is added, scan it in its entirety even if -all_time is
not specified, so users are alerted to interesting certificates in the
new log.  Hopefully new logs will be small and this won't take too long!
Previously, new logs were not scanned in their entirety unless -all_time
was specified.

Closes: #5
This commit is contained in:
Andrew Ayer 2016-11-15 12:23:24 -08:00
parent 7d2936eada
commit 31f2316aa2
2 changed files with 29 additions and 9 deletions

4
README
View File

@ -72,7 +72,9 @@ COMMAND LINE FLAGS
-no_save -no_save
Do not save a copy of matching certificates. Do not save a copy of matching certificates.
-all_time -all_time
Scan certs from all time, not just since last scan. Scan for certificates from all time, not just those added since
the last run of Cert Spotter. Unless this option is specified,
no certificates are scanned the first time Cert Spotter is run.
-logs FILENAME -logs FILENAME
JSON file containing logs to scan, in the format documented at JSON file containing logs to scan, in the format documented at
<https://www.certificate-transparency.org/known-logs>. <https://www.certificate-transparency.org/known-logs>.

View File

@ -109,6 +109,11 @@ func saveEvidence(logUri string, firstSTH *ct.SignedTreeHead, secondSTH *ct.Sign
return firstFilename, secondFilename, proofFilename, nil return firstFilename, secondFilename, proofFilename, nil
} }
func fileExists (path string) bool {
_, err := os.Lstat(path)
return err == nil
}
func Main(argStateDir string, processCallback certspotter.ProcessCallback) int { func Main(argStateDir string, processCallback certspotter.ProcessCallback) int {
stateDir = argStateDir stateDir = argStateDir
@ -132,6 +137,8 @@ func Main(argStateDir string, processCallback certspotter.ProcessCallback) int {
logs = certspotter.DefaultLogs logs = certspotter.DefaultLogs
} }
firstRun := !fileExists(filepath.Join(stateDir, "once"))
if err := os.Mkdir(stateDir, 0777); err != nil && !os.IsExist(err) { if err := os.Mkdir(stateDir, 0777); err != nil && !os.IsExist(err) {
fmt.Fprintf(os.Stderr, "%s: Error creating state directory: %s: %s\n", os.Args[0], stateDir, err) fmt.Fprintf(os.Stderr, "%s: Error creating state directory: %s: %s\n", os.Args[0], stateDir, err)
return 1 return 1
@ -185,22 +192,26 @@ func Main(argStateDir string, processCallback certspotter.ProcessCallback) int {
} }
if *verbose { if *verbose {
if prevSTH != nil { if *allTime {
log.Printf("Scanning all %d entries in the log because -all_time option specified", latestSTH.TreeSize)
} else if prevSTH != nil {
log.Printf("Existing log; scanning %d new entries since previous scan (previous size %d, previous root hash = %x)", latestSTH.TreeSize-prevSTH.TreeSize, prevSTH.TreeSize, prevSTH.SHA256RootHash) log.Printf("Existing log; scanning %d new entries since previous scan (previous size %d, previous root hash = %x)", latestSTH.TreeSize-prevSTH.TreeSize, prevSTH.TreeSize, prevSTH.SHA256RootHash)
} else if *allTime { } else if firstRun {
log.Printf("new log; scanning all %d entries in the log", latestSTH.TreeSize) log.Printf("First run of Cert Spotter; not scanning %d existing entries because -all_time option not specified", latestSTH.TreeSize)
} else { } else {
log.Printf("new log; not scanning existing entries because -all_time option not specified") log.Printf("New log; scanning all %d entries in the log", latestSTH.TreeSize)
} }
} }
var startIndex uint64 var startIndex uint64
if prevSTH != nil { if *allTime {
startIndex = prevSTH.TreeSize
} else if *allTime {
startIndex = 0 startIndex = 0
} else { } else if prevSTH != nil {
startIndex = prevSTH.TreeSize
} else if firstRun {
startIndex = latestSTH.TreeSize startIndex = latestSTH.TreeSize
} else {
startIndex = 0
} }
if latestSTH.TreeSize > startIndex { if latestSTH.TreeSize > startIndex {
@ -254,5 +265,12 @@ func Main(argStateDir string, processCallback certspotter.ProcessCallback) int {
} }
} }
if firstRun {
if err := ioutil.WriteFile(filepath.Join(stateDir, "once"), []byte{}, 0666); err != nil {
log.Printf("Error writing once file: %s\n", err)
exitCode |= 1
}
}
return exitCode return exitCode
} }