From 6991be261c848de22df2a9380111468b84c38a9e Mon Sep 17 00:00:00 2001
From: Ian Foster
Date: Thu, 19 Jul 2018 16:12:17 -0700
Subject: [PATCH] changed bygonessl behavior

---
 README                  | 7 +------
 cmd/certspotter/main.go | 16 ++++++----------
 2 files changed, 7 insertions(+), 16 deletions(-)

diff --git a/README b/README
index 29ca274..09f03df 100644
--- a/README
+++ b/README
@@ -81,8 +81,6 @@ COMMAND LINE FLAGS Default: use the logs trusted by Chromium. -state_dir PATH Directory for storing state. Default: ~/.certspotter - -bygonessl - Only print certificates which predate domain registration and live into it (requires 'valid_at' option in watchlist) -verbose Be verbose.
@@ -140,9 +138,6 @@ Cert Spotter can also notify users of bygone SSL certificates, which are SSL certificates that outlived their prior domain owner's registration into the next owners registration. To detect these certificates add a valid_at argument to each domain in the watchlist followed by the date the domain was -registered in t he following format YYYY-MM-DD. For example: +registered in the following format YYYY-MM-DD. For example: example.com valid_at:2014-05-02 -The optional -bygonessl flag will cause Cert Spotter to only match bygone SSL -certificates. -
diff --git a/cmd/certspotter/main.go b/cmd/certspotter/main.go
index 62f9232..00e62ca 100644
--- a/cmd/certspotter/main.go
+++ b/cmd/certspotter/main.go
@@ -51,7 +51,6 @@ func trimTrailingDots(value string) string {
 var stateDir = flag.String("state_dir", defaultStateDir(), "Directory for storing state")
 var watchlistFilename = flag.String("watchlist", filepath.Join(defaultConfigDir(), "watchlist"), "File containing identifiers to watch (- for stdin)")
-var bygoneSSL = flag.Bool("bygonessl", false, "Only print certificates which predate domain registration and live into it (requires 'valid_at' option in watchlist)")
 
 type watchlistItem struct {
 	Domain []string
@@ -87,10 +86,6 @@ func parseWatchlistItem(str string) (watchlistItem, error) {
 		}
 	}
 
-	if *bygoneSSL && validAt == nil {
-		return watchlistItem{}, fmt.Errorf("`%s' must have valid_at argument when using -bygonessl", domain)
-	}
-
 	// parse domain
 	// "." as in root zone (matches everything)
 	if domain == "." {
@@ -164,6 +159,7 @@ func dnsNameMatches(dnsName []string, watchDomain []string, acceptSuffix bool) b
 func anyDnsNameIsWatched(info *certspotter.EntryInfo) bool {
 	dnsNames := info.Identifiers.DNSNames
 
+	matched := false
 	for _, dnsName := range dnsNames {
 		labels := strings.Split(dnsName, ".")
 		for _, item := range watchlist {
@@ -175,13 +171,15 @@ func anyDnsNameIsWatched(info *certspotter.EntryInfo) bool {
 					if item.ValidAt.Before(*info.CertInfo.NotAfter()) &&
 						item.ValidAt.After(*info.CertInfo.NotBefore()) {
 						info.Bygone = true
+						return true
 					}
 				}
-				return true
+				// keep iterating in case another domain watched matches valid_at
+				matched = true
 			}
 		}
 	}
-	return false
+	return matched
 }
 
 func processEntry(scanner *certspotter.Scanner, entry *ct.LogEntry) {
@@ -203,9 +201,7 @@ func processEntry(scanner *certspotter.Scanner, entry *ct.LogEntry) {
 	// doesn't match a domain we care about. We try very hard to make sure
 	// parsing identifiers always succeeds, so false alarms should be rare.
 	if info.Identifiers == nil || anyDnsNameIsWatched(&info) {
-		if !*bygoneSSL || info.Bygone {
-			cmd.LogEntry(&info)
-		}
+		cmd.LogEntry(&info)
 	}
 }
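Review bot: anyDnsNameIsWatched now does two things — it reports a watchlist match and, as a side effect, sets `info.Bygone` — yet neither the function nor the new `matched` variable documents this, and the early `return true` on the bygone hit silently stops checking the remaining names. I would add a doc comment above the signature in the -164 hunk: `// anyDnsNameIsWatched reports whether any DNS name in info is on the watchlist.` / `// Side effect: it sets info.Bygone when a matching item's valid_at falls strictly inside the` / `// certificate's validity period, i.e. the cert predates the registration and outlives it.` With the `-bygonessl` requirement removed from parseWatchlistItem, items without a valid_at are now routine, so the `item.ValidAt.Before(...)` dereference on the -175 hunk's first line must sit under a nil check just above it, outside the hunk — presumably it does, but a nil `*time.Time` there would panic on every matching entry, so it is worth confirming. The comparison is also strict, so a certificate whose NotBefore or NotAfter equals the parsed valid_at instant is not flagged; if that boundary is intentional the comment should say so.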