changed bygonessl behavior

This commit is contained in:
Ian Foster 2018-07-19 16:12:17 -07:00
parent 1b4943c198
commit 6991be261c
2 changed files with 7 additions and 16 deletions

README

@ -81,8 +81,6 @@ COMMAND LINE FLAGS
Default: use the logs trusted by Chromium. Default: use the logs trusted by Chromium.
-state_dir PATH -state_dir PATH
Directory for storing state. Default: ~/.certspotter Directory for storing state. Default: ~/.certspotter
-bygonessl
Only print certificates which predate domain registration and live into it (requires 'valid_at' option in watchlist)
-verbose -verbose
Be verbose. Be verbose.
@ -143,6 +141,3 @@ argument to each domain in the watchlist followed by the date the domain was
registered in the following format YYYY-MM-DD. For example: registered in the following format YYYY-MM-DD. For example:
example.com valid_at:2014-05-02 example.com valid_at:2014-05-02
The optional -bygonessl flag will cause Cert Spotter to only match bygone SSL
certificates.


@ -51,7 +51,6 @@ func trimTrailingDots(value string) string {
var stateDir = flag.String("state_dir", defaultStateDir(), "Directory for storing state") var stateDir = flag.String("state_dir", defaultStateDir(), "Directory for storing state")
var watchlistFilename = flag.String("watchlist", filepath.Join(defaultConfigDir(), "watchlist"), "File containing identifiers to watch (- for stdin)") var watchlistFilename = flag.String("watchlist", filepath.Join(defaultConfigDir(), "watchlist"), "File containing identifiers to watch (- for stdin)")
var bygoneSSL = flag.Bool("bygonessl", false, "Only print certificates which predate domain registration and live into it (requires 'valid_at' option in watchlist)")
type watchlistItem struct { type watchlistItem struct {
Domain []string Domain []string
@ -87,10 +86,6 @@ func parseWatchlistItem(str string) (watchlistItem, error) {
} }
} }
if *bygoneSSL && validAt == nil {
return watchlistItem{}, fmt.Errorf("`%s' must have valid_at argument when using -bygonessl", domain)
}
// parse domain // parse domain
// "." as in root zone (matches everything) // "." as in root zone (matches everything)
if domain == "." { if domain == "." {
@ -164,6 +159,7 @@ func dnsNameMatches(dnsName []string, watchDomain []string, acceptSuffix bool) b
func anyDnsNameIsWatched(info *certspotter.EntryInfo) bool { func anyDnsNameIsWatched(info *certspotter.EntryInfo) bool {
dnsNames := info.Identifiers.DNSNames dnsNames := info.Identifiers.DNSNames
matched := false
for _, dnsName := range dnsNames { for _, dnsName := range dnsNames {
labels := strings.Split(dnsName, ".") labels := strings.Split(dnsName, ".")
for _, item := range watchlist { for _, item := range watchlist {
@ -175,13 +171,15 @@ func anyDnsNameIsWatched(info *certspotter.EntryInfo) bool {
if item.ValidAt.Before(*info.CertInfo.NotAfter()) && if item.ValidAt.Before(*info.CertInfo.NotAfter()) &&
item.ValidAt.After(*info.CertInfo.NotBefore()) { item.ValidAt.After(*info.CertInfo.NotBefore()) {
info.Bygone = true info.Bygone = true
}
}
return true return true
} }
} }
// keep iterating in case another domain watched matches valid_at
matched = true
} }
return false }
}
return matched
} }
func processEntry(scanner *certspotter.Scanner, entry *ct.LogEntry) { func processEntry(scanner *certspotter.Scanner, entry *ct.LogEntry) {
@ -203,11 +201,9 @@ func processEntry(scanner *certspotter.Scanner, entry *ct.LogEntry) {
// doesn't match a domain we care about. We try very hard to make sure // doesn't match a domain we care about. We try very hard to make sure
// parsing identifiers always succeeds, so false alarms should be rare. // parsing identifiers always succeeds, so false alarms should be rare.
if info.Identifiers == nil || anyDnsNameIsWatched(&info) { if info.Identifiers == nil || anyDnsNameIsWatched(&info) {
if !*bygoneSSL || info.Bygone {
cmd.LogEntry(&info) cmd.LogEntry(&info)
} }
} }
}
func main() { func main() {
flag.Parse() flag.Parse()
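Review bot: The rewritten body of anyDnsNameIsWatched now has two distinct outcomes — an immediate `return true` that also sets `info.Bygone` when a matching item's valid_at lies inside the certificate's validity window, versus a full scan that ends in `return matched` — but the function, whose declaration sits in the preceding hunk, carries no doc comment describing this contract or the side effect on `info`. Suggest adding above `func anyDnsNameIsWatched`: `// anyDnsNameIsWatched reports whether any DNS name in info matches a watchlist item. It sets info.Bygone and stops scanning at the first match whose valid_at falls within the certificate's validity period; otherwise every name and item is checked.` Worth stating in that comment (or extending the `// keep iterating in case another domain watched matches valid_at` line) is that a non-bygone match no longer short-circuits, so every matching entry now pays the full names × watchlist walk where the old code returned on the first hit; if the watchlist is known to contain no valid_at items that cost is avoidable, but whether such a check exists elsewhere is not visible in this diff.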