changed bygonessl behavior
This commit is contained in:
parent
1b4943c198
commit
6991be261c
7
README
7
README
|
@ -81,8 +81,6 @@ COMMAND LINE FLAGS
|
||||||
Default: use the logs trusted by Chromium.
|
Default: use the logs trusted by Chromium.
|
||||||
-state_dir PATH
|
-state_dir PATH
|
||||||
Directory for storing state. Default: ~/.certspotter
|
Directory for storing state. Default: ~/.certspotter
|
||||||
-bygonessl
|
|
||||||
Only print certificates which predate domain registration and live into it (requires 'valid_at' option in watchlist)
|
|
||||||
-verbose
|
-verbose
|
||||||
Be verbose.
|
Be verbose.
|
||||||
|
|
||||||
|
@ -140,9 +138,6 @@ Cert Spotter can also notify users of bygone SSL certificates, which are SSL
|
||||||
certificates that outlived their prior domain owner's registration into the
|
certificates that outlived their prior domain owner's registration into the
|
||||||
next owners registration. To detect these certificates add a valid_at
|
next owners registration. To detect these certificates add a valid_at
|
||||||
argument to each domain in the watchlist followed by the date the domain was
|
argument to each domain in the watchlist followed by the date the domain was
|
||||||
registered in t he following format YYYY-MM-DD. For example:
|
registered in the following format YYYY-MM-DD. For example:
|
||||||
example.com valid_at:2014-05-02
|
example.com valid_at:2014-05-02
|
||||||
|
|
||||||
The optional -bygonessl flag will cause Cert Spotter to only match bygone SSL
|
|
||||||
certificates.
|
|
||||||
|
|
||||||
|
|
|
@ -51,7 +51,6 @@ func trimTrailingDots(value string) string {
|
||||||
|
|
||||||
var stateDir = flag.String("state_dir", defaultStateDir(), "Directory for storing state")
|
var stateDir = flag.String("state_dir", defaultStateDir(), "Directory for storing state")
|
||||||
var watchlistFilename = flag.String("watchlist", filepath.Join(defaultConfigDir(), "watchlist"), "File containing identifiers to watch (- for stdin)")
|
var watchlistFilename = flag.String("watchlist", filepath.Join(defaultConfigDir(), "watchlist"), "File containing identifiers to watch (- for stdin)")
|
||||||
var bygoneSSL = flag.Bool("bygonessl", false, "Only print certificates which predate domain registration and live into it (requires 'valid_at' option in watchlist)")
|
|
||||||
|
|
||||||
type watchlistItem struct {
|
type watchlistItem struct {
|
||||||
Domain []string
|
Domain []string
|
||||||
|
@ -87,10 +86,6 @@ func parseWatchlistItem(str string) (watchlistItem, error) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if *bygoneSSL && validAt == nil {
|
|
||||||
return watchlistItem{}, fmt.Errorf("`%s' must have valid_at argument when using -bygonessl", domain)
|
|
||||||
}
|
|
||||||
|
|
||||||
// parse domain
|
// parse domain
|
||||||
// "." as in root zone (matches everything)
|
// "." as in root zone (matches everything)
|
||||||
if domain == "." {
|
if domain == "." {
|
||||||
|
@ -164,6 +159,7 @@ func dnsNameMatches(dnsName []string, watchDomain []string, acceptSuffix bool) b
|
||||||
|
|
||||||
func anyDnsNameIsWatched(info *certspotter.EntryInfo) bool {
|
func anyDnsNameIsWatched(info *certspotter.EntryInfo) bool {
|
||||||
dnsNames := info.Identifiers.DNSNames
|
dnsNames := info.Identifiers.DNSNames
|
||||||
|
matched := false
|
||||||
for _, dnsName := range dnsNames {
|
for _, dnsName := range dnsNames {
|
||||||
labels := strings.Split(dnsName, ".")
|
labels := strings.Split(dnsName, ".")
|
||||||
for _, item := range watchlist {
|
for _, item := range watchlist {
|
||||||
|
@ -175,13 +171,15 @@ func anyDnsNameIsWatched(info *certspotter.EntryInfo) bool {
|
||||||
if item.ValidAt.Before(*info.CertInfo.NotAfter()) &&
|
if item.ValidAt.Before(*info.CertInfo.NotAfter()) &&
|
||||||
item.ValidAt.After(*info.CertInfo.NotBefore()) {
|
item.ValidAt.After(*info.CertInfo.NotBefore()) {
|
||||||
info.Bygone = true
|
info.Bygone = true
|
||||||
}
|
|
||||||
}
|
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
// keep iterating in case another domain watched matches valid_at
|
||||||
|
matched = true
|
||||||
}
|
}
|
||||||
return false
|
}
|
||||||
|
}
|
||||||
|
return matched
|
||||||
}
|
}
|
||||||
|
|
||||||
func processEntry(scanner *certspotter.Scanner, entry *ct.LogEntry) {
|
func processEntry(scanner *certspotter.Scanner, entry *ct.LogEntry) {
|
||||||
|
@ -203,10 +201,8 @@ func processEntry(scanner *certspotter.Scanner, entry *ct.LogEntry) {
|
||||||
// doesn't match a domain we care about. We try very hard to make sure
|
// doesn't match a domain we care about. We try very hard to make sure
|
||||||
// parsing identifiers always succeeds, so false alarms should be rare.
|
// parsing identifiers always succeeds, so false alarms should be rare.
|
||||||
if info.Identifiers == nil || anyDnsNameIsWatched(&info) {
|
if info.Identifiers == nil || anyDnsNameIsWatched(&info) {
|
||||||
if !*bygoneSSL || info.Bygone {
|
|
||||||
cmd.LogEntry(&info)
|
cmd.LogEntry(&info)
|
||||||
}
|
}
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
|
|
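Review bot: In the fourth hunk (`@ -175,13 +171,15`) the bygone test in anyDnsNameIsWatched still dereferences `*info.CertInfo.NotAfter()` and `*info.CertInfo.NotBefore()` with no nil check; if those accessors return nil when a certificate's validity could not be parsed (CertInfo is not visible here, so this is inferred), a single malformed log entry would panic the whole monitor, which for a CT watcher is an availability problem that anyone able to get an entry logged could trigger. A guard such as `if nb, na := info.CertInfo.NotBefore(), info.CertInfo.NotAfter(); nb != nil && na != nil && item.ValidAt.After(*nb) && item.ValidAt.Before(*na) {` keeps the ordinary match and only skips the bygone flag. Before/After are also strict, so a valid_at date that lands exactly on NotBefore or NotAfter (the watchlist date is parsed to a day boundary) is never flagged; either a comment stating that this is intended or the `!Before`/`!After` forms would make the boundary explicit. Since the function now has a side effect on its argument, it deserves a doc comment, e.g. `// anyDnsNameIsWatched reports whether any DNS name in info matches the watchlist; it also sets info.Bygone when a matching entry's valid_at date falls inside the certificate's validity period.` The body of processEntry in the last hunk continues outside the hunk.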