Tandem
/
certspotter
mirror of https://github.com/SSLMate/certspotter.git
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

changed bygonessl behavior

This commit is contained in:
Ian Foster 2018-07-19 16:12:17 -07:00
parent 1b4943c198
commit 6991be261c
2 changed files with 7 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
README
View File

@ -81,8 +81,6 @@ COMMAND LINE FLAGS
Default: use the logs trusted by Chromium. Default: use the logs trusted by Chromium.
-state_dir PATH -state_dir PATH
Directory for storing state. Default: ~/.certspotter Directory for storing state. Default: ~/.certspotter
-bygonessl
Only print certificates which predate domain registration and live into it (requires 'valid_at' option in watchlist)
-verbose -verbose
Be verbose. Be verbose.
@ -140,9 +138,6 @@ Cert Spotter can also notify users of bygone SSL certificates, which are SSL
certificates that outlived their prior domain owner's registration into the certificates that outlived their prior domain owner's registration into the
next owners registration. To detect these certificates add a valid_at next owners registration. To detect these certificates add a valid_at
argument to each domain in the watchlist followed by the date the domain was argument to each domain in the watchlist followed by the date the domain was
registered in t he following format YYYY-MM-DD. For example: registered in the following format YYYY-MM-DD. For example:
example.com valid_at:2014-05-02 example.com valid_at:2014-05-02
The optional -bygonessl flag will cause Cert Spotter to only match bygone SSL
certificates.

16
cmd/certspotter/main.go
View File

@ -51,7 +51,6 @@ func trimTrailingDots(value string) string {
var stateDir = flag.String("state_dir", defaultStateDir(), "Directory for storing state") var stateDir = flag.String("state_dir", defaultStateDir(), "Directory for storing state")
var watchlistFilename = flag.String("watchlist", filepath.Join(defaultConfigDir(), "watchlist"), "File containing identifiers to watch (- for stdin)") var watchlistFilename = flag.String("watchlist", filepath.Join(defaultConfigDir(), "watchlist"), "File containing identifiers to watch (- for stdin)")
var bygoneSSL = flag.Bool("bygonessl", false, "Only print certificates which predate domain registration and live into it (requires 'valid_at' option in watchlist)")
type watchlistItem struct { type watchlistItem struct {
Domain []string Domain []string
@ -87,10 +86,6 @@ func parseWatchlistItem(str string) (watchlistItem, error) {
} }
} }
if *bygoneSSL && validAt == nil {
return watchlistItem{}, fmt.Errorf("`%s' must have valid_at argument when using -bygonessl", domain)
}
// parse domain // parse domain
// "." as in root zone (matches everything) // "." as in root zone (matches everything)
if domain == "." { if domain == "." {
@ -164,6 +159,7 @@ func dnsNameMatches(dnsName []string, watchDomain []string, acceptSuffix bool) b
func anyDnsNameIsWatched(info *certspotter.EntryInfo) bool { func anyDnsNameIsWatched(info *certspotter.EntryInfo) bool {
dnsNames := info.Identifiers.DNSNames dnsNames := info.Identifiers.DNSNames
matched := false
for _, dnsName := range dnsNames { for _, dnsName := range dnsNames {
labels := strings.Split(dnsName, ".") labels := strings.Split(dnsName, ".")
for _, item := range watchlist { for _, item := range watchlist {
@ -175,13 +171,15 @@ func anyDnsNameIsWatched(info *certspotter.EntryInfo) bool {
if item.ValidAt.Before(*info.CertInfo.NotAfter()) && if item.ValidAt.Before(*info.CertInfo.NotAfter()) &&
item.ValidAt.After(*info.CertInfo.NotBefore()) { item.ValidAt.After(*info.CertInfo.NotBefore()) {
info.Bygone = true info.Bygone = true
return true
} }
} }
return true // keep iterating in case another domain watched matches valid_at
matched = true
} }
} }
} }
return false return matched
} }
func processEntry(scanner *certspotter.Scanner, entry *ct.LogEntry) { func processEntry(scanner *certspotter.Scanner, entry *ct.LogEntry) {
@ -203,9 +201,7 @@ func processEntry(scanner *certspotter.Scanner, entry *ct.LogEntry) {
// doesn't match a domain we care about. We try very hard to make sure // doesn't match a domain we care about. We try very hard to make sure
// parsing identifiers always succeeds, so false alarms should be rare. // parsing identifiers always succeeds, so false alarms should be rare.
if info.Identifiers == nil || anyDnsNameIsWatched(&info) { if info.Identifiers == nil || anyDnsNameIsWatched(&info) {
if !*bygoneSSL || info.Bygone { cmd.LogEntry(&info)
cmd.LogEntry(&info)
}
} }
} }