changed bygonessl behavior
This commit is contained in:
parent
1b4943c198
commit
6991be261c
7
README
7
README
|
@ -81,8 +81,6 @@ COMMAND LINE FLAGS
|
|||
Default: use the logs trusted by Chromium.
|
||||
-state_dir PATH
|
||||
Directory for storing state. Default: ~/.certspotter
|
||||
-bygonessl
|
||||
Only print certificates which predate domain registration and live into it (requires 'valid_at' option in watchlist)
|
||||
-verbose
|
||||
Be verbose.
|
||||
|
||||
|
@ -140,9 +138,6 @@ Cert Spotter can also notify users of bygone SSL certificates, which are SSL
|
|||
certificates that outlived their prior domain owner's registration into the
|
||||
next owners registration. To detect these certificates add a valid_at
|
||||
argument to each domain in the watchlist followed by the date the domain was
|
||||
registered in t he following format YYYY-MM-DD. For example:
|
||||
registered in the following format YYYY-MM-DD. For example:
|
||||
example.com valid_at:2014-05-02
|
||||
|
||||
The optional -bygonessl flag will cause Cert Spotter to only match bygone SSL
|
||||
certificates.
|
||||
|
||||
|
|
|
@ -51,7 +51,6 @@ func trimTrailingDots(value string) string {
|
|||
|
||||
var stateDir = flag.String("state_dir", defaultStateDir(), "Directory for storing state")
|
||||
var watchlistFilename = flag.String("watchlist", filepath.Join(defaultConfigDir(), "watchlist"), "File containing identifiers to watch (- for stdin)")
|
||||
var bygoneSSL = flag.Bool("bygonessl", false, "Only print certificates which predate domain registration and live into it (requires 'valid_at' option in watchlist)")
|
||||
|
||||
type watchlistItem struct {
|
||||
Domain []string
|
||||
|
@ -87,10 +86,6 @@ func parseWatchlistItem(str string) (watchlistItem, error) {
|
|||
}
|
||||
}
|
||||
|
||||
if *bygoneSSL && validAt == nil {
|
||||
return watchlistItem{}, fmt.Errorf("`%s' must have valid_at argument when using -bygonessl", domain)
|
||||
}
|
||||
|
||||
// parse domain
|
||||
// "." as in root zone (matches everything)
|
||||
if domain == "." {
|
||||
|
@ -164,6 +159,7 @@ func dnsNameMatches(dnsName []string, watchDomain []string, acceptSuffix bool) b
|
|||
|
||||
func anyDnsNameIsWatched(info *certspotter.EntryInfo) bool {
|
||||
dnsNames := info.Identifiers.DNSNames
|
||||
matched := false
|
||||
for _, dnsName := range dnsNames {
|
||||
labels := strings.Split(dnsName, ".")
|
||||
for _, item := range watchlist {
|
||||
|
@ -175,13 +171,15 @@ func anyDnsNameIsWatched(info *certspotter.EntryInfo) bool {
|
|||
if item.ValidAt.Before(*info.CertInfo.NotAfter()) &&
|
||||
item.ValidAt.After(*info.CertInfo.NotBefore()) {
|
||||
info.Bygone = true
|
||||
}
|
||||
}
|
||||
return true
|
||||
}
|
||||
}
|
||||
// keep iterating in case another domain watched matches valid_at
|
||||
matched = true
|
||||
}
|
||||
return false
|
||||
}
|
||||
}
|
||||
return matched
|
||||
}
|
||||
|
||||
func processEntry(scanner *certspotter.Scanner, entry *ct.LogEntry) {
|
||||
|
@ -203,10 +201,8 @@ func processEntry(scanner *certspotter.Scanner, entry *ct.LogEntry) {
|
|||
// doesn't match a domain we care about. We try very hard to make sure
|
||||
// parsing identifiers always succeeds, so false alarms should be rare.
|
||||
if info.Identifiers == nil || anyDnsNameIsWatched(&info) {
|
||||
if !*bygoneSSL || info.Bygone {
|
||||
cmd.LogEntry(&info)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func main() {
|
||||
|
|
Loading…
Reference in New Issue