Tandem
/
certspotter
mirror of https://github.com/SSLMate/certspotter.git
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Monitor for all DNS names that _might_ match a monitored domain 

Wildcards, redacted labels, and unparseable labels.
This commit is contained in:
Andrew Ayer 2016-04-29 09:02:03 -07:00
parent ec68dde647
commit 847b7129e8
2 changed files with 20 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
cmd/ctwatch/main.go
View File

@ -26,6 +26,11 @@ var stateDir = flag.String("state_dir", DefaultStateDir(), "Directory for storin
var watchDomains []string var watchDomains []string
var watchDomainSuffixes []string var watchDomainSuffixes []string
func addWatchDomain (asciiDomain string) {
watchDomains = append(watchDomains, asciiDomain)
watchDomainSuffixes = append(watchDomainSuffixes, "." + asciiDomain)
}
func setWatchDomains (domains []string) error { func setWatchDomains (domains []string) error {
for _, domain := range domains { for _, domain := range domains {
if domain == "." { // "." as in root zone (matches everything) if domain == "." { // "." as in root zone (matches everything)
@ -38,15 +43,21 @@ func setWatchDomains (domains []string) error {
return fmt.Errorf("Invalid domain `%s': %s", domain, err) return fmt.Errorf("Invalid domain `%s': %s", domain, err)
} }
watchDomains = append(watchDomains, asciiDomain) addWatchDomain(asciiDomain)
watchDomainSuffixes = append(watchDomainSuffixes, "." + asciiDomain)
// Also monitor DNS names that _might_ match this domain (wildcards,
// label redactions, and unparseable labels).
// For example, if we're monitoring sub.example.com, also monitor:
// *.example.com
// ?.example.com
// <invalid>.example.com
var parentDomain string
if dot := strings.IndexRune(asciiDomain, '.'); dot != -1 { if dot := strings.IndexRune(asciiDomain, '.'); dot != -1 {
// also look for wildcard names that could match parentDomain = asciiDomain[dot:]
// TODO: support exotic wildcards (wildcards besides "*.<DOMAIN>") in case there are CAs that issue them (there are) and clients that support them (less clear)
watchDomains = append(watchDomains, "*" + asciiDomain[dot:])
// TODO: optionally match ?.<DOMAIN> and <invalid>.<DOMAIN> also
} }
addWatchDomain("*" + parentDomain)
addWatchDomain("?" + parentDomain)
addWatchDomain(ctwatch.InvalidDNSLabelPlaceholder + parentDomain)
} }
} }
return nil return nil

6
identifiers.go
View File

@ -9,7 +9,7 @@ import (
"golang.org/x/net/idna" "golang.org/x/net/idna"
) )
const invalidDNSLabelPlaceholder = "<invalid>" const InvalidDNSLabelPlaceholder = "<invalid>"
/* /*
const ( const (
@ -93,7 +93,7 @@ func sanitizeDNSName (value string) string {
labels := strings.Split(value, ".") labels := strings.Split(value, ".")
for i, label := range labels { for i, label := range labels {
if !isValidDNSLabel(label) { if !isValidDNSLabel(label) {
labels[i] = invalidDNSLabelPlaceholder labels[i] = InvalidDNSLabelPlaceholder
} }
} }
return strings.Join(labels, ".") return strings.Join(labels, ".")
@ -107,7 +107,7 @@ func sanitizeUnicodeDNSName (value string) string {
if asciiLabel, err := idna.ToASCII(label); err == nil && isValidDNSLabel(asciiLabel) { if asciiLabel, err := idna.ToASCII(label); err == nil && isValidDNSLabel(asciiLabel) {
labels[i] = asciiLabel labels[i] = asciiLabel
} else { } else {
labels[i] = invalidDNSLabelPlaceholder labels[i] = InvalidDNSLabelPlaceholder
} }
} }
return strings.Join(labels, ".") return strings.Join(labels, ".")