Rename LeafSHA256 to avoid confusion with Merkle leaves
This commit is contained in:
parent
7a8a770d99
commit
9ec3c74400
|
@ -28,7 +28,7 @@ type discoveredCert struct {
|
||||||
Info *certspotter.CertInfo
|
Info *certspotter.CertInfo
|
||||||
Chain []ct.ASN1Cert // first entry is the leaf certificate or precertificate
|
Chain []ct.ASN1Cert // first entry is the leaf certificate or precertificate
|
||||||
TBSSHA256 [32]byte // computed over Info.TBS.Raw
|
TBSSHA256 [32]byte // computed over Info.TBS.Raw
|
||||||
LeafSHA256 [32]byte // computed over Chain[0]
|
SHA256 [32]byte // computed over Chain[0]
|
||||||
PubkeySHA256 [32]byte // computed over Info.TBS.PublicKey.FullBytes
|
PubkeySHA256 [32]byte // computed over Info.TBS.PublicKey.FullBytes
|
||||||
Identifiers *certspotter.Identifiers
|
Identifiers *certspotter.Identifiers
|
||||||
CertPath string // empty if not saved on the filesystem
|
CertPath string // empty if not saved on the filesystem
|
||||||
|
@ -52,7 +52,7 @@ func (cert *discoveredCert) pemChain() []byte {
|
||||||
func (cert *discoveredCert) json() []byte {
|
func (cert *discoveredCert) json() []byte {
|
||||||
object := map[string]any{
|
object := map[string]any{
|
||||||
"tbs_sha256": hex.EncodeToString(cert.TBSSHA256[:]),
|
"tbs_sha256": hex.EncodeToString(cert.TBSSHA256[:]),
|
||||||
"cert_sha256": hex.EncodeToString(cert.LeafSHA256[:]),
|
"cert_sha256": hex.EncodeToString(cert.SHA256[:]),
|
||||||
"pubkey_sha256": hex.EncodeToString(cert.PubkeySHA256[:]),
|
"pubkey_sha256": hex.EncodeToString(cert.PubkeySHA256[:]),
|
||||||
"issuer_der": cert.Info.TBS.Issuer.FullBytes,
|
"issuer_der": cert.Info.TBS.Issuer.FullBytes,
|
||||||
"subject_der": cert.Info.TBS.Subject.FullBytes,
|
"subject_der": cert.Info.TBS.Subject.FullBytes,
|
||||||
|
@ -103,8 +103,8 @@ func (cert *discoveredCert) Environ() []string {
|
||||||
"ENTRY_INDEX=" + fmt.Sprint(cert.LogEntry.Index),
|
"ENTRY_INDEX=" + fmt.Sprint(cert.LogEntry.Index),
|
||||||
"WATCH_ITEM=" + cert.WatchItem.String(),
|
"WATCH_ITEM=" + cert.WatchItem.String(),
|
||||||
"TBS_SHA256=" + hex.EncodeToString(cert.TBSSHA256[:]),
|
"TBS_SHA256=" + hex.EncodeToString(cert.TBSSHA256[:]),
|
||||||
"CERT_SHA256=" + hex.EncodeToString(cert.LeafSHA256[:]),
|
"CERT_SHA256=" + hex.EncodeToString(cert.SHA256[:]),
|
||||||
"FINGERPRINT=" + hex.EncodeToString(cert.LeafSHA256[:]), // backwards compat with pre-0.15.0; not documented
|
"FINGERPRINT=" + hex.EncodeToString(cert.SHA256[:]), // backwards compat with pre-0.15.0; not documented
|
||||||
"PUBKEY_SHA256=" + hex.EncodeToString(cert.PubkeySHA256[:]),
|
"PUBKEY_SHA256=" + hex.EncodeToString(cert.PubkeySHA256[:]),
|
||||||
"PUBKEY_HASH=" + hex.EncodeToString(cert.PubkeySHA256[:]), // backwards compat with pre-0.15.0; not documented
|
"PUBKEY_HASH=" + hex.EncodeToString(cert.PubkeySHA256[:]), // backwards compat with pre-0.15.0; not documented
|
||||||
"CERT_FILENAME=" + cert.CertPath,
|
"CERT_FILENAME=" + cert.CertPath,
|
||||||
|
@ -150,7 +150,7 @@ func (cert *discoveredCert) Text() string {
|
||||||
text := new(strings.Builder)
|
text := new(strings.Builder)
|
||||||
writeField := func(name string, value any) { fmt.Fprintf(text, "\t%13s = %s\n", name, value) }
|
writeField := func(name string, value any) { fmt.Fprintf(text, "\t%13s = %s\n", name, value) }
|
||||||
|
|
||||||
fmt.Fprintf(text, "%x:\n", cert.LeafSHA256)
|
fmt.Fprintf(text, "%x:\n", cert.SHA256)
|
||||||
for _, dnsName := range cert.Identifiers.DNSNames {
|
for _, dnsName := range cert.Identifiers.DNSNames {
|
||||||
writeField("DNS Name", dnsName)
|
writeField("DNS Name", dnsName)
|
||||||
}
|
}
|
||||||
|
@ -171,7 +171,7 @@ func (cert *discoveredCert) Text() string {
|
||||||
writeField("Not After", fmt.Sprintf("[unable to parse: %s]", cert.Info.ValidityParseError))
|
writeField("Not After", fmt.Sprintf("[unable to parse: %s]", cert.Info.ValidityParseError))
|
||||||
}
|
}
|
||||||
writeField("Log Entry", fmt.Sprintf("%d @ %s", cert.LogEntry.Index, cert.LogEntry.Log.URL))
|
writeField("Log Entry", fmt.Sprintf("%d @ %s", cert.LogEntry.Index, cert.LogEntry.Log.URL))
|
||||||
writeField("crt.sh", "https://crt.sh/?sha256="+hex.EncodeToString(cert.LeafSHA256[:]))
|
writeField("crt.sh", "https://crt.sh/?sha256="+hex.EncodeToString(cert.SHA256[:]))
|
||||||
if cert.CertPath != "" {
|
if cert.CertPath != "" {
|
||||||
writeField("Filename", cert.CertPath)
|
writeField("Filename", cert.CertPath)
|
||||||
}
|
}
|
||||||
|
|
|
@ -103,14 +103,14 @@ func processCertificate(ctx context.Context, config *Config, entry *logEntry, ce
|
||||||
Info: certInfo,
|
Info: certInfo,
|
||||||
Chain: chain,
|
Chain: chain,
|
||||||
TBSSHA256: sha256.Sum256(certInfo.TBS.Raw),
|
TBSSHA256: sha256.Sum256(certInfo.TBS.Raw),
|
||||||
LeafSHA256: sha256.Sum256(chain[0]),
|
SHA256: sha256.Sum256(chain[0]),
|
||||||
PubkeySHA256: sha256.Sum256(certInfo.TBS.PublicKey.FullBytes),
|
PubkeySHA256: sha256.Sum256(certInfo.TBS.PublicKey.FullBytes),
|
||||||
Identifiers: identifiers,
|
Identifiers: identifiers,
|
||||||
}
|
}
|
||||||
|
|
||||||
var notifiedPath string
|
var notifiedPath string
|
||||||
if config.SaveCerts {
|
if config.SaveCerts {
|
||||||
hexFingerprint := hex.EncodeToString(cert.LeafSHA256[:])
|
hexFingerprint := hex.EncodeToString(cert.SHA256[:])
|
||||||
prefixPath := filepath.Join(config.StateDir, "certs", hexFingerprint[0:2])
|
prefixPath := filepath.Join(config.StateDir, "certs", hexFingerprint[0:2])
|
||||||
|
|
||||||
for _, suffix := range []string{".notified", ".cert.pem", ".precert.pem"} {
|
for _, suffix := range []string{".notified", ".cert.pem", ".precert.pem"} {
|
||||||
|
@ -120,7 +120,7 @@ func processCertificate(ctx context.Context, config *Config, entry *logEntry, ce
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := os.Mkdir(prefixPath, 0777); err != nil && !errors.Is(err, fs.ErrExist) {
|
if err := os.Mkdir(prefixPath, 0777); err != nil && !errors.Is(err, fs.ErrExist) {
|
||||||
return fmt.Errorf("error creating directory in which to save certificate %x: %w", cert.LeafSHA256, err)
|
return fmt.Errorf("error creating directory in which to save certificate %x: %w", cert.SHA256, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
notifiedPath = filepath.Join(prefixPath, "."+hexFingerprint+".notified")
|
notifiedPath = filepath.Join(prefixPath, "."+hexFingerprint+".notified")
|
||||||
|
@ -129,19 +129,19 @@ func processCertificate(ctx context.Context, config *Config, entry *logEntry, ce
|
||||||
cert.TextPath = filepath.Join(prefixPath, hexFingerprint+".txt")
|
cert.TextPath = filepath.Join(prefixPath, hexFingerprint+".txt")
|
||||||
|
|
||||||
if err := cert.save(); err != nil {
|
if err := cert.save(); err != nil {
|
||||||
return fmt.Errorf("error saving certificate %x: %w", cert.LeafSHA256, err)
|
return fmt.Errorf("error saving certificate %x: %w", cert.SHA256, err)
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
// TODO-4: save cert to temporary files, and defer their unlinking
|
// TODO-4: save cert to temporary files, and defer their unlinking
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := notify(ctx, config, cert); err != nil {
|
if err := notify(ctx, config, cert); err != nil {
|
||||||
return fmt.Errorf("error notifying about discovered certificate for %s (%x): %w", cert.WatchItem, cert.LeafSHA256, err)
|
return fmt.Errorf("error notifying about discovered certificate for %s (%x): %w", cert.WatchItem, cert.SHA256, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
if notifiedPath != "" {
|
if notifiedPath != "" {
|
||||||
if err := os.WriteFile(notifiedPath, nil, 0666); err != nil {
|
if err := os.WriteFile(notifiedPath, nil, 0666); err != nil {
|
||||||
return fmt.Errorf("error saving certificate %x: %w", cert.LeafSHA256, err)
|
return fmt.Errorf("error saving certificate %x: %w", cert.SHA256, err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|