Add $TBS_SHA256 and tbs_sha256 to script environment and JSON

This commit is contained in:
Andrew Ayer 2023-02-05 08:30:27 -05:00
parent bc36175a53
commit c68cf401a3
2 changed files with 10 additions and 0 deletions

View File

@ -27,6 +27,7 @@ type discoveredCert struct {
LogEntry *logEntry LogEntry *logEntry
Info *certspotter.CertInfo Info *certspotter.CertInfo
Chain []ct.ASN1Cert // first entry is the leaf certificate or precertificate Chain []ct.ASN1Cert // first entry is the leaf certificate or precertificate
TBSSHA256 [32]byte // computed over Info.TBS.Raw
LeafSHA256 [32]byte // computed over Chain[0] LeafSHA256 [32]byte // computed over Chain[0]
PubkeySHA256 [32]byte // computed over Info.TBS.PublicKey.FullBytes PubkeySHA256 [32]byte // computed over Info.TBS.PublicKey.FullBytes
Identifiers *certspotter.Identifiers Identifiers *certspotter.Identifiers
@ -50,6 +51,7 @@ func (cert *discoveredCert) pemChain() []byte {
func (cert *discoveredCert) json() []byte { func (cert *discoveredCert) json() []byte {
object := map[string]any{ object := map[string]any{
"tbs_sha256": hex.EncodeToString(cert.TBSSHA256[:]),
"cert_sha256": hex.EncodeToString(cert.LeafSHA256[:]), "cert_sha256": hex.EncodeToString(cert.LeafSHA256[:]),
"pubkey_sha256": hex.EncodeToString(cert.PubkeySHA256[:]), "pubkey_sha256": hex.EncodeToString(cert.PubkeySHA256[:]),
"issuer_der": cert.Info.TBS.Issuer.FullBytes, "issuer_der": cert.Info.TBS.Issuer.FullBytes,
@ -100,6 +102,7 @@ func (cert *discoveredCert) Environ() []string {
"LOG_URI=" + cert.LogEntry.Log.URL, "LOG_URI=" + cert.LogEntry.Log.URL,
"ENTRY_INDEX=" + fmt.Sprint(cert.LogEntry.Index), "ENTRY_INDEX=" + fmt.Sprint(cert.LogEntry.Index),
"WATCH_ITEM=" + cert.WatchItem.String(), "WATCH_ITEM=" + cert.WatchItem.String(),
"TBS_SHA256=" + hex.EncodeToString(cert.TBSSHA256[:]),
"CERT_SHA256=" + hex.EncodeToString(cert.LeafSHA256[:]), "CERT_SHA256=" + hex.EncodeToString(cert.LeafSHA256[:]),
"FINGERPRINT=" + hex.EncodeToString(cert.LeafSHA256[:]), // backwards compat with pre-0.15.0; not documented "FINGERPRINT=" + hex.EncodeToString(cert.LeafSHA256[:]), // backwards compat with pre-0.15.0; not documented
"PUBKEY_SHA256=" + hex.EncodeToString(cert.PubkeySHA256[:]), "PUBKEY_SHA256=" + hex.EncodeToString(cert.PubkeySHA256[:]),

View File

@ -60,6 +60,12 @@ func processX509LogEntry(ctx context.Context, config *Config, entry *logEntry, c
} }
chain = append([]ct.ASN1Cert{cert}, chain...) chain = append([]ct.ASN1Cert{cert}, chain...)
if precertTBS, err := certspotter.ReconstructPrecertTBS(certInfo.TBS); err == nil {
certInfo.TBS = precertTBS
} else {
return processMalformedLogEntry(ctx, config, entry, fmt.Errorf("error reconstructing precertificate TBSCertificate: %w", err))
}
return processCertificate(ctx, config, entry, certInfo, chain) return processCertificate(ctx, config, entry, certInfo, chain)
} }
@ -96,6 +102,7 @@ func processCertificate(ctx context.Context, config *Config, entry *logEntry, ce
LogEntry: entry, LogEntry: entry,
Info: certInfo, Info: certInfo,
Chain: chain, Chain: chain,
TBSSHA256: sha256.Sum256(certInfo.TBS.Raw),
LeafSHA256: sha256.Sum256(chain[0]), LeafSHA256: sha256.Sum256(chain[0]),
PubkeySHA256: sha256.Sum256(certInfo.TBS.PublicKey.FullBytes), PubkeySHA256: sha256.Sum256(certInfo.TBS.PublicKey.FullBytes),
Identifiers: identifiers, Identifiers: identifiers,