eded2ff458
Ensure ParseDNSNames does not return a nil slice
2016-03-22 17:17:38 -07:00
3b59332bf1
Rename a function for clarity
2016-03-17 16:34:53 -07:00
a071e9490a
Replace embedded X509 parser with my own lightweight parser
2016-03-16 16:59:37 -07:00
5ccf9fdcd3
ctwatch: allow state dir to be set by $CTWATCH_STATE_DIR
2016-03-08 07:09:26 -08:00
f988d05b4b
Decode JSON directly into []byte
...
Simplifies the code and hopefully reduces memory usage
2016-03-08 07:01:10 -08:00
2608a74e66
Make trailing garbage a fatal error when extracting DNS names
...
Logging something to stderr was not helpful, and it's best to be
on the safe side anyways.
Whitelist a single null byte following the SAN extension. This
is a harmless and common error.
As of now, all certificates in the CT logs parse successfully.
2016-02-22 19:37:03 -08:00
08fa700d29
scanner: don't prefix log messages with log URI
...
It's redundant now that we're setting prefix with log.SetPrefix()
2016-02-22 19:23:08 -08:00
5803389588
Fix some pointer inconsistencies in code
2016-02-22 15:29:52 -08:00
09c37cfdfd
Clarify a flag
2016-02-22 15:14:17 -08:00
8f3bd3b6ff
Improve logging
2016-02-22 14:58:11 -08:00
b297ba9967
Use bits in the exit code to convey what happened
2016-02-22 14:45:50 -08:00
40123f9ba8
Allow . to be specified on stdin as well
2016-02-22 14:18:56 -08:00
94ccbc0a4f
Add backoff during fetch errors
2016-02-22 14:11:47 -08:00
df6527b165
Change -all_time to only affect logs we haven't seen before
...
It's more useful this way - there's no sense in scanning logs we've
already scanned.
I need a better name for this switch, though.
2016-02-20 12:04:07 -08:00
ff44576c87
Save old and new STHs if consistency proof fails
2016-02-18 12:40:21 -08:00
672491e065
Fix bug where we were returning a nil tree builder
2016-02-18 11:58:00 -08:00
16bf546258
Embed Google CT library, with my own changes
2016-02-18 10:44:56 -08:00
3c33dc8277
Remove sha1watch
2016-02-18 10:41:55 -08:00
e91d7bacbd
Minor cleanup to improve encapsulation
2016-02-18 10:23:07 -08:00
b47d35a005
Rename some types/functions for clarity
2016-02-18 10:15:56 -08:00
35eef25f4a
Rename function for clarity
2016-02-18 10:09:33 -08:00
9558efc955
Verify STH signatures
2016-02-17 16:03:49 -08:00
4b304fd192
Audit Merkle tree when retrieving entries
...
Also add an -all_time command line option to retrieve all certificates,
not just the ones since the last scan.
2016-02-17 14:54:40 -08:00
b6dec7822d
Overhaul to be more robust and simpler
...
All certificates are now parsed with a special, extremely
lax parser that extracts only the DNS names. Only if the
DNS names match the domains we're interested in will we attempt
to parse the cert with the real X509 parser. This ensures that
we won't miss a very badly encoded certificate that has been
issued for a monitored domain.
As of the time of commit, the lax parser is able to process every
logged certificate in the known logs.
2016-02-09 10:28:52 -08:00
1dcbe91877
WriteCertRepository: avoid serializing precerts twice
...
With pre-certs, Chain[0] is the pre-cert itself.
2016-02-07 14:47:05 -08:00
a79cc26570
Include filename of saved cert in output/script invocation
2016-02-05 08:20:12 -08:00
cfaf126284
To monitor all domains, require "." to be specified
...
Now that we save all certs by default, we want to prevent people
from accidentally monitoring all domains, which could lead to MASSIVE
disk usage.
"." is used because it denotes the root zone in DNS.
2016-02-05 08:13:11 -08:00
e73a5a89a7
Ignore non-fatal errors when parsing root certificates
2016-02-05 07:57:15 -08:00
678e8bddc8
Include log URI in error messages
2016-02-05 07:47:42 -08:00
1b17c25747
Decrease log severity of non-fatal parse errors
...
These errors are for things like unhandled critical extensions. The cert
is still processed, so it's not such a bad thing.
2016-02-05 07:45:49 -08:00
3f596730a0
New and simplified multi-log operation
2016-02-04 20:16:25 -08:00
a418a3686d
Initial commit
2016-02-04 18:46:19 -08:00
Andrew Ayer