Commit Graph

177 Commits

Author SHA1 Message Date
Andrew Ayer 2608a74e66 Make trailing garbage a fatal error when extracting DNS names
Logging something to stderr was not helpful, and it's best to be
on the safe side anyways.

Whitelist a single null byte following the SAN extension.  This
is a harmless and common error.

As of now, all certificates in the CT logs parse successfully.
2016-02-22 19:37:03 -08:00
Andrew Ayer 08fa700d29 scanner: don't prefix log messages with log URI
It's redundant now that we're setting prefix with log.SetPrefix()
2016-02-22 19:23:08 -08:00
Andrew Ayer 5803389588 Fix some pointer inconsistencies in code 2016-02-22 15:29:52 -08:00
Andrew Ayer 09c37cfdfd Clarify a flag 2016-02-22 15:14:17 -08:00
Andrew Ayer 8f3bd3b6ff Improve logging 2016-02-22 14:58:11 -08:00
Andrew Ayer b297ba9967 Use bits in the exit code to convey what happened 2016-02-22 14:45:50 -08:00
Andrew Ayer 40123f9ba8 Allow . to be specified on stdin as well 2016-02-22 14:18:56 -08:00
Andrew Ayer 94ccbc0a4f Add backoff during fetch errors 2016-02-22 14:11:47 -08:00
Andrew Ayer df6527b165 Change -all_time to only affect logs we haven't seen before
It's more useful this way - there's no sense in scanning logs we've
already scanned.

I need a better name for this switch, though.
2016-02-20 12:04:07 -08:00
Andrew Ayer ff44576c87 Save old and new STHs if consistency proof fails 2016-02-18 12:40:21 -08:00
Andrew Ayer 672491e065 Fix bug where we were returning a nil tree builder 2016-02-18 11:58:00 -08:00
Andrew Ayer 16bf546258 Embed Google CT library, with my own changes 2016-02-18 10:44:56 -08:00
Andrew Ayer 3c33dc8277 Remove sha1watch 2016-02-18 10:41:55 -08:00
Andrew Ayer e91d7bacbd Minor cleanup to improve encapsulation 2016-02-18 10:23:07 -08:00
Andrew Ayer b47d35a005 Rename some types/functions for clarity 2016-02-18 10:15:56 -08:00
Andrew Ayer 35eef25f4a Rename function for clarity 2016-02-18 10:09:33 -08:00
Andrew Ayer 9558efc955 Verify STH signatures 2016-02-17 16:03:49 -08:00
Andrew Ayer 4b304fd192 Audit Merkle tree when retrieving entries
Also add an -all_time command line option to retrieve all certificates,
not just the ones since the last scan.
2016-02-17 14:54:40 -08:00
Andrew Ayer b6dec7822d Overhaul to be more robust and simpler
All certificates are now parsed with a special, extremely
lax parser that extracts only the DNS names.  Only if the
DNS names match the domains we're interested in will we attempt
to parse the cert with the real X509 parser.  This ensures that
we won't miss a very badly encoded certificate that has been
issued for a monitored domain.

As of the time of commit, the lax parser is able to process every
logged certificate in the known logs.
2016-02-09 10:28:52 -08:00
Andrew Ayer 1dcbe91877 WriteCertRepository: avoid serializing precerts twice
With pre-certs, Chain[0] is the pre-cert itself.
2016-02-07 14:47:05 -08:00
Andrew Ayer a79cc26570 Include filename of saved cert in output/script invocation 2016-02-05 08:20:12 -08:00
Andrew Ayer cfaf126284 To monitor all domains, require "." to be specified
Now that we save all certs by default, we want to prevent people
from accidentally monitoring all domains, which could lead to MASSIVE
disk usage.

"." is used because it denotes the root zone in DNS.
2016-02-05 08:13:11 -08:00
Andrew Ayer e73a5a89a7 Ignore non-fatal errors when parsing root certificates 2016-02-05 07:57:15 -08:00
Andrew Ayer 678e8bddc8 Include log URI in error messages 2016-02-05 07:47:42 -08:00
Andrew Ayer 1b17c25747 Decrease log severity of non-fatal parse errors
These errors are for things like unhandled critical extensions.  The cert
is still processed, so it's not such a bad thing.
2016-02-05 07:45:49 -08:00
Andrew Ayer 3f596730a0 New and simplified multi-log operation 2016-02-04 20:16:25 -08:00
Andrew Ayer a418a3686d Initial commit 2016-02-04 18:46:19 -08:00