Andrew Ayer
c36452f67a
Improve log client error messages
2016-08-25 16:04:29 -07:00
Andrew Ayer
1af6309367
Define tagUTCTime and tagGeneralizedTime
...
They're only exported in Go1.6 and I'd like to support Go1.5 as well.
Closes : #15
2016-08-20 19:43:44 -07:00
Andrew Ayer
b1dc229785
Fix typo
2016-07-28 15:52:32 -07:00
Andrew Ayer
1f97fb3a13
Suppress duplicate identifiers
2016-07-28 14:00:15 -07:00
Andrew Ayer
6cae4942e4
Identifiers: abstract out appendIPAddress
2016-07-28 13:53:24 -07:00
Jonathan Rudenberg
c217200b96
Return errors from InvokeHookScript instead of failing silently
...
Signed-off-by: Jonathan Rudenberg <jonathan@titanous.com>
2016-07-28 12:26:58 -07:00
Jonathan Rudenberg
acc6781f29
Run gofmt
...
Signed-off-by: Jonathan Rudenberg <jonathan@titanous.com>
2016-07-28 14:55:46 -04:00
Andrew Ayer
38b9c920eb
Add README
2016-07-27 14:17:53 -07:00
Andrew Ayer
1dc7e1cda9
Refine command line flag descriptions
2016-07-27 14:14:09 -07:00
Andrew Ayer
902755d4e8
Don't enforce public key compliance
...
You have to trust the public key anyways, so compliance checks are
superfluous.
2016-07-26 17:00:01 -07:00
Andrew Ayer
f75c47d9ca
Always store files in ~/.certspotter, even if running as root
2016-07-26 16:57:26 -07:00
Andrew Ayer
c185657181
Remove Izenpe log, add CNNIC
2016-07-19 10:46:15 -07:00
Andrew Ayer
cf8a5d8703
Remove description field from logs.go
2016-07-19 10:39:01 -07:00
Andrew Ayer
37bc55be2d
Add key hash to logs.go
2016-07-19 10:32:05 -07:00
Andrew Ayer
ebdf2af720
Add some comments
2016-07-19 10:31:23 -07:00
Andrew Ayer
19e05b901a
Remove some dead code from the scanner
2016-06-22 10:32:42 -07:00
Andrew Ayer
74f9ceb6a2
Add attribution of the ct sub-directory
2016-06-22 10:30:16 -07:00
Andrew Ayer
724517e4c4
Update crt.sh link to use sha256= instead of q=
2016-06-20 15:23:15 -07:00
Andrew Ayer
fa1236f434
Use a switch statement instead of an if statement
...
This will make it cleaner to handle other extension types
2016-06-08 15:57:56 -07:00
Andrew Ayer
196bd864cd
Properly handle non-200 responses from logs
2016-06-08 15:18:28 -07:00
Andrew Ayer
1fc964732b
Allow public key to be omitted from log JSON file
...
In which case signatures are not checked.
2016-06-03 08:10:38 -07:00
Andrew Ayer
2c8cb1f402
Return exit code from cmd.Main instead of exiting directly
...
This allows the calling code to do custom cleanup.
2016-06-03 07:21:08 -07:00
Andrew Ayer
6db3f7564c
Add function to reconstruct pre-cert TBS from cert TBS
2016-05-16 11:33:03 -07:00
Andrew Ayer
ae59c317dc
Ignore empty DNS names
2016-05-13 10:31:13 -07:00
Andrew Ayer
2bed88e7c5
Rework watchlist
...
Watchlist is now read from ~/.certspotter/watchlist by default, or from
the file specified by -watchlist (- for stdin).
By default, only exact DNS names are matched. To match both the domain
itself and all sub-domains, prefix with a dot (e.g. .example.com).
Comments are now allowed in watchlist files.
2016-05-12 11:30:59 -07:00
Andrew Ayer
7196ec5217
Use $CERTSPOTTER_STATE_DIR to specify state directory
2016-05-12 10:53:57 -07:00
Andrew Ayer
dac062e17d
Add unit tests for MatchesWildcard
2016-05-10 14:29:10 -07:00
Andrew Ayer
f9432ae4b9
Reverse order of certspotter.MatchesWildcard arguments
2016-05-10 14:29:04 -07:00
Andrew Ayer
92fbdcb947
Support crazy wildcards (not just in the left-most label)
2016-05-10 10:37:10 -07:00
Andrew Ayer
e99ee481a4
Disable check of pre-cert poision value
...
Too many pre-certs in the logs with the wrong value :-(
2016-05-09 15:46:14 -07:00
Andrew Ayer
9342adcd93
Tighten up the cert information output
...
Remove subject and SANs since they are redundant with earlier identifier
listing. Remove serial number because who cares? Put type of entry
on same line as log entry info.
If people want this info they can always examine the saved file or the
crt.sh page.
2016-05-09 15:43:19 -07:00
Andrew Ayer
b79cb31413
Move package to software.sslmate.com/src/certspotter
2016-05-04 12:19:59 -07:00
Andrew Ayer
1e582e2e0c
License under the MPL 2.0
2016-05-04 11:56:13 -07:00
Andrew Ayer
670cddafbc
Rename project to certspotter
2016-05-04 11:49:07 -07:00
Andrew Ayer
ea3db97486
Only replace DNS label with placeholder if it's utterly unparsable
...
e.g. contains control characters, Punycode conversion fails
There are quite simply too many certs with bogus DNS labels out in the wild,
and it just doesn't make sense to bother every .com domain holder because
GoDaddy signed a cert with a DNS name like "www. just4funpartyrentals.com"
It is highly unlikely any validator will ever match that DNS name.
2016-05-04 11:43:02 -07:00
Andrew Ayer
60636ba2d7
Move Identifiers from CertInfo to EntryInfo
...
It's more logical, and it avoids some redundant parsing.
2016-05-03 11:58:59 -07:00
Andrew Ayer
5f4e35843a
Display SANs in output
2016-05-02 11:59:55 -07:00
Andrew Ayer
df5ad71a40
Support for IP addresses encoded as strings in CNs/DNS SANs
2016-05-02 11:38:08 -07:00
Andrew Ayer
82167b8151
Additional handling of pathological DNS names
...
1. Trim leading and trailing whitespace of DNS names.
2. Trim http:// and https:// prefixes.
3. If DNS name contains a slash, ALSO process the DNS name up to
the first slash, since it's probably a URL.
2016-05-01 17:02:52 -07:00
Andrew Ayer
3ec8a0a3db
Ignore IP address SANs with an invalid length
2016-05-01 14:52:19 -07:00
Andrew Ayer
ca8f60740a
Trim trailing dots from DNS names
2016-05-01 12:49:26 -07:00
Andrew Ayer
3c220e56f6
scanner: reduce channel queue buffer length
...
To keep memory consumption down
2016-05-01 12:49:07 -07:00
Andrew Ayer
a0859acad3
Remove defunct Certly log
2016-04-30 15:03:16 -07:00
Andrew Ayer
847b7129e8
Monitor for all DNS names that _might_ match a monitored domain
...
Wildcards, redacted labels, and unparseable labels.
2016-04-29 09:02:03 -07:00
Andrew Ayer
ec68dde647
Only allow * and ? as entire DNS name labels
2016-04-29 08:45:54 -07:00
Andrew Ayer
2c9df274e9
Gracefully handle all manner of poorly encoded identifiers
...
Also add preliminary support for IP address identifiers.
2016-04-28 22:00:32 -07:00
Andrew Ayer
a072440db8
Handle certificates with multiple Basic Constraints extensions
2016-04-26 18:06:59 -07:00
Andrew Ayer
65ed742477
Support wildcards
...
For example, if you're watching subdomain.example.com, a cert for
*.example.com will now match.
2016-04-26 14:49:39 -07:00
Andrew Ayer
4132ed5e9f
Add support for IDNs
...
IDNs can be specified in either Unicode or ASCII (as Punycode).
Certs can specify the DNS name either way, and we'll match it.
2016-04-26 14:38:09 -07:00
Andrew Ayer
19c5f86d23
Allow DNS SANs to contain UTF-8
...
There are too many certs in the wild which have UTF-8 in their DNS SANs.
2016-04-26 14:14:08 -07:00