Commit Graph

33 Commits

Author SHA1 Message Date
Andrew Ayer fff3b01b26 Remove an obsolete TODO 2023-01-16 18:07:28 -05:00
Andrew Ayer cd2bb429fc Remove $CERT_TYPE environment variable for -script
Since first writing certspotter, I have witnessed many people
misunderstand precertificates, and do very bad things like ignore
precertificates under the invalid rationale that "precertificates
are not trusted by browsers."  While it's true that precertificates
themselves are not trusted by browsers, a precertificate implies the
existence of a corresponding certificate that IS trusted by browsers,
and there is NO guarantee that this certificate will ever be logged to CT.
(Sectigo and Let's Encrypt do log certificates but it's on a best-effort
basis and I don't know of any other CAs that do so.)  Therefore, if
you ignore precertificates you WILL fail to be alerted about potential
security threats.

While some PKI/CT researchers may care about the distinction between
certificates and precertificates, certspotter's primary purpose is to
help domain owners monitor their domains for misissued certificates.
Since there is no need to distinguish between certificates and
precertificates for that use case, I am removing $CERT_TYPE to prevent
people from shooting themselves in the foot.  Those who do have a valid
use case for distinguishing between certificates and precertificates
can always parse $CERT_FILE themselves.
2023-01-16 18:02:25 -05:00
Andrew Ayer 8c14597721 Add IsPreCert to CertInfo 2021-10-29 09:28:39 -04:00
Ian Foster e5fd2e9efc Initial BygoneSSL support 2018-07-04 19:03:57 -07:00
Andrew Ayer ef00e22ec1 Remove unused code 2017-01-05 21:02:28 -08:00
Jonathan Rudenberg c217200b96 Return errors from InvokeHookScript instead of failing silently
Signed-off-by: Jonathan Rudenberg <jonathan@titanous.com>
2016-07-28 12:26:58 -07:00
Jonathan Rudenberg acc6781f29 Run gofmt
Signed-off-by: Jonathan Rudenberg <jonathan@titanous.com>
2016-07-28 14:55:46 -04:00
Andrew Ayer 724517e4c4 Update crt.sh link to use sha256= instead of q= 2016-06-20 15:23:15 -07:00
Andrew Ayer f9432ae4b9 Reverse order of certspotter.MatchesWildcard arguments 2016-05-10 14:29:04 -07:00
Andrew Ayer 92fbdcb947 Support crazy wildcards (not just in the left-most label) 2016-05-10 10:37:10 -07:00
Andrew Ayer 9342adcd93 Tighten up the cert information output
Remove subject and SANs since they are redundant with earlier identifier
listing.  Remove serial number because who cares?  Put type of entry
on same line as log entry info.

If people want this info they can always examine the saved file or the
crt.sh page.
2016-05-09 15:43:19 -07:00
Andrew Ayer b79cb31413 Move package to software.sslmate.com/src/certspotter 2016-05-04 12:19:59 -07:00
Andrew Ayer 1e582e2e0c License under the MPL 2.0 2016-05-04 11:56:13 -07:00
Andrew Ayer 670cddafbc Rename project to certspotter 2016-05-04 11:49:07 -07:00
Andrew Ayer 60636ba2d7 Move Identifiers from CertInfo to EntryInfo
It's more logical, and it avoids some redundant parsing.
2016-05-03 11:58:59 -07:00
Andrew Ayer 5f4e35843a Display SANs in output 2016-05-02 11:59:55 -07:00
Andrew Ayer 2c9df274e9 Gracefully handle all manner of poorly encoded identifiers
Also add preliminary support for IP address identifiers.
2016-04-28 22:00:32 -07:00
Andrew Ayer a072440db8 Handle certificates with multiple Basic Constraints extensions 2016-04-26 18:06:59 -07:00
Andrew Ayer 2d2aa37202 Parse common names separately from DNS names 2016-04-22 20:58:33 -07:00
Andrew Ayer e091186d83 Save consistency proof along with evidence of misbehavior
Although the consistency proof is neither necessary nor sufficient
to prove misbehavior by a log, this will help with debugging if a
log returns a bogus consistency proof erroneously (which seems to
be happening with the Rocketeer log lately...).
2016-04-06 08:10:06 -07:00
Andrew Ayer 80bfe1321c Add helpers to get fingerprint/hashes in byte form 2016-03-26 18:04:22 -07:00
Andrew Ayer af14fca70f Add HasParseErrors method to EntryInfo 2016-03-23 20:18:12 -07:00
Andrew Ayer 3b59332bf1 Rename a function for clarity 2016-03-17 16:34:53 -07:00
Andrew Ayer a071e9490a Replace embedded X509 parser with my own lightweight parser 2016-03-16 16:59:37 -07:00
Andrew Ayer 16bf546258 Embed Google CT library, with my own changes 2016-02-18 10:44:56 -08:00
Andrew Ayer 35eef25f4a Rename function for clarity 2016-02-18 10:09:33 -08:00
Andrew Ayer 4b304fd192 Audit Merkle tree when retrieving entries
Also add an -all_time command line option to retrieve all certificates,
not just the ones since the last scan.
2016-02-17 14:54:40 -08:00
Andrew Ayer b6dec7822d Overhaul to be more robust and simpler
All certificates are now parsed with a special, extremely
lax parser that extracts only the DNS names.  Only if the
DNS names match the domains we're interested in will we attempt
to parse the cert with the real X509 parser.  This ensures that
we won't miss a very badly encoded certificate that has been
issued for a monitored domain.

As of the time of commit, the lax parser is able to process every
logged certificate in the known logs.
2016-02-09 10:28:52 -08:00
Andrew Ayer 1dcbe91877 WriteCertRepository: avoid serializing precerts twice
With pre-certs, Chain[0] is the pre-cert itself.
2016-02-07 14:47:05 -08:00
Andrew Ayer a79cc26570 Include filename of saved cert in output/script invocation 2016-02-05 08:20:12 -08:00
Andrew Ayer e73a5a89a7 Ignore non-fatal errors when parsing root certificates 2016-02-05 07:57:15 -08:00
Andrew Ayer 3f596730a0 New and simplified multi-log operation 2016-02-04 20:16:25 -08:00
Andrew Ayer a418a3686d Initial commit 2016-02-04 18:46:19 -08:00