Commit Graph

194 Commits

Author SHA1 Message Date
Andrew Ayer fa81965dee Remove log ID comments from logs.go 2017-03-20 11:33:11 -07:00
Andrew Ayer b051332b1d Release 0.3 2017-02-20 13:13:09 -08:00
Andrew Ayer 8b9c08b984 submitct: apply gofmt 2017-02-05 10:09:42 -08:00
Andrew Ayer 732a660767 submitct: reorganize code 2017-02-05 10:09:19 -08:00
Andrew Ayer b94d850dbe submitct: use maps for efficiency
This will make submitct work better with lots of certificates as input.
2017-02-05 10:07:30 -08:00
Andrew Ayer 74ffda2dc6 x509: factor out ParseRDNSequence 2017-02-05 10:04:43 -08:00
Andrew Ayer 779230cbc8 submitct: include cert index in log entries 2017-02-04 16:09:56 -08:00
Andrew Ayer e7a9ba6e7d Add submitct program for submitting certs 2017-02-04 16:05:51 -08:00
Andrew Ayer 8846cbcbd9 Add OpenLogs array, for logs with open submission policies 2017-02-04 16:04:00 -08:00
Andrew Ayer b6f99bad2c logclient: add support for add-chain request 2017-02-04 16:03:48 -08:00
Andrew Ayer fecfeb033d logclient: add support for POST requests 2017-02-04 16:03:35 -08:00
Andrew Ayer 13b064878b Update NEWS file 2017-01-10 11:25:02 -08:00
Andrew Ayer e8c4f10e97 Use a lock file to prevent certspotter from running concurrently 2017-01-10 10:50:41 -08:00
Andrew Ayer 2f0833ac9c Apply gofmt 2017-01-08 10:17:00 -08:00
Andrew Ayer 9f3e9968ec Rename verified_sth.json to just sth.json 2017-01-08 10:15:41 -08:00
Andrew Ayer 7adbc6cffe Add .json extension to log state filenames
Since they are JSON.
2017-01-08 10:14:44 -08:00
Andrew Ayer b88de6b320 Rename "position" to "tree" in log state 2017-01-06 14:49:42 -08:00
Andrew Ayer 9c3e697231 CollapsedMerkleTree: rename stack to nodes 2017-01-06 14:43:20 -08:00
Andrew Ayer 671814cd9b CollapsedMerkleTree: rename numLeaves to size 2017-01-06 14:41:51 -08:00
Andrew Ayer 9ceedea9ef Rename MerkleTreeBuilder to CollapsedMerkleTree 2017-01-06 14:39:08 -08:00
Andrew Ayer cf742c121e Update NEWS file 2017-01-06 13:36:56 -08:00
Andrew Ayer d8b1877e8d Improve filenames of unverified STHs
Include the tree size in plain decimal, since it's more user-friendly.

Don't include tree size in hash (redundant now that we're storing it
outside of hash) or version (implied by signature).
2017-01-06 12:51:10 -08:00
Andrew Ayer 1719aa5d8e Set log ID in STHs that we download
This will facilitate STH pollination.
2017-01-06 12:50:21 -08:00
Andrew Ayer 0eb6d199a4 Improve the name of a function 2017-01-06 12:24:09 -08:00
Andrew Ayer c8f0a0f9e8 Only write once file if run was 100% successful
Otherwise, if a single log was unreachable, we'd be force to download
all of it on the next run.
2017-01-06 12:23:20 -08:00
Andrew Ayer 0d9b81ecc8 Tweak logic for storing tree position 2017-01-06 12:19:53 -08:00
Andrew Ayer 87c6bc4f1c Add CONTRIBUTING file 2017-01-06 10:55:52 -08:00
Andrew Ayer 8ea4003994 Add some additional logging 2017-01-06 10:31:34 -08:00
Andrew Ayer 0c751f0294 Drop the MerkleTreeBuilder return value from VerifyConsistencyProof 2017-01-05 21:06:37 -08:00
Andrew Ayer ef00e22ec1 Remove unused code 2017-01-05 21:02:28 -08:00
Andrew Ayer 0af0262498 Overhaul log processing and auditing
1. Instead of storing a single STH per log, we now store one verified
STH and any number of unverified STHs.  When we process a log, we verify
each unverified STH using a consistency proof with the verified STH,
and only delete it if it successfully verifies.  We set the verified
STH to the largest STH which we've successfully verified.

This has two important benefits.  First, we never ever delete an STH
unless we can successfully verify it (previously, we would forget about
an STH under certain error conditions).  Second, it lays the groundwork
for STH pollination.  Upon reception of an STH, we can simply drop it in
the log's unverified_sths directory (assuming the signature is valid),
and Cert Spotter will audit it.

There is no more "evidence" directory; if a consistency proof fails,
the STHs will already be present elsewhere in the state directory.

2. We now persist a MerkleTreeBuilder between each run of Cert Spotter,
instead of rebuilding it every time from the consistency proof.  This is
not intrinsically better, but it makes the code simpler considering we
can now fetch numerous consistency proofs per run.

3. To accommodate the above changes, the state directory has a brand
new layout.  The state directory is now versioned, and Cert Spotter
will automatically migrate old state directories to the new layout.
This migration logic will be removed in a future Cert Spotter release.

As a bonus, the code is generally cleaner now :-)
2017-01-05 21:00:35 -08:00
Andrew Ayer 54d9762ff2 Add JSON marshalling for MerkleTreeBuilder 2017-01-05 15:43:26 -08:00
Andrew Ayer 7c55be7d5c Add GetNumLeaves function for MerkleTreeBuilder 2017-01-05 15:00:56 -08:00
Andrew Ayer 3673518b30 Add constructor functions for MerkleTreeBuilder 2017-01-05 14:48:35 -08:00
Andrew Ayer 39737f33ec Rename MerkleTreeBuilder.size to numLeaves 2017-01-05 14:41:54 -08:00
Andrew Ayer f920ef0ec3 Add a TODO 2017-01-05 14:32:28 -08:00
Andrew Ayer 55d12ee013 Support empty trees 2017-01-05 14:32:22 -08:00
Andrew Ayer 4868243259 Add ID function to LogInfo to return log ID 2016-11-26 17:48:15 -08:00
Andrew Ayer ff6d1f21fd Add a TODO comment 2016-11-26 17:47:57 -08:00
Andrew Ayer 0bd48084f0 Add MakeMerkleTreeBuilder 2016-11-25 20:13:17 -08:00
Andrew Ayer adce61e035 Add GetAuditProof to LogClient 2016-11-25 20:09:59 -08:00
Andrew Ayer b63a024876 Replace MerkleTreeBuilder.Finish with non-mutating CalculateRoot 2016-11-25 17:43:07 -08:00
Andrew Ayer ef18092eb9 Add new logs: Icarus, Skydiver, StartCom, WoSign 2016-11-15 15:59:39 -08:00
Andrew Ayer 9bf82346d8 Avoid use of json.Decoder
Per https://ahmetalpbalkan.com/blog/golang-json-decoder-pitfalls/
2016-11-15 15:59:39 -08:00
Andrew Ayer 36210a9544 VerifyConsistencyProof: properly return tree builder when two trees are the same 2016-11-15 15:59:39 -08:00
Andrew Ayer 31f2316aa2 Rework -all_time logic
If -all_time is specified, scan the entirety of all logs, even
existing logs.  This matches user expectation better.  Previously,
-all_time had no impact on existing logs.

The first time Cert Spotter is run, do not scan any logs, unless
-all_time is specified.  This avoids a several hour wait the first
time Cert Spotter is run.  If the user is interested in knowing
about existing certificates, they can use the certspotter.com API
or crt.sh.  This is the same as existing behavior.

When a new log is added, scan it in its entirety even if -all_time is
not specified, so users are alerted to interesting certificates in the
new log.  Hopefully new logs will be small and this won't take too long!
Previously, new logs were not scanned in their entirety unless -all_time
was specified.

Closes: #5
2016-11-15 15:59:38 -08:00
Andrew Ayer 7d2936eada README: document upcoming mandatory CT 2016-11-12 08:09:42 -08:00
Andrew Ayer f706b09bc8 README: document GlobalSign DV logging 2016-11-12 08:09:27 -08:00
Andrew Ayer 2a80e85783 Increase log client request timeout to 60 seconds
This should be configurable, but I need to experiment first.
2016-08-30 10:40:13 -07:00
Andrew Ayer 35c646ae62 Add NEWS file for 0.2 release 2016-08-25 17:13:31 -07:00