Tandem/certspotter
2
0
Fork 0
mirror of https://github.com/SSLMate/certspotter.git synced 2025-07-03 10:47:17 +02:00
Code Issues Packages Projects Releases Wiki Activity
234 Commits 1 Branch 24 Tags
Commit Graph

234 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Andrew Ayer
902755d4e8 Don't enforce public key compliance 
You have to trust the public key anyways, so compliance checks are
superfluous.
 2016-07-26 17:00:01 -07:00
Andrew Ayer
f75c47d9ca Always store files in ~/.certspotter, even if running as root 2016-07-26 16:57:26 -07:00
Andrew Ayer
c185657181 Remove Izenpe log, add CNNIC 2016-07-19 10:46:15 -07:00
Andrew Ayer
cf8a5d8703 Remove description field from logs.go 2016-07-19 10:39:01 -07:00
Andrew Ayer
37bc55be2d Add key hash to logs.go 2016-07-19 10:32:05 -07:00
Andrew Ayer
ebdf2af720 Add some comments 2016-07-19 10:31:23 -07:00
Andrew Ayer
19e05b901a Remove some dead code from the scanner 2016-06-22 10:32:42 -07:00
Andrew Ayer
74f9ceb6a2 Add attribution of the ct sub-directory 2016-06-22 10:30:16 -07:00
Andrew Ayer
724517e4c4 Update crt.sh link to use sha256= instead of q= 2016-06-20 15:23:15 -07:00
Andrew Ayer
fa1236f434 Use a switch statement instead of an if statement 
This will make it cleaner to handle other extension types
 2016-06-08 15:57:56 -07:00
Andrew Ayer
196bd864cd Properly handle non-200 responses from logs 2016-06-08 15:18:28 -07:00
Andrew Ayer
1fc964732b Allow public key to be omitted from log JSON file 
In which case signatures are not checked.
 2016-06-03 08:10:38 -07:00
Andrew Ayer
2c8cb1f402 Return exit code from cmd.Main instead of exiting directly 
This allows the calling code to do custom cleanup.
 2016-06-03 07:21:08 -07:00
Andrew Ayer
6db3f7564c Add function to reconstruct pre-cert TBS from cert TBS 2016-05-16 11:33:03 -07:00
Andrew Ayer
ae59c317dc Ignore empty DNS names 2016-05-13 10:31:13 -07:00
Andrew Ayer
2bed88e7c5 Rework watchlist 
Watchlist is now read from ~/.certspotter/watchlist by default, or from
the file specified by -watchlist (- for stdin).

By default, only exact DNS names are matched.  To match both the domain
itself and all sub-domains, prefix with a dot (e.g. .example.com).

Comments are now allowed in watchlist files.
 2016-05-12 11:30:59 -07:00
Andrew Ayer
7196ec5217 Use $CERTSPOTTER_STATE_DIR to specify state directory 2016-05-12 10:53:57 -07:00
Andrew Ayer
dac062e17d Add unit tests for MatchesWildcard 2016-05-10 14:29:10 -07:00
Andrew Ayer
f9432ae4b9 Reverse order of certspotter.MatchesWildcard arguments 2016-05-10 14:29:04 -07:00
Andrew Ayer
92fbdcb947 Support crazy wildcards (not just in the left-most label) 2016-05-10 10:37:10 -07:00
Andrew Ayer
e99ee481a4 Disable check of pre-cert poision value 
Too many pre-certs in the logs with the wrong value :-(
 2016-05-09 15:46:14 -07:00
Andrew Ayer
9342adcd93 Tighten up the cert information output 
Remove subject and SANs since they are redundant with earlier identifier
listing.  Remove serial number because who cares?  Put type of entry
on same line as log entry info.

If people want this info they can always examine the saved file or the
crt.sh page.
 2016-05-09 15:43:19 -07:00
Andrew Ayer
b79cb31413 Move package to software.sslmate.com/src/certspotter 2016-05-04 12:19:59 -07:00
Andrew Ayer
1e582e2e0c License under the MPL 2.0 2016-05-04 11:56:13 -07:00
Andrew Ayer
670cddafbc Rename project to certspotter 2016-05-04 11:49:07 -07:00
Andrew Ayer
ea3db97486 Only replace DNS label with placeholder if it's utterly unparsable 
e.g. contains control characters, Punycode conversion fails

There are quite simply too many certs with bogus DNS labels out in the wild,
and it just doesn't make sense to bother every .com domain holder because
GoDaddy signed a cert with a DNS name like "www.        just4funpartyrentals.com"
It is highly unlikely any validator will ever match that DNS name.
 2016-05-04 11:43:02 -07:00
Andrew Ayer
60636ba2d7 Move Identifiers from CertInfo to EntryInfo 
It's more logical, and it avoids some redundant parsing.
 2016-05-03 11:58:59 -07:00
Andrew Ayer
5f4e35843a Display SANs in output 2016-05-02 11:59:55 -07:00
Andrew Ayer
df5ad71a40 Support for IP addresses encoded as strings in CNs/DNS SANs 2016-05-02 11:38:08 -07:00
Andrew Ayer
82167b8151 Additional handling of pathological DNS names 
1. Trim leading and trailing whitespace of DNS names.

2. Trim http:// and https:// prefixes.

3. If DNS name contains a slash, ALSO process the DNS name up to
   the first slash, since it's probably a URL.
 2016-05-01 17:02:52 -07:00
Andrew Ayer
3ec8a0a3db Ignore IP address SANs with an invalid length 2016-05-01 14:52:19 -07:00
Andrew Ayer
ca8f60740a Trim trailing dots from DNS names 2016-05-01 12:49:26 -07:00
Andrew Ayer
3c220e56f6 scanner: reduce channel queue buffer length 
To keep memory consumption down
 2016-05-01 12:49:07 -07:00
Andrew Ayer
a0859acad3 Remove defunct Certly log 2016-04-30 15:03:16 -07:00
Andrew Ayer
847b7129e8 Monitor for all DNS names that _might_ match a monitored domain 
Wildcards, redacted labels, and unparseable labels.
 2016-04-29 09:02:03 -07:00
Andrew Ayer
ec68dde647 Only allow * and ? as entire DNS name labels 2016-04-29 08:45:54 -07:00
Andrew Ayer
2c9df274e9 Gracefully handle all manner of poorly encoded identifiers 
Also add preliminary support for IP address identifiers.
 2016-04-28 22:00:32 -07:00
Andrew Ayer
a072440db8 Handle certificates with multiple Basic Constraints extensions 2016-04-26 18:06:59 -07:00
Andrew Ayer
65ed742477 Support wildcards 
For example, if you're watching subdomain.example.com, a cert for
*.example.com will now match.
 2016-04-26 14:49:39 -07:00
Andrew Ayer
4132ed5e9f Add support for IDNs 
IDNs can be specified in either Unicode or ASCII (as Punycode).
Certs can specify the DNS name either way, and we'll match it.
 2016-04-26 14:38:09 -07:00
Andrew Ayer
19c5f86d23 Allow DNS SANs to contain UTF-8 
There are too many certs in the wild which have UTF-8 in their DNS SANs.
 2016-04-26 14:14:08 -07:00
Andrew Ayer
2426817cd5 Raise parse error if certain strings are improperly encoded 
If a UTF8String in the Subject CN isn't valid UTF-8, or if a DNS SAN is
not ASCII, raise a parse error, since we don't know how to interpret
the string.
 2016-04-24 09:11:28 -07:00
Andrew Ayer
2d2aa37202 Parse common names separately from DNS names 2016-04-22 20:58:33 -07:00
Andrew Ayer
ef0b46b7a5 Remove defunct Wosign log 2016-04-14 17:55:50 -07:00
Andrew Ayer
e091186d83 Save consistency proof along with evidence of misbehavior 
Although the consistency proof is neither necessary nor sufficient
to prove misbehavior by a log, this will help with debugging if a
log returns a bogus consistency proof erroneously (which seems to
be happening with the Rocketeer log lately...).
 2016-04-06 08:10:06 -07:00
Andrew Ayer
db2cd2c458 logclient: work around HTTP/2 issue 
See https://github.com/google/certificate-transparency/issues/1136
 2016-03-27 11:54:34 -07:00
Andrew Ayer
80bfe1321c Add helpers to get fingerprint/hashes in byte form 2016-03-26 18:04:22 -07:00
Andrew Ayer
ef395b8e60 Add function to validate a pre-cert 2016-03-23 21:03:00 -07:00
Andrew Ayer
81bfa0bbd8 Add ctparsewatch 
It watches for certificates which we can't fully parse
 2016-03-23 20:19:39 -07:00
Andrew Ayer
786e9e3460 Add a relaxed ASN.1 Time parser 
Since some certs contain invalid times in the validity
 2016-03-23 20:18:26 -07:00