Tandem/certspotter
2
0
Fork 0
mirror of https://github.com/SSLMate/certspotter.git synced 2025-07-03 10:47:17 +02:00
Code Issues Packages Projects Releases Wiki Activity
160 Commits 1 Branch 24 Tags
Commit Graph

160 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Andrew Ayer
39737f33ec Rename MerkleTreeBuilder.size to numLeaves 2017-01-05 14:41:54 -08:00
Andrew Ayer
f920ef0ec3 Add a TODO 2017-01-05 14:32:28 -08:00
Andrew Ayer
55d12ee013 Support empty trees 2017-01-05 14:32:22 -08:00
Andrew Ayer
4868243259 Add ID function to LogInfo to return log ID 2016-11-26 17:48:15 -08:00
Andrew Ayer
ff6d1f21fd Add a TODO comment 2016-11-26 17:47:57 -08:00
Andrew Ayer
0bd48084f0 Add MakeMerkleTreeBuilder 2016-11-25 20:13:17 -08:00
Andrew Ayer
adce61e035 Add GetAuditProof to LogClient 2016-11-25 20:09:59 -08:00
Andrew Ayer
b63a024876 Replace MerkleTreeBuilder.Finish with non-mutating CalculateRoot 2016-11-25 17:43:07 -08:00
Andrew Ayer
ef18092eb9 Add new logs: Icarus, Skydiver, StartCom, WoSign 2016-11-15 15:59:39 -08:00
Andrew Ayer
9bf82346d8 Avoid use of json.Decoder 
Per https://ahmetalpbalkan.com/blog/golang-json-decoder-pitfalls/
 2016-11-15 15:59:39 -08:00
Andrew Ayer
36210a9544 VerifyConsistencyProof: properly return tree builder when two trees are the same 2016-11-15 15:59:39 -08:00
Andrew Ayer
31f2316aa2 Rework -all_time logic 
If -all_time is specified, scan the entirety of all logs, even
existing logs.  This matches user expectation better.  Previously,
-all_time had no impact on existing logs.

The first time Cert Spotter is run, do not scan any logs, unless
-all_time is specified.  This avoids a several hour wait the first
time Cert Spotter is run.  If the user is interested in knowing
about existing certificates, they can use the certspotter.com API
or crt.sh.  This is the same as existing behavior.

When a new log is added, scan it in its entirety even if -all_time is
not specified, so users are alerted to interesting certificates in the
new log.  Hopefully new logs will be small and this won't take too long!
Previously, new logs were not scanned in their entirety unless -all_time
was specified.

Closes: #5
 2016-11-15 15:59:38 -08:00
Andrew Ayer
7d2936eada README: document upcoming mandatory CT 2016-11-12 08:09:42 -08:00
Andrew Ayer
f706b09bc8 README: document GlobalSign DV logging 2016-11-12 08:09:27 -08:00
Andrew Ayer
2a80e85783 Increase log client request timeout to 60 seconds 
This should be configurable, but I need to experiment first.
 2016-08-30 10:40:13 -07:00
Andrew Ayer
35c646ae62 Add NEWS file for 0.2 release 0.2 2016-08-25 17:13:31 -07:00
Joe Tsai
4104152de6 Use io.ReadFull instead of raw Read 
An io.Reader does not guarantee that it can read all bytes possible
to fill the input buffer. Thus, we should use io.ReadFull here instead.

Cherry-picked from ddfd4a2b2d89e20f0a7c63c88420aaa419d4d95c
of https://github.com/google/certificate-transparency
 2016-08-25 16:48:58 -07:00
Andrew Ayer
c36452f67a Improve log client error messages 2016-08-25 16:04:29 -07:00
Andrew Ayer
1af6309367 Define tagUTCTime and tagGeneralizedTime 
They're only exported in Go1.6 and I'd like to support Go1.5 as well.

Closes: #15
 2016-08-20 19:43:44 -07:00
Andrew Ayer
b1dc229785 Fix typo 2016-07-28 15:52:32 -07:00
Andrew Ayer
1f97fb3a13 Suppress duplicate identifiers 2016-07-28 14:00:15 -07:00
Andrew Ayer
6cae4942e4 Identifiers: abstract out appendIPAddress 2016-07-28 13:53:24 -07:00
Jonathan Rudenberg
c217200b96 Return errors from InvokeHookScript instead of failing silently 
Signed-off-by: Jonathan Rudenberg <jonathan@titanous.com>
 2016-07-28 12:26:58 -07:00
Jonathan Rudenberg
acc6781f29 Run gofmt 
Signed-off-by: Jonathan Rudenberg <jonathan@titanous.com>
 2016-07-28 14:55:46 -04:00
Andrew Ayer
38b9c920eb Add README 0.1 2016-07-27 14:17:53 -07:00
Andrew Ayer
1dc7e1cda9 Refine command line flag descriptions 2016-07-27 14:14:09 -07:00
Andrew Ayer
902755d4e8 Don't enforce public key compliance 
You have to trust the public key anyways, so compliance checks are
superfluous.
 2016-07-26 17:00:01 -07:00
Andrew Ayer
f75c47d9ca Always store files in ~/.certspotter, even if running as root 2016-07-26 16:57:26 -07:00
Andrew Ayer
c185657181 Remove Izenpe log, add CNNIC 2016-07-19 10:46:15 -07:00
Andrew Ayer
cf8a5d8703 Remove description field from logs.go 2016-07-19 10:39:01 -07:00
Andrew Ayer
37bc55be2d Add key hash to logs.go 2016-07-19 10:32:05 -07:00
Andrew Ayer
ebdf2af720 Add some comments 2016-07-19 10:31:23 -07:00
Andrew Ayer
19e05b901a Remove some dead code from the scanner 2016-06-22 10:32:42 -07:00
Andrew Ayer
74f9ceb6a2 Add attribution of the ct sub-directory 2016-06-22 10:30:16 -07:00
Andrew Ayer
724517e4c4 Update crt.sh link to use sha256= instead of q= 2016-06-20 15:23:15 -07:00
Andrew Ayer
fa1236f434 Use a switch statement instead of an if statement 
This will make it cleaner to handle other extension types
 2016-06-08 15:57:56 -07:00
Andrew Ayer
196bd864cd Properly handle non-200 responses from logs 2016-06-08 15:18:28 -07:00
Andrew Ayer
1fc964732b Allow public key to be omitted from log JSON file 
In which case signatures are not checked.
 2016-06-03 08:10:38 -07:00
Andrew Ayer
2c8cb1f402 Return exit code from cmd.Main instead of exiting directly 
This allows the calling code to do custom cleanup.
 2016-06-03 07:21:08 -07:00
Andrew Ayer
6db3f7564c Add function to reconstruct pre-cert TBS from cert TBS 2016-05-16 11:33:03 -07:00
Andrew Ayer
ae59c317dc Ignore empty DNS names 2016-05-13 10:31:13 -07:00
Andrew Ayer
2bed88e7c5 Rework watchlist 
Watchlist is now read from ~/.certspotter/watchlist by default, or from
the file specified by -watchlist (- for stdin).

By default, only exact DNS names are matched.  To match both the domain
itself and all sub-domains, prefix with a dot (e.g. .example.com).

Comments are now allowed in watchlist files.
 2016-05-12 11:30:59 -07:00
Andrew Ayer
7196ec5217 Use $CERTSPOTTER_STATE_DIR to specify state directory 2016-05-12 10:53:57 -07:00
Andrew Ayer
dac062e17d Add unit tests for MatchesWildcard 2016-05-10 14:29:10 -07:00
Andrew Ayer
f9432ae4b9 Reverse order of certspotter.MatchesWildcard arguments 2016-05-10 14:29:04 -07:00
Andrew Ayer
92fbdcb947 Support crazy wildcards (not just in the left-most label) 2016-05-10 10:37:10 -07:00
Andrew Ayer
e99ee481a4 Disable check of pre-cert poision value 
Too many pre-certs in the logs with the wrong value :-(
 2016-05-09 15:46:14 -07:00
Andrew Ayer
9342adcd93 Tighten up the cert information output 
Remove subject and SANs since they are redundant with earlier identifier
listing.  Remove serial number because who cares?  Put type of entry
on same line as log entry info.

If people want this info they can always examine the saved file or the
crt.sh page.
 2016-05-09 15:43:19 -07:00
Andrew Ayer
b79cb31413 Move package to software.sslmate.com/src/certspotter 2016-05-04 12:19:59 -07:00
Andrew Ayer
1e582e2e0c License under the MPL 2.0 2016-05-04 11:56:13 -07:00