mirror of
https://github.com/SSLMate/certspotter.git
synced 2025-07-01 10:35:33 +02:00
209cdb181b
Specifically, certspotter no longer terminates unless it receives SIGTERM or SIGINT or there is a serious error. Although using cron made sense in the early days of Certificate Transparency, certspotter now needs to run continuously to reliably keep up with the high growth rate of contemporary CT logs, and to gracefully handle the many transient errors that can arise when monitoring CT. Closes: #63 Closes: #37 Closes: #32 (presumably by eliminating $DNS_NAMES and $IP_ADDRESSES) Closes: #21 (with $WATCH_ITEM) Closes: #25
97 lines
2.7 KiB
Go
97 lines
2.7 KiB
Go
// Copyright (C) 2017, 2023 Opsmate, Inc.
|
|
//
|
|
// This Source Code Form is subject to the terms of the Mozilla
|
|
// Public License, v. 2.0. If a copy of the MPL was not distributed
|
|
// with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
//
|
|
// This software is distributed WITHOUT A WARRANTY OF ANY KIND.
|
|
// See the Mozilla Public License for details.
|
|
|
|
package monitor
|
|
|
|
import (
|
|
"crypto/sha256"
|
|
"encoding/base64"
|
|
"encoding/binary"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"golang.org/x/exp/slices"
|
|
"io/fs"
|
|
"os"
|
|
"path/filepath"
|
|
"software.sslmate.com/src/certspotter/ct"
|
|
"strconv"
|
|
"strings"
|
|
)
|
|
|
|
func loadSTHsFromDir(dirPath string) ([]*ct.SignedTreeHead, error) {
|
|
entries, err := os.ReadDir(dirPath)
|
|
if errors.Is(err, fs.ErrNotExist) {
|
|
return []*ct.SignedTreeHead{}, nil
|
|
} else if err != nil {
|
|
return nil, err
|
|
}
|
|
sths := make([]*ct.SignedTreeHead, 0, len(entries))
|
|
for _, entry := range entries {
|
|
filename := entry.Name()
|
|
if strings.HasPrefix(filename, ".") || !strings.HasSuffix(filename, ".json") {
|
|
continue
|
|
}
|
|
sth, err := readSTHFile(filepath.Join(dirPath, filename))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
sths = append(sths, sth)
|
|
}
|
|
slices.SortFunc(sths, func(a, b *ct.SignedTreeHead) bool { return a.TreeSize < b.TreeSize })
|
|
return sths, nil
|
|
}
|
|
|
|
func readSTHFile(filePath string) (*ct.SignedTreeHead, error) {
|
|
fileBytes, err := os.ReadFile(filePath)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
sth := new(ct.SignedTreeHead)
|
|
if err := json.Unmarshal(fileBytes, sth); err != nil {
|
|
return nil, fmt.Errorf("error parsing %s: %w", filePath, err)
|
|
}
|
|
return sth, nil
|
|
}
|
|
|
|
func storeSTHInDir(dirPath string, sth *ct.SignedTreeHead) error {
|
|
filePath := filepath.Join(dirPath, sthFilename(sth))
|
|
if fileExists(filePath) {
|
|
return nil
|
|
}
|
|
fileBytes, err := json.Marshal(sth)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return writeFile(filePath, fileBytes, 0666)
|
|
}
|
|
|
|
func removeSTHFromDir(dirPath string, sth *ct.SignedTreeHead) error {
|
|
filePath := filepath.Join(dirPath, sthFilename(sth))
|
|
err := os.Remove(filePath)
|
|
if err != nil && !errors.Is(err, fs.ErrNotExist) {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// generate a filename that uniquely identifies the STH (within the context of a particular log)
|
|
func sthFilename(sth *ct.SignedTreeHead) string {
|
|
hasher := sha256.New()
|
|
switch sth.Version {
|
|
case ct.V1:
|
|
binary.Write(hasher, binary.LittleEndian, sth.Timestamp)
|
|
binary.Write(hasher, binary.LittleEndian, sth.SHA256RootHash)
|
|
default:
|
|
panic(fmt.Errorf("sthFilename: invalid STH version %d", sth.Version))
|
|
}
|
|
// For 6962-bis, we will need to handle a variable-length root hash, and include the signature in the filename hash (since signatures must be deterministic)
|
|
return strconv.FormatUint(sth.TreeSize, 10) + "-" + base64.RawURLEncoding.EncodeToString(hasher.Sum(nil)) + ".json"
|
|
}
|