CT log accuracy

From 6895534e0d59eae1b66a080dd390be7ee9c7db0b Mon Sep 17 00:00:00 2001 From: Luke Shumaker Date: Sat, 19 Nov 2016 18:21:50 -0500 Subject: separate diff logic from templating --- diff.go | 173 ++++++++++++++++------------------------------------------------ 1 file changed, 43 insertions(+), 130 deletions(-) (limited to 'diff.go') diff --git a/diff.go b/diff.go index 4a8a559..83b1d2e 100644 --- a/diff.go +++ b/diff.go @@ -4,8 +4,8 @@ import ( "crypto/x509" "encoding/pem" "fmt" + "io" "io/ioutil" - "html/template" "os" "sort" ) @@ -18,7 +18,24 @@ func handleErr(err error, str string, a ...interface{}) { } } -func readTLS(filename string) (map[string]*x509.Certificate, error) { +type Cert struct { + Url string + X509 *x509.Certificate +} + +func (cert Cert) WriteTo(w io.Writer, action string) error { + block := pem.Block{ + Type: "CERTIFICATE", + Headers: map[string]string{ + "X-Crt-Sh-Url": cert.Url, + "X-Diff-Action": action, + }, + Bytes: cert.X509.Raw, + } + return pem.Encode(w, &block) +} + +func readTLS(filename string) (map[string]Cert, error) { file, err := os.Open(filename) if err != nil { return nil, err @@ -28,7 +45,7 @@ func readTLS(filename string) (map[string]*x509.Certificate, error) { return nil, err } - ret := make(map[string]*x509.Certificate) + ret := make(map[string]Cert) for len(data) > 0 { var certPem *pem.Block certPem, data = pem.Decode(data) @@ -36,12 +53,15 @@ func readTLS(filename string) (map[string]*x509.Certificate, error) { if err != nil { return nil, err } - ret[certX509.Subject.CommonName] = certX509 + ret[certX509.Subject.CommonName] = Cert{ + Url: fmt.Sprintf("https://crt.sh/?serial=%036x", certX509.SerialNumber), + X509: certX509, + } } return ret, nil } -func readCrtSh(filename string, hosts []string) (map[string]*x509.Certificate, error) { +func readCrtSh(filename string, hosts []string) (map[string]Cert, error) { file, err := os.Open(filename) if err != nil { return nil, err @@ -51,7 +71,7 @@ func readCrtSh(filename string, hosts []string) (map[string]*x509.Certificate, e return nil, err } - ret := make(map[string]*x509.Certificate) + ret := make(map[string]Cert) for len(data) > 0 { var certPem *pem.Block certPem, data = pem.Decode(data) @@ -61,8 +81,11 @@ func readCrtSh(filename string, hosts []string) (map[string]*x509.Certificate, e } for _, host := range hosts { if certX509.VerifyHostname(host) == nil { - if old, haveold := ret[host]; !haveold || certX509.NotBefore.After(old.NotBefore) { - ret[host] = certX509 + if old, haveold := ret[host]; !haveold || certX509.NotBefore.After(old.X509.NotBefore) { + ret[host] = Cert{ + Url: certPem.Headers["X-Crt-Sh-Url"], + X509: certX509, + } } } } @@ -70,7 +93,7 @@ func readCrtSh(filename string, hosts []string) (map[string]*x509.Certificate, e return ret, nil } -func keys(m map[string]*x509.Certificate) []string { +func keys(m map[string]Cert) []string { ret := make([]string, len(m)) i := 0 for k := range m { @@ -79,113 +102,6 @@ func keys(m map[string]*x509.Certificate) []string { } sort.Strings(ret) return ret -} - -func fmtCert(cert *x509.Certificate) string { - return fmt.Sprintf("%s\t%s\t%s", - cert.Subject.CommonName, - cert.NotBefore.Format("2006-01-02 15:04:05 MST(-07)"), - cert.NotAfter.Format("2006-01-02 15:04:05 MST(-07)")) -} - -var tmpl = template.Must(template.New("2html"). - Funcs(template.FuncMap{ - "class": class, - "link": link, - "join": join, - "isNil": isNil, - }).Parse(` - - - - CT log accuracy - - - - - - - - - -{{define "Row"}} - - - - - - -{{end}} -{{range $cert := .certs}} -{{if isNil $cert.CrtSh}} -{{template "Row" join "-" $cert.TLS}} -{{else if $cert.TLS.Equal $cert.CrtSh | not}} -{{template "Row" join "-" $cert.TLS}} -{{template "Row" join "+" $cert.CrtSh}} -{{else}} -{{template "Row" join " " $cert.TLS}} -{{end}} -{{end}} -

--- {{.fileTLS}}
+++ {{.fileCrtSh}}
@@ -1,{{len .certsTLS}} +1,{{len .certsCrtSh}} @@
{{if eq .pfix " "}} {{else}}{{.pfix}}{{end}}	{{.cert.Subject.CommonName}}	{{.cert.NotBefore.Local.Format "2006-01-02 15:04:05"}}	{{.cert.NotAfter.Local.Format "2006-01-02 15:04:05"}}

- - -`)) - -type Cert struct { - TLS, CrtSh *x509.Certificate -} - -func link(cert *x509.Certificate) string { - return fmt.Sprintf("https://crt.sh/?serial=%036x", cert.SerialNumber) -} - -func isNil(cert *x509.Certificate) bool { - return cert == nil -} - -func class(pfix string) string { - return map[string]string { - "+": "diff-add", - "-": "diff-del", - " ": "diff-ctx", - }[pfix] -} - -func join(pfix string, cert *x509.Certificate) map[string]interface{} { - return map[string]interface{} { - "pfix": pfix, - "cert": cert, - } } func main() { @@ -198,20 +114,17 @@ func main() { certsCrtSh, err := readCrtSh(os.Args[2], hostsTLS) handleErr(err, "Could load crt.sh file: %v\n") - certs := make([]Cert, len(certsTLS)) - i := 0 for _, host := range hostsTLS { - var cert Cert - cert.TLS = certsTLS[host] - cert.CrtSh = certsCrtSh[host] - certs[i] = cert - i++ + certTLS := certsTLS[host] + certCrtSh, haveCrtSh := certsCrtSh[host] + + if !haveCrtSh { + handleErr(certTLS.WriteTo(os.Stdout, "del"), "Could not encode PEM: %v\n") + } else if ! certTLS.X509.Equal(certCrtSh.X509) { + handleErr(certTLS.WriteTo(os.Stdout, "del"), "Could not encode PEM: %v\n") + handleErr(certCrtSh.WriteTo(os.Stdout, "add"), "Could not encode PEM: %v\n") + } else { + handleErr(certCrtSh.WriteTo(os.Stdout, "ctx"), "Could not encode PEM: %v\n") + } } - handleErr(tmpl.Execute(os.Stdout, map[string]interface{}{ - "certs": certs, - "certsTLS": certsTLS, - "certsCrtSh": certsCrtSh, - "fileTLS": os.Args[1], - "fileCrtSh": os.Args[2], - }), "Could not execute template: %v\n") } -- cgit v1.2.3-54-g00ecf