From c4f6d3489ef91c539ba88e372635e4d0d87e6ad2 Mon Sep 17 00:00:00 2001
From: Luke Shumaker <lukeshu@sbcglobal.net>
Date: Fri, 18 Nov 2016 01:21:27 -0500
Subject: Check crt.sh against actual used certs

---
 diff.go | 108 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 108 insertions(+)
 create mode 100644 diff.go

(limited to 'diff.go')

diff --git a/diff.go b/diff.go
new file mode 100644
index 0000000..24fa228
--- /dev/null
+++ b/diff.go
@@ -0,0 +1,108 @@
+package main
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"sort"
+)
+
+func handleErr(err error, str string, a ...interface{}) {
+	a = append([]interface{}{err}, a...)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, str, a...)
+		os.Exit(1)
+	}
+}
+
+func readTLS(filename string) (map[string]*x509.Certificate, error) {
+	file, err := os.Open(filename)
+	if err != nil {
+		return nil, err
+	}
+	data, err := ioutil.ReadAll(file)
+	if err != nil {
+		return nil, err
+	}
+
+	ret := make(map[string]*x509.Certificate) 
+	for len(data) > 0 {
+		var certPem *pem.Block
+		certPem, data = pem.Decode(data)
+		certX509, err := x509.ParseCertificate(certPem.Bytes)
+		if err != nil {
+			return nil, err
+		}
+		ret[certX509.Subject.CommonName] = certX509
+	}
+	return ret, nil
+}
+
+func readCrtSh(filename string, hosts []string) (map[string]*x509.Certificate, error) {
+	file, err := os.Open(filename)
+	if err != nil {
+		return nil, err
+	}
+	data, err := ioutil.ReadAll(file)
+	if err != nil {
+		return nil, err
+	}
+
+	ret := make(map[string]*x509.Certificate) 
+	for len(data) > 0 {
+		var certPem *pem.Block
+		certPem, data = pem.Decode(data)
+		certX509, err := x509.ParseCertificate(certPem.Bytes)
+		if err != nil {
+			return nil, err
+		}
+		for _, host := range hosts {
+			if certX509.VerifyHostname(host) == nil {
+				if old, haveold := ret[host]; !haveold || certX509.NotBefore.After(old.NotBefore) {
+					ret[host] = certX509
+				}
+			}
+		}
+	}
+	return ret, nil
+}
+
+func keys(m map[string]*x509.Certificate) []string {
+	ret := make([]string, len(m))
+	i := 0
+	for k := range m {
+		ret[i] = k
+		i++
+	}
+	sort.Strings(ret)
+	return ret
+}	
+
+func main() {
+	if len(os.Args) != 3 {
+		fmt.Fprintf(os.Stderr, "Usage: %s TLS-file crt.sh-file\n", os.Args[0])
+	}
+	certsTLS, err := readTLS(os.Args[1])
+	handleErr(err, "Could load TLS file: %v\n")
+	hostsTLS := keys(certsTLS)
+	certsCrtSh, err := readCrtSh(os.Args[2], hostsTLS)
+	handleErr(err, "Could load crt.sh file: %v\n")
+
+	fmt.Printf("--- %s\n", os.Args[1])
+	fmt.Printf("+++ %s\n", os.Args[2])
+	fmt.Printf("@@ -1,%d +1,%d @@\n", len(hostsTLS), len(hostsTLS))
+	for _, host := range hostsTLS {
+		certTLS := certsTLS[host]
+		certCrtSh, okCrtSh := certsCrtSh[host]
+		if !okCrtSh {
+			fmt.Printf("-%s %s\n", host, certTLS.NotBefore.Format("2006-01-02 15:04:05 MST(-07)"))
+		} else if !certTLS.Equal(certCrtSh) {
+			fmt.Printf("-%s %s\n", host, certTLS.NotBefore.Format("2006-01-02 15:04:05 MST(-07)"))
+			fmt.Printf("+%s %s\n", host, certCrtSh.NotBefore.Format("2006-01-02 15:04:05 MST(-07)"))
+		} else {
+			fmt.Printf(" %s %s\n", host, certTLS.NotBefore.Format("2006-01-02 15:04:05 MST(-07)"))
+		}
+	}
+}
-- 
cgit v1.2.3-54-g00ecf