package ctlogacquisition
import (
	"encoding/base64"
	"fmt"
	"strings"
	"unicode"

	ct "github.com/google/certificate-transparency-go"
	"github.com/google/certificate-transparency-go/tls"
	"github.com/google/certificate-transparency-go/x509"
	"golang.org/x/net/publicsuffix"
)
// stripLeading lists the decorations cleanAndValidateHostname trims from the
// front of a lowercased name before validating it. Each entry is trimmed at
// most once, in this order, with strings.TrimPrefix; nothing is applied
// recursively. The order therefore matters: a decoration that only becomes
// the prefix after a later entry has been removed is left in place (e.g.
// "cn=*.example.com" ends up as "*.example.com", because "*." was already
// tried before "cn=").
var stripLeading = []string{
	"*.",
	"[",
	"cn=",
	"san=",
	"dns=",
	"dns name=",
	"name=",
	"=",
	"-",
	"?",
	".",
}
// stripTrailing lists the decorations cleanAndValidateHostname trims from the
// end of a name, one strings.TrimSuffix per entry in this order (a single pass,
// not repeated until stable). The list is a best-effort cleanup of values seen
// in certificate name fields, not a grammar for valid hostnames.
var stripTrailing = []string{
	".",
	"]",
	"?",
	"#",
	"\\",
	"\"",
}
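// cleanAndValidateHostname normalises a name taken from a certificate (a DNS
// SAN or the Subject CN) and reports whether it looks like a usable hostname.
//
// The input is untrusted: it comes straight out of a CT log entry. The name is
// lowercased, the decorations in stripLeading and stripTrailing are trimmed
// (one trim per entry, in list order), every ".." is replaced by "." and
// surrounding whitespace is removed. The result is rejected when it is empty,
// contains ':' (e.g. a port suffix or IPv6 literal), or contains any Unicode
// whitespace or control character. Finally publicsuffix must be able to derive
// an eTLD+1 from it, which also rejects empty labels, a leading or trailing
// '.', and names that are only a public suffix.
//
// Returns the cleaned name and true, or "" and false when the name should be
// discarded. The character check is a denylist, not strict LDH/IDNA validation:
// characters such as '/' or '*' are still let through as long as publicsuffix
// accepts the name, so callers that need a strict hostname must validate
// further.
func cleanAndValidateHostname(name string) (string, bool) {
	// Attempt to salvage names with certain prefixes and suffixes
	name = strings.ToLower(name)
	for _, prefix := range stripLeading {
		name = strings.TrimPrefix(name, prefix)
	}
	for _, suffix := range stripTrailing {
		name = strings.TrimSuffix(name, suffix)
	}
	name = strings.Replace(name, "..", ".", -1)
	name = strings.TrimSpace(name)

	// Cheap structural rejections come first; they are faster than the public
	// suffix lookup and make invalid names easy to log for review.
	if name == "" || strings.Contains(name, ":") {
		return "", false
	}
	// Reject all whitespace and control characters, not just ' ': a tab, CR or
	// LF embedded in a certificate name would otherwise survive and could
	// corrupt any line-oriented output these names are written to.
	if strings.IndexFunc(name, func(r rune) bool {
		return unicode.IsSpace(r) || unicode.IsControl(r)
	}) >= 0 {
		return "", false
	}

	// publicsuffix rejects empty labels and anything it cannot split into an
	// eTLD+1. It does not validate the character set, hence the checks above.
	if _, err := publicsuffix.EffectiveTLDPlusOne(name); err != nil {
		return "", false
	}
	return name, true
}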
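// getDomainFromLeaf decodes a base64 leaf_input taken from a CT log server
// response and returns the cleaned DNS SANs of the embedded X.509 certificate,
// followed by its Subject CN when that also validates as a hostname.
//
// Everything handled here is untrusted log data. The bytes must decode as one
// complete ct.MerkleTreeLeaf with no trailing data. leaf.X509Certificate() is
// used to obtain the certificate, so only entries it accepts are processed.
// NOTE(review): this is expected to fail for non-X.509 entry types such as
// precertificates, which then surface as an error from this function rather
// than yielding names — confirm against the ct library version in use before
// relying on this for precert-heavy logs.
//
// Certificate parse errors of type x509.NonFatalErrors are tolerated and names
// are still read from the returned certificate; any other parse error is
// returned. Each name goes through cleanAndValidateHostname, and a name that
// appears both as a SAN and as the CN is returned twice (no deduplication).
//
// Returns nil and an error on decode, unmarshal or parse failure; otherwise the
// list of names (nil when none validate) and a nil error.
func getDomainFromLeaf(leafentrystr string) ([]string, error) {
	leafentry, err := base64.StdEncoding.DecodeString(leafentrystr)
	if err != nil {
		return nil, err
	}

	var leaf ct.MerkleTreeLeaf
	rest, err := tls.Unmarshal(leafentry, &leaf)
	if err != nil {
		return nil, fmt.Errorf("failed to unmarshal MerkleTreeLeaf: %v", err)
	}
	if len(rest) > 0 {
		return nil, fmt.Errorf("trailing data (%d bytes) after MerkleTreeLeaf", len(rest))
	}

	x509cert, err := leaf.X509Certificate()
	if err != nil {
		// Non-fatal parse errors (e.g. lenient decoding of a malformed field)
		// still come with a certificate we can read names from.
		if _, nonFatal := err.(x509.NonFatalErrors); !nonFatal {
			return nil, err
		}
	}
	// Never dereference a nil certificate, whatever the error path above did.
	if x509cert == nil {
		return nil, fmt.Errorf("no X.509 certificate in MerkleTreeLeaf")
	}

	var domainlist []string
	for _, raw := range x509cert.DNSNames {
		if cleaned, ok := cleanAndValidateHostname(raw); ok {
			domainlist = append(domainlist, cleaned)
		}
	}
	if cleaned, ok := cleanAndValidateHostname(x509cert.Subject.CommonName); ok {
		domainlist = append(domainlist, cleaned)
	}
	return domainlist, nil
}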