Open AGWA opened 9 months ago
Would something like this work?
[[ "$EVENT" != discovered_cert ]] && exit
mkdir -p /var/lib/certspotter/allowed_tbs
for cert in $(find /var/lib/acme -regex ".*/fullchain.pem"); do
hash="$(openssl asn1parse -in "$cert" -strparse 4 -noout -out /dev/stdout | openssl sha256 | cut -d" " -f2)"
touch "/var/lib/certspotter/allowed_tbs/$hash"
done
[[ -f "/var/lib/certspotter/allowed_tbs/$TBS_SHA256" ]] && exit 0
(echo && echo "WARNING: Unknown certificate detected: $SUMMARY") | sendmail webmaster@example.org
@chayleaf That doesn't calculate the TBS certificate correctly as you also need to remove the SCT extension (this is the TBS certificate as defined in RFC 6962 rather than the standard definition; I was not kidding when I said there are zero tools for this).
Here's a script that uses the public key hash instead (warning: not tested):
if [ "$EVENT" = discovered_cert ]
then
for cert in $(find /var/lib/acme -regex ".*/fullchain.pem")
do
hash="$(openssl x509 -in "$cert" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256 | cut -d" " -f2)"
if [ "$hash" = "$PUBKEY_SHA256" ]
then
exit 0
fi
done
fi
(echo "Subject: $SUMMARY" && echo && cat "$TEXT_FILENAME") | sendmail -i webmaster@example.org)
This script also ensures you get error notifications (where $EVENT != discovered_cert
)
Documentation/README should explain: