mozilla / tls-observatory

An observatory for TLS configurations, X509 certificates, and more.
Mozilla Public License 2.0

Certificate Transparency Analyzer #21

Open 0xdiba opened 9 years ago

0xdiba commented 9 years ago

The CT extension of certificates should be evaluated to verify the signatures in a new analysis worker. Sample X509 extension:

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : A4:B9:09:90:B4:18:58:14:87:BB:13:A2:CC:67:70:0A:
                                3C:35:98:04:F9:1B:DF:B8:E3:77:CD:0E:C8:0D:DC:10
                    Timestamp : Nov 24 04:10:02.376 2015 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:98:A9:69:0D:E6:B0:9A:D9:61:47:7E:
                                4A:6A:80:B3:AA:A5:93:18:EF:88:63:F2:ED:B5:AA:72:
                                ED:4C:DB:71:21:02:21:00:F6:86:A3:83:4D:83:53:AB:
                                26:AE:3F:2D:28:D3:22:AB:E3:C9:86:A3:8B:A9:91:AE:
                                59:85:48:C7:FF:15:49:28
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : 68:F6:98:F8:1F:64:82:BE:3A:8C:EE:B9:28:1D:4C:FC:
                                71:51:5D:67:93:D4:44:D1:0A:67:AC:BB:4F:4F:FB:C4
                    Timestamp : Nov 24 04:10:02.392 2015 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:0B:91:93:5D:98:61:78:B8:00:17:68:AE:
                                C1:CA:0B:24:D4:46:8F:E1:E0:0F:D5:A2:FD:18:7E:05:
                                B9:2F:4E:0F:02:20:51:98:7C:10:2C:3F:D1:A8:8B:7E:
                                7D:7A:25:8C:5F:2C:E7:79:B5:3C:49:21:B7:28:6B:0D:
                                A0:AE:8D:D0:21:E9
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : 56:14:06:9A:2F:D7:C2:EC:D3:F5:E1:BD:44:B2:3E:C7:
                                46:76:B9:BC:99:11:5C:C0:EF:94:98:55:D6:89:D0:DD
                    Timestamp : Nov 24 04:10:02.643 2015 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:32:4E:28:EB:1F:A8:69:29:C7:D4:9D:CC:
                                B4:09:74:76:03:B3:9E:23:BC:9C:FD:87:FD:29:FB:89:
                                B5:7E:6C:BC:02:20:26:81:30:E3:FD:EF:5A:23:8F:C5:
                                58:FB:80:48:E3:AD:CE:D3:1B:A0:52:24:D0:3A:FD:14:
                                B8:3E:41:0F:8D:C4
jvehent commented 6 years ago

Sample code from a worker I poked at a while back, which probably doesn't work, for archiving.

package main

import (
        "fmt"
        "net/http"
        "regexp"
        "time"

        "github.com/google/certificate-transparency-go/client"
        "github.com/google/certificate-transparency-go/jsonclient"
        "github.com/google/certificate-transparency-go/scanner"
)

func main() {
        // HTTP client used to talk to the log; the timeout bounds each request.
        httpCli := &http.Client{
                Transport: &http.Transport{
                        DisableCompression: true,
                        DisableKeepAlives:  false,
                },
                Timeout: 10 * time.Second,
        }

        // Client for Google's Pilot log.
        cli, err := client.New("https://ct.googleapis.com/pilot", httpCli, jsonclient.Options{})
        if err != nil {
                fmt.Printf("ERROR: getting CT log client for Google Pilot, err=%v\n", err)
                return // cli is nil on error; do not continue with it
        }

        // Keep only entries whose certificate subject matches *.google.com;
        // precertificates are not matched (nil regex).
        opts := scanner.ScannerOptions{
                Matcher: &scanner.MatchSubjectRegex{
                        CertificateSubjectRegex:    regexp.MustCompile(`.*\.google\.com`),
                        PrecertificateSubjectRegex: nil,
                },
                BatchSize:     10,
                NumWorkers:    1,
                ParallelFetch: 1,
                StartIndex:    0,
        }
        // The scanner is only constructed and printed here; its Scan method is
        // never called, so no log entries are actually fetched.
        scan := scanner.NewScanner(cli, opts)
        fmt.Println(scan)
}