scanner

package v0.0.0-...-96b92c5
Published: May 21, 2023 License: Apache-2.0, ISC, MIT Imports: 13 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type ASN1Certificate

type ASN1Certificate struct {
	Raw                asn1.RawContent
	TBSCertificate     asn1.RawValue
	SignatureAlgorithm pkix.AlgorithmIdentifier
	SignatureValue     asn1.BitString
}

ASN1Certificate holds the top-level asn1 fields in a certificate.

It is used to determine if a certificate contains well-formed asn1 data or is corrupted.

type MatchAll

type MatchAll struct{}

MatchAll is a Matcher which will match every possible Certificate and Precertificate.

func (MatchAll) CertificateMatches

func (m MatchAll) CertificateMatches(_ *x509.Certificate) bool

func (MatchAll) PrecertificateMatches

func (m MatchAll) PrecertificateMatches(_ *ct.Precertificate) bool

type MatchIssuerRegex

type MatchIssuerRegex struct {
	CertificateIssuerRegex    *regexp.Regexp
	PrecertificateIssuerRegex *regexp.Regexp
}

MatchIssuerRegex is a Matcher which matches on the issuer CN by regex, using |CertificateIssuerRegex| for Certificates and |PrecertificateIssuerRegex| for Precertificates.

func (MatchIssuerRegex) CertificateMatches

func (m MatchIssuerRegex) CertificateMatches(c *x509.Certificate) bool

func (MatchIssuerRegex) PrecertificateMatches

func (m MatchIssuerRegex) PrecertificateMatches(p *ct.Precertificate) bool

type MatchNone

type MatchNone struct{}

MatchNone is a Matcher which will never match any Certificate or Precertificate.

func (MatchNone) CertificateMatches

func (m MatchNone) CertificateMatches(_ *x509.Certificate) bool

func (MatchNone) PrecertificateMatches

func (m MatchNone) PrecertificateMatches(_ *ct.Precertificate) bool

type MatchSerialNumber

type MatchSerialNumber struct {
	SerialNumber big.Int
}

func (MatchSerialNumber) CertificateMatches

func (m MatchSerialNumber) CertificateMatches(c *x509.Certificate) bool

func (MatchSerialNumber) PrecertificateMatches

func (m MatchSerialNumber) PrecertificateMatches(p *ct.Precertificate) bool

type MatchSubjectRegex

type MatchSubjectRegex struct {
	CertificateSubjectRegex    *regexp.Regexp
	PrecertificateSubjectRegex *regexp.Regexp
}

MatchSubjectRegex is a Matcher which will use |CertificateSubjectRegex| and |PrecertificateSubjectRegex| to determine whether Certificates and Precertificates are interesting. The two regexes are tested against the Subject Common Name as well as all Subject Alternative Names.

func (MatchSubjectRegex) CertificateMatches

func (m MatchSubjectRegex) CertificateMatches(c *x509.Certificate) bool

Returns true if either CN or any SAN of |c| matches |CertificateSubjectRegex|.

func (MatchSubjectRegex) PrecertificateMatches

func (m MatchSubjectRegex) PrecertificateMatches(p *ct.Precertificate) bool

Returns true if either CN or any SAN of |p| matches |PrecertificateSubjectRegex|.

type Matcher

type Matcher interface {
	// CertificateMatches is called by the scanner for each X509 Certificate found in the log.
	// The implementation should return |true| if the passed Certificate is interesting, and |false| otherwise.
	CertificateMatches(*x509.Certificate) bool

	// PrecertificateMatches is called by the scanner for each CT Precertificate found in the log.
	// The implementation should return |true| if the passed Precertificate is interesting, and |false| otherwise.
	PrecertificateMatches(*ct.Precertificate) bool
}

Clients wishing to implement their own Matchers should implement this interface.
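An added example, not the package's own code, covering two of the types above: the ASN1Certificate well-formedness check and a custom Matcher in the style of MatchSubjectRegex. It assumes the standard-library crypto/x509 type in place of the CT fork's x509 package, keeps only the X.509 side of the Matcher interface (ct.Precertificate is not in the standard library, so the CertMatcher interface here is a cut-down stand-in), and constructs its own throw-away self-signed certificate as input. WellFormedASN1, SubjectRegexMatcher, ScanEntry and newSelfSignedDER are this example's names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// ASN1Certificate reproduces the page's struct: the three top-level fields of
// an X.509 Certificate SEQUENCE. Decoding DER into it tests outer framing only.
type ASN1Certificate struct {
	Raw                asn1.RawContent
	TBSCertificate     asn1.RawValue
	SignatureAlgorithm pkix.AlgorithmIdentifier
	SignatureValue     asn1.BitString
}

// WellFormedASN1 reports whether der decodes as a Certificate SEQUENCE with
// no trailing bytes; this is the check the ASN1Certificate type exists for.
func WellFormedASN1(der []byte) bool {
	var c ASN1Certificate
	rest, err := asn1.Unmarshal(der, &c)
	return err == nil && len(rest) == 0
}

// CertMatcher is a cut-down stand-in for the page's Matcher interface (X.509
// side only, on the stdlib type; the ct.Precertificate side is not stdlib).
type CertMatcher interface {
	CertificateMatches(*x509.Certificate) bool
}

// SubjectRegexMatcher implements the behaviour the page describes for
// MatchSubjectRegex: the regex is tested against the Subject CN and every
// DNS SAN. A nil regex matches nothing.
type SubjectRegexMatcher struct {
	CertificateSubjectRegex *regexp.Regexp
}

func (m SubjectRegexMatcher) CertificateMatches(c *x509.Certificate) bool {
	if m.CertificateSubjectRegex == nil {
		return false
	}
	if m.CertificateSubjectRegex.MatchString(c.Subject.CommonName) {
		return true
	}
	for _, san := range c.DNSNames {
		if m.CertificateSubjectRegex.MatchString(san) {
			return true
		}
	}
	return false
}

// ScanEntry is the per-entry decision a scanner callback makes: reject DER that
// is not even well-formed ASN.1 (the corrupted-entry case), parse the rest,
// and ask the matcher whether the certificate is interesting.
func ScanEntry(der []byte, m CertMatcher) (bool, error) {
	if !WellFormedASN1(der) {
		return false, fmt.Errorf("log entry is not well-formed ASN.1")
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	return m.CertificateMatches(cert), nil
}

// newSelfSignedDER builds a constructed, throw-away self-signed certificate
// (test data only) with the given CN and DNS SANs and returns its DER bytes.
func newSelfSignedDER(cn string, sans []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, err := newSelfSignedDER("example.test", []string{"www.example.test", "api.example.test"})
	if err != nil {
		panic(err)
	}
	m := SubjectRegexMatcher{CertificateSubjectRegex: regexp.MustCompile(`^api\.`)}
	fmt.Println(ScanEntry(der, m))              // true <nil>: matched via the api.example.test SAN
	fmt.Println(ScanEntry(der[:len(der)-8], m)) // false plus an error: truncated entry rejected
}
```

The well-formedness check deliberately says nothing about validity or trust; it only separates entries whose outer ASN.1 framing survives from corrupted ones, which is what the page says ASN1Certificate is for.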

type Scanner

type Scanner struct {
	// contains filtered or unexported fields
}

Scanner is a tool to scan all the entries in a CT Log.

func NewScanner

func NewScanner(client *client.LogClient, opts ScannerOptions, logger *log.Logger) *Scanner

Creates a new Scanner instance using |client| to talk to the log, and taking configuration options from |opts|.

func (*Scanner) Scan

func (s *Scanner) Scan(foundCert func(*ct.LogEntry, string),
	foundPrecert func(*ct.LogEntry, string), updater chan int64) (int64, error)

Performs a scan against the Log. For each x509 certificate found, |foundCert| will be called with the index of the entry and the certificate itself as arguments. For each precert found, |foundPrecert| will be called with the index of the entry and the raw precert string as the arguments.

This method blocks until the scan is complete.

type ScannerOptions

type ScannerOptions struct {
	// Custom matcher for x509 Certificates, functor will be called for each
	// Certificate found during scanning.
	Matcher Matcher

	// Match precerts only (Matcher still applies to precerts)
	PrecertOnly bool

	// Number of entries to request in one batch from the Log
	BatchSize int64

	// Number of concurrent matchers to run
	NumWorkers int

	// Number of concurrent fetchers to run
	ParallelFetch int

	// Log entry index to start fetching & matching at
	StartIndex int64

	// Don't print any status messages to stdout
	Quiet bool

	// The name of the CT server we're pulling certs from
	Name string

	MaximumIndex int64

	// Always output encountered certificates, so long as they are valid ASN.1
	IgnoreParsingErrors bool
}

ScannerOptions holds configuration options for the Scanner.

func DefaultScannerOptions

func DefaultScannerOptions() *ScannerOptions

Creates a new ScannerOptions struct with sensible defaults.
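An added example, not the package's own code, of the pipeline that Scan and ScannerOptions describe: ParallelFetch fetchers pull BatchSize entries at a time starting at StartIndex, NumWorkers workers run the matcher, and the found callback fires for each interesting entry, with the call blocking until the scan completes. It assumes a constructed in-memory log (FakeLog) in place of client.LogClient, an Entry type in place of ct.LogEntry, that MaximumIndex is an exclusive upper bound (the page leaves the field undocumented), and that the int64 returned is the number of entries examined; Options, Scan and SampleLog are this example's names.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
)

// Entry stands in for ct.LogEntry: a log index plus the certificate's subject
// name (constructed type, keeps the example stdlib-only).
type Entry struct {
	Index   int64
	Subject string
}

// Options mirrors the ScannerOptions fields that shape the pipeline.
// MaximumIndex is treated as exclusive (assumption; undocumented on the page).
type Options struct {
	BatchSize     int64
	NumWorkers    int
	ParallelFetch int
	StartIndex    int64
	MaximumIndex  int64
}

// FakeLog stands in for client.LogClient; GetEntries serves [start, end)
// clipped to the log, as a real log clips requests past its current size.
type FakeLog []Entry

func (l FakeLog) GetEntries(start, end int64) []Entry {
	if end > int64(len(l)) {
		end = int64(len(l))
	}
	if start >= end {
		return nil
	}
	return l[start:end]
}

// Scan reproduces the shape of Scanner.Scan: ParallelFetch goroutines pull
// BatchSize-sized batches, NumWorkers goroutines run the matcher, found runs
// per interesting entry. Blocks until done; returns the entries examined.
func Scan(log FakeLog, opts Options, match func(Entry) bool, found func(Entry)) int64 {
	if opts.BatchSize < 1 || opts.NumWorkers < 1 || opts.ParallelFetch < 1 {
		panic("scan: BatchSize, NumWorkers and ParallelFetch must be >= 1")
	}
	ranges := make(chan [2]int64)
	entries := make(chan Entry)
	var fetchers, workers sync.WaitGroup

	// Producer: split [StartIndex, MaximumIndex) into batch ranges.
	go func() {
		defer close(ranges)
		for s := opts.StartIndex; s < opts.MaximumIndex; s += opts.BatchSize {
			e := s + opts.BatchSize
			if e > opts.MaximumIndex {
				e = opts.MaximumIndex
			}
			ranges <- [2]int64{s, e}
		}
	}()

	// Fetchers: each takes a range off the channel and pulls it from the log.
	for i := 0; i < opts.ParallelFetch; i++ {
		fetchers.Add(1)
		go func() {
			defer fetchers.Done()
			for r := range ranges {
				for _, e := range log.GetEntries(r[0], r[1]) {
					entries <- e
				}
			}
		}()
	}
	go func() { fetchers.Wait(); close(entries) }()

	// Workers: run the matcher; counter and callback sit under a mutex so the
	// caller's callback need not be safe for concurrent use.
	var mu sync.Mutex
	var examined int64
	for i := 0; i < opts.NumWorkers; i++ {
		workers.Add(1)
		go func() {
			defer workers.Done()
			for e := range entries {
				hit := match(e)
				mu.Lock()
				examined++
				if hit {
					found(e)
				}
				mu.Unlock()
			}
		}()
	}
	workers.Wait()
	return examined
}

// SampleLog builds a constructed log of n entries; every seventh subject sits
// under corp.example.test so a substring matcher has something to find.
func SampleLog(n int64) FakeLog {
	log := make(FakeLog, n)
	for i := range log {
		log[i] = Entry{Index: int64(i), Subject: fmt.Sprintf("host%d.example.test", i)}
		if i%7 == 0 {
			log[i].Subject = fmt.Sprintf("host%d.corp.example.test", i)
		}
	}
	return log
}

func main() {
	opts := Options{BatchSize: 4, NumWorkers: 3, ParallelFetch: 2, StartIndex: 3, MaximumIndex: 25}
	n := Scan(SampleLog(25), opts,
		func(e Entry) bool { return strings.Contains(e.Subject, ".corp.") },
		func(e Entry) { fmt.Println("interesting:", e.Index, e.Subject) })
	fmt.Println("examined", n, "entries") // 22 entries, indices 3..24
}
```

Because matching is concurrent, the order in which found is called is not the log order; a consumer that cares about order should key its output by Entry.Index rather than by arrival, which is also why the real Scan hands the callback the log entry rather than just the certificate.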
