summaryrefslogtreecommitdiff
path: root/diff.go
diff options
context:
space:
mode:
authorLuke Shumaker <lukeshu@sbcglobal.net>2016-11-18 01:21:27 -0500
committerLuke Shumaker <lukeshu@sbcglobal.net>2016-11-18 01:21:27 -0500
commitc4f6d3489ef91c539ba88e372635e4d0d87e6ad2 (patch)
treefbfc8755e3ba011e789723e4407b908b39bd5aad /diff.go
parente339617040bde6ef57f4ccc896f9feba60dbe12f (diff)
Check crt.sh against actual used certs
Diffstat (limited to 'diff.go')
-rw-r--r--diff.go108
1 files changed, 108 insertions, 0 deletions
diff --git a/diff.go b/diff.go
new file mode 100644
index 0000000..24fa228
--- /dev/null
+++ b/diff.go
@@ -0,0 +1,108 @@
+package main
+
+import (
+ "crypto/x509"
+ "encoding/pem"
+ "fmt"
+ "io/ioutil"
+ "os"
+ "sort"
+)
+
+func handleErr(err error, str string, a ...interface{}) {
+ a = append([]interface{}{err}, a...)
+ if err != nil {
+ fmt.Fprintf(os.Stderr, str, a...)
+ os.Exit(1)
+ }
+}
+
+func readTLS(filename string) (map[string]*x509.Certificate, error) {
+ file, err := os.Open(filename)
+ if err != nil {
+ return nil, err
+ }
+ data, err := ioutil.ReadAll(file)
+ if err != nil {
+ return nil, err
+ }
+
+ ret := make(map[string]*x509.Certificate)
+ for len(data) > 0 {
+ var certPem *pem.Block
+ certPem, data = pem.Decode(data)
+ certX509, err := x509.ParseCertificate(certPem.Bytes)
+ if err != nil {
+ return nil, err
+ }
+ ret[certX509.Subject.CommonName] = certX509
+ }
+ return ret, nil
+}
+
+func readCrtSh(filename string, hosts []string) (map[string]*x509.Certificate, error) {
+ file, err := os.Open(filename)
+ if err != nil {
+ return nil, err
+ }
+ data, err := ioutil.ReadAll(file)
+ if err != nil {
+ return nil, err
+ }
+
+ ret := make(map[string]*x509.Certificate)
+ for len(data) > 0 {
+ var certPem *pem.Block
+ certPem, data = pem.Decode(data)
+ certX509, err := x509.ParseCertificate(certPem.Bytes)
+ if err != nil {
+ return nil, err
+ }
+ for _, host := range hosts {
+ if certX509.VerifyHostname(host) == nil {
+ if old, haveold := ret[host]; !haveold || certX509.NotBefore.After(old.NotBefore) {
+ ret[host] = certX509
+ }
+ }
+ }
+ }
+ return ret, nil
+}
+
+func keys(m map[string]*x509.Certificate) []string {
+ ret := make([]string, len(m))
+ i := 0
+ for k := range m {
+ ret[i] = k
+ i++
+ }
+ sort.Strings(ret)
+ return ret
+}
+
+func main() {
+ if len(os.Args) != 3 {
+ fmt.Fprintf(os.Stderr, "Usage: %s TLS-file crt.sh-file\n", os.Args[0])
+ }
+ certsTLS, err := readTLS(os.Args[1])
+ handleErr(err, "Could load TLS file: %v\n")
+ hostsTLS := keys(certsTLS)
+ certsCrtSh, err := readCrtSh(os.Args[2], hostsTLS)
+ handleErr(err, "Could load crt.sh file: %v\n")
+
+ fmt.Printf("--- %s\n", os.Args[1])
+ fmt.Printf("+++ %s\n", os.Args[2])
+ fmt.Printf("@@ -1,%d +1,%d @@\n", len(hostsTLS), len(hostsTLS))
+ for _, host := range hostsTLS {
+ certTLS := certsTLS[host]
+ certCrtSh, okCrtSh := certsCrtSh[host]
+ if !okCrtSh {
+ fmt.Printf("-%s %s\n", host, certTLS.NotBefore.Format("2006-01-02 15:04:05 MST(-07)"))
+ } else if !certTLS.Equal(certCrtSh) {
+ fmt.Printf("-%s %s\n", host, certTLS.NotBefore.Format("2006-01-02 15:04:05 MST(-07)"))
+ fmt.Printf("+%s %s\n", host, certCrtSh.NotBefore.Format("2006-01-02 15:04:05 MST(-07)"))
+ } else {
+ fmt.Printf(" %s %s\n", host, certTLS.NotBefore.Format("2006-01-02 15:04:05 MST(-07)"))
+ }
+ }
+}