From a5ec04500013e2e9b46c143fe4bf99e389d686a9 Mon Sep 17 00:00:00 2001 From: Hubert Kario Date: Wed, 20 Jul 2016 21:17:37 +0200 Subject: [PATCH] changing time of verification for certificate chains allow to run the analysis of certificate chains later after the data was collected, allows also for re-analysis of archival data --- top1m/parse_CAs.c | 31 +++++++++++++++++++++---- top1m/process-certificate-statistics.sh | 2 +- 2 files changed, 28 insertions(+), 5 deletions(-) diff --git a/top1m/parse_CAs.c b/top1m/parse_CAs.c index 987d609..8918a3e 100644 --- a/top1m/parse_CAs.c +++ b/top1m/parse_CAs.c @@ -108,7 +108,7 @@ char *hash_to_filename(const char *hash) // will indicate which certificate were used for verification, whatever // the chain was trusted and if all certificates needed for verification // (with the exception of root CA) were present in hashes -int process_chain(const char **cert_hashes) +int process_chain(const char **cert_hashes, time_t v_time) { int ret; int rc; // return code from function @@ -120,6 +120,7 @@ int process_chain(const char **cert_hashes) X509_STORE *store; X509_STORE_CTX *csc; + X509_VERIFY_PARAM *vp; STACK_OF(X509) *ustack; STACK_OF(X509) *vstack; @@ -158,6 +159,14 @@ int process_chain(const char **cert_hashes) free(f_name); } + // prepare store parameters + vp = X509_VERIFY_PARAM_new(); + if (vp == NULL) { + printf("out of memory\n"); + return 1; + } + X509_VERIFY_PARAM_set_time(vp, v_time); + // first try with just trusted certificates store = SSL_CTX_get_cert_store(trusted_only); @@ -166,6 +175,7 @@ int process_chain(const char **cert_hashes) return 1; } X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST); + X509_STORE_set1_param(store, vp); csc = X509_STORE_CTX_new(); @@ -216,6 +226,7 @@ int process_chain(const char **cert_hashes) return 1; } X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST); + X509_STORE_set1_param(store, vp); csc = X509_STORE_CTX_new(); 
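Review bot: The `X509_VERIFY_PARAM` allocated with `X509_VERIFY_PARAM_new()` in the `@@ -158` hunk is never released: `X509_STORE_set1_param` copies the parameters into the store, so `vp` must still be freed with `X509_VERIFY_PARAM_free(vp)`, and process_chain is called once per chain from process_host_results, so this leaks on every chain of every host. The `return 1` paths that follow the allocation (the `store == NULL` checks visible in the `@@ -166` and `@@ -216` hunks) leak it as well. The function's body continues past these hunks and its cleanup label `err:` is outside them, so the fix is presumably to route those returns through `err:` and free `vp` there, which I cannot confirm from the visible lines. A one-line reminder above the allocation, `// vp is copied into the store by set1_param; free it on every exit path`, would make the ownership explicit.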
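Review bot: The new `X509_STORE_set1_param(store, vp);` calls in the `@@ -166` and `@@ -216` hunks ignore their return value, while the adjacent `store == NULL` check does handle failure; if the copy fails the chain is silently verified against the store's previous time (the real clock, or whatever the last chain set), which defeats the purpose of the patch for archival re-analysis. Check it the same way as the store lookup, `if (X509_STORE_set1_param(store, vp) != 1) { fprintf(stderr, "can't set verification time\n"); return 1; }` (and free `vp` before returning, since it is allocated earlier in this function). A short comment noting that the store comes from a shared `SSL_CTX` and keeps the last time set on it would also help the next reader.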
@@ -389,7 +400,7 @@ err: } // process all ciphersuites one by one from a given host results file -int process_host_results(char *filename) +int process_host_results(char *filename, time_t v_time) { int fd; int ret = 0; @@ -456,7 +467,7 @@ int process_host_results(char *filename) if (rc == 0 && j > 0) { if (first_printed != 0) printf(","); - if (process_chain(certs) != 0) { + if (process_chain(certs, v_time) != 0) { fprintf(stderr, "error while processing chains!\n"); } else { first_printed = 1; @@ -489,9 +500,21 @@ int main(int argc, char** argv) DIR *dirp; struct dirent *direntp; + time_t v_time; char buffer[MAX_BUFFER_SIZE] = {}; + if (argc < 2) { + v_time = time(NULL); + } else { + char *endptr; + v_time = (time_t)strtoul(argv[0], &endptr, 10); + if (*endptr != '\0') { + fprintf(stderr, "time parameter is not a valid number\n"); + return 1; + } + } + SSL_load_error_strings(); SSL_library_init(); @@ -534,7 +557,7 @@ int main(int argc, char** argv) abort(); } - ret = process_host_results(buffer); + ret = process_host_results(buffer, v_time); if (ret == 1) { fprintf(stderr, "error while processing %s\n", buffer); } diff --git a/top1m/process-certificate-statistics.sh b/top1m/process-certificate-statistics.sh index b9256d8..dbf01e9 100755 --- a/top1m/process-certificate-statistics.sh +++ b/top1m/process-certificate-statistics.sh @@ -40,7 +40,7 @@ if [ ! -x ./parse_CAs ]; then fi echo "Verifying certificate chains from results files" -./parse_CAs > parsed +./parse_CAs "$@" > parsed echo "Calculating statistics for verified certificate chains" python parse_CAs.py > trust_scan echo "Done!"
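Review bot: In the `@@ -489` hunk of main, the verification time is parsed from `argv[0]` — the program name — instead of `argv[1]`, so whenever an argument is passed (as the updated script now does with `"$@"`) `strtoul` stops at the first non-digit and the program exits with "time parameter is not a valid number"; the feature cannot work as committed. The check also accepts an empty argument (`endptr` then already points at `'\0'`, yielding time 0) and does not detect `ERANGE`. Suggested lines: `errno = 0;` / `v_time = (time_t)strtoul(argv[1], &endptr, 10);` / `if (endptr == argv[1] || *endptr != '\0' || errno == ERANGE) {` — this needs `<errno.h>`, which I cannot see whether the file already includes. A comment stating the expected unit, presumably seconds since the epoch as used by `time(NULL)` in the default branch, would also be useful.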