changing time of verification for certificate chains
Allow the analysis of certificate chains to be run later, after the data was collected; this also allows re-analysis of archival data.
This commit is contained in:
parent
5d930c2d32
commit
a5ec045000
@ -108,7 +108,7 @@ char *hash_to_filename(const char *hash)
|
|||||||
// will indicate which certificate were used for verification, whatever
|
// will indicate which certificate were used for verification, whatever
|
||||||
// the chain was trusted and if all certificates needed for verification
|
// the chain was trusted and if all certificates needed for verification
|
||||||
// (with the exception of root CA) were present in hashes
|
// (with the exception of root CA) were present in hashes
|
||||||
int process_chain(const char **cert_hashes)
|
int process_chain(const char **cert_hashes, time_t v_time)
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
int rc; // return code from function
|
int rc; // return code from function
|
||||||
@ -120,6 +120,7 @@ int process_chain(const char **cert_hashes)
|
|||||||
X509_STORE *store;
|
X509_STORE *store;
|
||||||
|
|
||||||
X509_STORE_CTX *csc;
|
X509_STORE_CTX *csc;
|
||||||
|
X509_VERIFY_PARAM *vp;
|
||||||
|
|
||||||
STACK_OF(X509) *ustack;
|
STACK_OF(X509) *ustack;
|
||||||
STACK_OF(X509) *vstack;
|
STACK_OF(X509) *vstack;
|
||||||
@ -158,6 +159,14 @@ int process_chain(const char **cert_hashes)
|
|||||||
free(f_name);
|
free(f_name);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// prepare store parameters
|
||||||
|
vp = X509_VERIFY_PARAM_new();
|
||||||
|
if (vp == NULL) {
|
||||||
|
printf("out of memory\n");
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
X509_VERIFY_PARAM_set_time(vp, v_time);
|
||||||
|
|
||||||
// first try with just trusted certificates
|
// first try with just trusted certificates
|
||||||
|
|
||||||
store = SSL_CTX_get_cert_store(trusted_only);
|
store = SSL_CTX_get_cert_store(trusted_only);
|
||||||
@ -166,6 +175,7 @@ int process_chain(const char **cert_hashes)
|
|||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);
|
X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);
|
||||||
|
X509_STORE_set1_param(store, vp);
|
||||||
|
|
||||||
csc = X509_STORE_CTX_new();
|
csc = X509_STORE_CTX_new();
|
||||||
|
|
||||||
@ -216,6 +226,7 @@ int process_chain(const char **cert_hashes)
|
|||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);
|
X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);
|
||||||
|
X509_STORE_set1_param(store, vp);
|
||||||
|
|
||||||
csc = X509_STORE_CTX_new();
|
csc = X509_STORE_CTX_new();
|
||||||
|
|
||||||
@ -389,7 +400,7 @@ err:
|
|||||||
}
|
}
|
||||||
|
|
||||||
// process all ciphersuites one by one from a given host results file
|
// process all ciphersuites one by one from a given host results file
|
||||||
int process_host_results(char *filename)
|
int process_host_results(char *filename, time_t v_time)
|
||||||
{
|
{
|
||||||
int fd;
|
int fd;
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
@ -456,7 +467,7 @@ int process_host_results(char *filename)
|
|||||||
if (rc == 0 && j > 0) {
|
if (rc == 0 && j > 0) {
|
||||||
if (first_printed != 0)
|
if (first_printed != 0)
|
||||||
printf(",");
|
printf(",");
|
||||||
if (process_chain(certs) != 0) {
|
if (process_chain(certs, v_time) != 0) {
|
||||||
fprintf(stderr, "error while processing chains!\n");
|
fprintf(stderr, "error while processing chains!\n");
|
||||||
} else {
|
} else {
|
||||||
first_printed = 1;
|
first_printed = 1;
|
||||||
@ -489,9 +500,21 @@ int main(int argc, char** argv)
|
|||||||
|
|
||||||
DIR *dirp;
|
DIR *dirp;
|
||||||
struct dirent *direntp;
|
struct dirent *direntp;
|
||||||
|
time_t v_time;
|
||||||
|
|
||||||
char buffer[MAX_BUFFER_SIZE] = {};
|
char buffer[MAX_BUFFER_SIZE] = {};
|
||||||
|
|
||||||
|
if (argc < 2) {
|
||||||
|
v_time = time(NULL);
|
||||||
|
} else {
|
||||||
|
char *endptr;
|
||||||
|
v_time = (time_t)strtoul(argv[0], &endptr, 10);
|
||||||
|
if (*endptr != '\0') {
|
||||||
|
fprintf(stderr, "time parameter is not a valid number\n");
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
SSL_load_error_strings();
|
SSL_load_error_strings();
|
||||||
SSL_library_init();
|
SSL_library_init();
|
||||||
|
|
||||||
@ -534,7 +557,7 @@ int main(int argc, char** argv)
|
|||||||
abort();
|
abort();
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = process_host_results(buffer);
|
ret = process_host_results(buffer, v_time);
|
||||||
if (ret == 1) {
|
if (ret == 1) {
|
||||||
fprintf(stderr, "error while processing %s\n", buffer);
|
fprintf(stderr, "error while processing %s\n", buffer);
|
||||||
}
|
}
|
||||||
|
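Review bot: The new argument parsing in main() reads `argv[0]` — the program name — instead of the first argument, so whenever a verification time is supplied (argc >= 2) strtoul stops at the first non-digit of something like `./parse_CAs` and the program exits with "time parameter is not a valid number"; the call must use `argv[1]`. strtoul also silently accepts a leading `-`, returns 0 with `*endptr == '\0'` for an empty argument, and reports overflow only through errno, which is never checked — and since v_time decides which chains are reported as valid at the chosen date, a silently wrong time skews the whole re-analysis instead of failing loudly. I would write `errno = 0;`, `v_time = (time_t)strtoul(argv[1], &endptr, 10);` and `if (argv[1][0] == '\0' || *endptr != '\0' || errno == ERANGE) {` (adding `<errno.h>` if it is not already included above). In process_chain(), X509_STORE_set1_param() copies the parameters, so the object from X509_VERIFY_PARAM_new() should be released with X509_VERIFY_PARAM_free() once both stores are configured; the function's cleanup path lies outside the hunk, so I cannot tell whether that happens, and the early `return 1` on allocation failure likewise bypasses whatever cleanup that path performs. Both main() and process_chain() continue beyond the hunks shown.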
@ -40,7 +40,7 @@ if [ ! -x ./parse_CAs ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
echo "Verifying certificate chains from results files"
|
echo "Verifying certificate chains from results files"
|
||||||
./parse_CAs > parsed
|
./parse_CAs "$@" > parsed
|
||||||
echo "Calculating statistics for verified certificate chains"
|
echo "Calculating statistics for verified certificate chains"
|
||||||
python parse_CAs.py > trust_scan
|
python parse_CAs.py > trust_scan
|
||||||
echo "Done!"
|
echo "Done!"
|
||||||
|
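Review bot: The exit status of `./parse_CAs "$@"` is ignored, and with this change the program gains a new way to fail before producing output (an invalid time argument makes it return 1), after which `python parse_CAs.py` would compute statistics from an empty or partial `parsed` file. Unless the script enables `set -e` above this hunk, guard the call: `./parse_CAs "$@" > parsed || { echo "parse_CAs failed" >&2; exit 1; }`. It would also help to document the new positional argument next to the echo, e.g. `# optional first argument: verification time as a Unix timestamp, forwarded to parse_CAs`.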