2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-24 23:23:40 +01:00

changing time of verification for certificate chains

allow to run the analysis of certificate chains later after the
data was collected, allows also for re-analysis of archival data
This commit is contained in:
Hubert Kario 2016-07-20 21:17:37 +02:00
parent 5d930c2d32
commit a5ec045000
2 changed files with 28 additions and 5 deletions

View File

@ -108,7 +108,7 @@ char *hash_to_filename(const char *hash)
// will indicate which certificate were used for verification, whatever // will indicate which certificate were used for verification, whatever
// the chain was trusted and if all certificates needed for verification // the chain was trusted and if all certificates needed for verification
// (with the exception of root CA) were present in hashes // (with the exception of root CA) were present in hashes
int process_chain(const char **cert_hashes) int process_chain(const char **cert_hashes, time_t v_time)
{ {
int ret; int ret;
int rc; // return code from function int rc; // return code from function
@ -120,6 +120,7 @@ int process_chain(const char **cert_hashes)
X509_STORE *store; X509_STORE *store;
X509_STORE_CTX *csc; X509_STORE_CTX *csc;
X509_VERIFY_PARAM *vp;
STACK_OF(X509) *ustack; STACK_OF(X509) *ustack;
STACK_OF(X509) *vstack; STACK_OF(X509) *vstack;
@ -158,6 +159,14 @@ int process_chain(const char **cert_hashes)
free(f_name); free(f_name);
} }
// prepare store parameters
vp = X509_VERIFY_PARAM_new();
if (vp == NULL) {
printf("out of memory\n");
return 1;
}
X509_VERIFY_PARAM_set_time(vp, v_time);
// first try with just trusted certificates // first try with just trusted certificates
store = SSL_CTX_get_cert_store(trusted_only); store = SSL_CTX_get_cert_store(trusted_only);
@ -166,6 +175,7 @@ int process_chain(const char **cert_hashes)
return 1; return 1;
} }
X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST); X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);
X509_STORE_set1_param(store, vp);
csc = X509_STORE_CTX_new(); csc = X509_STORE_CTX_new();
@ -216,6 +226,7 @@ int process_chain(const char **cert_hashes)
return 1; return 1;
} }
X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST); X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);
X509_STORE_set1_param(store, vp);
csc = X509_STORE_CTX_new(); csc = X509_STORE_CTX_new();
@ -389,7 +400,7 @@ err:
} }
// process all ciphersuites one by one from a given host results file // process all ciphersuites one by one from a given host results file
int process_host_results(char *filename) int process_host_results(char *filename, time_t v_time)
{ {
int fd; int fd;
int ret = 0; int ret = 0;
@ -456,7 +467,7 @@ int process_host_results(char *filename)
if (rc == 0 && j > 0) { if (rc == 0 && j > 0) {
if (first_printed != 0) if (first_printed != 0)
printf(","); printf(",");
if (process_chain(certs) != 0) { if (process_chain(certs, v_time) != 0) {
fprintf(stderr, "error while processing chains!\n"); fprintf(stderr, "error while processing chains!\n");
} else { } else {
first_printed = 1; first_printed = 1;
@ -489,9 +500,21 @@ int main(int argc, char** argv)
DIR *dirp; DIR *dirp;
struct dirent *direntp; struct dirent *direntp;
time_t v_time;
char buffer[MAX_BUFFER_SIZE] = {}; char buffer[MAX_BUFFER_SIZE] = {};
if (argc < 2) {
v_time = time(NULL);
} else {
char *endptr;
v_time = (time_t)strtoul(argv[0], &endptr, 10);
if (*endptr != '\0') {
fprintf(stderr, "time parameter is not a valid number\n");
return 1;
}
}
SSL_load_error_strings(); SSL_load_error_strings();
SSL_library_init(); SSL_library_init();
@ -534,7 +557,7 @@ int main(int argc, char** argv)
abort(); abort();
} }
ret = process_host_results(buffer); ret = process_host_results(buffer, v_time);
if (ret == 1) { if (ret == 1) {
fprintf(stderr, "error while processing %s\n", buffer); fprintf(stderr, "error while processing %s\n", buffer);
} }

View File

@ -40,7 +40,7 @@ if [ ! -x ./parse_CAs ]; then
fi fi
echo "Verifying certificate chains from results files" echo "Verifying certificate chains from results files"
./parse_CAs > parsed ./parse_CAs "$@" > parsed
echo "Calculating statistics for verified certificate chains" echo "Calculating statistics for verified certificate chains"
python parse_CAs.py > trust_scan python parse_CAs.py > trust_scan
echo "Done!" echo "Done!"