77 "math/big"
88 "regexp"
99
10+ "encoding/base64"
1011 "github.com/google/certificate-transparency/go"
1112 "github.com/google/certificate-transparency/go/client"
1213 "github.com/google/certificate-transparency/go/scanner"
@@ -19,13 +20,15 @@ const (
1920
2021var logUri = flag .String ("log_uri" , "http://ct.googleapis.com/aviator" , "CT log base URI" )
2122var matchSubjectRegex = flag .String ("match_subject_regex" , ".*" , "Regex to match CN/SAN" )
23+ var matchIssuerRegex = flag .String ("match_issuer_regex" , "" , "Regex to match in issuer CN" )
2224var precertsOnly = flag .Bool ("precerts_only" , false , "Only match precerts" )
2325var serialNumber = flag .String ("serial_number" , "" , "Serial number of certificate of interest" )
2426var batchSize = flag .Int ("batch_size" , 1000 , "Max number of entries to request at per call to get-entries" )
2527var numWorkers = flag .Int ("num_workers" , 2 , "Number of concurrent matchers" )
2628var parallelFetch = flag .Int ("parallel_fetch" , 2 , "Number of concurrent GetEntries fetches" )
2729var startIndex = flag .Int64 ("start_index" , 0 , "Log index to start scanning at" )
2830var quiet = flag .Bool ("quiet" , false , "Don't print out extra logging messages, only matches." )
31+ var printChains = flag .Bool ("print_chains" , false , "If true prints the whole chain rather than a summary" )
2932
3033// Prints out a short bit of info about |cert|, found at |index| in the
3134// specified log
@@ -40,7 +43,41 @@ func logPrecertInfo(entry *ct.LogEntry) {
4043 entry .Precert .TBSCertificate .Subject .CommonName , entry .Precert .TBSCertificate .Issuer .CommonName )
4144}
4245
46+ func chainToString (certs []ct.ASN1Cert ) string {
47+ var output []byte
48+
49+ for _ , cert := range certs {
50+ output = append (output , cert ... )
51+ }
52+
53+ return base64 .StdEncoding .EncodeToString (output )
54+ }
55+
56+ func logFullChain (entry * ct.LogEntry ) {
57+ log .Printf ("Index %d: Chain: %s" , entry .Index , chainToString (entry .Chain ))
58+ }
59+
60+ func createRegexes (regexValue string ) (* regexp.Regexp , * regexp.Regexp ) {
61+ // Make a regex matcher
62+ var certRegex * regexp.Regexp
63+ precertRegex := regexp .MustCompile (regexValue )
64+ switch * precertsOnly {
65+ case true :
66+ certRegex = regexp .MustCompile (MatchesNothingRegex )
67+ case false :
68+ certRegex = precertRegex
69+ }
70+
71+ return certRegex , precertRegex
72+ }
73+
4374func createMatcherFromFlags () (scanner.Matcher , error ) {
75+ if * matchIssuerRegex != "" {
76+ certRegex , precertRegex := createRegexes (* matchIssuerRegex )
77+ return scanner.MatchIssuerRegex {
78+ CertificateIssuerRegex : certRegex ,
79+ PrecertificateIssuerRegex : precertRegex }, nil
80+ }
4481 if * serialNumber != "" {
4582 log .Printf ("Using SerialNumber matcher on %s" , * serialNumber )
4683 var sn big.Int
@@ -50,15 +87,7 @@ func createMatcherFromFlags() (scanner.Matcher, error) {
5087 }
5188 return scanner.MatchSerialNumber {SerialNumber : sn }, nil
5289 } else {
53- // Make a regex matcher
54- var certRegex * regexp.Regexp
55- precertRegex := regexp .MustCompile (* matchSubjectRegex )
56- switch * precertsOnly {
57- case true :
58- certRegex = regexp .MustCompile (MatchesNothingRegex )
59- case false :
60- certRegex = precertRegex
61- }
90+ certRegex , precertRegex := createRegexes (* matchSubjectRegex )
6291 return scanner.MatchSubjectRegex {
6392 CertificateSubjectRegex : certRegex ,
6493 PrecertificateSubjectRegex : precertRegex }, nil
@@ -82,5 +111,10 @@ func main() {
82111 Quiet : * quiet ,
83112 }
84113 scanner := scanner .NewScanner (logClient , opts )
85- scanner .Scan (logCertInfo , logPrecertInfo )
114+
115+ if * printChains {
116+ scanner .Scan (logFullChain , logFullChain )
117+ } else {
118+ scanner .Scan (logCertInfo , logPrecertInfo )
119+ }
86120}
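Review bot: In createMatcherFromFlags the new `match_issuer_regex` branch returns before `serial_number` and `match_subject_regex` are looked at, so an operator who sets it together with `serial_number` gets issuer-only matching with no sign that the other filter was dropped; for a CT monitoring job that is a silent coverage gap. I would log the choice the way the serial-number branch does, `log.Printf("Using IssuerRegex matcher on %s", *matchIssuerRegex)`, and return an error when the two flags are combined. Separately, createRegexes hands the flag value to `regexp.MustCompile`, which panics on an invalid pattern; since the caller already has an error return, `regexp.Compile` with the error propagated would fail cleanly. The help text for `print_chains` says "the whole chain", but logFullChain prints only `entry.Chain`, which may not include the leaf certificate, so that is worth confirming and stating in the flag description. Part of createMatcherFromFlags lies between hunks and is not visible here.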