Diffstat (limited to 'tools')
-rw-r--r-- | tools/certkeys.py | 37 | ||||
-rwxr-xr-x | tools/josef_experimental_auditor.py | 25 | ||||
-rwxr-xr-x | tools/josef_nagios_auditor.py | 32 |
3 files changed, 68 insertions, 26 deletions
diff --git a/tools/certkeys.py b/tools/certkeys.py
index 43646ef..dd0570f 100644
--- a/tools/certkeys.py
+++ b/tools/certkeys.py
@@ -7,4 +7,41 @@ publickeys = {
     "https://flimsy.ct.nordu.net/":
     "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4qWq6afhBUi0OdcWUYhyJLNXTkGqQ9"
     "PMS5lqoCgkV2h1ZvpNjBH2u8UbgcOQwqDo66z6BWQJGolozZYmNHE2kQ==",
+
+    "https://plausible.ct.nordu.net/":
+    "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9UV9+jO2MCTzkabodO2F7LM03MUB"
+    "c8MrdAtkcW6v6GA9taTTw9QJqofm0BbdAsbtJL/unyEf0zIkRgXjjzaYqQ==",
+
+    "https://ct1.digicert-ct.com/log/":
+    "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAkbFvhu7gkAW6MHSrBlpE1n4+HCF"
+    "RkC5OLAjgqhkTH+/uzSfSl8ois8ZxAD2NgaTZe1M9akhYlrYkes4JECs6A==",
+
+    "https://ct.izenpe.com/":
+    "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJ2Q5DC3cUBj4IQCiDu0s6j51up+T"
+    "ZAkAEcQRF6tczw90rLWXkJMAW7jr9yc92bIKgV8vDXU4lDeZHvYHduDuvg==",
+
+    "https://log.certly.io/":
+    "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECyPLhWKYYUgEc+tUXfPQB4wtGS2M"
+    "NvXrjwFCCnyYJifBtd2Sk7Cu+Js9DNhMTh35FftHaHu6ZrclnNBKwmbbSA==",
+
+    "https://ct.googleapis.com/aviator/":
+    "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1/TMabLkDpCjiupacAlP7xNi0I1J"
+    "YP8bQFAHDG1xhtolSY1l4QgNRzRrvSe8liE+NPWHdjGxfx3JhTsN9x8/6Q==",
+
+    "https://ct.googleapis.com/rocketeer/":
+    "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIFsYyDzBi7MxCAC/oJBXK7dHjG+1"
+    "aLCOkHjpoHPqTyghLpzA9BYbqvnV16mAw04vUjyYASVGJCUoI3ctBcJAeg==",
+
+    "https://ct.ws.symantec.com/":
+    "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEluqsHEYMG1XcDfy1lCdGV0JwOmkY"
+    "4r87xNuroPS2bMBTP01CEDPwWJePa75y9CrsHEKqAy8afig1dpkIPSEUhg==",
+
+    "https://ctlog.api.venafi.com/":
+    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAolpIHxdSlTXLo1s6H1OC"
+    "dpSj/4DyHDc8wLG9wVmLqy1lk9fz4ATVmm+/1iN2Nk8jmctUKK2MFUtlWXZBSpym"
+    "97M7frGlSaQXUWyA3CqQUEuIJOmlEjKTBEiQAvpfDjCHjlV2Be4qTM6jamkJbiWt"
+    "gnYPhJL6ONaGTiSPm7Byy57iaz/hbckldSOIoRhYBiMzeNoA0DiRZ9KmfSeXZ1rB"
+    "8y8X5urSW+iBzf2SaOfzBvDpcoTuAaWx2DPazoOl28fP1hZ+kHUYvxbcMjttjauC"
+    "Fx+JII0dmuZNIwjfeG/GBb9frpSX219k1O4Wi6OEbHEr8at/XQ0y7gTikOxBn/s5"
+    "wQIDAQAB",
 }
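Review bot: The map gains an entry for every log whose key file the auditors stop loading except `https://ct.googleapis.com/pilot/`, which is in the removed `logkeys` dict of tools/josef_experimental_auditor.py but is not added here; unless pilot is already defined above line 7 (outside this hunk), a signature check for that log will have no key to fall back on. The new entries also carry no record of where the key material came from, so a later maintainer cannot tell whether a mismatch is a typo or a rotated log key; a comment at the top of the dict such as `# base64 SubjectPublicKeyInfo as published by each log operator; re-verify against the operator's page before editing` would preserve that. The `publickeys` dict opens above the hunk.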
diff --git a/tools/josef_experimental_auditor.py b/tools/josef_experimental_auditor.py
index 1a5b669..57ef9cb 100755
--- a/tools/josef_experimental_auditor.py
+++ b/tools/josef_experimental_auditor.py
@@ -27,16 +27,16 @@ base_urls = [ # "https://ctlog.api.venafi.com/", ] -logkeys = {} -logkeys["https://plausible.ct.nordu.net/"] = get_public_key_from_file("../../plausible-logkey.pem") -logkeys["https://ct.googleapis.com/rocketeer/"] = get_public_key_from_file("../../rocketeer-logkey.pem") -logkeys["https://ct.googleapis.com/aviator/"] = get_public_key_from_file("../../aviator-logkey.pem") -logkeys["https://ct.googleapis.com/pilot/"] = get_public_key_from_file("../../pilot-logkey.pem") -logkeys["https://log.certly.io/"] = get_public_key_from_file("../../certly-logkey.pem") -logkeys["https://ct.izenpe.com/"] = get_public_key_from_file("../../izenpe-logkey.pem") -logkeys["https://ct.ws.symantec.com/"] = get_public_key_from_file("../../symantec-logkey.pem") -logkeys["https://ctlog.api.venafi.com/"] = get_public_key_from_file("../../venafi-logkey.pem") -logkeys["https://ct1.digicert-ct.com/log/"] = get_public_key_from_file("../../digicert-logkey.pem") +# logkeys = {} +# logkeys["https://plausible.ct.nordu.net/"] = get_public_key_from_file("../../plausible-logkey.pem") +# logkeys["https://ct.googleapis.com/rocketeer/"] = get_public_key_from_file("../../rocketeer-logkey.pem") +# logkeys["https://ct.googleapis.com/aviator/"] = get_public_key_from_file("../../aviator-logkey.pem") +# logkeys["https://ct.googleapis.com/pilot/"] = get_public_key_from_file("../../pilot-logkey.pem") +# logkeys["https://log.certly.io/"] = get_public_key_from_file("../../certly-logkey.pem") +# logkeys["https://ct.izenpe.com/"] = get_public_key_from_file("../../izenpe-logkey.pem") +# logkeys["https://ct.ws.symantec.com/"] = get_public_key_from_file("../../symantec-logkey.pem") +# logkeys["https://ctlog.api.venafi.com/"] = get_public_key_from_file("../../venafi-logkey.pem") +# logkeys["https://ct1.digicert-ct.com/log/"] = get_public_key_from_file("../../digicert-logkey.pem") parser = argparse.ArgumentParser(description="") parser.add_argument('--audit', action='store_true', help="run lightweight 
auditor verifying consistency in STH") @@ -112,7 +112,8 @@ def fetch_all_sth(): # Check signature on the STH try: - check_sth_signature(base_url, sths[base_url], logkeys[base_url]) + # check_sth_signature(base_url, sths[base_url], logkeys[base_url]) + check_sth_signature(base_url, sths[base_url], None) except: error_str = time.strftime('%H:%M:%S') + " ERROR: Could not verify signature from " + base_url print error_str @@ -439,7 +440,7 @@ def main(args): # Check signature on the STH try: - check_sth_signature(base_url, tmp_sth, logkeys[base_url]) + check_sth_signature(base_url, tmp_sth, None) write_file("plausible-sth.json", tmp_sth) except: error_str = time.strftime('%H:%M:%S') + " ERROR: Could not verify signature from " + base_url diff --git a/tools/josef_nagios_auditor.py b/tools/josef_nagios_auditor.py index 41fefd0..db68bbe 100755 --- a/tools/josef_nagios_auditor.py +++ b/tools/josef_nagios_auditor.py @@ -16,15 +16,16 @@ NAGIOS_UNKNOWN = 3 parser = argparse.ArgumentParser(description="") parser.add_argument('--audit', action='store_true', help="run lightweight auditor verifying consistency in STH") parser.add_argument('--build-sth', action='store_true', help="get all entries and construct STH") +parser.add_argument('--no-inclusion', action='store_true', help="don't check inclusion proofs for new entries") parser.add_argument('--baseurl', required=True, help="Base URL for CT log") parser.add_argument('--sthfile', required=True, metavar='file', help="File containing current STH") -parser.add_argument('--keyfile', - metavar='file', - required=True, - help="File containing current STH") +# parser.add_argument('--keyfile', +# metavar='file', +# required=True, +# help="File containing current STH") class UTC(datetime.tzinfo): def utcoffset(self, dt): @@ -67,7 +68,7 @@ def reduce_subtree_to_root(layers): return next_merkle_layer(layers[0]) return layers[0] -def get_and_verify_sth(url, key): +def get_and_verify_sth(url): try: sth = get_sth(url) except: 
@@ -76,7 +77,8 @@ def get_and_verify_sth(url, key): # Check signature on the STH try: - check_sth_signature(url, sth, key) + check_sth_signature(url, sth, None) + # check_sth_signature(url, sth, key) # write_file("plausible-sth.json", tmp_sth) except: error_str = time.strftime('%H:%M:%S') + " ERROR: Could not verify signature from " + url @@ -99,7 +101,8 @@ def fetch_all_sth(): # Check signature on the STH try: - check_sth_signature(base_url, sths[base_url], logkeys[base_url]) + # check_sth_signature(base_url, sths[base_url], logkeys[base_url]) + check_sth_signature(base_url, sths[base_url], None) except: error_str = time.strftime('%H:%M:%S') + " ERROR: Could not verify signature from " + base_url print error_str @@ -299,21 +302,22 @@ def write_file(fn, sth): def main(args): - try: - log_key = get_public_key_from_file(args.keyfile) - except: - print time.strftime('%H:%M:%S') + " ERROR: Failed to load keyfile " + args.keyfile - sys.exit(NAGIOS_WARN) + # try: + # log_key = get_public_key_from_file(args.keyfile) + # except: + # print time.strftime('%H:%M:%S') + " ERROR: Failed to load keyfile " + args.keyfile + # sys.exit(NAGIOS_WARN) old_sth = read_sth(args.sthfile) - new_sth = get_and_verify_sth(args.baseurl, log_key) + new_sth = get_and_verify_sth(args.baseurl) write_file(args.sthfile, new_sth) verify_progress(args.baseurl, old_sth, new_sth) verify_consistency(args.baseurl, old_sth, new_sth) - verify_inclusion_all(args.baseurl, old_sth, new_sth) + if not args.no_inclusion: + verify_inclusion_all(args.baseurl, old_sth, new_sth) print "Everything OK from " + args.baseurl sys.exit(NAGIOS_OK) |
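Review bot: With `--no-inclusion` set, `main` in the hunk at -299 still finishes with `print "Everything OK from " + args.baseurl`, so the Nagios status line no longer tells the operator that inclusion proofs were skipped; it should say so, e.g. `msg = "Everything OK from " + args.baseurl` / `if args.no_inclusion: msg += " (inclusion proofs not checked)"` / `print msg`. Removing the keyfile `try`/`except` also removes the only path that returned NAGIOS_WARN for a key problem; if a log missing from certkeys now fails inside `get_and_verify_sth` instead, check that it exits with a code that distinguishes a key problem from a fetch failure. `get_and_verify_sth`'s error handling lies outside this hunk.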