Nmap Development mailing list archives

[nse] ssl-cert: add support for Google Certificate Catalog


From: Vasiliy Kulikov <segooon () gmail com>
Date: Sat, 10 Sep 2011 21:27:41 +0400

Hi,

The patch introduces support for Google Certificate Catalog:

http://googleonlinesecurity.blogspot.com/2011/04/improving-ssl-certificate-security.html

"Google’s web crawlers scan the web on a regular basis in order to
provide our search and other services. In the process, we also keep a
record of all the SSL certificates we see. The Google Certificate
Catalog is a database of all of those certificates, published in DNS.

...

The basic idea is that if a certificate doesn’t appear in our database,
despite being correctly signed by a well-known CA and having a matching
domain name, then there may be something suspicious about that
certificate."

Index: scripts/ssl-cert.nse
===================================================================
--- scripts/ssl-cert.nse        (revision 26333)
+++ scripts/ssl-cert.nse        (working copy)
@@ -200,6 +222,26 @@
         lines[#lines + 1] = cert.pem
     end
 
+    if nmap.verbosity() > 0 then
+        local sha1 = stdnse.tohex(cert.digest(cert, "sha1"))
+        local query = sha1 .. ".certs.googlednstest.com"
+        stdnse.print_debug("%s %s", SCRIPT_NAME, query)
+
+        local status, decoded_response = dns.query(query, { dtype = "TXT" } )
+
+        if status then
+            local a, b, c = string.match(status, "(%d+) (%d+) (%d+)")
+            local da, db = os.date("%x", 60*60*24*tonumber(a)), os.date("%x", 60*60*24*tonumber(b))
+
+            lines[#lines + 1] = "Google Certificate Catalog"
+            lines[#lines + 1] = "  First/Last time saw: " .. da .. " / " .. db
+            lines[#lines + 1] = "  Saw between: " .. tonumber(c)
+        else
+            lines[#lines + 1] = "Google Certificate Catalog"
+            lines[#lines + 1] = "  Absent"
+        end
+    end
+
     return stdnse.strjoin("\n", lines)
 end
 
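Review bot: In the `if status then` branch, `string.match` is applied to `status`, the success flag returned by `dns.query`, rather than to `decoded_response`, so the TXT record is never parsed. Match against `decoded_response` and check that `a`, `b` and `c` are non-nil before `tonumber(a)` and `tonumber(b)` are used in arithmetic, since an answer that does not fit "(%d+) (%d+) (%d+)" would otherwise raise an error inside the script. The `else` branch prints "Absent" for every failed query, so a timeout or resolver error looks the same as a certificate missing from the catalog; report lookup failure separately from a negative answer. The lookup also sends the certificate's SHA-1 to an external DNS zone whenever verbosity is above 0, which would be better placed behind an explicit script argument and mentioned in the script's documentation. Finally, `os.date("%x", ...)` is locale-dependent; a fixed format such as "%Y-%m-%d" would keep the output stable, and the labels "First/Last time saw" and "Saw between" should say what the three fields mean.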

-- 
Vasiliy