Project author: mozilla

Project description:
Queries CRLite
Language: Python
Project URL: git://github.com/mozilla/moz_crlite_query.git
Created: 2020-04-08T23:32:09Z
Project community: https://github.com/mozilla/moz_crlite_query

License: Mozilla Public License 2.0


Query CRLite data

This tool queries the published Mozilla CRLite database to determine certificate status.

It maintains a local copy of the database in your ~/.crlitedb/ folder, which is refreshed whenever it is more than six hours old.

It works on a best-effort basis: certificates with malformed serial numbers or other serious encoding issues might not be identified correctly, which would lead to false negatives (a revoked certificate reported as valid). For a more bulletproof CRLite decoder, consider building one atop the rust-cascade project, or rework the ASN.1 parsing here so that it uses the exact values from the encoding without converting to intermediate Python types.

Install from PyPI:
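The serial-number caveat above comes down to how the INTEGER is read out of the certificate. The following added example (written for this page, not code from moz_crlite_query) walks the DER with a minimal parser so the serial's exact content octets are kept, and contrasts that with the lossy route through a Python int, which silently drops the 0x00 pad byte DER adds to a positive value whose top bit is set. It assumes, based on the CertID(...) lines printed later on this page, that a lookup key is the SHA-256 of the issuer's SubjectPublicKeyInfo followed by the serial's content octets; that layout, the sample certificate (constructed inline, unsigned, self-issued so its own SPKI stands in for the issuer's) and all function names are this example's own.

```python
"""Added example, not part of moz_crlite_query: extract a certificate's serial
number as exact DER content octets (no int round-trip) plus its SPKI, and build
an assumed CRLite lookup key of sha256(issuer SPKI DER) || serial octets."""
import base64
import hashlib
import re


def der_read(buf, pos=0):
    """Read one DER TLV at pos; returns (tag, content, next_pos). Single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: 0x8n then n length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split a constructed value's content into (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out


def der_encode(tag, content):
    """Build a DER TLV (definite length); used to construct the sample certificate."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def cert_fields(der):
    """Return (serial content octets, SPKI DER) from a DER-encoded Certificate."""
    tag, cert, _ = der_read(der)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tbs = der_children(der_children(cert)[0][1])   # tbsCertificate is the first element
    if tbs[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        tbs = tbs[1:]
    serial = tbs[0][1]                              # INTEGER content octets, untouched
    # after version: serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, spki_body = tbs[5]
    return serial, der_encode(spki_tag, spki_body)


def serial_hex_exact(serial):
    """Hex of the DER content octets, leading 0x00 pad byte included."""
    return serial.hex()


def serial_hex_via_int(serial):
    """The lossy route: INTEGER -> Python int -> hex drops the 0x00 pad byte."""
    return format(int.from_bytes(serial, "big", signed=True), "x")


def crlite_key(issuer_spki_der, serial):
    """Assumed key layout: sha256(issuer SPKI DER) || serial content octets."""
    return hashlib.sha256(issuer_spki_der).digest() + serial


# Constructed sample: a 16-byte serial whose top bit is set, so DER pads it to 17 octets.
SAMPLE_SERIAL = bytes.fromhex("008f3a5c1d2e4f6071829304a5b6c7d8e9")


def build_sample_cert(serial):
    """Constructed, unsigned, self-issued X.509-shaped certificate carrying `serial`."""
    def oid(hexstr):
        return der_encode(0x06, bytes.fromhex(hexstr))
    sig_alg = der_encode(0x30, oid("2a864886f70d01010b") + der_encode(0x05, b""))   # sha256WithRSA
    name = der_encode(0x30, der_encode(0x31, der_encode(0x30,
           oid("550403") + der_encode(0x0C, b"crlite example"))))               # CN=crlite example
    validity = der_encode(0x30, der_encode(0x17, b"200101000000Z") + der_encode(0x17, b"300101000000Z"))
    spki = der_encode(0x30, der_encode(0x30, oid("2a864886f70d010101") + der_encode(0x05, b""))
                      + der_encode(0x03, b"\x00" + bytes(range(64))))           # dummy key bits
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02"))           # version v3
                     + der_encode(0x02, serial) + sig_alg + name + validity + name + spki)
    return der_encode(0x30, tbs + sig_alg + der_encode(0x03, b"\x00" + bytes(32)))  # dummy signature


def demo():
    """Parse the sample back from PEM; return (exact serial hex, lossy serial hex, key hex)."""
    serial, spki = cert_fields(pem_to_der(to_pem(build_sample_cert(SAMPLE_SERIAL))))
    key = crlite_key(spki, serial)   # self-issued sample: own SPKI stands in for the issuer's
    return serial_hex_exact(serial), serial_hex_via_int(serial), key.hex()


if __name__ == "__main__":
    exact, lossy, key = demo()
    print("serial (exact DER octets):", exact)
    print("serial (via Python int):  ", lossy)
    print("assumed CRLite key:       ", key)
```

For a real leaf the hash has to be taken over the issuing intermediate's SPKI, not the leaf's own, which is presumably what the Intermediates count in the tool's status line refers to. The point of the example is that serial_hex_exact and serial_hex_via_int disagree on a padded serial, and only the former matches the bytes the certificate actually carries; a lookup built from the int-converted value would miss a filter entry keyed on the real encoding.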

  pip install moz_crlite_query

Currently, it expects PEM-formatted certificate data, and can process many at once:

  for id in 77575263 1988442812 1485147627 2680822568; do
    curl --silent https://crt.sh/?d=${id} > /tmp/${id}.pem
  done
  moz_crlite_query /tmp/*.pem --hosts getfirefox.com
  INFO:query_cli:Database was updated at 2020-04-08 16:06:39.400780, skipping.
  INFO:query_cli:Status: 2195 Intermediates, Current filter: 2020-04-02T06:00:00Z-full with 18 layers and 12922536 bit-count, 2 stash files with 3307 stashed revocations, up-to-date as of 2020-04-02 12:00:00.
  /tmp/1485147627.pem Issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
  Enrolled in CRLite:
  Result: Not Enrolled
  /tmp/1988442812.pem Issuer: CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US
  Enrolled in CRLite:
  Revoked via CRLite filter: 2020-04-02T06:00:00Z-full
  Result: ⛔️ Revoked ⛔️
  /tmp/2680822568.pem Issuer: CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US
  Enrolled in CRLite:
  Result: 🐇 Too New 🐇
  /tmp/77575263.pem Issuer: CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US
  Enrolled in CRLite:
  Result: Expired
  getfirefox.com:443 Issuer: CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US
  Enrolled in CRLite:
  Result: 👍 Valid 👍

You can also pipe in PEM data:

  curl --silent https://crt.sh/?d=1988442812 https://crt.sh/?d=1871771575 | moz_crlite_query -v -
  INFO:query_cli:Database was updated at 2020-04-08 16:06:39.400780, skipping.
  DEBUG:query_cli:Database was last updated 2:27:19.869039 ago.
  INFO:query_cli:Status: 2195 Intermediates, Current filter: 2020-04-02T06:00:00Z-full with 18 layers and 12922536 bit-count, 2 stash files with 3307 stashed revocations, up-to-date as of 2020-04-02 12:00:00.
  <stdin> Issuer: CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US
  Enrolled in CRLite:
  CertID(e6426f344330d0a8eb080bbb7976391d976fc824b5dc16c0d15246d5148ff75c-0371b58a86f6ce9c3ecb7bf42f9208fc)
  Revoked via CRLite filter: 2020-04-02T06:00:00Z-full
  Result: ⛔️ Revoked ⛔️
  <stdin> Issuer: CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US
  Enrolled in CRLite:
  CertID(e6426f344330d0a8eb080bbb7976391d976fc824b5dc16c0d15246d5148ff75c-0f7d9e589e0dd146f55bc6530139d3a6)
  Result: 👍 Valid 👍

You can also feed in a hosts file with one host or host:port entry per line; the port defaults to 443 and lines beginning with # are ignored, as the run below shows:

  cat >/tmp/top4.txt <<EOF
  apple.com
  youtube.com
  www.google.com:443
  # This is definitely half of my top 8 spaces
  www.blogger.com
  EOF
  moz_crlite_query --hosts mozilla.com firefox.com --hosts getfirefox.net --hosts-file /tmp/top4.txt
  INFO:query_cli:Database was updated at 2020-07-16 16:10:41.545092, skipping.
  INFO:query_cli:Status: 2084 Intermediates, Current filter: 2020-06-18T18:00:18+00:00Z-full with 27 layers and 41536664 bit-count, 0 stash files with 0 stashed revocations, up-to-date as of 2020-06-18 18:00:18+00:00 (28 days, 5:34:39.044502 ago).
  mozilla.com:443 Issuer: CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US
  Enrolled in CRLite:
  CertID(e6426f344330d0a8eb080bbb7976391d976fc824b5dc16c0d15246d5148ff75c-019d2b994ec99445c735d2a6d739e43a)
  Result: 👍 Valid 👍
  firefox.com:443 Issuer: CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US
  Enrolled in CRLite:
  CertID(e6426f344330d0a8eb080bbb7976391d976fc824b5dc16c0d15246d5148ff75c-019d2b994ec99445c735d2a6d739e43a)
  Result: 👍 Valid 👍
  getfirefox.net:443 Issuer: CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US
  Enrolled in CRLite:
  CertID(e6426f344330d0a8eb080bbb7976391d976fc824b5dc16c0d15246d5148ff75c-019d2b994ec99445c735d2a6d739e43a)
  Result: 👍 Valid 👍
  apple.com:443 Issuer: CN=DigiCert SHA2 Extended Validation Server CA-3,OU=www.digicert.com,O=DigiCert\, Inc.,C=US
  Enrolled in CRLite:
  CertID(9704cf37ad50839fb5a8053e32293db056835f984ba360073fcd1847e22037a3-0e7b3ab429e183d07a4fc4dbe9c4c191)
  Result: 🐇 Too New 🐇
  youtube.com:443 Issuer: CN=GTS CA 1O1,O=Google Trust Services,C=US
  Enrolled in CRLite:
  CertID(6193e04d9fb0a0d0820885b72c7d82c5078bcc1ff59b8d907024c149d81aca3b-7e10d901f7ac03cd080000000047ef8e)
  Result: 👍 Valid 👍
  www.google.com:443 Issuer: CN=GTS CA 1O1,O=Google Trust Services,C=US
  Enrolled in CRLite:
  CertID(6193e04d9fb0a0d0820885b72c7d82c5078bcc1ff59b8d907024c149d81aca3b-25eb382df564aeb608000000004aaba0)
  Result: 🐇 Too New 🐇
  www.blogger.com:443 Issuer: CN=GTS CA 1O1,O=Google Trust Services,C=US
  Enrolled in CRLite:
  CertID(6193e04d9fb0a0d0820885b72c7d82c5078bcc1ff59b8d907024c149d81aca3b-be84ce8731c637490200000000715c1a)