mozilla / onecrl-tools Goto Github PK

Some tools for supporting OneCRL

License: Mozilla Public License 2.0

Go 88.14% Shell 0.64% Makefile 0.12% Python 1.88% Dockerfile 0.29% Smarty 3.90% Rust 4.11% CSS 0.02% HTML 0.19% JavaScript 0.72%

onecrl-tools's Introduction

OneCRL-Tools

Some tools for supporting OneCRL.

Below is a description of each folder in this repository.

bugzilla

Status: In use

Description: Defines API for interacting with Bugzilla.

Usage: See ccadb2OneCRL/main.go

Used By: ccadb2OneCRL

ccadb2OneCRL

Status: In use

Description: Automates much of the process for taking reported/verified revocation data from the CCADB and adding it to OneCRL.

Usage: See the README in https://github.com/mozilla/OneCRL-Tools/tree/main/ccadb2OneCRL

Used By: Security Engineers and Cloud Services

cert-storage-inspector

Status: In use

Description: Compares the OneCRL data in a given Firefox profile against the OneCRL data in DEFAULT_ONECRL_URL.

Usage: See the README in https://github.com/mozilla/OneCRL-Tools/tree/main/cert-storage-inspector

Used By: CA Program Managers

containers

Status: In use

Description: This is how ccadb2OneCRL gets deployed

Usage: See the README in https://github.com/mozilla/OneCRL-Tools/tree/main/containers

Used By: Security Engineers and Cloud Services

decodeEntries

Status: In use

Description: Converts OneCRL entry data from hexadecimal serials/hashes to non-encoded human-readable format.

Usage: See the README in https://github.com/mozilla/OneCRL-Tools/tree/main/decodeEntries

Used By: CA Program Managers

entryMaker

Status: In use

Description: Given a certificate, output the corresponding data that can be added to OneCRL.

Usage: See the README in https://github.com/mozilla/OneCRL-Tools/tree/main/entryMaker

Used By: Security Engineers and Cloud Services

kinto

Status: In use

Description: Defines API for interacting with Kinto.

Usage: See ccadb2OneCRL/main.go

Used By: ccadb2OneCRL

tools/Salesforce2OneCRL-scheduler

Status: ???

Description: This is an AWS Lambda to perform scheduled OneCRL updates from the CCADB.

Usage: See README in https://github.com/mozilla/OneCRL-Tools/tree/main/tools/Salesforce2OneCRL-scheduler

Used By: ???

transaction

Status: In Use

Description: Each step in the transaction holds a rollback procedure in the event of a downstream failure. For example, if putting staging into review fails, then Bugzilla ticket will be closed as INVALID with a stacktrace attached and all entries that were pushed to staging will be deleted.

Usage: See ccadb2OneCRL/main.go

Used By: ccadb2OneCRL

onecrl-tools's People

Contributors

Stargazers

Watchers

Forkers

jcjones cr mozmark micheletto mozilla-github-standards jp-e christopher-henderson chez14 hwine preis-hub leplatrem ankushgoel2712 davonteciaran2 jschanck

onecrl-tools's Issues

salesforce2OneCRL should set r? flag on attachment

Salesforce2OneCRL entry errors should not be displayed if the revocation has been validated

Bug title still reads "test bug"

extract common kinto things from oneCRL.go for preloads work

OneCRL2RevocationsTXT does not build

Make integration tests run offline

oneCRL.go's LoadJSONFromURL has a TODO that it should take a Reader; this would help write offline integration tests (like PR #42)

Line in question: https://github.com/mozmark/OneCRL-Tools/blob/12ad599192d7b6cf0c40348a4f87b07c63e2e02b/oneCRL/oneCRL.go#L261

Generate a historical diff

There should be a tool, or tooling, to produce diffs from the historical information of OneCRL. Perhaps this could be reading the history from Kinto, or simply some other data file that is loaded and returned at each invocation.

Salesforce2OneCRL should allow bug comment and title to be overridden.

E.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1373288 has a title that talks about CCADB but one of the entries is not a CCADB managed entry (being an extraordinary addition).

Ensure no bug (or kinto) changes are made if there are no changes in salesforce2OneCRL

Salesforce2OneCRL: Add flag / config option to ignore CCADB entries and only look at exceptions

It's desirable to treat exceptional cases separately in some cases. At the moment, the tool provides no way of doing this.

Add "StartCom BR SSL ICA” and "StartCom EV SSL ICA” intermediate certs to OneCRL

Many non-BR-compliant SSL certs have been issued from the StartCom intermediate certs, and the list provided demonstrates some very sloppy issuance practices.

See https://bugzilla.mozilla.org/show_bug.cgi?id=1386894

Update exceptions to include exceptional revocation for leaked Cisco cert

as per https://bugzilla.mozilla.org/show_bug.cgi?id=1374809

Add TurkTrust Intermediate Certs to OneCRL exceptional revocations per CA's request

See https://bugzilla.mozilla.org/show_bug.cgi?id=1381863

salesforce2OneCRL should include a comment with addition failures

Preview mode should summarize what data changes would be made

Introduce `stable` git tag to prevent downstream breakage

#33 breaks downstream software. go get is unable to fetch specific git commits, but there's a web service that allows to install using specific tags from github repos.

git tag stable master~1  # or any other known-working commit
git push --tags

The idea then is to not replace that tag unless there is a newer commit that is confirmed to be working well.

Project needs license information

Link OneCRL CCADB bugs to block a configured bug

We're linking all CCADB bugs to block one poor bug... let's add a configurable bug# into the config to auto-link that on issue creation.

salesforce2OneCRL should check for correct kinto auth before attempting to compare entries with CCADB

oneCRL2RevocationsTxt fails silently

When running oneCRL2RevocationsTxt without a network connection, it will just fail silently with return code 0. It should at least set a return code larger 0 to indicate failure for scripting, better still, additionally say something to stderr.

OneCRL2CSV does not build

Salesforce2OneCRL Should not file a bug if kinto operations fail

"stable" tag points to broken version

I finally came round to switching TLS Canary over to the brand new stable tag, just to find that it points to a broken commit b7bc37c.

# github.com/mozmark/OneCRL-Tools/oneCRL2RevocationsTxt
../../.tlscanary/go/src/github.com/mozmark/OneCRL-Tools/oneCRL2RevocationsTxt/main.go:51: multiple-value config.GetRecordURL() in single-value context

TLS Canary has been successfully using commit 244e704 in production for a while now. @mozmark, please point your stable tag to that commit as soon as possible, and leave it there until you can find a later commit that is verified to work.

Remove references to the old repo location in sources

Salesforce2OneCRL should request approval on the collection change

Improve oneCRL config so that programs share flag parsing, etc.

salesforce2OneCRL should add bug info to the kinto record metadata

Kinto credentials are ignored for the existing records check

salesforce2OneCRL should explicitly set enabled on revocation records

Extract Bugzilla interactions to allow comments on post-creation failure.

Moving AddEntries to oneCRL.go broke loading config from files

Installation fails with undefined oneCRL.DefineFlags and oneCRL.GetConfig

mozmark@48acb6a broke package installation:

$ GOPATH="/tmp/go" go install github.com/mozmark/OneCRL-Tools/oneCRL2RevocationsTxt
# github.com/mozmark/OneCRL-Tools/oneCRL2RevocationsTxt
/tmp/go/src/github.com/mozmark/OneCRL-Tools/oneCRL2RevocationsTxt/main.go:43: undefined: oneCRL.DefineFlags
/tmp/go/src/github.com/mozmark/OneCRL-Tools/oneCRL2RevocationsTxt/main.go:48: undefined: oneCRL.GetConfig

This is causing downstream breakage in TLS Canary that we're unable to fix without tags: mozilla/tls-canary#106

oneCRL2RevocationsTxt should support use of non-production buckets.

It's useful to be able to get the current state of pending changes before approval so compat testing can take place before a OneCRL change is approved. oneCRL2RevocationsTxt should support this case.

Add FNMT's AC Representación certificate and Firmaprofesional subCA Santander Digital Signature to OneCRL

See https://bugzilla.mozilla.org/show_bug.cgi?id=1393281 and https://bugzilla.mozilla.org/show_bug.cgi?id=1394595

Enforce `go vet` and `go fmt` at TravisCI

Since we're adding Travis in #42, let's also pick a time to go vet and go fmt this repo, and make Travis enforce it. Preferably also lock-down refs/heads/master and enforce a PR-merger workflow.

Salesforce2OneCRL should include the reason code in the "why" record metadata (if it exists)

Add AC FNMT Usuarios certificate to OneCRL - and hold StartCom exceptional revocation

https://bugzilla.mozilla.org/show_bug.cgi?id=1391095

OneCRL-Tools lacks tests

Add (temporarily) the exceptions data so it's in a repo somewhere.

These data should go in mozilla-central - but for now, let's put them here.

Move 'addEntries' functionality from salesforce2OneCRL to oneCRL.go

oneCRL2RevocationsTxt fails with "multiple-value config.GetRecordURL() in single-value context"

Current master is broken:

$ go get github.com/mozmark/OneCRL-Tools/oneCRL2RevocationsTxt
# github.com/mozmark/OneCRL-Tools/oneCRL2RevocationsTxt
/tmp/go/src/github.com/mozmark/OneCRL-Tools/oneCRL2RevocationsTxt/main.go:51: multiple-value config.GetRecordURL() in single-value context

mozilla / onecrl-tools Goto Github PK

onecrl-tools's Introduction

OneCRL-Tools

bugzilla

ccadb2OneCRL

cert-storage-inspector

containers

decodeEntries

entryMaker

kinto

tools/Salesforce2OneCRL-scheduler

transaction

onecrl-tools's People

Contributors

Stargazers

Watchers

Forkers

onecrl-tools's Issues

Recommend Projects

Recommend Topics

Recommend Org