olliencc/whodoineedtotrust.go

## whodoineedtotrust.go
/*

 Understand which CAs you need to trust for the Alexa top million

 Released as open source by NCC Group Plc - http://www.nccgroup.trust/

 Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot trust

 Released under AGPL

 Notes / caveats:
	- not all the hosts in the Alexa top million are TLS enabled
	- there is no timeout on tls.Dial thus this is clunky

*/

package main

import (
	"crypto/tls"
	"fmt"
	"encoding/csv"
	"os"
)

func ProcessHostActual(strHost string){
	config := tls.Config{InsecureSkipVerify: false}

	conn, err := tls.Dial("tcp", strHost+":443", &config)
	if err != nil {
		fmt.Printf("%s,ERR,%s,NULL\n", strHost , err)
		return
	}
	defer conn.Close()

	state := conn.ConnectionState()

	// This returns an unordered list hence we dont use
	/*
	if state.PeerCertificates == nil {
		fmt.Println("[!] No peer certificates\n")
	} else{
		for i, v := range state.PeerCertificates {
			fmt.Printf("[i] %d - %s - %s\n",i,v.Subject.Organization,v.Subject.CommonName)
		}
	}
	*/

	if state.VerifiedChains == nil {
		fmt.Printf("[!] No verified chains\n")
	} else {
		for _, vchain := range state.VerifiedChains {

			//fmt.Printf("[i] Verified chain %d\n", r)

			// Reverse iteration filth
			for i:=len(vchain)-1; i >= 0; i-- {
				fmt.Printf("%s,OK,%s,%s\n",strHost,vchain[i].Subject.Organization,vchain[i].Subject.CommonName)
				return
			}
		}
	}

	return
}

// entry point
func main() {

	// download from here - http://s3.amazonaws.com/alexa-static/top-1m.csv.zip
	csvfile, err := os.Open("top-1m.csv")
	if err != nil {
		fmt.Println(err)
		return
	}

	defer csvfile.Close()
	reader := csv.NewReader(csvfile)

	reader.FieldsPerRecord = -1
	rawCSVdata, err := reader.ReadAll()
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}

	// iterate through each host
	for _, each := range rawCSVdata {
		ProcessHostActual(each[1])
	}
}
	/*

	Understand which CAs you need to trust for the Alexa top million

	Released as open source by NCC Group Plc - http://www.nccgroup.trust/

	Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot trust

	Released under AGPL

	Notes / caveats:
	- not all the hosts in the Alexa top million are TLS enabled
	- there is no timeout on tls.Dial thus this is clunky

	*/

	package main

	import (
	"crypto/tls"
	"fmt"
	"encoding/csv"
	"os"
	)

	func ProcessHostActual(strHost string){
	config := tls.Config{InsecureSkipVerify: false}

	conn, err := tls.Dial("tcp", strHost+":443", &config)
	if err != nil {
	fmt.Printf("%s,ERR,%s,NULL\n", strHost , err)
	return
	}
	defer conn.Close()

	state := conn.ConnectionState()

	// This returns an unordered list hence we dont use
	/*
	if state.PeerCertificates == nil {
	fmt.Println("[!] No peer certificates\n")
	} else{
	for i, v := range state.PeerCertificates {
	fmt.Printf("[i] %d - %s - %s\n",i,v.Subject.Organization,v.Subject.CommonName)
	}
	}
	*/

	if state.VerifiedChains == nil {
	fmt.Printf("[!] No verified chains\n")
	} else {
	for _, vchain := range state.VerifiedChains {

	//fmt.Printf("[i] Verified chain %d\n", r)

	// Reverse iteration filth
	for i:=len(vchain)-1; i >= 0; i-- {
	fmt.Printf("%s,OK,%s,%s\n",strHost,vchain[i].Subject.Organization,vchain[i].Subject.CommonName)
	return
	}
	}
	}

	return
	}

	// entry point
	func main() {

	// download from here - http://s3.amazonaws.com/alexa-static/top-1m.csv.zip
	csvfile, err := os.Open("top-1m.csv")
	if err != nil {
	fmt.Println(err)
	return
	}

	defer csvfile.Close()
	reader := csv.NewReader(csvfile)

	reader.FieldsPerRecord = -1
	rawCSVdata, err := reader.ReadAll()
	if err != nil {
	fmt.Println(err)
	os.Exit(1)
	}

	// iterate through each host
	for _, each := range rawCSVdata {
	ProcessHostActual(each[1])
	}
	}