Initial commit
This commit is contained in:
parent
b97f30faf4
commit
c1020c8be7
16 changed files with 118 additions and 209 deletions
43
README.md
43
README.md
|
|
@ -1,4 +1,4 @@
|
|||
# checker-openpgpkey
|
||||
# checker-email-keys
|
||||
|
||||
DANE-Email posture checker for happyDomain.
|
||||
|
||||
|
|
@ -66,28 +66,6 @@ rule engine can fold them into a single `CheckState`.
|
|||
| `smimea_self_signed` | info | Self-signed certificate paired with PKIX-EE usage. |
|
||||
| `smimea_hash_only` | info | Matching-type 1/2 only carries a digest; certificate can't be inspected. |
|
||||
|
||||
## Why a bespoke checker instead of a third-party testsuite?
|
||||
|
||||
There is no canonical "OPENPGPKEY / SMIMEA testsuite" in Go or as a
|
||||
self-hostable online service:
|
||||
|
||||
- `ldns-dane` (NLnet Labs) validates DANE-TLSA and handles SMIMEA only
|
||||
shallowly (it parses the record without deep certificate checks).
|
||||
- `hokey` (Paul Wouters) queries OPENPGPKEY but does not validate the
|
||||
key material.
|
||||
- Online DANE validators (e.g. `dane.sys4.de`, `has-tls-rpt.com`) focus
|
||||
on SMTP DANE-TLSA, not email-identity records.
|
||||
|
||||
The heavy lifting here is standard Go parsing:
|
||||
|
||||
- `github.com/ProtonMail/go-crypto/openpgp` (maintained fork of the
|
||||
deprecated `golang.org/x/crypto/openpgp`) for OpenPGP packet parsing,
|
||||
UIDs, subkeys, revocations, key-lifetime self-signatures.
|
||||
- `crypto/x509` for SMIMEA certificate parsing, validity window, EKU,
|
||||
key-usage, signature-algorithm and key-size checks.
|
||||
- `github.com/miekg/dns` for the DNS+EDNS0+DO query and the `AD` flag
|
||||
read-back used as the DNSSEC-validation signal.
|
||||
|
||||
## Options
|
||||
|
||||
| Id | Type | Default | Description |
|
||||
|
|
@ -107,22 +85,5 @@ Auto-filled by the host: `domain_name`, `subdomain`, `service`,
|
|||
make plugin
|
||||
|
||||
# Standalone HTTP server
|
||||
make && ./checker-openpgpkey -listen :8080
|
||||
make && ./checker-email-keys -listen :8080
|
||||
```
|
||||
|
||||
## HTML report
|
||||
|
||||
The report renders as a self-contained HTML document intended for
|
||||
embedding in an `<iframe>` (the same contract as the other happyDomain
|
||||
checkers). It is organised as:
|
||||
|
||||
1. **Header**: status badge, queried owner name, resolver used, DNSSEC
|
||||
flag.
|
||||
2. **Most common issues (fix these first)**: remediation cards shown
|
||||
*only* when a matching finding was emitted. Each card carries the
|
||||
concrete shell commands / zone-file snippets the user needs.
|
||||
3. **OpenPGP key / SMIMEA record**: structured details for the
|
||||
parsed material (fingerprint, UIDs, subkeys, cert subject/issuer,
|
||||
EKU/KU flags, …).
|
||||
4. **Findings**: the full table of per-finding code / severity /
|
||||
message / fix hints, sorted by severity.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue