feat: Use SQLite database instead of loading CSV files into memory.

cmd/dwklint/main.go

@@ -5,22 +5,23 @@ import (
 	"fmt"
 	"os"
 
-	dwklint "github.com/CVE-2008-0166/dwklint"
+	dwklint "github.com/CVE-2008-0166/dwklint/v2"
 )
 
 func main() {
 	exitCode := dwklint.Error
 	defer func() { os.Exit(int(exitCode)) }()
 
 	if len(os.Args) != 3 {
-		fmt.Printf("Usage: %s <blocklist_directory> <cert_file>\n", os.Args[0])
+		fmt.Printf("Usage: %s <blocklist_database_path> <cert_file>\n", os.Args[0])
 		return
 	}
 
-	if err := dwklint.LoadBlocklists(os.Args[1]); err != nil {
+	if err := dwklint.OpenBlocklistDatabase(os.Args[1]); err != nil {
 		fmt.Printf("Error: %v\n", err)
 		return
 	}
+	defer dwklint.CloseBlocklistDatabase()
 
 	certfile, err := os.ReadFile(os.Args[2])
 	if err != nil {

go.mod

@@ -1,3 +1,21 @@
 module github.com/CVE-2008-0166/dwklint
 
-go 1.21.6
+go 1.22.0
+
+toolchain go1.23.2
+
+require zombiezen.com/go/sqlite v1.4.0
+
+require (
+	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/ncruces/go-strftime v0.1.9 // indirect
+	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
+	golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c // indirect
+	golang.org/x/sys v0.26.0 // indirect
+	modernc.org/libc v1.61.0 // indirect
+	modernc.org/mathutil v1.6.0 // indirect
+	modernc.org/memory v1.8.0 // indirect
+	modernc.org/sqlite v1.33.1 // indirect
+)

go.sum

@@ -0,0 +1,51 @@
+github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
+github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=
+github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
+golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c h1:7dEasQXItcW1xKJ2+gg5VOiBnqWrJc+rq0DPKyvvdbY=
+golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c/go.mod h1:NQtJDoLvd6faHhE7m4T/1IY708gDefGGjR/iUW8yQQ8=
+golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
+golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
+golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
+golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
+golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
+modernc.org/cc/v4 v4.21.4 h1:3Be/Rdo1fpr8GrQ7IVw9OHtplU4gWbb+wNgeoBMmGLQ=
+modernc.org/cc/v4 v4.21.4/go.mod h1:HM7VJTZbUCR3rV8EYBi9wxnJ0ZBRiGE5OeGXNA0IsLQ=
+modernc.org/ccgo/v4 v4.21.0 h1:kKPI3dF7RIag8YcToh5ZwDcVMIv6VGa0ED5cvh0LMW4=
+modernc.org/ccgo/v4 v4.21.0/go.mod h1:h6kt6H/A2+ew/3MW/p6KEoQmrq/i3pr0J/SiwiaF/g0=
+modernc.org/fileutil v1.3.0 h1:gQ5SIzK3H9kdfai/5x41oQiKValumqNTDXMvKo62HvE=
+modernc.org/fileutil v1.3.0/go.mod h1:XatxS8fZi3pS8/hKG2GH/ArUogfxjpEKs3Ku3aK4JyQ=
+modernc.org/gc/v2 v2.5.0 h1:bJ9ChznK1L1mUtAQtxi0wi5AtAs5jQuw4PrPHO5pb6M=
+modernc.org/gc/v2 v2.5.0/go.mod h1:wzN5dK1AzVGoH6XOzc3YZ+ey/jPgYHLuVckd62P0GYU=
+modernc.org/libc v1.61.0 h1:eGFcvWpqlnoGwzZeZe3PWJkkKbM/3SUGyk1DVZQ0TpE=
+modernc.org/libc v1.61.0/go.mod h1:DvxVX89wtGTu+r72MLGhygpfi3aUGgZRdAYGCAVVud0=
+modernc.org/mathutil v1.6.0 h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4=
+modernc.org/mathutil v1.6.0/go.mod h1:Ui5Q9q1TR2gFm0AQRqQUaBWFLAhQpCwNcuhBOSedWPo=
+modernc.org/memory v1.8.0 h1:IqGTL6eFMaDZZhEWwcREgeMXYwmW83LYW8cROZYkg+E=
+modernc.org/memory v1.8.0/go.mod h1:XPZ936zp5OMKGWPqbD3JShgd/ZoQ7899TUuQqxY+peU=
+modernc.org/opt v0.1.3 h1:3XOZf2yznlhC+ibLltsDGzABUGVx8J6pnFMS3E4dcq4=
+modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
+modernc.org/sortutil v1.2.0 h1:jQiD3PfS2REGJNzNCMMaLSp/wdMNieTbKX920Cqdgqc=
+modernc.org/sortutil v1.2.0/go.mod h1:TKU2s7kJMf1AE84OoiGppNHJwvB753OYfNl2WRb++Ss=
+modernc.org/sqlite v1.33.1 h1:trb6Z3YYoeM9eDL1O8do81kP+0ejv+YzgyFo+Gwy0nM=
+modernc.org/sqlite v1.33.1/go.mod h1:pXV2xHxhzXZsgT/RtTFAPY6JJDEvOTcTdwADQCCWD4k=
+modernc.org/strutil v1.2.0 h1:agBi9dp1I+eOnxXeiZawM8F4LawKv4NzGWSaLfyeNZA=
+modernc.org/strutil v1.2.0/go.mod h1:/mdcBmfOibveCTBxUl5B5l6W+TTH1FXPLHZE6bTosX0=
+modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
+modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
+zombiezen.com/go/sqlite v1.4.0 h1:N1s3RIljwtp4541Y8rM880qgGIgq3fTD2yks1xftnKU=
+zombiezen.com/go/sqlite v1.4.0/go.mod h1:0w9F1DN9IZj9AcLS9YDKMboubCACkwYCGkzoy3eG5ik=

v2/dwklint.go

@@ -0,0 +1,118 @@
+package dwklint
+
+import (
+	"crypto/ecdsa"
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/x509"
+	"fmt"
+	"strings"
+
+	"zombiezen.com/go/sqlite"
+)
+
+type DebianWeakKeyStatus int
+
+const (
+	// Pass:
+	NotWeak DebianWeakKeyStatus = iota
+	UnknownButTLSBRExceptionGranted
+	// Fail:
+	Weak
+	Unknown
+	Error
+)
+
+var dbConn *sqlite.Conn
+
+func OpenBlocklistDatabase(blocklistDatabasePath string) error {
+	var err error
+	dbConn, err = sqlite.OpenConn(blocklistDatabasePath, sqlite.OpenReadOnly)
+	return err
+}
+
+func CloseBlocklistDatabase() {
+	if dbConn != nil {
+		dbConn.Close()
+	}
+}
+
+func HasDebianWeakKey(cert *x509.Certificate) DebianWeakKeyStatus {
+	switch cert.PublicKeyAlgorithm {
+	case x509.RSA:
+		r, ok := cert.PublicKey.(*rsa.PublicKey)
+		if !ok {
+			return Error
+		}
+
+		sha256Fingerprint := sha256.Sum256(r.N.Bytes())
+		stmt, _, err := dbConn.PrepareTransient(fmt.Sprintf("SELECT 1 FROM debian_weak_modulus_%d WHERE SHA256_FINGERPRINT=$1", r.N.BitLen()))
+		if err != nil {
+			if !strings.Contains(err.Error(), "no such table") {
+				return Error
+			} else if r.N.BitLen() > 8192 {
+				return UnknownButTLSBRExceptionGranted
+			} else {
+				return Unknown
+			}
+		}
+
+		defer stmt.Finalize()
+		stmt.BindBytes(1, sha256Fingerprint[:])
+
+		wasRowReturned, err := stmt.Step()
+		if err != nil {
+			return Error
+		} else if wasRowReturned {
+			return Weak
+		} else {
+			return NotWeak
+		}
+
+	case x509.ECDSA:
+		e, ok := cert.PublicKey.(*ecdsa.PublicKey)
+		if !ok {
+			return Error
+		}
+
+		p := e.Params()
+		if p == nil {
+			return Error
+		}
+
+		var tableSuffix string
+		switch p.Name {
+		case "P-256":
+			tableSuffix = "secp256r1"
+		case "P-384":
+			tableSuffix = "secp384r1"
+		default:
+			return Unknown
+		}
+
+		sha256Fingerprint := sha256.Sum256(e.X.Bytes())
+		stmt, _, err := dbConn.PrepareTransient(fmt.Sprintf("SELECT 1 FROM debian_weak_xcoord_%s WHERE SHA256_FINGERPRINT=$1", tableSuffix))
+		if err != nil {
+			if !strings.Contains(err.Error(), "no such table") {
+				return Error
+			} else {
+				return Unknown
+			}
+		}
+
+		defer stmt.Finalize()
+		stmt.BindBytes(1, sha256Fingerprint[:])
+
+		wasRowReturned, err := stmt.Step()
+		if err != nil {
+			return Error
+		} else if wasRowReturned {
+			return Weak
+		} else {
+			return NotWeak
+		}
+
+	default:
+		return Unknown
+	}
+}