cert_validator 0.0.1

data/lib/cert_validator/ocsp.rb

@@ -0,0 +1,13 @@
+require 'openssl'
+
+if defined? OpenSSL::OCSP
+  require 'cert_validator/ocsp/real_validator.rb'
+
+  CertValidator::OcspValidator = CertValidator::RealOcspValidator
+else
+  require 'cert_validator/ocsp/null_validator.rb'
+
+  # use the null validator as a fallback
+  CertValidator::OcspValidator = CertValidator::NullOcspValidator
+end
+2

data/lib/cert_validator/ocsp/extractor.rb

@@ -0,0 +1,52 @@
+class CertValidator
+  class RealOcspValidator
+    class Extractor
+      attr_reader :certificate
+
+      def initialize(cert)
+        @certificate = cert
+      end
+
+      def endpoint
+        return nil unless has_ocsp_extension?
+
+        ocsp_extension_payload
+      end
+
+      def has_ocsp_extension?
+        !! (ocsp_extension && ocsp_extension_payload)
+      end
+
+      def ocsp_extension
+        @ocsp_extension ||= certificate.extensions.detect{ |e| e.oid == 'authorityInfoAccess' }
+      end
+
+      def decoded_extension
+        @decoded_extension ||= Asn1.new(Asn1.new(ocsp_extension).extension_payload).decode
+      end
+
+      def ocsp_extension_payload
+        return @ocsp_extension_payload if defined? @ocsp_extension_payload
+
+        intermediate = decoded_extension.value.detect do |v|
+          v.first.value == 'OCSP'
+        end.value[1].value
+
+        @ocsp_extension_payload = descend_to_string(intermediate)
+      end
+
+      def descend_to_string(asn_data)
+        return asn_data if asn_data.is_a? String
+        seen = Set.new
+        current = asn_data
+        loop do
+          raise RecursiveExtractError.new if seen.include? current
+          seen.add current
+          current = current.first.value
+
+          return current if current.is_a? String
+        end
+      end
+    end
+  end
+end

data/lib/cert_validator/ocsp/null_validator.rb

@@ -0,0 +1,17 @@
+class CertValidator
+  class NullOcspValidator
+    attr_reader :certificate
+    attr_reader :ca
+    
+    def initialize(_cert, _ca)
+    end
+
+    def available?
+      false
+    end
+
+    def valid?
+      raise OcspNotAvailableError.new
+    end
+  end
+end

data/lib/cert_validator/ocsp/real_validator.rb

@@ -0,0 +1,117 @@
+require 'uri'
+require 'base64'
+require 'net/http'
+require 'cert_validator/ocsp/extractor'
+
+class CertValidator
+  class RealOcspValidator
+    attr_reader :certificate
+    attr_reader :ca
+    attr_accessor :logger
+
+    include OcspFailures
+
+    def initialize(cert, ca)
+      @certificate = cert
+      @ca = ca
+
+      @extractor = Extractor.new @certificate
+    end
+
+    def available?
+      @extractor.has_ocsp_extension?
+    end
+
+    def valid?
+      return false unless available?
+
+      begin
+        validate!
+      rescue => e
+        log e
+        return false
+      end
+      
+      return true
+    end
+
+    def validate!
+      raise FetchError.new unless http_body = fetch(request_uri)
+      
+      body = OpenSSL::OCSP::Response.new http_body
+
+      check_ocsp_response body
+      check_ocsp_payload body.basic.status.first
+    end
+
+    private
+    def log(msg)
+      return unless logger
+
+      logger.info msg
+    end
+
+    def check_ocsp_response(body)
+      raise NonzeroStatus.new(body.status) unless body.status == 0
+      raise ResponseMismatch.new unless body.basic.verify *verify_args
+      raise MissingStatus.new unless body.basic.status.first
+
+      # http://rdoc.info/stdlib/openssl/OpenSSL/OCSP/Request:check_nonce
+      # greater than zero is acceptable
+      nonce_result = req.check_nonce body.basic
+      raise UnacceptableNonce.new(nonce_result) unless nonce_result > 0
+
+      return true
+    end
+
+    def check_ocsp_payload(status)
+      unless status[0].serial == certificate.serial
+        raise SerialMisatch(got, expected) 
+      end
+
+      validity_range = (status[4]..status[5])
+      unless validity_range.cover? Time.now
+        raise NotValidNow.new(validity_range)
+      end
+
+      raise Revoked if status[1] == 1
+      raise UnexpectedStatus(status[1]) if status[1] != 0
+      
+      return true
+    end
+
+    def verify_args
+      store = OpenSSL::X509::Store.new
+      store.add_cert ca
+
+      [[ca], store]
+    end
+
+    def req
+      return @req if defined? @req
+
+      @req = OpenSSL::OCSP::Request.new
+      @req.add_nonce
+      @req.add_certid cert_id
+
+      return @req
+    end
+
+    def request_uri
+      return @request_uri if defined? @request_uri
+      pem = Base64.encode64(req.to_der).strip
+      return @request_uri = URI(@extractor.endpoint + '/' + URI.encode_www_form_component(pem))
+    end
+
+    def fetch(uri)
+      resp = Net::HTTP.get_response URI(uri)
+      return resp.body if resp.code == '200'
+
+      return nil
+    end
+
+    def cert_id
+      @cert_id ||= OpenSSL::OCSP::CertificateId.new certificate, ca
+    end
+  end
+end

data/lib/cert_validator/version.rb

@@ -0,0 +1,3 @@
+class CertValidator
+  VERSION = "0.0.1"
+end

data/lib/tasks/ca.rb

@@ -0,0 +1,112 @@
+require 'r509/certificate_authority/signer'
+require 'r509/crl/administrator'
+require 'erb'
+require_relative 'helper'
+
+namespace :ca do
+  desc 'Generate all the certificates for testing'
+  task :all => %w{ good ocsp_only crl_only empty revoked }
+
+  task :clean do
+    Dir.chdir 'spec/support/ca' do
+      sh 'rm -f *.crt *.crl *.key *.txt *.yaml'
+    end
+  end
+
+  desc 'Generate a signing CA for testing certificates'
+  task :root => 'spec/support/ca/root.key'
+  file 'spec/support/ca/root.key' do |t|
+    subject = OpenSSL::X509::Name.new
+    'C=US/ST=Florida/L=Miami/O=r509-cert-validator/CN='.split('/').each do |s|
+      key, value = s.split '=', 2
+      subject.add_entry key, value
+    end
+    csr = CaHelper.csr
+    cert = R509::CertificateAuthority::Signer.selfsign(
+                                                       csr: csr,
+                                                       not_after: (Time.now.to_i + (86400 * 3650)),
+                                                       message_digest: 'sha1'
+                                                       )
+    
+    csr.key.write_pem 'spec/support/ca/root.key'
+    cert.write_pem 'spec/support/ca/root.crt'
+
+    sh "touch spec/support/ca/rcv_spec_list.txt"
+    sh "touch spec/support/ca/rcv_spec_crlnumber.txt"
+  end
+  file 'spec/support/ca/root.crt' => 'spec/support/ca/root.key'
+  file 'spec/support/ca/rcv_spec_list.txt' => 'spec/support/ca/root.key'
+  file 'spec/support/ca/rcv_spec_crlnumber.txt' => 'spec/support/ca/root.key'
+
+  file 'spec/support/ca/config.yaml' => 'spec/support/ca/config.yaml.erb' do |s|
+    erb = ERB.new File.read s.prerequisites.first
+    b = binding
+    cert_path = File.expand_path 'spec/support/ca/'
+    File.open s.name, 'w' do |f|
+      f.write erb.result b
+    end
+  end
+
+  desc 'Generate a valid certificate with CRL and OCSP data'
+  task :good => 'spec/support/ca/good.crt'
+  file 'spec/support/ca/good.crt' => [:root, 'spec/support/ca/config.yaml'] do
+    ca = CaHelper.ca
+    csr = CaHelper.options_builder.build_and_enforce(
+                                                     csr: CaHelper.csr,
+                                                     profile_name: 'good'
+                                                     )
+
+    cert = ca.sign csr
+    cert.write_pem 'spec/support/ca/good.crt'
+  end
+
+  desc 'Generate a valid certificate with only CRL data'
+  task :crl_only => 'spec/support/ca/crl_only.crt'
+  file 'spec/support/ca/crl_only.crt' => [:root, 'spec/support/ca/config.yaml'] do |t|
+    ca = CaHelper.ca
+    csr = CaHelper.options_builder.build_and_enforce(
+                                                     csr: CaHelper.csr,
+                                                     profile_name: 'crl_only'
+                                                     )
+    cert = ca.sign csr
+    cert.write_pem 'spec/support/ca/crl_only.crt'
+  end
+
+  desc 'Generate a valid certificate with only OCSP data'
+  task :ocsp_only => 'spec/support/ca/ocsp_only.crt'
+  file 'spec/support/ca/ocsp_only.crt' => [:root, 'spec/support/ca/config.yaml'] do |t|
+    ca = CaHelper.ca
+    csr = CaHelper.options_builder.build_and_enforce(
+                                                     csr: CaHelper.csr,
+                                                     profile_name: 'ocsp_only'
+                                                     )
+    cert = ca.sign csr
+    cert.write_pem 'spec/support/ca/ocsp_only.crt'
+  end
+
+  desc 'Generate a certificate and revoke it in both CRL and OCSP'
+  task :revoked => 'spec/support/ca/revoked.crt'
+  file 'spec/support/ca/revoked.crt' => [:root, 'spec/support/ca/config.yaml'] do |t|
+    ca = CaHelper.ca
+    csr = CaHelper.options_builder.build_and_enforce(
+                                                     csr: CaHelper.csr,
+                                                     profile_name: 'good'
+                                                     )
+
+    cert = ca.sign csr
+    cert.write_pem 'spec/support/ca/revoked.crt'
+
+    admin = R509::CRL::Administrator.new CaHelper.pool['rcv_spec_ca']
+    admin.revoke_cert cert.serial
+    crl = admin.generate_crl
+    crl.write_pem 'spec/support/ca/rcv_spec.crl'
+  end
+
+  desc 'Generate a valid certificate with no CRL or OCSP data'
+  task :empty => 'spec/support/ca/empty.crt'
+  file 'spec/support/ca/empty.crt' => [:root, 'spec/support/ca/config.yaml'] do
+    ca = CaHelper.ca
+    cert = ca.sign csr: CaHelper.csr
+    cert.write_pem 'spec/support/ca/empty.crt'
+  end
+end

data/lib/tasks/helper.rb

@@ -0,0 +1,36 @@
+require 'r509/csr'
+require 'r509/certificate_authority/signer'
+require 'r509/certificate_authority/options_builder'
+require 'r509/config/ca_config'
+
+module CaHelper
+  def self.csr
+    R509::CSR.new(
+                  subject: {
+                    C: 'US',
+                    ST: 'Florida',
+                    L: 'Miami',
+                    O: 'r509-cert-validator',
+                    CN: 'localhost'
+                  },
+                  bit_length: 512,
+                  type: 'RSA',
+                  message_digest: 'sha1'
+                  )
+  end
+
+  def self.ca
+    @ca ||= R509::CertificateAuthority::Signer.new pool['rcv_spec_ca']
+  end
+
+  def self.options_builder
+    @builder ||= R509::CertificateAuthority::OptionsBuilder.new pool['rcv_spec_ca']
+  end
+
+  def self.pool
+    @pool ||= R509::Config::CAConfigPool.from_yaml(
+                                                   'certificate_authorities', 
+                                                   File.read('spec/support/ca/config.yaml')
+                                                   )
+  end
+end

data/spec/cert_validator_spec.rb

@@ -0,0 +1,73 @@
+describe CertValidator do
+  subject{ described_class.new good_cert, ca }
+  let(:good_cert){ cert 'good' }
+  let(:ca){ cert 'root' }
+
+  it 'accepts a certificate on construction' do
+    expect{ described_class.new good_cert, ca }.to_not raise_error
+  end
+  it 'provides read-only access to the certificate' do
+    expect(subject.certificate).to eq good_cert
+  end
+
+  describe 'CRL functionality' do
+    let(:matched_crl_validator) do
+      described_class.new(good_cert, ca).tap do |validator|
+        validator.crl = crl 'revoked'
+      end
+    end
+
+    let(:mismatched_crl_validator) do
+      described_class.new(good_cert, ca).tap do |validator|
+        validator.crl = crl 'mismatched'
+      end
+    end
+
+    let(:revoked_crl_validator) do
+      described_class.new(cert('revoked'), ca).tap do |validator|
+        validator.crl = crl 'revoked'
+      end
+    end
+    
+    it 'returns if CRL validation is available or not' do
+      expect(subject.crl_available?).to be
+    end
+
+    it 'positively valdiates a correct CRL' do
+      expect(matched_crl_validator.crl_valid?).to be
+    end
+
+    it 'negatively validates a mismatched CRL' do
+      expect(mismatched_crl_validator.crl_valid?).to_not be
+    end
+
+    it 'negatively validates a revoked certificate' do
+      expect(revoked_crl_validator.crl_valid?).to_not be
+    end
+  end
+
+  describe 'OCSP functionality' do
+    it 'returns if OCSP validation is available or not' do
+      expect(subject.ocsp_available?).to eq(true).or eq(false)
+    end
+
+    describe 'when available', real_ocsp: true do
+      it 'positively validates a non-revoked OCSP response' do
+        v = described_class.new cert('good'), ca
+        expect(v.ocsp_valid?).to be
+      end
+      pending 'negatively validates a mismatched OCSP response'
+
+      it 'negatively validates a revoked certificate' do
+        v = described_class.new cert('revoked'), ca
+        expect(v.ocsp_valid?).to_not be
+      end
+    end
+
+    describe 'when not available', null_ocsp: true do
+      it 'raises when asked to validate OCSP' do
+        expect{ subject.ocsp_valid? }.to raise_error CertValidator::OcspNotAvailableError
+      end
+    end
+  end
+end

data/spec/crl_extractor_spec.rb

@@ -0,0 +1,42 @@
+describe CertValidator::CrlValidator::Extractor do
+  let(:good_cert){ cert 'good' }
+
+  it 'accepts a certificate on construction' do
+    expect{ described_class.new good_cert }.to_not raise_error
+  end
+
+  describe 'with multiple distribution points' do
+    subject{ described_class.new cert 'github' }
+
+    it 'extracts the CRL distribution points' do
+      points = nil
+      expect{ points = subject.distribution_points }.to_not raise_error
+
+      expect(points).to be_an Enumerable
+      expect(points.length).to eq 2
+
+      expect(points).to include 'http://crl3.digicert.com/sha2-ev-server-g1.crl'
+      expect(points).to include 'http://crl4.digicert.com/sha2-ev-server-g1.crl'
+    end
+  end
+
+  describe 'with one distribution point' do
+    subject{ described_class.new good_cert }
+
+    it 'extracts the CRL distribution point' do
+      points = nil
+      expect{ points = subject.distribution_points }.to_not raise_error
+      expect(points).to eq ['http://cert-validator-test.herokuapp.com/revoked.crl']
+    end
+  end
+
+  describe 'with no distribution points' do
+    subject{ described_class.new cert 'ocsp_only' }
+
+    it 'extracts no CRL distribution points' do
+      points = nil
+      expect{ points = subject.distribution_points }.to_not raise_error
+      expect(points).to be_empty
+    end
+  end
+end