cert_validator 0.0.1

Files changed (43)
  1. checksums.yaml +7 -0
  2. data/.gitignore +22 -0
  3. data/.rspec +4 -0
  4. data/.travis.yml +5 -0
  5. data/Gemfile +4 -0
  6. data/LICENSE.txt +22 -0
  7. data/README.md +55 -0
  8. data/Rakefile +6 -0
  9. data/cert_validator.gemspec +24 -0
  10. data/lib/cert_validator.rb +40 -0
  11. data/lib/cert_validator/asn1.rb +15 -0
  12. data/lib/cert_validator/crl/extractor.rb +48 -0
  13. data/lib/cert_validator/crl_validator.rb +93 -0
  14. data/lib/cert_validator/errors.rb +81 -0
  15. data/lib/cert_validator/ocsp.rb +13 -0
  16. data/lib/cert_validator/ocsp/extractor.rb +52 -0
  17. data/lib/cert_validator/ocsp/null_validator.rb +17 -0
  18. data/lib/cert_validator/ocsp/real_validator.rb +117 -0
  19. data/lib/cert_validator/version.rb +3 -0
  20. data/lib/tasks/ca.rb +112 -0
  21. data/lib/tasks/helper.rb +36 -0
  22. data/spec/cert_validator_spec.rb +73 -0
  23. data/spec/crl_extractor_spec.rb +42 -0
  24. data/spec/crl_validator_spec.rb +59 -0
  25. data/spec/null_ocsp_validator_spec.rb +19 -0
  26. data/spec/ocsp_extractor_spec.rb +31 -0
  27. data/spec/ocsp_validator_spec.rb +34 -0
  28. data/spec/spec_helper.rb +15 -0
  29. data/spec/support/ca/crl_only.crt +15 -0
  30. data/spec/support/ca/digicert.crl +0 -0
  31. data/spec/support/ca/empty.crt +13 -0
  32. data/spec/support/ca/github.crt +34 -0
  33. data/spec/support/ca/good.crt +16 -0
  34. data/spec/support/ca/mismatched.crl +13 -0
  35. data/spec/support/ca/ocsp_only.crt +15 -0
  36. data/spec/support/ca/revoked.crl +9 -0
  37. data/spec/support/ca/revoked.crt +16 -0
  38. data/spec/support/ca/root.crt +14 -0
  39. data/spec/support/ca/root.key +9 -0
  40. data/spec/support/certs.rb +17 -0
  41. data/spec/support/ocsp_guard.rb +2 -0
  42. data/spec/support/validator_expectations.rb +13 -0
  43. metadata +150 -0
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA1:
3
+ metadata.gz: 0f3fd5982c4c87671c828d1e0a53597b82150ab9
4
+ data.tar.gz: 5b26c0a0cf2ddc39944a865d74eabec1c1a7cb0f
5
+ SHA512:
6
+ metadata.gz: 4b1cfb84bbc4dc74d63495ee1259c72f71c2e71c602296157d9695c4f4651e5db0a55970b08d0854d2f94ae675818b31b6da39bc598a5c3fb56c6d0d70e733b1
7
+ data.tar.gz: b278b942d7e86e9c52c479f083d535a2a3024210f9c5eef9ea117742bfd44f635e25314464d164d4234a9a715bc623e3be814f7ba559aa0dbde52c14cbde6dab
@@ -0,0 +1,22 @@
1
+ *.gem
2
+ *.rbc
3
+ .bundle
4
+ .config
5
+ .yardoc
6
+ Gemfile.lock
7
+ InstalledFiles
8
+ _yardoc
9
+ coverage
10
+ doc/
11
+ lib/bundler/man
12
+ pkg
13
+ rdoc
14
+ spec/reports
15
+ test/tmp
16
+ test/version_tmp
17
+ tmp
18
+ *.bundle
19
+ *.so
20
+ *.o
21
+ *.a
22
+ mkmf.log
data/.rspec ADDED
@@ -0,0 +1,4 @@
1
+ --format documentation
2
+ --color
3
+ --warnings
4
+ --require spec_helper
@@ -0,0 +1,5 @@
1
+ language: ruby
2
+ rvm:
3
+ - 1.9.3
4
+ - 2.0.0
5
+ - 2.1.2
data/Gemfile ADDED
@@ -0,0 +1,4 @@
1
+ source 'https://rubygems.org'
2
+
3
+ # Specify your gem's dependencies in cert_validator.gemspec
4
+ gemspec
@@ -0,0 +1,22 @@
1
+ Copyright (c) 2014 Bryce Kerley
2
+
3
+ MIT License
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining
6
+ a copy of this software and associated documentation files (the
7
+ "Software"), to deal in the Software without restriction, including
8
+ without limitation the rights to use, copy, modify, merge, publish,
9
+ distribute, sublicense, and/or sell copies of the Software, and to
10
+ permit persons to whom the Software is furnished to do so, subject to
11
+ the following conditions:
12
+
13
+ The above copyright notice and this permission notice shall be
14
+ included in all copies or substantial portions of the Software.
15
+
16
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
17
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
18
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
19
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
20
+ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
21
+ OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
22
+ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@@ -0,0 +1,55 @@
1
+ # CertValidator
2
+
3
+ Validate an X509 certificate against its CRL or OCSP endpoint. Raise exceptions
4
+ if OCSP isn't available.
5
+
6
+ ## Compatibility
7
+
8
+ This project aims for compatibility with:
9
+
10
+ * Ruby 1.9.3
11
+ * Ruby 2.0
12
+ * Ruby 2.1
13
+ * JRuby 1.7 in Ruby 1.9 and 2.0 modes
14
+
15
+ ## Installation
16
+
17
+ Add this line to your application's Gemfile:
18
+
19
+ gem 'cert_validator'
20
+
21
+ And then execute:
22
+
23
+ $ bundle
24
+
25
+ Or install it yourself as:
26
+
27
+ $ gem install cert_validator
28
+
29
+ ## Usage
30
+
31
+ ```ruby
32
+ some_cert # an OpenSSL::X509::Certificate
33
+
34
+ validator = CertValidator.new some_cert
35
+
36
+ validator.crl_available? # return true if certificate has a CRL endpoint
37
+
38
+ validator.crl_valid? # validate against the certificate's CRL endpoint
39
+
40
+ validator.crl_file = some_path # allow overriding the CRL
41
+
42
+ # return true if certificate has an OCSP endpoint and the Ruby OpenSSL module
43
+ # supports OCSP
44
+ validator.ocsp_available?
45
+
46
+ validator.ocsp_valid? # validate against the certificate's OCSP endpoint
47
+ ```
48
+
49
+ ## Contributing
50
+
51
+ 1. Fork it ( https://github.com/[my-github-username]/cert_validator/fork )
52
+ 2. Create your feature branch (`git checkout -b my-new-feature`)
53
+ 3. Commit your changes (`git commit -am 'Add some feature'`)
54
+ 4. Push to the branch (`git push origin my-new-feature`)
55
+ 5. Create a new Pull Request
@@ -0,0 +1,6 @@
1
+ require "bundler/gem_tasks"
2
+ require 'rspec/core/rake_task'
3
+
4
+ RSpec::Core::RakeTask.new(:spec)
5
+
6
+ task :default => :spec
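--- a/data/cert_validator.gemspec
+++ b/data/cert_validator.gemspec
@@ -0,0 +1,24 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'cert_validator/version'
+
+Gem::Specification.new do |spec|
+  spec.name = "cert_validator"
+  spec.version = CertValidator::VERSION
+  spec.authors = ["Bryce Kerley"]
+  spec.email = ["bkerley@brycekerley.net"]
+  spec.summary = %q{Validate X509 certificates against CRL and OCSP.}
+  spec.description = %q{Validate an X509 certificate against its listed OCSP endpoint and/or a CRL.}
+  spec.homepage = ""
+  spec.license = "MIT"
+
+  spec.files = `git ls-files -z`.split("\x0")
+  spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.6"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec", '~> 3.0.0'
+end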
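Review bot: `spec.files = git ls-files` packages every tracked file, and the file list for this version shows `spec/support/ca/root.key` — a private key — going into the published gem. It is only the test CA's key, but a private key inside a released artifact trips secret scanners and invites reuse; exclude test support from the shipped files with `spec.files -= spec.test_files` placed after the `spec.test_files` line, or have the test CA generated at test time (the `lib/tasks/ca.rb` added in this commit looks like it exists for that, though its contents are not in view). `spec.homepage = ""` is also empty and should be filled in or removed.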
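--- a/data/lib/cert_validator.rb
+++ b/data/lib/cert_validator.rb
@@ -0,0 +1,40 @@
+%w{version errors asn1 crl_validator ocsp}.each { |f| require "cert_validator/#{f}" }
+
+class CertValidator
+  attr_reader :certificate
+  attr_reader :ca
+
+  def initialize(cert, ca)
+    @certificate = cert
+    @ca = ca
+  end
+
+  def crl=(crl)
+    crl_validator.crl = crl
+  end
+
+  def crl_available?
+    crl_validator.available?
+  end
+
+  def crl_valid?
+    crl_validator.valid?
+  end
+
+  def ocsp_available?
+    ocsp_validator.available?
+  end
+
+  def ocsp_valid?
+    ocsp_validator.valid?
+  end
+
+  private
+  def crl_validator
+    @crl_validator ||= CrlValidator.new certificate, ca
+  end
+
+  def ocsp_validator
+    @ocsp_validator ||= OcspValidator.new certificate, ca
+  end
+end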
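Review bot: Nothing documents what `ca` must be, and the README added in this same commit still shows `CertValidator.new some_cert` and `validator.crl_file = some_path`, while this class takes `(cert, ca)` and exposes `crl=`. On the CRL side that is visible here, `ca.public_key` is the only thing the CRL signature is checked against, so a caller who passes the wrong certificate gets a validator that always answers false; a class-level comment would make that contract explicit: `# ca: the issuing CA certificate. Its public key must verify the CRL (and presumably the OCSP response); nothing here validates the chain from `cert` to `ca`, so do that before trusting a true result.` The OCSP validator is not in this diff, so whether it uses `ca` the same way should be confirmed before the comment claims it. The README usage block needs the same correction.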
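--- a/data/lib/cert_validator/asn1.rb
+++ b/data/lib/cert_validator/asn1.rb
@@ -0,0 +1,15 @@
+class CertValidator
+  class Asn1
+    def initialize(der)
+      @der = der
+    end
+
+    def decode
+      @decode ||= OpenSSL::ASN1.decode @der
+    end
+
+    def extension_payload
+      OpenSSL::ASN1.decode(decode.value.last).value
+    end
+  end
+end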
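Review bot: `extension_payload` depends on two structural facts that are not written down: in an X.509 `Extension` SEQUENCE the `extnValue` OCTET STRING is the last element, which is why `decode.value.last` is the right pick regardless of whether `critical` is present, and decoding that element a second time unwraps the OCTET STRING so that `.value` is the inner DER rather than the tagged wrapper. A comment above the method would save the next reader a trip to RFC 5280: `# Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue OCTET STRING }; the caller wants the DER inside the trailing OCTET STRING, hence the second decode.` Also worth a note on `decode`: `@der` ultimately comes from the certificate under test, `OpenSSL::ASN1.decode` raises `OpenSSL::ASN1::ASN1Error` on malformed input, and nothing visible in this diff rescues it.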
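--- a/data/lib/cert_validator/crl/extractor.rb
+++ b/data/lib/cert_validator/crl/extractor.rb
@@ -0,0 +1,48 @@
+class CertValidator
+  class CrlValidator
+    class Extractor
+      attr_reader :certificate
+
+      def initialize(cert)
+        @certificate = cert
+      end
+
+      def distribution_points
+        return [] unless has_crl_extension?
+        decoded_payload.value.map{ |v| descend_to_string v.value }
+      end
+
+      def has_distribution_points?
+        ! distribution_points.empty?
+      end
+
+      def has_crl_extension?
+        !! crl_extension
+      end
+
+      def crl_extension
+        @crl_extension ||= certificate.extensions.detect{ |e| e.oid == 'crlDistributionPoints' }
+      end
+
+      def crl_extension_payload
+        @crl_extension_payload ||= Asn1.new(crl_extension.to_der).extension_payload
+      end
+
+      def decoded_payload
+        @decoded_payload ||= Asn1.new(crl_extension_payload).decode
+      end
+
+      def descend_to_string(asn_data)
+        seen = Set.new
+        current = asn_data
+        loop do
+          raise RecursiveExtractError.new if seen.include? current
+          seen.add current
+          current = current.first.value
+
+          return current if current.is_a? String
+        end
+      end
+    end
+  end
+end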
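Review bot: `descend_to_string` takes `.first` at every level, so any DistributionPoint that is not laid out as `distributionPoint [0] -> fullName [0] -> uniformResourceIdentifier [6]` yields the wrong thing: a DP carrying only `reasons`/`cRLIssuer`, or a fullName whose first GeneralName is a directoryName, comes back as a bogus "URL" that is later handed to the fetcher, and an empty node raises NoMethodError on `nil.value`. The extension belongs to the certificate being checked, i.e. attacker-shaped input, so it should be walked by tag rather than by position; the rewrite below returns only URI GeneralNames and an empty list otherwise, which also makes `has_distribution_points?` honest. `Set` also needs `require 'set'` on the 1.9/2.x rubies this gem targets, and nothing visible requires it. `RecursiveExtractError` would no longer be raised from here; keep it defined if anything else depends on it.
```ruby
def distribution_points
  return [] unless has_crl_extension?
  children(decoded_payload).flat_map { |dp| uris_in dp }
end

# … unchanged: has_distribution_points? … decoded_payload …

# Walk one DistributionPoint by tag (RFC 5280 4.2.1.13):
#   distributionPoint [0] -> fullName [0] -> GeneralName uniformResourceIdentifier [6]
# nameRelativeToCRLIssuer [1], reasons [1] and cRLIssuer [2] are not fetchable and are skipped.
def uris_in(dp)
  dist_point = children(dp).find { |f| tagged?(f, 0) }
  full_name = children(dist_point).find { |n| tagged?(n, 0) }
  children(full_name).select { |gn| tagged?(gn, 6) && gn.value.is_a?(String) }.map(&:value)
end

# Child nodes of a constructed ASN.1 value; [] for primitives, nil, or anything unexpected.
def children(node)
  (node.respond_to?(:value) && node.value.is_a?(Array)) ? node.value : []
end

def tagged?(node, tag)
  node.respond_to?(:tag_class) && node.tag_class == :CONTEXT_SPECIFIC && node.tag == tag
end
```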
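--- a/data/lib/cert_validator/crl_validator.rb
+++ b/data/lib/cert_validator/crl_validator.rb
@@ -0,0 +1,93 @@
+require 'cert_validator/crl/extractor'
+class CertValidator
+  class CrlValidator
+    attr_reader :certificate
+    attr_reader :ca
+    attr_writer :crl
+
+    attr_reader :revoked_time
+
+    def initialize(cert, ca)
+      @certificate = cert
+      @ca = ca
+    end
+
+    def available?
+      return true if has_crl_data?
+      return false unless extractor.has_distribution_points?
+
+      begin
+        return false unless vivified_crl
+      rescue OpenSSL::X509::CRLError
+        return false
+      end
+
+      return true
+    end
+
+    def valid?
+      return false unless available?
+
+      begin
+        return false unless vivified_crl
+      rescue OpenSSL::X509::CRLError
+        return false
+      end
+
+      return false unless matches_ca?
+
+      return false if revoked?
+
+      return true
+    end
+
+    def crl
+      return @crl if defined? @crl
+
+      distribution_points = extractor.distribution_points
+      distribution_points.first do |dp|
+        @crl = fetch dp
+      end
+    end
+
+    private
+    def has_crl_data?
+      !! crl
+    end
+
+    def extractor
+      @extractor ||= Extractor.new certificate
+    end
+
+    def fetch(uri)
+      resp = Net::HTTP.get_response URI(uri)
+      return resp.body if resp.code == 200
+
+      return nil
+    end
+
+    def vivified_crl
+      return @vivified_crl if defined? @vivified_crl
+
+      if crl.is_a? OpenSSL::X509::CRL
+        return @vivified_crl = crl
+      else
+        return @vivified_crl = OpenSSL::X509::CRL.new(crl)
+      end
+    end
+
+    def revoked?
+      vivified_crl.revoked.find do |entry|
+        entry.serial == certificate.serial
+      end.tap do |entry|
+        next if entry.nil?
+        @revoked_time = entry.time
+      end
+    end
+
+    def matches_ca?
+      vivified_crl.verify ca.public_key
+    end
+  end
+end
+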
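Review bot: `crl` never fetches anything: `Array#first` ignores the block given at `distribution_points.first do |dp|`, so the method returns the first distribution-point URL as a String, and even when `fetch` is reached, `resp.code` is a String so `resp.code == 200` can never be true. The visible consequence is that `available?` answers true for any certificate with a distribution point (the URL string is truthy) while `valid?` ends in `OpenSSL::X509::CRL.new(url)` raising CRLError and returns false — fail-closed, but every automatic CRL check fails unless the caller assigns `crl=` by hand. Two security gaps remain once fetching works: the URL comes from the certificate under test and `fetch` follows it with no scheme restriction, timeout or rescue, so a crafted certificate can steer the validator at file:/ldap: URIs or slow hosts and crash `available?` with SocketError or NoMethodError; and `valid?` never consults `next_update`, so a correctly signed but expired CRL replayed over plain http hides a later revocation. The rewrite below fixes the fetch path, bounds it to HTTP(S) with timeouts, checks CRL freshness, and returns nil from `vivified_crl` when nothing was fetched instead of building an empty CRL; `net/http`, `uri` and `openssl` are required nowhere in this diff, so add `require 'net/http'` here unless the gem entry point does it.
```ruby
def valid?
  # … unchanged: available? / vivified_crl guards …
  return false unless matches_ca?
  # A correctly signed but expired CRL can be replayed to hide a later revocation.
  expiry = vivified_crl.next_update
  return false if expiry && expiry < Time.now
  return false if revoked?
  return true
end

def crl
  return @crl if defined? @crl
  @crl = nil
  # First distribution point that yields a body wins; stays nil if none does.
  extractor.distribution_points.each do |dp|
    break if (@crl = fetch(dp))
  end
  @crl
end

# … unchanged: has_crl_data? / extractor …

CRL_SCHEMES = %w[http https].freeze
CRL_TIMEOUT = 5 # seconds, applied to connect and read

def fetch(uri)
  target = URI(uri)
  # The URL is taken from the certificate being checked, i.e. untrusted input:
  # HTTP(S) only. Deployments inside private networks may also want to reject
  # loopback / RFC 1918 targets here.
  return nil unless CRL_SCHEMES.include?(target.scheme) && target.host
  http = Net::HTTP.new(target.host, target.port)
  http.use_ssl = target.scheme == 'https'
  http.open_timeout = http.read_timeout = CRL_TIMEOUT
  resp = http.start { |h| h.get(target.request_uri) }
  resp.is_a?(Net::HTTPSuccess) ? resp.body : nil
rescue URI::InvalidURIError, SocketError, SystemCallError, Timeout::Error, OpenSSL::SSL::SSLError
  nil
end

def vivified_crl
  return @vivified_crl if defined? @vivified_crl
  return @vivified_crl = nil if crl.nil? # nothing fetched and nothing assigned
  @vivified_crl = crl.is_a?(OpenSSL::X509::CRL) ? crl : OpenSSL::X509::CRL.new(crl)
end
```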
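--- a/data/lib/cert_validator/errors.rb
+++ b/data/lib/cert_validator/errors.rb
@@ -0,0 +1,81 @@
+class CertValidator
+  class Error < StandardError
+  end
+
+  class OcspNotAvailableError < Error
+    def initialize
+      super "OCSP functionality isn't available in this version of Ruby."
+    end
+  end
+
+  class RecursiveExtractError < Error
+    def initialize
+      super "Tried to extract a value from a recursive structure. Please file a bug!"
+    end
+  end
+
+  class CrlFetchError < Error
+    def initialize
+      super "Couldn't fetch CRL."
+    end
+  end
+
+  module OcspFailures
+    class OcspFailure < Error
+    end
+
+    class FetchError < OcspFailure
+      def initialize
+        super "Couldn't fetch OCSP."
+      end
+    end
+
+    class NonzeroStatus < OcspFailure
+      def initialize(status)
+        super "OCSP status was #{status}, expected 0"
+      end
+    end
+
+    class ResponseMismatch < OcspFailure
+      def initialize
+        super "OCSP response did not match certificate issuer"
+      end
+    end
+
+    class MissingStatus < OcspFailure
+      def initialize
+        super "OCSP response was missing status section"
+      end
+    end
+
+    class UnacceptableNonce < OcspFailure
+      def initialize
+        super "OCSP response had unacceptable result from nonce check"
+      end
+    end
+
+    class SerialMismatch < OcspFailure
+      def initialize(got, expected)
+        super "OCSP response serial was #{got.inspect}, expected #{expected.inspect}"
+      end
+    end
+
+    class NotValidNow < OcspFailure
+      def initialize(validity_range)
+        super "OCSP response only valid from #{validity_range.begin} to #{validity_range.end}, currently #{Time.now}"
+      end
+    end
+
+    class Revoked < OcspFailure
+      def initialize
+        super "OCSP response indicates cert was revoked"
+      end
+    end
+
+    class UnexpectedStatus < OcspFailure
+      def initialize(got)
+        super "OCSP response was #{got.inspect}, expected 0"
+      end
+    end
+  end
+end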
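Review bot: `CrlFetchError` is defined here but never raised by the `CrlValidator` this commit adds — its `fetch` returns nil on anything but success — so the README's "raise exceptions" contract has no CRL counterpart and this class is dead until something uses it. `NonzeroStatus` and `UnexpectedStatus` also produce near-identical messages (both "expected 0") with no hint of which OCSP field each describes; presumably one is the `OCSPResponseStatus` of the whole response and the other the per-certificate `CertStatus`, but `ocsp/real_validator.rb`, which raises them, is not in view. Once confirmed, a one-line comment on each would settle it: `# OCSPResponseStatus of the whole response (0 = successful)` above `NonzeroStatus` and `# CertStatus of the single-cert response (0 = good)` above `UnexpectedStatus`. The ASCII apostrophes in the two "Couldn't fetch" messages are fine; just keep them consistent if the class hierarchy is documented later.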