cert_validator 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 0f3fd5982c4c87671c828d1e0a53597b82150ab9
+  data.tar.gz: 5b26c0a0cf2ddc39944a865d74eabec1c1a7cb0f
+SHA512:
+  metadata.gz: 4b1cfb84bbc4dc74d63495ee1259c72f71c2e71c602296157d9695c4f4651e5db0a55970b08d0854d2f94ae675818b31b6da39bc598a5c3fb56c6d0d70e733b1
+  data.tar.gz: b278b942d7e86e9c52c479f083d535a2a3024210f9c5eef9ea117742bfd44f635e25314464d164d4234a9a715bc623e3be814f7ba559aa0dbde52c14cbde6dab

data/.gitignore

@@ -0,0 +1,22 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log

data/.rspec

@@ -0,0 +1,4 @@
+--format documentation
+--color
+--warnings
+--require spec_helper

data/.travis.yml

@@ -0,0 +1,5 @@
+language: ruby
+rvm:
+  - 1.9.3
+  - 2.0.0
+  - 2.1.2

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in cert_validator.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Bryce Kerley
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,55 @@
+# CertValidator
+
+Validate an X509 certificate against its CRL or OCSP endpoint. Raise exceptions
+if OCSP isn't available.
+
+## Compatibility
+
+This project aims for compatibility with:
+
+* Ruby 1.9.3
+* Ruby 2.0
+* Ruby 2.1
+* JRuby 1.7 in Ruby 1.9 and 2.0 modes
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'cert_validator'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install cert_validator
+
+## Usage
+
+```ruby
+some_cert # an OpenSSL::X509::Certificate
+
+validator = CertValidator.new some_cert
+
+validator.crl_available? # return true if certificate has a CRL endpoint
+
+validator.crl_valid? # validate against the certificate's CRL endpoint
+
+validator.crl_file = some_path # allow overriding the CRL
+
+# return true if certificate has an OCSP endpoint and the Ruby OpenSSL module
+# supports OCSP
+validator.ocsp_available?
+
+validator.ocsp_valid? # validate against the certificate's OCSP endpoint
+```
+
+## Contributing
+
+1. Fork it ( https://github.com/[my-github-username]/cert_validator/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/cert_validator.gemspec

@@ -0,0 +1,24 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'cert_validator/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "cert_validator"
+  spec.version       = CertValidator::VERSION
+  spec.authors       = ["Bryce Kerley"]
+  spec.email         = ["bkerley@brycekerley.net"]
+  spec.summary       = %q{Validate X509 certificates against CRL and OCSP.}
+  spec.description   = %q{Validate an X509 certificate against its listed OCSP endpoint and/or a CRL.}
+  spec.homepage      = ""
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.6"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec", '~> 3.0.0'
+end

data/lib/cert_validator.rb

@@ -0,0 +1,40 @@
+%w{version errors asn1 crl_validator ocsp}.each { |f| require "cert_validator/#{f}" }
+
+class CertValidator
+  attr_reader :certificate
+  attr_reader :ca
+
+  def initialize(cert, ca)
+    @certificate = cert
+    @ca = ca
+  end
+
+  def crl=(crl)
+    crl_validator.crl = crl
+  end
+
+  def crl_available?
+    crl_validator.available?
+  end
+
+  def crl_valid?
+    crl_validator.valid?
+  end
+
+  def ocsp_available?
+    ocsp_validator.available?
+  end
+
+  def ocsp_valid?
+    ocsp_validator.valid?
+  end
+
+  private
+  def crl_validator
+    @crl_validator ||= CrlValidator.new certificate, ca
+  end
+
+  def ocsp_validator
+    @ocsp_validator ||= OcspValidator.new certificate, ca
+  end
+end

data/lib/cert_validator/asn1.rb

@@ -0,0 +1,15 @@
+class CertValidator
+  class Asn1
+    def initialize(der)
+      @der = der
+    end
+
+    def decode
+      @decode ||= OpenSSL::ASN1.decode @der
+    end
+
+    def extension_payload
+      OpenSSL::ASN1.decode(decode.value.last).value
+    end
+  end
+end

data/lib/cert_validator/crl/extractor.rb

@@ -0,0 +1,48 @@
+class CertValidator
+  class CrlValidator
+    class Extractor
+      attr_reader :certificate
+
+      def initialize(cert)
+        @certificate = cert
+      end
+
+      def distribution_points
+        return [] unless has_crl_extension?
+        decoded_payload.value.map{ |v| descend_to_string v.value }
+      end
+
+      def has_distribution_points?
+        ! distribution_points.empty?
+      end
+
+      def has_crl_extension?
+        !! crl_extension
+      end
+
+      def crl_extension
+        @crl_extension ||= certificate.extensions.detect{ |e| e.oid == 'crlDistributionPoints' }
+      end
+
+      def crl_extension_payload
+        @crl_extension_payload ||= Asn1.new(crl_extension.to_der).extension_payload
+      end
+
+      def decoded_payload
+        @decoded_payload ||= Asn1.new(crl_extension_payload).decode
+      end
+
+      def descend_to_string(asn_data)
+        seen = Set.new
+        current = asn_data
+        loop do
+          raise RecursiveExtractError.new if seen.include? current
+          seen.add current
+          current = current.first.value
+
+          return current if current.is_a? String
+        end
+      end
+    end
+  end
+end

data/lib/cert_validator/crl_validator.rb

@@ -0,0 +1,93 @@
+require 'cert_validator/crl/extractor'
+class CertValidator
+  class CrlValidator
+    attr_reader :certificate
+    attr_reader :ca
+    attr_writer :crl
+
+    attr_reader :revoked_time
+
+    def initialize(cert, ca)
+      @certificate = cert
+      @ca = ca
+    end
+
+    def available?
+      return true if has_crl_data?
+      return false unless extractor.has_distribution_points?
+
+      begin
+        return false unless vivified_crl
+      rescue OpenSSL::X509::CRLError
+        return false
+      end
+
+      return true
+    end
+
+    def valid?
+      return false unless available?
+
+      begin
+        return false unless vivified_crl
+      rescue OpenSSL::X509::CRLError
+        return false
+      end
+
+      return false unless matches_ca?
+      
+      return false if revoked?
+
+      return true
+    end
+
+    def crl
+      return @crl if defined? @crl
+      
+      distribution_points = extractor.distribution_points
+      distribution_points.first do |dp|
+        @crl = fetch dp
+      end
+    end
+
+    private
+    def has_crl_data?
+      !! crl
+    end
+
+    def extractor
+      @extractor ||= Extractor.new certificate
+    end
+
+    def fetch(uri)
+      resp = Net::HTTP.get_response URI(uri)
+      return resp.body if resp.code == 200
+
+      return nil
+    end
+
+    def vivified_crl
+      return @vivified_crl if defined? @vivified_crl
+
+      if crl.is_a? OpenSSL::X509::CRL
+        return @vivified_crl = crl
+      else
+        return @vivified_crl = OpenSSL::X509::CRL.new(crl)
+      end
+    end
+
+    def revoked?
+      vivified_crl.revoked.find do |entry|
+        entry.serial == certificate.serial
+      end.tap do |entry|
+        next if entry.nil?
+        @revoked_time = entry.time
+      end
+    end
+
+    def matches_ca?
+      vivified_crl.verify ca.public_key
+    end
+  end
+end
+

data/lib/cert_validator/errors.rb

@@ -0,0 +1,81 @@
+class CertValidator
+  class Error < StandardError
+  end
+
+  class OcspNotAvailableError < Error
+    def initialize
+      super "OCSP functionality isn't available in this version of Ruby."
+    end
+  end
+
+  class RecursiveExtractError < Error
+    def initialize
+      super "Tried to extract a value from a recursive structure. Please file a bug!"
+    end
+  end
+
+  class CrlFetchError < Error
+    def initialize
+      super "Couldn't fetch CRL."
+    end
+  end
+
+  module OcspFailures
+    class OcspFailure < Error
+    end
+
+    class FetchError < OcspFailure
+      def initialize
+        super "Couldn't fetch OCSP."
+      end
+    end
+
+    class NonzeroStatus < OcspFailure
+      def initialize(status)
+        super "OCSP status was #{status}, expected 0"
+      end
+    end
+
+    class ResponseMismatch < OcspFailure
+      def initialize
+        super "OCSP response did not match certificate issuer"
+      end
+    end
+
+    class MissingStatus < OcspFailure
+      def initialize
+        super "OCSP response was missing status section"
+      end
+    end
+
+    class UnacceptableNonce < OcspFailure
+      def initialize
+        super "OCSP response had unacceptable result from nonce check"
+      end
+    end
+
+    class SerialMismatch < OcspFailure
+      def initialize(got, expected)
+        super "OCSP response serial was #{got.inspect}, expected #{expected.inspect}"
+      end
+    end
+
+    class NotValidNow < OcspFailure
+      def initialize(validity_range)
+        super "OCSP response only valid from #{validity_range.begin} to #{validity_range.end}, currently #{Time.now}"
+      end
+    end
+
+    class Revoked < OcspFailure
+      def initialize
+        super "OCSP response indicates cert was revoked"
+      end
+    end
+
+    class UnexpectedStatus < OcspFailure
+      def initialize(got)
+        super "OCSP response was #{got.inspect}, expected 0"
+      end
+    end
+  end
+end