check_certificate_chain 2.3.0 → 2.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e6befb1fbe46dc8874a339d0c4520c5b109496ede77e659dc3fadbf1892ca11e
-  data.tar.gz: c401f0289313bd3b61b602c68805ff9a8c651fb569dac441fce6024e455295a5
+  metadata.gz: 27a772594eae8ed954707e4d446184fc6bbfcde6348facdd9ee7b4a1f7050be2
+  data.tar.gz: 0015ff495b15b9bba9511b13c46762137945632af903cf4401d7c6310ce506e5
 SHA512:
-  metadata.gz: 2c55067f1e178b0c4d650bbf66b22a58feffa26871af7bacc39094db508d9a20502a327e0ef95756566c447e822a68bad0b53de4eabb31b5c1eb0417bc73a221
-  data.tar.gz: a7c26f08455795e27fa7394381f1f3a9fccd9a6200b5a8d6caa56e6a70314fd0fce8912cddac1a3c8c9867ddbf747df8fab9f9cf7e11ca2a7e4339709a2e89a6
+  metadata.gz: b562158f6c3d2160f95d2f46be905bc6199eede081126b54d2b9b27572d55feef2f8eb9d41249143b51714a9e4d14e56170cfd244a8c002d79edc405baae3138
+  data.tar.gz: 57a5bc19f8524abec71372cbe4a71fc423d8bbc5861b4bcc79f0d0be624b7a53604679ad158af96f752215fc24ec095ddbd3cd686f7da5683f978435ee6fdacf

data/bin/check_certificate_chain

@@ -6,8 +6,33 @@ require 'socket'
 require 'net/http'
 require 'pastel'
 
-hostname = URI(ARGV[0])
-hostname = hostname.host.nil? ? hostname.to_s : hostname.host
+servername = ""
+host = ""
+port = ""
+
+
+def usage
+	puts "Usage: script.rb servername:host:port",
+             "Usage: script.rb host:port",
+	     "Usage: script.rb host",
+	     "Notice: if servername omitted, script takes host as TSL SNI servername",
+	     "Notice: if port is omitted script takes 443 as default"
+	exit 1
+end
+
+usage if ARGV.size != 1
+
+argument_re = /^(((?<ip01>(\d{1,3}\.){3}\d{1,3})|(?<domain01>([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,})):)?
+               ((?<ip02>(\d{1,3}\.){3}\d{1,3})|(?<domain02>([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}))
+	       (:(?<port>\d{1,5}))?$/xi
+
+
+argument_match_result = ARGV[0].match argument_re
+
+host = argument_match_result[:ip02] || argument_match_result[:domain02]
+servername = (argument_match_result[:ip01] || argument_match_result[:domain01]) || host
+port = argument_match_result[:port] || "443"
+
 
 pastel = Pastel.new(eachline: "\n")
 
@@ -22,13 +47,13 @@ warning = pastel.yellow.detach
 
 openssl_context = OpenSSL::SSL::SSLContext.new
 
-tcp_socket = TCPSocket.new(hostname, 443)
+tcp_socket = TCPSocket.new(host, port.to_i)
 ip = tcp_socket.peeraddr(false).last
 
 chain = nil
 
 OpenSSL::SSL::SSLSocket.new(tcp_socket, openssl_context).tap do |ssl_socket|
-    ssl_socket.hostname = hostname
+    ssl_socket.hostname = servername
     ssl_socket.sync_close = true
     ssl_socket.connect
 
@@ -43,7 +68,7 @@ certificate_store.set_default_paths
 output = {}
 output[:header] = "---"
 
-output[:header] << "\nConnected to #{ip}\n---\n"
+output[:header] << "\nConnected to #{ip}:#{port} with #{servername} as TLS SNI servername\n---\n"
 
 output[:hostname_check] = ""
 output[:date_check] = ""
@@ -66,11 +91,18 @@ end
 certificate = chain.first
 
 # Check certificate hostname
-if OpenSSL::SSL.verify_certificate_identity certificate, hostname
-    output[:hostname_check] << good["The hostname #{good_bold[hostname]} is correctly listed in the certificate."]
+if OpenSSL::SSL.verify_certificate_identity certificate, servername
+    if certificate.subject.to_a.empty?
+        output[:issues] << warning["  Subject is empty"]
+    else
+        output[:issues] << warning["  Canonic Name is empty in subject"] unless certificate.subject.to_a.any?{|cn_entry_array| cn_entry_array.first.eql? "CN"}
+
+    end
+
+    output[:hostname_check] << good["The hostname #{good_bold[servername]} is correctly listed in the certificate."]
     check_certificate_hostname = true
 else
-    output[:hostname_check] << bad["None of the common names in the certificate match the name that was entered #{bad_bold[hostname]}."]
+    output[:hostname_check] << bad["None of the common names in the certificate match the name that was entered #{bad_bold[servername]}."]
     check_certificate_hostname = false
 end
 
@@ -205,25 +237,33 @@ chain.each_with_index do |chain_certificate, index|
 
     if chain_check_status
         check_status = chain.any? do |possible_issuer|
-            unless possible_issuer.eql? chain_certificate &&
-                   is_root?(chain_certificate)
+            unless possible_issuer.eql?(chain_certificate) && is_root?(chain_certificate)
                    if chain_certificate.verify possible_issuer.public_key
+                       output[:issues] << bad["  Certificate is self-signed"] if chain_certificate.eql?(possible_issuer)
                        if chain.index(possible_issuer) - chain.index(chain_certificate) > 1
                            chain_order_status = false
                        end
                        true
                    end
+	    else
+		    check_status = false
             end
         end
 
         # If check failed check against the root store
         unless check_status
             if certificate_store.verify chain_certificate
-                long_output(certificate_store.chain.last, output)
-                output[:data] << "---"
+                unless root_anchor
+                    long_output(certificate_store.chain.last, output)
+                    output[:data] << "---"
+                end
             else
                 chain_check_status = false
-                output[:issues] << bad["  Root certificate is not trusted."]
+                if is_root? chain_certificate
+                    output[:issues] << bad["  Root certificate is not trusted."]
+                else
+                    output[:issues] << bad["  Chain is broken."]
+                end
             end
         end
     else

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: check_certificate_chain
 version: !ruby/object:Gem::Version
-  version: 2.3.0
+  version: 2.3.1
 platform: ruby
 authors:
 - Jora Porcu
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-11-05 00:00:00.000000000 Z
+date: 2019-11-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: openssl