check_certificate_chain 1.1.2 → 2.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: eb156e21479cd1b22d66643549361b29421382ed
-  data.tar.gz: 8fef1079f1cb3520d0d6efa016f3bfaf443418f5
+  metadata.gz: e6478165736e8bd911791335f79397d3c95cfab4
+  data.tar.gz: cf224a9090678d4bbdfecc4d20f7aa2190475d57
 SHA512:
-  metadata.gz: bc46742aaabe807fd67cc8a1add4a1e953abea2c55f859629e4017da63c53f0930b06bf3a79d354eed62a6296f9262a53a0908f31490569d1e166da76766afd0
-  data.tar.gz: '04635799b793319f72cc9960fbc74216952abfcfaaf1efc0311e1d5c050a532d00d6832ad1d61b1b3ae320e0594c34ca7ec61d8923650cb1cdc047fd8e257db0'
+  metadata.gz: 22612d4dbde4962e02052eae88bc653a5ad3253ebb635fe152b0753a390892e71d54a5cdde3405d47a020822cc7eb735d47fb403a2a9a4a7915d20687fb3020f
+  data.tar.gz: 00f6402d27ad02b78b82336ca648465acfd88cc7263a2f2ff062ee37d8a722e6c200495f1b80df79c50d3a82de39ab867f812dfd0fa57b6085c4abb74f044a82

data/bin/check_certificate_chain

@@ -1,134 +1,239 @@
 #!/usr/bin/env ruby
 
-require 'uri'
 require 'openssl'
+require 'uri'
 require 'socket'
+require 'net/http'
 
-uri = URI(ARGV[0])
-uri = uri.host.nil? ? ARGV[0] : uri.host
+hostname = URI(ARGV[0])
+hostname = hostname.host.nil? ? hostname.to_s : hostname.host
 
-class String
-	def red
-		"\e[0;31;49m#{self}\e[0m"
-	end
 
-	def green
-		"\e[0;32;49m#{self}\e[0m"
-	end
+openssl_context = OpenSSL::SSL::SSLContext.new
 
-	def bold
-		"\e[1;39;49m#{self}\e[0m"
-	end
-end
+tcp_socket = TCPSocket.new(hostname, 443)
 
-module OpenSSL
-	module X509
-		class Certificate
-			def self_signed?
-				self.verify self.public_key
-			end
-		end
-	end
-end
+chain = nil
 
-cert_store = OpenSSL::X509::Store.new
-cert_store.set_default_paths
+OpenSSL::SSL::SSLSocket.new(tcp_socket, openssl_context).tap do |ssl_socket|
+    ssl_socket.hostname = hostname
+    ssl_socket.sync_close = true
+    ssl_socket.connect
 
-ctx = OpenSSL::SSL::SSLContext.new
+    chain = ssl_socket.peer_cert_chain
 
-socket = TCPSocket.new(uri, 443)
+    ssl_socket.sysclose
+end
 
-ssl = OpenSSL::SSL::SSLSocket.new(socket, ctx)
-ssl.hostname = uri
+certificate_store = OpenSSL::X509::Store.new
+certificate_store.set_default_paths
 
-ssl.connect
+output = {}
+output[:header] = "---"
+output[:hostname_check] = ""
+output[:date_check] = ""
+output[:short] = []
+output[:long] = []
+output[:issues] = []
+output[:ocsp_check] = []
+
+def is_root?(certificate)
+    self_signed = certificate.verify certificate.public_key
+
+    basic_constraints = certificate.extensions.find do |extension|
+        extension.oid.eql?("basicConstraints")
+    end
+    ca, value = basic_constraints.value.split(":")
+    is_ca = ca.eql?("CA") && value.eql?("TRUE")
+
+    self_signed && is_ca
+end
 
-chain = ssl.peer_cert_chain
 certificate = chain.first
 
-output = {}
-output[:header] = "--- " + "Certificate chain".bold
-output[:date] = ""
-output[:hostname] = ""
-output[:short] = ""
-output[:long] = ""
-
-NOW = Time.new
-BEFORE = certificate.not_before 
+# Check certificate hostname
+if OpenSSL::SSL.verify_certificate_identity certificate, hostname
+    output[:hostname_check] << "The hostname (#{hostname}) is correctly listed in the certificate."
+    check_certificate_hostname = true
+else
+    output[:hostname_check] << "None of the common names in the certificate match the name that was entered (#{hostname})."
+    check_certificate_hostname = false
+end
+
+# Check certificate expiration date
+NOW = Time.now
+BEFORE = certificate.not_before
 AFTER = certificate.not_after
 
 def days
-	((AFTER - NOW).to_i.abs / 86400).to_s
+    ((AFTER - NOW).to_i.abs / 86400).to_s
 end
-	
+
 if AFTER > NOW
-	output[:date] = "Certificate is up to date. (".green + days.bold + 
-                        ") days remaining.".green + "\n---\n"
+    output[:date_check] << "Certificate is up to date. (#{days}) days remaining."
+    not_expired = true
 else
-	output[:date] = "Certificate is outdated. This certificate has expired (".red + 
-                        days.bold + ") days ago".red + "\n---\n"
+    output[:date_check] << "Certificate is outdated. This certificate has expired (#{days}) days ago."
+    not_expired = false
 end
 
-if OpenSSL::SSL.verify_certificate_identity(certificate, uri)
-	output[:hostname] << "The hostname (".green + uri.bold + 
-                             ") is correctly listed in the certificate.".green
-else
-	output[:hostname] << "None of the common names in the certificate match the name that was entered (".red +
-	                     uri.bold + ")".red
+### OCSP Check
+authority_info_access = certificate.extensions.find{|ext| ext.oid.eql?("authorityInfoAccess")}
+if check_certificate_hostname && not_expired && authority_info_access
+    if issuer = chain.find{|chain_certificate| certificate.verify(chain_certificate.public_key)}
+        digest = OpenSSL::Digest::SHA1.new
+        certificate_id = OpenSSL::OCSP::CertificateId.new certificate, issuer, digest
+
+        ocsp_request = OpenSSL::OCSP::Request.new
+        ocsp_request.add_certid certificate_id
+        ocsp_request.add_nonce
+
+        ###
+        uri_string = authority_info_access.value.split("\n").find{|str| str.start_with?("OCSP")}
+        ocsp_uri = URI uri_string[/URI:(.+)/, 1]
+        ocsp_uri.path = "/" if ocsp_uri.path.empty?
+
+        def ocsp_post(ocsp_uri, ocsp_request)
+            Net::HTTP.start(ocsp_uri.host, ocsp_uri.port) do |http|
+                http.post ocsp_uri.path, ocsp_request.to_der, {"Content-Type" => "application/ocsp-request"}
+            end
+        end
+
+        http_response = ocsp_post(ocsp_uri,  ocsp_request)
+        case http_response
+        when Net::HTTPSuccess then http_response
+        when Net::HTTPRedirection
+            ocsp_uri = URI(http_response['location'])
+            http_response = ocsp_post(ocsp_uri, ocsp_request)
+        end
+
+        ocsp_response = OpenSSL::OCSP::Response.new http_response.body
+        # Response status can be from 0 to 6. If response status is other then 0 it is error and If the value of responseStatus is one of the error conditions, the responseBytes (basic response) field is not set.
+        # RFC6960 4.2.1
+        if ocsp_response.status.zero?
+            basic = ocsp_response.basic
+            if basic.verify [issuer], certificate_store
+                # Check nonce
+                nonce_status = ocsp_request.check_nonce basic
+                case nonce_status
+                when 1
+                    output[:ocsp_check] << "OCSP: nonce is ok."
+                    nonce_check = true
+                when -1, 2, 3
+                    output[:ocsp_check] << "OCSP: nonce is no supported."
+                    nonce_check = true
+                when 0
+                    output[:ocsp_check] << "OCSP: nonce check failed."
+                    nonce_check = false
+                end
+
+                if nonce_check
+                    ocsp_single_response = basic.find_response(certificate_id)
+                    unless ocsp_single_response
+                        output[:ocsp_check] << "OCSP: no response for this certificate"
+                    end
+
+                    unless ocsp_single_response.check_validity
+                        output[:ocsp_check] << "OCSP: time validity failed."
+                    end
+
+                    case ocsp_single_response.cert_status
+                    when 0
+                        output[:ocsp_check] << "OCSP: certificate is ok."
+                    when 1
+                        output[:ocsp_check] << "OCSP: certificate is revoked."
+                    when 2
+                        output[:ocsp_check] << "OCSP: certificate status is unknown."
+                    end
+                end
+            end
+        else
+            output[:ocsp_check] << "OCSP: response returned an error. Status of the response is #{ocsp_response.status_string}"
+        end
+    end
 end
+###
 
-check_chain_status = true
-
-chain.each_with_index do |cert, i|
-	output[:short] << "#{i} s:#{chain[i].subject.to_s}\n" +
-			  "  i:#{chain[i].issuer.to_s}\n"
-
-	output[:short] << "---\n" if i.eql?(chain.size - 1)
-
-	subject = cert.subject.to_s.split("CN=").last
-	output[:long] << "Common name:".bold + " #{subject}\n"
-
-	sans = cert.extensions.find {|ext| ext.oid.eql?("subjectAltName")}
-	unless sans.nil?
-		sans = sans.value.delete("DNS:")
-		output[:long] << "SANs:".bold + " #{sans}\n"
-	end
-
-	output[:long] << "Valid".bold + " #{cert.not_before.strftime('from %B %d, %Y')} " +
-			 "#{cert.not_after.strftime('to %B %d, %Y')}\n"
-	output[:long] << "Serial Number:".bold + " #{cert.serial.to_s(16)}\n"
-	output[:long] << "Signature Algorithm:".bold + " #{cert.signature_algorithm}\n"
-	output[:long] << "Issuer:".bold + " #{cert.issuer.to_s.split("CN=").last}\n"
-
-	output[:long] << "--- "
-
-	if check_chain_status
-		unless chain[i+1].nil?
-			if cert.verify chain[i+1].public_key
-				output[:long] << "chain ok\n".green
-			else
-				output[:long] << "chain broken\n".red
-				check_chain_status = false
-			end
-		else
-			unless cert.self_signed?
-				if cert_store.verify cert
-					output[:long] << "checked against os store; chain ok\n".green
-				else
-					output[:long] << "checked agains os store; chain broken\n".red
-					check_chain_status = false
-				end
-			else
-				output[:long] << "\n"
-			end
-		end
-	else
-		output[:long] << "\n"
-	end
+
+# Check if certificate chain contains root anchor
+root_anchor = chain.find do |certificate|
+    is_root?(certificate)
+end
+
+if root_anchor
+    output[:issues] << "  Certificate chain contains root_anchor. Extra certificate (Which serves no purpose) is increasing the handshake latency."
+end
+
+def long_output(chain_certificate, output)
+
+    output[:long] << "Common name: #{chain_certificate.subject.to_s[/CN=(.+)/, 1]}"
+    sans = chain_certificate.extensions.find{|extension| extension.oid.eql?("subjectAltName")}
+    unless sans.nil?
+        sans = sans.value.delete("DSN:")
+        output[:long] << "SANs: #{sans}"
+    end
+    output[:long] << chain_certificate.not_before.strftime("Valid from %B %-d, %Y ") +
+                     chain_certificate.not_after.strftime("to %B %-d, %Y")
+    output[:long] << "Serial Number: #{chain_certificate.serial.to_s(16).downcase}"
+    output[:long] << "Signature Algorithm: #{chain_certificate.signature_algorithm}"
+    output[:long] << "Issuer: #{chain_certificate.issuer.to_s[/CN=(.+)/, 1]}"
+    # output[:long] << "---\n"
+end
+
+
+
+chain_check_status = true
+chain_order_status = true
+
+chain.each_with_index do |chain_certificate, index|
+    output[:short] << "#{index} s:#{chain_certificate.subject.to_s}"
+    output[:short] << "  i:#{chain_certificate.issuer.to_s}"
+
+    long_output(chain_certificate, output)
+    output[:long] << "---"
+
+    if chain_check_status
+        check_status = chain.any? do |possible_issuer|
+            unless possible_issuer.eql? chain_certificate &&
+                   is_root?(chain_certificate)
+                   if chain_certificate.verify possible_issuer.public_key
+                       if chain.index(possible_issuer) - chain.index(chain_certificate) > 1
+                           chain_order_status = false
+                       end
+                       true
+                   end
+            end
+        end
+
+        # If check failed check against the root store
+        unless check_status
+            if certificate_store.verify chain_certificate
+                long_output(certificate_store.chain.last, output)
+                output[:long] << "---"
+            else
+                chain_check_status = false
+                output[:issues] << "  Root certificate is not trusted."
+            end
+        end
+    else
+        chain_check_status = false
+        output[:issues] << " Chain is broken."
+    end
+end
+
+unless chain_order_status
+    output[:issues] << "  Incorrect chain order."
 end
 
 puts output[:header]
 puts output[:short]
-puts output[:hostname]
-puts output[:date]
+puts "---\n"
+puts output[:hostname_check]
+puts output[:date_check]
+puts output[:ocsp_check]
+unless output[:issues].empty?
+    puts "Issues:"
+    puts output[:issues]
+end
+puts "---\n"
 puts output[:long]

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: check_certificate_chain
 version: !ruby/object:Gem::Version
-  version: 1.1.2
+  version: 2.1.2
 platform: ruby
 authors:
 - Jora Porcu
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-07-21 00:00:00.000000000 Z
+date: 2017-08-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: openssl
@@ -16,16 +16,16 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2'
-  type: :development
+        version: '2.0'
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2'
-description: Cli tool to check http connection certificates.
-email: jitlogan@gmail.com
+        version: '2.0'
+description: CLI tool to displayh certificate chain and OCSP status
+email: jora@gmail.com
 executables:
 - check_certificate_chain
 extensions: []
@@ -55,5 +55,5 @@ rubyforge_project:
 rubygems_version: 2.6.12
 signing_key: 
 specification_version: 4
-summary: Check HTTPS certificates
+summary: CLI tool to check certificate chain
 test_files: []