check_certificate_chain 2.3.2 → 2.3.3
- checksums.yaml +4 -4
- data/bin/check_certificate_chain +25 -5
- metadata +1 -1
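--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 1ae0cbbfe9f20b30e36746f9b019af48d638ccd979af3e57dce7cc4ded02c832
+data.tar.gz: c6602eaf11b1f68c4788d1253d017de33fb26f1675109e4d7e19e083931382e1
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 12a9741a5a89407e47adf30949fb77ecebe3ca314b4311ea949db59aae0489c075e0a719a277bfa00a4a162c736c7b43feb965507ccd3045e881589c20bea68f
+data.tar.gz: 2c08e9568ed2bbdc8085865db545e3b95cfede6a6a826526a1e6ed7ac83d459d8039ed8ab983bcdbeaa630f5ea4ebb4b2b8d51416414595ceb5b9f49e9bdd5dd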
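--- a/data/bin/check_certificate_chain
+++ b/data/bin/check_certificate_chain
@@ -6,6 +6,20 @@ require 'socket'
 require 'net/http'
 require 'pastel'
 
+class OpenSSL::X509::Certificate
+def exceptionless_verify(public_key)
+begin
+self.verify(public_key)
+rescue OpenSSL::X509::CertificateError => e
+if e.message == "wrong public key type"
+return false
+else
+raise OpenSSL::X509::CertificateError, "OpenSSL::X509::CertificateError"
+end
+end
+end
+end
+
 servername = ""
 host = ""
 port = ""
@@ -33,7 +47,6 @@ host = argument_match_result[:ip02] || argument_match_result[:domain02]
 servername = (argument_match_result[:ip01] || argument_match_result[:domain01]) || host
 port = argument_match_result[:port] || "443"
 
-
 pastel = Pastel.new(eachline: "\n")
 
 good = pastel.green.detach
@@ -47,7 +60,14 @@ warning = pastel.yellow.detach
 
 openssl_context = OpenSSL::SSL::SSLContext.new
 
-
+begin
+tcp_socket = TCPSocket.new(host, port.to_i)
+rescue SocketError => e
+abort bad[e.message]
+rescue Errno::ECONNREFUSED => e
+abort bad[e.message]
+end
+
 ip = tcp_socket.peeraddr(false).last
 
 chain = nil
@@ -77,7 +97,7 @@ output[:issues] = []
 output[:ocsp_check] = []
 
 def is_root?(certificate)
-self_signed = certificate.
+self_signed = certificate.exceptionless_verify certificate.public_key
 
 basic_constraints = certificate.extensions.find do |extension|
 extension.oid.eql?("basicConstraints")
@@ -126,7 +146,7 @@ end
 ### OCSP Check
 authority_info_access = certificate.extensions.find{|ext| ext.oid.eql?("authorityInfoAccess")}
 if check_certificate_hostname && not_expired && authority_info_access
-if issuer = chain.find{|chain_certificate| certificate.
+if issuer = chain.find{|chain_certificate| certificate.exceptionless_verify(chain_certificate.public_key)}
 digest = OpenSSL::Digest::SHA1.new
 certificate_id = OpenSSL::OCSP::CertificateId.new certificate, issuer, digest
 
@@ -238,7 +258,7 @@ chain.each_with_index do |chain_certificate, index|
 if chain_check_status
 check_status = chain.any? do |possible_issuer|
 unless possible_issuer.eql?(chain_certificate) && is_root?(chain_certificate)
-if chain_certificate.
+if chain_certificate.exceptionless_verify possible_issuer.public_key
 output[:issues] << bad[" Certificate is self-signed"] if chain_certificate.eql?(possible_issuer)
 if chain.index(possible_issuer) - chain.index(chain_certificate) > 1
 chain_order_status = false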
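Review bot: In the new `exceptionless_verify` (first hunk), the `else` branch re-raises a fresh `OpenSSL::X509::CertificateError, "OpenSSL::X509::CertificateError"`, which throws away the original message and backtrace a caller would need to diagnose a malformed certificate; a bare `raise` inside the rescue re-raises the current exception intact. Comparing `e.message == "wrong public key type"` pins the fallback to one OpenSSL error string, so a build that words it differently would abort the chain-building calls in the later hunks instead of yielding `false`; at minimum the assumption deserves a comment such as `# OpenSSL raises rather than returning false when the key algorithm does not match the signature; treat that as "not signed by this key"`. Reopening `OpenSSL::X509::Certificate` to add the method also changes the class for every other user in the process; a module-level helper taking the certificate, or a Refinement, would keep the change local to this script. In the third hunk, the `begin` around `TCPSocket.new` rescues only `SocketError` and `Errno::ECONNREFUSED`, so a connect timeout or unreachable host (`Errno::ETIMEDOUT`, `Errno::EHOSTUNREACH`) still surfaces as an uncaught exception rather than the `abort bad[e.message]` path.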