check_certificate_chain 2.3.2 → 2.3.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c5b7164a1146fee0714a882c89b7f625ddb4b01ef3cc15e7f13358b0f27ad9cf
-  data.tar.gz: b74808f4afdbcbe15b64ffff10636c74a08b61abc4bcbe39836fcd8ca24078ff
+  metadata.gz: 1ae0cbbfe9f20b30e36746f9b019af48d638ccd979af3e57dce7cc4ded02c832
+  data.tar.gz: c6602eaf11b1f68c4788d1253d017de33fb26f1675109e4d7e19e083931382e1
 SHA512:
-  metadata.gz: f39ba8b71299c080b5f6a3f1f260966b2c11b4919d2d9eb2b3f8e5f4507e1ccc4bf0b1edaec9c492be486743b7fa432dc7f3fa78fbc4f7d3b53b057df9fce385
-  data.tar.gz: bfc4b2ca7da84f711357d5fdbe41a8113362e6244762b340cdfada1296676e6f88f5037b0046c1eb00c4ea6249f40e54d0d71047d21ef5e8c0bfb6b1b1bec9f3
+  metadata.gz: 12a9741a5a89407e47adf30949fb77ecebe3ca314b4311ea949db59aae0489c075e0a719a277bfa00a4a162c736c7b43feb965507ccd3045e881589c20bea68f
+  data.tar.gz: 2c08e9568ed2bbdc8085865db545e3b95cfede6a6a826526a1e6ed7ac83d459d8039ed8ab983bcdbeaa630f5ea4ebb4b2b8d51416414595ceb5b9f49e9bdd5dd

data/bin/check_certificate_chain

@@ -6,6 +6,20 @@ require 'socket'
 require 'net/http'
 require 'pastel'
 
+class OpenSSL::X509::Certificate
+    def exceptionless_verify(public_key)
+        begin
+            self.verify(public_key)
+        rescue OpenSSL::X509::CertificateError => e
+            if e.message == "wrong public key type"
+                return false
+            else
+                raise OpenSSL::X509::CertificateError, "OpenSSL::X509::CertificateError"
+            end
+        end
+    end
+end
+
 servername = ""
 host = ""
 port = ""
@@ -33,7 +47,6 @@ host = argument_match_result[:ip02] || argument_match_result[:domain02]
 servername = (argument_match_result[:ip01] || argument_match_result[:domain01]) || host
 port = argument_match_result[:port] || "443"
 
-
 pastel = Pastel.new(eachline: "\n")
 
 good = pastel.green.detach
@@ -47,7 +60,14 @@ warning = pastel.yellow.detach
 
 openssl_context = OpenSSL::SSL::SSLContext.new
 
-tcp_socket = TCPSocket.new(host, port.to_i)
+begin
+    tcp_socket = TCPSocket.new(host, port.to_i)
+rescue SocketError => e
+    abort bad[e.message]
+rescue Errno::ECONNREFUSED => e
+    abort bad[e.message]
+end
+
 ip = tcp_socket.peeraddr(false).last
 
 chain = nil
@@ -77,7 +97,7 @@ output[:issues] = []
 output[:ocsp_check] = []
 
 def is_root?(certificate)
-    self_signed = certificate.verify certificate.public_key
+    self_signed = certificate.exceptionless_verify certificate.public_key
 
     basic_constraints = certificate.extensions.find do |extension|
         extension.oid.eql?("basicConstraints")
@@ -126,7 +146,7 @@ end
 ### OCSP Check
 authority_info_access = certificate.extensions.find{|ext| ext.oid.eql?("authorityInfoAccess")}
 if check_certificate_hostname && not_expired && authority_info_access
-    if issuer = chain.find{|chain_certificate| certificate.verify(chain_certificate.public_key)}
+    if issuer = chain.find{|chain_certificate| certificate.exceptionless_verify(chain_certificate.public_key)}
         digest = OpenSSL::Digest::SHA1.new
         certificate_id = OpenSSL::OCSP::CertificateId.new certificate, issuer, digest
 
@@ -238,7 +258,7 @@ chain.each_with_index do |chain_certificate, index|
     if chain_check_status
         check_status = chain.any? do |possible_issuer|
             unless possible_issuer.eql?(chain_certificate) && is_root?(chain_certificate)
-                   if chain_certificate.verify possible_issuer.public_key
+                   if chain_certificate.exceptionless_verify possible_issuer.public_key
                        output[:issues] << bad["  Certificate is self-signed"] if chain_certificate.eql?(possible_issuer)
                        if chain.index(possible_issuer) - chain.index(chain_certificate) > 1
                            chain_order_status = false

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: check_certificate_chain
 version: !ruby/object:Gem::Version
-  version: 2.3.2
+  version: 2.3.3
 platform: ruby
 authors:
 - Jora Porcu