internet_security_event 1.0.2 → 1.1.0
- checksums.yaml +4 -4
- data/.rspec +0 -2
- data/CHANGELOG.md +24 -0
- data/lib/internet_security_event/tlsa_status.rb +81 -0
- data/lib/internet_security_event/version.rb +1 -1
- data/lib/internet_security_event.rb +2 -0
- data/lib/resolv/dns/resource/in/tlsa.rb +39 -0
- metadata +5 -2
    
        checksums.yaml
    CHANGED
    
    | @@ -1,7 +1,7 @@ | |
| 1 1 | 
             
            ---
         | 
| 2 2 | 
             
            SHA256:
         | 
| 3 | 
            -
              metadata.gz:  | 
| 4 | 
            -
              data.tar.gz:  | 
| 3 | 
            +
              metadata.gz: 2d93be47b6e84cb8d7e40c2f604732ee48ba6582235253710dd473e0634099c1
         | 
| 4 | 
            +
              data.tar.gz: b58978d3f62628a1239a03e60438ca5f516f19ac59ff6946987c4541080b90ca
         | 
| 5 5 | 
             
            SHA512:
         | 
| 6 | 
            -
              metadata.gz:  | 
| 7 | 
            -
              data.tar.gz:  | 
| 6 | 
            +
              metadata.gz: c936050537ef4665d970fea58906b3c1de303a80abe73a082a09040801ebfda12c0826d055c89345591c7844472c82bfb8ccce01bed48dd79618f3a89b78f2e5
         | 
| 7 | 
            +
              data.tar.gz: e03ee5ccf138e9d4a9bc6534dcfa3987f631fca669ed1cf0f450d159536c88a43405de338abb71508abb8297f05689818b7ace1abcab97238f6122ecf2519c86
         | 
    
        data/.rspec
    CHANGED
    
    
    
        data/CHANGELOG.md
    ADDED
    
    | @@ -0,0 +1,24 @@ | |
| 1 | 
            +
            # Changelog
         | 
| 2 | 
            +
            All notable changes to this project will be documented in this file.
         | 
| 3 | 
            +
             | 
| 4 | 
            +
            The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
         | 
| 5 | 
            +
            and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
         | 
| 6 | 
            +
             | 
| 7 | 
            +
            ## [1.1.0] - 2019-02-21
         | 
| 8 | 
            +
            ### Added
         | 
| 9 | 
            +
            - Add basic suport for TLSA events.
         | 
| 10 | 
            +
             | 
| 11 | 
            +
            ## [1.0.2] - 2019-02-21
         | 
| 12 | 
            +
             | 
| 13 | 
            +
            ### Changed
         | 
| 14 | 
            +
            - Fix checking of TLS hostnames with wildcard certificates.
         | 
| 15 | 
            +
             | 
| 16 | 
            +
            ## [1.0.1] - 2019-02-18
         | 
| 17 | 
            +
             | 
| 18 | 
            +
            ### Changed
         | 
| 19 | 
            +
            - Improve the way TLS certificates state is computed.
         | 
| 20 | 
            +
             | 
| 21 | 
            +
            [Unreleased]: https://github.com/smortex/internet_security_event/compare/v1.1.0...HEAD
         | 
| 22 | 
            +
            [1.1.0]: https://github.com/smortex/internet_security_event/compare/v1.0.2...v1.1.0
         | 
| 23 | 
            +
            [1.0.2]: https://github.com/smortex/internet_security_event/compare/v1.0.1...v1.0.2
         | 
| 24 | 
            +
            [1.0.1]: https://github.com/smortex/internet_security_event/compare/v1.0.0...v1.0.1
         | 
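--- a/data/lib/internet_security_event/tlsa_status.rb
+++ b/data/lib/internet_security_event/tlsa_status.rb
@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+require 'resolv'
+
+module InternetSecurityEvent
+  class TLSAStatus
+    attr_reader :record, :certificate
+
+    def initialize(record, certificate)
+      @record = record
+      @certificate = certificate
+
+      @resolv = Resolv::DNS.new
+    end
+
+    def self.build(record, certificate)
+      obj = new(record, certificate)
+      obj.to_e
+    end
+
+    def to_e
+      {
+        state:       state,
+        description: description,
+      }
+    end
+
+    def certificate_association_data(selector, matching_type)
+      certificate_association_data_digest(certificate_association_data_certificate_bytes(selector), matching_type)
+    end
+
+    def certificate_match_tlsa_record?
+      certificate_association_data(record.selector, record.matching_type) == record.certificate_association_data
+    end
+
+    private
+
+    def certificate_association_data_certificate_bytes(selector)
+      case selector
+      when Resolv::DNS::Resource::IN::TLSA::Selector::CERT
+        certificate.to_der
+      when Resolv::DNS::Resource::IN::TLSA::Selector::SPKI
+        certificate.public_key.to_der
+      end
+    end
+
+    def certificate_association_data_digest(bytes, matching_type)
+      case matching_type
+      when Resolv::DNS::Resource::IN::TLSA::MatchingType::FULL
+        bytes.unpack1('H*')
+      when Resolv::DNS::Resource::IN::TLSA::MatchingType::SHA2_256
+        Digest::SHA256.hexdigest(bytes)
+      when Resolv::DNS::Resource::IN::TLSA::MatchingType::SHA2_512
+        Digest::SHA512.hexdigest(bytes)
+      end
+    end
+
+    def state
+      return 'critical' unless record
+
+      return nil unless record.end_entity?
+
+      return 'ok' if certificate_match_tlsa_record?
+
+      'critical'
+    end
+
+    def description
+      if record.end_entity?
+        if certificate_match_tlsa_record?
+          'certificate match TLSA record'
+        else
+          'certificate does not match TLSA record'
+        end
+      else
+        # FIXME: For now, we only check the certificate, not the CA
+        'Unsupported certificate usage'
+      end
+    end
+  end
+end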
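Review bot: `description` dereferences `record` without the nil guard that `state` has (`return 'critical' unless record`), so `TLSAStatus.build(nil, certificate)` gets 'critical' from `state` and then raises NoMethodError from `description` inside `to_e`; add a matching guard as the first line of `description`, e.g. `return 'no TLSA record' unless record`. `Digest::SHA256` and `Digest::SHA512` are called in `certificate_association_data_digest` while this file only requires 'resolv'; unless another file is known to load it first, add `require 'digest'` next to it. Both `case` statements fall through to nil for a selector or matching type outside the defined constants, and that nil then reaches `unpack1`/`hexdigest`, so a TLSA record with an unexpected value (which the checker receives from DNS, i.e. untrusted input) raises instead of producing a 'critical' state — an `else` branch returning nil from `certificate_association_data_certificate_bytes` and an early `return nil unless bytes` in the digest method would keep the comparison path total. `state` treats PKIX_EE and DANE_EE identically, but usage 1 additionally requires the chain to pass PKIX path validation (RFC 6698 §2.1.1), so 'ok' for a PKIX-EE record is only a partial verdict; a comment next to the existing FIXME such as `# NOTE: PKIX-EE (usage 1) also requires PKIX path validation, not performed here` would make that visible to callers. `@resolv = Resolv::DNS.new` in `initialize` is never read in this file; if nothing else uses it, drop it, as it allocates a resolver per status object.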
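--- a/data/lib/resolv/dns/resource/in/tlsa.rb
+++ b/data/lib/resolv/dns/resource/in/tlsa.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+class Resolv
+  class DNS
+    class Resource
+      module IN
+        class TLSA
+          module CertificateUsage
+            PKIX_TA = 0
+            PKIX_EE = 1
+            DANE_TA = 2
+            DANE_EE = 3
+          end
+
+          module Selector
+            CERT = 0
+            SPKI = 1
+          end
+
+          module MatchingType
+            FULL = 0
+            SHA2_256 = 1
+            SHA2_512 = 2
+          end
+
+          def initialize(data)
+            @certificate_usage, @selector, @matching_type, @certificate_association_data = data.unpack('CCCH*')
+          end
+
+          attr_reader :certificate_usage, :selector, :matching_type, :certificate_association_data
+
+          def end_entity?
+            [CertificateUsage::PKIX_EE, CertificateUsage::DANE_EE].include?(certificate_usage)
+          end
+        end
+      end
+    end
+  end
+end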
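Review bot: `initialize` unpacks the RDATA with `data.unpack('CCCH*')` and no length check, so a truncated or malformed record of fewer than 3 bytes leaves `certificate_usage`, `selector` and/or `matching_type` as nil, and `end_entity?` then quietly answers false rather than flagging bad data; add `raise ArgumentError, 'TLSA RDATA too short' if data.bytesize < 3` before the unpack. The `H*` directive produces lowercase hex, and the matching code in tlsa_status.rb compares this string directly against `Digest#hexdigest` and `unpack1('H*')` output, so the case convention is load-bearing and deserves a comment on the unpack line, e.g. `# RFC 6698 §2.1 wire format: usage, selector, matching type (one byte each), then association data as lowercase hex`. If this file defines a fresh class rather than reopening one the resolver already knows, it carries no `TypeValue` and no `decode_rdata`, so `Resolv::DNS#getresources` could not hand back instances of it; the hunk does not show which case applies, so worth confirming and documenting at the top of the class.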
    
        metadata
    CHANGED
    
    | @@ -1,14 +1,14 @@ | |
| 1 1 | 
             
            --- !ruby/object:Gem::Specification
         | 
| 2 2 | 
             
            name: internet_security_event
         | 
| 3 3 | 
             
            version: !ruby/object:Gem::Version
         | 
| 4 | 
            -
              version: 1.0 | 
| 4 | 
            +
              version: 1.1.0
         | 
| 5 5 | 
             
            platform: ruby
         | 
| 6 6 | 
             
            authors:
         | 
| 7 7 | 
             
            - Romain Tartière
         | 
| 8 8 | 
             
            autorequire: 
         | 
| 9 9 | 
             
            bindir: exe
         | 
| 10 10 | 
             
            cert_chain: []
         | 
| 11 | 
            -
            date: 2019-02- | 
| 11 | 
            +
            date: 2019-02-22 00:00:00.000000000 Z
         | 
| 12 12 | 
             
            dependencies:
         | 
| 13 13 | 
             
            - !ruby/object:Gem::Dependency
         | 
| 14 14 | 
             
              name: actionview
         | 
| @@ -104,6 +104,7 @@ files: | |
| 104 104 | 
             
            - ".gitignore"
         | 
| 105 105 | 
             
            - ".rspec"
         | 
| 106 106 | 
             
            - ".travis.yml"
         | 
| 107 | 
            +
            - CHANGELOG.md
         | 
| 107 108 | 
             
            - CODE_OF_CONDUCT.md
         | 
| 108 109 | 
             
            - Gemfile
         | 
| 109 110 | 
             
            - LICENSE.txt
         | 
| @@ -115,8 +116,10 @@ files: | |
| 115 116 | 
             
            - lib/internet_security_event.rb
         | 
| 116 117 | 
             
            - lib/internet_security_event/now.rb
         | 
| 117 118 | 
             
            - lib/internet_security_event/tls_status.rb
         | 
| 119 | 
            +
            - lib/internet_security_event/tlsa_status.rb
         | 
| 118 120 | 
             
            - lib/internet_security_event/version.rb
         | 
| 119 121 | 
             
            - lib/internet_security_event/x509_status.rb
         | 
| 122 | 
            +
            - lib/resolv/dns/resource/in/tlsa.rb
         | 
| 120 123 | 
             
            homepage: https://github.com/smortex/internet_security_event
         | 
| 121 124 | 
             
            licenses:
         | 
| 122 125 | 
             
            - MIT
         |