internet_security_event 1.0.2 → 1.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.rspec +0 -2
- data/CHANGELOG.md +24 -0
- data/lib/internet_security_event/tlsa_status.rb +81 -0
- data/lib/internet_security_event/version.rb +1 -1
- data/lib/internet_security_event.rb +2 -0
- data/lib/resolv/dns/resource/in/tlsa.rb +39 -0
- metadata +5 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 2d93be47b6e84cb8d7e40c2f604732ee48ba6582235253710dd473e0634099c1
|
|
4
|
+
data.tar.gz: b58978d3f62628a1239a03e60438ca5f516f19ac59ff6946987c4541080b90ca
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c936050537ef4665d970fea58906b3c1de303a80abe73a082a09040801ebfda12c0826d055c89345591c7844472c82bfb8ccce01bed48dd79618f3a89b78f2e5
|
|
7
|
+
data.tar.gz: e03ee5ccf138e9d4a9bc6534dcfa3987f631fca669ed1cf0f450d159536c88a43405de338abb71508abb8297f05689818b7ace1abcab97238f6122ecf2519c86
|
data/.rspec
CHANGED
data/CHANGELOG.md
ADDED
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
# Changelog
|
|
2
|
+
All notable changes to this project will be documented in this file.
|
|
3
|
+
|
|
4
|
+
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
|
5
|
+
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
6
|
+
|
|
7
|
+
## [1.1.0] - 2019-02-21
|
|
8
|
+
### Added
|
|
9
|
+
- Add basic suport for TLSA events.
|
|
10
|
+
|
|
11
|
+
## [1.0.2] - 2019-02-21
|
|
12
|
+
|
|
13
|
+
### Changed
|
|
14
|
+
- Fix checking of TLS hostnames with wildcard certificates.
|
|
15
|
+
|
|
16
|
+
## [1.0.1] - 2019-02-18
|
|
17
|
+
|
|
18
|
+
### Changed
|
|
19
|
+
- Improve the way TLS certificates state is computed.
|
|
20
|
+
|
|
21
|
+
[Unreleased]: https://github.com/smortex/internet_security_event/compare/v1.1.0...HEAD
|
|
22
|
+
[1.1.0]: https://github.com/smortex/internet_security_event/compare/v1.0.2...v1.1.0
|
|
23
|
+
[1.0.2]: https://github.com/smortex/internet_security_event/compare/v1.0.1...v1.0.2
|
|
24
|
+
[1.0.1]: https://github.com/smortex/internet_security_event/compare/v1.0.0...v1.0.1
|
|
@@ -0,0 +1,81 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'resolv'
|
|
4
|
+
|
|
5
|
+
module InternetSecurityEvent
|
|
6
|
+
class TLSAStatus
|
|
7
|
+
attr_reader :record, :certificate
|
|
8
|
+
|
|
9
|
+
def initialize(record, certificate)
|
|
10
|
+
@record = record
|
|
11
|
+
@certificate = certificate
|
|
12
|
+
|
|
13
|
+
@resolv = Resolv::DNS.new
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
def self.build(record, certificate)
|
|
17
|
+
obj = new(record, certificate)
|
|
18
|
+
obj.to_e
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
def to_e
|
|
22
|
+
{
|
|
23
|
+
state: state,
|
|
24
|
+
description: description,
|
|
25
|
+
}
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
def certificate_association_data(selector, matching_type)
|
|
29
|
+
certificate_association_data_digest(certificate_association_data_certificate_bytes(selector), matching_type)
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
def certificate_match_tlsa_record?
|
|
33
|
+
certificate_association_data(record.selector, record.matching_type) == record.certificate_association_data
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
private
|
|
37
|
+
|
|
38
|
+
def certificate_association_data_certificate_bytes(selector)
|
|
39
|
+
case selector
|
|
40
|
+
when Resolv::DNS::Resource::IN::TLSA::Selector::CERT
|
|
41
|
+
certificate.to_der
|
|
42
|
+
when Resolv::DNS::Resource::IN::TLSA::Selector::SPKI
|
|
43
|
+
certificate.public_key.to_der
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
|
|
47
|
+
def certificate_association_data_digest(bytes, matching_type)
|
|
48
|
+
case matching_type
|
|
49
|
+
when Resolv::DNS::Resource::IN::TLSA::MatchingType::FULL
|
|
50
|
+
bytes.unpack1('H*')
|
|
51
|
+
when Resolv::DNS::Resource::IN::TLSA::MatchingType::SHA2_256
|
|
52
|
+
Digest::SHA256.hexdigest(bytes)
|
|
53
|
+
when Resolv::DNS::Resource::IN::TLSA::MatchingType::SHA2_512
|
|
54
|
+
Digest::SHA512.hexdigest(bytes)
|
|
55
|
+
end
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
def state
|
|
59
|
+
return 'critical' unless record
|
|
60
|
+
|
|
61
|
+
return nil unless record.end_entity?
|
|
62
|
+
|
|
63
|
+
return 'ok' if certificate_match_tlsa_record?
|
|
64
|
+
|
|
65
|
+
'critical'
|
|
66
|
+
end
|
|
67
|
+
|
|
68
|
+
def description
|
|
69
|
+
if record.end_entity?
|
|
70
|
+
if certificate_match_tlsa_record?
|
|
71
|
+
'certificate match TLSA record'
|
|
72
|
+
else
|
|
73
|
+
'certificate does not match TLSA record'
|
|
74
|
+
end
|
|
75
|
+
else
|
|
76
|
+
# FIXME: For now, we only check the certificate, not the CA
|
|
77
|
+
'Unsupported certificate usage'
|
|
78
|
+
end
|
|
79
|
+
end
|
|
80
|
+
end
|
|
81
|
+
end
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
class Resolv
|
|
4
|
+
class DNS
|
|
5
|
+
class Resource
|
|
6
|
+
module IN
|
|
7
|
+
class TLSA
|
|
8
|
+
module CertificateUsage
|
|
9
|
+
PKIX_TA = 0
|
|
10
|
+
PKIX_EE = 1
|
|
11
|
+
DANE_TA = 2
|
|
12
|
+
DANE_EE = 3
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
module Selector
|
|
16
|
+
CERT = 0
|
|
17
|
+
SPKI = 1
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
module MatchingType
|
|
21
|
+
FULL = 0
|
|
22
|
+
SHA2_256 = 1
|
|
23
|
+
SHA2_512 = 2
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
def initialize(data)
|
|
27
|
+
@certificate_usage, @selector, @matching_type, @certificate_association_data = data.unpack('CCCH*')
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
attr_reader :certificate_usage, :selector, :matching_type, :certificate_association_data
|
|
31
|
+
|
|
32
|
+
def end_entity?
|
|
33
|
+
[CertificateUsage::PKIX_EE, CertificateUsage::DANE_EE].include?(certificate_usage)
|
|
34
|
+
end
|
|
35
|
+
end
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: internet_security_event
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0
|
|
4
|
+
version: 1.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Romain Tartière
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-02-
|
|
11
|
+
date: 2019-02-22 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: actionview
|
|
@@ -104,6 +104,7 @@ files:
|
|
|
104
104
|
- ".gitignore"
|
|
105
105
|
- ".rspec"
|
|
106
106
|
- ".travis.yml"
|
|
107
|
+
- CHANGELOG.md
|
|
107
108
|
- CODE_OF_CONDUCT.md
|
|
108
109
|
- Gemfile
|
|
109
110
|
- LICENSE.txt
|
|
@@ -115,8 +116,10 @@ files:
|
|
|
115
116
|
- lib/internet_security_event.rb
|
|
116
117
|
- lib/internet_security_event/now.rb
|
|
117
118
|
- lib/internet_security_event/tls_status.rb
|
|
119
|
+
- lib/internet_security_event/tlsa_status.rb
|
|
118
120
|
- lib/internet_security_event/version.rb
|
|
119
121
|
- lib/internet_security_event/x509_status.rb
|
|
122
|
+
- lib/resolv/dns/resource/in/tlsa.rb
|
|
120
123
|
homepage: https://github.com/smortex/internet_security_event
|
|
121
124
|
licenses:
|
|
122
125
|
- MIT
|