r509-cert-validator 0.0.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.gitignore +17 -0
- data/.rspec +1 -0
- data/.travis.yml +6 -0
- data/Gemfile +4 -0
- data/LICENSE.txt +22 -0
- data/README.md +70 -0
- data/Rakefile +8 -0
- data/lib/r509-cert-validator.rb +1 -0
- data/lib/r509/cert/validator.rb +62 -0
- data/lib/r509/cert/validator/basic_validator.rb +24 -0
- data/lib/r509/cert/validator/crl_validator.rb +40 -0
- data/lib/r509/cert/validator/errors.rb +14 -0
- data/lib/r509/cert/validator/ocsp_validator.rb +87 -0
- data/lib/r509/cert/validator/version.rb +7 -0
- data/lib/tasks/ca.rb +112 -0
- data/lib/tasks/helper.rb +33 -0
- data/r509-cert-validator.gemspec +31 -0
- data/spec/spec_helper.rb +11 -0
- data/spec/support/ca/.gitignore +5 -0
- data/spec/support/ca/config.yaml.erb +35 -0
- data/spec/support/ca_server.rb +29 -0
- data/spec/support/certs/README.md +15 -0
- data/spec/support/certs/ca.crt +21 -0
- data/spec/support/certs/digicert_ev.crt +39 -0
- data/spec/support/certs/github.crt +41 -0
- data/spec/support/certs/github_chain.crt +112 -0
- data/spec/support/certs/no_validator.crt +94 -0
- data/spec/validator_spec.rb +73 -0
- data/travis.sh +5 -0
- metadata +197 -0
checksums.yaml
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
---
|
|
2
|
+
SHA1:
|
|
3
|
+
metadata.gz: f1727921e4d1ea7764cfd809a42478d3ec8cb4cf
|
|
4
|
+
data.tar.gz: ecca2f905cfe41c45a7130d3eeb095fecff9693a
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: 711bb8c8d34ffbbefcd0859f512cee2056696f2d047ff8c60ed6d629186122c0986501914db7397d726e997da1ec5bf26e3d4469e277750fd80962102298e4db
|
|
7
|
+
data.tar.gz: 5f4d58440734468761e8f8eb9363246f3cb12a05de8dd0aa27ab0e33fe15d933d38f62c3f37efc0e08b270f9e174907c089676b582ca4fea58ba1ef3d358c483
|
data/.gitignore
ADDED
data/.rspec
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
--color
|
data/.travis.yml
ADDED
data/Gemfile
ADDED
data/LICENSE.txt
ADDED
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
Copyright (c) 2014 Bryce Kerley
|
|
2
|
+
|
|
3
|
+
MIT License
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
|
6
|
+
a copy of this software and associated documentation files (the
|
|
7
|
+
"Software"), to deal in the Software without restriction, including
|
|
8
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
|
9
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
|
10
|
+
permit persons to whom the Software is furnished to do so, subject to
|
|
11
|
+
the following conditions:
|
|
12
|
+
|
|
13
|
+
The above copyright notice and this permission notice shall be
|
|
14
|
+
included in all copies or substantial portions of the Software.
|
|
15
|
+
|
|
16
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
17
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
18
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
19
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
|
20
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
|
21
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
|
22
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.md
ADDED
|
@@ -0,0 +1,70 @@
|
|
|
1
|
+
# R509::Cert::Validator
|
|
2
|
+
|
|
3
|
+
Have an x.509 certificate that you need to validate against its Online
|
|
4
|
+
Certificate Status Protocol (OCSP) or Certificate Revocation List (CRL)
|
|
5
|
+
endpoint? This gem uses the `r509` library for x.509 processing, and performs
|
|
6
|
+
OCSP and CRL processing.
|
|
7
|
+
|
|
8
|
+
[](https://travis-ci.org/bkerley/r509-cert-validator)
|
|
9
|
+
[](https://codeclimate.com/github/bkerley/r509-cert-validator)
|
|
10
|
+
|
|
11
|
+
## Installation
|
|
12
|
+
|
|
13
|
+
Add this line to your application's Gemfile:
|
|
14
|
+
|
|
15
|
+
gem 'r509-cert-validator'
|
|
16
|
+
|
|
17
|
+
And then execute:
|
|
18
|
+
|
|
19
|
+
$ bundle
|
|
20
|
+
|
|
21
|
+
Or install it yourself as:
|
|
22
|
+
|
|
23
|
+
$ gem install r509-cert-validator
|
|
24
|
+
|
|
25
|
+
## Usage
|
|
26
|
+
|
|
27
|
+
```ruby
|
|
28
|
+
validator = R509::Cert::Validator.new @socket.peer_cert
|
|
29
|
+
|
|
30
|
+
# Returns false on invalid certificates
|
|
31
|
+
# Raises R509::Cert::Validator::Error when checking failed
|
|
32
|
+
validator.validate
|
|
33
|
+
|
|
34
|
+
# Raises R509::Cert::Validator::CrlError and
|
|
35
|
+
# R509::Cert::Validator::OcspError on invalid certificates
|
|
36
|
+
# Raises R509::Cert::Validator::Error when checking failed
|
|
37
|
+
validator.validate!
|
|
38
|
+
|
|
39
|
+
# OCSP and CRL checking are enabled when present in certificates, but
|
|
40
|
+
# can be disabled individually
|
|
41
|
+
validator.validate ocsp: false
|
|
42
|
+
validator.validate! crl: false
|
|
43
|
+
|
|
44
|
+
# Attempting to validate OCSP and/or CRL when a cert does not have them raises
|
|
45
|
+
# R509::Cert::Validator::Error
|
|
46
|
+
validator.validate ocsp: true
|
|
47
|
+
```
|
|
48
|
+
|
|
49
|
+
## Development and Testing
|
|
50
|
+
|
|
51
|
+
This library requires a bit of Public Key Infrastructure (PKI) for testing.
|
|
52
|
+
Fortunately, it's easy to set up.
|
|
53
|
+
|
|
54
|
+
0. Install dependencies with `bundle install`.
|
|
55
|
+
0. Optional: clean out the existing PKI with `rake ca:clean`
|
|
56
|
+
1. Generate a CA and testing certificates with `rake ca:all`
|
|
57
|
+
2. Start the CRL and OCSP endpoint with `bundle exec ruby spec/support/ca_server.rb`
|
|
58
|
+
and let it run. This command starts a web server on port 22022.
|
|
59
|
+
3. Run the specs with `bundle exec rspec`
|
|
60
|
+
4. CTRL-C or otherwise kill the CRL and OCSP server when you no longer need it.
|
|
61
|
+
|
|
62
|
+
This process is automated by `travis.sh`, and you can just run that :)
|
|
63
|
+
|
|
64
|
+
## Contributing
|
|
65
|
+
|
|
66
|
+
1. Fork it
|
|
67
|
+
2. Create your feature branch (`git checkout -b my-new-feature`)
|
|
68
|
+
3. Commit your changes (`git commit -am 'Add some feature'`)
|
|
69
|
+
4. Push to the branch (`git push origin my-new-feature`)
|
|
70
|
+
5. Create new Pull Request
|
data/Rakefile
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
require 'r509/cert/validator'
|
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
require 'r509'
|
|
2
|
+
%w{version errors basic_validator ocsp_validator crl_validator}.each do |f|
|
|
3
|
+
require "r509/cert/validator/#{f}"
|
|
4
|
+
end
|
|
5
|
+
|
|
6
|
+
module R509
|
|
7
|
+
class Cert
|
|
8
|
+
class Validator
|
|
9
|
+
# The certificate this Validator will validate
|
|
10
|
+
attr_reader :cert
|
|
11
|
+
|
|
12
|
+
def initialize(cert, issuer = nil)
|
|
13
|
+
if cert.is_a? OpenSSL::X509::Certificate
|
|
14
|
+
cert = R509::Cert.new cert: cert
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
if issuer.is_a? OpenSSL::X509::Certificate
|
|
18
|
+
cert = R509::Cert.new cert: cert
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
@cert = cert
|
|
22
|
+
@issuer = issuer
|
|
23
|
+
|
|
24
|
+
initialize_validators
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
def validate!(options={})
|
|
28
|
+
opts = { ocsp: @ocsp.available?, crl: @crl.available? }.merge options
|
|
29
|
+
|
|
30
|
+
if opts[:ocsp] && !@ocsp.available?
|
|
31
|
+
raise Error.new "Tried to validate OCSP but cert has no OCSP data"
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
if opts[:crl] && !@crl.available?
|
|
35
|
+
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
@ocsp.validate! if opts[:ocsp]
|
|
39
|
+
@crl.validate! if opts[:crl]
|
|
40
|
+
true
|
|
41
|
+
end
|
|
42
|
+
|
|
43
|
+
def validate(options={})
|
|
44
|
+
begin
|
|
45
|
+
validate! options
|
|
46
|
+
rescue OcspError
|
|
47
|
+
return false
|
|
48
|
+
rescue CrlError
|
|
49
|
+
return false
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
return true
|
|
53
|
+
end
|
|
54
|
+
|
|
55
|
+
private
|
|
56
|
+
def initialize_validators
|
|
57
|
+
@ocsp = OcspValidator.new @cert, @issuer
|
|
58
|
+
@crl = CrlValidator.new @cert, @issuer
|
|
59
|
+
end
|
|
60
|
+
end
|
|
61
|
+
end
|
|
62
|
+
end
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
require 'net/http'
|
|
2
|
+
|
|
3
|
+
module R509
|
|
4
|
+
class Cert
|
|
5
|
+
class Validator
|
|
6
|
+
class BasicValidator
|
|
7
|
+
def initialize(cert, issuer)
|
|
8
|
+
@cert = cert
|
|
9
|
+
@issuer = issuer
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
private
|
|
13
|
+
def get(uri)
|
|
14
|
+
resp = Net::HTTP.get_response URI(uri)
|
|
15
|
+
if resp.code != '200'
|
|
16
|
+
raise Error.new("Unexpected HTTP #{resp.code} from OCSP endpoint")
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
resp.body
|
|
20
|
+
end
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
end
|
|
24
|
+
end
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
module R509
|
|
2
|
+
class Cert
|
|
3
|
+
class Validator
|
|
4
|
+
class CrlValidator < BasicValidator
|
|
5
|
+
def available?
|
|
6
|
+
return false unless cdp
|
|
7
|
+
return false if uris.empty?
|
|
8
|
+
return true
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def validate!
|
|
12
|
+
unless available?
|
|
13
|
+
raise Error.new "Tried to validate CRL but cert has no CRL data"
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
body = R509::CRL::SignedList.new(get(uris.first))
|
|
17
|
+
|
|
18
|
+
unless body.verify @issuer.public_key
|
|
19
|
+
raise CrlError.new "CRL did not match certificate"
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
if body.revoked? @cert.serial
|
|
23
|
+
raise CrlError.new "CRL listed certificate as revoked"
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
return true
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
private
|
|
30
|
+
def cdp
|
|
31
|
+
@cert.crl_distribution_points
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def uris
|
|
35
|
+
cdp.uris
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
end
|
|
40
|
+
end
|
|
@@ -0,0 +1,87 @@
|
|
|
1
|
+
require 'base64'
|
|
2
|
+
|
|
3
|
+
module R509
|
|
4
|
+
class Cert
|
|
5
|
+
class Validator
|
|
6
|
+
class OcspValidator < BasicValidator
|
|
7
|
+
def available?
|
|
8
|
+
return false unless @issuer
|
|
9
|
+
return false unless aia && aia.ocsp
|
|
10
|
+
return false if ocsp_uris.empty?
|
|
11
|
+
return true
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
def validate!
|
|
15
|
+
unless available?
|
|
16
|
+
raise Error.new "Tried to validate OCSP but cert has no OCSP data"
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
uri = build_request_uri
|
|
20
|
+
body = R509::OCSP::Response.parse(get(uri))
|
|
21
|
+
|
|
22
|
+
check_ocsp_response body
|
|
23
|
+
check_ocsp_payload body.basic.status.first
|
|
24
|
+
return true
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
private
|
|
28
|
+
def build_request_uri
|
|
29
|
+
@req = OpenSSL::OCSP::Request.new
|
|
30
|
+
@req.add_nonce
|
|
31
|
+
@req.add_certid cert_id
|
|
32
|
+
pem = Base64.encode64(@req.to_der).strip
|
|
33
|
+
URI(ocsp_uris.first + '/' + URI.encode_www_form_component(pem))
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
def check_ocsp_response(body)
|
|
37
|
+
unless body.status == 0
|
|
38
|
+
raise OcspError.new "OCSP status was #{body.status}, expected 0"
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
unless body.verify(@issuer.cert)
|
|
42
|
+
raise OcspError.new "OCSP response did not match issuer"
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
unless body.basic.status.first
|
|
46
|
+
raise OcspError.new "OCSP response was missing payload"
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
if body.check_nonce(@req) != R509::OCSP::Request::Nonce::PRESENT_AND_EQUAL
|
|
50
|
+
raise OcspError.new "OCSP Nonce was not present and equal to request"
|
|
51
|
+
end
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
def check_ocsp_payload(basic)
|
|
55
|
+
if basic[0].serial != @cert.serial
|
|
56
|
+
raise OcspError.new "OCSP cert serial was #{basic[0].serial}, expected #{@cert.serial}"
|
|
57
|
+
end
|
|
58
|
+
|
|
59
|
+
if basic[1] == 1
|
|
60
|
+
raise OcspError.new "OCSP response indicates cert was revoked"
|
|
61
|
+
end
|
|
62
|
+
|
|
63
|
+
if basic[1] != 0
|
|
64
|
+
raise OcspError.new "OCSP response was #{basic[1]}, expected 0"
|
|
65
|
+
end
|
|
66
|
+
|
|
67
|
+
validity_range = (basic[4]..basic[5])
|
|
68
|
+
unless validity_range.cover? Time.now
|
|
69
|
+
raise OcspError.new "OCSP response outside validity window"
|
|
70
|
+
end
|
|
71
|
+
end
|
|
72
|
+
|
|
73
|
+
def aia
|
|
74
|
+
@aia ||= @cert.authority_info_access
|
|
75
|
+
end
|
|
76
|
+
|
|
77
|
+
def ocsp_uris
|
|
78
|
+
aia.ocsp.uris
|
|
79
|
+
end
|
|
80
|
+
|
|
81
|
+
def cert_id
|
|
82
|
+
@cert_id ||= OpenSSL::OCSP::CertificateId.new @cert.cert, @issuer.cert
|
|
83
|
+
end
|
|
84
|
+
end
|
|
85
|
+
end
|
|
86
|
+
end
|
|
87
|
+
end
|
data/lib/tasks/ca.rb
ADDED
|
@@ -0,0 +1,112 @@
|
|
|
1
|
+
require 'r509'
|
|
2
|
+
require 'erb'
|
|
3
|
+
require_relative 'helper'
|
|
4
|
+
|
|
5
|
+
namespace :ca do
|
|
6
|
+
desc 'Generate all the certificates for testing'
|
|
7
|
+
task :all => %i{ good ocsp_only crl_only empty revoked }
|
|
8
|
+
|
|
9
|
+
task :clean do
|
|
10
|
+
Dir.chdir 'spec/support/ca' do
|
|
11
|
+
sh 'rm -f *.crt *.crl *.key *.txt *.yaml'
|
|
12
|
+
end
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
desc 'Generate a signing CA for testing certificates'
|
|
16
|
+
task :root => 'spec/support/ca/root.key'
|
|
17
|
+
file 'spec/support/ca/root.key' do |t|
|
|
18
|
+
subject = OpenSSL::X509::Name.new
|
|
19
|
+
'C=US/ST=Florida/L=Miami/O=r509-cert-validator/CN='.split('/').each do |s|
|
|
20
|
+
key, value = s.split '=', 2
|
|
21
|
+
subject.add_entry key, value
|
|
22
|
+
end
|
|
23
|
+
csr = CaHelper.csr
|
|
24
|
+
cert = R509::CertificateAuthority::Signer.selfsign(
|
|
25
|
+
csr: csr,
|
|
26
|
+
not_after: (Time.now.to_i + (86400 * 3650)),
|
|
27
|
+
message_digest: 'sha1'
|
|
28
|
+
)
|
|
29
|
+
|
|
30
|
+
csr.key.write_pem 'spec/support/ca/root.key'
|
|
31
|
+
cert.write_pem 'spec/support/ca/root.crt'
|
|
32
|
+
|
|
33
|
+
sh "touch spec/support/ca/rcv_spec_list.txt"
|
|
34
|
+
sh "touch spec/support/ca/rcv_spec_crlnumber.txt"
|
|
35
|
+
end
|
|
36
|
+
file 'spec/support/ca/root.crt' => 'spec/support/ca/root.key'
|
|
37
|
+
file 'spec/support/ca/rcv_spec_list.txt' => 'spec/support/ca/root.key'
|
|
38
|
+
file 'spec/support/ca/rcv_spec_crlnumber.txt' => 'spec/support/ca/root.key
|
|
39
|
+
'
|
|
40
|
+
|
|
41
|
+
file 'spec/support/ca/config.yaml' => 'spec/support/ca/config.yaml.erb' do |s|
|
|
42
|
+
erb = ERB.new File.read s.prerequisites.first
|
|
43
|
+
b = binding
|
|
44
|
+
cert_path = File.expand_path 'spec/support/ca/'
|
|
45
|
+
File.open s.name, 'w' do |f|
|
|
46
|
+
f.write erb.result b
|
|
47
|
+
end
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
desc 'Generate a valid certificate with CRL and OCSP data'
|
|
51
|
+
task :good => 'spec/support/ca/good.crt'
|
|
52
|
+
file 'spec/support/ca/good.crt' => [:root, 'spec/support/ca/config.yaml'] do
|
|
53
|
+
ca = CaHelper.ca
|
|
54
|
+
csr = CaHelper.options_builder.build_and_enforce(
|
|
55
|
+
csr: CaHelper.csr,
|
|
56
|
+
profile_name: 'good'
|
|
57
|
+
)
|
|
58
|
+
|
|
59
|
+
cert = ca.sign csr
|
|
60
|
+
cert.write_pem 'spec/support/ca/good.crt'
|
|
61
|
+
end
|
|
62
|
+
|
|
63
|
+
desc 'Generate a valid certificate with only CRL data'
|
|
64
|
+
task :crl_only => 'spec/support/ca/crl_only.crt'
|
|
65
|
+
file 'spec/support/ca/crl_only.crt' => [:root, 'spec/support/ca/config.yaml'] do |t|
|
|
66
|
+
ca = CaHelper.ca
|
|
67
|
+
csr = CaHelper.options_builder.build_and_enforce(
|
|
68
|
+
csr: CaHelper.csr,
|
|
69
|
+
profile_name: 'crl_only'
|
|
70
|
+
)
|
|
71
|
+
cert = ca.sign csr
|
|
72
|
+
cert.write_pem 'spec/support/ca/crl_only.crt'
|
|
73
|
+
end
|
|
74
|
+
|
|
75
|
+
desc 'Generate a valid certificate with only OCSP data'
|
|
76
|
+
task :ocsp_only => 'spec/support/ca/ocsp_only.crt'
|
|
77
|
+
file 'spec/support/ca/ocsp_only.crt' => [:root, 'spec/support/ca/config.yaml'] do |t|
|
|
78
|
+
ca = CaHelper.ca
|
|
79
|
+
csr = CaHelper.options_builder.build_and_enforce(
|
|
80
|
+
csr: CaHelper.csr,
|
|
81
|
+
profile_name: 'ocsp_only'
|
|
82
|
+
)
|
|
83
|
+
cert = ca.sign csr
|
|
84
|
+
cert.write_pem 'spec/support/ca/ocsp_only.crt'
|
|
85
|
+
end
|
|
86
|
+
|
|
87
|
+
desc 'Generate a certificate and revoke it in both CRL and OCSP'
|
|
88
|
+
task :revoked => 'spec/support/ca/revoked.crt'
|
|
89
|
+
file 'spec/support/ca/revoked.crt' => [:root, 'spec/support/ca/config.yaml'] do |t|
|
|
90
|
+
ca = CaHelper.ca
|
|
91
|
+
csr = CaHelper.options_builder.build_and_enforce(
|
|
92
|
+
csr: CaHelper.csr,
|
|
93
|
+
profile_name: 'good'
|
|
94
|
+
)
|
|
95
|
+
|
|
96
|
+
cert = ca.sign csr
|
|
97
|
+
cert.write_pem 'spec/support/ca/revoked.crt'
|
|
98
|
+
|
|
99
|
+
admin = R509::CRL::Administrator.new CaHelper.pool['rcv_spec_ca']
|
|
100
|
+
admin.revoke_cert cert.serial
|
|
101
|
+
crl = admin.generate_crl
|
|
102
|
+
crl.write_pem 'spec/support/ca/rcv_spec.crl'
|
|
103
|
+
end
|
|
104
|
+
|
|
105
|
+
desc 'Generate a valid certificate with no CRL or OCSP data'
|
|
106
|
+
task :empty => 'spec/support/ca/empty.crt'
|
|
107
|
+
file 'spec/support/ca/empty.crt' => [:root, 'spec/support/ca/config.yaml'] do
|
|
108
|
+
ca = CaHelper.ca
|
|
109
|
+
cert = ca.sign csr: CaHelper.csr
|
|
110
|
+
cert.write_pem 'spec/support/ca/empty.crt'
|
|
111
|
+
end
|
|
112
|
+
end
|
data/lib/tasks/helper.rb
ADDED
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
require 'r509'
|
|
2
|
+
|
|
3
|
+
module CaHelper
|
|
4
|
+
def self.csr
|
|
5
|
+
R509::CSR.new(
|
|
6
|
+
subject: {
|
|
7
|
+
C: 'US',
|
|
8
|
+
ST: 'Florida',
|
|
9
|
+
L: 'Miami',
|
|
10
|
+
O: 'r509-cert-validator',
|
|
11
|
+
CN: 'localhost'
|
|
12
|
+
},
|
|
13
|
+
bit_length: 512,
|
|
14
|
+
type: 'RSA',
|
|
15
|
+
message_digest: 'sha1'
|
|
16
|
+
)
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def self.ca
|
|
20
|
+
@ca ||= R509::CertificateAuthority::Signer.new pool['rcv_spec_ca']
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
def self.options_builder
|
|
24
|
+
@builder ||= R509::CertificateAuthority::OptionsBuilder.new pool['rcv_spec_ca']
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
def self.pool
|
|
28
|
+
@pool ||= R509::Config::CAConfigPool.from_yaml(
|
|
29
|
+
'certificate_authorities',
|
|
30
|
+
File.read('spec/support/ca/config.yaml')
|
|
31
|
+
)
|
|
32
|
+
end
|
|
33
|
+
end
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
# coding: utf-8
|
|
2
|
+
lib = File.expand_path('../lib', __FILE__)
|
|
3
|
+
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
|
4
|
+
require 'r509/cert/validator/version'
|
|
5
|
+
|
|
6
|
+
Gem::Specification.new do |spec|
|
|
7
|
+
spec.name = "r509-cert-validator"
|
|
8
|
+
spec.version = R509::Cert::Validator::VERSION
|
|
9
|
+
spec.authors = ["Bryce Kerley"]
|
|
10
|
+
spec.email = ["bkerley@brycekerley.net"]
|
|
11
|
+
spec.description = %q{Tool for validating x509 certificates against CRLs and OCSP.}
|
|
12
|
+
spec.summary = %q{An r509-based tool for validating x509 certificates against CRLs and OCSP.}
|
|
13
|
+
spec.homepage = ""
|
|
14
|
+
spec.license = "MIT"
|
|
15
|
+
|
|
16
|
+
spec.files = `git ls-files`.split($/)
|
|
17
|
+
spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
|
|
18
|
+
spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
|
|
19
|
+
spec.require_paths = ["lib"]
|
|
20
|
+
|
|
21
|
+
spec.required_ruby_version = '~> 2.0'
|
|
22
|
+
|
|
23
|
+
spec.add_development_dependency "bundler", "~> 1.3"
|
|
24
|
+
spec.add_development_dependency "rake", "~> 10.1.1"
|
|
25
|
+
spec.add_development_dependency "rspec", "~> 2.14.1"
|
|
26
|
+
spec.add_development_dependency 'rack', '~> 1.5.2'
|
|
27
|
+
spec.add_development_dependency 'puma', '~> 2.7.1'
|
|
28
|
+
spec.add_development_dependency 'r509-ocsp-responder', '~> 0.3.3'
|
|
29
|
+
spec.add_development_dependency 'r509-validity-crl', '~> 0.1.1'
|
|
30
|
+
spec.add_runtime_dependency "r509", "~> 0.10.0"
|
|
31
|
+
end
|
data/spec/spec_helper.rb
ADDED
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
require 'r509/cert/validator'
|
|
2
|
+
|
|
3
|
+
def load_cert(name)
|
|
4
|
+
path = File.join(File.dirname(__FILE__), 'support', 'ca', name)
|
|
5
|
+
data = File.read path
|
|
6
|
+
return OpenSSL::X509::Certificate.new data
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
def cert(name)
|
|
10
|
+
R509::Cert.new cert: load_cert(name)
|
|
11
|
+
end
|
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
---
|
|
2
|
+
copy_nonce: true
|
|
3
|
+
certificate_authorities:
|
|
4
|
+
rcv_spec_ca:
|
|
5
|
+
ca_cert:
|
|
6
|
+
cert: <%= cert_path %>/root.crt
|
|
7
|
+
key: <%= cert_path %>/root.key
|
|
8
|
+
ocsp_start_skew_seconds: 3600
|
|
9
|
+
ocsp_validity_hours: 168
|
|
10
|
+
crl_list_file: <%= cert_path %>/rcv_spec_list.txt
|
|
11
|
+
crl_number_file: <%= cert_path %>/rcv_spec_crlnumber.txt
|
|
12
|
+
crl_validity_hours: 87600
|
|
13
|
+
crl_md: SHA1
|
|
14
|
+
profiles:
|
|
15
|
+
good:
|
|
16
|
+
authority_info_access:
|
|
17
|
+
:ocsp_location:
|
|
18
|
+
- :type: URI
|
|
19
|
+
:value: http://localhost:22022/ocsp
|
|
20
|
+
crl_distribution_points:
|
|
21
|
+
:value:
|
|
22
|
+
- :type: URI
|
|
23
|
+
:value: http://localhost:22022/crl
|
|
24
|
+
crl_only:
|
|
25
|
+
crl_distribution_points:
|
|
26
|
+
:value:
|
|
27
|
+
- :type: URI
|
|
28
|
+
:value: http://localhost:22022/crl
|
|
29
|
+
ocsp_only:
|
|
30
|
+
authority_info_access:
|
|
31
|
+
:ocsp_location:
|
|
32
|
+
- :type: URI
|
|
33
|
+
:value: http://localhost:22022/ocsp
|
|
34
|
+
certwriter:
|
|
35
|
+
path: <%= cert_path %>
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
require 'r509/ocsp/responder/server'
|
|
2
|
+
require 'r509/validity/crl'
|
|
3
|
+
require 'dependo'
|
|
4
|
+
require 'logger'
|
|
5
|
+
require 'rack'
|
|
6
|
+
|
|
7
|
+
crl_paths = [File.join(File.dirname(__FILE__), 'ca/rcv_spec.crl')]
|
|
8
|
+
|
|
9
|
+
reload_interval = '5s' #yolo
|
|
10
|
+
Dependo::Registry[:validity_checker] = R509::Validity::CRL::Checker.new(
|
|
11
|
+
crl_paths,
|
|
12
|
+
reload_interval
|
|
13
|
+
)
|
|
14
|
+
Dependo::Registry[:log] = Logger.new STDERR
|
|
15
|
+
|
|
16
|
+
Dir.chdir File.join(File.dirname(__FILE__), 'ca') do
|
|
17
|
+
R509::OCSP::Responder::OCSPConfig.load_config
|
|
18
|
+
end
|
|
19
|
+
R509::OCSP::Responder::OCSPConfig.print_config
|
|
20
|
+
|
|
21
|
+
responder = R509::OCSP::Responder::Server
|
|
22
|
+
|
|
23
|
+
Rack::Server.start(
|
|
24
|
+
app: Rack::URLMap.new(
|
|
25
|
+
'/ocsp' => R509::OCSP::Responder::Server,
|
|
26
|
+
'/crl' => Rack::File.new(File.join(File.dirname(__FILE__), 'ca', 'rcv_spec.crl'))
|
|
27
|
+
),
|
|
28
|
+
Port: 22022
|
|
29
|
+
)
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
**DO NOT USE THESE IN PRODUCTION**
|
|
2
|
+
|
|
3
|
+
This directory has certificates and a key for testing Riak authentication.
|
|
4
|
+
|
|
5
|
+
* no_validator.crt - a certificate with no CRL or OCSP data
|
|
6
|
+
* ca.crt - a certificate for the CA that issued no_validator.crt
|
|
7
|
+
* github_chain.crt - the complete set of certificates presented by
|
|
8
|
+
https://github.com at 6:48 PM US Eastern time on Feb. 6, 2014. This
|
|
9
|
+
certificate has CRL and OCSP endpoints.
|
|
10
|
+
* github.crt - the GitHub certificate from above
|
|
11
|
+
* digicert_ev.crt - the Digicert EV CA that issued github.crt
|
|
12
|
+
|
|
13
|
+
**DO NOT USE THESE IN PRODUCTION**
|
|
14
|
+
|
|
15
|
+
These were generated using https://github.com/basho-labs/riak-ruby-ca .
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
-----BEGIN CERTIFICATE-----
|
|
2
|
+
MIIDjDCCAnQCCQDrkNSIB3EtsDANBgkqhkiG9w0BAQUFADCBhzELMAkGA1UEBhMC
|
|
3
|
+
VVMxEDAOBgNVBAgMB0Zsb3JpZGExDjAMBgNVBAcMBU1pYW1pMQ4wDAYDVQQKDAVC
|
|
4
|
+
YXNobzEZMBcGA1UECwwQUmlhayBSdWJ5IENsaWVudDELMAkGA1UEAwwCQ0ExHjAc
|
|
5
|
+
BgkqhkiG9w0BCQEWD2JyeWNlQGJhc2hvLmNvbTAeFw0xNDAyMDUxNjI5MDBaFw0x
|
|
6
|
+
MzA4MDUxNjI5MDBaMIGHMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHRmxvcmlkYTEO
|
|
7
|
+
MAwGA1UEBwwFTWlhbWkxDjAMBgNVBAoMBUJhc2hvMRkwFwYDVQQLDBBSaWFrIFJ1
|
|
8
|
+
YnkgQ2xpZW50MQswCQYDVQQDDAJDQTEeMBwGCSqGSIb3DQEJARYPYnJ5Y2VAYmFz
|
|
9
|
+
aG8uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0OuLzsUEbF53
|
|
10
|
+
BGhI1uLbwAK+DoWWQL0kPB0cCFYXkfR0Y/wCeq0iDgwq0+CR2otmcMR8Sg13h8dm
|
|
11
|
+
YfKWnKeVh1uvWDasE9t1BXvi0b8gunwMvSz2DKwyxYqjI8+PGmL6tg2lcmlC/eHA
|
|
12
|
+
Y6ObowXycMW5mugcp524yeWpsJ+YBnDPwctKtMJExPAl4mZp9Y5kffeROBrWwkeg
|
|
13
|
+
1nbB1GJCPw9t2/4kMl7ksa7/b6dKbq/ra/zcfB0b0BC8dkoTKgcSaGVycFguIn1R
|
|
14
|
+
Xn0i3ruwN644ODt/H/3qQp1Qyh/jrz/aRMjuk/3jpwwzo5buoUYgk8FVGnG4x+FE
|
|
15
|
+
S+trFWOs7QIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBFxRahSTOmyYtqbcrDG7S5
|
|
16
|
+
eLghOpUr1jXU3dfVOf+/1u9g/HZCXYGPr+tRw+OsxiR5Cw6U8Nj2gQdZmsCkVMRp
|
|
17
|
+
3XUE2Wo5O+ogaV4l68ODZ+uS1yxjvRqoOC0M1/XtihCvNJtpLiaRMxysARp4wnH2
|
|
18
|
+
ReksBUMxwDl2tEYcczTXRiKRk2QL6BeQ+l08O9scbSjClso8Wfq+z5Z+qSuFwjC9
|
|
19
|
+
LpxR6aEc6HVnKgio/Pi+6MJwP7NafBXVfTUK9RoFnG8F/fPAbAPqxXK1qYoTHzHr
|
|
20
|
+
d44rhxSOHHNDq3074VlBbMtx+NvCoIk3k5/5Am1rmezxGtA9ESofEgSo1/H9oQYH
|
|
21
|
+
-----END CERTIFICATE-----
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
-----BEGIN CERTIFICATE-----
|
|
2
|
+
MIIG5jCCBc6gAwIBAgIQAze5KDR8YKauxa2xIX84YDANBgkqhkiG9w0BAQUFADBs
|
|
3
|
+
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
|
|
4
|
+
d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
|
|
5
|
+
ZSBFViBSb290IENBMB4XDTA3MTEwOTEyMDAwMFoXDTIxMTExMDAwMDAwMFowaTEL
|
|
6
|
+
MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
|
|
7
|
+
LmRpZ2ljZXJ0LmNvbTEoMCYGA1UEAxMfRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug
|
|
8
|
+
RVYgQ0EtMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPOWYth1bhn/
|
|
9
|
+
PzR8SU8xfg0ETpmB4rOFVZEwscCvcLssqOcYqj9495BoUoYBiJfiOwZlkKq9ZXbC
|
|
10
|
+
7L4QWzd4g2B1Rca9dKq2n6Q6AVAXxDlpufFP74LByvNK28yeUE9NQKM6kOeGZrzw
|
|
11
|
+
PnYoTNF1gJ5qNRQ1A57bDIzCKK1Qss72kaPDpQpYSfZ1RGy6+c7pqzoC4E3zrOJ6
|
|
12
|
+
4GAiBTyC01Li85xH+DvYskuTVkq/cKs+6WjIHY9YHSpNXic9rQpZL1oRIEDZaARo
|
|
13
|
+
LfTAhAsKG3jf7RpY3PtBWm1r8u0c7lwytlzs16YDMqbo3rcoJ1mIgP97rYlY1R4U
|
|
14
|
+
pPKwcNSgPqcCAwEAAaOCA4UwggOBMA4GA1UdDwEB/wQEAwIBhjA7BgNVHSUENDAy
|
|
15
|
+
BggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUH
|
|
16
|
+
AwgwggHEBgNVHSAEggG7MIIBtzCCAbMGCWCGSAGG/WwCATCCAaQwOgYIKwYBBQUH
|
|
17
|
+
AgEWLmh0dHA6Ly93d3cuZGlnaWNlcnQuY29tL3NzbC1jcHMtcmVwb3NpdG9yeS5o
|
|
18
|
+
dG0wggFkBggrBgEFBQcCAjCCAVYeggFSAEEAbgB5ACAAdQBzAGUAIABvAGYAIAB0
|
|
19
|
+
AGgAaQBzACAAQwBlAHIAdABpAGYAaQBjAGEAdABlACAAYwBvAG4AcwB0AGkAdAB1
|
|
20
|
+
AHQAZQBzACAAYQBjAGMAZQBwAHQAYQBuAGMAZQAgAG8AZgAgAHQAaABlACAARABp
|
|
21
|
+
AGcAaQBDAGUAcgB0ACAARQBWACAAQwBQAFMAIABhAG4AZAAgAHQAaABlACAAUgBl
|
|
22
|
+
AGwAeQBpAG4AZwAgAFAAYQByAHQAeQAgAEEAZwByAGUAZQBtAGUAbgB0ACAAdwBo
|
|
23
|
+
AGkAYwBoACAAbABpAG0AaQB0ACAAbABpAGEAYgBpAGwAaQB0AHkAIABhAG4AZAAg
|
|
24
|
+
AGEAcgBlACAAaQBuAGMAbwByAHAAbwByAGEAdABlAGQAIABoAGUAcgBlAGkAbgAg
|
|
25
|
+
AGIAeQAgAHIAZQBmAGUAcgBlAG4AYwBlAC4wEgYDVR0TAQH/BAgwBgEB/wIBADCB
|
|
26
|
+
gwYIKwYBBQUHAQEEdzB1MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
|
|
27
|
+
dC5jb20wTQYIKwYBBQUHMAKGQWh0dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NBQ2Vy
|
|
28
|
+
dHMvRGlnaUNlcnRIaWdoQXNzdXJhbmNlRVZSb290Q0EuY3J0MIGPBgNVHR8EgYcw
|
|
29
|
+
gYQwQKA+oDyGOmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEhpZ2hB
|
|
30
|
+
c3N1cmFuY2VFVlJvb3RDQS5jcmwwQKA+oDyGOmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0
|
|
31
|
+
LmNvbS9EaWdpQ2VydEhpZ2hBc3N1cmFuY2VFVlJvb3RDQS5jcmwwHQYDVR0OBBYE
|
|
32
|
+
FExYyyXwQU9S9CjIgUObpqig5pLlMB8GA1UdIwQYMBaAFLE+w2kD+L9HAdSYJhoI
|
|
33
|
+
Au9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQBMeheHKF0XvLIyc7/NLvVYMR3wsXFU
|
|
34
|
+
nNabZ5PbLwM+Fm8eA8lThKNWYB54lBuiqG+jpItSkdfdXJW777UWSemlQk808kf/
|
|
35
|
+
roF/E1S3IMRwFcuBCoHLdFfcnN8kpCkMGPAc5K4HM+zxST5Vz25PDVR708noFUjU
|
|
36
|
+
xbvcNRx3RQdIRYW9135TuMAW2ZXNi419yWBP0aKb49Aw1rRzNubS+QOy46T15bg+
|
|
37
|
+
BEkAui6mSnKDcp33C4ypieez12Qf1uNgywPE3IjpnSUBAHHLA7QpYCWP+UbRe3Gu
|
|
38
|
+
zVMSW4SOwg/H7ZMZ2cn6j1g0djIvruFQFGHUqFijyDATI+/GJYw2jxyA
|
|
39
|
+
-----END CERTIFICATE-----
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
-----BEGIN CERTIFICATE-----
|
|
2
|
+
MIIHOjCCBiKgAwIBAgIQBH++LkveAITSyvjj7P5wWDANBgkqhkiG9w0BAQUFADBp
|
|
3
|
+
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
|
|
4
|
+
d3cuZGlnaWNlcnQuY29tMSgwJgYDVQQDEx9EaWdpQ2VydCBIaWdoIEFzc3VyYW5j
|
|
5
|
+
ZSBFViBDQS0xMB4XDTEzMDYxMDAwMDAwMFoXDTE1MDkwMjEyMDAwMFowgfAxHTAb
|
|
6
|
+
BgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYBBAGCNzwCAQMTAlVT
|
|
7
|
+
MRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYDVQQFEwc1MTU3NTUwMRcw
|
|
8
|
+
FQYDVQQJEw41NDggNHRoIFN0cmVldDEOMAwGA1UEERMFOTQxMDcxCzAJBgNVBAYT
|
|
9
|
+
AlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
|
|
10
|
+
MRUwEwYDVQQKEwxHaXRIdWIsIEluYy4xEzARBgNVBAMTCmdpdGh1Yi5jb20wggEi
|
|
11
|
+
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDt04nDXXByCfMzTxpydNm2WpVQ
|
|
12
|
+
u2hhn/f7Hxnh2gQxrxV8Gn/5c68d5UMrVgkARWlK6MRb38J3UlEZW9Er2TllNqAy
|
|
13
|
+
GRxBc/sysj2fmOyCWws3ZDkstxCDcs3w6iRL+tmULsOFFTmpOvaI2vQniaaVT4Si
|
|
14
|
+
N058JXg6yYNtAheVeH1HqFWD7hPIGRqzPPFf/jsC4YX7EWarCV2fTEPwxyReKXIo
|
|
15
|
+
ztR1aE8kcimuOSj8341PTYNzdAxvEZun3WLe/+LrF+b/DL/ALTE71lmi8t2HSkh7
|
|
16
|
+
bTMRFE00nzI49sgZnfG2PcVG71ELisYz7UhhxB0XG718tmfpOc+lUoAK9OrNAgMB
|
|
17
|
+
AAGjggNUMIIDUDAfBgNVHSMEGDAWgBRMWMsl8EFPUvQoyIFDm6aooOaS5TAdBgNV
|
|
18
|
+
HQ4EFgQUh9GPGW7kh29TjHeRB1Dfo79VRyAwJQYDVR0RBB4wHIIKZ2l0aHViLmNv
|
|
19
|
+
bYIOd3d3LmdpdGh1Yi5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsG
|
|
20
|
+
AQUFBwMBBggrBgEFBQcDAjBjBgNVHR8EXDBaMCugKaAnhiVodHRwOi8vY3JsMy5k
|
|
21
|
+
aWdpY2VydC5jb20vZXZjYTEtZzIuY3JsMCugKaAnhiVodHRwOi8vY3JsNC5kaWdp
|
|
22
|
+
Y2VydC5jb20vZXZjYTEtZzIuY3JsMIIBxAYDVR0gBIIBuzCCAbcwggGzBglghkgB
|
|
23
|
+
hv1sAgEwggGkMDoGCCsGAQUFBwIBFi5odHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9z
|
|
24
|
+
c2wtY3BzLXJlcG9zaXRvcnkuaHRtMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4A
|
|
25
|
+
eQAgAHUAcwBlACAAbwBmACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQA
|
|
26
|
+
ZQAgAGMAbwBuAHMAdABpAHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUA
|
|
27
|
+
IABvAGYAIAB0AGgAZQAgAEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABTACAA
|
|
28
|
+
YQBuAGQAIAB0AGgAZQAgAFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABBAGcA
|
|
29
|
+
cgBlAGUAbQBlAG4AdAAgAHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBhAGIA
|
|
30
|
+
aQBsAGkAdAB5ACAAYQBuAGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQA
|
|
31
|
+
ZQBkACAAaABlAHIAZQBpAG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMH0G
|
|
32
|
+
CCsGAQUFBwEBBHEwbzAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQu
|
|
33
|
+
Y29tMEcGCCsGAQUFBzAChjtodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGln
|
|
34
|
+
aUNlcnRIaWdoQXNzdXJhbmNlRVZDQS0xLmNydDAMBgNVHRMBAf8EAjAAMA0GCSqG
|
|
35
|
+
SIb3DQEBBQUAA4IBAQBfFW1nwzrVo94WnEUzJtU9yRZ0NMqHSBsUkG31q0eGufW4
|
|
36
|
+
4wFFZWjuqRJ1n3Ym7xF8fTjP3fdKGQnxIHKSsE0nuuh/XbQX5DpBJknHdGFoLwY8
|
|
37
|
+
xZ9JPI57vgvzLo8+fwHyZp3Vm/o5IYLEQViSo+nlOSUQ8YAVqu6KcsP/e612UiqS
|
|
38
|
+
+UMBmgdx9KPDDzZy4MJZC2hbfUoXj9A54mJN8cuEOPyw3c3yKOcq/h48KzVguQXi
|
|
39
|
+
SdJbwfqNIbQ9oJM+YzDjzS62+TCtNSNWzWbwABZCmuQxK0oEOSbTmbhxUF7rND3/
|
|
40
|
+
+mx9u8cY//7uAxLWYS5gIZlCbxcf0lkiKSHJB319
|
|
41
|
+
-----END CERTIFICATE-----
|
|
@@ -0,0 +1,112 @@
|
|
|
1
|
+
CONNECTED(00000003)
|
|
2
|
+
---
|
|
3
|
+
Certificate chain
|
|
4
|
+
0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
|
|
5
|
+
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
|
|
6
|
+
-----BEGIN CERTIFICATE-----
|
|
7
|
+
MIIHOjCCBiKgAwIBAgIQBH++LkveAITSyvjj7P5wWDANBgkqhkiG9w0BAQUFADBp
|
|
8
|
+
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
|
|
9
|
+
d3cuZGlnaWNlcnQuY29tMSgwJgYDVQQDEx9EaWdpQ2VydCBIaWdoIEFzc3VyYW5j
|
|
10
|
+
ZSBFViBDQS0xMB4XDTEzMDYxMDAwMDAwMFoXDTE1MDkwMjEyMDAwMFowgfAxHTAb
|
|
11
|
+
BgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYBBAGCNzwCAQMTAlVT
|
|
12
|
+
MRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYDVQQFEwc1MTU3NTUwMRcw
|
|
13
|
+
FQYDVQQJEw41NDggNHRoIFN0cmVldDEOMAwGA1UEERMFOTQxMDcxCzAJBgNVBAYT
|
|
14
|
+
AlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
|
|
15
|
+
MRUwEwYDVQQKEwxHaXRIdWIsIEluYy4xEzARBgNVBAMTCmdpdGh1Yi5jb20wggEi
|
|
16
|
+
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDt04nDXXByCfMzTxpydNm2WpVQ
|
|
17
|
+
u2hhn/f7Hxnh2gQxrxV8Gn/5c68d5UMrVgkARWlK6MRb38J3UlEZW9Er2TllNqAy
|
|
18
|
+
GRxBc/sysj2fmOyCWws3ZDkstxCDcs3w6iRL+tmULsOFFTmpOvaI2vQniaaVT4Si
|
|
19
|
+
N058JXg6yYNtAheVeH1HqFWD7hPIGRqzPPFf/jsC4YX7EWarCV2fTEPwxyReKXIo
|
|
20
|
+
ztR1aE8kcimuOSj8341PTYNzdAxvEZun3WLe/+LrF+b/DL/ALTE71lmi8t2HSkh7
|
|
21
|
+
bTMRFE00nzI49sgZnfG2PcVG71ELisYz7UhhxB0XG718tmfpOc+lUoAK9OrNAgMB
|
|
22
|
+
AAGjggNUMIIDUDAfBgNVHSMEGDAWgBRMWMsl8EFPUvQoyIFDm6aooOaS5TAdBgNV
|
|
23
|
+
HQ4EFgQUh9GPGW7kh29TjHeRB1Dfo79VRyAwJQYDVR0RBB4wHIIKZ2l0aHViLmNv
|
|
24
|
+
bYIOd3d3LmdpdGh1Yi5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsG
|
|
25
|
+
AQUFBwMBBggrBgEFBQcDAjBjBgNVHR8EXDBaMCugKaAnhiVodHRwOi8vY3JsMy5k
|
|
26
|
+
aWdpY2VydC5jb20vZXZjYTEtZzIuY3JsMCugKaAnhiVodHRwOi8vY3JsNC5kaWdp
|
|
27
|
+
Y2VydC5jb20vZXZjYTEtZzIuY3JsMIIBxAYDVR0gBIIBuzCCAbcwggGzBglghkgB
|
|
28
|
+
hv1sAgEwggGkMDoGCCsGAQUFBwIBFi5odHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9z
|
|
29
|
+
c2wtY3BzLXJlcG9zaXRvcnkuaHRtMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4A
|
|
30
|
+
eQAgAHUAcwBlACAAbwBmACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQA
|
|
31
|
+
ZQAgAGMAbwBuAHMAdABpAHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUA
|
|
32
|
+
IABvAGYAIAB0AGgAZQAgAEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABTACAA
|
|
33
|
+
YQBuAGQAIAB0AGgAZQAgAFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABBAGcA
|
|
34
|
+
cgBlAGUAbQBlAG4AdAAgAHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBhAGIA
|
|
35
|
+
aQBsAGkAdAB5ACAAYQBuAGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQA
|
|
36
|
+
ZQBkACAAaABlAHIAZQBpAG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMH0G
|
|
37
|
+
CCsGAQUFBwEBBHEwbzAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQu
|
|
38
|
+
Y29tMEcGCCsGAQUFBzAChjtodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGln
|
|
39
|
+
aUNlcnRIaWdoQXNzdXJhbmNlRVZDQS0xLmNydDAMBgNVHRMBAf8EAjAAMA0GCSqG
|
|
40
|
+
SIb3DQEBBQUAA4IBAQBfFW1nwzrVo94WnEUzJtU9yRZ0NMqHSBsUkG31q0eGufW4
|
|
41
|
+
4wFFZWjuqRJ1n3Ym7xF8fTjP3fdKGQnxIHKSsE0nuuh/XbQX5DpBJknHdGFoLwY8
|
|
42
|
+
xZ9JPI57vgvzLo8+fwHyZp3Vm/o5IYLEQViSo+nlOSUQ8YAVqu6KcsP/e612UiqS
|
|
43
|
+
+UMBmgdx9KPDDzZy4MJZC2hbfUoXj9A54mJN8cuEOPyw3c3yKOcq/h48KzVguQXi
|
|
44
|
+
SdJbwfqNIbQ9oJM+YzDjzS62+TCtNSNWzWbwABZCmuQxK0oEOSbTmbhxUF7rND3/
|
|
45
|
+
+mx9u8cY//7uAxLWYS5gIZlCbxcf0lkiKSHJB319
|
|
46
|
+
-----END CERTIFICATE-----
|
|
47
|
+
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
|
|
48
|
+
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
|
|
49
|
+
-----BEGIN CERTIFICATE-----
|
|
50
|
+
MIIG5jCCBc6gAwIBAgIQAze5KDR8YKauxa2xIX84YDANBgkqhkiG9w0BAQUFADBs
|
|
51
|
+
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
|
|
52
|
+
d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
|
|
53
|
+
ZSBFViBSb290IENBMB4XDTA3MTEwOTEyMDAwMFoXDTIxMTExMDAwMDAwMFowaTEL
|
|
54
|
+
MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
|
|
55
|
+
LmRpZ2ljZXJ0LmNvbTEoMCYGA1UEAxMfRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug
|
|
56
|
+
RVYgQ0EtMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPOWYth1bhn/
|
|
57
|
+
PzR8SU8xfg0ETpmB4rOFVZEwscCvcLssqOcYqj9495BoUoYBiJfiOwZlkKq9ZXbC
|
|
58
|
+
7L4QWzd4g2B1Rca9dKq2n6Q6AVAXxDlpufFP74LByvNK28yeUE9NQKM6kOeGZrzw
|
|
59
|
+
PnYoTNF1gJ5qNRQ1A57bDIzCKK1Qss72kaPDpQpYSfZ1RGy6+c7pqzoC4E3zrOJ6
|
|
60
|
+
4GAiBTyC01Li85xH+DvYskuTVkq/cKs+6WjIHY9YHSpNXic9rQpZL1oRIEDZaARo
|
|
61
|
+
LfTAhAsKG3jf7RpY3PtBWm1r8u0c7lwytlzs16YDMqbo3rcoJ1mIgP97rYlY1R4U
|
|
62
|
+
pPKwcNSgPqcCAwEAAaOCA4UwggOBMA4GA1UdDwEB/wQEAwIBhjA7BgNVHSUENDAy
|
|
63
|
+
BggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUH
|
|
64
|
+
AwgwggHEBgNVHSAEggG7MIIBtzCCAbMGCWCGSAGG/WwCATCCAaQwOgYIKwYBBQUH
|
|
65
|
+
AgEWLmh0dHA6Ly93d3cuZGlnaWNlcnQuY29tL3NzbC1jcHMtcmVwb3NpdG9yeS5o
|
|
66
|
+
dG0wggFkBggrBgEFBQcCAjCCAVYeggFSAEEAbgB5ACAAdQBzAGUAIABvAGYAIAB0
|
|
67
|
+
AGgAaQBzACAAQwBlAHIAdABpAGYAaQBjAGEAdABlACAAYwBvAG4AcwB0AGkAdAB1
|
|
68
|
+
AHQAZQBzACAAYQBjAGMAZQBwAHQAYQBuAGMAZQAgAG8AZgAgAHQAaABlACAARABp
|
|
69
|
+
AGcAaQBDAGUAcgB0ACAARQBWACAAQwBQAFMAIABhAG4AZAAgAHQAaABlACAAUgBl
|
|
70
|
+
AGwAeQBpAG4AZwAgAFAAYQByAHQAeQAgAEEAZwByAGUAZQBtAGUAbgB0ACAAdwBo
|
|
71
|
+
AGkAYwBoACAAbABpAG0AaQB0ACAAbABpAGEAYgBpAGwAaQB0AHkAIABhAG4AZAAg
|
|
72
|
+
AGEAcgBlACAAaQBuAGMAbwByAHAAbwByAGEAdABlAGQAIABoAGUAcgBlAGkAbgAg
|
|
73
|
+
AGIAeQAgAHIAZQBmAGUAcgBlAG4AYwBlAC4wEgYDVR0TAQH/BAgwBgEB/wIBADCB
|
|
74
|
+
gwYIKwYBBQUHAQEEdzB1MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
|
|
75
|
+
dC5jb20wTQYIKwYBBQUHMAKGQWh0dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NBQ2Vy
|
|
76
|
+
dHMvRGlnaUNlcnRIaWdoQXNzdXJhbmNlRVZSb290Q0EuY3J0MIGPBgNVHR8EgYcw
|
|
77
|
+
gYQwQKA+oDyGOmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEhpZ2hB
|
|
78
|
+
c3N1cmFuY2VFVlJvb3RDQS5jcmwwQKA+oDyGOmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0
|
|
79
|
+
LmNvbS9EaWdpQ2VydEhpZ2hBc3N1cmFuY2VFVlJvb3RDQS5jcmwwHQYDVR0OBBYE
|
|
80
|
+
FExYyyXwQU9S9CjIgUObpqig5pLlMB8GA1UdIwQYMBaAFLE+w2kD+L9HAdSYJhoI
|
|
81
|
+
Au9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQBMeheHKF0XvLIyc7/NLvVYMR3wsXFU
|
|
82
|
+
nNabZ5PbLwM+Fm8eA8lThKNWYB54lBuiqG+jpItSkdfdXJW777UWSemlQk808kf/
|
|
83
|
+
roF/E1S3IMRwFcuBCoHLdFfcnN8kpCkMGPAc5K4HM+zxST5Vz25PDVR708noFUjU
|
|
84
|
+
xbvcNRx3RQdIRYW9135TuMAW2ZXNi419yWBP0aKb49Aw1rRzNubS+QOy46T15bg+
|
|
85
|
+
BEkAui6mSnKDcp33C4ypieez12Qf1uNgywPE3IjpnSUBAHHLA7QpYCWP+UbRe3Gu
|
|
86
|
+
zVMSW4SOwg/H7ZMZ2cn6j1g0djIvruFQFGHUqFijyDATI+/GJYw2jxyA
|
|
87
|
+
-----END CERTIFICATE-----
|
|
88
|
+
---
|
|
89
|
+
Server certificate
|
|
90
|
+
subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
|
|
91
|
+
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
|
|
92
|
+
---
|
|
93
|
+
No client certificate CA names sent
|
|
94
|
+
---
|
|
95
|
+
SSL handshake has read 3796 bytes and written 456 bytes
|
|
96
|
+
---
|
|
97
|
+
New, TLSv1/SSLv3, Cipher is AES128-SHA
|
|
98
|
+
Server public key is 2048 bit
|
|
99
|
+
Secure Renegotiation IS supported
|
|
100
|
+
Compression: NONE
|
|
101
|
+
Expansion: NONE
|
|
102
|
+
SSL-Session:
|
|
103
|
+
Protocol : TLSv1
|
|
104
|
+
Cipher : AES128-SHA
|
|
105
|
+
Session-ID: 68A4FF6A1FAFD9EF2AC080C4E9A42433A0C27815CB17F0A6C24B455E17A49D0B
|
|
106
|
+
Session-ID-ctx:
|
|
107
|
+
Master-Key: 324790F1157F795B7716645002F4E5515CF874B8AF64370245B67C45B4CBFF50A71CA54E5FDDF8AEE58ED4201C127B64
|
|
108
|
+
Key-Arg : None
|
|
109
|
+
Start Time: 1391730515
|
|
110
|
+
Timeout : 300 (sec)
|
|
111
|
+
Verify return code: 0 (ok)
|
|
112
|
+
---
|
|
@@ -0,0 +1,94 @@
|
|
|
1
|
+
Certificate:
|
|
2
|
+
Data:
|
|
3
|
+
Version: 3 (0x2)
|
|
4
|
+
Serial Number: 7353680 (0x703550)
|
|
5
|
+
Signature Algorithm: sha1WithRSAEncryption
|
|
6
|
+
Issuer: C=US, ST=Florida, L=Miami, O=Basho, OU=Riak Ruby Client, CN=CA/emailAddress=bryce@basho.com
|
|
7
|
+
Validity
|
|
8
|
+
Not Before: Feb 5 16:29:00 2014 GMT
|
|
9
|
+
Not After : Feb 3 16:29:00 2024 GMT
|
|
10
|
+
Subject: C=US, ST=Florida, O=Basho, OU=Riak Ruby client, CN=localhost/emailAddress=bryce@basho.com
|
|
11
|
+
Subject Public Key Info:
|
|
12
|
+
Public Key Algorithm: rsaEncryption
|
|
13
|
+
Public-Key: (2048 bit)
|
|
14
|
+
Modulus:
|
|
15
|
+
00:cc:37:29:ad:9d:f1:93:6f:6c:61:ba:14:ac:70:
|
|
16
|
+
98:7d:5c:11:97:64:6e:10:72:7a:81:d0:97:c7:5d:
|
|
17
|
+
b3:5e:6b:ed:57:29:eb:54:3b:ee:c8:40:3c:57:54:
|
|
18
|
+
7f:1a:0f:66:f7:8d:4c:49:d0:56:3f:8f:27:6a:1c:
|
|
19
|
+
98:31:4d:c5:d5:01:50:6a:e3:d2:a4:19:65:b6:38:
|
|
20
|
+
b8:81:c9:e7:46:51:79:8b:1a:92:ee:a4:d8:0e:ef:
|
|
21
|
+
dc:4b:1d:08:ec:b8:13:22:7c:85:7f:ff:a3:ef:bc:
|
|
22
|
+
23:ba:dd:b4:e8:bf:f3:6a:e9:3c:89:fc:9c:b9:7d:
|
|
23
|
+
1e:a5:61:b0:fe:b5:74:e2:ab:9e:42:7d:9e:f0:ee:
|
|
24
|
+
28:5a:d4:fb:b5:fc:d0:05:6c:72:cf:04:6a:d4:6d:
|
|
25
|
+
5f:f9:eb:97:a8:cf:fa:79:ee:82:ed:00:47:18:80:
|
|
26
|
+
a3:9f:2e:86:74:c4:6e:b9:e1:da:d1:87:1c:10:d5:
|
|
27
|
+
f3:87:fb:71:ce:55:ee:7e:53:f2:88:b6:15:aa:a9:
|
|
28
|
+
4e:d0:b4:a2:27:04:3b:af:61:88:2a:b3:c1:90:c0:
|
|
29
|
+
41:d7:e0:43:63:ee:55:b7:3a:f4:c3:56:c7:88:d4:
|
|
30
|
+
c9:4e:ca:55:9d:d4:3f:30:7c:ea:34:8a:5c:31:90:
|
|
31
|
+
0b:ad:7f:35:cc:b8:0d:5a:f4:f4:f1:2b:86:0a:c2:
|
|
32
|
+
df:4f
|
|
33
|
+
Exponent: 65537 (0x10001)
|
|
34
|
+
X509v3 extensions:
|
|
35
|
+
X509v3 Basic Constraints:
|
|
36
|
+
CA:FALSE
|
|
37
|
+
Netscape Cert Type:
|
|
38
|
+
SSL Client, SSL Server
|
|
39
|
+
X509v3 Key Usage:
|
|
40
|
+
Digital Signature, Non Repudiation, Key Encipherment
|
|
41
|
+
Netscape Comment:
|
|
42
|
+
Riak Ruby Client Testing Certificate
|
|
43
|
+
X509v3 Subject Key Identifier:
|
|
44
|
+
CD:69:91:9F:7F:4F:EC:4D:76:95:87:41:D4:A7:5F:62:9C:E2:7F:8A
|
|
45
|
+
X509v3 Authority Key Identifier:
|
|
46
|
+
DirName:/C=US/ST=Florida/L=Miami/O=Basho/OU=Riak Ruby Client/CN=CA/emailAddress=bryce@basho.com
|
|
47
|
+
serial:EB:90:D4:88:07:71:2D:B0
|
|
48
|
+
|
|
49
|
+
X509v3 Extended Key Usage:
|
|
50
|
+
TLS Web Server Authentication, TLS Web Client Authentication
|
|
51
|
+
Signature Algorithm: sha1WithRSAEncryption
|
|
52
|
+
39:20:28:de:26:20:af:e3:d2:59:92:a9:43:95:b9:25:83:2e:
|
|
53
|
+
6e:a2:32:66:53:a8:ef:6b:96:b1:44:8f:74:3f:f2:01:6f:96:
|
|
54
|
+
af:3b:70:67:1a:1e:39:68:6a:57:b0:b8:89:e7:ed:50:34:ef:
|
|
55
|
+
53:bd:96:68:94:ab:8b:3f:f7:20:be:1a:52:80:0a:11:ee:dc:
|
|
56
|
+
dc:93:01:11:3d:91:e5:93:d8:0c:b0:05:44:fa:a7:d1:c9:32:
|
|
57
|
+
be:58:58:48:40:66:dd:8f:bc:b0:02:84:05:c3:e8:e4:77:f9:
|
|
58
|
+
ff:a9:09:b7:a0:9b:3a:ea:a5:c9:02:8f:eb:30:aa:f6:92:bf:
|
|
59
|
+
38:ef:fb:6c:5d:e5:7b:c7:57:86:74:06:ca:e5:86:70:40:35:
|
|
60
|
+
50:51:df:28:44:fa:d0:a3:30:ae:aa:71:34:32:a5:dc:f7:7e:
|
|
61
|
+
70:a7:ed:c1:e7:20:77:a0:27:16:00:4d:74:90:5a:29:9b:b3:
|
|
62
|
+
43:5f:0b:b2:4e:d5:c8:8f:ab:e6:92:f5:57:b0:b4:f8:fd:be:
|
|
63
|
+
a1:12:9f:06:fa:5e:da:bd:1c:fc:08:e4:d8:de:5e:82:a8:dc:
|
|
64
|
+
8b:3b:61:b5:65:ce:b3:2c:a0:fc:8e:a1:28:33:ca:a5:b8:0a:
|
|
65
|
+
45:29:b8:ba:ab:f1:77:42:e5:a8:2d:b7:67:6c:75:18:f4:ce:
|
|
66
|
+
91:ea:62:80
|
|
67
|
+
-----BEGIN CERTIFICATE-----
|
|
68
|
+
MIIE0DCCA7igAwIBAgIDcDVQMA0GCSqGSIb3DQEBBQUAMIGHMQswCQYDVQQGEwJV
|
|
69
|
+
UzEQMA4GA1UECAwHRmxvcmlkYTEOMAwGA1UEBwwFTWlhbWkxDjAMBgNVBAoMBUJh
|
|
70
|
+
c2hvMRkwFwYDVQQLDBBSaWFrIFJ1YnkgQ2xpZW50MQswCQYDVQQDDAJDQTEeMBwG
|
|
71
|
+
CSqGSIb3DQEJARYPYnJ5Y2VAYmFzaG8uY29tMB4XDTE0MDIwNTE2MjkwMFoXDTI0
|
|
72
|
+
MDIwMzE2MjkwMFowfjELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0Zsb3JpZGExDjAM
|
|
73
|
+
BgNVBAoMBUJhc2hvMRkwFwYDVQQLDBBSaWFrIFJ1YnkgY2xpZW50MRIwEAYDVQQD
|
|
74
|
+
DAlsb2NhbGhvc3QxHjAcBgkqhkiG9w0BCQEWD2JyeWNlQGJhc2hvLmNvbTCCASIw
|
|
75
|
+
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMw3Ka2d8ZNvbGG6FKxwmH1cEZdk
|
|
76
|
+
bhByeoHQl8dds15r7Vcp61Q77shAPFdUfxoPZveNTEnQVj+PJ2ocmDFNxdUBUGrj
|
|
77
|
+
0qQZZbY4uIHJ50ZReYsaku6k2A7v3EsdCOy4EyJ8hX//o++8I7rdtOi/82rpPIn8
|
|
78
|
+
nLl9HqVhsP61dOKrnkJ9nvDuKFrU+7X80AVscs8EatRtX/nrl6jP+nnugu0ARxiA
|
|
79
|
+
o58uhnTEbrnh2tGHHBDV84f7cc5V7n5T8oi2FaqpTtC0oicEO69hiCqzwZDAQdfg
|
|
80
|
+
Q2PuVbc69MNWx4jUyU7KVZ3UPzB86jSKXDGQC61/Ncy4DVr09PErhgrC308CAwEA
|
|
81
|
+
AaOCAUswggFHMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgbAMAsGA1UdDwQE
|
|
82
|
+
AwIF4DAzBglghkgBhvhCAQ0EJhYkUmlhayBSdWJ5IENsaWVudCBUZXN0aW5nIENl
|
|
83
|
+
cnRpZmljYXRlMB0GA1UdDgQWBBTNaZGff0/sTXaVh0HUp19inOJ/ijCBpgYDVR0j
|
|
84
|
+
BIGeMIGboYGNpIGKMIGHMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHRmxvcmlkYTEO
|
|
85
|
+
MAwGA1UEBwwFTWlhbWkxDjAMBgNVBAoMBUJhc2hvMRkwFwYDVQQLDBBSaWFrIFJ1
|
|
86
|
+
YnkgQ2xpZW50MQswCQYDVQQDDAJDQTEeMBwGCSqGSIb3DQEJARYPYnJ5Y2VAYmFz
|
|
87
|
+
aG8uY29tggkA65DUiAdxLbAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
|
|
88
|
+
MA0GCSqGSIb3DQEBBQUAA4IBAQA5ICjeJiCv49JZkqlDlbklgy5uojJmU6jva5ax
|
|
89
|
+
RI90P/IBb5avO3BnGh45aGpXsLiJ5+1QNO9TvZZolKuLP/cgvhpSgAoR7tzckwER
|
|
90
|
+
PZHlk9gMsAVE+qfRyTK+WFhIQGbdj7ywAoQFw+jkd/n/qQm3oJs66qXJAo/rMKr2
|
|
91
|
+
kr847/tsXeV7x1eGdAbK5YZwQDVQUd8oRPrQozCuqnE0MqXc935wp+3B5yB3oCcW
|
|
92
|
+
AE10kFopm7NDXwuyTtXIj6vmkvVXsLT4/b6hEp8G+l7avRz8COTY3l6CqNyLO2G1
|
|
93
|
+
Zc6zLKD8jqEoM8qluApFKbi6q/F3QuWoLbdnbHUY9M6R6mKA
|
|
94
|
+
-----END CERTIFICATE-----
|
|
@@ -0,0 +1,73 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
|
|
3
|
+
describe R509::Cert::Validator do
|
|
4
|
+
let(:issuer_cert){ cert('root.crt') }
|
|
5
|
+
|
|
6
|
+
describe 'with a cert without CRL or OCSP data' do
|
|
7
|
+
let(:no_validator_cert){ cert('empty.crt') }
|
|
8
|
+
subject{ described_class.new no_validator_cert }
|
|
9
|
+
|
|
10
|
+
it 'should validate' do
|
|
11
|
+
expect{ subject.validate }.to_not raise_error
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
it 'should refuse to validate with CRL or OCSP' do
|
|
15
|
+
expect{ subject.validate crl: true }.to raise_error
|
|
16
|
+
expect{ subject.validate ocsp: true }.to raise_error
|
|
17
|
+
end
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
describe 'with a cert with CRL and OCSP data' do
|
|
21
|
+
let(:good_cert){ cert('good.crt') }
|
|
22
|
+
subject{ described_class.new good_cert, issuer_cert }
|
|
23
|
+
|
|
24
|
+
it 'should validate against a CRL' do
|
|
25
|
+
expect{ subject.validate crl: true, ocsp: false }.to_not raise_error
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
it 'should validate a cert against OCSP' do
|
|
29
|
+
expect{ subject.validate crl: false, ocsp: true }.to_not raise_error
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
describe 'with a cert with CRL and no OCSP' do
|
|
34
|
+
let(:crl_only_cert){ cert('crl_only.crt') }
|
|
35
|
+
subject{ described_class.new crl_only_cert, issuer_cert }
|
|
36
|
+
|
|
37
|
+
it 'should validate against a CRL' do
|
|
38
|
+
expect{ subject.validate crl: true, ocsp: false }.to_not raise_error
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
it 'should fail to validate against OCSP' do
|
|
42
|
+
expect{ subject.validate crl: false, ocsp: true }.to raise_error
|
|
43
|
+
end
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
describe 'with a cert with OCSP and no CRL' do
|
|
47
|
+
let(:ocsp_only_cert){ cert('ocsp_only.crt') }
|
|
48
|
+
subject{ described_class.new ocsp_only_cert, issuer_cert }
|
|
49
|
+
|
|
50
|
+
it 'should fail to validate against a CRL' do
|
|
51
|
+
expect{ subject.validate crl: true, ocsp: false }.to raise_error
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
it 'should validate against OCSP' do
|
|
55
|
+
expect{ subject.validate crl: false, ocsp: true }.to_not raise_error
|
|
56
|
+
end
|
|
57
|
+
end
|
|
58
|
+
|
|
59
|
+
describe 'with a revoked cert' do
|
|
60
|
+
let(:revoked_cert){ cert('revoked.crt') }
|
|
61
|
+
subject{ described_class.new revoked_cert, issuer_cert }
|
|
62
|
+
|
|
63
|
+
it 'should validate false against a CRL' do
|
|
64
|
+
expect(subject.validate crl: true, ocsp: false).to_not be
|
|
65
|
+
expect{ subject.validate! crl: true, ocsp: false }.to raise_error /revoked/
|
|
66
|
+
end
|
|
67
|
+
|
|
68
|
+
it 'should validate false against OCSP' do
|
|
69
|
+
expect(subject.validate crl: false, ocsp: true).to_not be
|
|
70
|
+
expect{ subject.validate! crl: false, ocsp: true }.to raise_error /revoked/
|
|
71
|
+
end
|
|
72
|
+
end
|
|
73
|
+
end
|
data/travis.sh
ADDED
metadata
ADDED
|
@@ -0,0 +1,197 @@
|
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
|
+
name: r509-cert-validator
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
version: 0.0.1
|
|
5
|
+
platform: ruby
|
|
6
|
+
authors:
|
|
7
|
+
- Bryce Kerley
|
|
8
|
+
autorequire:
|
|
9
|
+
bindir: bin
|
|
10
|
+
cert_chain: []
|
|
11
|
+
date: 2014-02-12 00:00:00.000000000 Z
|
|
12
|
+
dependencies:
|
|
13
|
+
- !ruby/object:Gem::Dependency
|
|
14
|
+
name: bundler
|
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
|
16
|
+
requirements:
|
|
17
|
+
- - ~>
|
|
18
|
+
- !ruby/object:Gem::Version
|
|
19
|
+
version: '1.3'
|
|
20
|
+
type: :development
|
|
21
|
+
prerelease: false
|
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
23
|
+
requirements:
|
|
24
|
+
- - ~>
|
|
25
|
+
- !ruby/object:Gem::Version
|
|
26
|
+
version: '1.3'
|
|
27
|
+
- !ruby/object:Gem::Dependency
|
|
28
|
+
name: rake
|
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
|
30
|
+
requirements:
|
|
31
|
+
- - ~>
|
|
32
|
+
- !ruby/object:Gem::Version
|
|
33
|
+
version: 10.1.1
|
|
34
|
+
type: :development
|
|
35
|
+
prerelease: false
|
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
37
|
+
requirements:
|
|
38
|
+
- - ~>
|
|
39
|
+
- !ruby/object:Gem::Version
|
|
40
|
+
version: 10.1.1
|
|
41
|
+
- !ruby/object:Gem::Dependency
|
|
42
|
+
name: rspec
|
|
43
|
+
requirement: !ruby/object:Gem::Requirement
|
|
44
|
+
requirements:
|
|
45
|
+
- - ~>
|
|
46
|
+
- !ruby/object:Gem::Version
|
|
47
|
+
version: 2.14.1
|
|
48
|
+
type: :development
|
|
49
|
+
prerelease: false
|
|
50
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
51
|
+
requirements:
|
|
52
|
+
- - ~>
|
|
53
|
+
- !ruby/object:Gem::Version
|
|
54
|
+
version: 2.14.1
|
|
55
|
+
- !ruby/object:Gem::Dependency
|
|
56
|
+
name: rack
|
|
57
|
+
requirement: !ruby/object:Gem::Requirement
|
|
58
|
+
requirements:
|
|
59
|
+
- - ~>
|
|
60
|
+
- !ruby/object:Gem::Version
|
|
61
|
+
version: 1.5.2
|
|
62
|
+
type: :development
|
|
63
|
+
prerelease: false
|
|
64
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
65
|
+
requirements:
|
|
66
|
+
- - ~>
|
|
67
|
+
- !ruby/object:Gem::Version
|
|
68
|
+
version: 1.5.2
|
|
69
|
+
- !ruby/object:Gem::Dependency
|
|
70
|
+
name: puma
|
|
71
|
+
requirement: !ruby/object:Gem::Requirement
|
|
72
|
+
requirements:
|
|
73
|
+
- - ~>
|
|
74
|
+
- !ruby/object:Gem::Version
|
|
75
|
+
version: 2.7.1
|
|
76
|
+
type: :development
|
|
77
|
+
prerelease: false
|
|
78
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
79
|
+
requirements:
|
|
80
|
+
- - ~>
|
|
81
|
+
- !ruby/object:Gem::Version
|
|
82
|
+
version: 2.7.1
|
|
83
|
+
- !ruby/object:Gem::Dependency
|
|
84
|
+
name: r509-ocsp-responder
|
|
85
|
+
requirement: !ruby/object:Gem::Requirement
|
|
86
|
+
requirements:
|
|
87
|
+
- - ~>
|
|
88
|
+
- !ruby/object:Gem::Version
|
|
89
|
+
version: 0.3.3
|
|
90
|
+
type: :development
|
|
91
|
+
prerelease: false
|
|
92
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
93
|
+
requirements:
|
|
94
|
+
- - ~>
|
|
95
|
+
- !ruby/object:Gem::Version
|
|
96
|
+
version: 0.3.3
|
|
97
|
+
- !ruby/object:Gem::Dependency
|
|
98
|
+
name: r509-validity-crl
|
|
99
|
+
requirement: !ruby/object:Gem::Requirement
|
|
100
|
+
requirements:
|
|
101
|
+
- - ~>
|
|
102
|
+
- !ruby/object:Gem::Version
|
|
103
|
+
version: 0.1.1
|
|
104
|
+
type: :development
|
|
105
|
+
prerelease: false
|
|
106
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
107
|
+
requirements:
|
|
108
|
+
- - ~>
|
|
109
|
+
- !ruby/object:Gem::Version
|
|
110
|
+
version: 0.1.1
|
|
111
|
+
- !ruby/object:Gem::Dependency
|
|
112
|
+
name: r509
|
|
113
|
+
requirement: !ruby/object:Gem::Requirement
|
|
114
|
+
requirements:
|
|
115
|
+
- - ~>
|
|
116
|
+
- !ruby/object:Gem::Version
|
|
117
|
+
version: 0.10.0
|
|
118
|
+
type: :runtime
|
|
119
|
+
prerelease: false
|
|
120
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
121
|
+
requirements:
|
|
122
|
+
- - ~>
|
|
123
|
+
- !ruby/object:Gem::Version
|
|
124
|
+
version: 0.10.0
|
|
125
|
+
description: Tool for validating x509 certificates against CRLs and OCSP.
|
|
126
|
+
email:
|
|
127
|
+
- bkerley@brycekerley.net
|
|
128
|
+
executables: []
|
|
129
|
+
extensions: []
|
|
130
|
+
extra_rdoc_files: []
|
|
131
|
+
files:
|
|
132
|
+
- .gitignore
|
|
133
|
+
- .rspec
|
|
134
|
+
- .travis.yml
|
|
135
|
+
- Gemfile
|
|
136
|
+
- LICENSE.txt
|
|
137
|
+
- README.md
|
|
138
|
+
- Rakefile
|
|
139
|
+
- lib/r509-cert-validator.rb
|
|
140
|
+
- lib/r509/cert/validator.rb
|
|
141
|
+
- lib/r509/cert/validator/basic_validator.rb
|
|
142
|
+
- lib/r509/cert/validator/crl_validator.rb
|
|
143
|
+
- lib/r509/cert/validator/errors.rb
|
|
144
|
+
- lib/r509/cert/validator/ocsp_validator.rb
|
|
145
|
+
- lib/r509/cert/validator/version.rb
|
|
146
|
+
- lib/tasks/ca.rb
|
|
147
|
+
- lib/tasks/helper.rb
|
|
148
|
+
- r509-cert-validator.gemspec
|
|
149
|
+
- spec/spec_helper.rb
|
|
150
|
+
- spec/support/ca/.gitignore
|
|
151
|
+
- spec/support/ca/config.yaml.erb
|
|
152
|
+
- spec/support/ca_server.rb
|
|
153
|
+
- spec/support/certs/README.md
|
|
154
|
+
- spec/support/certs/ca.crt
|
|
155
|
+
- spec/support/certs/digicert_ev.crt
|
|
156
|
+
- spec/support/certs/github.crt
|
|
157
|
+
- spec/support/certs/github_chain.crt
|
|
158
|
+
- spec/support/certs/no_validator.crt
|
|
159
|
+
- spec/validator_spec.rb
|
|
160
|
+
- travis.sh
|
|
161
|
+
homepage: ''
|
|
162
|
+
licenses:
|
|
163
|
+
- MIT
|
|
164
|
+
metadata: {}
|
|
165
|
+
post_install_message:
|
|
166
|
+
rdoc_options: []
|
|
167
|
+
require_paths:
|
|
168
|
+
- lib
|
|
169
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
170
|
+
requirements:
|
|
171
|
+
- - ~>
|
|
172
|
+
- !ruby/object:Gem::Version
|
|
173
|
+
version: '2.0'
|
|
174
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
175
|
+
requirements:
|
|
176
|
+
- - '>='
|
|
177
|
+
- !ruby/object:Gem::Version
|
|
178
|
+
version: '0'
|
|
179
|
+
requirements: []
|
|
180
|
+
rubyforge_project:
|
|
181
|
+
rubygems_version: 2.0.14
|
|
182
|
+
signing_key:
|
|
183
|
+
specification_version: 4
|
|
184
|
+
summary: An r509-based tool for validating x509 certificates against CRLs and OCSP.
|
|
185
|
+
test_files:
|
|
186
|
+
- spec/spec_helper.rb
|
|
187
|
+
- spec/support/ca/.gitignore
|
|
188
|
+
- spec/support/ca/config.yaml.erb
|
|
189
|
+
- spec/support/ca_server.rb
|
|
190
|
+
- spec/support/certs/README.md
|
|
191
|
+
- spec/support/certs/ca.crt
|
|
192
|
+
- spec/support/certs/digicert_ev.crt
|
|
193
|
+
- spec/support/certs/github.crt
|
|
194
|
+
- spec/support/certs/github_chain.crt
|
|
195
|
+
- spec/support/certs/no_validator.crt
|
|
196
|
+
- spec/validator_spec.rb
|
|
197
|
+
has_rdoc:
|