r509-cert-validator 0.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/.gitignore +17 -0
- data/.rspec +1 -0
- data/.travis.yml +6 -0
- data/Gemfile +4 -0
- data/LICENSE.txt +22 -0
- data/README.md +70 -0
- data/Rakefile +8 -0
- data/lib/r509-cert-validator.rb +1 -0
- data/lib/r509/cert/validator.rb +62 -0
- data/lib/r509/cert/validator/basic_validator.rb +24 -0
- data/lib/r509/cert/validator/crl_validator.rb +40 -0
- data/lib/r509/cert/validator/errors.rb +14 -0
- data/lib/r509/cert/validator/ocsp_validator.rb +87 -0
- data/lib/r509/cert/validator/version.rb +7 -0
- data/lib/tasks/ca.rb +112 -0
- data/lib/tasks/helper.rb +33 -0
- data/r509-cert-validator.gemspec +31 -0
- data/spec/spec_helper.rb +11 -0
- data/spec/support/ca/.gitignore +5 -0
- data/spec/support/ca/config.yaml.erb +35 -0
- data/spec/support/ca_server.rb +29 -0
- data/spec/support/certs/README.md +15 -0
- data/spec/support/certs/ca.crt +21 -0
- data/spec/support/certs/digicert_ev.crt +39 -0
- data/spec/support/certs/github.crt +41 -0
- data/spec/support/certs/github_chain.crt +112 -0
- data/spec/support/certs/no_validator.crt +94 -0
- data/spec/validator_spec.rb +73 -0
- data/travis.sh +5 -0
- metadata +197 -0
checksums.yaml
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
---
|
|
2
|
+
SHA1:
|
|
3
|
+
metadata.gz: f1727921e4d1ea7764cfd809a42478d3ec8cb4cf
|
|
4
|
+
data.tar.gz: ecca2f905cfe41c45a7130d3eeb095fecff9693a
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: 711bb8c8d34ffbbefcd0859f512cee2056696f2d047ff8c60ed6d629186122c0986501914db7397d726e997da1ec5bf26e3d4469e277750fd80962102298e4db
|
|
7
|
+
data.tar.gz: 5f4d58440734468761e8f8eb9363246f3cb12a05de8dd0aa27ab0e33fe15d933d38f62c3f37efc0e08b270f9e174907c089676b582ca4fea58ba1ef3d358c483
|
data/.gitignore
ADDED
data/.rspec
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
--color
|
data/.travis.yml
ADDED
data/Gemfile
ADDED
data/LICENSE.txt
ADDED
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
Copyright (c) 2014 Bryce Kerley
|
|
2
|
+
|
|
3
|
+
MIT License
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
|
6
|
+
a copy of this software and associated documentation files (the
|
|
7
|
+
"Software"), to deal in the Software without restriction, including
|
|
8
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
|
9
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
|
10
|
+
permit persons to whom the Software is furnished to do so, subject to
|
|
11
|
+
the following conditions:
|
|
12
|
+
|
|
13
|
+
The above copyright notice and this permission notice shall be
|
|
14
|
+
included in all copies or substantial portions of the Software.
|
|
15
|
+
|
|
16
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
17
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
18
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
19
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
|
20
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
|
21
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
|
22
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.md
ADDED
|
@@ -0,0 +1,70 @@
|
|
|
1
|
+
# R509::Cert::Validator
|
|
2
|
+
|
|
3
|
+
Have an x.509 certificate that you need to validate against its Online
|
|
4
|
+
Certificate Status Protocol (OCSP) or Certificate Revocation List (CRL)
|
|
5
|
+
endpoint? This gem uses the `r509` library for x.509 processing, and performs
|
|
6
|
+
OCSP and CRL processing.
|
|
7
|
+
|
|
8
|
+
[](https://travis-ci.org/bkerley/r509-cert-validator)
|
|
9
|
+
[](https://codeclimate.com/github/bkerley/r509-cert-validator)
|
|
10
|
+
|
|
11
|
+
## Installation
|
|
12
|
+
|
|
13
|
+
Add this line to your application's Gemfile:
|
|
14
|
+
|
|
15
|
+
gem 'r509-cert-validator'
|
|
16
|
+
|
|
17
|
+
And then execute:
|
|
18
|
+
|
|
19
|
+
$ bundle
|
|
20
|
+
|
|
21
|
+
Or install it yourself as:
|
|
22
|
+
|
|
23
|
+
$ gem install r509-cert-validator
|
|
24
|
+
|
|
25
|
+
## Usage
|
|
26
|
+
|
|
27
|
+
```ruby
|
|
28
|
+
validator = R509::Cert::Validator.new @socket.peer_cert
|
|
29
|
+
|
|
30
|
+
# Returns false on invalid certificates
|
|
31
|
+
# Raises R509::Cert::Validator::Error when checking failed
|
|
32
|
+
validator.validate
|
|
33
|
+
|
|
34
|
+
# Raises R509::Cert::Validator::CrlError and
|
|
35
|
+
# R509::Cert::Validator::OcspError on invalid certificates
|
|
36
|
+
# Raises R509::Cert::Validator::Error when checking failed
|
|
37
|
+
validator.validate!
|
|
38
|
+
|
|
39
|
+
# OCSP and CRL checking are enabled when present in certificates, but
|
|
40
|
+
# can be disabled individually
|
|
41
|
+
validator.validate ocsp: false
|
|
42
|
+
validator.validate! crl: false
|
|
43
|
+
|
|
44
|
+
# Attempting to validate OCSP and/or CRL when a cert does not have them raises
|
|
45
|
+
# R509::Cert::Validator::Error
|
|
46
|
+
validator.validate ocsp: true
|
|
47
|
+
```
|
|
48
|
+
|
|
49
|
+
## Development and Testing
|
|
50
|
+
|
|
51
|
+
This library requires a bit of Public Key Infrastructure (PKI) for testing.
|
|
52
|
+
Fortunately, it's easy to set up.
|
|
53
|
+
|
|
54
|
+
0. Install dependencies with `bundle install`.
|
|
55
|
+
0. Optional: clean out the existing PKI with `rake ca:clean`
|
|
56
|
+
1. Generate a CA and testing certificates with `rake ca:all`
|
|
57
|
+
2. Start the CRL and OCSP endpoint with `bundle exec ruby spec/support/ca_server.rb`
|
|
58
|
+
and let it run. This command starts a web server on port 22022.
|
|
59
|
+
3. Run the specs with `bundle exec rspec`
|
|
60
|
+
4. CTRL-C or otherwise kill the CRL and OCSP server when you no longer need it.
|
|
61
|
+
|
|
62
|
+
This process is automated by `travis.sh`, and you can just run that :)
|
|
63
|
+
|
|
64
|
+
## Contributing
|
|
65
|
+
|
|
66
|
+
1. Fork it
|
|
67
|
+
2. Create your feature branch (`git checkout -b my-new-feature`)
|
|
68
|
+
3. Commit your changes (`git commit -am 'Add some feature'`)
|
|
69
|
+
4. Push to the branch (`git push origin my-new-feature`)
|
|
70
|
+
5. Create new Pull Request
|
data/Rakefile
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
require 'r509/cert/validator'
|
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
require 'r509'
|
|
2
|
+
%w{version errors basic_validator ocsp_validator crl_validator}.each do |f|
|
|
3
|
+
require "r509/cert/validator/#{f}"
|
|
4
|
+
end
|
|
5
|
+
|
|
6
|
+
module R509
|
|
7
|
+
class Cert
|
|
8
|
+
class Validator
|
|
9
|
+
# The certificate this Validator will validate
|
|
10
|
+
attr_reader :cert
|
|
11
|
+
|
|
12
|
+
def initialize(cert, issuer = nil)
|
|
13
|
+
if cert.is_a? OpenSSL::X509::Certificate
|
|
14
|
+
cert = R509::Cert.new cert: cert
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
if issuer.is_a? OpenSSL::X509::Certificate
|
|
18
|
+
cert = R509::Cert.new cert: cert
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
@cert = cert
|
|
22
|
+
@issuer = issuer
|
|
23
|
+
|
|
24
|
+
initialize_validators
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
def validate!(options={})
|
|
28
|
+
opts = { ocsp: @ocsp.available?, crl: @crl.available? }.merge options
|
|
29
|
+
|
|
30
|
+
if opts[:ocsp] && !@ocsp.available?
|
|
31
|
+
raise Error.new "Tried to validate OCSP but cert has no OCSP data"
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
if opts[:crl] && !@crl.available?
|
|
35
|
+
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
@ocsp.validate! if opts[:ocsp]
|
|
39
|
+
@crl.validate! if opts[:crl]
|
|
40
|
+
true
|
|
41
|
+
end
|
|
42
|
+
|
|
43
|
+
def validate(options={})
|
|
44
|
+
begin
|
|
45
|
+
validate! options
|
|
46
|
+
rescue OcspError
|
|
47
|
+
return false
|
|
48
|
+
rescue CrlError
|
|
49
|
+
return false
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
return true
|
|
53
|
+
end
|
|
54
|
+
|
|
55
|
+
private
|
|
56
|
+
def initialize_validators
|
|
57
|
+
@ocsp = OcspValidator.new @cert, @issuer
|
|
58
|
+
@crl = CrlValidator.new @cert, @issuer
|
|
59
|
+
end
|
|
60
|
+
end
|
|
61
|
+
end
|
|
62
|
+
end
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
require 'net/http'
|
|
2
|
+
|
|
3
|
+
module R509
|
|
4
|
+
class Cert
|
|
5
|
+
class Validator
|
|
6
|
+
class BasicValidator
|
|
7
|
+
def initialize(cert, issuer)
|
|
8
|
+
@cert = cert
|
|
9
|
+
@issuer = issuer
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
private
|
|
13
|
+
def get(uri)
|
|
14
|
+
resp = Net::HTTP.get_response URI(uri)
|
|
15
|
+
if resp.code != '200'
|
|
16
|
+
raise Error.new("Unexpected HTTP #{resp.code} from OCSP endpoint")
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
resp.body
|
|
20
|
+
end
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
end
|
|
24
|
+
end
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
module R509
|
|
2
|
+
class Cert
|
|
3
|
+
class Validator
|
|
4
|
+
class CrlValidator < BasicValidator
|
|
5
|
+
def available?
|
|
6
|
+
return false unless cdp
|
|
7
|
+
return false if uris.empty?
|
|
8
|
+
return true
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def validate!
|
|
12
|
+
unless available?
|
|
13
|
+
raise Error.new "Tried to validate CRL but cert has no CRL data"
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
body = R509::CRL::SignedList.new(get(uris.first))
|
|
17
|
+
|
|
18
|
+
unless body.verify @issuer.public_key
|
|
19
|
+
raise CrlError.new "CRL did not match certificate"
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
if body.revoked? @cert.serial
|
|
23
|
+
raise CrlError.new "CRL listed certificate as revoked"
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
return true
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
private
|
|
30
|
+
def cdp
|
|
31
|
+
@cert.crl_distribution_points
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def uris
|
|
35
|
+
cdp.uris
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
end
|
|
40
|
+
end
|
|
@@ -0,0 +1,87 @@
|
|
|
1
|
+
require 'base64'
|
|
2
|
+
|
|
3
|
+
module R509
|
|
4
|
+
class Cert
|
|
5
|
+
class Validator
|
|
6
|
+
class OcspValidator < BasicValidator
|
|
7
|
+
def available?
|
|
8
|
+
return false unless @issuer
|
|
9
|
+
return false unless aia && aia.ocsp
|
|
10
|
+
return false if ocsp_uris.empty?
|
|
11
|
+
return true
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
def validate!
|
|
15
|
+
unless available?
|
|
16
|
+
raise Error.new "Tried to validate OCSP but cert has no OCSP data"
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
uri = build_request_uri
|
|
20
|
+
body = R509::OCSP::Response.parse(get(uri))
|
|
21
|
+
|
|
22
|
+
check_ocsp_response body
|
|
23
|
+
check_ocsp_payload body.basic.status.first
|
|
24
|
+
return true
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
private
|
|
28
|
+
def build_request_uri
|
|
29
|
+
@req = OpenSSL::OCSP::Request.new
|
|
30
|
+
@req.add_nonce
|
|
31
|
+
@req.add_certid cert_id
|
|
32
|
+
pem = Base64.encode64(@req.to_der).strip
|
|
33
|
+
URI(ocsp_uris.first + '/' + URI.encode_www_form_component(pem))
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
def check_ocsp_response(body)
|
|
37
|
+
unless body.status == 0
|
|
38
|
+
raise OcspError.new "OCSP status was #{body.status}, expected 0"
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
unless body.verify(@issuer.cert)
|
|
42
|
+
raise OcspError.new "OCSP response did not match issuer"
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
unless body.basic.status.first
|
|
46
|
+
raise OcspError.new "OCSP response was missing payload"
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
if body.check_nonce(@req) != R509::OCSP::Request::Nonce::PRESENT_AND_EQUAL
|
|
50
|
+
raise OcspError.new "OCSP Nonce was not present and equal to request"
|
|
51
|
+
end
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
def check_ocsp_payload(basic)
|
|
55
|
+
if basic[0].serial != @cert.serial
|
|
56
|
+
raise OcspError.new "OCSP cert serial was #{basic[0].serial}, expected #{@cert.serial}"
|
|
57
|
+
end
|
|
58
|
+
|
|
59
|
+
if basic[1] == 1
|
|
60
|
+
raise OcspError.new "OCSP response indicates cert was revoked"
|
|
61
|
+
end
|
|
62
|
+
|
|
63
|
+
if basic[1] != 0
|
|
64
|
+
raise OcspError.new "OCSP response was #{basic[1]}, expected 0"
|
|
65
|
+
end
|
|
66
|
+
|
|
67
|
+
validity_range = (basic[4]..basic[5])
|
|
68
|
+
unless validity_range.cover? Time.now
|
|
69
|
+
raise OcspError.new "OCSP response outside validity window"
|
|
70
|
+
end
|
|
71
|
+
end
|
|
72
|
+
|
|
73
|
+
def aia
|
|
74
|
+
@aia ||= @cert.authority_info_access
|
|
75
|
+
end
|
|
76
|
+
|
|
77
|
+
def ocsp_uris
|
|
78
|
+
aia.ocsp.uris
|
|
79
|
+
end
|
|
80
|
+
|
|
81
|
+
def cert_id
|
|
82
|
+
@cert_id ||= OpenSSL::OCSP::CertificateId.new @cert.cert, @issuer.cert
|
|
83
|
+
end
|
|
84
|
+
end
|
|
85
|
+
end
|
|
86
|
+
end
|
|
87
|
+
end
|
data/lib/tasks/ca.rb
ADDED
|
@@ -0,0 +1,112 @@
|
|
|
1
|
+
require 'r509'
|
|
2
|
+
require 'erb'
|
|
3
|
+
require_relative 'helper'
|
|
4
|
+
|
|
5
|
+
namespace :ca do
|
|
6
|
+
desc 'Generate all the certificates for testing'
|
|
7
|
+
task :all => %i{ good ocsp_only crl_only empty revoked }
|
|
8
|
+
|
|
9
|
+
task :clean do
|
|
10
|
+
Dir.chdir 'spec/support/ca' do
|
|
11
|
+
sh 'rm -f *.crt *.crl *.key *.txt *.yaml'
|
|
12
|
+
end
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
desc 'Generate a signing CA for testing certificates'
|
|
16
|
+
task :root => 'spec/support/ca/root.key'
|
|
17
|
+
file 'spec/support/ca/root.key' do |t|
|
|
18
|
+
subject = OpenSSL::X509::Name.new
|
|
19
|
+
'C=US/ST=Florida/L=Miami/O=r509-cert-validator/CN='.split('/').each do |s|
|
|
20
|
+
key, value = s.split '=', 2
|
|
21
|
+
subject.add_entry key, value
|
|
22
|
+
end
|
|
23
|
+
csr = CaHelper.csr
|
|
24
|
+
cert = R509::CertificateAuthority::Signer.selfsign(
|
|
25
|
+
csr: csr,
|
|
26
|
+
not_after: (Time.now.to_i + (86400 * 3650)),
|
|
27
|
+
message_digest: 'sha1'
|
|
28
|
+
)
|
|
29
|
+
|
|
30
|
+
csr.key.write_pem 'spec/support/ca/root.key'
|
|
31
|
+
cert.write_pem 'spec/support/ca/root.crt'
|
|
32
|
+
|
|
33
|
+
sh "touch spec/support/ca/rcv_spec_list.txt"
|
|
34
|
+
sh "touch spec/support/ca/rcv_spec_crlnumber.txt"
|
|
35
|
+
end
|
|
36
|
+
file 'spec/support/ca/root.crt' => 'spec/support/ca/root.key'
|
|
37
|
+
file 'spec/support/ca/rcv_spec_list.txt' => 'spec/support/ca/root.key'
|
|
38
|
+
file 'spec/support/ca/rcv_spec_crlnumber.txt' => 'spec/support/ca/root.key
|
|
39
|
+
'
|
|
40
|
+
|
|
41
|
+
file 'spec/support/ca/config.yaml' => 'spec/support/ca/config.yaml.erb' do |s|
|
|
42
|
+
erb = ERB.new File.read s.prerequisites.first
|
|
43
|
+
b = binding
|
|
44
|
+
cert_path = File.expand_path 'spec/support/ca/'
|
|
45
|
+
File.open s.name, 'w' do |f|
|
|
46
|
+
f.write erb.result b
|
|
47
|
+
end
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
desc 'Generate a valid certificate with CRL and OCSP data'
|
|
51
|
+
task :good => 'spec/support/ca/good.crt'
|
|
52
|
+
file 'spec/support/ca/good.crt' => [:root, 'spec/support/ca/config.yaml'] do
|
|
53
|
+
ca = CaHelper.ca
|
|
54
|
+
csr = CaHelper.options_builder.build_and_enforce(
|
|
55
|
+
csr: CaHelper.csr,
|
|
56
|
+
profile_name: 'good'
|
|
57
|
+
)
|
|
58
|
+
|
|
59
|
+
cert = ca.sign csr
|
|
60
|
+
cert.write_pem 'spec/support/ca/good.crt'
|
|
61
|
+
end
|
|
62
|
+
|
|
63
|
+
desc 'Generate a valid certificate with only CRL data'
|
|
64
|
+
task :crl_only => 'spec/support/ca/crl_only.crt'
|
|
65
|
+
file 'spec/support/ca/crl_only.crt' => [:root, 'spec/support/ca/config.yaml'] do |t|
|
|
66
|
+
ca = CaHelper.ca
|
|
67
|
+
csr = CaHelper.options_builder.build_and_enforce(
|
|
68
|
+
csr: CaHelper.csr,
|
|
69
|
+
profile_name: 'crl_only'
|
|
70
|
+
)
|
|
71
|
+
cert = ca.sign csr
|
|
72
|
+
cert.write_pem 'spec/support/ca/crl_only.crt'
|
|
73
|
+
end
|
|
74
|
+
|
|
75
|
+
desc 'Generate a valid certificate with only OCSP data'
|
|
76
|
+
task :ocsp_only => 'spec/support/ca/ocsp_only.crt'
|
|
77
|
+
file 'spec/support/ca/ocsp_only.crt' => [:root, 'spec/support/ca/config.yaml'] do |t|
|
|
78
|
+
ca = CaHelper.ca
|
|
79
|
+
csr = CaHelper.options_builder.build_and_enforce(
|
|
80
|
+
csr: CaHelper.csr,
|
|
81
|
+
profile_name: 'ocsp_only'
|
|
82
|
+
)
|
|
83
|
+
cert = ca.sign csr
|
|
84
|
+
cert.write_pem 'spec/support/ca/ocsp_only.crt'
|
|
85
|
+
end
|
|
86
|
+
|
|
87
|
+
desc 'Generate a certificate and revoke it in both CRL and OCSP'
|
|
88
|
+
task :revoked => 'spec/support/ca/revoked.crt'
|
|
89
|
+
file 'spec/support/ca/revoked.crt' => [:root, 'spec/support/ca/config.yaml'] do |t|
|
|
90
|
+
ca = CaHelper.ca
|
|
91
|
+
csr = CaHelper.options_builder.build_and_enforce(
|
|
92
|
+
csr: CaHelper.csr,
|
|
93
|
+
profile_name: 'good'
|
|
94
|
+
)
|
|
95
|
+
|
|
96
|
+
cert = ca.sign csr
|
|
97
|
+
cert.write_pem 'spec/support/ca/revoked.crt'
|
|
98
|
+
|
|
99
|
+
admin = R509::CRL::Administrator.new CaHelper.pool['rcv_spec_ca']
|
|
100
|
+
admin.revoke_cert cert.serial
|
|
101
|
+
crl = admin.generate_crl
|
|
102
|
+
crl.write_pem 'spec/support/ca/rcv_spec.crl'
|
|
103
|
+
end
|
|
104
|
+
|
|
105
|
+
desc 'Generate a valid certificate with no CRL or OCSP data'
|
|
106
|
+
task :empty => 'spec/support/ca/empty.crt'
|
|
107
|
+
file 'spec/support/ca/empty.crt' => [:root, 'spec/support/ca/config.yaml'] do
|
|
108
|
+
ca = CaHelper.ca
|
|
109
|
+
cert = ca.sign csr: CaHelper.csr
|
|
110
|
+
cert.write_pem 'spec/support/ca/empty.crt'
|
|
111
|
+
end
|
|
112
|
+
end
|
data/lib/tasks/helper.rb
ADDED
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
require 'r509'
|
|
2
|
+
|
|
3
|
+
module CaHelper
|
|
4
|
+
def self.csr
|
|
5
|
+
R509::CSR.new(
|
|
6
|
+
subject: {
|
|
7
|
+
C: 'US',
|
|
8
|
+
ST: 'Florida',
|
|
9
|
+
L: 'Miami',
|
|
10
|
+
O: 'r509-cert-validator',
|
|
11
|
+
CN: 'localhost'
|
|
12
|
+
},
|
|
13
|
+
bit_length: 512,
|
|
14
|
+
type: 'RSA',
|
|
15
|
+
message_digest: 'sha1'
|
|
16
|
+
)
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def self.ca
|
|
20
|
+
@ca ||= R509::CertificateAuthority::Signer.new pool['rcv_spec_ca']
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
def self.options_builder
|
|
24
|
+
@builder ||= R509::CertificateAuthority::OptionsBuilder.new pool['rcv_spec_ca']
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
def self.pool
|
|
28
|
+
@pool ||= R509::Config::CAConfigPool.from_yaml(
|
|
29
|
+
'certificate_authorities',
|
|
30
|
+
File.read('spec/support/ca/config.yaml')
|
|
31
|
+
)
|
|
32
|
+
end
|
|
33
|
+
end
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
# coding: utf-8
|
|
2
|
+
lib = File.expand_path('../lib', __FILE__)
|
|
3
|
+
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
|
4
|
+
require 'r509/cert/validator/version'
|
|
5
|
+
|
|
6
|
+
Gem::Specification.new do |spec|
|
|
7
|
+
spec.name = "r509-cert-validator"
|
|
8
|
+
spec.version = R509::Cert::Validator::VERSION
|
|
9
|
+
spec.authors = ["Bryce Kerley"]
|
|
10
|
+
spec.email = ["bkerley@brycekerley.net"]
|
|
11
|
+
spec.description = %q{Tool for validating x509 certificates against CRLs and OCSP.}
|
|
12
|
+
spec.summary = %q{An r509-based tool for validating x509 certificates against CRLs and OCSP.}
|
|
13
|
+
spec.homepage = ""
|
|
14
|
+
spec.license = "MIT"
|
|
15
|
+
|
|
16
|
+
spec.files = `git ls-files`.split($/)
|
|
17
|
+
spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
|
|
18
|
+
spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
|
|
19
|
+
spec.require_paths = ["lib"]
|
|
20
|
+
|
|
21
|
+
spec.required_ruby_version = '~> 2.0'
|
|
22
|
+
|
|
23
|
+
spec.add_development_dependency "bundler", "~> 1.3"
|
|
24
|
+
spec.add_development_dependency "rake", "~> 10.1.1"
|
|
25
|
+
spec.add_development_dependency "rspec", "~> 2.14.1"
|
|
26
|
+
spec.add_development_dependency 'rack', '~> 1.5.2'
|
|
27
|
+
spec.add_development_dependency 'puma', '~> 2.7.1'
|
|
28
|
+
spec.add_development_dependency 'r509-ocsp-responder', '~> 0.3.3'
|
|
29
|
+
spec.add_development_dependency 'r509-validity-crl', '~> 0.1.1'
|
|
30
|
+
spec.add_runtime_dependency "r509", "~> 0.10.0"
|
|
31
|
+
end
|
data/spec/spec_helper.rb
ADDED
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
require 'r509/cert/validator'
|
|
2
|
+
|
|
3
|
+
def load_cert(name)
|
|
4
|
+
path = File.join(File.dirname(__FILE__), 'support', 'ca', name)
|
|
5
|
+
data = File.read path
|
|
6
|
+
return OpenSSL::X509::Certificate.new data
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
def cert(name)
|
|
10
|
+
R509::Cert.new cert: load_cert(name)
|
|
11
|
+
end
|
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
---
|
|
2
|
+
copy_nonce: true
|
|
3
|
+
certificate_authorities:
|
|
4
|
+
rcv_spec_ca:
|
|
5
|
+
ca_cert:
|
|
6
|
+
cert: <%= cert_path %>/root.crt
|
|
7
|
+
key: <%= cert_path %>/root.key
|
|
8
|
+
ocsp_start_skew_seconds: 3600
|
|
9
|
+
ocsp_validity_hours: 168
|
|
10
|
+
crl_list_file: <%= cert_path %>/rcv_spec_list.txt
|
|
11
|
+
crl_number_file: <%= cert_path %>/rcv_spec_crlnumber.txt
|
|
12
|
+
crl_validity_hours: 87600
|
|
13
|
+
crl_md: SHA1
|
|
14
|
+
profiles:
|
|
15
|
+
good:
|
|
16
|
+
authority_info_access:
|
|
17
|
+
:ocsp_location:
|
|
18
|
+
- :type: URI
|
|
19
|
+
:value: http://localhost:22022/ocsp
|
|
20
|
+
crl_distribution_points:
|
|
21
|
+
:value:
|
|
22
|
+
- :type: URI
|
|
23
|
+
:value: http://localhost:22022/crl
|
|
24
|
+
crl_only:
|
|
25
|
+
crl_distribution_points:
|
|
26
|
+
:value:
|
|
27
|
+
- :type: URI
|
|
28
|
+
:value: http://localhost:22022/crl
|
|
29
|
+
ocsp_only:
|
|
30
|
+
authority_info_access:
|
|
31
|
+
:ocsp_location:
|
|
32
|
+
- :type: URI
|
|
33
|
+
:value: http://localhost:22022/ocsp
|
|
34
|
+
certwriter:
|
|
35
|
+
path: <%= cert_path %>
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
require 'r509/ocsp/responder/server'
|
|
2
|
+
require 'r509/validity/crl'
|
|
3
|
+
require 'dependo'
|
|
4
|
+
require 'logger'
|
|
5
|
+
require 'rack'
|
|
6
|
+
|
|
7
|
+
crl_paths = [File.join(File.dirname(__FILE__), 'ca/rcv_spec.crl')]
|
|
8
|
+
|
|
9
|
+
reload_interval = '5s' #yolo
|
|
10
|
+
Dependo::Registry[:validity_checker] = R509::Validity::CRL::Checker.new(
|
|
11
|
+
crl_paths,
|
|
12
|
+
reload_interval
|
|
13
|
+
)
|
|
14
|
+
Dependo::Registry[:log] = Logger.new STDERR
|
|
15
|
+
|
|
16
|
+
Dir.chdir File.join(File.dirname(__FILE__), 'ca') do
|
|
17
|
+
R509::OCSP::Responder::OCSPConfig.load_config
|
|
18
|
+
end
|
|
19
|
+
R509::OCSP::Responder::OCSPConfig.print_config
|
|
20
|
+
|
|
21
|
+
responder = R509::OCSP::Responder::Server
|
|
22
|
+
|
|
23
|
+
Rack::Server.start(
|
|
24
|
+
app: Rack::URLMap.new(
|
|
25
|
+
'/ocsp' => R509::OCSP::Responder::Server,
|
|
26
|
+
'/crl' => Rack::File.new(File.join(File.dirname(__FILE__), 'ca', 'rcv_spec.crl'))
|
|
27
|
+
),
|
|
28
|
+
Port: 22022
|
|
29
|
+
)
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
**DO NOT USE THESE IN PRODUCTION**
|
|
2
|
+
|
|
3
|
+
This directory has certificates and a key for testing Riak authentication.
|
|
4
|
+
|
|
5
|
+
* no_validator.crt - a certificate with no CRL or OCSP data
|
|
6
|
+
* ca.crt - a certificate for the CA that issued no_validator.crt
|
|
7
|
+
* github_chain.crt - the complete set of certificates presented by
|
|
8
|
+
https://github.com at 6:48 PM US Eastern time on Feb. 6, 2014. This
|
|
9
|
+
certificate has CRL and OCSP endpoints.
|
|
10
|
+
* github.crt - the GitHub certificate from above
|
|
11
|
+
* digicert_ev.crt - the Digicert EV CA that issued github.crt
|
|
12
|
+
|
|
13
|
+
**DO NOT USE THESE IN PRODUCTION**
|
|
14
|
+
|
|
15
|
+
These were generated using https://github.com/basho-labs/riak-ruby-ca .
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
-----BEGIN CERTIFICATE-----
|
|
2
|
+
MIIDjDCCAnQCCQDrkNSIB3EtsDANBgkqhkiG9w0BAQUFADCBhzELMAkGA1UEBhMC
|
|
3
|
+
VVMxEDAOBgNVBAgMB0Zsb3JpZGExDjAMBgNVBAcMBU1pYW1pMQ4wDAYDVQQKDAVC
|
|
4
|
+
YXNobzEZMBcGA1UECwwQUmlhayBSdWJ5IENsaWVudDELMAkGA1UEAwwCQ0ExHjAc
|
|
5
|
+
BgkqhkiG9w0BCQEWD2JyeWNlQGJhc2hvLmNvbTAeFw0xNDAyMDUxNjI5MDBaFw0x
|
|
6
|
+
MzA4MDUxNjI5MDBaMIGHMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHRmxvcmlkYTEO
|
|
7
|
+
MAwGA1UEBwwFTWlhbWkxDjAMBgNVBAoMBUJhc2hvMRkwFwYDVQQLDBBSaWFrIFJ1
|
|
8
|
+
YnkgQ2xpZW50MQswCQYDVQQDDAJDQTEeMBwGCSqGSIb3DQEJARYPYnJ5Y2VAYmFz
|
|
9
|
+
aG8uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0OuLzsUEbF53
|
|
10
|
+
BGhI1uLbwAK+DoWWQL0kPB0cCFYXkfR0Y/wCeq0iDgwq0+CR2otmcMR8Sg13h8dm
|
|
11
|
+
YfKWnKeVh1uvWDasE9t1BXvi0b8gunwMvSz2DKwyxYqjI8+PGmL6tg2lcmlC/eHA
|
|
12
|
+
Y6ObowXycMW5mugcp524yeWpsJ+YBnDPwctKtMJExPAl4mZp9Y5kffeROBrWwkeg
|
|
13
|
+
1nbB1GJCPw9t2/4kMl7ksa7/b6dKbq/ra/zcfB0b0BC8dkoTKgcSaGVycFguIn1R
|
|
14
|
+
Xn0i3ruwN644ODt/H/3qQp1Qyh/jrz/aRMjuk/3jpwwzo5buoUYgk8FVGnG4x+FE
|
|
15
|
+
S+trFWOs7QIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBFxRahSTOmyYtqbcrDG7S5
|
|
16
|
+
eLghOpUr1jXU3dfVOf+/1u9g/HZCXYGPr+tRw+OsxiR5Cw6U8Nj2gQdZmsCkVMRp
|
|
17
|
+
3XUE2Wo5O+ogaV4l68ODZ+uS1yxjvRqoOC0M1/XtihCvNJtpLiaRMxysARp4wnH2
|
|
18
|
+
ReksBUMxwDl2tEYcczTXRiKRk2QL6BeQ+l08O9scbSjClso8Wfq+z5Z+qSuFwjC9
|
|
19
|
+
LpxR6aEc6HVnKgio/Pi+6MJwP7NafBXVfTUK9RoFnG8F/fPAbAPqxXK1qYoTHzHr
|
|
20
|
+
d44rhxSOHHNDq3074VlBbMtx+NvCoIk3k5/5Am1rmezxGtA9ESofEgSo1/H9oQYH
|
|
21
|
+
-----END CERTIFICATE-----
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
-----BEGIN CERTIFICATE-----
|
|
2
|
+
MIIG5jCCBc6gAwIBAgIQAze5KDR8YKauxa2xIX84YDANBgkqhkiG9w0BAQUFADBs
|
|
3
|
+
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
|
|
4
|
+
d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
|
|
5
|
+
ZSBFViBSb290IENBMB4XDTA3MTEwOTEyMDAwMFoXDTIxMTExMDAwMDAwMFowaTEL
|
|
6
|
+
MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
|
|
7
|
+
LmRpZ2ljZXJ0LmNvbTEoMCYGA1UEAxMfRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug
|
|
8
|
+
RVYgQ0EtMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPOWYth1bhn/
|
|
9
|
+
PzR8SU8xfg0ETpmB4rOFVZEwscCvcLssqOcYqj9495BoUoYBiJfiOwZlkKq9ZXbC
|
|
10
|
+
7L4QWzd4g2B1Rca9dKq2n6Q6AVAXxDlpufFP74LByvNK28yeUE9NQKM6kOeGZrzw
|
|
11
|
+
PnYoTNF1gJ5qNRQ1A57bDIzCKK1Qss72kaPDpQpYSfZ1RGy6+c7pqzoC4E3zrOJ6
|
|
12
|
+
4GAiBTyC01Li85xH+DvYskuTVkq/cKs+6WjIHY9YHSpNXic9rQpZL1oRIEDZaARo
|
|
13
|
+
LfTAhAsKG3jf7RpY3PtBWm1r8u0c7lwytlzs16YDMqbo3rcoJ1mIgP97rYlY1R4U
|
|
14
|
+
pPKwcNSgPqcCAwEAAaOCA4UwggOBMA4GA1UdDwEB/wQEAwIBhjA7BgNVHSUENDAy
|
|
15
|
+
BggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUH
|
|
16
|
+
AwgwggHEBgNVHSAEggG7MIIBtzCCAbMGCWCGSAGG/WwCATCCAaQwOgYIKwYBBQUH
|
|
17
|
+
AgEWLmh0dHA6Ly93d3cuZGlnaWNlcnQuY29tL3NzbC1jcHMtcmVwb3NpdG9yeS5o
|
|
18
|
+
dG0wggFkBggrBgEFBQcCAjCCAVYeggFSAEEAbgB5ACAAdQBzAGUAIABvAGYAIAB0
|
|
19
|
+
AGgAaQBzACAAQwBlAHIAdABpAGYAaQBjAGEAdABlACAAYwBvAG4AcwB0AGkAdAB1
|
|
20
|
+
AHQAZQBzACAAYQBjAGMAZQBwAHQAYQBuAGMAZQAgAG8AZgAgAHQAaABlACAARABp
|
|
21
|
+
AGcAaQBDAGUAcgB0ACAARQBWACAAQwBQAFMAIABhAG4AZAAgAHQAaABlACAAUgBl
|
|
22
|
+
AGwAeQBpAG4AZwAgAFAAYQByAHQAeQAgAEEAZwByAGUAZQBtAGUAbgB0ACAAdwBo
|
|
23
|
+
AGkAYwBoACAAbABpAG0AaQB0ACAAbABpAGEAYgBpAGwAaQB0AHkAIABhAG4AZAAg
|
|
24
|
+
AGEAcgBlACAAaQBuAGMAbwByAHAAbwByAGEAdABlAGQAIABoAGUAcgBlAGkAbgAg
|
|
25
|
+
AGIAeQAgAHIAZQBmAGUAcgBlAG4AYwBlAC4wEgYDVR0TAQH/BAgwBgEB/wIBADCB
|
|
26
|
+
gwYIKwYBBQUHAQEEdzB1MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
|
|
27
|
+
dC5jb20wTQYIKwYBBQUHMAKGQWh0dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NBQ2Vy
|
|
28
|
+
dHMvRGlnaUNlcnRIaWdoQXNzdXJhbmNlRVZSb290Q0EuY3J0MIGPBgNVHR8EgYcw
|
|
29
|
+
gYQwQKA+oDyGOmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEhpZ2hB
|
|
30
|
+
c3N1cmFuY2VFVlJvb3RDQS5jcmwwQKA+oDyGOmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0
|
|
31
|
+
LmNvbS9EaWdpQ2VydEhpZ2hBc3N1cmFuY2VFVlJvb3RDQS5jcmwwHQYDVR0OBBYE
|
|
32
|
+
FExYyyXwQU9S9CjIgUObpqig5pLlMB8GA1UdIwQYMBaAFLE+w2kD+L9HAdSYJhoI
|
|
33
|
+
Au9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQBMeheHKF0XvLIyc7/NLvVYMR3wsXFU
|
|
34
|
+
nNabZ5PbLwM+Fm8eA8lThKNWYB54lBuiqG+jpItSkdfdXJW777UWSemlQk808kf/
|
|
35
|
+
roF/E1S3IMRwFcuBCoHLdFfcnN8kpCkMGPAc5K4HM+zxST5Vz25PDVR708noFUjU
|
|
36
|
+
xbvcNRx3RQdIRYW9135TuMAW2ZXNi419yWBP0aKb49Aw1rRzNubS+QOy46T15bg+
|
|
37
|
+
BEkAui6mSnKDcp33C4ypieez12Qf1uNgywPE3IjpnSUBAHHLA7QpYCWP+UbRe3Gu
|
|
38
|
+
zVMSW4SOwg/H7ZMZ2cn6j1g0djIvruFQFGHUqFijyDATI+/GJYw2jxyA
|
|
39
|
+
-----END CERTIFICATE-----
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
-----BEGIN CERTIFICATE-----
|
|
2
|
+
MIIHOjCCBiKgAwIBAgIQBH++LkveAITSyvjj7P5wWDANBgkqhkiG9w0BAQUFADBp
|
|
3
|
+
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
|
|
4
|
+
d3cuZGlnaWNlcnQuY29tMSgwJgYDVQQDEx9EaWdpQ2VydCBIaWdoIEFzc3VyYW5j
|
|
5
|
+
ZSBFViBDQS0xMB4XDTEzMDYxMDAwMDAwMFoXDTE1MDkwMjEyMDAwMFowgfAxHTAb
|
|
6
|
+
BgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYBBAGCNzwCAQMTAlVT
|
|
7
|
+
MRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYDVQQFEwc1MTU3NTUwMRcw
|
|
8
|
+
FQYDVQQJEw41NDggNHRoIFN0cmVldDEOMAwGA1UEERMFOTQxMDcxCzAJBgNVBAYT
|
|
9
|
+
AlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
|
|
10
|
+
MRUwEwYDVQQKEwxHaXRIdWIsIEluYy4xEzARBgNVBAMTCmdpdGh1Yi5jb20wggEi
|
|
11
|
+
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDt04nDXXByCfMzTxpydNm2WpVQ
|
|
12
|
+
u2hhn/f7Hxnh2gQxrxV8Gn/5c68d5UMrVgkARWlK6MRb38J3UlEZW9Er2TllNqAy
|
|
13
|
+
GRxBc/sysj2fmOyCWws3ZDkstxCDcs3w6iRL+tmULsOFFTmpOvaI2vQniaaVT4Si
|
|
14
|
+
N058JXg6yYNtAheVeH1HqFWD7hPIGRqzPPFf/jsC4YX7EWarCV2fTEPwxyReKXIo
|
|
15
|
+
ztR1aE8kcimuOSj8341PTYNzdAxvEZun3WLe/+LrF+b/DL/ALTE71lmi8t2HSkh7
|
|
16
|
+
bTMRFE00nzI49sgZnfG2PcVG71ELisYz7UhhxB0XG718tmfpOc+lUoAK9OrNAgMB
|
|
17
|
+
AAGjggNUMIIDUDAfBgNVHSMEGDAWgBRMWMsl8EFPUvQoyIFDm6aooOaS5TAdBgNV
|
|
18
|
+
HQ4EFgQUh9GPGW7kh29TjHeRB1Dfo79VRyAwJQYDVR0RBB4wHIIKZ2l0aHViLmNv
|
|
19
|
+
bYIOd3d3LmdpdGh1Yi5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsG
|
|
20
|
+
AQUFBwMBBggrBgEFBQcDAjBjBgNVHR8EXDBaMCugKaAnhiVodHRwOi8vY3JsMy5k
|
|
21
|
+
aWdpY2VydC5jb20vZXZjYTEtZzIuY3JsMCugKaAnhiVodHRwOi8vY3JsNC5kaWdp
|
|
22
|
+
Y2VydC5jb20vZXZjYTEtZzIuY3JsMIIBxAYDVR0gBIIBuzCCAbcwggGzBglghkgB
|
|
23
|
+
hv1sAgEwggGkMDoGCCsGAQUFBwIBFi5odHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9z
|
|
24
|
+
c2wtY3BzLXJlcG9zaXRvcnkuaHRtMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4A
|
|
25
|
+
eQAgAHUAcwBlACAAbwBmACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQA
|
|
26
|
+
ZQAgAGMAbwBuAHMAdABpAHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUA
|
|
27
|
+
IABvAGYAIAB0AGgAZQAgAEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABTACAA
|
|
28
|
+
YQBuAGQAIAB0AGgAZQAgAFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABBAGcA
|
|
29
|
+
cgBlAGUAbQBlAG4AdAAgAHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBhAGIA
|
|
30
|
+
aQBsAGkAdAB5ACAAYQBuAGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQA
|
|
31
|
+
ZQBkACAAaABlAHIAZQBpAG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMH0G
|
|
32
|
+
CCsGAQUFBwEBBHEwbzAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQu
|
|
33
|
+
Y29tMEcGCCsGAQUFBzAChjtodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGln
|
|
34
|
+
aUNlcnRIaWdoQXNzdXJhbmNlRVZDQS0xLmNydDAMBgNVHRMBAf8EAjAAMA0GCSqG
|
|
35
|
+
SIb3DQEBBQUAA4IBAQBfFW1nwzrVo94WnEUzJtU9yRZ0NMqHSBsUkG31q0eGufW4
|
|
36
|
+
4wFFZWjuqRJ1n3Ym7xF8fTjP3fdKGQnxIHKSsE0nuuh/XbQX5DpBJknHdGFoLwY8
|
|
37
|
+
xZ9JPI57vgvzLo8+fwHyZp3Vm/o5IYLEQViSo+nlOSUQ8YAVqu6KcsP/e612UiqS
|
|
38
|
+
+UMBmgdx9KPDDzZy4MJZC2hbfUoXj9A54mJN8cuEOPyw3c3yKOcq/h48KzVguQXi
|
|
39
|
+
SdJbwfqNIbQ9oJM+YzDjzS62+TCtNSNWzWbwABZCmuQxK0oEOSbTmbhxUF7rND3/
|
|
40
|
+
+mx9u8cY//7uAxLWYS5gIZlCbxcf0lkiKSHJB319
|
|
41
|
+
-----END CERTIFICATE-----
|
|
@@ -0,0 +1,112 @@
|
|
|
1
|
+
CONNECTED(00000003)
|
|
2
|
+
---
|
|
3
|
+
Certificate chain
|
|
4
|
+
0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
|
|
5
|
+
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
|
|
6
|
+
-----BEGIN CERTIFICATE-----
|
|
7
|
+
MIIHOjCCBiKgAwIBAgIQBH++LkveAITSyvjj7P5wWDANBgkqhkiG9w0BAQUFADBp
|
|
8
|
+
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
|
|
9
|
+
d3cuZGlnaWNlcnQuY29tMSgwJgYDVQQDEx9EaWdpQ2VydCBIaWdoIEFzc3VyYW5j
|
|
10
|
+
ZSBFViBDQS0xMB4XDTEzMDYxMDAwMDAwMFoXDTE1MDkwMjEyMDAwMFowgfAxHTAb
|
|
11
|
+
BgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYBBAGCNzwCAQMTAlVT
|
|
12
|
+
MRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYDVQQFEwc1MTU3NTUwMRcw
|
|
13
|
+
FQYDVQQJEw41NDggNHRoIFN0cmVldDEOMAwGA1UEERMFOTQxMDcxCzAJBgNVBAYT
|
|
14
|
+
AlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
|
|
15
|
+
MRUwEwYDVQQKEwxHaXRIdWIsIEluYy4xEzARBgNVBAMTCmdpdGh1Yi5jb20wggEi
|
|
16
|
+
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDt04nDXXByCfMzTxpydNm2WpVQ
|
|
17
|
+
u2hhn/f7Hxnh2gQxrxV8Gn/5c68d5UMrVgkARWlK6MRb38J3UlEZW9Er2TllNqAy
|
|
18
|
+
GRxBc/sysj2fmOyCWws3ZDkstxCDcs3w6iRL+tmULsOFFTmpOvaI2vQniaaVT4Si
|
|
19
|
+
N058JXg6yYNtAheVeH1HqFWD7hPIGRqzPPFf/jsC4YX7EWarCV2fTEPwxyReKXIo
|
|
20
|
+
ztR1aE8kcimuOSj8341PTYNzdAxvEZun3WLe/+LrF+b/DL/ALTE71lmi8t2HSkh7
|
|
21
|
+
bTMRFE00nzI49sgZnfG2PcVG71ELisYz7UhhxB0XG718tmfpOc+lUoAK9OrNAgMB
|
|
22
|
+
AAGjggNUMIIDUDAfBgNVHSMEGDAWgBRMWMsl8EFPUvQoyIFDm6aooOaS5TAdBgNV
|
|
23
|
+
HQ4EFgQUh9GPGW7kh29TjHeRB1Dfo79VRyAwJQYDVR0RBB4wHIIKZ2l0aHViLmNv
|
|
24
|
+
bYIOd3d3LmdpdGh1Yi5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsG
|
|
25
|
+
AQUFBwMBBggrBgEFBQcDAjBjBgNVHR8EXDBaMCugKaAnhiVodHRwOi8vY3JsMy5k
|
|
26
|
+
aWdpY2VydC5jb20vZXZjYTEtZzIuY3JsMCugKaAnhiVodHRwOi8vY3JsNC5kaWdp
|
|
27
|
+
Y2VydC5jb20vZXZjYTEtZzIuY3JsMIIBxAYDVR0gBIIBuzCCAbcwggGzBglghkgB
|
|
28
|
+
hv1sAgEwggGkMDoGCCsGAQUFBwIBFi5odHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9z
|
|
29
|
+
c2wtY3BzLXJlcG9zaXRvcnkuaHRtMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4A
|
|
30
|
+
eQAgAHUAcwBlACAAbwBmACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQA
|
|
31
|
+
ZQAgAGMAbwBuAHMAdABpAHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUA
|
|
32
|
+
IABvAGYAIAB0AGgAZQAgAEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABTACAA
|
|
33
|
+
YQBuAGQAIAB0AGgAZQAgAFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABBAGcA
|
|
34
|
+
cgBlAGUAbQBlAG4AdAAgAHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBhAGIA
|
|
35
|
+
aQBsAGkAdAB5ACAAYQBuAGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQA
|
|
36
|
+
ZQBkACAAaABlAHIAZQBpAG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMH0G
|
|
37
|
+
CCsGAQUFBwEBBHEwbzAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQu
|
|
38
|
+
Y29tMEcGCCsGAQUFBzAChjtodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGln
|
|
39
|
+
aUNlcnRIaWdoQXNzdXJhbmNlRVZDQS0xLmNydDAMBgNVHRMBAf8EAjAAMA0GCSqG
|
|
40
|
+
SIb3DQEBBQUAA4IBAQBfFW1nwzrVo94WnEUzJtU9yRZ0NMqHSBsUkG31q0eGufW4
|
|
41
|
+
4wFFZWjuqRJ1n3Ym7xF8fTjP3fdKGQnxIHKSsE0nuuh/XbQX5DpBJknHdGFoLwY8
|
|
42
|
+
xZ9JPI57vgvzLo8+fwHyZp3Vm/o5IYLEQViSo+nlOSUQ8YAVqu6KcsP/e612UiqS
|
|
43
|
+
+UMBmgdx9KPDDzZy4MJZC2hbfUoXj9A54mJN8cuEOPyw3c3yKOcq/h48KzVguQXi
|
|
44
|
+
SdJbwfqNIbQ9oJM+YzDjzS62+TCtNSNWzWbwABZCmuQxK0oEOSbTmbhxUF7rND3/
|
|
45
|
+
+mx9u8cY//7uAxLWYS5gIZlCbxcf0lkiKSHJB319
|
|
46
|
+
-----END CERTIFICATE-----
|
|
47
|
+
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
|
|
48
|
+
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
|
|
49
|
+
-----BEGIN CERTIFICATE-----
|
|
50
|
+
MIIG5jCCBc6gAwIBAgIQAze5KDR8YKauxa2xIX84YDANBgkqhkiG9w0BAQUFADBs
|
|
51
|
+
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
|
|
52
|
+
d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
|
|
53
|
+
ZSBFViBSb290IENBMB4XDTA3MTEwOTEyMDAwMFoXDTIxMTExMDAwMDAwMFowaTEL
|
|
54
|
+
MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
|
|
55
|
+
LmRpZ2ljZXJ0LmNvbTEoMCYGA1UEAxMfRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug
|
|
56
|
+
RVYgQ0EtMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPOWYth1bhn/
|
|
57
|
+
PzR8SU8xfg0ETpmB4rOFVZEwscCvcLssqOcYqj9495BoUoYBiJfiOwZlkKq9ZXbC
|
|
58
|
+
7L4QWzd4g2B1Rca9dKq2n6Q6AVAXxDlpufFP74LByvNK28yeUE9NQKM6kOeGZrzw
|
|
59
|
+
PnYoTNF1gJ5qNRQ1A57bDIzCKK1Qss72kaPDpQpYSfZ1RGy6+c7pqzoC4E3zrOJ6
|
|
60
|
+
4GAiBTyC01Li85xH+DvYskuTVkq/cKs+6WjIHY9YHSpNXic9rQpZL1oRIEDZaARo
|
|
61
|
+
LfTAhAsKG3jf7RpY3PtBWm1r8u0c7lwytlzs16YDMqbo3rcoJ1mIgP97rYlY1R4U
|
|
62
|
+
pPKwcNSgPqcCAwEAAaOCA4UwggOBMA4GA1UdDwEB/wQEAwIBhjA7BgNVHSUENDAy
|
|
63
|
+
BggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUH
|
|
64
|
+
AwgwggHEBgNVHSAEggG7MIIBtzCCAbMGCWCGSAGG/WwCATCCAaQwOgYIKwYBBQUH
|
|
65
|
+
AgEWLmh0dHA6Ly93d3cuZGlnaWNlcnQuY29tL3NzbC1jcHMtcmVwb3NpdG9yeS5o
|
|
66
|
+
dG0wggFkBggrBgEFBQcCAjCCAVYeggFSAEEAbgB5ACAAdQBzAGUAIABvAGYAIAB0
|
|
67
|
+
AGgAaQBzACAAQwBlAHIAdABpAGYAaQBjAGEAdABlACAAYwBvAG4AcwB0AGkAdAB1
|
|
68
|
+
AHQAZQBzACAAYQBjAGMAZQBwAHQAYQBuAGMAZQAgAG8AZgAgAHQAaABlACAARABp
|
|
69
|
+
AGcAaQBDAGUAcgB0ACAARQBWACAAQwBQAFMAIABhAG4AZAAgAHQAaABlACAAUgBl
|
|
70
|
+
AGwAeQBpAG4AZwAgAFAAYQByAHQAeQAgAEEAZwByAGUAZQBtAGUAbgB0ACAAdwBo
|
|
71
|
+
AGkAYwBoACAAbABpAG0AaQB0ACAAbABpAGEAYgBpAGwAaQB0AHkAIABhAG4AZAAg
|
|
72
|
+
AGEAcgBlACAAaQBuAGMAbwByAHAAbwByAGEAdABlAGQAIABoAGUAcgBlAGkAbgAg
|
|
73
|
+
AGIAeQAgAHIAZQBmAGUAcgBlAG4AYwBlAC4wEgYDVR0TAQH/BAgwBgEB/wIBADCB
|
|
74
|
+
gwYIKwYBBQUHAQEEdzB1MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
|
|
75
|
+
dC5jb20wTQYIKwYBBQUHMAKGQWh0dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NBQ2Vy
|
|
76
|
+
dHMvRGlnaUNlcnRIaWdoQXNzdXJhbmNlRVZSb290Q0EuY3J0MIGPBgNVHR8EgYcw
|
|
77
|
+
gYQwQKA+oDyGOmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEhpZ2hB
|
|
78
|
+
c3N1cmFuY2VFVlJvb3RDQS5jcmwwQKA+oDyGOmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0
|
|
79
|
+
LmNvbS9EaWdpQ2VydEhpZ2hBc3N1cmFuY2VFVlJvb3RDQS5jcmwwHQYDVR0OBBYE
|
|
80
|
+
FExYyyXwQU9S9CjIgUObpqig5pLlMB8GA1UdIwQYMBaAFLE+w2kD+L9HAdSYJhoI
|
|
81
|
+
Au9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQBMeheHKF0XvLIyc7/NLvVYMR3wsXFU
|
|
82
|
+
nNabZ5PbLwM+Fm8eA8lThKNWYB54lBuiqG+jpItSkdfdXJW777UWSemlQk808kf/
|
|
83
|
+
roF/E1S3IMRwFcuBCoHLdFfcnN8kpCkMGPAc5K4HM+zxST5Vz25PDVR708noFUjU
|
|
84
|
+
xbvcNRx3RQdIRYW9135TuMAW2ZXNi419yWBP0aKb49Aw1rRzNubS+QOy46T15bg+
|
|
85
|
+
BEkAui6mSnKDcp33C4ypieez12Qf1uNgywPE3IjpnSUBAHHLA7QpYCWP+UbRe3Gu
|
|
86
|
+
zVMSW4SOwg/H7ZMZ2cn6j1g0djIvruFQFGHUqFijyDATI+/GJYw2jxyA
|
|
87
|
+
-----END CERTIFICATE-----
|
|
88
|
+
---
|
|
89
|
+
Server certificate
|
|
90
|
+
subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
|
|
91
|
+
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
|
|
92
|
+
---
|
|
93
|
+
No client certificate CA names sent
|
|
94
|
+
---
|
|
95
|
+
SSL handshake has read 3796 bytes and written 456 bytes
|
|
96
|
+
---
|
|
97
|
+
New, TLSv1/SSLv3, Cipher is AES128-SHA
|
|
98
|
+
Server public key is 2048 bit
|
|
99
|
+
Secure Renegotiation IS supported
|
|
100
|
+
Compression: NONE
|
|
101
|
+
Expansion: NONE
|
|
102
|
+
SSL-Session:
|
|
103
|
+
Protocol : TLSv1
|
|
104
|
+
Cipher : AES128-SHA
|
|
105
|
+
Session-ID: 68A4FF6A1FAFD9EF2AC080C4E9A42433A0C27815CB17F0A6C24B455E17A49D0B
|
|
106
|
+
Session-ID-ctx:
|
|
107
|
+
Master-Key: 324790F1157F795B7716645002F4E5515CF874B8AF64370245B67C45B4CBFF50A71CA54E5FDDF8AEE58ED4201C127B64
|
|
108
|
+
Key-Arg : None
|
|
109
|
+
Start Time: 1391730515
|
|
110
|
+
Timeout : 300 (sec)
|
|
111
|
+
Verify return code: 0 (ok)
|
|
112
|
+
---
|
|
@@ -0,0 +1,94 @@
|
|
|
1
|
+
Certificate:
|
|
2
|
+
Data:
|
|
3
|
+
Version: 3 (0x2)
|
|
4
|
+
Serial Number: 7353680 (0x703550)
|
|
5
|
+
Signature Algorithm: sha1WithRSAEncryption
|
|
6
|
+
Issuer: C=US, ST=Florida, L=Miami, O=Basho, OU=Riak Ruby Client, CN=CA/emailAddress=bryce@basho.com
|
|
7
|
+
Validity
|
|
8
|
+
Not Before: Feb 5 16:29:00 2014 GMT
|
|
9
|
+
Not After : Feb 3 16:29:00 2024 GMT
|
|
10
|
+
Subject: C=US, ST=Florida, O=Basho, OU=Riak Ruby client, CN=localhost/emailAddress=bryce@basho.com
|
|
11
|
+
Subject Public Key Info:
|
|
12
|
+
Public Key Algorithm: rsaEncryption
|
|
13
|
+
Public-Key: (2048 bit)
|
|
14
|
+
Modulus:
|
|
15
|
+
00:cc:37:29:ad:9d:f1:93:6f:6c:61:ba:14:ac:70:
|
|
16
|
+
98:7d:5c:11:97:64:6e:10:72:7a:81:d0:97:c7:5d:
|
|
17
|
+
b3:5e:6b:ed:57:29:eb:54:3b:ee:c8:40:3c:57:54:
|
|
18
|
+
7f:1a:0f:66:f7:8d:4c:49:d0:56:3f:8f:27:6a:1c:
|
|
19
|
+
98:31:4d:c5:d5:01:50:6a:e3:d2:a4:19:65:b6:38:
|
|
20
|
+
b8:81:c9:e7:46:51:79:8b:1a:92:ee:a4:d8:0e:ef:
|
|
21
|
+
dc:4b:1d:08:ec:b8:13:22:7c:85:7f:ff:a3:ef:bc:
|
|
22
|
+
23:ba:dd:b4:e8:bf:f3:6a:e9:3c:89:fc:9c:b9:7d:
|
|
23
|
+
1e:a5:61:b0:fe:b5:74:e2:ab:9e:42:7d:9e:f0:ee:
|
|
24
|
+
28:5a:d4:fb:b5:fc:d0:05:6c:72:cf:04:6a:d4:6d:
|
|
25
|
+
5f:f9:eb:97:a8:cf:fa:79:ee:82:ed:00:47:18:80:
|
|
26
|
+
a3:9f:2e:86:74:c4:6e:b9:e1:da:d1:87:1c:10:d5:
|
|
27
|
+
f3:87:fb:71:ce:55:ee:7e:53:f2:88:b6:15:aa:a9:
|
|
28
|
+
4e:d0:b4:a2:27:04:3b:af:61:88:2a:b3:c1:90:c0:
|
|
29
|
+
41:d7:e0:43:63:ee:55:b7:3a:f4:c3:56:c7:88:d4:
|
|
30
|
+
c9:4e:ca:55:9d:d4:3f:30:7c:ea:34:8a:5c:31:90:
|
|
31
|
+
0b:ad:7f:35:cc:b8:0d:5a:f4:f4:f1:2b:86:0a:c2:
|
|
32
|
+
df:4f
|
|
33
|
+
Exponent: 65537 (0x10001)
|
|
34
|
+
X509v3 extensions:
|
|
35
|
+
X509v3 Basic Constraints:
|
|
36
|
+
CA:FALSE
|
|
37
|
+
Netscape Cert Type:
|
|
38
|
+
SSL Client, SSL Server
|
|
39
|
+
X509v3 Key Usage:
|
|
40
|
+
Digital Signature, Non Repudiation, Key Encipherment
|
|
41
|
+
Netscape Comment:
|
|
42
|
+
Riak Ruby Client Testing Certificate
|
|
43
|
+
X509v3 Subject Key Identifier:
|
|
44
|
+
CD:69:91:9F:7F:4F:EC:4D:76:95:87:41:D4:A7:5F:62:9C:E2:7F:8A
|
|
45
|
+
X509v3 Authority Key Identifier:
|
|
46
|
+
DirName:/C=US/ST=Florida/L=Miami/O=Basho/OU=Riak Ruby Client/CN=CA/emailAddress=bryce@basho.com
|
|
47
|
+
serial:EB:90:D4:88:07:71:2D:B0
|
|
48
|
+
|
|
49
|
+
X509v3 Extended Key Usage:
|
|
50
|
+
TLS Web Server Authentication, TLS Web Client Authentication
|
|
51
|
+
Signature Algorithm: sha1WithRSAEncryption
|
|
52
|
+
39:20:28:de:26:20:af:e3:d2:59:92:a9:43:95:b9:25:83:2e:
|
|
53
|
+
6e:a2:32:66:53:a8:ef:6b:96:b1:44:8f:74:3f:f2:01:6f:96:
|
|
54
|
+
af:3b:70:67:1a:1e:39:68:6a:57:b0:b8:89:e7:ed:50:34:ef:
|
|
55
|
+
53:bd:96:68:94:ab:8b:3f:f7:20:be:1a:52:80:0a:11:ee:dc:
|
|
56
|
+
dc:93:01:11:3d:91:e5:93:d8:0c:b0:05:44:fa:a7:d1:c9:32:
|
|
57
|
+
be:58:58:48:40:66:dd:8f:bc:b0:02:84:05:c3:e8:e4:77:f9:
|
|
58
|
+
ff:a9:09:b7:a0:9b:3a:ea:a5:c9:02:8f:eb:30:aa:f6:92:bf:
|
|
59
|
+
38:ef:fb:6c:5d:e5:7b:c7:57:86:74:06:ca:e5:86:70:40:35:
|
|
60
|
+
50:51:df:28:44:fa:d0:a3:30:ae:aa:71:34:32:a5:dc:f7:7e:
|
|
61
|
+
70:a7:ed:c1:e7:20:77:a0:27:16:00:4d:74:90:5a:29:9b:b3:
|
|
62
|
+
43:5f:0b:b2:4e:d5:c8:8f:ab:e6:92:f5:57:b0:b4:f8:fd:be:
|
|
63
|
+
a1:12:9f:06:fa:5e:da:bd:1c:fc:08:e4:d8:de:5e:82:a8:dc:
|
|
64
|
+
8b:3b:61:b5:65:ce:b3:2c:a0:fc:8e:a1:28:33:ca:a5:b8:0a:
|
|
65
|
+
45:29:b8:ba:ab:f1:77:42:e5:a8:2d:b7:67:6c:75:18:f4:ce:
|
|
66
|
+
91:ea:62:80
|
|
67
|
+
-----BEGIN CERTIFICATE-----
|
|
68
|
+
MIIE0DCCA7igAwIBAgIDcDVQMA0GCSqGSIb3DQEBBQUAMIGHMQswCQYDVQQGEwJV
|
|
69
|
+
UzEQMA4GA1UECAwHRmxvcmlkYTEOMAwGA1UEBwwFTWlhbWkxDjAMBgNVBAoMBUJh
|
|
70
|
+
c2hvMRkwFwYDVQQLDBBSaWFrIFJ1YnkgQ2xpZW50MQswCQYDVQQDDAJDQTEeMBwG
|
|
71
|
+
CSqGSIb3DQEJARYPYnJ5Y2VAYmFzaG8uY29tMB4XDTE0MDIwNTE2MjkwMFoXDTI0
|
|
72
|
+
MDIwMzE2MjkwMFowfjELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0Zsb3JpZGExDjAM
|
|
73
|
+
BgNVBAoMBUJhc2hvMRkwFwYDVQQLDBBSaWFrIFJ1YnkgY2xpZW50MRIwEAYDVQQD
|
|
74
|
+
DAlsb2NhbGhvc3QxHjAcBgkqhkiG9w0BCQEWD2JyeWNlQGJhc2hvLmNvbTCCASIw
|
|
75
|
+
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMw3Ka2d8ZNvbGG6FKxwmH1cEZdk
|
|
76
|
+
bhByeoHQl8dds15r7Vcp61Q77shAPFdUfxoPZveNTEnQVj+PJ2ocmDFNxdUBUGrj
|
|
77
|
+
0qQZZbY4uIHJ50ZReYsaku6k2A7v3EsdCOy4EyJ8hX//o++8I7rdtOi/82rpPIn8
|
|
78
|
+
nLl9HqVhsP61dOKrnkJ9nvDuKFrU+7X80AVscs8EatRtX/nrl6jP+nnugu0ARxiA
|
|
79
|
+
o58uhnTEbrnh2tGHHBDV84f7cc5V7n5T8oi2FaqpTtC0oicEO69hiCqzwZDAQdfg
|
|
80
|
+
Q2PuVbc69MNWx4jUyU7KVZ3UPzB86jSKXDGQC61/Ncy4DVr09PErhgrC308CAwEA
|
|
81
|
+
AaOCAUswggFHMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgbAMAsGA1UdDwQE
|
|
82
|
+
AwIF4DAzBglghkgBhvhCAQ0EJhYkUmlhayBSdWJ5IENsaWVudCBUZXN0aW5nIENl
|
|
83
|
+
cnRpZmljYXRlMB0GA1UdDgQWBBTNaZGff0/sTXaVh0HUp19inOJ/ijCBpgYDVR0j
|
|
84
|
+
BIGeMIGboYGNpIGKMIGHMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHRmxvcmlkYTEO
|
|
85
|
+
MAwGA1UEBwwFTWlhbWkxDjAMBgNVBAoMBUJhc2hvMRkwFwYDVQQLDBBSaWFrIFJ1
|
|
86
|
+
YnkgQ2xpZW50MQswCQYDVQQDDAJDQTEeMBwGCSqGSIb3DQEJARYPYnJ5Y2VAYmFz
|
|
87
|
+
aG8uY29tggkA65DUiAdxLbAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
|
|
88
|
+
MA0GCSqGSIb3DQEBBQUAA4IBAQA5ICjeJiCv49JZkqlDlbklgy5uojJmU6jva5ax
|
|
89
|
+
RI90P/IBb5avO3BnGh45aGpXsLiJ5+1QNO9TvZZolKuLP/cgvhpSgAoR7tzckwER
|
|
90
|
+
PZHlk9gMsAVE+qfRyTK+WFhIQGbdj7ywAoQFw+jkd/n/qQm3oJs66qXJAo/rMKr2
|
|
91
|
+
kr847/tsXeV7x1eGdAbK5YZwQDVQUd8oRPrQozCuqnE0MqXc935wp+3B5yB3oCcW
|
|
92
|
+
AE10kFopm7NDXwuyTtXIj6vmkvVXsLT4/b6hEp8G+l7avRz8COTY3l6CqNyLO2G1
|
|
93
|
+
Zc6zLKD8jqEoM8qluApFKbi6q/F3QuWoLbdnbHUY9M6R6mKA
|
|
94
|
+
-----END CERTIFICATE-----
|
|
@@ -0,0 +1,73 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
|
|
3
|
+
describe R509::Cert::Validator do
|
|
4
|
+
let(:issuer_cert){ cert('root.crt') }
|
|
5
|
+
|
|
6
|
+
describe 'with a cert without CRL or OCSP data' do
|
|
7
|
+
let(:no_validator_cert){ cert('empty.crt') }
|
|
8
|
+
subject{ described_class.new no_validator_cert }
|
|
9
|
+
|
|
10
|
+
it 'should validate' do
|
|
11
|
+
expect{ subject.validate }.to_not raise_error
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
it 'should refuse to validate with CRL or OCSP' do
|
|
15
|
+
expect{ subject.validate crl: true }.to raise_error
|
|
16
|
+
expect{ subject.validate ocsp: true }.to raise_error
|
|
17
|
+
end
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
describe 'with a cert with CRL and OCSP data' do
|
|
21
|
+
let(:good_cert){ cert('good.crt') }
|
|
22
|
+
subject{ described_class.new good_cert, issuer_cert }
|
|
23
|
+
|
|
24
|
+
it 'should validate against a CRL' do
|
|
25
|
+
expect{ subject.validate crl: true, ocsp: false }.to_not raise_error
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
it 'should validate a cert against OCSP' do
|
|
29
|
+
expect{ subject.validate crl: false, ocsp: true }.to_not raise_error
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
describe 'with a cert with CRL and no OCSP' do
|
|
34
|
+
let(:crl_only_cert){ cert('crl_only.crt') }
|
|
35
|
+
subject{ described_class.new crl_only_cert, issuer_cert }
|
|
36
|
+
|
|
37
|
+
it 'should validate against a CRL' do
|
|
38
|
+
expect{ subject.validate crl: true, ocsp: false }.to_not raise_error
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
it 'should fail to validate against OCSP' do
|
|
42
|
+
expect{ subject.validate crl: false, ocsp: true }.to raise_error
|
|
43
|
+
end
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
describe 'with a cert with OCSP and no CRL' do
|
|
47
|
+
let(:ocsp_only_cert){ cert('ocsp_only.crt') }
|
|
48
|
+
subject{ described_class.new ocsp_only_cert, issuer_cert }
|
|
49
|
+
|
|
50
|
+
it 'should fail to validate against a CRL' do
|
|
51
|
+
expect{ subject.validate crl: true, ocsp: false }.to raise_error
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
it 'should validate against OCSP' do
|
|
55
|
+
expect{ subject.validate crl: false, ocsp: true }.to_not raise_error
|
|
56
|
+
end
|
|
57
|
+
end
|
|
58
|
+
|
|
59
|
+
describe 'with a revoked cert' do
|
|
60
|
+
let(:revoked_cert){ cert('revoked.crt') }
|
|
61
|
+
subject{ described_class.new revoked_cert, issuer_cert }
|
|
62
|
+
|
|
63
|
+
it 'should validate false against a CRL' do
|
|
64
|
+
expect(subject.validate crl: true, ocsp: false).to_not be
|
|
65
|
+
expect{ subject.validate! crl: true, ocsp: false }.to raise_error /revoked/
|
|
66
|
+
end
|
|
67
|
+
|
|
68
|
+
it 'should validate false against OCSP' do
|
|
69
|
+
expect(subject.validate crl: false, ocsp: true).to_not be
|
|
70
|
+
expect{ subject.validate! crl: false, ocsp: true }.to raise_error /revoked/
|
|
71
|
+
end
|
|
72
|
+
end
|
|
73
|
+
end
|
data/travis.sh
ADDED
metadata
ADDED
|
@@ -0,0 +1,197 @@
|
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
|
+
name: r509-cert-validator
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
version: 0.0.1
|
|
5
|
+
platform: ruby
|
|
6
|
+
authors:
|
|
7
|
+
- Bryce Kerley
|
|
8
|
+
autorequire:
|
|
9
|
+
bindir: bin
|
|
10
|
+
cert_chain: []
|
|
11
|
+
date: 2014-02-12 00:00:00.000000000 Z
|
|
12
|
+
dependencies:
|
|
13
|
+
- !ruby/object:Gem::Dependency
|
|
14
|
+
name: bundler
|
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
|
16
|
+
requirements:
|
|
17
|
+
- - ~>
|
|
18
|
+
- !ruby/object:Gem::Version
|
|
19
|
+
version: '1.3'
|
|
20
|
+
type: :development
|
|
21
|
+
prerelease: false
|
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
23
|
+
requirements:
|
|
24
|
+
- - ~>
|
|
25
|
+
- !ruby/object:Gem::Version
|
|
26
|
+
version: '1.3'
|
|
27
|
+
- !ruby/object:Gem::Dependency
|
|
28
|
+
name: rake
|
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
|
30
|
+
requirements:
|
|
31
|
+
- - ~>
|
|
32
|
+
- !ruby/object:Gem::Version
|
|
33
|
+
version: 10.1.1
|
|
34
|
+
type: :development
|
|
35
|
+
prerelease: false
|
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
37
|
+
requirements:
|
|
38
|
+
- - ~>
|
|
39
|
+
- !ruby/object:Gem::Version
|
|
40
|
+
version: 10.1.1
|
|
41
|
+
- !ruby/object:Gem::Dependency
|
|
42
|
+
name: rspec
|
|
43
|
+
requirement: !ruby/object:Gem::Requirement
|
|
44
|
+
requirements:
|
|
45
|
+
- - ~>
|
|
46
|
+
- !ruby/object:Gem::Version
|
|
47
|
+
version: 2.14.1
|
|
48
|
+
type: :development
|
|
49
|
+
prerelease: false
|
|
50
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
51
|
+
requirements:
|
|
52
|
+
- - ~>
|
|
53
|
+
- !ruby/object:Gem::Version
|
|
54
|
+
version: 2.14.1
|
|
55
|
+
- !ruby/object:Gem::Dependency
|
|
56
|
+
name: rack
|
|
57
|
+
requirement: !ruby/object:Gem::Requirement
|
|
58
|
+
requirements:
|
|
59
|
+
- - ~>
|
|
60
|
+
- !ruby/object:Gem::Version
|
|
61
|
+
version: 1.5.2
|
|
62
|
+
type: :development
|
|
63
|
+
prerelease: false
|
|
64
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
65
|
+
requirements:
|
|
66
|
+
- - ~>
|
|
67
|
+
- !ruby/object:Gem::Version
|
|
68
|
+
version: 1.5.2
|
|
69
|
+
- !ruby/object:Gem::Dependency
|
|
70
|
+
name: puma
|
|
71
|
+
requirement: !ruby/object:Gem::Requirement
|
|
72
|
+
requirements:
|
|
73
|
+
- - ~>
|
|
74
|
+
- !ruby/object:Gem::Version
|
|
75
|
+
version: 2.7.1
|
|
76
|
+
type: :development
|
|
77
|
+
prerelease: false
|
|
78
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
79
|
+
requirements:
|
|
80
|
+
- - ~>
|
|
81
|
+
- !ruby/object:Gem::Version
|
|
82
|
+
version: 2.7.1
|
|
83
|
+
- !ruby/object:Gem::Dependency
|
|
84
|
+
name: r509-ocsp-responder
|
|
85
|
+
requirement: !ruby/object:Gem::Requirement
|
|
86
|
+
requirements:
|
|
87
|
+
- - ~>
|
|
88
|
+
- !ruby/object:Gem::Version
|
|
89
|
+
version: 0.3.3
|
|
90
|
+
type: :development
|
|
91
|
+
prerelease: false
|
|
92
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
93
|
+
requirements:
|
|
94
|
+
- - ~>
|
|
95
|
+
- !ruby/object:Gem::Version
|
|
96
|
+
version: 0.3.3
|
|
97
|
+
- !ruby/object:Gem::Dependency
|
|
98
|
+
name: r509-validity-crl
|
|
99
|
+
requirement: !ruby/object:Gem::Requirement
|
|
100
|
+
requirements:
|
|
101
|
+
- - ~>
|
|
102
|
+
- !ruby/object:Gem::Version
|
|
103
|
+
version: 0.1.1
|
|
104
|
+
type: :development
|
|
105
|
+
prerelease: false
|
|
106
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
107
|
+
requirements:
|
|
108
|
+
- - ~>
|
|
109
|
+
- !ruby/object:Gem::Version
|
|
110
|
+
version: 0.1.1
|
|
111
|
+
- !ruby/object:Gem::Dependency
|
|
112
|
+
name: r509
|
|
113
|
+
requirement: !ruby/object:Gem::Requirement
|
|
114
|
+
requirements:
|
|
115
|
+
- - ~>
|
|
116
|
+
- !ruby/object:Gem::Version
|
|
117
|
+
version: 0.10.0
|
|
118
|
+
type: :runtime
|
|
119
|
+
prerelease: false
|
|
120
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
121
|
+
requirements:
|
|
122
|
+
- - ~>
|
|
123
|
+
- !ruby/object:Gem::Version
|
|
124
|
+
version: 0.10.0
|
|
125
|
+
description: Tool for validating x509 certificates against CRLs and OCSP.
|
|
126
|
+
email:
|
|
127
|
+
- bkerley@brycekerley.net
|
|
128
|
+
executables: []
|
|
129
|
+
extensions: []
|
|
130
|
+
extra_rdoc_files: []
|
|
131
|
+
files:
|
|
132
|
+
- .gitignore
|
|
133
|
+
- .rspec
|
|
134
|
+
- .travis.yml
|
|
135
|
+
- Gemfile
|
|
136
|
+
- LICENSE.txt
|
|
137
|
+
- README.md
|
|
138
|
+
- Rakefile
|
|
139
|
+
- lib/r509-cert-validator.rb
|
|
140
|
+
- lib/r509/cert/validator.rb
|
|
141
|
+
- lib/r509/cert/validator/basic_validator.rb
|
|
142
|
+
- lib/r509/cert/validator/crl_validator.rb
|
|
143
|
+
- lib/r509/cert/validator/errors.rb
|
|
144
|
+
- lib/r509/cert/validator/ocsp_validator.rb
|
|
145
|
+
- lib/r509/cert/validator/version.rb
|
|
146
|
+
- lib/tasks/ca.rb
|
|
147
|
+
- lib/tasks/helper.rb
|
|
148
|
+
- r509-cert-validator.gemspec
|
|
149
|
+
- spec/spec_helper.rb
|
|
150
|
+
- spec/support/ca/.gitignore
|
|
151
|
+
- spec/support/ca/config.yaml.erb
|
|
152
|
+
- spec/support/ca_server.rb
|
|
153
|
+
- spec/support/certs/README.md
|
|
154
|
+
- spec/support/certs/ca.crt
|
|
155
|
+
- spec/support/certs/digicert_ev.crt
|
|
156
|
+
- spec/support/certs/github.crt
|
|
157
|
+
- spec/support/certs/github_chain.crt
|
|
158
|
+
- spec/support/certs/no_validator.crt
|
|
159
|
+
- spec/validator_spec.rb
|
|
160
|
+
- travis.sh
|
|
161
|
+
homepage: ''
|
|
162
|
+
licenses:
|
|
163
|
+
- MIT
|
|
164
|
+
metadata: {}
|
|
165
|
+
post_install_message:
|
|
166
|
+
rdoc_options: []
|
|
167
|
+
require_paths:
|
|
168
|
+
- lib
|
|
169
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
170
|
+
requirements:
|
|
171
|
+
- - ~>
|
|
172
|
+
- !ruby/object:Gem::Version
|
|
173
|
+
version: '2.0'
|
|
174
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
175
|
+
requirements:
|
|
176
|
+
- - '>='
|
|
177
|
+
- !ruby/object:Gem::Version
|
|
178
|
+
version: '0'
|
|
179
|
+
requirements: []
|
|
180
|
+
rubyforge_project:
|
|
181
|
+
rubygems_version: 2.0.14
|
|
182
|
+
signing_key:
|
|
183
|
+
specification_version: 4
|
|
184
|
+
summary: An r509-based tool for validating x509 certificates against CRLs and OCSP.
|
|
185
|
+
test_files:
|
|
186
|
+
- spec/spec_helper.rb
|
|
187
|
+
- spec/support/ca/.gitignore
|
|
188
|
+
- spec/support/ca/config.yaml.erb
|
|
189
|
+
- spec/support/ca_server.rb
|
|
190
|
+
- spec/support/certs/README.md
|
|
191
|
+
- spec/support/certs/ca.crt
|
|
192
|
+
- spec/support/certs/digicert_ev.crt
|
|
193
|
+
- spec/support/certs/github.crt
|
|
194
|
+
- spec/support/certs/github_chain.crt
|
|
195
|
+
- spec/support/certs/no_validator.crt
|
|
196
|
+
- spec/validator_spec.rb
|
|
197
|
+
has_rdoc:
|