sslackey 0.6.0

data/examples/simple.rb

@@ -0,0 +1,49 @@
+require 'net/https'
+require 'uri'
+require 'logger'
+require 'openssl'
+require 'sslackey'
+
+
+module OpenSSL
+  module SSL
+    class SSLSocket
+      def post_connection_check(hostname)
+        unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
+          raise SSLError, "hostname was not match with the server certificate"
+        end
+
+        checker = RevocationChecker.new()
+        status = checker.check_revocation_status(peer_cert)
+        raise SSLError, "Bad revocation status: #{status}" unless status == :successful
+
+        return true
+      end
+    end
+  end
+end
+
+RevocationChecker.setup File.join(File.dirname(__FILE__), 'cacert.pem')
+RevocationChecker.cache = RedisRevocationCache.new("localhost", "6379")
+
+#Test the connection
+LOGGER = Logger.new(STDERR)
+
+# tdameritrade.com is broken on ocsp parsing
+# americanexpress.com : requires CRL check
+
+url = URI.parse('https://www.google.com ')
+
+http = Net::HTTP.new(url.host, url.port)
+http.set_debug_output $stderr
+http.use_ssl=true
+store = OpenSSL::X509::Store.new
+store.add_file File.join(File.dirname(__FILE__), 'cacert.pem')
+http.cert_store = store
+http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+
+http.start() do |http|
+  request = Net::HTTP::Get.new url.request_uri
+  response = http.request request # Net::HTTPResponse object
+  puts response
+end

data/lib/sslackey/authority_checker.rb

@@ -0,0 +1,107 @@
+class AuthorityChecker
+  REVOCATION_RESPONSES = [:successful, :unknown, :revoked]
+
+  attr_accessor :trusted_certs_file_path
+
+  def initialize(trusted_certs_path)
+    @trusted_certs_file_path = trusted_certs_path
+
+  end
+
+  def validate(certificate, issuer_certificate)
+    ocsp_url = nil
+    crl_url = nil
+
+    certificate.extensions.each do |extension|
+      props = extension.to_h
+      if props["oid"] == "authorityInfoAccess"
+        ocsp_url = AuthorityChecker.parse_authority_info_access(props["value"])
+      end
+
+      if props["oid"] == "crlDistributionPoints"
+        crl_url = AuthorityChecker.parse_crl_distribution_points(props["value"])
+      end
+    end
+    if ocsp_url
+      response = perform_ocsp_check(certificate, issuer_certificate, ocsp_url)
+    elsif crl_url
+      response = perform_crl_check(certificate, crl_url)
+    else
+      raise "Could not find valid oscp or crl extension to check against in certificate #{certificate.subject}"
+    end
+
+    raise "Unknown revocation response #{response}" unless AuthorityChecker::REVOCATION_RESPONSES.include?(response)
+
+    response
+  end
+
+  def self.parse_authority_info_access(ocsp_string)
+    ocsp_string.each_line do |line|
+      if line.index(/OCSP/)
+        urls = line.scan(/URI:.*/)
+        url = urls[0]
+        url.slice!(/URI:/)
+        return url
+      end
+    end
+  end
+
+  def self.parse_crl_distribution_points(crl_string)
+    crl_string.each_line do |line|
+      urls = line.scan(/URI:.*/)
+      crl_url = urls[0]
+      crl_url.slice!(/URI:/)
+      return crl_url
+    end
+  end
+
+
+  def perform_ocsp_check(certificate, issuer_certificate, ocsp_url)
+    certificate_file = write_certificate_file(certificate, "provider")
+    issuer_file = write_certificate_file(issuer_certificate, "issuer")
+    output_file = create_response_file("ocsp_output")
+
+    generate_ocsp_response(issuer_file.path, certificate_file.path, output_file.path, ocsp_url)
+
+    read_ocsp_response(output_file).to_sym
+  end
+
+  def generate_ocsp_response(issuer_file_path, certificate_file_path, output_file_path, ocsp_url)
+    `openssl ocsp -no_nonce -CAfile #{trusted_certs_file_path} -issuer #{issuer_file_path} -cert #{certificate_file_path} -respout #{output_file_path} -url #{ocsp_url}`
+  end
+
+  def read_ocsp_response(output_file)
+    output_file.rewind
+    response = OpenSSL::OCSP::Response.new(output_file.read)
+    output_file.close
+    response.status_string
+  end
+
+  def write_certificate_file(certificate, file_name)
+    file = Tempfile.new(file_name)
+    file.write(certificate)
+    file.rewind
+    file.close
+    file
+  end
+
+  def create_response_file(file_name)
+    Tempfile.new(file_name)
+  end
+
+  def perform_crl_check(certificate, crl_url)
+    content = fetch_crl_content(crl_url)
+    crl = OpenSSL::X509::CRL.new(content)
+
+    revoked_matches = crl.revoked.select { |elem| elem.serial == certificate.serial }
+
+    return :revoked unless revoked_matches.empty?
+
+    :successful
+  end
+
+  def fetch_crl_content(crl_url)
+    `curl -s '#{crl_url}'`
+  end
+
+end

data/lib/sslackey/cache/redis_revocation_cache.rb

@@ -0,0 +1,30 @@
+require 'redis'
+require 'redis/namespace'
+require 'active_support/all'
+
+class RedisRevocationCache
+
+  attr_accessor :redis, :expiration_seconds
+
+  def initialize(redis_host, redis_port)
+    @redis = Redis::Namespace.new(:revocation, :redis => Redis.new(:host => redis_host, :port => redis_port, :threadsafe => true))
+    @expiration_seconds = 3600
+  end
+
+  def cached_response(certificate)
+    response = redis.get(get_key(certificate))
+    LOGGER.info("got a cached response: #{response}") if response && defined?(LOGGER)
+    response.try(:to_sym)
+  end
+
+  def cache_response(certificate, response)
+    key = get_key(certificate)
+    LOGGER.info "caching revocation response for certificate: #{certificate.subject}" if defined?(LOGGER)
+    redis.set(key, response)
+    redis.expire(key, expiration_seconds)
+  end
+
+  def get_key(certificate)
+    certificate.subject.hash
+  end
+end

data/lib/sslackey/revocation_checker.rb

@@ -0,0 +1,90 @@
+# Load all known issuer certs into memory. Key by cert name
+require 'logger'
+require 'openssl'
+require 'tempfile'
+require 'redis'
+require 'redis/namespace'
+require 'active_support/all'
+
+class RevocationChecker
+  @issuers = {}
+  @issuers_by_name = {}
+  @trusted_certs_file_path = nil
+  @cache = nil
+
+  class << self
+    attr_accessor :issuers, :issuers_by_name, :trusted_certs_file_path, :cache
+  end
+
+  def self.setup(trusted_certs_file_path)
+    RevocationChecker.issuers = {}
+    RevocationChecker.issuers_by_name = {}
+
+    RevocationChecker.trusted_certs_file_path = trusted_certs_file_path
+
+    certs_file = File.read(RevocationChecker.trusted_certs_file_path)
+
+    certs = certs_file.scan(/-----BEGIN CERTIFICATE-----[^-]*-----END CERTIFICATE-----/)
+
+    certs.each do |cert|
+      certificate = OpenSSL::X509::Certificate.new(cert)
+
+      certificate.extensions.each do |extension|
+        props = extension.to_h
+        if props["oid"] == "subjectKeyIdentifier"
+          issuer_key = props["value"]
+          RevocationChecker.issuers[issuer_key] = certificate
+        end
+      end
+      RevocationChecker.issuers_by_name[certificate.subject.hash] = certificate
+    end
+  end
+
+  def check_revocation_status(certificate)
+
+    unless RevocationChecker.cache
+      LOGGER.info("skipping revocation caching") if defined? LOGGER
+      return get_latest_revocation_status(certificate)
+    end
+
+    if  cached_response = RevocationChecker.cache.cached_response(certificate)
+      return cached_response
+    end
+
+    response = get_latest_revocation_status(certificate)
+
+    RevocationChecker.cache.cache_response(certificate, response)
+
+    response
+  end
+
+
+  def get_latest_revocation_status(certificate)
+    issuer_certificate = nil
+    certificate.extensions.each do |extension|
+      props = extension.to_h
+      if props["oid"] == "authorityKeyIdentifier"
+        issuer_key = RevocationChecker.parse_authority_key_identifier(props["value"])
+        issuer_certificate = RevocationChecker.issuers[issuer_key]
+      end
+    end
+
+    unless issuer_certificate
+      issuer_certificate = RevocationChecker.issuers_by_name[certificate.issuer.hash]
+    end
+
+    raise "No issuer certificate #{certificate.issuer} found for certificate #{certificate.subject}" unless issuer_certificate
+
+    real_time_checker = AuthorityChecker.new(RevocationChecker.trusted_certs_file_path)
+    response = real_time_checker.validate(certificate, issuer_certificate)
+
+    response
+  end
+
+  def self.parse_authority_key_identifier(authority_key_identifier_string)
+    authority_key_identifier_string.slice!(/keyid:/)
+    authority_key_identifier_string.slice!(/\n/)
+    authority_key_identifier_string
+  end
+
+end

data/lib/sslackey/version.rb

@@ -0,0 +1,3 @@
+module Sslackey
+  VERSION = "0.6.0"
+end

data/lib/sslackey.rb

@@ -0,0 +1,3 @@
+require "sslackey/authority_checker"
+require "sslackey/revocation_checker"
+require "sslackey/cache/redis_revocation_cache"

data/spec/authority_checker_spec.rb

@@ -0,0 +1,148 @@
+require 'spec_helper'
+require 'openssl'
+require 'tempfile'
+require 'uri'
+require 'lib/sslackey/authority_checker'
+
+def load_ocsp_enabled_cert
+  ocsp_enabled_cert = File.read(File.expand_path "../fixtures/ocsp_enabled_cert.pem", __FILE__)
+  OpenSSL::X509::Certificate.new(ocsp_enabled_cert)
+end
+
+def load_non_ocsp_cert
+  crl_only_cert = File.read(File.expand_path "../fixtures/crl_only_cert.pem", __FILE__)
+  OpenSSL::X509::Certificate.new(crl_only_cert)
+end
+
+def load_sample_ocsp_response
+  File.open(File.expand_path "../fixtures/sample_ocsp_response.der", __FILE__)
+end
+
+def load_crl_without_cert_revoked
+  File.read(File.expand_path "../fixtures/AkamaiSub3.crl", __FILE__)
+end
+
+def load_crl_with_cert_revoked
+  File.read(File.expand_path "../fixtures/sample_certificate_revocation_list.crl", __FILE__)
+end
+
+describe AuthorityChecker do
+
+  describe ".parse_authority_info_access" do
+
+    context "with a multi line authority info string" do
+      it "only finds the value that matches OCSP" do
+        ocsp_string = "CA Issuers - URI:http://crt.usertrust.com/USERTrustLegacySecureServerCA.crt\nOCSP - URI:http://ocsp.usertrust.com\n"
+        AuthorityChecker.parse_authority_info_access(ocsp_string).should == "http://ocsp.usertrust.com"
+
+        ocsp_string = "OCSP - URI:http://ocsp.verisign.com\nCA Issuers - URI:http://SVRIntl-G3-aia.verisign.com/SVRIntlG3.cer\n"
+        AuthorityChecker.parse_authority_info_access(ocsp_string).should == "http://ocsp.verisign.com"
+      end
+    end
+
+    context "with a single authority info line" do
+      it "finds the right value" do
+        ocsp_string = "OCSP - URI:http ://ocsp.verisign.com"
+        AuthorityChecker.parse_authority_info_access(ocsp_string).should == "http ://ocsp.verisign.com"
+      end
+    end
+  end
+
+  describe ".parse_crl_distribution_points" do
+    context 'with a valid crl info string' do
+      it "finds a matching crl url" do
+        crl_string = "URI:http://crl.globalsign.net/AkamaiSub3.crl\n"
+        AuthorityChecker.parse_crl_distribution_points(crl_string).should == "http://crl.globalsign.net/AkamaiSub3.crl"
+      end
+    end
+  end
+
+  describe "#validate" do
+    before do
+      @authority_checker = AuthorityChecker.new(nil)
+    end
+    context "when ocsp info present" do
+      it "uses ocsp strategy to verify certificate" do
+        AuthorityChecker.expects(:parse_authority_info_access).returns "ocsp.verisign.com"
+        AuthorityChecker.stubs(:parse_crl_distribution_points)
+        cert = load_ocsp_enabled_cert
+        AuthorityChecker.any_instance.expects(:perform_ocsp_check).with(cert, "stub issuer cert", "ocsp.verisign.com").returns :successful
+        @authority_checker.validate(cert, "stub issuer cert").should == :successful
+      end
+    end
+
+    context "when only crl info present" do
+      it "falls back to the crl strategy to verify the certificate" do
+        AuthorityChecker.stubs(:parse_authority_info_access)
+        AuthorityChecker.expects(:parse_crl_distribution_points).returns "crl.verisign.com"
+        cert = load_non_ocsp_cert
+        AuthorityChecker.any_instance.expects(:perform_crl_check).with(cert, "crl.verisign.com").returns :successful
+        @authority_checker.validate(cert, "stub issuer certificate").should == :successful
+      end
+    end
+
+    context "when neither crl or ocsp info is in the certificate" do
+      it "blows up" do
+        AuthorityChecker.stubs(:parse_crl_distribution_points)
+        AuthorityChecker.any_instance.stubs(:perform_crl_check)
+
+        cert = load_non_ocsp_cert
+        expect { @authority_checker.validate(cert, "stub issuer cert") }.to raise_error(/Could not find valid oscp or crl extension/)
+      end
+    end
+  end
+
+  describe "#perform_crl_check" do
+    it "returns a status of revoked when the certificate is on the crl" do
+      crl_response = load_crl_with_cert_revoked
+      AuthorityChecker.any_instance.expects(:fetch_crl_content).returns(crl_response)
+      checker = AuthorityChecker.new(nil)
+
+      cert = load_ocsp_enabled_cert
+      checker.perform_crl_check(cert, nil).should == :revoked
+    end
+
+    it "returns a status of successful when the certificate is not on the crl" do
+      crl_response = load_crl_without_cert_revoked
+      AuthorityChecker.any_instance.expects(:fetch_crl_content).returns(crl_response)
+      checker = AuthorityChecker.new(nil)
+
+      cert = load_ocsp_enabled_cert
+      checker.perform_crl_check(cert, "crl url").should == :successful
+    end
+  end
+
+  describe "#perform_ocsp_check" do
+    it "writes certificates to files and invokes open ssl verifier" do
+      cert = mock()
+      cert.expects(:path).returns "cert path"
+      issuer_cert = mock()
+      issuer_cert.expects(:path).returns "issuer path"
+      response = mock()
+      response.expects(:path).returns "response path"
+
+      AuthorityChecker.any_instance.expects(:write_certificate_file).with(cert, "provider").returns cert
+      AuthorityChecker.any_instance.expects(:write_certificate_file).with(issuer_cert, "issuer").returns issuer_cert
+      AuthorityChecker.any_instance.expects(:create_response_file).returns(response).returns response
+      AuthorityChecker.any_instance.expects(:read_ocsp_response).returns 'successful'
+
+      AuthorityChecker.any_instance.expects(:generate_ocsp_response).with("issuer path", "cert path", "response path", "ocsp.verisign.com")
+
+      checker = AuthorityChecker.new(nil)
+
+      checker.perform_ocsp_check(cert, issuer_cert, "ocsp.verisign.com").should == :successful
+    end
+  end
+
+  describe "#read_ocsp_response" do
+    context "when a valid response is written to a file" do
+      it "parses and reads a successful ocsp response correctly" do
+        checker = AuthorityChecker.new(nil)
+        checker.read_ocsp_response(load_sample_ocsp_response).should == 'successful'
+      end
+    end
+  end
+
+
+end
+

data/spec/cache/redis_revocation_cache_spec.rb

@@ -0,0 +1,61 @@
+require 'spec_helper'
+require 'redis'
+require 'redis/namespace'
+require 'active_support/all'
+require 'lib/sslackey/cache/redis_revocation_cache'
+
+describe RedisRevocationCache do
+
+  describe "#initialize" do
+    it "creates a new Redis with the correct host and port" do
+      Redis::Namespace.expects(:new).returns "a redis namespace"
+      Redis.expects(:new).with(:host => "redis.test.com", :port => 80, :threadsafe => true).returns "a redis"
+      RedisRevocationCache.new("redis.test.com", 80)
+    end
+  end
+
+  context "caching methods" do
+    before do
+      Redis::Namespace.stubs(:new).returns nil
+      @redis = mock()
+      @cache_service = RedisRevocationCache.new("some host", 90)
+      @cache_service.redis = @redis
+    end
+    describe "#cached_response" do
+      it "gets the symbolized response from redis" do
+        @redis.expects(:get).with("12345").returns "successful"
+        @cache_service.expects(:get_key).returns "12345"
+        @cache_service.cached_response("some cert").should == :successful
+      end
+
+      it "returns nil response when no response cached" do
+        @redis.expects(:get).with("12345").returns nil
+        @cache_service.expects(:get_key).returns "12345"
+        @cache_service.cached_response("some cert").should  be_nil
+      end
+    end
+
+    describe "#cache_response" do
+      it "sets the key in redis along with an expiration time" do
+        cert = mock()
+        cert.stubs(:subject)
+        @redis.expects(:set).with("12345","successful").returns nil
+        @redis.expects(:expire).with("12345", @cache_service.expiration_seconds)
+        @cache_service.expects(:get_key).returns "12345"
+        @cache_service.cache_response(cert,"successful")
+      end
+    end
+
+    describe "#get_key" do
+      it "uses the hash of the certificate subject name as the caching key" do
+        cert = mock()
+        cert.stubs(:subject)
+        subject = mock()
+        cert.expects(:subject).returns subject
+        subject.expects(:hash).returns "12345"
+        @cache_service.get_key(cert).should == "12345"
+      end
+    end
+
+  end
+end