sslackey 0.6.0

data/spec/fixtures/crl_only_cert.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIICzTCCAjagAwIBAgIOAgAAAAABNw9QCUY2BIQwDQYJKoZIhvcNAQEFBQAwUTEL
+MAkGA1UEBhMCVVMxIDAeBgNVBAoTF0FrYW1haSBUZWNobm9sb2dpZXMgSW5jMSAw
+HgYDVQQDExdBa2FtYWkgU3Vib3JkaW5hdGUgQ0EgMzAeFw0xMjA1MDIyMTAwMDha
+Fw0xMzA1MDIyMTAwMDhaMIGMMQswCQYDVQQGEwJVUzEQMA4GA1UEBxMHUGhvZW5p
+eDEmMCQGA1UEChMdQW1lcmljYW4gRXhwcmVzcyBUZWNobm9sb2dpZXMxETAPBgNV
+BAsTCENvbnN1bWVyMRAwDgYDVQQIEwdBcml6b25hMR4wHAYDVQQDFBUqLmFtZXJp
+Y2FuZXhwcmVzcy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKxhYcYS
+MHXkKn8yWmV6N3Ac3eJOVfZDH6NEIaNPNgH+5Bzm5xfry8lA0QmRELQafClC8afV
+JqQuP7aDVZwaSUmk0EPVGIhbKi81CzO3wc9FCxhgySsvoFwxfOQywQd5ewlU/ZNg
+UKXbqR9Ba1yqJcVOq3axjxmY1OykKKqMHcaJAgMBAAGjbDBqMDkGA1UdHwQyMDAw
+LqAsoCqGKGh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5uZXQvQWthbWFpU3ViMy5jcmww
+HQYDVR0OBBYEFP0U8j2HOCBc39gxkO3y79Eb+il+MA4GA1UdDwEB/wQEAwIFIDAN
+BgkqhkiG9w0BAQUFAAOBgQCDFNSSY9NGGEZbaWx4CAZFRmwBvhcUxDWK+0tLnC3y
+5NH1+2cEAKpzK4xD8u2bONJaEchM7x6Uc4/lhFPblCX9uIqcKB8EdAuDxr7FTH0S
+vofrkpwuSWkdY9FGWd0kIyl4hLIi/Fm9mE9zrmDPYkced3MvL5deZAXlL22jxiJR
+Ew==
+-----END CERTIFICATE-----

data/spec/fixtures/ocsp_enabled_cert.pem

@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGEzCCBPugAwIBAgIQfJwdpj3YKPYCRiHLu80CyzANBgkqhkiG9w0BAQUFADCB
+vjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
+ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
+YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE4MDYGA1UEAxMv
+VmVyaVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBTR0MgQ0Ew
+HhcNMTAxMTAyMDAwMDAwWhcNMTIwODE2MjM1OTU5WjCB+TETMBEGCysGAQQBgjc8
+AgEDEwJVUzEZMBcGCysGAQQBgjc8AgECFAhEZWxhd2FyZTEdMBsGA1UEDxMUUHJp
+dmF0ZSBPcmdhbml6YXRpb24xEDAOBgNVBAUTBzQ3NTIyODIxCzAJBgNVBAYTAlVT
+MREwDwYDVQQIFAhOZXcgWW9yazERMA8GA1UEBxQITmV3IFlvcmsxFDASBgNVBAoU
+C01hbmlsbGEgTExDMTMwMQYDVQQLFCpUZXJtcyBvZiB1c2UgYXQgd3d3LnZlcmlz
+aWduLmNvbS9ycGEgKGMpMDUxGDAWBgNVBAMUD2FwcC5tYW5pbGxhLmNvbTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKnpFmttCpcZxWFc3gQwB0pg7xEf
+aZnJXYz4EBaLks/Jvr4cR3ytoXchTwTS3y2up2uW2WFvjlcKOI8HacXUtEymbiPb
+c9RADCCo0G5TJ2DL7fpzOX6N3f+wDOjN//odiDDKn/AZNjtkae3t+jYglDfrYRnc
+SfGL1Gw3Nj9Jf9MlRamiUzKh75QWHa+3J+oNDHqesR1+pgAhulJge22K8dWkMhjz
+kbMeKn5JDUq5GL/+dHE56abnoZiSWo64XeqcWN0FGrPniJxLzT/mLgRj7GQLuvf0
+je0DOjOoqf+IL9pmZ/KB7nUE+h93GZvpqG1ZfqDuI6tLy1S7wfl57kL3NOcCAwEA
+AaOCAc4wggHKMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMEQGA1UdIAQ9MDswOQYL
+YIZIAYb4RQEHFwYwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24u
+Y29tL2NwczA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vRVZJbnRsLWNybC52ZXJp
+c2lnbi5jb20vRVZJbnRsMjAwNi5jcmwwKAYDVR0lBCEwHwYIKwYBBQUHAwEGCCsG
+AQUFBwMCBglghkgBhvhCBAEwHwYDVR0jBBgwFoAUTkPIHXbvN1N6T/JYb5TzOOLV
+vd8wbwYIKwYBBQUHAQEEYzBhMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC52ZXJp
+c2lnbi5jb20wOQYIKwYBBQUHMAKGLWh0dHA6Ly9FVkludGwtYWlhLnZlcmlzaWdu
+LmNvbS9FVkludGwyMDA2LmNlcjBuBggrBgEFBQcBDARiMGChXqBcMFowWDBWFglp
+bWFnZS9naWYwITAfMAcGBSsOAwIaBBRLa7kolgYMu9BSOJsprEsHiyEFGDAmFiRo
+dHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvMS5naWYwDQYJKoZIhvcNAQEF
+BQADggEBAC0BoimlCBynBKmilNsVIxpNa6nWddc9gyAPzlis0LWIwLylmTxPsPa3
+LDhblWzGN2wzOkarjvnPVzvY66dA9GLabNBrBpAh6HrhVwOE5LKSTAmvEU3pU0Tg
+Rj6LVCq6xDKP1ayeY3dj8MvPIi76i5QpV9v89wJbw1/CJorKAqDl9XZF6xX8gyuB
+rdv7dS6nTSb61sEFo9D2tO9u6dgseiwHctmla9AwXLqm3uyqA1HkWvhhTmOg6rMe
+k2KXQo/gEIMXwONdDp2kZb5QT2aFNskByuKB9CQsn7wBLROBwVzTLibs/fsYamZH
+65Ih38OovopLwNuIXwgpqp7nsRExRq4=
+-----END CERTIFICATE-----

data/spec/fixtures/ssl.rb

@@ -0,0 +1,29 @@
+#useful utility to generating a certificate revocation list given a certificate you want to be revoked.
+require 'openssl'
+require 'active_support/all'
+
+
+cert = OpenSSL::X509::Certificate.new(File.read("ocsp_enabled_cert.pem"))
+serial = cert.serial
+
+puts "cert serial: #{cert.serial}"
+revoked = OpenSSL::X509::Revoked.new()
+revoked.serial = serial
+revoked.time = Time.now
+
+
+puts "revoked: #{revoked.serial}"
+
+crl = OpenSSL::X509::CRL.new
+
+crl.add_revoked(revoked)
+crl.last_update = 5.days.ago.to_time
+crl.next_update= 5.days.from_now.to_time
+
+puts crl.to_text
+
+der = crl.to_der
+
+output = File.open("sample_certificate_revocation_list.crl", "w")
+output.write(der)
+output.close

data/spec/revocation_checker_spec.rb

@@ -0,0 +1,113 @@
+require 'spec_helper'
+require 'openssl'
+require 'tempfile'
+require 'uri'
+require 'lib/sslackey/revocation_checker'
+
+LOGGER = Logger.new(STDERR)
+
+describe RevocationChecker do
+
+  def load_ocsp_enabled_cert
+    ocsp_enabled_cert = File.read(File.expand_path "../fixtures/ocsp_enabled_cert.pem", __FILE__)
+    OpenSSL::X509::Certificate.new(ocsp_enabled_cert)
+  end
+
+  def load_non_ocsp_cert
+    crl_only_cert = File.read(File.expand_path "../fixtures/crl_only_cert.pem", __FILE__)
+    OpenSSL::X509::Certificate.new(crl_only_cert)
+  end
+
+  def load_sample_ocsp_response
+    File.open(File.expand_path "../fixtures/sample_ocsp_response.der", __FILE__)
+  end
+
+  def load_crl_without_cert_revoked
+    File.read(File.expand_path "../fixtures/AkamaiSub3.crl", __FILE__)
+  end
+
+  def load_crl_with_cert_revoked
+    File.read(File.expand_path "../fixtures/sample_certificate_revocation_list.crl", __FILE__)
+  end
+
+  describe ".setup" do
+    it "caches trusted certificates correctly" do
+      path = File.expand_path "../fixtures/cacert.pem", __FILE__
+      RevocationChecker.setup(path)
+      RevocationChecker.issuers.keys.size.should == 18
+      RevocationChecker.issuers["FC:8A:50:BA:9E:B9:25:5A:7B:55:85:4F:95:00:63:8F:E9:58:6B:43"].serial.should == 121579451771502689459931452667480057963
+      RevocationChecker.issuers_by_name.keys.size.should == 23
+      RevocationChecker.issuers_by_name[301028566].serial.should == 185237570324729778462978133790525665700
+      RevocationChecker.trusted_certs_file_path.should == path
+    end
+  end
+
+  describe "#check_revocation_status" do
+    it "skips caching if no cache has been configured" do
+      cert = load_ocsp_enabled_cert
+      RevocationChecker.any_instance.expects(:get_latest_revocation_status).returns :successful
+      checker = RevocationChecker.new
+      checker.check_revocation_status(cert).should == :successful
+    end
+    it "uses the cached response when available" do
+      cert = load_ocsp_enabled_cert
+      cache = mock()
+      cache.expects(:cached_response).with(cert).returns :successful
+      cache.expects(:cache_response).never
+      RevocationChecker.expects(:cache).twice.returns cache
+      AuthorityChecker.any_instance.expects(:validate).never
+      checker = RevocationChecker.new
+      checker.check_revocation_status(cert).should == :successful
+    end
+
+    it "retrieves the latest response and caches it when there's nothing in the cache" do
+      cert = load_ocsp_enabled_cert
+      cache = mock()
+      cache.expects(:cached_response).with(cert).returns nil
+      cache.expects(:cache_response).with(cert, :successful)
+      RevocationChecker.expects(:cache).at_least_once.returns cache
+      AuthorityChecker.any_instance.expects(:validate).returns :successful
+      checker = RevocationChecker.new
+      checker.check_revocation_status(cert).should == :successful
+    end
+  end
+
+
+  describe "#get_latest_revocation_status" do
+    before do
+      @revocation_checker = RevocationChecker.new
+    end
+
+    context "when authority key info extension exists" do
+      it "retrieves the issuer certificate using the authority key info" do
+        AuthorityChecker.any_instance.stubs(:validate)
+        RevocationChecker.expects(:issuers).returns "stub issuer cert"
+        cert = load_ocsp_enabled_cert
+        @revocation_checker.get_latest_revocation_status(cert)
+      end
+    end
+
+    context "when authority key info extension does not exist" do
+      it "retrieves the issuer certificate using the issuer name" do
+        RevocationChecker.stubs(:parse_authority_info_access)
+        cert = load_non_ocsp_cert
+        issuers = {1983599852 => "an issuer"}
+        RevocationChecker.expects(:issuers_by_name).returns issuers
+        @revocation_checker.get_latest_revocation_status(cert)
+      end
+    end
+
+    context "when the issuer certificate is not loaded" do
+      it "raises an error" do
+        RevocationChecker.expects(:issuers_by_name).returns Hash.new
+        issuer = stub(:hash => "12345", :to_s => "an issuer")
+        cert = mock()
+        cert.expects(:extensions).returns []
+        cert.expects(:subject).returns "test certificate"
+        cert.expects(:issuer).twice.returns issuer
+        expect{@revocation_checker.get_latest_revocation_status(cert)}.to raise_error /No issuer certificate/
+      end
+    end
+
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,22 @@
+$LOAD_PATH.unshift(File.expand_path("../..", __FILE__))
+
+$: << '.'
+
+require 'bundler'
+Bundler.require
+
+require 'sslackey'
+require 'rspec'
+
+require 'active_support/string_inquirer'
+Dir[File.expand_path(File.join(File.dirname(__FILE__), "support/**/*.rb"))].each { |f| require f }
+
+RSpec.configure do |config|
+  config.mock_with :mocha
+end
+
+RSpec::Matchers.define :include_hash do |expected|
+  match do |actual|
+    actual.present? && actual.slice(*expected.keys) == expected
+  end
+end

data/sslackey.gemspec

@@ -0,0 +1,35 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/sslackey/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Manilla", "Peter Krimmel"]
+  gem.email         = ["engineering@manilla.com"]
+  gem.description   = %q{Checks a certificate via ocsp or crl to see if it has been revoked}
+  gem.summary       = %q{Ruby ssl certificate revocation checking}
+  gem.homepage      = "http://chill.manilla.com"
+
+
+  gem.add_runtime_dependency('resque')
+  gem.add_runtime_dependency('activesupport')
+  gem.add_runtime_dependency('redis')
+  gem.add_runtime_dependency('redis-namespace')
+  gem.add_runtime_dependency('i18n')
+  gem.add_runtime_dependency('rake')
+  gem.add_runtime_dependency('httparty')
+
+  gem.add_development_dependency('rspec')
+  gem.add_development_dependency('mocha')
+  gem.add_development_dependency('fuubar')
+  gem.add_development_dependency('awesome_print')
+  gem.add_development_dependency('ruby-debug19')
+  gem.add_development_dependency('highline')
+
+
+
+  gem.files         = `git ls-files`.split($\)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.name          = "sslackey"
+  gem.require_paths = ["lib"]
+  gem.version       = Sslackey::VERSION
+end

metadata

@@ -0,0 +1,227 @@
+--- !ruby/object:Gem::Specification
+name: sslackey
+version: !ruby/object:Gem::Version
+  version: 0.6.0
+  prerelease: 
+platform: ruby
+authors:
+- Manilla
+- Peter Krimmel
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-07-23 00:00:00.000000000Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: resque
+  requirement: &2153512620 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *2153512620
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: &2153512200 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *2153512200
+- !ruby/object:Gem::Dependency
+  name: redis
+  requirement: &2153511780 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *2153511780
+- !ruby/object:Gem::Dependency
+  name: redis-namespace
+  requirement: &2153511360 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *2153511360
+- !ruby/object:Gem::Dependency
+  name: i18n
+  requirement: &2153510940 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *2153510940
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: &2153510520 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *2153510520
+- !ruby/object:Gem::Dependency
+  name: httparty
+  requirement: &2153510100 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *2153510100
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: &2153509680 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *2153509680
+- !ruby/object:Gem::Dependency
+  name: mocha
+  requirement: &2153509260 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *2153509260
+- !ruby/object:Gem::Dependency
+  name: fuubar
+  requirement: &2153508840 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *2153508840
+- !ruby/object:Gem::Dependency
+  name: awesome_print
+  requirement: &2153539880 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *2153539880
+- !ruby/object:Gem::Dependency
+  name: ruby-debug19
+  requirement: &2153539460 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *2153539460
+- !ruby/object:Gem::Dependency
+  name: highline
+  requirement: &2153539040 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *2153539040
+description: Checks a certificate via ocsp or crl to see if it has been revoked
+email:
+- engineering@manilla.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rspec
+- .rvmrc
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- examples/README.md
+- examples/cacert.pem
+- examples/simple.rb
+- lib/sslackey.rb
+- lib/sslackey/authority_checker.rb
+- lib/sslackey/cache/redis_revocation_cache.rb
+- lib/sslackey/revocation_checker.rb
+- lib/sslackey/version.rb
+- spec/authority_checker_spec.rb
+- spec/cache/redis_revocation_cache_spec.rb
+- spec/fixtures/AkamaiSub3.crl
+- spec/fixtures/cacert.pem
+- spec/fixtures/crl_only_cert.pem
+- spec/fixtures/ocsp_enabled_cert.pem
+- spec/fixtures/sample_certificate_revocation_list.crl
+- spec/fixtures/sample_ocsp_response.der
+- spec/fixtures/ssl.rb
+- spec/revocation_checker_spec.rb
+- spec/spec_helper.rb
+- sslackey.gemspec
+homepage: http://chill.manilla.com
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.15
+signing_key: 
+specification_version: 3
+summary: Ruby ssl certificate revocation checking
+test_files:
+- spec/authority_checker_spec.rb
+- spec/cache/redis_revocation_cache_spec.rb
+- spec/fixtures/AkamaiSub3.crl
+- spec/fixtures/cacert.pem
+- spec/fixtures/crl_only_cert.pem
+- spec/fixtures/ocsp_enabled_cert.pem
+- spec/fixtures/sample_certificate_revocation_list.crl
+- spec/fixtures/sample_ocsp_response.der
+- spec/fixtures/ssl.rb
+- spec/revocation_checker_spec.rb
+- spec/spec_helper.rb