sslcheck 0.9.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 99dd5040fd8190da53d30ee4fedff05c25705c33
+  data.tar.gz: d1f0f5e802311ae580f6a1501c240e3f535f683d
+SHA512:
+  metadata.gz: 2759629f5a99a2c23fba38453b56bda4287d64dc225a1d4584048dbf1b8a8eaf1fc8c62ab0ad6e9fb8368ab778e61006018be91c4062ddc0333f297e2ac6c6fe
+  data.tar.gz: eebf070b57b40f597fe535325a267f7caa917205c34fbb86ed9ff88caf5ee8c0080e325c44566abd110b29f7b3b3a08f966697f0d078580bb96af80f9b512f34

data/.gitignore

@@ -0,0 +1,14 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log

data/.rspec

@@ -0,0 +1,3 @@
+--color
+-f d
+--require spec_helper

data/.travis.yml

@@ -0,0 +1,6 @@
+language: ruby
+rvm:
+  - 2.2.0-p0
+script:
+  - bundle exec rspec spec/
+  - ./run_acceptance_on_ci

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in sslcheck.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2015 Clayton Lengel-Zigich
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,177 @@
+## SSL Check
+
+An easy way to verify the installation of SSL certificates.
+
+[![Build Status](https://travis-ci.org/clayton/sslcheck.svg?branch=master)](https://travis-ci.org/clayton/sslcheck)
+
+## Installation
+
+Install the gem on your system
+
+```
+  gem install sslcheck
+```
+
+Use the gem with bundler by adding the following to your `Gemfile`
+
+```
+  gem "sslcheck"
+```
+
+## Using SSLCheck
+
+The SSLCheck gem has a simple API.
+
+First create a check:
+
+```
+  check = SSLCheck::Check.new
+```
+
+Then, check a url:
+
+```
+  check.check("github.com")
+```
+
+Is the certificate valid?
+
+```
+  check.valid?
+  => true
+```
+
+Are there any errors?
+
+```
+  check.errors
+  => []
+```
+
+What are the details of the certificate?
+
+The peer certificate found during the check is available with a rich
+(undocumented) API. See `SSLCheck::Certificate` for more details. A helper
+method is provided on the `Certificate` to get at most of the important details.
+
+```
+  checker.peer_cert.to_h
+  {:common_name=>"www.sslinsight.com",
+   :organization_unit=>"Domain Control Validated",
+   :not_before=>
+    #<DateTime: 2014-07-25T00:00:00+00:00 ((2456864j,0s,0n),+0s,2299161j)>,
+   :not_after=>
+    #<DateTime: 2015-07-25T23:59:59+00:00 ((2457229j,86399s,0n),+0s,2299161j)>,
+   :issued=>true,
+   :expired=>false,
+   :issuer=>
+    {:common_name=>"COMODO RSA Domain Validation Secure Server CA",
+     :country=>"GB",
+     :state=>"Greater Manchester",
+     :locality=>"Salford",
+     :organization=>"COMODO CA Limited"}}
+  => {:common_name=>"www.sslinsight.com", :organization_unit=>"Domain Control Validated", :not_before=>#<DateTime: 2014-07-25T00:00:00+00:00 ((2456864j,0s,0n),+0s,2299161j)>, :not_after=>#<DateTime: 2015-07-25T23:59:59+00:00 ((2457229j,86399s,0n),+0s,2299161j)>, :issued=>true, :expired=>false, :issuer=>{:common_name=>"COMODO RSA Domain Validation Secure Server CA", :country=>"GB", :state=>"Greater Manchester", :locality=>"Salford", :organization=>"COMODO CA Limited"}}
+```
+
+What are the details of the CA Bundle?
+
+Each certificate in the CA Bundle is available as an `SSLCheck::Certificate`
+instance if needed.
+
+
+### Potential Validation Errors
+
+**SSLCheck::Errors::Validation::CommonNameMismatch**
+
+Occurs when the common name supplied in the check does not match the common name
+on the certificate, any alternate subject names or match a regex based on the
+wildcard domain if the certificate was issued for a wildcard domain.
+
+**SSLCheck::Errors::Validation::NotYetIssued**
+
+Occurs when the certificates `not_before` date is in the future.
+
+**SSLCheck::Errors::Validation::CertificateExpired**
+
+Occurs when the certificates `not_after` date is in the past.
+
+**SSLCheck::Errors::Validation::CABundleVerification**
+
+Occurs when the CA Bundle (peer certificate chain) that is gathered during the
+connection to the server cannot verify the certificate. This is a very common
+error when setting up and install SSL Certificates and occurs when the web
+server is not configured correctly or the CA Bundle certificates from the
+certificate issuer were not configured or installed correctly.
+
+
+
+### Validating Certificates
+
+A certificate is considered valid if the certificate is present, the CA
+bundle is present and all of the default validations pass.
+
+By default, SSLCheck validates the following:
+
+* Common Name matches (accounting for alternate names and wildcard certificates)
+* CA Bundle Verification (can the CA bundle verify the certificate?)
+* Issue Date (is in the past)
+* Expiration Date (is in the future)
+
+## Custom Client
+
+By default, all certificates are fetched by opening an SSL Socket Connection and
+grabbing the peer certificate and peer certificate chain (CA Bundle.)
+
+A custom client should return a response that exposes the peer certificate,
+peer certificate chain and url that was fetched. See `SSLCheck::Client::Response`
+for more information.
+
+### Using a custom client
+
+```
+  check = SSLCheck::Check.new(MyClient.new)
+```
+
+## Custom Validators and Validations
+
+A custom validator can be used to allow for additional validations or override
+the default validations. For more information see `SSLCheck::Validator`
+
+### Using a custom validator
+
+```
+  # passing nil as the first argument to use the default client
+  check = SSLCheck::Check.new(nil, MyValidator.new)
+```
+
+## Contributing
+
+* Fork
+* Run the tests (`rake`)
+* Commit & Push
+* Submit a pull request
+
+
+## License
+
+The MIT License (MIT)
+
+Copyright (c) 2014 Clayton Lengel-Zigich
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/Rakefile

@@ -0,0 +1,14 @@
+require "bundler/gem_tasks"
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec) do |t|
+  t.pattern = Dir.glob('spec/**/*_spec.rb')
+  t.rspec_opts = '--format documentation'
+end
+
+RSpec::Core::RakeTask.new(:acceptance) do |t|
+  t.pattern = Dir.glob('acceptance/**/*_spec.rb')
+  t.rspec_opts = '--format documentation'
+end
+
+task :default => [:spec, :acceptance]

data/acceptance/acceptance_helper.rb

@@ -0,0 +1 @@
+require_relative '../spec/spec_helper'

data/acceptance/checking_certificates_spec.rb

@@ -0,0 +1,23 @@
+require 'spec_helper'
+
+module SSLCheck
+  describe 'Checking Certificates' do
+    context "when the certificate is valid" do
+      before do
+        @check = Check.new.check("http://www.sslinsight.com")
+      end
+      it 'should be valid' do
+        expect(@check.valid?).to be
+      end
+      it 'should not have any errors' do
+        expect(@check.errors).to be_empty
+      end
+      it 'should know the peer certificate' do
+        expect(@check.peer_cert).to be
+      end
+      it 'should know the ca bundle' do
+        expect(@check.ca_bundle).to be
+      end
+    end
+  end
+end

data/acceptance/client_spec.rb

@@ -0,0 +1,67 @@
+require 'spec_helper'
+
+module SSLCheck
+  describe 'Client' do
+    context "Getting Certificates" do
+      context "When Things Go Well" do
+        it 'should have the host name' do
+          sut = Client.new
+          response = sut.get('https://www.sslinsight.com')
+          expect(response.host_name).to eq("www.sslinsight.com")
+        end
+
+        it 'should have the peer certificate' do
+          sut = Client.new
+          response = sut.get('https://www.sslinsight.com')
+          expect(response.peer_cert).to be_a(SSLCheck::Certificate)
+        end
+
+        it 'should have the peer cert chain' do
+          sut = Client.new
+          response = sut.get('https://www.sslinsight.com')
+          expect(response.ca_bundle.first).to be_a(SSLCheck::Certificate)
+        end
+      end
+
+      context "when the URL is missing the protocol" do
+        it 'should still provide a hostname for the response' do
+          sut = Client.new
+          response = sut.get('www.sslinsight.com')
+          expect(response.host_name).to eq("www.sslinsight.com")
+        end
+      end
+
+      context "when the URL has an http protocol" do
+        it 'should still provide a hostname for the response' do
+          sut = Client.new
+          response = sut.get('http://www.sslinsight.com')
+          expect(response.host_name).to eq("www.sslinsight.com")
+        end
+      end
+
+      context "When the URL is malformed" do
+        it 'should raise an invalid URI error' do
+          sut = Client.new
+          response = sut.get('this is not even close to a valid url.com')
+          expect(response.errors.first).to be_a(SSLCheck::Errors::Connection::InvalidURI)
+        end
+      end
+
+      context "When there is no SSL Certificate present" do
+        it 'should raise a verification error' do
+          sut = Client.new
+          response = sut.get('http://www.claytonlz.com')
+          expect(response.errors.first).to be_a(SSLCheck::Errors::Connection::SSLVerify)
+        end
+      end
+
+      context "When the certificate is self-signed" do
+        it 'should raise a verification error' do
+          sut = Client.new
+          response = sut.get('https://www.pcwebshop.co.uk')
+          expect(response.errors.first).to be_a(SSLCheck::Errors::Connection::SSLVerify)
+        end
+      end
+    end
+  end
+end

data/blinky_tests

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+blinky-tape-test-tool f && bundle exec rspec spec && blinky-tape-test-tool gs || blinky-tape-test-tool rs

data/lib/sslcheck.rb

@@ -0,0 +1,20 @@
+require "sslcheck/version"
+require 'openssl'
+
+module SSLCheck
+  # Your code goes here...
+end
+
+require 'sslcheck/certificate'
+require 'sslcheck/validator'
+require 'sslcheck/certificate_client'
+require 'sslcheck/parser'
+require 'sslcheck/generic_error'
+require 'sslcheck/check'
+require 'sslcheck/client'
+require 'sslcheck/validators/generic_validator'
+require 'sslcheck/validators/errors'
+require 'sslcheck/validators/common_name'
+require 'sslcheck/validators/issue_date'
+require 'sslcheck/validators/expiration_date'
+require 'sslcheck/validators/ca_bundle'

data/lib/sslcheck/certificate.rb

@@ -0,0 +1,121 @@
+require 'openssl'
+
+module SSLCheck
+  class Certificate
+    def initialize(cert, clock=nil)
+      @cert = bootstrap_certificate(cert)
+      @clock = clock || DateTime
+    end
+
+    def to_x509
+      OpenSSL::X509::Certificate.new @cert.to_s
+    end
+
+    def to_h
+      {
+        :common_name       => common_name,
+        :organization_unit => organizational_unit,
+        :not_before        => not_before,
+        :not_after         => not_after,
+        :issued            => true,
+        :expired           => false,
+        :issuer            => {
+          :common_name  => issuer_common_name,
+          :country      => issuer_country,
+          :state        => issuer_state,
+          :locality     => issuer_locality,
+          :organization => issuer_organization
+        }
+      }
+    end
+
+    def to_s
+      @cert.to_s
+    end
+
+    def subject
+      @cert.subject.to_s
+    end
+
+    def organizational_unit
+      match = subject.match(/OU=([\w\s]+)/)
+      match.captures.first if match
+    end
+
+    def common_name
+      subject.scan(/CN=(.*)/)[0][0]
+    end
+
+    def alternate_common_names
+      ext = @cert.extensions.find{|ext| ext.oid == "subjectAltName" }
+      return [] unless ext
+      alternates = ext.value.split(",")
+      names = alternates.map{|a| a.scan(/DNS:(.*)/)[0][0]}
+      names
+    end
+
+    def issuer
+      @cert.issuer.to_s
+    end
+
+    def issuer_country
+      match = issuer.match(/C=([\w\s]+)/)
+      match.captures.first if match
+    end
+
+    def issuer_state
+      match = issuer.match(/ST=([\w\s]+)/)
+      match.captures.first if match
+    end
+
+    def issuer_locality
+      match = issuer.match(/L=([\w\s]+)/)
+      match.captures.first if match
+    end
+
+    def issuer_organization
+      match = issuer.match(/O=([^\/]+)/)
+      match.captures.first if match
+    end
+
+    def issuer_common_name
+      issued_by
+    end
+
+    def issued_by
+      match = issuer.match("CN=(.*)")
+      match.captures.first if match
+    end
+
+    def public_key
+      @cert.public_key
+    end
+
+    def verify(ca)
+      @cert.verify(ca.public_key)
+    end
+
+    def not_before
+      DateTime.parse(@cert.not_before.to_s)
+    end
+
+    def not_after
+      DateTime.parse(@cert.not_after.to_s)
+    end
+
+    def expired?
+      @clock.now > not_after
+    end
+
+    def issued?
+      @clock.now > not_before
+    end
+
+    def bootstrap_certificate(cert)
+      return cert if cert.is_a?(OpenSSL::X509::Certificate)
+      return cert if cert.is_a?(SSLCheck::Certificate)
+      OpenSSL::X509::Certificate.new cert
+    end
+
+  end
+end