sslcheck 0.9.0

data/lib/sslcheck/certificate_client.rb

@@ -0,0 +1,10 @@
+require 'uri'
+
+module SSLCheck
+  class CertificateClient
+    def fetch(url)
+      uri = URI.parse(url)
+      `bash -c '(sleep 5; kill $$) & exec openssl s_client -showcerts -connect #{uri.to_s}:443 < /dev/null'`
+    end
+  end
+end

data/lib/sslcheck/check.rb

@@ -0,0 +1,65 @@
+module SSLCheck
+  class Check
+    attr_accessor :peer_cert, :ca_bundle, :host_name
+    def initialize(client=nil, validator=nil)
+      @client = client || Client.new
+      @validator = validator || Validator.new
+      @errors = []
+      @checked = false
+    end
+
+    def check(url)
+      fetch(url)
+      validate if no_errors?
+      @checked = true
+      @url = url
+      return self
+    end
+
+    def errors
+      @errors
+    end
+
+    def failed?
+      return false if no_errors?
+      true
+    end
+
+    def valid?
+      return true if no_errors? && checked?
+      false
+    end
+
+    def checked?
+      return true if @checked
+      false
+    end
+
+    def url
+      @url
+    end
+
+  private
+
+    def no_errors?
+      @errors.empty?
+    end
+
+    def fetch(url)
+      response = @client.get(url)
+      self.peer_cert = response.peer_cert
+      self.ca_bundle = response.ca_bundle
+      self.host_name = response.host_name
+
+      response.errors.each do |error|
+        @errors << error
+      end
+      true
+    end
+
+    def validate
+      @validator.validate(host_name, peer_cert, ca_bundle)
+      true
+    end
+  end
+end

data/lib/sslcheck/client.rb

@@ -0,0 +1,68 @@
+require 'socket'
+require 'openssl'
+
+
+module SSLCheck
+  class Client
+    class Response
+      attr_accessor :host_name, :errors
+
+      def initialize
+        self.errors = []
+      end
+
+      def raw_peer_cert=(peer_cert)
+        @raw_peer_cert = peer_cert
+      end
+
+      def raw_peer_cert_chain=(peer_cert_chain)
+        @raw_peer_cert_chain = peer_cert_chain
+      end
+
+      def peer_cert
+        Certificate.new(@raw_peer_cert)
+      end
+
+      def ca_bundle
+        @raw_peer_cert_chain.map{|ca_cert| Certificate.new(ca_cert) }
+      end
+    end
+
+    def initialize
+      @response = Response.new
+    end
+
+    def get(url)
+      begin
+        uri = determine_uri(url)
+
+        sock = TCPSocket.new(uri.host, 443)
+        ctx = OpenSSL::SSL::SSLContext.new
+        ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_PEER)
+
+        @socket = OpenSSL::SSL::SSLSocket.new(sock, ctx).tap do |socket|
+          socket.sync_close = true
+          socket.connect
+          @response.host_name = uri.host
+          @response.raw_peer_cert = OpenSSL::X509::Certificate.new(socket.peer_cert)
+          @response.raw_peer_cert_chain = socket.peer_cert_chain
+        end
+
+        @socket.sysclose
+      rescue URI::InvalidURIError
+        @response.errors << SSLCheck::Errors::Connection::InvalidURI.new({:name => "Invalid URI Error", :type => :invalid_uri, :message => "The URI, #{url}, is not a valid URI."})
+      rescue OpenSSL::SSL::SSLError
+        @response.errors << SSLCheck::Errors::Connection::SSLVerify.new({:name => "OpenSSL Verification Error", :type => :openssl_error, :message => "There was a peer verification error."})
+      end
+
+      @response
+    end
+
+    private
+      def determine_uri(url)
+        return URI.parse(url) if url.match(/^https\:\/\//)
+        return URI.parse(url.gsub("http","https")) if url.match(/^http\:\/\//)
+        return URI.parse("https://#{url}") if url.match(/^https\:\/\//).nil?
+      end
+  end
+end

data/lib/sslcheck/generic_error.rb

@@ -0,0 +1,15 @@
+module SSLCheck
+  module Errors
+    class GenericError
+      attr_accessor :name, :type, :message
+      def initialize(opts={})
+        self.name    = opts[:name]
+        self.type    = opts[:type]
+        self.message = opts[:message]
+      end
+      def to_s
+        "[#{self.name}] #{self.message}"
+      end
+    end
+  end
+end

data/lib/sslcheck/parser.rb

@@ -0,0 +1,96 @@
+module SSLCheck
+  class Parser
+    class SSLNotConfigured < StandardError; end
+
+    def initialize(raw, url=nil)
+      @raw = raw
+      @url = url
+    end
+
+    def parse
+      raise SSLNotConfigured if connection_refused?
+      {
+        "raw"                 => @raw,
+        "valid_certificate"   => valid_certificate?,
+        "issued_by"           => issued_by,
+        "issued_at"           => issued_at,
+        "expires_at"          => expires_at,
+        "organizational_unit" => organizational_unit,
+        "common_name"         => common_name,
+        "issuer_country"      => issuer_country,
+        "issuer_state"        => issuer_state,
+        "issuer_locality"     => issuer_locality,
+        "issuer_organization" => issuer_organization,
+        "issuer_common_name"  => issuer_common_name,
+      }
+    end
+
+    def certs
+      @raw.scan(/((?<=-----BEGIN CERTIFICATE-----)(?:\S+|\s(?!-----END CERTIFICATE-----))+(?=\s-----END CERTIFICATE-----))/)
+          .flatten
+          .map{|cert| "-----BEGIN CERTIFICATE-----\n#{cert.strip}\n-----END CERTIFICATE-----\n" }
+    end
+
+    def certificate
+      Certificate.new certs.first
+    end
+
+    def ca_bundle
+      Certificate.new certs[1..certs.size].join("\n")
+    end
+
+    def url
+      @url
+    end
+
+    def issued_by
+      certificate.issued_by
+    end
+
+    def issued_at
+      certificate.not_before
+    end
+
+    def expires_at
+      certificate.not_after
+    end
+
+    def organizational_unit
+      certificate.organizational_unit
+    end
+
+    def common_name
+      certificate.common_name
+    end
+
+    def issuer_country
+      certificate.issuer_country
+    end
+
+    def issuer_state
+      certificate.issuer_state
+    end
+
+    def issuer_locality
+      certificate.issuer_locality
+    end
+
+    def issuer_organization
+      certificate.issuer_organization
+    end
+
+    def issuer_common_name
+      certificate.issuer_common_name
+    end
+
+
+  private
+    def connection_refused?
+      @raw.match("connect: Connection refused")
+    end
+
+    def valid_certificate?
+      Validator.new(self).validate
+    end
+  end
+end

data/lib/sslcheck/validator.rb

@@ -0,0 +1,111 @@
+require 'openssl'
+
+module SSLCheck
+  class Validator
+    class CommonNameMissingError < ArgumentError;end
+    class PeerCertificateMissingError < ArgumentError;end
+    class CABundleMissingError < ArgumentError;end
+
+    def initialize
+      @valid       = false
+      @errors      = []
+      @warnings    = []
+      @common_name = nil
+      @peer_cert   = nil
+      @ca_bundle   = []
+      @validated   = false
+      @default_validators = [
+        Validators::CommonName,
+        Validators::IssueDate,
+        Validators::ExpirationDate,
+        Validators::CABundle,
+      ]
+    end
+
+    def validate(common_name=nil, peer_cert=nil, ca_bundle=[], validators=[])
+      raise CommonNameMissingError if common_name.nil? || common_name.empty?
+      raise PeerCertificateMissingError if peer_cert.nil?
+      raise CABundleMissingError if ca_bundle.nil? || ca_bundle.empty?
+      @common_name = common_name
+      @peer_cert = peer_cert
+
+      run_validations(validators)
+    end
+
+    def valid?
+      @validated && errors.empty?
+    end
+
+    def errors
+      @errors.compact
+    end
+
+    def warnings
+      []
+    end
+
+  private
+    def run_validations(validators)
+      validators = @default_validators if validators.empty?
+      validators.each do |validator|
+        @errors << validator.new(@common_name, @peer_cert, @ca_bundle).validate
+      end
+      @validated = true
+    end
+
+  end
+end
+
+  #   class InvalidCertificate < StandardError;end
+  #   class InvalidCommonName < StandardError;end
+  #   class InvalidDates < StandardError;end
+  #   class MissingCACertificate < StandardError;end
+
+  #   def initialize(parser=nil)
+  #     @parser = parser
+  #     @url = parser.url
+  #   end
+
+  #   def validate
+  #     raise InvalidCertificate unless validate_certificates
+  #     raise InvalidCommonName, "expected #{@url} but got #{certificate.common_name}" unless validate_common_name
+  #     raise InvalidDates, "Issued On: #{certificate.not_before}, Expires On: #{certificate.not_after}" unless validate_dates
+  #     true
+  #   end
+
+  #   def validate_certificates
+  #     certificate.verify(ca_bundle)
+  #   end
+
+  #   def validate_common_name
+  #     matching_wildcard_domain || certificate.common_name.downcase == @url.downcase
+  #   end
+
+  #   def validate_expiration_date
+  #     !certificate.expired?
+  #   end
+
+  #   def validate_issue_date
+  #     certificate.issued?
+  #   end
+
+  #   def validate_dates
+  #     validate_expiration_date && validate_issue_date
+  #   end
+
+  # private
+  #   def certificate
+  #     @parser.certificate
+  #   end
+
+  #   def matching_wildcard_domain
+  #     true if (certificate.common_name.match(/\*\./) && @url.include?(certificate.common_name.gsub(/\*\./,'')))
+  #   end
+
+  #   def ca_bundle
+  #     begin
+  #       @parser.ca_bundle
+  #     rescue OpenSSL::X509::CertificateError => e
+  #       raise MissingCACertificate
+  #     end
+  #   end

data/lib/sslcheck/validators/ca_bundle.rb

@@ -0,0 +1,23 @@
+module SSLCheck
+  module Validators
+    class CABundle < GenericValidator
+      def validate
+        return nil if verified_certificate?
+        SSLCheck::Errors::Validation::CABundleVerification.new({:name => "Certificate Authority Verification", :message => "The Certificate could not be verified using the supplied Certificate Authority (CA) Bundle."})
+      end
+
+    private
+      def verified_certificate?
+        return false if @ca_bundle.empty?
+
+        store = OpenSSL::X509::Store.new
+
+        @ca_bundle.each do |ca_cert|
+          store.add_cert ca_cert.to_x509
+        end
+
+        store.verify(@peer_cert.to_x509)
+      end
+    end
+  end
+end

data/lib/sslcheck/validators/common_name.rb

@@ -0,0 +1,27 @@
+module SSLCheck
+  module Validators
+    class CommonName < GenericValidator
+      def validate
+        return nil if common_name_matches?
+        SSLCheck::Errors::Validation::CommonNameMismatch.new({:name => "Common Name Mismatch", :message => "This certificate is not valid for #{@common_name}."})
+      end
+
+    private
+      def common_name_matches?
+        matching_wildcard_domain || alternate_common_name_match || direct_common_name_match
+      end
+
+      def matching_wildcard_domain
+        true if (@peer_cert.common_name.match(/\*\./) && @common_name.include?(@peer_cert.common_name.gsub(/\*\./,'')))
+      end
+
+      def direct_common_name_match
+        @peer_cert.common_name.downcase == @common_name.downcase
+      end
+
+      def alternate_common_name_match
+        @peer_cert.alternate_common_names.include?(@common_name.downcase)
+      end
+    end
+  end
+end

data/lib/sslcheck/validators/errors.rb

@@ -0,0 +1,15 @@
+module SSLCheck
+  module Errors
+    module Connection
+      class InvalidURI < GenericError; end
+      class SSLVerify < GenericError; end
+    end
+
+    module Validation
+      class CommonNameMismatch < GenericError;end
+      class NotYetIssued < GenericError;end
+      class CertificateExpired < GenericError;end
+      class CABundleVerification < GenericError;end
+    end
+  end
+end

data/lib/sslcheck/validators/expiration_date.rb

@@ -0,0 +1,10 @@
+module SSLCheck
+  module Validators
+    class ExpirationDate < GenericValidator
+      def validate(clock=DateTime)
+        return nil if clock.now < @peer_cert.not_after
+        SSLCheck::Errors::Validation::CertificateExpired.new({:name => "Certifiate Expired", :message => "This certificate expired on #{@peer_cert.not_after}."})
+      end
+    end
+  end
+end