ssltool 0.0.1

data/README.md

@@ -0,0 +1,56 @@
+# ssltool-complete-chain
+
+Re-orders and completes a chain for a given certificate.
+
+More precisely, it takes any string as input, scans for PEMs, detects one that is a certificate for
+a domain name, then goes on to complete its chain, in correct order.
+
+The pool of possible chain completions are whatever other certificates that are passed as input, plus
+all certificates in the intermediate and trusted pools (see `var/pools/`).
+
+The output is the correct and complete chain. Everything else from the input is discarded.
+
+If the chain is incomplete, untrusted, or the certificate is self-signed, warnings will be printed to stderr.
+
+
+### Usage
+
+`ssltool-complete-chain` can work with either stdin or file arguments, so all of the below are valid:
+
+    ### pipe a file in:
+    $ ssltool-complete-chain < example.com.pem
+
+    ### pass multiple file names as arguments:
+    $ ssltool-complete-chain example.com.pem issuer-intermediates.pem
+
+    ### pass a file descriptor from a command's stdout:
+    $ ssltool-complete-chain <(pbpaste)
+
+    ### or just pipe that command in:
+    $ pbpaste | ssltool-complete-chain
+
+
+
+# Bootstrapping
+
+This is how we get the list of trusted roots and the intermediates file.
+
+This process has already been done for you, you don't need to repeat it unless you want updated data.
+
+1.  Downloaded an updated list of trusted roots:
+
+        $ SRC="http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1"
+        $ curl -s "$SRC" > var/mozilla-certdata.txt
+        $ bin/bootstrap-trusted-pems-from-mozilla-certdata < var/mozilla-certdata.txt > var/pools/trusted.pem
+
+
+2.  Generate the intermediates pool:
+
+        $ bin/bootstrap-detect-intermediates var/all-the-certs.pem
+
+    The `var/all-the-certs.pem` is a pool of assorted certificates to extract intermediates from. You'll
+    have to compile this file yourself.
+
+    If circular chains are detected, all members of them will be rejected and printed to stderr. You can
+    resolve the cycle manually, and decide which certificate(s) to exclude to break the cycle. Add those
+    to `var/pools/excluded.pem` and generate the intermediates pool again.

data/bin/bootstrap-detect-intermediates

@@ -0,0 +1,51 @@
+#!/usr/bin/env ruby
+# encoding: UTF-8
+
+require_relative "../lib/ssltool/certificate"
+require_relative "../lib/ssltool/certificate_store"
+
+(puts DATA.read.gsub("$0", File.basename($0)); exit 1) if ARGV.empty? && STDIN.tty?
+
+def notify_circular_chains_detected(circular_chains)
+  $stderr.puts "The following circular chains were detected:"
+  $stderr.puts
+  $stderr.puts "Resolve this manually and exclude the necessary certs to break the cycle by putting them your exclude pool; rerun this script."
+  $stderr.puts
+  $stderr.puts "All certificates currently participating in a cyclic chain were removed from the final intermediate pool."
+  $stderr.puts
+  cert_numbers = circular_chains.flatten.uniq.each_with_index.inject({}) { |h, (c, i)| h[c] = i; h }
+  circular_chains.each { |chain|
+    $stderr.puts "---"
+    chain.each { |cert|
+      $stderr.puts "- cert %d (signed by %s) (signs %s)" % [
+        cert_numbers[cert],
+        chain.select { |other_cert| cert.signed_by?(other_cert) }.map { |cert| cert_numbers[cert] }.join(", "),
+        chain.select { |other_cert| cert.signs?(other_cert)     }.map { |cert| cert_numbers[cert] }.join(", "),]}}
+
+  circular_chains.flatten.uniq.each do |cert|
+    $stderr.puts "--- #{cert_numbers[cert]} ---"
+    $stderr.puts "subject.....: #{cert.subject}"
+    $stderr.puts "issuer......: #{cert.issuer}"
+    $stderr.puts "self_signed.: #{cert.self_signed?}"
+    $stderr.puts cert.to_s
+  end
+end
+public :notify_circular_chains_detected
+
+store = SSLTool::CertificateStore.new("file://var/pools")
+store.register_for_circular_chain_detection_notification(self)
+store.detect_and_merge_intermediates!(SSLTool::Certificate.scan(ARGF.read), false)
+
+__END__
+Usage:
+  $0 <src-pems>
+
+<src-pems> is the pool of certificates to extract chain-forming
+intermediates from.
+
+If circular chains are detected they'll be printed to stderr,
+and all its members will be excluded from the final intermediate
+pool.
+
+You should review the circular chain manually and put the
+offending certs in the exclude pool, then rerun this script.

data/bin/bootstrap-trusted-pems-from-mozilla-certdata

@@ -0,0 +1,93 @@
+#!/usr/bin/env ruby
+# encoding: UTF-8
+require 'digest/sha1'
+
+(puts DATA.read.gsub("$0", File.basename($0)); exit 1) if $stdin.tty? && ARGV.empty?
+
+def get_line
+  return unless line = ARGF.gets
+  line.chomp
+end
+
+### parse the data into the certificates and trust arrays
+license      = ""
+certificates = []
+trust        = []
+while line = get_line
+  case line
+  when /^#.*BEGIN LICENSE BLOCK/
+    begin license << line << "\n"; end until line =~ /^#.*END LICENSE BLOCK/ || !(line = get_line)
+  when /^$/;        next
+  when /^#/;        next
+  when /^CVS_ID\b/; next
+  when "BEGINDATA"; next
+  when /^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST$/; object = {}
+  when /^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE$/          ; (certificates << object = {})
+  when /^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST$/            ; (trust        << object = {})
+  when /^(CKA_\S+) (\S+) (.+)$/                               ; object[$1] = [$2, $3]
+  when /^(CKA_\S+) (MULTILINE_OCTAL)$/                        ; object[$1] = [$2, "".tap { |data| data << line while line = get_line and line != "END" }]
+  else raise "Could not parse line: #{line}"
+  end
+end
+
+### transform values according to data type; make keys more ruby-friendly
+(certificates + trust).each do |object|
+  object.entries.each do |k, (t, v)|
+    object.delete k
+    object[k.sub(/^CKA_/, '').downcase.to_sym] = case t
+    when "CK_CERTIFICATE_TYPE"; v == "CKC_X_509" or raise "CK_CERTIFICATE_TYPE should always be CKC_X_509; Found: #{v.inspect}"; v
+    when "CK_TRUST"           ; case v
+                                when "CKT_NSS_MUST_VERIFY_TRUST"; :must_verify_trust
+                                when "CKT_NSS_NOT_TRUSTED"      ; :not_trusted
+                                when "CKT_NSS_TRUSTED_DELEGATOR"; :trusted_delegator
+                                when "CKT_NSS_TRUST_UNKNOWN"    ; :trust_unknown
+                                else raise "Unexpected CK_TRUST value: #{v.inspect}"
+                                end
+    when "CK_BBOOL"           ; case v
+                                when "CK_FALSE"; false
+                                when "CK_TRUE" ; true
+                                else raise "Unexpected CK_BBOOL value: #{v.inspect}"
+                                end
+    when "UTF8"               ; v =~ /\A"(.*)"\z/ or raise "Unexpected UTF8 value: #{v}.inspect"
+                                $1.force_encoding("UTF-8")
+    when "MULTILINE_OCTAL"    ; v =~ /\A(\\[0-3][0-7][0-7])*\z/ or raise "Unexpected MULTILINE_OCTAL value: #{v}.inspect"
+                                v.gsub(/\\([0-3][0-7][0-7])/) { $1.oct.chr }
+    else raise "Unexpected type: #{t.inspect}"
+    end
+  end
+end
+
+### match trust data to certs, merge data
+trust = trust.inject({}) { |h, t| t.key?(:cert_sha1_hash) and h[t[:cert_sha1_hash]] = t; h }
+certificates.each do |cert|
+  trust[Digest::SHA1.digest(cert[:value])].each do |k, v|
+    raise "Cert / Trust value mismatch for key #{k.inspect}" if cert.key?(k) && cert[k] != v
+    cert[k] = v
+  end
+end
+
+### select trusted certificates
+trusted_certificates = certificates.select { |c| c[:trust_server_auth] == :trusted_delegator }
+
+### print it all
+puts license
+trusted_certificates.each do |cert|
+  puts
+  puts cert[:label]
+  puts cert[:label].gsub(/./, '=')
+  puts "-----BEGIN CERTIFICATE-----"
+  puts [cert[:value]].pack("m50")
+  puts "-----END CERTIFICATE-----"
+end
+
+# Hey, at least it's not MORK!
+
+
+__END__
+Print trusted certificates from Mozilla's certdata.txt, converting from its crazy-ass data format to saner PEM strings.
+
+Usage:
+  $0 < certdata.txt
+
+Example:
+  curl -s 'http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1' | $0

data/bin/console

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+# encoding: UTF-8
+
+require "irb"
+require "yaml"
+
+require_relative "../lib/ssltool/certificate_store"
+
+$all      = SSLTool::Certificate.scan(IO.read("var/all-the-certs.pem")) rescue []
+$store    = SSLTool::CertificateStore.new("file://var/pools")
+$trusted  = $store.trusted_pool
+$pool     = $store.intermediate_pool
+$excluded = $store.excluded_pool
+$domains  = $all.select(&:for_domain_name?)
+IRB.start

data/bin/ssltool-complete-chain

@@ -0,0 +1,25 @@
+#!/usr/bin/env ruby
+# encoding: UTF-8
+
+# input..: certificate chain PEM string + garbage
+# output.: oredered / complete certificate chain PEM string
+
+require_relative "../lib/ssltool/chain_resolution"
+
+def die(msg, code=1)
+  $stderr.puts msg unless msg.empty?
+  exit code
+end
+
+begin
+  store = SSLTool::CertificateStore.new("file://var/pools")
+  chain = store.resolve_chain_from_pem_string(ARGF.read)
+rescue SSLTool::ChainResolution::ZeroCertsChainResolutionError   ; die("No certificate given.", 1)
+rescue SSLTool::ChainResolution::ZeroHeadsChainResolutionError   ; die("No certificate given covers a domain name.", 2)
+rescue SSLTool::ChainResolution::TooManyHeadsChainResolutionError; die("More than one domain name certificate given.", 3)
+end
+
+puts chain
+$stderr.puts("!! Failed to complete chain.")   unless chain.complete?
+$stderr.puts("!! Certificate is self-signed.") if chain.self_signed_untrusted?
+$stderr.puts("!! Certificate is not trusted.") unless chain.trusted? || chain.self_signed?

data/bin/ssltool-dbpool-from-fspool

@@ -0,0 +1,13 @@
+#!/usr/bin/env ruby
+# encoding: UTF-8
+
+require_relative "../lib/ssltool/certificate_store"
+require_relative "../lib/ssltool/adapters/filesystem"
+require_relative "../lib/ssltool/adapters/sequel"
+
+fs_store = SSLTool::CertificateStore::FilesystemAdapter.new "var/pools"
+db_store = SSLTool::CertificateStore::SequelAdapter.new "sqlite://var/pools/store.sqlite"
+
+%w[ excluded intermediate trusted ].each do |pool|
+  db_store.store_pool(pool, fs_store.load_pool(pool))
+end

data/bin/ssltool-filter-certs

@@ -0,0 +1,18 @@
+#!/usr/bin/env ruby
+# encoding: UTF-8
+
+# input..: any strings containing valid PEM strings
+# output.: valid certificate PEM strings
+
+require_relative "../lib/ssltool/certificate"
+
+certs = SSLTool::PEMScanner.new(ARGF.read).certs.map(&:strip).uniq.map do |s|
+  begin
+    SSLTool::Certificate.new(s)
+  rescue => e
+    $stderr.puts "--- Failed to instantiate certificate from:", s, e
+    exit 1
+  end
+end.uniq
+
+puts certs

data/bin/ssltool-print-certs-info

@@ -0,0 +1,26 @@
+#!/usr/bin/env ruby
+# encoding: UTF-8
+
+# input..: multiple certificate PEM string + garbage
+# output.: cert information
+
+require_relative "../lib/ssltool/certificate_store"
+require_relative "../lib/ssltool/adapters/filesystem"
+
+store = SSLTool::CertificateStore.new("file://var/pools")
+certs = SSLTool::Certificate.scan(ARGF.read)
+
+certs.each do |cert|
+  trusted = store.trust?(cert)
+  puts "---"
+  puts cert.to_s.split(/\n/)[1, 2]
+  puts "Domains.....: #{cert.domain_names.join(', ')}" if cert.for_domain_name?
+  puts "Subject.....: #{cert.subject}"
+  puts "Issuer......: #{cert.issuer}"
+  puts "Self-signed.: #{cert.self_signed?}"
+  puts "Trusted.....: #{trusted}"
+  puts "Issued......: #{cert.not_before}"
+  puts "Expires.....: #{cert.not_after}"
+  puts "Other.......: version #{cert.version} / certificate_sign:#{cert.certificate_sign?} / certificate_authority:#{cert.certificate_authority?}"
+  puts
+end

data/lib/ssltool.rb

@@ -0,0 +1,9 @@
+module SSLTool; end
+
+require_relative "ssltool/pem_scanner"
+require_relative "ssltool/certificate"
+require_relative "ssltool/certificate_store"
+require_relative "ssltool/chain_resolution"
+require_relative "ssltool/key_helper"
+require_relative "ssltool/adapters/filesystem"
+require_relative "ssltool/adapters/sequel"

data/lib/ssltool/adapters/base.rb

@@ -0,0 +1,18 @@
+# encoding: UTF-8
+require 'set'
+
+module SSLTool
+  class CertificateStore
+    class Adapter
+
+      def load_pool(pool_name)
+        raise NotImplementedError
+      end
+
+      def store_pool(pool_name, certs)
+        raise NotImplementedError
+      end
+
+    end
+  end
+end

data/lib/ssltool/adapters/filesystem.rb

@@ -0,0 +1,33 @@
+# encoding: UTF-8
+require_relative 'base'
+
+module SSLTool
+  class CertificateStore
+    class FilesystemAdapter < Adapter
+      def initialize(base_path)
+        @base_path = base_path
+      end
+
+      def load_pool(pool_name)
+        Certificate.scan(read_pool(pool_name)).to_set
+      end
+
+      def store_pool(pool_name, certs)
+        return if read_pool(pool_name) == certs.to_set
+        open(pool_path(pool_name), 'w') { |io| io.puts certs.map(&:to_pem).sort }
+      end
+
+      private
+
+      def pool_path(pool_name)
+        File.join(@base_path, "#{pool_name}.pem")
+      end
+
+      def read_pool(pool_name)
+        path = pool_path(pool_name)
+        return "" unless File.exists?(path)
+        File.read(path).strip
+      end
+    end
+  end
+end

data/lib/ssltool/adapters/sequel.rb

@@ -0,0 +1,36 @@
+# encoding: UTF-8
+require 'sequel'
+require_relative 'base'
+
+module SSLTool
+  class CertificateStore
+    class SequelAdapter < Adapter
+      def initialize(database_url)
+        @database = Sequel.connect(database_url)
+        @database.create_table? :certificates do
+          column :pool,        :varchar, null:false
+          column :pem,         :text,    null:false
+          column :fingerprint, :char,    null:false, size:40
+          index  :fingerprint
+          index [:pool, :fingerprint], unique:true
+        end
+        @certificates = @database[:certificates]
+      end
+
+      def load_pool(pool_name)
+        @certificates.filter(pool:pool_name.to_s).map(:pem).map { |pem| Certificate.new pem }.to_set
+      end
+
+      def store_pool(pool_name, certs)
+        @database.transaction do
+          current_set     = load_pool(pool_name)
+          replacement_set = certs.to_set
+          delete_set      = (current_set - replacement_set).map { |cert| { fingerprint:cert.fingerprint, pool:pool_name.to_s } }
+          insert_set      = (replacement_set - current_set).map { |cert| { fingerprint:cert.fingerprint, pool:pool_name.to_s, pem:cert.to_pem } }
+          delete_set.each { |params| @certificates.where(params).delete }
+          @certificates.multi_insert(insert_set)
+        end
+      end
+    end
+  end
+end

data/lib/ssltool/certificate.rb

@@ -0,0 +1,108 @@
+# encoding: UTF-8
+require 'openssl'
+require 'weakref'
+require 'digest/sha1'
+
+require_relative 'pem_scanner'
+
+module SSLTool
+  class Certificate < OpenSSL::X509::Certificate
+    RX_DOMAIN_NAME = /^(\*\.)?([a-zA-Z0-9-]+\.)+[a-zA-Z0-9]+$/
+
+    # The certificate_cache stuff ensures we always get the same object every time we instantiate the same certificate.
+    # This is regardless of differences in the string used to instantiate the object.
+    # The weakrefs ensure we don't hold on to certs that are not being used outside of the cache.
+    @@certificate_cache = {}
+    def self.new(s)
+      cert = super(s)
+      k = cert.fingerprint
+      @@certificate_cache.delete(k) if v = @@certificate_cache[k] and v.respond_to?(:weakref_alive?) && !v.weakref_alive?
+      (@@certificate_cache[k] ||= WeakRef.new(cert)).__getobj__
+    end
+
+    # returns an array of Certificate objects created from cert strings found in s
+    def self.scan(s)
+      PEMScanner.new(s).certs.map { |s| new(s) }.uniq
+    end
+
+    ### signing
+
+    def signed_by?(other_cert)
+      verify(other_cert.public_key)
+    rescue OpenSSL::X509::CertificateError => e
+      # catching common error cases and returning nil
+      return nil if e.message == "wrong public key type" && other_cert.signature_algorithm =~ /^ecdsa/  # this error was seen with ecdsa-with-SHA384 signers, not sure why
+      return nil if e.message == "unknown message digest algorithm" && signature_algorithm =~ /^md2/    # md2 is not present in later versions of openssl
+      raise e
+    end
+
+    def signs?(other_cert)
+      other_cert.signed_by?(self)
+    end
+
+    def self_signed?
+      signs?(self)
+    end
+
+    def self_issued?
+      subject.eql?(issuer)
+    end
+
+    ### properties
+
+    def fingerprint
+      @fingerprint ||= Digest::SHA1.hexdigest(to_der)
+    end
+
+    def common_name
+      k, v, t = subject.to_a.find { |k, v, t| k == "CN" }; v
+    end
+
+    def for_domain_name?
+      common_name =~ RX_DOMAIN_NAME
+    end
+
+    def domain_names
+      [ (common_name if for_domain_name?),
+        map_extension_value('subjectAltName') { |s| s.scan(/\bDNS:([^\s,]+)/) },
+      ].flatten.compact.sort.uniq
+    end
+
+    def certificate_authority?
+      map_extension_value('basicConstraints') { |s| s.split(", ").include?('CA:TRUE') }
+    end
+
+    def certificate_sign?
+      map_extension_value('keyUsage') { |s| s.split(", ").include?('Certificate Sign') }
+    end
+
+    ### extensions
+
+    module Extensions
+      def [](k)
+        return super if k.is_a?(Integer) || !k.respond_to?(:to_str)
+        find { |e| e.oid == k.to_str }
+      end
+    end
+
+    def extensions
+      super.tap { |a| class << a; include Extensions; end }
+    end
+
+    def map_extension_value(extension_name, default = nil)
+      e = extensions[extension_name]
+      return default if e.nil?
+      yield(e.value)
+    end
+
+    ### chain
+
+    def chain_from(certs)
+      chain  = [self]
+      parent = (certs - chain).find { |cert| cert.signs?(self) }
+      chain.concat(parent.chain_from(certs - chain)) if parent
+      chain
+    end
+
+  end
+end