You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

cert.rb 3.2KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110
  1. module CryptCheck
  2. module Tls
  3. class Cert
  4. DEFAULT_CA_DIRECTORIES = [
  5. '/usr/share/ca-certificates/mozilla'
  6. ]
  7. SIGNATURE_ALGORITHMS = {
  8. 'dsaWithSHA' => %i(sha1 dss),
  9. 'dsaWithSHA1' => %i(sha1 dss),
  10. 'dsaWithSHA1_2' => %i(sha1 dss),
  11. 'dsa_with_SHA224' => %i(sha2 dss),
  12. 'dsa_with_SHA256' => %i(sha2 dss),
  13. 'mdc2WithRSA' => %i(mdc2 rsa),
  14. 'md2WithRSAEncryption' => %i(md2 rsa),
  15. 'md4WithRSAEncryption' => %i(md4, rsa),
  16. 'md5WithRSA' => %i(md5 rsa),
  17. 'md5WithRSAEncryption' => %i(md5 rsa),
  18. 'shaWithRSAEncryption' => %i(sha rsa),
  19. 'sha1WithRSA' => %i(sha1 rsa),
  20. 'sha1WithRSAEncryption' => %i(sha1 rsa),
  21. 'sha224WithRSAEncryption' => %i(sha2 rsa),
  22. 'sha256WithRSAEncryption' => %i(sha2 rsa),
  23. 'sha384WithRSAEncryption' => %i(sha2 rsa),
  24. 'sha512WithRSAEncryption' => %i(sha2 rsa),
  25. 'ripemd160WithRSA' => %i(ripemd160 rsa),
  26. 'ecdsa-with-SHA1' => %i(sha1 ecc),
  27. 'ecdsa-with-SHA224' => %i(sha2 ecc),
  28. 'ecdsa-with-SHA256' => %i(sha2 ecc),
  29. 'ecdsa-with-SHA384' => %i(sha2 ecc),
  30. 'ecdsa-with-SHA512' => %i(sha2 ecc),
  31. 'id_GostR3411_94_with_GostR3410_2001' => %i(ghost),
  32. 'id_GostR3411_94_with_GostR3410_94' => %i(ghost),
  33. 'id_GostR3411_94_with_GostR3410_94_cc' => %i(ghost),
  34. 'id_GostR3411_94_with_GostR3410_2001_cc' => %i(ghost)
  35. }
  36. WEAK_SIGN = {
  37. critical: %i(mdc2 md2 md4 md5 sha sha1)
  38. }
  39. %i(md2 mdc2 md4 md5 ripemd160 sha sha1 sha2 rsa dss ecc ghost).each do |name|
  40. class_eval <<-RUBY_EVAL, __FILE__, __LINE__ + 1
  41. def #{name}?
  42. SIGNATURE_ALGORITHMS[@cert.signature_algorithm].include? :#{name}
  43. end
  44. RUBY_EVAL
  45. end
  46. def initialize(cert, chain=[])
  47. @cert, @chain = case cert
  48. when ::OpenSSL::X509::Certificate
  49. [cert, chain]
  50. when ::OpenSSL::SSL::SSLSocket
  51. [cert.peer_cert, cert.peer_cert_chain]
  52. end
  53. end
  54. def self.trusted?(cert, chain, roots: DEFAULT_CA_DIRECTORIES)
  55. store = ::OpenSSL::X509::Store.new
  56. store.purpose = ::OpenSSL::X509::PURPOSE_SSL_CLIENT
  57. store.add_chains roots
  58. chain.each do |cert|
  59. # Never add other self signed certificates than system CA !
  60. next if cert.subject == cert.issuer
  61. store.add_cert cert rescue nil
  62. end
  63. trusted = store.verify cert
  64. return :trusted if trusted
  65. store.error_string
  66. end
  67. def trusted?(roots: DEFAULT_CA_DIRECTORIES)
  68. Cert.trusted? @cert, @chain, roots: roots
  69. end
  70. def valid?(host)
  71. ::OpenSSL::SSL.verify_certificate_identity @cert, host
  72. end
  73. def fingerprint
  74. ::OpenSSL::Digest::SHA256.hexdigest @cert.to_der
  75. end
  76. def key
  77. @cert.public_key
  78. end
  79. def subject
  80. @cert.subject
  81. end
  82. def serial
  83. @cert.serial
  84. end
  85. def issuer
  86. @cert.issuer
  87. end
  88. end
  89. end
  90. end