aeris
/
cryptcheck
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
130 Commits
3 Branches
875KB
Tree: 8d3c33d516
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '8d3c33d516'
${ noResults }
cryptcheck/lib/cryptcheck/tls/cert.rb

154 lines
4.3KB
Raw Blame History 

  1. module CryptCheck

  2. 	module Tls

  3. 		class Cert

  4. 			DEFAULT_CA_DIRECTORIES = [

  5. 					'/usr/share/ca-certificates/mozilla'

  6. 			]

  7. 

  8. 			SIGNATURE_ALGORITHMS      = %i(md2 mdc2 md4 md5 ripemd160 sha sha1 sha2 rsa dss ecc ghost).freeze

  9. 			SIGNATURE_ALGORITHMS_X509 = {

  10. 					'dsaWithSHA'                             => %i(sha1 dss),

  11. 					'dsaWithSHA1'                            => %i(sha1 dss),

  12. 					'dsaWithSHA1_2'                          => %i(sha1 dss),

  13. 					'dsa_with_SHA224'                        => %i(sha2 dss),

  14. 					'dsa_with_SHA256'                        => %i(sha2 dss),

  15. 

  16. 					'mdc2WithRSA'                            => %i(mdc2 rsa),

  17. 

  18. 					'md2WithRSAEncryption'                   => %i(md2 rsa),

  19. 

  20. 					'md4WithRSAEncryption'                   => %i(md4, rsa),

  21. 

  22. 					'md5WithRSA'                             => %i(md5 rsa),

  23. 					'md5WithRSAEncryption'                   => %i(md5 rsa),

  24. 

  25. 					'shaWithRSAEncryption'                   => %i(sha rsa),

  26. 					'sha1WithRSA'                            => %i(sha1 rsa),

  27. 					'sha1WithRSAEncryption'                  => %i(sha1 rsa),

  28. 					'sha224WithRSAEncryption'                => %i(sha2 rsa),

  29. 					'sha256WithRSAEncryption'                => %i(sha2 rsa),

  30. 					'sha384WithRSAEncryption'                => %i(sha2 rsa),

  31. 					'sha512WithRSAEncryption'                => %i(sha2 rsa),

  32. 

  33. 					'ripemd160WithRSA'                       => %i(ripemd160 rsa),

  34. 

  35. 					'ecdsa-with-SHA1'                        => %i(sha1 ecc),

  36. 					'ecdsa-with-SHA224'                      => %i(sha2 ecc),

  37. 					'ecdsa-with-SHA256'                      => %i(sha2 ecc),

  38. 					'ecdsa-with-SHA384'                      => %i(sha2 ecc),

  39. 					'ecdsa-with-SHA512'                      => %i(sha2 ecc),

  40. 

  41. 					'id_GostR3411_94_with_GostR3410_2001'    => %i(ghost),

  42. 					'id_GostR3411_94_with_GostR3410_94'      => %i(ghost),

  43. 					'id_GostR3411_94_with_GostR3410_94_cc'   => %i(ghost),

  44. 					'id_GostR3411_94_with_GostR3410_2001_cc' => %i(ghost)

  45. 			}.freeze

  46. 			WEAK_SIGN                 = {

  47. 					critical: %i(mdc2 md2 md4 md5 sha sha1)

  48. 			}.freeze

  49. 

  50. 			SIGNATURE_ALGORITHMS.each do |name|

  51. 				class_eval <<-RUBY_EVAL, __FILE__, __LINE__ + 1

  52. 					def #{name}?

  53. 						SIGNATURE_ALGORITHMS_X509[@cert.signature_algorithm].include? :#{name}

  54. 					end

  55. 				RUBY_EVAL

  56. 			end

  57. 

  58. 			def initialize(cert, chain=[])

  59. 				@cert, @chain = case cert

  60. 									when ::OpenSSL::X509::Certificate

  61. 										[cert, chain]

  62. 									when ::OpenSSL::SSL::SSLSocket

  63. 										[cert.peer_cert, cert.peer_cert_chain]

  64. 								end

  65. 			end

  66. 

  67. 			def self.trusted?(cert, chain, roots: DEFAULT_CA_DIRECTORIES)

  68. 				store         = ::OpenSSL::X509::Store.new

  69. 				store.purpose = ::OpenSSL::X509::PURPOSE_SSL_SERVER

  70. 				store.add_chains roots

  71. 				chain.each do |cert|

  72. 					# Never add other self signed certificates than system CA !

  73. 					next if cert.subject == cert.issuer

  74. 					store.add_cert cert rescue nil

  75. 				end if chain

  76. 

  77. 				trusted = store.verify cert

  78. 				return :trusted if trusted

  79. 				store.error_string

  80. 			end

  81. 

  82. 			def trusted?(roots: DEFAULT_CA_DIRECTORIES)

  83. 				Cert.trusted? @cert, @chain, roots: roots

  84. 			end

  85. 

  86. 			def valid?(host)

  87. 				::OpenSSL::SSL.verify_certificate_identity @cert, host

  88. 			end

  89. 

  90. 			def fingerprint

  91. 				@cert.fingerprint

  92. 			end

  93. 

  94. 			def key

  95. 				@cert.public_key

  96. 			end

  97. 

  98. 			def subject

  99. 				@cert.subject

  100. 			end

  101. 

  102. 			def serial

  103. 				@cert.serial

  104. 			end

  105. 

  106. 			def issuer

  107. 				@cert.issuer

  108. 			end

  109. 

  110. 			def lifetime

  111. 				{ not_before: @cert.not_before, not_after: @cert.not_after }

  112. 			end

  113. 

  114. 			def to_h

  115. 				{

  116. 						subject:     self.subject.to_s,

  117. 						serial:      self.serial.to_s,

  118. 						issuer:      self.issuer.to_s,

  119. 						lifetime:    self.lifetime,

  120. 						fingerprint: self.fingerprint,

  121. 						chain:       @chain.collect do |cert|

  122. 							{

  123. 									subject:     cert.subject.to_s,

  124. 									serial:      cert.serial.to_s,

  125. 									issuer:      cert.issuer.to_s,

  126. 									fingerprint: cert.fingerprint,

  127. 									lifetime:    { not_before: cert.not_before, not_after: cert.not_after }

  128. 							}

  129. 						end,

  130. 						key:         self.key.to_h,

  131. 						states:      self.states

  132. 				}

  133. 			end

  134. 

  135. 			protected

  136. 			include State

  137. 

  138. 			CHECKS = WEAK_SIGN.collect do |level, hashes|

  139. 				hashes.collect do |hash|

  140. 					["#{hash}_sign".to_sym, level, -> (s) { s.send "#{hash}?" }]

  141. 				end

  142. 			end.flatten(1).freeze

  143. 

  144. 			def available_checks

  145. 				CHECKS

  146. 			end

  147. 

  148. 			def children

  149. 				[self.key]

  150. 			end

  151. 		end

  152. 	end

  153. end