mirror of
https://github.com/inspec/inspec
synced 2024-11-30 08:30:39 +00:00
d2f000e435
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
143 lines
4.9 KiB
Ruby
143 lines
4.9 KiB
Ruby
# encoding: utf-8
|
|
# author: Richard Nixon
|
|
# author: Christoph Hartmann
|
|
|
|
require 'openssl'
|
|
require 'hashie/mash'
|
|
|
|
module Inspec::Resources
|
|
class X509CertificateResource < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
|
|
name 'x509_certificate'
|
|
desc 'Used to test x.509 certificates'
|
|
example "
|
|
describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
|
|
its('subject') { should match /CN=My Website/ }
|
|
its('validity_in_days') { should be > 30 }
|
|
end
|
|
|
|
describe x509_certificate('trials/x509/cert.pem') do
|
|
it { should be_certificate }
|
|
it { should be_valid }
|
|
its('fingerprint') { should eq '62b137bdf427e7273dc2e487877b3033e4c8ce17' }
|
|
its('signature_algorithm') { should eq 'sha1WithRSAEncryption' }
|
|
its('validity_in_days') { should_not be < 100 }
|
|
its('validity_in_days') { should be >= 100 }
|
|
its('subject_dn') { should eq '/C=DE/ST=Berlin/L=Berlin/O=InSpec/OU=Chef Software, Inc/CN=inspec.io/emailAddress=support@chef.io' }
|
|
its('subject.C') { should eq 'DE' }
|
|
its('subject.emailAddress') { should_not be_empty }
|
|
its('subject.emailAddress') { should eq 'support@chef.io' }
|
|
its('issuer_dn') { should eq '/C=DE/ST=Berlin/L=Berlin/O=InSpec/OU=Chef Software, Inc/CN=inspec.io/emailAddress=support@chef.io' }
|
|
its('key_length') { should be >= 2048 }
|
|
its('extensions.subjectKeyIdentifier') { should cmp 'A5:16:0B:12:F4:48:0F:06:6C:32:29:67:98:12:DF:3D:0D:75:9D:5C' }
|
|
end
|
|
"
|
|
|
|
# @see https://tools.ietf.org/html/rfc5280#page-23
|
|
def initialize(filename)
|
|
@certpath = filename
|
|
@issuer = nil
|
|
@parsed_subject = nil
|
|
@parsed_issuer = nil
|
|
@extensions = nil
|
|
|
|
file = inspec.file(@certpath)
|
|
return skip_resource "Unable to find certificate file #{@certpath}" unless file.exist?
|
|
|
|
begin
|
|
@cert = OpenSSL::X509::Certificate.new file.content
|
|
rescue OpenSSL::X509::CertificateError
|
|
@cert = nil
|
|
return skip_resource "Unable to load certificate #{@certpath}"
|
|
end
|
|
end
|
|
|
|
# Forward these methods directly to OpenSSL::X509::Certificate instance
|
|
%w{version not_before not_after signature_algorithm public_key }.each do |m|
|
|
define_method m.to_sym do |*args|
|
|
@cert.method(m.to_sym).call(*args)
|
|
end
|
|
end
|
|
|
|
def certificate?
|
|
!@cert.nil?
|
|
end
|
|
|
|
def fingerprint
|
|
return if @cert.nil?
|
|
OpenSSL::Digest::SHA1.new(@cert.to_der).to_s
|
|
end
|
|
|
|
def serial
|
|
return if @cert.nil?
|
|
@cert.serial.to_i
|
|
end
|
|
|
|
def subject_dn
|
|
return if @cert.nil?
|
|
@cert.subject.to_s
|
|
end
|
|
|
|
def subject
|
|
return if @cert.nil?
|
|
# Return cached subject if we have already parsed it
|
|
return @parsed_subject if @parsed_subject
|
|
# Use a Mash to make it easier to access hash elements in "its('subject') {should ...}"
|
|
@parsed_subject = Hashie::Mash.new(Hash[@cert.subject.to_a.map { |k, v, _| [k, v] }])
|
|
end
|
|
|
|
def issuer_dn
|
|
return if @cert.nil?
|
|
@cert.issuer.to_s
|
|
end
|
|
|
|
def issuer
|
|
return if @cert.nil?
|
|
# Return cached subject if we have already parsed it
|
|
return @parsed_issuer if @parsed_issuer
|
|
# Use a Mash to make it easier to access hash elements in "its('issuer') {should ...}"
|
|
@parsed_issuer = Hashie::Mash.new(Hash[@cert.issuer.to_a.map { |k, v, _| [k, v] }])
|
|
end
|
|
|
|
def key_length
|
|
return if @cert.nil?
|
|
@cert.public_key.n.num_bytes * 8
|
|
end
|
|
|
|
def validity_in_days
|
|
(not_after - Time.now.utc) / 86400
|
|
end
|
|
|
|
def valid?
|
|
now = Time.now
|
|
certificate? && (now >= not_before && now <= not_after)
|
|
end
|
|
|
|
def extensions
|
|
# Return cached Mash if we already parsed the certificate extensions
|
|
return @extensions if @extensions
|
|
# Return the exception class if we failed to instantiate a Cert from file
|
|
return @cert unless @cert.respond_to? :extensions
|
|
# Use a Mash to make it easier to access hash elements in "its('entensions') {should ...}"
|
|
@extensions = Hashie::Mash.new({})
|
|
# Make sure standard extensions exist so we don't get nil for nil:NilClass
|
|
# when the user tests for extensions which aren't present
|
|
%w{
|
|
keyUsage extendedKeyUsage basicConstraints subjectKeyIdentifier
|
|
authorityKeyIdentifier subjectAltName issuerAltName authorityInfoAccess
|
|
crlDistributionPoints issuingDistributionPoint certificatePolicies
|
|
policyConstraints nameConstraints noCheck tlsfeature nsComment
|
|
}.each { |extension| @extensions[extension] ||= [] }
|
|
# Now parse the extensions into the Mash
|
|
extension_array = @cert.extensions.map(&:to_s)
|
|
extension_array.each do |extension|
|
|
kv = extension.split(/ *= */, 2)
|
|
@extensions[kv.first] = kv.last.split(/ *, */)
|
|
end
|
|
@extensions
|
|
end
|
|
|
|
def to_s
|
|
"x509_certificate #{@certpath}"
|
|
end
|
|
end
|
|
end
|