calidog / easyssl Goto Github PK

SSL certificate parsing for humans

License: MIT License

Elixir 100.00%

easyssl's Introduction

EasySSL

Originally this module was part of the Certstream project, but we decided that it'd be more useful as a stand-alone module to hopefully de-duplicate the annoyances of figuring out how to use Erlang's :public_key module to properly parse X509 certificates and coerce things like extensions and subjects to something that more closely resembles certificate parsing in other languages.

As a forewarning, this is by no means an all-inclusive library for parsing X509 certificates, it's just what we needed as part of our project, but pull requests are extremely welcome if you notice some breakage or ways to improve! That being said, it does process millions of certificates per day through Certstream, so we consider it fairly battle tested!

Installation

As with most libraries in the Elixir landscape, you can install this by adding the following to your deps in mix.exs:

(Current version: )

{:easy_ssl, "~> 1.3.0"}

Then run $ mix deps.get to fetch the dependency.

Hex docs can be found at https://hexdocs.pm/easy_ssl.

Usage

We aim to make the usage as stupid simple as possible, so there are only 2 exported functions (for now), both of which return the following data structure:

%{
  extensions: %{
    authorityInfoAccess: "CA Issuers - URI:http://certificates.godaddy.com/repository/gd_intermediate.crt\nOCSP - URI:http://ocsp.godaddy.com/\n",
    authorityKeyIdentifier: "keyid:FD:AC:61:32:93:6C:45:D6:E2:EE:85:5F:9A:BA:E7:76:99:68:CC:E7\n",
    basicConstraints: "CA:FALSE",
    certificatePolicies: "Policy: 2.16.840.1.114413.1.7.23.1\n  CPS: http://certificates.godaddy.com/repository/",
    crlDistributionPoints: "Full Name:\n URI:http://crl.godaddy.com/gds1-90.crl",
    extendedKeyUsage: "TLS Web server authentication, TLS Web client authentication",
    keyUsage: "Digital Signature, Key Encipherment",
    subjectAltName: "DNS:acaline.com, DNS:www.acaline.com",
    subjectKeyIdentifier: "E6:61:14:4E:5A:4B:51:0C:4E:6C:5E:3C:79:61:65:D4:BD:64:94:BE"
  },
  fingerprint: "FA:BE:B5:9B:ED:C2:2B:42:7E:B1:45:C8:9A:8A:73:16:4A:A0:10:09",
  issuer: %{
    C: "US",
    CN: "Go Daddy Secure Certification Authority",
    L: "Scottsdale",
    O: "GoDaddy.com, Inc.",
    OU: "http://certificates.godaddy.com/repository",
    ST: "Arizona",
    aggregated: "/C=US/CN=Go Daddy Secure Certification Authority/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/ST=Arizona",
    emailAddress: nil
  },
  not_after: 1398523877,
  not_before: 1366987877,
  serial_number: "27ACAE30B9F323",
  signature_algorithm: "sha, rsa",
  subject: %{
    C: nil,
    CN: "www.acaline.com",
    L: nil,
    O: nil,
    OU: "Domain Control Validated",
    ST: nil,
    aggregated: "/CN=www.acaline.com/OU=Domain Control Validated",
    emailAddress: nil
  }
}

parse_der

Parses a DER-encoded X509 certificate

iex(1)> File.read!("some_cert.der") |> EasySSL.parse_der
%{
  extensions: %{
    ...SNIP...
  },
  fingerprint: "FA:BE:B5:9B:ED:C2:2B:42:7E:B1:45:C8:9A:8A:73:16:4A:A0:10:09",
  issuer: %{
    ...SNIP...
  },
  not_after: 1398523877,
  not_before: 1366987877,
  serial_number: "27ACAE30B9F323",
  signature_algorithm: "sha, rsa",
  subject: %{
    ...SNIP...
  }
}

parse_pem

Parses a PEM-encoded X509 certificate

iex(1)> File.read!("some_cert.pem") |> EasySSL.parse_pem
%{
  extensions: %{
    ...SNIP...
  },
  fingerprint: "FA:BE:B5:9B:ED:C2:2B:42:7E:B1:45:C8:9A:8A:73:16:4A:A0:10:09",
  issuer: %{
    ...SNIP...
  },
  not_after: 1398523877,
  not_before: 1366987877,
  serial_number: "27ACAE30B9F323",
  signature_algorithm: "sha, rsa",
  subject: %{
    ...SNIP...
  }
}

If you'd like some other functionality or find a bug please open a ticket!

easyssl's People

Contributors

Stargazers

Watchers

Forkers

rmoorman ninoseki ahovgaard omh kayger44 toddholmberg synse ameg-yag ruudk bytevan kianmeng sbv-csis haljin binaryape digital-identity-labs mitel bertdg pkazmier

easyssl's Issues

CaseClauseError in parse_extensions when :rfc822Name identifier case appears in :crlDistributionPoints list.

10:37:59.774 [error] ** (CaseClauseError) no case clause matching: {:rfc822Name, '[email protected]'}
    (easy_ssl 1.1.2) lib/easy_ssl.ex:400: anonymous fn/1 in EasySSL.parse_extensions/1
    (elixir 1.10.1) lib/enum.ex:1396: Enum."-map/2-lists^map/1-0-"/2
    (easy_ssl 1.1.2) lib/easy_ssl.ex:399: anonymous fn/2 in EasySSL.parse_extensions/1
    (elixir 1.10.1) lib/enum.ex:2111: Enum."-reduce/3-lists^foldl/2-0-"/3
    (easy_ssl 1.1.2) lib/easy_ssl.ex:395: anonymous fn/2 in EasySSL.parse_extensions/1
    (elixir 1.10.1) lib/enum.ex:2111: Enum."-reduce/3-lists^foldl/2-0-"/3
    (easy_ssl 1.1.2) lib/easy_ssl.ex:70: EasySSL.parse_der/2
    (tls_worker 0.1.0) lib/tls_worker/certificate.ex:140: TLSWorker.Certificate.process_certificate/

Here's a possible fix:

{:Extension, {2, 5, 29, 31}, _critical, crl_distribution_points} ->
              Map.put(
                extension_map,
                :crlDistributionPoints,
                crl_distribution_points
                |> Enum.reduce([], fn distro_point, output ->
                  case distro_point do
                    {:DistributionPoint, {:fullName, crls}, :asn1_NOVALUE, :asn1_NOVALUE} ->
                      crl_string =
                        crls
                        |> Enum.map(fn identifier ->
                          case identifier do
                            {:uniformResourceIdentifier, uri} ->
                              " URI:#{uri}"
                            {:rfc822Name, identifier} -> " RFC 822 Name: #{identifier}"
                            {:directoryName, _rdn_sequence} ->
                              "" # Just skip this for now, not commonly used.
                          end
                        end)
                        |> Enum.join("\n")

                      output = ["Full Name:" | output]
                      output = [crl_string | output]
                      output
                      |> Enum.reverse()

                    _ ->
                      Logger.error("Unhandled CRL distrobution point #{inspect distro_point}")
                      output
                  end
                end)
                |> Enum.join("\n")
              )

I have a pull request in for this issue.

access to custom extensions

i can imagine you never needed custom extensions, because for the certstream-server it's unusual to see them - but they do exist :) right now, i just know "it's there", but the library does not offer a way to access it:

iex> EasySSL.parse_der(cert)
%{
  extensions: %{
    extra: ["1.3.6.1.5.5.7.1.323.2", "1.3.6.1.5.5.7.1.323.1"],
  },
  subject: %{
    aggregated: "/CN=my_cn"
  },
  serial_number: "A"
}

using erlang's public_key library i can get it:

{:OTPCertificate, {:OTPTBSCertificate, _, _, _, _, _, _, _, _, _, extensions}, _, _} = 
  :public_key.pkix_decode_cert(cert, :otp)

Enum.filter(extensions, fn
  {:Extension, {1, 3, 6, 1, 5, 5, 7, 1, 323, 1}, _, _} -> true
  _ -> false
end) |> List.first()

Question is, do you see fit for the library or is it too special @Fitblip ? it'd probably include a bit code towards ASN1 handling - to get a least some meaningful values returned ..

Could you please bump hex to v1.3.1 or v1.4 so it works on latest Elixir?

Could you release the latest stuff to hex.pm, so the extra_applications: [:public_key] stuff becomes visible?

Would prefer to do {:easy_ssl, "~> 1.3.1"} or {:easy_ssl, "~> 1.4"} instead of {:easy_ssl, github: "CaliDog/EasySSL", branch: "master"}.

Thanks for the good work,
Christian

Protocol.UndefinedError with Elixir 1.14

I got the following errors when I try to use EasySSL with Elixir 1.14.
(Sorry I'm an Elixir newbie and I cannot guess a root cause but let me report)

$ elixir  --version                                                                                                                                                                         11:38:54
Erlang/OTP 25 [erts-13.2] [source] [64-bit] [smp:10:10] [ds:10:10:10] [async-threads:1] [jit] [dtrace]

Elixir 1.14.4 (compiled with Erlang/OTP 23)

$ mix test                                                                                                                                                                                  11:38:39
warning: use Mix.Config is deprecated. Use the Config module instead
  config/config.exs:3

Compiling 1 file (.ex)


  1) test parses signature algorithm correctly (EasySSLTest)
     test/easy_ssl_test.exs:112
     ** (Protocol.UndefinedError) protocol Enumerable not implemented for <<48, 42, 48, 40, 160, 38, 160, 36, 134, 34, 104, 116, 116, 112, 58, 47, 47, 99, 114, 108, 46, 103, 111, 100, 97, 100, 100, 121, 46, 99, 111, 109, 47, 103, 100, 115, 49, 45, 57, 48, 46, 99, 114, 108>> of type BitString. This protocol is implemented for the following type(s): Date.Range, File.Stream, Function, GenEvent.Stream, HashDict, HashSet, IO.Stream, List, Map, MapSet, Range, Stream
     code: cert = File.read!(@pem_cert_dir <> "acaline.com.crt") |> EasySSL.parse_pem()
     stacktrace:
       (elixir 1.14.4) lib/enum.ex:1: Enumerable.impl_for!/1
       (elixir 1.14.4) lib/enum.ex:166: Enumerable.reduce/3
       (elixir 1.14.4) lib/enum.ex:4307: Enum.reduce/3
       (easy_ssl 1.3.0) lib/easy_ssl.ex:523: anonymous fn/2 in EasySSL.parse_extensions/1
       (elixir 1.14.4) lib/enum.ex:2468: Enum."-reduce/3-lists^foldl/2-0-"/3
       (easy_ssl 1.3.0) lib/easy_ssl.ex:86: EasySSL.parse_der/2
       test/easy_ssl_test.exs:113: (test)

..

  2) test parses all certifiates in @pem_cert_dir directory (EasySSLTest)
     test/easy_ssl_test.exs:34
     ** (Protocol.UndefinedError) protocol Enumerable not implemented for <<48, 42, 48, 40, 160, 38, 160, 36, 134, 34, 104, 116, 116, 112, 58, 47, 47, 99, 114, 108, 46, 103, 111, 100, 97, 100, 100, 121, 46, 99, 111, 109, 47, 103, 100, 115, 49, 45, 57, 48, 46, 99, 114, 108>> of type BitString. This protocol is implemented for the following type(s): Date.Range, File.Stream, Function, GenEvent.Stream, HashDict, HashSet, IO.Stream, List, Map, MapSet, Range, Stream
     code: |> Enum.each(fn cert_filename ->
     stacktrace:
       (elixir 1.14.4) lib/enum.ex:1: Enumerable.impl_for!/1
       (elixir 1.14.4) lib/enum.ex:166: Enumerable.reduce/3
       (elixir 1.14.4) lib/enum.ex:4307: Enum.reduce/3
       (easy_ssl 1.3.0) lib/easy_ssl.ex:523: anonymous fn/2 in EasySSL.parse_extensions/1
       (elixir 1.14.4) lib/enum.ex:2468: Enum."-reduce/3-lists^foldl/2-0-"/3
       (easy_ssl 1.3.0) lib/easy_ssl.ex:86: EasySSL.parse_der/2
       test/easy_ssl_test.exs:38: anonymous fn/1 in EasySSLTest."test parses all certifiates in @pem_cert_dir directory"/1
       (elixir 1.14.4) lib/enum.ex:975: Enum."-each/2-lists^foreach/1-0-"/2
       test/easy_ssl_test.exs:36: (test)

.

  3) test parses subject and issuer correctly (EasySSLTest)
     test/easy_ssl_test.exs:103
     ** (Protocol.UndefinedError) protocol Enumerable not implemented for <<48, 90, 48, 43, 160, 41, 160, 39, 134, 37, 104, 116, 116, 112, 58, 47, 47, 99, 114, 108, 51, 46, 100, 105, 103, 105, 99, 101, 114, 116, 46, 99, 111, 109, 47, 101, 118, 99, 97, 49, 45, 103, 50, 46, 99, 114, 108, 48, 43, 160, ...>> of type BitString. This protocol is implemented for the following type(s): Date.Range, File.Stream, Function, GenEvent.Stream, HashDict, HashSet, IO.Stream, List, Map, MapSet, Range, Stream
     code: cert = File.read!(@pem_cert_dir <> "github.com.crt") |> EasySSL.parse_pem()
     stacktrace:
       (elixir 1.14.4) lib/enum.ex:1: Enumerable.impl_for!/1
       (elixir 1.14.4) lib/enum.ex:166: Enumerable.reduce/3
       (elixir 1.14.4) lib/enum.ex:4307: Enum.reduce/3
       (easy_ssl 1.3.0) lib/easy_ssl.ex:523: anonymous fn/2 in EasySSL.parse_extensions/1
       (elixir 1.14.4) lib/enum.ex:2468: Enum."-reduce/3-lists^foldl/2-0-"/3
       (easy_ssl 1.3.0) lib/easy_ssl.ex:86: EasySSL.parse_der/2
       test/easy_ssl_test.exs:104: (test)



  4) test parses validity dates correctly (EasySSLTest)
     test/easy_ssl_test.exs:89
     ** (Protocol.UndefinedError) protocol Enumerable not implemented for <<48, 90, 48, 43, 160, 41, 160, 39, 134, 37, 104, 116, 116, 112, 58, 47, 47, 99, 114, 108, 51, 46, 100, 105, 103, 105, 99, 101, 114, 116, 46, 99, 111, 109, 47, 101, 118, 99, 97, 49, 45, 103, 50, 46, 99, 114, 108, 48, 43, 160, ...>> of type BitString. This protocol is implemented for the following type(s): Date.Range, File.Stream, Function, GenEvent.Stream, HashDict, HashSet, IO.Stream, List, Map, MapSet, Range, Stream
     code: cert = File.read!(@pem_cert_dir <> "github.com.crt") |> EasySSL.parse_pem()
     stacktrace:
       (elixir 1.14.4) lib/enum.ex:1: Enumerable.impl_for!/1
       (elixir 1.14.4) lib/enum.ex:166: Enumerable.reduce/3
       (elixir 1.14.4) lib/enum.ex:4307: Enum.reduce/3
       (easy_ssl 1.3.0) lib/easy_ssl.ex:523: anonymous fn/2 in EasySSL.parse_extensions/1
       (elixir 1.14.4) lib/enum.ex:2468: Enum."-reduce/3-lists^foldl/2-0-"/3
       (easy_ssl 1.3.0) lib/easy_ssl.ex:86: EasySSL.parse_der/2
       test/easy_ssl_test.exs:90: (test)



  5) test parses all certifiates in @der_cert_dir directory (EasySSLTest)
     test/easy_ssl_test.exs:21
     ** (Protocol.UndefinedError) protocol Enumerable not implemented for <<48, 60, 48, 58, 160, 56, 160, 54, 134, 52, 104, 116, 116, 112, 58, 47, 47, 99, 114, 108, 46, 103, 108, 111, 98, 97, 108, 115, 105, 103, 110, 46, 99, 111, 109, 47, 103, 115, 47, 103, 115, 111, 114, 103, 97, 110, 105, 122, 97, 116, ...>> of type BitString. This protocol is implemented for the following type(s): Date.Range, File.Stream, Function, GenEvent.Stream, HashDict, HashSet, IO.Stream, List, Map, MapSet, Range, Stream
     code: |> Enum.each(fn cert_filename ->
     stacktrace:
       (elixir 1.14.4) lib/enum.ex:1: Enumerable.impl_for!/1
       (elixir 1.14.4) lib/enum.ex:166: Enumerable.reduce/3
       (elixir 1.14.4) lib/enum.ex:4307: Enum.reduce/3
       (easy_ssl 1.3.0) lib/easy_ssl.ex:523: anonymous fn/2 in EasySSL.parse_extensions/1
       (elixir 1.14.4) lib/enum.ex:2468: Enum."-reduce/3-lists^foldl/2-0-"/3
       (easy_ssl 1.3.0) lib/easy_ssl.ex:86: EasySSL.parse_der/2
       test/easy_ssl_test.exs:25: anonymous fn/1 in EasySSLTest."test parses all certifiates in @der_cert_dir directory"/1
       (elixir 1.14.4) lib/enum.ex:975: Enum."-each/2-lists^foreach/1-0-"/2
       test/easy_ssl_test.exs:23: (test)



  6) test parses and adds all domains to the top level leaf node (EasySSLTest)
     test/easy_ssl_test.exs:59
     ** (Protocol.UndefinedError) protocol Enumerable not implemented for <<48, 57, 48, 55, 160, 53, 160, 51, 134, 49, 104, 116, 116, 112, 58, 47, 47, 69, 86, 83, 101, 99, 117, 114, 101, 45, 99, 114, 108, 46, 118, 101, 114, 105, 115, 105, 103, 110, 46, 99, 111, 109, 47, 69, 86, 83, 101, 99, 117, 114, ...>> of type BitString. This protocol is implemented for the following type(s): Date.Range, File.Stream, Function, GenEvent.Stream, HashDict, HashSet, IO.Stream, List, Map, MapSet, Range, Stream
     code: |> EasySSL.parse_der()
     stacktrace:
       (elixir 1.14.4) lib/enum.ex:1: Enumerable.impl_for!/1
       (elixir 1.14.4) lib/enum.ex:166: Enumerable.reduce/3
       (elixir 1.14.4) lib/enum.ex:4307: Enum.reduce/3
       (easy_ssl 1.3.0) lib/easy_ssl.ex:523: anonymous fn/2 in EasySSL.parse_extensions/1
       (elixir 1.14.4) lib/enum.ex:2468: Enum."-reduce/3-lists^foldl/2-0-"/3
       (easy_ssl 1.3.0) lib/easy_ssl.ex:86: EasySSL.parse_der/2
       test/easy_ssl_test.exs:63: (test)


Finished in 0.08 seconds (0.00s async, 0.08s sync)
9 tests, 6 failures

MatchError in parse extensions when anything other than :AccessDescription is present when parsing :authorityInfoAccess extensions.

I ran into an error recently when parsing a certificate:

10:37:26.790 [error] ** (MatchError) no match of right hand side value: {:AccessDescription, {1, 3, 6, 1, 5, 5, 7, 48, 2}, {:directoryName, {:rdnSequence, [[{:AttributeTypeAndValue, {2, 5, 4, 10}, <<19, 6, 104, 112, 46, 99, 111, 109>>}], [{:AttributeTypeAndValue, {2, 5, 4, 11}, <<19, 17, 73, 84, 32, 73, 110, 102, 114, 97, 115, 116, 114, 117, 99, 116, 117, 114, 101>>}], [{:AttributeTypeAndValue, {2, 5, 4, 6}, <<19, 2, 85, 83>>}], [{:AttributeTypeAndValue, {2, 5, 4, 10}, <<19, 23, 72, 101, 119, 108, 101, 116, 116, 45, 80, 97, 99, 107, 97, 114, 100, 32, 67, 111, 109, 112, 97, 110, 121>>}], [{:AttributeTypeAndValue, {2, 5, 4, 3}, <<19, 55, 72, 101, 119, 108, 101, 116, 116, 45, 80, 97, 99, 107, 97, 114, 100, 32, 80, 114, 105, 118, 97, 116, 101, 32, 67, 108, 97, 115, 115, 32, 50, 32, ...>>}]]}}}
    (easy_ssl 1.1.2) lib/easy_ssl.ex:292: anonymous fn/2 in EasySSL.parse_extensions/1
    (elixir 1.10.1) lib/enum.ex:2111: Enum."-reduce/3-lists^foldl/2-0-"/3
    (easy_ssl 1.1.2) lib/easy_ssl.ex:291: anonymous fn/2 in EasySSL.parse_extensions/1
    (elixir 1.10.1) lib/enum.ex:2111: Enum."-reduce/3-lists^foldl/2-0-"/3
    (easy_ssl 1.1.2) lib/easy_ssl.ex:70: EasySSL.parse_der/2
    (tls_worker 0.1.0) lib/tls_worker/certificate.ex:140: TLSWorker.Certificate.process_certificate/4
    (tls_worker 0.1.0) lib/tls_worker.ex:35: TLSWorker.run_scan/2
    (tls_worker 0.1.0) lib/tls_worker/broadway.ex:135: TLSWorker.Broadway.process_message/1

This occurs because the match on line 292 is too restrictive and causes the above match error.

Current code:

{:Extension, {1, 3, 6, 1, 5, 5, 7, 1, 1}, _critical, authority_info_access} ->
              Map.put(
                extension_map,
                :authorityInfoAccess,
                authority_info_access
                |> Enum.reduce([], fn match, entries ->
                  {:AccessDescription, oid, {:uniformResourceIdentifier, url}} = match
                  ["#{@authority_info_access_oids[oid]}:#{url}" | entries]
                end)
                |> Enum.join("\n")
                |> String.replace_suffix("", "\n")
              )

I propose adding a case clause and ignoring anything that does not fit the first case clause:

{:Extension, {1, 3, 6, 1, 5, 5, 7, 1, 1}, _critical, authority_info_access} ->
              Map.put(
                extension_map,
                :authorityInfoAccess,
                authority_info_access
                |> Enum.reduce([], fn match, entries ->
                  case match do
                    {:AccessDescription, oid, {:uniformResourceIdentifier, url}} -> ["#{@authority_info_access_oids[oid]}:#{url}" | entries]
                    _ -> entries
                  end
                end)
                |> Enum.join("\n")
                |> String.replace_suffix("", "\n")
              )

I have a branch ready for a pull request.

Dependency errors

I am getting the following warnings after installing EasySSL 1.3, and doing a deps.get or deps.compile

==> easy_ssl
Compiling 1 file (.ex)
warning: :crypto.hash/2 defined in application :crypto is used by the current application but the current application does not depend on :crypto. To fix this, you must do one of:

  1. If :crypto is part of Erlang/Elixir, you must include it under :extra_applications inside "def application" in your mix.exs

  2. If :crypto is a dependency, make sure it is listed under "def deps" in your mix.exs

  3. In case you don't want to add a requirement to :crypto, you may optionally skip this warning by adding [xref: [exclude: [:crypto]]] to your "def project" in mix.exs

  lib/easy_ssl.ex:201: EasySSL.fingerprint_cert/1

warning: :public_key.pkix_decode_cert/2 defined in application :public_key is used by the current application but the current application does not depend on :public_key. To fix this, you must do one of:

  1. If :public_key is part of Erlang/Elixir, you must include it under :extra_applications inside "def application" in your mix.exs

  2. If :public_key is a dependency, make sure it is listed under "def deps" in your mix.exs

  3. In case you don't want to add a requirement to :public_key, you may optionally skip this warning by adding [xref: [exclude: [:public_key]]] to your "def project" in mix.exs

  lib/easy_ssl.ex:76: EasySSL.parse_der/2

warning: :public_key.pkix_sign_types/1 defined in application :public_key is used by the current application but the current application does not depend on :public_key. To fix this, you must do one of:

  1. If :public_key is part of Erlang/Elixir, you must include it under :extra_applications inside "def application" in your mix.exs

  2. If :public_key is a dependency, make sure it is listed under "def deps" in your mix.exs

  3. In case you don't want to add a requirement to :public_key, you may optionally skip this warning by adding [xref: [exclude: [:public_key]]] to your "def project" in mix.exs

  lib/easy_ssl.ex:273: EasySSL.parse_signature_algo/1

Generated easy_ssl app

This is with:

elixir          1.12.3-otp-24
erlang          24.1

If I put xref: [exclude: [:crypto, :public_key]] in the mix.exs project() function, the warnings go away. I have no idea if this module actually needs those applications to be running.. my guess is not. If that's the case, I can create a PR with this fix.

Thanks,
Nate