certs.lua 4.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133
  1. local date = require("3rdparty/date");
  2. local sha1 = require("util.hashes").sha1;
  3. local openssl_blacklists = nil;
  4. function print_subject(print, subject)
  5. for _, entry in ipairs(subject) do
  6. print((" %s: %q"):format(entry.name or entry.oid, entry.value:gsub("[\r\n%z%c]", " ")));
  7. end
  8. end
  9. local function _capitalize_and_colon(byte)
  10. return string.upper(byte)..":";
  11. end
  12. function pretty_fingerprint(hash)
  13. return hash:gsub("..", _capitalize_and_colon):sub(1, -2);
  14. end
  15. function tohex(c)
  16. return string.format("%02x", string.byte(c));
  17. end
  18. function hex(c)
  19. local h = string.gsub(c, ".", tohex);
  20. return h;
  21. end
  22. function print_errors(print, errors)
  23. if type(errors) == "string" then
  24. print(" 0: " .. errors);
  25. else
  26. for depth, t in pairs(errors) do
  27. print((" %d: %s"):format(depth-1, table.concat(t, "\n ")));
  28. end
  29. end
  30. end
  31. function debian_weak_key(cert)
  32. local bits = cert:bits();
  33. local modulus = cert:modulus();
  34. if not modulus then return nil end;
  35. local modulus_hash = hex(sha1("Modulus="..cert:modulus().."\n"));
  36. local blacklist = (openssl_blacklists and io.open(openssl_blacklists .. "/blacklist.RSA-" .. bits)) or nil;
  37. if blacklist then
  38. local found = false;
  39. while true do
  40. local line = blacklist:read("*l");
  41. if not line then break; end
  42. if line == modulus_hash:sub(20) then
  43. return true;
  44. end
  45. end
  46. return false;
  47. end
  48. return nil;
  49. end
  50. function pretty_cert(outputmanager, current_cert)
  51. outputmanager.print("Subject:");
  52. print_subject(outputmanager.print, current_cert:subject());
  53. outputmanager.print("");
  54. outputmanager.print("SubjectPublicKeyInfo: "..hex(current_cert:spki()));
  55. outputmanager.print("Fingerprint (SHA1): "..pretty_fingerprint(current_cert:digest("sha1")));
  56. outputmanager.print("Fingerprint (SHA256): "..pretty_fingerprint(current_cert:digest("sha256")));
  57. outputmanager.print("Fingerprint (SHA512): "..pretty_fingerprint(current_cert:digest("sha512")));
  58. local bits = current_cert:bits();
  59. local b = debian_weak_key(current_cert);
  60. if b then
  61. outputmanager.print(outputmanager.boldred .. "Uses a weak Debian key! See https://wiki.debian.org/SSLkeys" .. outputmanager.reset);
  62. elseif b == nil then
  63. outputmanager.print("Can not determine whether a key with bit size " .. bits .. " is a weak Debian key.");
  64. end
  65. local judgement = "";
  66. local signature_alg = current_cert:signature_alg();
  67. if signature_alg == "md5WithRSAEncryption" then
  68. judgement = outputmanager.boldred .. " INSECURE!" .. outputmanager.reset;
  69. end
  70. outputmanager.print("");
  71. outputmanager.print("Signature algorithm: " .. signature_alg .. judgement);
  72. outputmanager.print("Key size: " .. bits .. " bits");
  73. outputmanager.print("");
  74. local notbefore = date(current_cert:notbefore());
  75. local notafter = date(current_cert:notafter());
  76. local now = date();
  77. outputmanager.print("Valid from: " .. notbefore:fmt("%F %T GMT") .. " (" .. date.fuzzy_range(now, notbefore) .. ")");
  78. outputmanager.print("Valid to: " .. notafter:fmt("%F %T GMT") .. " (" .. date.fuzzy_range(now, notafter) .. ")");
  79. if now < notbefore then
  80. outputmanager.print(outputmanager.boldred .. "Certificate is not yet valid." .. outputmanager.reset);
  81. end
  82. if now > notafter then
  83. outputmanager.print(outputmanager.boldred .. "Certificate is expired." .. outputmanager.reset);
  84. end
  85. local crl_url = current_cert:crl();
  86. local ocsp_url = current_cert:ocsp();
  87. outputmanager.print("Revocation:" .. (crl_url and " CRL: " .. crl_url or "") .. (ocsp_url and " OCSP: " .. ocsp_url or ""));
  88. end
  89. return function(blacklist)
  90. openssl_blacklists = blacklist;
  91. return {
  92. print_subject = print_subject;
  93. pretty_fingerprint = pretty_fingerprint;
  94. print_errors = print_errors;
  95. pretty_cert = pretty_cert;
  96. tohex = tohex;
  97. hex = hex;
  98. }
  99. end