Class: Http::SSLValidator

Inherits:

Object

• Object
• Http::SSLValidator

Defined in:

lib/ssl_validator.rb

Class Method Summary

• .configure(logger) ⇒ Object
• .configured? ⇒ Boolean
• .validate(certs, host) ⇒ Object

  Completes the 3 steps to certificate chain verification Also applies if there is just one cert in the chain, but the last step won’t run.

Class Method Details

.configure(logger) ⇒ Object

# File 'lib/ssl_validator.rb', line 8

def configure(logger)
  @@logger = logger || Logger.new(STDOUT)
  create_store
end

.configured? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/ssl_validator.rb', line 13

def configured?
  class_variable_defined?("@@logger")
end

.validate(certs, host) ⇒ Object

Completes the 3 steps to certificate chain verification Also applies if there is just one cert in the chain, but the last step won’t run

# File 'lib/ssl_validator.rb', line 22

def validate(certs, host)
  configure unless configured?

  certs = certs.collect { |c| OpenSSL::X509::Certificate.new(c) }
  @@logger.debug("Verifying certs for #{host}")
  
  # 1. Verify that the last cert has a valid hostname 
  unless OpenSSL::SSL.verify_certificate_identity(certs.last, host)
    @@logger.error("Hostname #{host} does not match cert: #{certs.last}")
    return false
  end
          
  # 2. Verify that the first cert can be validated by a root certificate
  unless @@store.verify(certs.first)
    @@logger.error("Cert not validated by any of the root certificates in my store: #{certs.first}")
    return false
  end
  
  # 3. Verify that every cert in the chain is validated by the cert after it
  (certs.length - 1).times do |i|
    cert_a = certs[i+1]
    cert_b = certs[i]
    unless cert_a.verify(cert_b.public_key)
      @@logger.error("Broken link in certificate chain for #{host} between #{cert_a} and #{cert_b}")
      return false
    end
  end
  true
end