Class: Inspec::Resources::X509CertificateResource

Inherits:

Object

• Object
• Inspec::Resources::X509CertificateResource

Includes:

FileReader

Defined in:

lib/inspec/resources/x509_certificate.rb

Instance Method Summary

• #certificate? ⇒ Boolean
• #extensions ⇒ Object
• #fingerprint ⇒ Object
• #initialize(filename) ⇒ X509CertificateResource constructor

  A new instance of X509CertificateResource.

• #issuer ⇒ Object
• #issuer_dn ⇒ Object
• #key_length ⇒ Object
• #serial ⇒ Object
• #subject ⇒ Object
• #subject_dn ⇒ Object
• #to_s ⇒ Object
• #valid? ⇒ Boolean
• #validity_in_days ⇒ Object

Methods included from FileReader

#read_file_content

Constructor Details

#initialize(filename) ⇒ X509CertificateResource

Returns a new instance of X509CertificateResource.

See Also:

• https://tools.ietf.org/html/rfc5280#page-23

# File 'lib/inspec/resources/x509_certificate.rb', line 37

def initialize(filename)
  @certpath = filename
  @issuer = nil
  @parsed_subject = nil
  @parsed_issuer = nil
  @extensions = nil
  @cert = OpenSSL::X509::Certificate.new read_file_content(@certpath)
end

Instance Method Details

#certificate? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/inspec/resources/x509_certificate.rb', line 53

def certificate?
  !@cert.nil?
end

#extensions ⇒ Object

# File 'lib/inspec/resources/x509_certificate.rb', line 107

def extensions
  # Return cached Mash if we already parsed the certificate extensions
  return @extensions if @extensions
  # Return the exception class if we failed to instantiate a Cert from file
  return @cert unless @cert.respond_to? :extensions
  # Use a Mash to make it easier to access hash elements in "its('entensions') {should ...}"
  @extensions = Hashie::Mash.new({})
  # Make sure standard extensions exist so we don't get nil for nil:NilClass
  # when the user tests for extensions which aren't present
  %w{
    keyUsage extendedKeyUsage basicConstraints subjectKeyIdentifier
    authorityKeyIdentifier subjectAltName issuerAltName authorityInfoAccess
    crlDistributionPoints issuingDistributionPoint certificatePolicies
    policyConstraints nameConstraints noCheck tlsfeature nsComment
  }.each { |extension| @extensions[extension] ||= [] }
  # Now parse the extensions into the Mash
  extension_array = @cert.extensions.map(&:to_s)
  extension_array.each do |extension|
    kv = extension.split(/ *= */, 2)
    @extensions[kv.first] = kv.last.split(/ *, */)
  end
  @extensions
end

#fingerprint ⇒ Object

# File 'lib/inspec/resources/x509_certificate.rb', line 57

def fingerprint
  return if @cert.nil?
  OpenSSL::Digest::SHA1.new(@cert.to_der).to_s
end

#issuer ⇒ Object

# File 'lib/inspec/resources/x509_certificate.rb', line 85

def issuer
  return if @cert.nil?
  # Return cached subject if we have already parsed it
  return @parsed_issuer if @parsed_issuer
  # Use a Mash to make it easier to access hash elements in "its('issuer') {should ...}"
  @parsed_issuer = Hashie::Mash.new(Hash[@cert.issuer.to_a.map { |k, v, _| [k, v] }])
end

#issuer_dn ⇒ Object

# File 'lib/inspec/resources/x509_certificate.rb', line 80

def issuer_dn
  return if @cert.nil?
  @cert.issuer.to_s
end

#key_length ⇒ Object

# File 'lib/inspec/resources/x509_certificate.rb', line 93

def key_length
  return if @cert.nil?
  @cert.public_key.n.num_bytes * 8
end

#serial ⇒ Object

# File 'lib/inspec/resources/x509_certificate.rb', line 62

def serial
  return if @cert.nil?
  @cert.serial.to_i
end

#subject ⇒ Object

# File 'lib/inspec/resources/x509_certificate.rb', line 72

def subject
  return if @cert.nil?
  # Return cached subject if we have already parsed it
  return @parsed_subject if @parsed_subject
  # Use a Mash to make it easier to access hash elements in "its('subject') {should ...}"
  @parsed_subject = Hashie::Mash.new(Hash[@cert.subject.to_a.map { |k, v, _| [k, v] }])
end

#subject_dn ⇒ Object

# File 'lib/inspec/resources/x509_certificate.rb', line 67

def subject_dn
  return if @cert.nil?
  @cert.subject.to_s
end

#to_s ⇒ Object

# File 'lib/inspec/resources/x509_certificate.rb', line 131

def to_s
  "x509_certificate #{@certpath}"
end

#valid? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/inspec/resources/x509_certificate.rb', line 102

def valid?
  now = Time.now
  certificate? && (now >= not_before && now <= not_after)
end

#validity_in_days ⇒ Object

# File 'lib/inspec/resources/x509_certificate.rb', line 98

def validity_in_days
  (not_after - Time.now.utc) / 86400
end