« Groovy News: Gaelyk 0.5.5 Released | Main | Redhat vs. SpringSource: It Ain't Over! »

10/09/2010

Groovy: EVNark v0.2 - Validate SSL EV Certs

Well, it's been a couple of months since the initial release and I've updated evnark to version 0.2.  There are a few things new in this version:

  • Added AC Camerfirma SA to list of known EV OIDS
  • Added D-Trust to the ist of known EV OIDS
  • Added TC Trustcenter but check is still disabled until verification can be made.  The Certificate Policy extension id that I was able to find for TC Trustcenter extended validation certs looks odd.  If anyone out there uses an extended validation ssl certificate signed by TC Trustcenter and you know the certificate policy extension ID "1.2.276.0.44.1.1.1.4" is valid, please let me know.
  • Added UnknownHostException handler so that a lookup failure on a host exits gracefully
  • Added a socket timeout exception.  Initially set to just 5 seconds, the script won't wait forever trying to connect.
  • Cleaned up the output a little more

NOTE REGARDING CERTIFICATE PEER VALIDATION:  EVNark was written in the Groovy programming language.  EVNark executes as a groovy script running inside your system's default java viryual machine.  Successful peer validation of any CA signed ssl certificate is dependent entirely upon whether or not your jvm vendor has included that CA's root certificates within your jvm's cacerts file, whether you've imported a vendor's root certificates within your cacerts store, or if you are using a custom cacerts store.  Results may vary.  I'm using the default cacerts store provided by Apple bundled with their 1.6.0 JVM in Snow Leopard (OS X 10.6).  I personally know that 1.5 Apple JVM's running on Leopard (OS X 10.5) were unable to successfully validate GlobalSign's EV certs.

Downloads are now available from the main EVNark page

#!/usr/bin/env groovy
// usage: 'evnark [-h/--host "hostname"] [-p/--port "port"]'
//
// v0.2 
//   + Adds hostname lookup exception handling
//   + Adds connection Timeout exception handling
//   + Modified the output so that it will now state
//     whether or not an EV cert was found.

import java.security.*
import javax.net.ssl.*
import sun.security.x509.* 

/* This section sets up the command 
   line arguments portion of this script. */ 

def cli = new CliBuilder( usage: 'evnark [-h/--host "hostname"] [-p/--port "port"]' )
  cli.h( longOpt:'host', args:1, required:true, type:GString, 'The host or site you want to test' )
  cli.p( longOpt:'port', args:1, required:false, type:GString, 'Optional. Defaults to port 443')

def opt = cli.parse(args)
  if (!opt) return
  if (opt.h) host = opt.h

def port = 443
  if (opt.p) port = Integer.parseInt(opt.p)

// Create the socket
def factory = SSLSocketFactory.getDefault()

try {
  socket = factory.createSocket()
  socketaddr = new InetSocketAddress(host, port)
  socket.connect(socketaddr, 5000)
  } catch(UnknownHostException ex) {
      println "Hostname Resolution Failed.  Is ${host} a valid host?"
      return
  } catch(SocketTimeoutException ex) {
      println "Connection Timed Out. Is ${host} up or available?"
      return
  } 

try {
  socket.addHandshakeCompletedListener( new listener() )
  
  socket.startHandshake() 
  } catch(SSLHandshakeException ex) {
    println "CERTIFICATE PEER COULD NOT BE VERIFIED"
  } catch(SSLException ex) {
      println "The port number you specified (${port}) does not appear to be an ssl port"
  }

  class listener implements HandshakeCompletedListener {
  void handshakeCompleted(HandshakeCompletedEvent e) {

  def ev_oids = [
    // 'A-Trust GmbH'  => ' Doesn't appear to offer the .yet ',
    'AC Camerfirma SA'  => ' 1.3.6.1.4.1.17326.10.14.2',
    'Buypass AS':'2.16.578.1.26.1.3.3',
    // 'Certum':' Doesn't appear to offer them yet ',
    'Comodo CA Limited':'1.3.6.1.4.1.6449.1.2.1.5.1',
    'Cybertrust, Inc':'1.3.6.1.4.1.6334.1.100.1',
    'D-TRUST GmbH':'1.3.6.1.4.1.4788.2.202.1',
    // 'DanID':' Doesn't appear to offer the yet ',
    'DigiCert Inc':'2.16.840.1.114412.2.1',
    'DigiNotar':'2.16.528.1.1001.1.1.1.12.6.1.1.1',
    // 'Echoworx Corporation':' Doesn't appear to offer them yet ',
    'Entrust, Inc.':'2.16.840.1.114028.10.1.2',
    'GeoTrust Inc.':'1.3.6.1.4.1.14370.1.6',
    // 'Getronics PinkRoccade':'Doesn't appear to offer them yet  ',
    'GlobalSign nv-sa':'1.3.6.1.4.1.4146.1.1',
    'The Go Daddy Group, Inc.':'2.16.840.1.114413.1.7.23.3',
    // 'IdenTrust, Inc.':' Doesn't appear to offer the yet ',
    // 'IpsCA, IPS Certification Authority s.l.':' ',
    'Izenpe S.A.':'1.3.6.1.4.1.14777.6.1.1',
    'Network Solutions L.L.C.':'1.3.6.1.4.1.782.1.2.1.8.1',
    'QuoVadis Limited':'1.3.6.1.4.1.8024.0.2.100.1.2',
    // 'RSA Security, Inc.':' ',
    'SECOM Trust Systems CO.,LTD.':'1.2.392.200091.100.721.1',
    'SecureTrust Corporation':'2.16.840.1.114404.1.1.2.4.1',
    // 'Skaitmeninio sertifikavimo centras (SSC)':' ',
    'StartCom Ltd.':'1.3.6.1.4.1.23223.2',
    'Starfield Technologies':'2.16.840.1.114414.1.7.23.3',
    'SwissSign AG':'2.16.756.1.89.1.2.1.1',
    // 'T-Systems Enterprise Services GmbH':' ',
    // 'TC TrustCenter GMBh':'1.2.276.0.44.1.1.1.4',
    'thawte, Inc.':'2.16.840.1.113733.1.7.48.1',
    // 'Trustis Limited':Doesn't appear to offer them yet ',
    'ValiCert, Inc.':'2.16.840.1.114414.1.7.23.3',
    'VeriSign, Inc.':'2.16.840.1.113733.1.7.23.6',
    'Wells Fargo WellsSecure':'2.16.840.1.114171.500.9'
  ]

  def certs = e.getPeerCertificates()
  def crt = certs[0]
  def intcrt = certs[1]

  def ext = crt.getCertificatePoliciesExtension()
  def policies = ext.get(CertificatePoliciesExtension.POLICIES)
    for ( PolicyInformation info in policies ) {
      CertificatePolicyId id = info.getPolicyIdentifier()
        def certpolicyid = id.getIdentifier().toString()
        //println ""
        //println "Found Certificate Policy ID: ${certpolicyid}"
      if ( ev_oids.any { it.value == certpolicyid } )
        println "This host uses an Extended Validation Cert\nThe Certficate Policy ID is: ${certpolicyid}\n"
        else 
        println "This host does NOT use an Extended Validation Cert\nThe Certificate Policy ID is: ${certpolicyid}\n"

}
    }
  }
  socket.close()

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01156fbc6fe6970c0133f4f5813d970b

Listed below are links to weblogs that reference Groovy: EVNark v0.2 - Validate SSL EV Certs:

Comments