class InternetSecurityEvent::TLSAStatus

Attributes

certificate[R]
record[R]

Public Class Methods

build(record, certificate) click to toggle source
# File lib/internet_security_event/tlsa_status.rb, line 16
def self.build(record, certificate)
  obj = new(record, certificate)
  obj.to_e
end
new(record, certificate) click to toggle source
# File lib/internet_security_event/tlsa_status.rb, line 9
def initialize(record, certificate)
  @record = record
  @certificate = certificate

  @resolv = Resolv::DNS.new
end

Public Instance Methods

certificate_association_data(selector, matching_type) click to toggle source
# File lib/internet_security_event/tlsa_status.rb, line 28
def certificate_association_data(selector, matching_type)
  certificate_association_data_digest(certificate_association_data_certificate_bytes(selector), matching_type)
end
certificate_match_tlsa_record?() click to toggle source
# File lib/internet_security_event/tlsa_status.rb, line 32
def certificate_match_tlsa_record?
  certificate_association_data(record.selector, record.matching_type) == record.certificate_association_data
end
to_e() click to toggle source
# File lib/internet_security_event/tlsa_status.rb, line 21
def to_e
  {
    state:       state,
    description: description,
  }
end

Private Instance Methods

certificate_association_data_certificate_bytes(selector) click to toggle source
# File lib/internet_security_event/tlsa_status.rb, line 38
def certificate_association_data_certificate_bytes(selector)
  case selector
  when Resolv::DNS::Resource::IN::TLSA::Selector::CERT
    certificate.to_der
  when Resolv::DNS::Resource::IN::TLSA::Selector::SPKI
    certificate.public_key.to_der
  end
end
certificate_association_data_digest(bytes, matching_type) click to toggle source
# File lib/internet_security_event/tlsa_status.rb, line 47
def certificate_association_data_digest(bytes, matching_type)
  case matching_type
  when Resolv::DNS::Resource::IN::TLSA::MatchingType::FULL
    bytes.unpack1('H*')
  when Resolv::DNS::Resource::IN::TLSA::MatchingType::SHA2_256
    Digest::SHA256.hexdigest(bytes)
  when Resolv::DNS::Resource::IN::TLSA::MatchingType::SHA2_512
    Digest::SHA512.hexdigest(bytes)
  end
end
description() click to toggle source
# File lib/internet_security_event/tlsa_status.rb, line 68
def description
  if record.end_entity?
    if certificate_match_tlsa_record?
      'certificate match TLSA record'
    else
      'certificate does not match TLSA record'
    end
  else
    # FIXME: For now, we only check the certificate, not the CA
    'Unsupported certificate usage'
  end
end
state() click to toggle source
# File lib/internet_security_event/tlsa_status.rb, line 58
def state
  return 'critical' unless record

  return nil unless record.end_entity?

  return 'ok' if certificate_match_tlsa_record?

  'critical'
end