cert.ist certificate chain pinning example Ruby
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env ruby -W0 | |
| require 'net/http' | |
| require 'openssl' | |
| require 'json' | |
| require 'digest' | |
| def validate_cert_for_domain(domain) | |
| uri = URI("https://api.cert.ist/#{domain}") | |
| response = Net::HTTP.get(uri) | |
| parsed = JSON.parse(response) | |
| chain = parsed['chain'] | |
| full_chain ||= [] | |
| chain.each { |certInChain| | |
| full_chain << certInChain['pem']['hashes']['sha256'] | |
| } | |
| http = Net::HTTP.new(domain, 443) | |
| http.use_ssl = true | |
| http.verify_mode = OpenSSL::SSL::VERIFY_PEER | |
| index = 0 | |
| http.verify_callback = lambda do |preverify_ok, cert_store| | |
| return false unless preverify_ok | |
| end_cert = cert_store.chain[index] | |
| local_cert_hash = Digest::SHA256.hexdigest(end_cert.to_pem) | |
| api_chain_hash = full_chain[index] | |
| index += 1 | |
| if api_chain_hash.to_s != "" | |
| return api_chain_hash == local_cert_hash | |
| else | |
| # TODO: extra certificate found, figure out what's going on here | |
| return true | |
| end | |
| end | |
| _ = http.get '/' | |
| puts "Local and cert.ist api certificate chain hashes matched for host: #{domain}" | |
| end | |
| validate_cert_for_domain('jbird.dev') | |
| validate_cert_for_domain('urip.io') | |
| validate_cert_for_domain('tilltrump.com') | |
| validate_cert_for_domain('asciirange.com') |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment