x509_certificate and key_rsa resource

[chris-rock]

This PR fixes #1459

Now you can define tests like:

describe x509_certificate('trials/x509/cert.pem') do
  it { should be_certificate }
  it { should be_valid }
  its('fingerprint') { should eq '62b137bdf427e7273dc2e487877b3033e4c8ce17' }
  its('signature_algorithm') { should eq 'sha1WithRSAEncryption' }
  its('validity_in_days') { should_not be < 100 }
  its('validity_in_days') { should be >= 100 }
  its('subject_dn') { should eq '/C=DE/ST=Berlin/L=Berlin/O=InSpec/OU=Chef Software, Inc/CN=inspec.io/[email protected]' }
  its('subject.C') { should eq 'DE' }
  its('subject.emailAddress') { should_not be_empty }
  its('subject.emailAddress') { should eq '[email protected]' }
  its('issuer_dn') { should eq '/C=DE/ST=Berlin/L=Berlin/O=InSpec/OU=Chef Software, Inc/CN=inspec.io/[email protected]' }
  its('key_length') { should be >= 2048 }
  its('extensions.subjectKeyIdentifier') { should cmp 'A5:16:0B:12:F4:48:0F:06:6C:32:29:67:98:12:DF:3D:0D:75:9D:5C' }
end

describe x509_certificate('trials/x509/x505.md') do
  it { should_not be_certificate }
end

describe key_rsa('trials/x509/key.pem', 'passphrase') do
  it { should be_private }
  it { should be_public }
end

which will result in:

$ inspec exec trials/x509.rb

Profile: tests from trials/x509.rb
Version: (not specified)
Target:  local://


  x509_certificate trials/x509/cert.pem
     ✔  should be certificate
     ✔  should be valid
     ✔  fingerprint should eq "62b137bdf427e7273dc2e487877b3033e4c8ce17"
     ✔  signature_algorithm should eq "sha1WithRSAEncryption"
     ✔  validity_in_days should not be < 100
     ✔  validity_in_days should be >= 100
     ✔  subject_dn should eq "/C=DE/ST=Berlin/L=Berlin/O=InSpec/OU=Chef Software, Inc/CN=inspec.io/[email protected]"
     ✔  subject.C should eq "DE"
     ✔  subject.emailAddress should not be empty
     ✔  subject.emailAddress should eq "[email protected]"
     ✔  issuer_dn should eq "/C=DE/ST=Berlin/L=Berlin/O=InSpec/OU=Chef Software, Inc/CN=inspec.io/[email protected]"
     ✔  key_length should be >= 2048
     ✔  extensions.subjectKeyIdentifier should cmp == "A5:16:0B:12:F4:48:0F:06:6C:32:29:67:98:12:DF:3D:0D:75:9D:5C"
  x509_certificate trials/x509/x505.md
     ✔  should not be certificate
  rsa_key trials/x509/key.pem
     ✔  should be private
     ✔  should be public

Test Summary: 16 successful, 0 failures, 0 skipped

TODO:

• unit tests
• integration tests

[aaronlippold]

So are we saying that a certificate is valid if it is public? I think we may need to refine what we mean by 'valid' just so it is clear. In the DoD sense, a key is 'valid' is it was issues and signed by an approved known trusted CA - i.e. one of the valid root or intermediate authorities.

[chris-rock]

Certificates check the following: certificate? && (now >= not_before && now <= not_after)

[aaronlippold]

Small thing, If possible I would like to be able to say, its(... OU, CN, O, L, or CN ) { should match *DOD*}

[aaronlippold]

http://iasecontent.disa.mil/pki-pke/Certificates_PKCS7_v5.0u1_DoD.zip has examples of valid DoD certs which should give a good idea about the things we would scan for.

[chris-rock]

Would be good to verify what specifically needs to be done to use that.

[aaronlippold]

Overall I think this looks good, I added a couple of comments and a few examples of things that I may be able to make a bit more clear - i.e. what does valid mean? Valid may be a combination of things, signed by and issued by an organization of name x or be signed with a signature that matches a specific email. I added a link to the PKCS#7 dod public certs so you can look at them to see how the three certs are connected to each other - i.e. through issuer and subject - and that may clarify that we want to make 'valid' a different keyword for the core test. The only real question I have is what does 'valid' test?

[aaronlippold]

One part that I would also have is the ability to check a certificates md5,sha-1, and she-256 fingerprints. That would be another way to validate that the cert is the real thing.

DOD has published locations where you can get fingerprint lists of released and issued certs.

[chris-rock]

As discussed with @trickyearlobe I am going to merge his efforts with my efforts

[chris-rock]

I refactored my implementation to use the base implementation from @trickyearlobe

[chris-rock]

cc @DeltaWhy for a review request

[adamleff]

This looks really awesome, @chris-rock and @trickyearlobe. I have some comments/questions I've left in my review. I'll be happy to re-review when ready.

[adamleff]

Spelling error: private_key instead of provate_key

[adamleff]

Also should have an example like the other methods for consistency.

[chris-rock]

Thank you. I agree.

[adamleff]

Should be issuer.XX?

[chris-rock]

correct :-)

[adamleff]

validity_in_days? I don't see a days_remaining method.

[adamleff]

validity_in_days? I don't see a days_remaining method.

[chris-rock]

Oh yeah, it is validity_in_days

[adamleff]

Let's include an example for consistency with the rest of the documentation.

[adamleff]

Missing closing ' on each of the remaining lines in the its argument.

[adamleff]

Any particular reason you're using hash notation instead of method/dot notation for these examples?

[chris-rock]

nope, will change it

[adamleff]

Since a provided key could be public, should this instead say:

"Unable to find key file #{@key_path}"

[adamleff]

Same comment as above re: public vs. private keys.

[adamleff]

We skip_resource in the key_rsa resource if the file doesn't exist or is nil. We should probably do the same here, yes?

[chris-rock]

Great idea @adamleff

[chris-rock]

Switch to openssl cookbook 7.x since chef-boneyard/openssl#54 is solved now

[chris-rock]

Thank you. I agree.

[chris-rock]

Oh yeah, it is validity_in_days

[chris-rock]

correct :-)

[chris-rock]

nope, will change it

[chris-rock]

Great idea @adamleff

[chris-rock]

@adamleff I've addressed all your feedback. Let me know if there is anything else I can do.

[adamleff]

This is wonderful! I'm super-excited for these new resources. Excellent work.