New TRP Sample – check certs against the ICSI Notary
The ICSI Certificate Notary project provides a public DNS service that lets you check an SSL certificate against what the notary has observed on the Internet. All you have to do is issue a DNS TXT query for {hex-encoded-sha1-of-DER-cert}.notary.icsi.berkeley.edu and interpret the result:
- NXDOMAIN → the notary has never seen this certificate
- TXT record → the certificate has been seen. If the record carries validate=1, the notary has also validated its chain up to a trusted root
Let us take the SSL Cert resources and check each one against the notary. This kind of bulk checking begs for automation, and that is where the TRP (Trisul Remote Protocol) shines. With a tiny bit of Ruby and the trisulrp and dnsruby gems we have a very neat way to drive the DNS service.
Download and run checknotary.rb from GitHub: https://github.com/trisulnsm/trisul-scripts/ The script is well commented.
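The core of that workflow, written out here as an added, stand-alone example (it is not checknotary.rb and not Trisul's code): hash the DER form of a certificate, build the notary query name, resolve it, and classify the answer with the same labels the script prints. It uses Ruby's standard-library resolv instead of dnsruby, takes PEM files on the command line instead of pulling certificates over TRP, and generates a throwaway self-signed certificate as a constructed sample. The record field name "validated" is an assumption (the post writes validate=1), so both spellings are accepted. One caveat a practitioner should know: unlike dnsruby, the stdlib resolver folds a timeout into the same error as NXDOMAIN, so a [FAILED] from a dead resolver looks identical to a never-seen certificate.

```ruby
require 'openssl'
require 'digest/sha1'
require 'resolv'

NOTARY_ZONE = 'notary.icsi.berkeley.edu'.freeze

# The notary is keyed by the hex SHA-1 of the DER encoding of the certificate,
# so a PEM file must be converted back to DER before hashing.
def notary_name(cert)
  "#{Digest::SHA1.hexdigest(cert.to_der)}.#{NOTARY_ZONE}"
end

# The TXT answer is a run of key=value pairs; turn it into a Hash.
def parse_notary_record(txt)
  txt.split.each_with_object({}) do |pair, fields|
    key, value = pair.split('=', 2)
    fields[key] = value
  end
end

# Map a lookup result to the labels used in the sample output.
# nil means the query produced no TXT record (NXDOMAIN: certificate never seen).
def classify(txt)
  return '[FAILED]' if txt.nil?
  fields = parse_notary_record(txt)
  # Assumption: the flag is named "validated"; "validate", as written in the
  # post, is accepted too so either spelling classifies the same way.
  flag = fields['validated'] || fields['validate']
  flag == '1' ? '[OK VALID]' : '[OK]'
end

# TXT lookup with the stdlib resolver. Caveat: Resolv::DNS reports a timeout
# through the same Resolv::ResolvError as NXDOMAIN, so an unreachable resolver
# is indistinguishable from "never seen" here. Check connectivity before
# trusting a batch full of [FAILED].
def notary_lookup(name, resolver = Resolv::DNS.new)
  rr = resolver.getresource(name, Resolv::DNS::Resource::IN::TXT)
  rr.strings.join(' ')
rescue Resolv::ResolvError
  nil
end

# Returns [query_name, status] for one OpenSSL::X509::Certificate.
def check_cert(cert, resolver = Resolv::DNS.new)
  name = notary_name(cert)
  [name, classify(notary_lookup(name, resolver))]
end

# Constructed sample: a throwaway self-signed certificate generated on the fly.
# Nothing on the public Internet has ever served it, so a live lookup of its
# name is expected to come back NXDOMAIN, i.e. [FAILED].
def sample_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=notary-example.invalid')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if __FILE__ == $0
  if ARGV.empty?
    # No certificates given: show the query name for the sample cert and stop,
    # without touching the network.
    puts "usage: ruby #{$0} cert.pem [cert.pem ...]"
    puts "sample query name: #{notary_name(sample_cert)}"
  else
    ARGV.each do |path|
      cert = OpenSSL::X509::Certificate.new(File.read(path))
      name, status = check_cert(cert)
      puts "#{name}....#{status}"
    end
  end
end
```

Run it as `ruby notary_check.rb server.pem` to query the live notary for each PEM given; with no arguments it only prints the query name for the generated sample certificate. Keeping the lookup behind an injectable resolver is what makes the classification logic testable offline, and is also the seam where you would swap in dnsruby to get the real response code back.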
You can schedule this script to run every hour, since the notary's DNS zone files are updated at that rate.
Sample output
$ ruby checknotary.rb 192.168.1.22 12001
Enter PEM pass phrase:
Found 720 matches
5604e5921ea362403c500c4865794905f6fde310.notary.icsi.berkeley.edu....[OK VALID]
59676e6bdd9f4d9ddae6a15d9dbcdf24357cf776.notary.icsi.berkeley.edu....[OK VALID]
f56bf24463b0bd6136c5e872346b320428ff4d7c.notary.icsi.berkeley.edu....[OK VALID]
d559a586669b08f46a30a133f8a9ed3d038e2ea8.notary.icsi.berkeley.edu....[OK VALID]
97e82560e3e8b2db741e38f1f798a89dd676cec0.notary.icsi.berkeley.edu....[OK VALID]
59e4d36def09e650989c6a014e544695b2db6d30.notary.icsi.berkeley.edu....[OK VALID]
2796bae63f1801e277261ba0d77770028f20eee4.notary.icsi.berkeley.edu....[OK]
^-- not validated NAME:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
# [OK VALID] -> Seen and validate=1 in the TXT record
# [OK] -> Seen but validate=0 in TXT record
# [FAILED] -> Received a NXDOMAIN, cert not seen
Scope for further automation
You can automate this even further by pulling the PCAPs for the flows whose certificates don't pass, so the failing sessions are ready for analysis.
Existing Trisul users are encouraged to try this script. If you aren't yet using Trisul, you should be. Check out Trisul 3.0