New TRP Sample – check certs against the ICSI Notary

The ICSI Certificate Notary project provides a public DNS service where you can validate SSL certificates against what it has seen. All you have to do is send a DNS TXT request for {sha1-of-DER-cert}.notary.icsi.berkeley.edu and deal with the results.

  • NXDOMAIN → this is a never before seen certificate
  • TXT → cert seen. If validate=1 it has also been validated up to the root

Let us use the SSL Cert resources and check each one against the notary. This kind of bulk checking begs for automation, and this is where the TRP shines. Using a tiny bit of Ruby and the trisulrp and dnsruby gems, we have a very neat way to use the DNS service.

Download checknotary.rb from GitHub at https://github.com/trisulnsm/trisul-scripts/ and run it. The script is well commented.

You can schedule this script to run every hour, as the DNS service zone files are updated at that rate.

Sample output

$ ruby checknotary.rb 192.168.1.22 12001
Enter PEM pass phrase:
Found 720 matches
5604e5921ea362403c500c4865794905f6fde310.notary.icsi.berkeley.edu....[OK VALID]
59676e6bdd9f4d9ddae6a15d9dbcdf24357cf776.notary.icsi.berkeley.edu....[OK VALID]
f56bf24463b0bd6136c5e872346b320428ff4d7c.notary.icsi.berkeley.edu....[OK VALID]
d559a586669b08f46a30a133f8a9ed3d038e2ea8.notary.icsi.berkeley.edu....[OK VALID]
97e82560e3e8b2db741e38f1f798a89dd676cec0.notary.icsi.berkeley.edu....[OK VALID]
59e4d36def09e650989c6a014e544695b2db6d30.notary.icsi.berkeley.edu....[OK VALID]
2796bae63f1801e277261ba0d77770028f20eee4.notary.icsi.berkeley.edu....[OK]
    ^-- not validated NAME:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
# [OK VALID]  -> Seen and validate=1 in the TXT record
# [OK] -> Seen but validate=0 in TXT record
# [FAILED] -> Received a NXDOMAIN, cert not seen
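
The query name and the three result labels above, as an added Ruby example; this is not checknotary.rb or any code from the trisul-scripts repository. It assumes the certificates are already in hand (TRP retrieval is left out), uses the stdlib Resolv in place of dnsruby, and all helper names, the sample certificate and the stub TXT answer are constructed for illustration.

```ruby
require 'openssl'
require 'resolv'

NOTARY_ZONE = 'notary.icsi.berkeley.edu'

# The label is the SHA-1 of the DER encoding, so PEM input is decoded first.
def notary_qname(cert)
  cert = OpenSSL::X509::Certificate.new(cert) if cert.is_a?(String)
  "#{OpenSSL::Digest.new('SHA1').hexdigest(cert.to_der)}.#{NOTARY_ZONE}"
end

# Split a TXT payload such as "version=1 validate=1" into a key/value hash.
def parse_notary_txt(txt)
  txt.split.map { |kv| kv.split('=', 2) }.select { |pair| pair.size == 2 }.to_h
end

# nil stands for NXDOMAIN. The page names the flag "validate"; also accepting
# "validated" is an assumption about the live record format.
def classify(txt)
  return 'FAILED' if txt.nil?
  fields = parse_notary_txt(txt)
  (fields['validate'] || fields['validated']) == '1' ? 'OK VALID' : 'OK'
end

# Live lookup via stdlib Resolv (swapped in for dnsruby); [] means no TXT answer.
RESOLV_LOOKUP = lambda do |qname|
  rr = Resolv::DNS.open { |d| d.getresources(qname, Resolv::DNS::Resource::IN::TXT) }
  rr.empty? ? nil : rr.first.strings.join
end

def check_cert(cert, lookup = RESOLV_LOOKUP)
  qname = notary_qname(cert)
  [qname, classify(lookup.call(qname))]
end

# Constructed self-signed certificate so the example runs offline.
def sample_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=constructed.example')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

# Constructed TXT answer fed through a stub resolver; no network needed.
puts check_cert(sample_cert, ->(_q) { 'version=1 validate=1' }).join(' ... ')
```

Calling check_cert(cert) without the second argument performs the real TXT query through the system resolver.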

Scope for further automation

You can automate this even further by pulling the PCAPs for the certificates that don't pass.

Existing Trisul users are encouraged to try this script. If you aren't yet using Trisul, you should be. Check out Trisul 3.0.